CISPA plan to let feds receive confidential data wins big House vote

The odds of a Democrat-controlled Senate approving legislation opposed by President Obama are slim, but today's vote could increase pressure for some sort of legislation this year.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
4 min read
CISPA author Rep. Mike Rogers, who successfully navigated his legislation through the House of Representatives despite ongoing privacy concerns
CISPA author Rep. Mike Rogers (left), who successfully navigated his legislation through the House of Representatives despite ongoing privacy concerns. Getty Images

The U.S. House of Representatives has overwhelmingly approved a controversial data-sharing bill that would authorize e-mail and Internet providers to share confidential information with the federal government.

By a 288-127 vote today, the House adopted the Cyber Intelligence Sharing and Protection Act, better known as CISPA, which supporters say is necessary to protect American networks from electronic attacks and intrusions. The vote signals more support for the bill than it enjoyed last year, when it cleared the House by a narrower margin but died in the Senate. (See CNET's CISPA FAQ.)

CISPA is "so important to our national security" that it must be adopted, said Rep. Mike Rogers, a Michigan Republican who authored CISPA and heads the House Intelligence Committee.

"This is not a surveillance bill," Rogers said during the floor debate. "It does not allow the national security agencies or the Department of Defense or our military ... to monitor our domestic networks."

CISPA Excerpts

Excerpts from the Cyber Intelligence Sharing and Protection Act:

"Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes -- (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and (ii) share such cyber threat information with any other entity, including the Federal Government...

The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself."

The discussion now shifts to the Democrat-controlled Senate, which appears unlikely to act on the legislation in the wake of a presidential veto threat earlier this week, and an executive order in January that may reduce the need for new legislation. Today's House vote, on the other hand, could increase pressure on the Senate to enact some sort of legislation.

Sen. John Rockefeller, a West Virginia Democrat who was involved in last year's cybersecurity debate, said after today's vote that "CISPA's privacy protections are insufficient." Still, Rockefeller said, "I believe we can gain bipartisan agreement on bills that we can report out of our committees and allow [Majority Leader Harry Reid] to bring them to the Senate floor as early as possible."

Today's vote left opponents deeply unsatisfied, in large part because privacy-protective amendments were rejected or not permitted to be offered. One unsuccessful amendment (PDF) would have ensured companies' privacy promises -- including their terms of use and privacy policies -- remained valid and legally enforceable in the future. Another would have curbed police ability to conduct warrantless searches of CISPA-shared data.

CISPA is controversial because it overrules all existing federal and state laws by saying "notwithstanding any other provision of law," including privacy policies and wiretap laws, companies may share cybersecurity-related information "with any other entity, including the federal government." It would not, however, require them to do so.

That language has alarmed dozens of advocacy groups, including the American Library Association, the American Civil Liberties Union, the Electronic Frontier Foundation, and Reporters Without Borders, which sent a letter (PDF) to Congress last month opposing CISPA. It says: "CISPA's information sharing regime allows the transfer of vast amounts of data, including sensitive information like Internet records or the content of e-mails, to any agency in the government." President Barack Obama this week threatened to veto CISPA.

Rep. Adam Schiff, a California Democrat, said CISPA remained problematic because there was no requirement that private sector firms remove personal information before sharing it with the federal government, and a civilian agency -- not the military or the National Security Agency -- should be in charge of receiving voluntarily shared data.

"The NSA could share data with law enforcement to investigate computer crimes -- which is so broad it includes lying about your age on your Facebook page," said Rep. Hank Johnson, a Georgia Democrat. That's a reference to the Computer Fraud and Abuse Act, which was used to prosecute the late Aaron Swartz and a Missouri woman accused of lying on her MySpace profile.

CISPA's advocates say it's needed to encourage companies to share more information with the federal government, especially in the wake of an increasing number of successful and attempted intrusions, and to a lesser extent among themselves. A "Myth v. Fact" paper (PDF) prepared by the House Intelligence Committee says any claim that "this legislation creates a wide-ranging government surveillance program" is a myth.

Update, 11 a.m. PT: Adds comment from Sen. John Rockefeller; adds link to vote tally.