“This bill sacrifices privacy without improving security. We deserve both." In case you missed it, the Cyber Intelligence Sharing and Protection Act (CISPA) is back, and this message is now being displayed on banners atop tens of thousands of websites to push people to act against the deeply flawed bill.

Why so flawed? Because while it aims to protect Americans from malicious cyber attacks, CISPA’s sweeping, vague language creates exemptions to all privacy laws. That’s why the Obama administration threatened to veto it last year, stating “Cybersecurity and privacy are not mutually exclusive.”

Yet that is the false choice being presented by CISPA’s sponsors. They’re gearing up to push the bill through Congress without much debate by raising the specter of growing cyber threats and presenting CISPA as the “simple” solution.

Well, I’m not buying what they’re selling – I say we can have both security and privacy. Because let’s face it: we do need better cybersecurity to protect Americans and our economy from harm. In fact, compared to major natural disasters, cyber attacks by a capable adversary could affect basic infrastructure like power and water supply for a much more prolonged period and across a much wider geographic area.

That’s why we need a constructive approach to improving information-sharing about cyber-threats. But instead of just complaining and protesting, let’s urge Congress to propose robust safeguards for privacy. While I don't like CISPA, here are some ways we can do that.

About the author: Chris Finan is a Truman National Security Project Fellow and a consultant for Department of Defense technology development programs. He formerly served in the Obama administration focusing on cybersecurity legislation and also worked at the Pentagon.

Strip Out Personal Information

By allowing the sharing of ill-defined data for nearly limitless government and commercial purposes, CISPA could result in Americans’ personal information being passed to federal defense, intelligence, and law enforcement agencies for surveillance and prosecution of crimes unrelated to cyber threats.

Since our personal information shouldn’t be shared without our consent, an amendment requiring companies to strip out consumers’ personally identifiable information (PII) before sharing data should be included in any bill.

Not only would this amendment be good for privacy, it’d be good for business. Currently, U.S. companies are at a competitive disadvantage in Europe and elsewhere because the U.S. government requires a wide range of disclosures under current law. A corporate PII minimization requirement would help multinational corporations assure consumers in other countries that their personal information is not being shared with the U.S. government.

Control the Flow of Information

As currently written, CISPA allows direct private-to-public sharing of data – with spy agencies, the military, and the law enforcement community. You can see the list of who can get your data here.

Instead, Congress should insist that data shared with the government flows to civilian agencies, and then only to defense, intelligence, and law enforcement agencies when necessary for clearly and precisely defined cybersecurity purposes. Otherwise, CISPA's broad, vaguely defined framework could be abused as a warrantless backdoor wiretap.

Simply put, having a spy agency receive Americans’ domestic communications data is not consistent with our founding principles. It’s why peacetime domestic cybersecurity should remain the sole purview of civilian agencies.

Companies Should Be Held Accountable

Since CISPA broadly immunizes corporations from criminal and civil liability, it prevents customers from holding those companies accountable if they negligently or recklessly mishandle their data.

To avoid the moral hazards of such broad immunity, lawmakers should carefully tailor corporate liability protections. Furthermore, to enhance transparency, companies should be required to share any data they send to the government with a non-profit, independent “watchdog.”

Such an entity – consisting of privacy and consumer advocates, civil libertarians, and computer security researchers – could help uphold privacy and consumer rights while also providing researchers with a trove of information. This way, we can draw on the collective expertise of those who believe a free and open internet is entirely compatible with a secure one – while also helping them develop more effective technologies to prevent and mitigate cyber intrusions.

***

What if Internet Service Providers (ISPs) could be granted immunity to act as “agents” of the U.S. Government – searching domestic communications, providing that data to intelligence agencies, and even taking action when so directed to stop harmful internet traffic? Well, that's what the head of the National Security Agency and U.S. Cyber Command suggested to a panel of senators last week. As justification, the general pointed to denial of service attacks last fall that resulted in several online banking sites becoming unavailable to customers for several hours.

While the general may not have appreciated the Fourth Amendment implications of his statement, what’s truly remarkable is that *not a single U.S. senator* noted the obvious Constitutional concerns – or challenged the necessity of such an Orwellian approach.

Yes, the risk of a cyber attack is indeed real, and warrants careful legislative action. But as Congress again debates how to address this risk, our elected officials must be willing to reject the false choices and drastic measures that would undermine our fundamental principles. As Benjamin Franklin so wisely noted, “they who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”

Wired Opinion Editor: Sonal Chokshi @smc90