Scope-Creep in the Use of Information:

The original version of CISPA allowed the government to use all of the information it has been given for "any lawful purpose" as long as it can be argued that one purpose of that use was cybersecurity related. This would seem to have left a back door wide open for SOPA-like intellectual property enforcement. The bill did not include any form of judicial oversight to check increasingly lenient and inclusive interpretations of this provision. In the absence of such oversight, it seemed likely that -- in an environment of extreme pressure from organizations like the RIAA and MPAA -- scope creep would lead to the use of CISPA provisions for much more than protecting critical national security infrastructure.

Here too the recently proposed amendments offer some significantly positive changes. The Use Amendment (PDF) changes the bill from allowing the information to be used for "any lawful purpose" to allowing the information to be used for five distinct purposes. Under these new restrictions the government will be able to use information shared under CISPA 1) for cybersecurity purposes -- limited more meaningfully by the definitions amendment; 2) for the investigation and prosecution of cybersecurity crimes; 3) "for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm"; 4) for protecting minors from child pornography, exploitation, trafficking, etc.; and 5) to protect national security.

Of course, this is still fairly broad; it is likely that action against WikiLeaks could still be justified under these definitions. However, they do seem to help ensure that the use of information does not exceed reasonable cybersecurity bounds by too much. It is still troubling, however, that information shared under CISPA could be used in criminal proceedings against individuals, since it can be collected without any Fourth Amendment considerations.

The Minimization Retention and Notification Amendment (PDF) offers another positive improvement. This amendment requires that if the Federal Government receives any information that is deemed not to be relevant to cyber threats, it must notify the private entities that they have shared non-relevant information. It would be nice to see this provision include a public report exposing private companies for repeated over-sharing so people could make informed decisions about providing their data to entities that are overeager sharers.

More importantly, however, this amendment goes on to explicitly prohibit the government from retaining or using any information shared under CISPA for any purpose other than those explicitly allowed. Finally, this amendment states that "The Federal Government may... undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government." This is another positive step. However, this language does not seem to create a duty to limit the impact, but rather allows for it. It would be nice to see it worded as "The Federal Government shall..." rather than "The Federal Government may...."