Representative Mike Rogers (R-MI) made the argument last week that the privacy community’s significant concerns with CISPA, the privacy-busting cybersecurity bill, don’t stem from actual problems with the bill language, but rather from a misunderstanding of the bill itself. Speaking on behalf of himself and his co-sponsor, Representative Dutch Ruppersberger (D-MD), he told The Hill, “We feel that the bill clearly deals with privacy, that the checks and balances are there, but [we] know there's still a perception and we're still trying to deal with that.”
The ACLU, along with a coalition of 41 privacy and civil liberties groups, are very concerned about the real-world impact that the authorities proposed in CISPA could have on Americans’ privacy and civil liberties. President Obama, along with top administration officials including Department of Homeland Security Secretary Janet Napolitano, have echoed many of our concerns. CISPA, in its current form:
- Creates an exception to all privacy laws to allow companies to share our personal information, including internet records and the content of emails, with the government and other companies, for cybersecurity purposes;
- Permits our private information to be shared with any government agency, like the NSA or the Department of Defense ’s Cyber Command;
- Fails to require the protection of Americans’ personally identifiable information (PII), despite repeated statements by the private sector that it doesn’t want or need to share PII;
- Once shared with the government, allows our information to be used for non-cybersecurity “national security” purposes – an overbroad “catch-all” phrase that can mean almost anything;
- Immunizes companies from criminal or civil liability, even after an egregious breach of privacy;
- Fails to implement adequate transparency and oversight mechanisms
In a recent article in Wired, Chris Finan, former White House director for cybersecurity, urged Congress to fix CISPA by amending the bill so as to require companies to strip their customers’ PII before sharing it with the government; restrict information sharing to civilian agencies; restrict the further dissemination and use of information to cybersecurity purposes; place reasonable limits on companies’ liability protections; and establish a non-profit to act as an "independent 'watchdog'" over any information sharing program to enhance oversight and transparency.
It will would be great if Congress amended CISPA to address all of our privacy concerns, but it’s hard to hold out hope for sufficient changes so long as its chief sponsor thinks that it doesn’t have a privacy problem so much as a PR problem. Everyone, from the privacy community to the president, agrees that CISPA is bad on privacy – the problem isn’t our perception.