A bill similar to the Stop Online Piracy Act (SOPA) — which was postponed earlier this year following significant public backlash and scrutiny — is being introduced by Rep. Michael Rogers (R-MI) and sponsored by 106 House members. Already, Rep. Rogers’s Cyber Intelligence Sharing and Protection Act of 2011 (CISPA) is receiving significant criticism. Per the Electronic Frontier Foundation:
Under the proposed legislation, a company that protects itself or other companies against “cybersecurity threats” can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company under threat. But because “us[ing] cybersecurity systems” is incredibly vague, it could be interpreted to mean monitoring email, filtering content, or even blocking access to sites. A company acting on a “cybersecurity threat” would be able to bypass all existing laws, including laws prohibiting telcos from routinely monitoring communications, so long as it acted in “good faith.”
EFF staff technologist Dan Auerbach says CISPA and SOPA are separate bills with separate issues. He claims there were a great many First Amendment issues with SOPA, but believes CISPA has Fourth Amendment problems. Auerbach described three major concerns with CISPA:
First, the definitions are too vague in the bill. With vague definitions comes a lot of wiggle room for both the government and companies, both in terms of monitoring and countermeasures (for cyber security threats). It’s hard to know what [the government’s] actual plans are, and the reason it’s hard to know is it’s so damn vague.
Auerbach’s second concern: CISPA would grant total immunity to internet service providers and cable and telephone companies who share information with government agencies, “notwithstanding any other law.” Users would have no recourse if their privacy was violated.
His third concern: the bill would give authority for gathering “cyber intelligence” over to the super-secretive National Security Agency (NSA):
It puts not a civilian agency in charge, but the NSA. The dangerous part about putting the NSA in charge is that NSA is a spectacularly non-transparent agency.
Auerbach told PJ Media that there has been some talk by Congress of amending the bill to put the Department of Homeland Security (DHS) in charge rather than the NSA. But Auerbach says that’s a distinction without a difference, as there’s nothing stopping DHS from promptly passing the information along to the NSA.
It’s a completely different issue [than SOPA]. This is about government monitoring. [SOPA] is about the First Amendment, [CISPA] is about the Fourth, but they both take a legitimate problem and try to tackle it with an overbroad solution.
The broad language around what constitutes a cybersecurity threat leaves the door wide open for abuse. For example, the bill defines “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”
Yes, intellectual property. It’s a little piece of SOPA wrapped up in a bill that’s supposedly designed to facilitate detection of and defense against cybersecurity threats.
The language is so vague that an ISP could use it to monitor communications of subscribers for potential infringement of intellectual property. An ISP could even interpret this bill as allowing them to block accounts believed to be infringing, block access to websites like The Pirate Bay believed to carry infringing content, or take other measures provided they claimed it was motivated by cybersecurity concerns.
Auerbach and the EFF agree there may be a need for legislation, or at least congressional discussion, on the topic, but remain unconvinced this bill is necessary:
There is a real debate to be had about what measures should be deployed. But there’s no real evidence to say we need this bill.
The analysis by Reitman and Tein concludes:
Congress is intent on passing cybersecurity legislation this year, and there are multiple proposals in the House and the Senate under debate. But none is as poorly drafted and dangerously vague as the Rogers bill. We need to stop this bill in its tracks, before it can advance in the House and before the authors can negotiate to place this overbroad language into other cybersecurity proposals.