We've written extensively about CISPA over the last year, but since the House Permanent Select Committee on Intelligence is set to mark the bill up next week, and the full House to vote on it the week after that, we're posting in more depth about its shortcomings. Information sharing isn't offensive per se; it's really a question of what can be shared, with whom, and what corporations and government agencies can do with it. First up:
What information does CISPA allow companies to share?
The short answer: any information that "pertains" to cybersecurity, broadly defined to include vulnerabilities, threat information, efforts to degrade systems, attempts at unauthorized access, and more. You can see the full list on page 20 of the bill. You'll see that it's not tied to the criminal definition of hacking but instead forges new ground.
The bill sponsors will tell you that CISPA is only about the "ones and zeroes," but it certainly isn't drafted that way. There's nothing limiting CISPA in that manner and personally identifiable information (PII) could be shared right along with some inconsequential code that doesn't impact privacy at all. So, if your communications or records are somehow caught up in a cybersecurity data dump, they might possibly include information that identifies the real-world you, even if that information is not necessary to combat a cyber threat. Under CISPA, you'll just have to trust that the corporations holding your very personal information do what's best. Good luck with that.
The good news is that there are simple fixes that could be incorporated into CISPA which would put a layer of privacy protection over all shared data. First, the House should require that any shared information must be necessary to understand a cybersecurity threat. Under the current formulation, shared information must only pertain to such a threat. A stricter standard would help narrow the flow of information to that which is, well, necessary.
Second, the House should require companies to make reasonable efforts to remove PII from the technical data relating to cybersecurity before they share with government and corporations. This approach is endorsed in the House Republican Cybersecurity Task Force report, by a bi-partisan group of senators, and the Obama administration itself. The CISPA sponsors stated at a hearing in February that such a requirement would slow down sharing, but that's not necessarily the case.
A reasonable-efforts requirement would allow companies the flexibility to deal with the facts on the ground, and if an emergency warrants it, skip stripping out the PII if necessary. But the presumption should put the onus on the companies to take it out, and that's where it should be. All statutes have scoping language and definitions; it's just a matter of where Congress decides to draw the lines. And since Congress is so keen on granting immunity for these sharing programs, it should require the companies to make an effort to protect our sensitive data – just like dozens of other laws require now.
Next up: Who should be able to receive this cyber information? Check back tomorrow for CISPA Explainer #2 and click here to sign a petition to the president asking him to veto CISPA.