CISPA vote means companies can't promise to protect privacy

Proposed amendment to CISPA says Internet companies' promises to protect customer privacy were legally enforceable. But then Republicans vote it down.

Rep. Pete Sessions, a Texas Republican shown in this photo from last year, told his colleagues the privacy amendments weren't in "the spirit" of protecting the United States from cyberattacks.

Google, Facebook, Twitter, and other Internet companies and e-mail providers will be prohibited from making legally binding promises to protect your privacy, thanks to a vote this afternoon in the U.S. House of Representatives.

By a 5-8 vote, the House Rules committee rejected a bipartisan fix to the CISPA data-sharing bill that would have ensured companies' privacy promises -- including their terms of use and privacy policies -- remained valid and legally enforceable in the future.

The vote came after Rep. Pete Sessions, a Texas Republican who's the committee's influential chairman, urged his colleagues to vote against the amendment (PDF). All of the committee's eight GOP members voted against the amendment, and all the Democrats supported it. (See CNET's CISPA FAQ.)

It also came hours after a formal veto threat from the Obama administration, citing privacy and other concerns about CISPA. A House floor debate is scheduled to begin tomorrow, which now will not include a vote on the amendment.

"We're disappointed that such a commonsense reform won't even get a vote," Will Adams, a spokesman for Rep. Justin Amash, a Michigan Republican who co-sponsored the amendment, told CNET this evening. "When Americans sign up for service with their phone company or their Internet provider they should be entitled to the privacy protections that the companies promise them. Giving companies legal cover to break their contracts with consumers is bad policy and a disservice to the American people."

Congress should have been able to debate the amendment this week because it would ensure Americans' privacy rights, said Rep. Jared Polis, a Colorado Democrat and former Internet entrepreneur. That includes, he said, the rights of "users who have given their information to the company under the explicit assurance of the terms of use that it wouldn't be shared."

These IBM officials were lobbying Rep. Sessions, center, on cybersecurity legislation, according to this photo that appeared in his Twitter feed. IBM has lobbied for CISPA, saying "information sharing from industry to government" is "valuable."

Otherwise, Polis said, CISPA means Internet and other companies will be "completely exonerated from any risk of liability" if they open their databases with confidential customer information to the feds and even private-sector firms.

The amendment was only six lines long. It would have altered the latest version of CISPA (PDF) by saying the legislation does not authorize a company "to breach a contract with any other party," including a terms of service agreement.

If it had been adopted during the floor debate, it would have allowed e-mail providers, social networks, and other companies to pledge not to share customers' confidential information with the National Security Agency, Homeland Security, or any other organization under CISPA -- and made that pledge legally enforceable in court.

CISPA is controversial because it overrules all existing federal and state laws by saying "notwithstanding any other provision of law," including a privacy policy or terms of service agreement, companies may share certain confidential customer information "with any other entity, including the federal government." It would not, however, require them to do so.

That language has alarmed dozens of advocacy groups, including the American Library Association, the American Civil Liberties Union, the Electronic Frontier Foundation, and Reporters Without Borders, which sent a letter (PDF) to Congress last month opposing CISPA. It says: "CISPA's information sharing regime allows the transfer of vast amounts of data, including sensitive information like Internet records or the content of e-mails, to any agency in the government."

A representative for House Intelligence Chairman Mike Rogers (R-Mich.), CISPA's primary author, did not immediately respond to questions from CNET this afternoon.

Other amendments that were approved for discussion during the floor debate include one (PDF) that restricts when federal agencies may vacuum up library records, firearm-sales records, educational records, and medical records. Another (PDF) says CISPA will not authorize the NSA or any other spy agencies "to target a United States person for surveillance."

A reprise of 2012?
Last year, a similar coalition mounted an attempt to defeat CISPA. It failed: despite a presidential veto threat and opposition from Ron Paul (R-Tex.) and many of the same critics who offered amendments this week, the House of Representatives approved the measure by a largely party-line vote of 248-168. The bill did not, however, receive a vote in the Senate because of wrangling over a Democratic-backed bill with different privacy problems, and it never became law.

A House committee approved CISPA last week without four key privacy amendments sought by opponents that would have curbed the National Security Agency's ability to collect confidential data.

CISPA's advocates say it's needed to encourage companies to share more information with the federal government, and to a lesser extent among themselves. A "Myth v. Fact" paper (PDF) prepared by the House Intelligence committee says any claim that "this legislation creates a wide-ranging government surveillance program" is a myth.

Rep. Adam Schiff (D-Calif.), who voted against the bill during last week's House Intelligence meeting, said at the time he was "disappointed" that his proposal was overwhelmingly rejected by his colleagues.

"It is not too much to ask that companies make sure they aren't sending private information about their customers, their clients, and their employees to intelligence agencies," Schiff said.

Unlike last year's Stop Online Piracy Act outcry, in which Internet users and civil liberties groups allied with technology companies against Hollywood, no broad alliance exists this time. Companies including AT&T, Comcast, EMC, IBM, Intel, McAfee, Oracle, Time Warner Cable, and Verizon have instead signed on as supporters.

There are some exceptions. As CNET reported last month, Facebook has been one of the few companies to rescind its support. Microsoft has also backed away. Google has not taken a public position.