How CISPA would affect you (faq)

CISPA may have cleared the U.S. House of Representatives, but the fight isn't over. It's shifted to the U.S. Senate. Here's CNET's FAQ on what you need to know about this particularly controversial Internet bill.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
House Intelligence Chairman Mike Rogers, who says CISPA will not endanger Americans' privacy. U.S. House of Representatives

It took a debate that stretched to nearly seven hours, and votes on over a dozen amendments, but the U.S. House of Representatives finally approved the Cyber Intelligence Sharing and Protection Act on April 26.

Passions flared on both sides before the final vote on CISPA, which cleared the House by a comfortable margin of 248 to 168.

CISPA would "waive every single privacy law ever enacted in the name of cybersecurity," Rep. Jared Polis, a Colorado Democrat and onetime Web entrepreneur, said during the debate. "Allowing the military and NSA to spy on Americans on American soil goes against every principle this country was founded on."

Rep. Mike Rogers (R-Mich.), the chairman of the House Intelligence Committee and author of CISPA, responded by telling his colleagues to ignore "all the things they're saying about the bill that are not true." He pleaded: "Stand for America! Support this bill!"

While CISPA initially wasn't an especially partisan bill -- it cleared the House Intelligence Committee by a vote of 17 to 1 last December -- it gradually moved in that direction. The final tally was 206 Republicans voting for it, and 28 opposed. Of the Democrats, 42 voted for CISPA and 140 were opposed. House Minority Leader Nancy Pelosi said afterward on Twitter that CISPA "didn't strike the right balance" and Republicans "didn't allow amendments to strengthen privacy protections."

The ACLU, on the other hand, told CNET that the amendments -- even if they had been allowed -- would not have been effective. "They just put the veneer of privacy protections on the bill, and will garner more support for the bill even without making substantial changes," said Michelle Richardson, legislative counsel for the ACLU.

Keep reading for some more details from CNET's FAQ about what you need to know about CISPA.

Q: What happens next?
CISPA heads to the Senate, where related cybersecurity legislation has been stalled for years. Senate Majority Leader Harry Reid, however, has said he'd like to move forward with cybersecurity legislation in May. Its outlook is uncertain.

Senate Democrats may be less likely than House Republicans to advance CISPA after the White House's veto threat on April 25. The administration said CISPA "effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres."

CISPA Excerpts

Excerpts from the Cyber Intelligence Sharing and Protection Act:

"Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes -- (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and (ii) share such cyber threat information with any other entity, including the Federal Government...

The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself."

CISPA's opponents are already rallying Americans to contact their senators to oppose CISPA. Demand Progress has created a petition. The Electronic Frontier Foundation says it "vows to continue the fight in the Senate."

Q: What does CISPA do? Let the National Security Agency spy on Americans?
CISPA wouldn't formally grant the NSA or Homeland Security any additional surveillance authority. (A proposed amendment that would have done so was withdrawn on April 26.)

But it would usher in a new era of information sharing between companies and government agencies -- with limited oversight and privacy safeguards. The House Rules committee on April 25 rejected a series of modestly pro-privacy amendments, which led a coalition of civil-liberties groups to complain that "amendments that are imperative won't even be considered" in a letter the following day.

Q: Who opposes CISPA?
Advocacy groups, including the American Library Association, the Electronic Frontier Foundation, the ACLU, and the libertarian-leaning TechFreedom, launched a "Stop Cyber Spying" campaign in mid-April -- complete with a write-your-congresscritter-via-Twitter app -- and the bill has drawn the ire of Anonymous.

A letter (PDF) from two dozen organizations, including the Republican Liberty Caucus, urges a "no" vote on CISPA, and over 750,000 people have signed an anti-CISPA Web petition. Free-market and libertarian groups have opposed it. The Center for Democracy and Technology flip-flopped twice on CISPA as the result of a short-lived deal with the bill's authors not to criticize it.

Rep. Ron Paul, the Texas Republican and presidential candidate, warned on April 23 that CISPA represents the "latest assault on Internet freedom" and was "Big Brother writ large." And 18 Democratic House members signed a letter (PDF) the same day warning that CISPA "does not include necessary safeguards" and that critics have raised "real and serious privacy concerns."

House members clockwise from top left: Jared Polis, who warned CISPA would "waive every single privacy law ever enacted"; Adam Schiff; Sheila Jackson Lee; Jan Schakowsky; Mike Rogers; Hank Johnson C-SPAN

Q: Why is CISPA so controversial?
What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so.

By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.")

"Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."

If CISPA were enacted, "part of the problem is we don't know exactly what's going to happen," says Lee Tien, an attorney at the Electronic Frontier Foundation, which sued AT&T over the Bush administration's warrantless wiretapping program. "I worry that you can get a version of cybersecurity warrantless wiretapping out of this."

CISPA's authorization for information sharing extends far beyond Web companies and social networks. It would also apply to Internet service providers, including ones that already have an intimate relationship with Washington officialdom. Large companies including AT&T and Verizon handed billions of customer records to the NSA; only Qwest refused to participate. Verizon turned over customer data to the FBI without court orders. An AT&T whistleblower accused the company of illegally opening its network to the NSA, a practice that the U.S. Congress retroactively made legal in 2008.

Q: Are there other examples of this public-private cooperation for eavesdropping?
Unfortunately, yes.

Louis Tordella, the longest-serving deputy director of the NSA, acknowledged overseeing a similar project to intercept telegrams as recently as the 1970s. It relied on the major telegraph companies including Western Union secretly turning over copies of all messages sent to or from the United States. "All of the big international carriers were involved, but none of 'em ever got a nickel for what they did," Tordella said before his death in 1996, according to a history written by L. Britt Snider, a Senate aide who became the CIA's inspector general.

The telegraph interception operation was called Project Shamrock. It involved a courier making daily trips from the NSA's headquarters in Fort Meade, Md., to New York to retrieve digital copies of the telegrams on magnetic tape.

President Richard Nixon, plagued by anti-Vietnam protests and worried about foreign influence, ordered that Project Shamrock's electronic ear be turned inward to eavesdrop on American citizens. In 1969, Nixon met with the heads of the NSA, CIA and FBI and authorized an intercept program. Nixon later withdrew the formal authorization, but informally, police and intelligence agencies kept adding names to the watch list. At its peak, 600 American citizens appeared on the list, including singer Joan Baez, pediatrician Benjamin Spock, actress Jane Fonda and the Rev. Martin Luther King Jr.

This apparently has continued. In his 2006 book titled "State of War," New York Times reporter James Risen wrote: "The NSA has extremely close relationships with both the telecommunications and computer industries, according to several government officials. Only a very few top executives in each corporation are aware of such relationships."

In a recent Wired article, author James Bamford described how the NSA is currently building the nation's biggest spy center, a $2 billion facility in the Utah desert. Bamford quoted William Binney, a former NSA official, as saying the NSA's backdoor into the U.S. telecommunications network goes far beyond AT&T's facility on Second Street in San Francisco. "I think there's 10 to 20 of them," Binney said. "That's not just San Francisco; they have them in the middle of the country and also on the East Coast."

Q: Would CISPA allow companies to violate their terms of service by turning over information to the Feds without a search warrant?
Yes. Though to be clear: if you trust your Internet provider, e-mail provider, and so on, to protect your privacy, CISPA should not be a worrisome bill. The U.S. government can't force companies to open their databases and networks; federal agencies can only request it. But as the warrantless wiretapping debate shows, the private sector may acquiesce.

One reason CISPA would be useful for government eavesdroppers is that, under existing federal law, any person or company who helps someone "intercept any wire, oral, or electronic communication" -- unless specifically authorized by law -- could face criminal charges. CISPA would trump all other laws.

Q: What's the argument for enacting it?
A position paper on CISPA from Reps. Rogers and Ruppersberger says their bill is necessary to deal with threats from China and Russia and that it "protects privacy by prohibiting the government from requiring private sector entities to provide information." In addition, they stress that "no new authorities are granted to the Department of Defense or the intelligence community to direct private or public sector cybersecurity efforts."

During the April 26 floor debate, Rogers said:

In just the last few years, nation states like China have stolen enough intellectual property from just defense contractors, that would be equivalent to 50 times the print collection of the US Library of Congress. We have nation states who are literally stealing jobs and our future. We also have countries that are engaged in activities and have capabilities that have the ability to break networks, computer networks. Which means you can't just reboot. It means your system is literally broken. Those kinds of disruptions can be catastrophic when you think about the financial sector, or the energy sector, or our command and control elements for all our national security apparatus.

You know, without our ideas, without our innovation that countries like China are stealing every single day; we will cease to be a great nation. They are slowly and silently and quickly stealing the value and prosperity of America. One credit card company said that they get attacked for your personal information 300,000 times a day, one company.

Q: What industry groups support CISPA?
One of the biggest differences between CISPA and its Stop Online Piracy Act predecessor is that the Web blocking bill was defeated by a broad alliance of Internet companies and millions of peeved users. Not CISPA: the House Intelligence committee proudly lists letters of support from Facebook, Microsoft, Oracle, Symantec, Verizon, AT&T, Intel, and trade association CTIA, which counts representatives of T-Mobile, Sybase, Nokia, and Qualcomm as board members.

In February, Facebook VP Joel Kaplan wrote (PDF) an enthusiastic letter to Rogers and Ruppersberger to "commend" them on CISPA, which he said "removes burdensome rules that currently can inhibit protection of the cyber ecosystem."

By mid-April, however, Facebook had been forced on the defensive, with Kaplan now assuring users that his employer has "no intention" of sharing users' personal data with the Feds and that section is "unrelated to the things we liked" about CISPA in the first place. (A Demand Progress campaign says: "Internet users were able to push GoDaddy to withdraw its support of SOPA. Now it's time to make sure Facebook knows we're furious.")

Q: Was CISPA rushed through the House?
Not really. It was introduced in late November 2011 and approved by the House Intelligence Committee a few weeks later. So the public had approximately five months to review the bill before the April 26 House floor vote.

On the other hand, CISPA did move relatively swiftly through the legislative process, and the House Republican leadership moved up the floor vote by one day at the last moment.

During a town hall that CNET hosted on April 19 in San Francisco, a House Intelligence aide argued that it was a deliberative process. CISPA opponents say the measure is being "rushed through," said senior counsel Jamil Jaffer. "I can't disagree with that more."

Q: Is CISPA worse than SOPA?
For all its flaws, SOPA targeted primarily overseas Web sites, not domestic ones. It would have allowed the U.S. attorney general to seek a court order against the targeted offshore Web site that would, in turn, be served on Internet providers in an effort to make the target virtually disappear.

It was kind of an Internet death penalty targeting Web sites like ThePirateBay.org, not sites like YouTube.com, which are already subject to U.S. law.

CISPA, by contrast, would allow Americans' personal information to be vacuumed up by government agencies for cybersecurity and law enforcement purposes, as long as Internet and telecommunications companies agreed. In that respect, at least, its impact is broader.