X

Facebook unfriends CISPA cybersecurity bill over 'privacy'

Authors of cybersecurity bill criticized for privacy invasions used Facebook's enthusiasm to attract political support in D.C. Now the company's execs have backed away from CISPA.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read
Facebook once lauded a controversial information-sharing bill named CISPA, resulting in a petition aimed at convincing CEO Mark Zuckerberg otherwise. The company has since changed its position.
Facebook once lauded a controversial information-sharing bill named CISPA, resulting in a petition aimed at convincing CEO Mark Zuckerberg otherwise. The company has since changed its position. James Martin/CNET

Facebook no longer supports a controversial federal cybersecurity bill that would let U.S. companies share personal information with government agencies in ways currently prohibited by privacy laws.

The social-networking company had previously applauded the Cyber Intelligence Sharing and Protection Act, or CISPA, which was reintroduced last month. Facebook Vice President Joel Kaplan wrote a letter (PDF) last February to Rep. Mike Rogers, a Michigan Republican, "to commend you on your legislation," and Rogers sent out his own press release noting Facebook's "strong support" for the bill.

CISPA Excerpts

Excerpts from the Cyber Intelligence Sharing and Protection Act:

"Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes -- (i) use cybersecurity systems to identify and obtain cyberthreat information to protect the rights and property of such self-protected entity; and (ii) share such cyberthreat information with any other entity, including the Federal Government...

The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself."

But then groups including the American Civil Liberties Union, the Electronic Frontier Foundation, the National Association of Criminal Defense Lawyers, and the Republican Liberty Caucus raised privacy alarms. CISPA would "waive every single privacy law ever enacted in the name of cybersecurity," Rep. Jared Polis, a Colorado Democrat and onetime Web entrepreneur, warned during a House of Representatives debate a few months later. (See CNET's CISPA FAQ.)

Because of its high-profile enthusiasm for CISPA, Facebook was singled out by Demand Progress in a campaign directed at CEO Mark Zuckerberg that said: "You're encouraging Congress to obliterate online privacy -- even as your users express increasing concern about the privacy of their accounts on your site. Please withdraw your support for CISPA right away."

Now Facebook has changed its tune. The social-networking company appeared in a previous list of corporate supporters that CISPA's authors published last year. It's nowhere to be seen in the current one on the House Intelligence Committee's Web site, which lists AT&T, IBM, Intel, and other companies as supporters.

CISPA is controversial because it overrules all existing federal and state laws by saying "notwithstanding any other provision of law," companies may share certain information "with any other entity, including the federal government." It would not, however, require them to do so. Supporters say (PDF) it's necessary to "improve the government's ability to protect against foreign cyberthreats" and give "intelligence agencies tips and leads to help them find advanced foreign cyberhackers overseas."

A Facebook spokeswoman told CNET today that her employer prefers a legislative "balance" that ensures "the privacy of our users":

We are encouraged by the continued attention of Congress to this important issue and we look forward to working with both the House and the Senate to find a legislative balance that promotes government sharing of cyberthreat information with the private sector while also ensuring the privacy of our users.

"Good for Facebook," said Michelle Richardson, legislative counsel to the ACLU, which has opposed CISPA. "I hope this evolves into flat-out opposition if CISPA isn't fundamentally rewritten to protect privacy."

This follows the lead of Microsoft, which backed away from CISPA, citing "consumer privacy," the day after the House approved the legislation last April. As the result of political wrangling over a Democratic-backed competing proposal, both bills died in the Senate last fall.

Scott Charney, Microsoft's vice president for trustworthy computing, today echoed his employer's privacy concerns with CISPA. Charney told CNET today that: "Microsoft believes that any proposed legislation should facilitate the voluntary sharing of cyberthreat information in a manner that allows us to honor the privacy and security promises we make to our customers."

A spokeswoman for CISPA author Rogers, the chairman of the House Intelligence Committee, did not respond to requests for comment today.