What is CISPA and what does it mean for you?
Described as “misguided” and “fatally flawed” by the two largest US privacy groups, the Cyber Intelligence Sharing and Protection Act (CISPA) threatens the online privacy of ordinary US residents more so than any other Bill since Congress amended the Foreign Intelligence Surveillance Act in 2008.
A lot of confusion still surrounds what CISPA can do, who it affects, and what it will practically achieve. Here’s what you need to know.
What is CISPA?
CISPA, known officially as H.R. 624, is a cybersecurity Bill currently going through the motions in the lower house of Congress, the US House of Representatives. It is designed to help prevent and defend against cyberattacks on critical national infrastructure and against other internet attacks on private firms by obtaining and sharing “cyberthreat information”.
Its sole purpose is to allow private sector firms to search personal and sensitive user data of ordinary US residents to identify this so-called “threat information”, and to then share that information with each other and the US government — without the need for a warrant.
By citing “cybersecurity”, it allows private firms to hand over private user data while circumventing existing privacy laws, such as the Wiretap Act and the Stored Communications Act. This means that CISPA can permit private firms to share your data, such as emails, text messages, and cloud-stored documents and files, with the US government.
It also gives these firms legal protection to hand over such data. There is no judicial oversight.
To make matters worse, because there is little transparency and individual accountability, those who have had their data handed to the US government may not even know about it or be given a chance to challenge it.
Wasn’t CISPA put on the backburner after it failed in the Senate?
In April 2012, the US House passed CISPA by a large majority, voting 248 to 168. It passed at a time when the White House threatened to veto the Bill should it pass the desk of President Obama, citing privacy and civil liberty concerns. But once it was handed to the Senate, it failed to gain traction, likely in light of similar legislation being drafted in the upper house at the time.
How is this new CISPA version any different from the old Senate-stalled version?
The current version of CISPA, reintroduced into the House, has the same name and largely the same content. CISPA was brought back to the House in its original format.
Since being debated and amended by the House Intelligence committee, it has gone through a mark-up process that would tighten up certain language and add definitions. Members decided to conduct this process in secret, despite the controversy surrounding this Bill. While CISPA does not force or require a private firm to share data with the US government, major telecoms providers have illegally shared data with the US intelligence agencies before.
During this recent mark-up process, fewer than half of the privacy re-enabling amendments that passed have “only chipped away at the edges of CISPA”, according to the Electronic Frontier Foundation (EFF).
These amendments now include:
Information for “national security” purposes: One amendment means the US government can only use data collected under CISPA for “cybersecurity purposes”, and not for “national security” purposes — a catch-all term that can and has been used to skirt Fourth Amendment rights. The second amendment imposes the same rule on private firms. However, “cybersecurity” is still loosely defined and could be misinterpreted or abused by private firms.
Hacking back: Private firms are limited from acting beyond their own networks to gather “cyberthreat information”, such as “hacking the hackers”. But the EFF noted that a “huge loophole” exists, which allows a firm to “still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection”.
Government-related privacy oversight: This amendment requires oversight of how CISPA affects civil liberties and privacy in government activity, but it does not apply to private firms. The EFF is concerned that there is “no assessment of whether companies over-collect or over-share sensitive information”.
How does Obama’s cybersecurity executive order differ from CISPA?
President Obama signed into law a cybersecurity executive order at the same time CISPA was reintroduced into the House.