Last week, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA) by a vote of 248 to 168. The bill will allow (but not require) private companies to provide the government with the private information they collect, and the government may access and use this information without a warrant.
Originally, the use of this information was meant to be used for the purpose of defending against threats to cyber security. However, the bill was passed with several amendments, including one purporting to limit the vague term cyber security to five more specific instances: 1) cyber security, 2) prosecution and investigation of cyber crime, 3) protecting individuals from death or physical injury, 4) protecting minors from physical or psychological harm, and 5) national security.
First of all, the term cyber security hasn’t been removed. Supposedly, going by statements from various Representatives, the purpose of CISPA is to prevent attacks by foreign hackers. So, the additional provisions in this amendment expand CISPA instead of limiting it. Left as is, courts faced with the question of the exact definition of cyber security would have looked to factors including legislative history to determine the statute’s intent and likely, looking at all the speeches claiming that no way was this supposed to affect the privacy of American citizens, would have reasonably concluded as much.
The amendment just introduces more nebulous definitions. “Physical and psychological harm” – it’s hard to imagine any way this could have been phrased more vaguely. Also, there has been much less talk about the provisions of this amendment, much less any legislative history to determine intent and definitions. The vagueness may even be intentional here, specifically so as to include a broad range of suspect conduct. If this part of the amendment means to target issues such as sexual solicitation of minors, it could have just enumerate the specific conduct it meant to prevent.
Although participation is voluntary, many companies, including Facebook and Microsoft, have declared themselves in favor of the bill. Facebook added that it won’t share personal information with the government. Given Facebook’s generally lackadaisical — at best — attitude to its users’ privacy, this doesn’t sound very reassuring.
A full list of companies that have given their direct support of CISPA appears on the U.S. House of Representatives Permanent Selection Committee on Intelligence website, along with PDF copies of letters of support from companies such as AT&T, Facebook, Lockheed Martin, Oracle, and more.
Earlier this year, Justice Elena Kagan, in her concurring opinion in U.S. versus Jones, expressed a specific concern with the threat to privacy that unbridled government access to and use of aggregations of citizens’ private information. The White House has announced its intention to veto the bill, citing privacy concerns as the reason, and states that it’s in favor of a cyber security program with oversight by the Department of Homeland Security. House Speaker John Boehner retorted that this is because the “government wants to run everything.” It makes sense, however, that the government should be in charge of national security, which is ostensibly what this is all about. However, there already exist procedural vehicles for collecting information held by individuals or corporations — something called a search warrant, for instance.