CISPA Explainer #1: What Information Can Be Shared?

We've written extensively about CISPA over the last year, but since the House Permanent Select Committee on Intelligence is set to mark the bill up next week, and the full House to vote on it the week after that, we're posting in more depth about its shortcomings. Information sharing isn't offensive per se; it's really a question of what can be shared, with whom, and what corporations and government agencies can do with it. First up:

What information does CISPA allow companies to share?

The short answer: any information that "pertains" to cybersecurity, broadly defined to include vulnerabilities, threat information, efforts to degrade systems, attempts at unauthorized access, and more. You can see the full list on page 20 of the bill. You'll see that it's not tied to the criminal definition of hacking but instead forges new ground.

The bill sponsors will tell you that CISPA is only about the "ones and zeroes," but it certainly isn't drafted that way. There's nothing limiting CISPA in that manner, and personally identifiable information (PII) could be shared right along with inconsequential code that doesn't implicate privacy at all. So, if your communications or records are somehow caught up in a cybersecurity data dump, they may well include information that identifies the real-world you, even if that information is not necessary to combat a cyber threat. Under CISPA, you'll just have to trust that the corporations holding your very personal information do what's best. Good luck with that.

The good news is that there are simple fixes that could be incorporated into CISPA which would put a layer of privacy protection over all shared data. First, the House should require that any shared information must be necessary to understand a cybersecurity threat. Under the current formulation, shared information must only pertain to such a threat. A stricter standard would help narrow the flow of information to that which is, well, necessary.

Second, the House should require companies to make reasonable efforts to remove PII from the technical data relating to cybersecurity before they share it with government and other corporations. This approach is endorsed in the House Republican Cybersecurity Task Force report, by a bipartisan group of senators, and by the Obama administration itself. The CISPA sponsors stated at a hearing in February that such a requirement would slow down sharing, but that's not necessarily the case.

A reasonable-efforts requirement would give companies the flexibility to deal with the facts on the ground and, if an emergency warrants it, to skip stripping out the PII. But the presumption should put the onus on the companies to take it out, and that's where it belongs. All statutes have scoping language and definitions; it's just a matter of where Congress decides to draw the lines. And since Congress is so keen on granting immunity for these sharing programs, it should require the companies to make an effort to protect our sensitive data, just as dozens of other laws require now.

Next up: Who should be able to receive this cyber information? Check back tomorrow for CISPA Explainer #2 and click here to sign a petition to the president asking him to veto CISPA.

Other blogs in this series:
CISPA Explainer #2
CISPA Explainer #3
CISPA Explainer #4

Learn more about cybersecurity and other civil liberty issues: sign up for breaking news alerts, follow us on Twitter, and like us on Facebook.


Amy C

Can you give some examples of the information that might be shared? I'm having a hard time getting my arms around why this matters to me if I'm not involved in any kind of cyber-security attacking.

Robyn Greene, ACLU

CISPA does not set any limits on the types of information that companies can share with the government - it requires only that the information "pertains" to a cybersecurity threat. The definition of a threat is extremely broad in CISPA. This means companies can share any information they think is related to a threat, including private or personally identifiable information, such as your internet records or even the content of your e-mails. The result: everyday Americans and victims of cyber-attacks could be swept up in this information sharing program, not just cyber-attackers.

You can learn more about CISPA and other cybersecurity legislation at our cybersecurity webhub, which has ACLU and coalition letters to Congress and the administration detailing our concerns about CISPA, additional blogs, backgrounders, and a legislative comparison chart summarizing what each cybersecurity bill under consideration authorizes:

Mark C

More times than not, I find my viewpoints in direct opposition to those of the ACLU. This time, though, I find myself in total agreement with you when it comes to CISPA. I applaud you for your efforts to inform and help steer the conversation on this highly controversial and deceptive piece of legislation. Thank you for your hard work on this issue. We'll be contacting our elected leaders and helping to keep the good fight going!
