Microsoft is no longer as enthusiastic about a controversial cybersecurity bill that would allow Internet and telecommunications companies to divulge confidential customer information to the National Security Agency.

The U.S. House of Representatives approved CISPA by a 248 to 168 margin yesterday in spite of a presidential veto threat and warnings from some House members that the measure represented "Big Brother writ large." (See CNET's CISPA FAQ.)

In response to queries from CNET, Microsoft, which has long been viewed as a supporter of the Cyber Intelligence Sharing and Protection Act, said this evening that any law must allow "us to honor the privacy and security promises we make to our customers."

Microsoft

Microsoft added that it wants to "ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy."

That's a noticeable change -- albeit not a complete reversal -- from Microsoft's position when CISPA was introduced in November 2011.

In a statement (PDF) at the time, Microsoft vice president for government affairs Fred Humphries didn't mention privacy. Instead, Humphries said he wanted to "commend" CISPA's sponsors and "Microsoft applauds their leadership." He added: "This bill is an important first step towards addressing significant problems in cyber security."

That wasn't exactly an full-throated endorsement of CISPA, but it was enough for the bill's author, House Intelligence Committee chairman Rep. Mike Rogers (R-Mich.), to list Microsoft as a "supporter" on the committee's Web site.

And it was also enough for news organizations, including the Washington Post and the Los Angeles Times, to list Microsoft as having an unqualified pro-CISPA stand.

To be sure, Microsoft's initial reaction to CISPA came before many of the privacy concerns had been raised. An anti-CISPA coalition letter (PDF) wasn't sent out until April 16, and a petition that garnered nearly 800,000 signatures wasn't set up until April 5.

What makes CISPA so controversial is a section saying that, "notwithstanding any other provision of law," companies may share information with Homeland Security, the IRS, the NSA, or other agencies. By including the word "notwithstanding," CISPA's drafters intended to make their legislation trump all existing federal and state laws, including ones dealing with wiretaps, educational records, medical privacy, and more.

CISPA Excerpts Excerpts from the Cyber Intelligence Sharing and Protection Act: "Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes -- (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and (ii) share such cyber threat information with any other entity, including the Federal Government... The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself."

CISPA would "waive every single privacy law ever enacted in the name of cybersecurity," Rep. Jared Polis, a Colorado Democrat and onetime Web entrepreneur, said during yesterday's floor debate. Its sponsors, on the other hand, say it's necessary to allow the NSA and Homeland Security to share cybersecurity threat information with the private sector.

What Microsoft appears to favor is a Senate bill introduced in February called the Cybersecurity Act.

At a Senate hearing in February, Microsoft vice president Scott Charney was more effusive about the Cybersecurity Act than his colleague was about CISPA three months earlier. The Senate bill provides "an appropriate framework to improve the security of government and critical infrastructure systems," one which will be "flexible enough to permit future improvements to security" over time, Charney said (PDF).

The Electronic Frontier Foundation, which has been active in an anti-CISPA coalition, welcomed Microsoft's new statement.

"We're excited to hear that Microsoft has acknowledged the serious privacy faults in CISPA," said Dan Auerbach, EFF staff technologist. "We hope that other companies will realize this is bad for users and also bad for companies who may be coerced into sharing information with the government."

Here's the full text of what a Microsoft spokesman sent CNET this evening: