

While most folks are looking elsewhere, it appears that Congress is trying to see if it can sneak an absolutely awful "cybersecurity" bill through Congress. We've discussed how there's been some fighting on the Senate side concerning which cybersecurity bill to support, but there's a similar battle going on in the House, and it appears that the Rogers-Ruppersberger bill, known as CISPA (for Cyber Intelligence Sharing and Protection Act) or HR 3523 is winning out, with a planned attempt to move it through Congress later this month. The bill is awful -- and yet has somehow already gained over 100 sponsors. In an attempt to pretend that this isn't a "SOPA-like" problem, the supporters of this bill are highlighting the fact that Facebook, Microsoft and TechAmerica are supporting this bill.



However, this is a terrible bill for a variety of reasons. Even if we accept the mantra that new cybersecurity laws are needed (despite a near total lack of evidence to support this -- and, no, fearmongering about planes falling from the sky doesn't count), this bill has serious problems. As CDT warned when this bill first came out, it's way too broad and overreaching: However, the bill goes much further, permitting ISPs to funnel private communications and related information back to the government without adequate privacy protections and controls. The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD’s Cybercommand would be the primary recipient. If it's confusing to keep track of these different cybersecurity bills, the ACLU has put together a handy dandy (scary) chart (pdf) comparing them all. And what comes through loud and clear is that the Rogers-Ruppersberger CISPA bill will allow for much greater information sharing of companies sending private communication data to the government -- including the NSA, who has been trying very, very hard to get this data, not for cybersecurity reasons, but to spy on people. CISPA has broad definitions, very few limits on who can get the data, almost no limitations on how the government can use the data (i.e. they can use it to monitor, not just for cybersecurity reasons) and (of course) no real oversight at all for how the data is (ab)used.



CDT has put together a reasonable list of 8 things that should be done if politicians don't want to turn cybersecurity into a new SOPA, but so far, Congress is ignoring nearly all of them. Similarly, EFF is asking people to speak out against CISPA, noting that it basically creates a cybersecurity exemption to all existing laws. If the government wants your data, it just needs to claim that it got it for "cybersecurity purposes" and then it can do pretty much whatever it wants.



This is a really bad bill and it looks like it's going to pass unless people speak up.













