U.S. House of Representatives

New revisions to a proposed federal cybersecurity law still would permit Internet companies to hand over confidential customer records and communications to the National Security Agency.

A recent torrent of criticism prompted the politicians behind the Cyber Intelligence Sharing and Protection Act to circulate a revised version (PDF) of CISPA this evening before an expected floor vote next week. But the authors made only relatively minor tweaks.

The legislation remains so broad that the NSA could vacuum up "all sorts of sensitive information like Internet use information and the contents of e-mails," ACLU legislative counsel Michelle Richardson told CNET.

CISPA is experiencing a milder form of the same kind of Internet backlash that doomed the Stop Online Piracy Act (SOPA) and Protect IP early this year.

Advocacy groups, including the American Library Association, the Electronic Frontier Foundation, and the libertarian-leaning TechFreedom, launched a "Stop Cyber Spying" campaign today -- complete with a write-your-congresscritter-via-Twitter app -- and the bill has now drawn the ire of Anonymous. A letter (PDF) sent today by more than two dozen organizations, including the Republican Liberty Caucus, urges a "no" vote on CISPA, and more than 669,000 people have signed an anti-CISPA Web petition.

CISPA Excerpts Excerpts from the Cyber Intelligence Sharing and Protection Act: "Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes -- (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and (ii) share such cyber threat information with any other entity, including the Federal Government... The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself."

What sparked the privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so.

By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.")

"Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."

If CISPA were enacted, "part of the problem is we don't know exactly what's going to happen," says Lee Tien, an attorney at the Electronic Frontier Foundation in San Francisco, which sued AT&T over the Bush administration's warrantless wiretapping program. "I worry that you can get a version of cybersecurity warrantless wiretapping out of this."

For their part, the bipartisan duo who authored CISPA have downplayed the scope of the "notwithstanding" language by saying that's not the intent of their legislation. (A spokeswoman for the House Intelligence committee, which has been taking to Twitter to deny any comparisons with SOPA, did not respond to questions from CNET.)

"We have maintained an open door for all interested parties since the drafting of this bill began last year, and we appreciate all the constructive feedback and input we have received," Rogers said in a statement yesterday. "This transparent process has involved hundreds of meetings and phone calls and has certainly made this a better bill."

A position paper on CISPA from Rogers and Ruppersberger says their bill is necessary to deal with threats from China and Russia and that it "protects privacy by prohibiting the government from requiring private sector entities to provide information." In addition, they stress that "no new authorities are granted to the Department of Defense or the intelligence community to direct private or public sector cybersecurity efforts."

If that's actually the goal of the House Intelligence committee, critics say, the legislation should be rewritten to make sure that current privacy laws remain in effect. Today's letter (PDF) to Congress from CISPA critics says:

CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity. Although a carefully-crafted information sharing program that strictly limits the information to be shared and includes robust privacy safeguards could be an effective approach to cybersecurity, CISPA lacks such protections for individual rights. CISPA's 'information sharing' regime allows the transfer of vast amounts of data, including sensitive information like internet use history or the content of emails, to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command.

One of the biggest differences between CISPA and its SOPA predecessor is that the Web blocking bill was defeated by a broad alliance of Internet companies and millions of peeved users. Not CISPA: the House Intelligence committee proudly lists letters of support from Facebook, Microsoft, Oracle, Symantec, Verizon, AT&T, Intel, and trade association CTIA, which counts representatives of T-Mobile, Sybase, Nokia, and Qualcomm as board members.

EFF

In February, Facebook VP Joel Kaplan wrote (PDF) an enthusiastic letter to Rogers and Ruppersberger to "commend" them on CISPA, which he said "removes burdensome rules that currently can inhibit protection of the cyber ecosystem."

What a difference a few weeks makes. By last Friday, Facebook had been forced on the defensive, with Kaplan now assuring users that his employer has "no intention" of sharing users' personal data with the Feds and that section is "unrelated to the things we liked" about CISPA in the first place. (A Demand Progress campaign says: "Internet users were able to push GoDaddy to withdraw its support of SOPA. Now it's time to make sure Facebook knows we're furious.")

CISPA's authorization for information sharing extends far beyond Web companies and social networks. It would also apply to Internet service providers, including ones that already have an intimate relationship with Washington officialdom. Large companies including AT&T and Verizon handed billions of customer records to the NSA; only Qwest refused to participate. Verizon turned over customer data to the FBI without court orders. An AT&T whistleblower accused the company of illegally opening its network to the NSA, a practice that the U.S. Congress retroactively made legal in 2008.

CISPA was approved by the House Intelligence committee by a bipartisan 17-1 vote on December 1, 2011, and it enjoys a total of 106 sponsors. Rogers and Ruppersberger circulated a revised discussion draft last week before the one this evening; last week's version was enough to convince Engine Advocacy to say it "no longer opposes the legislation."

The original version of CISPA referred to "theft or misappropriation" of "intellectual property." Now it includes efforts to "steal or misappropriate private or government information" -- which still appears broad enough to include copyright infringement. Another change is that the Privacy and Civil Liberties Oversight Board would have been responsible for preparing an annual "unclassified" report on how the law was used. Now it's the Inspector General of the Intelligence Community preparing a report that "may include a classified annex."

Jim Harper, director of information policy studies at the Cato Institute in Washington, D.C. says a better option might be for politicians to wait on cybersecurity legislation, or better yet, do nothing.

"Congress has no particular capacity or knowledge of how to do cybersecurity," Harper says. "It's not a choice between two different versions in the House and two different versions in the Senate. The question is still open: is Congress capable of doing any good here?"