Privacy backlash against CISPA cybersecurity bill gains traction

A petition to the White House asking the president to "stop" a controversial cybersecurity bill passes the 100,000 mark. The only problem: President Obama has already threatened to veto it.

Declan McCullagh Former Senior Writer
House members during last year's floor debate on CISPA (clockwise from top left): Jared Polis, who warned it would "waive every single privacy law ever enacted"; Adam Schiff; Sheila Jackson Lee; Hank Johnson; Mike Rogers; Jan Schakowsky. Credit: C-SPAN

It's not exactly a secret where President Obama stands on a controversial Republican-backed cybersecurity bill: he's already promised to veto it.

But a cadre of Internet activists opposed to the Cyber Intelligence Sharing and Protection Act nevertheless created a petition to the president asking him to "stop CISPA" -- and it has crossed the 100,000-signature threshold necessary to secure a response from the administration.

In reality, there's little Obama can do to stop CISPA that he hasn't already done. The administration offered a stark warning in last year's veto threat, which talked up a competing Democrat-backed bill and predicted CISPA "will undermine the public's trust in the government as well as in the Internet by undermining fundamental privacy, confidentiality, civil liberties, and consumer protections."

CISPA is controversial because it overrules all existing federal and state laws by saying "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It would not, however, require them to do so.

That language has alarmed dozens of advocacy groups, including the American Library Association, the ACLU, the Electronic Frontier Foundation, and Reporters Without Borders, which sent a letter (PDF) to Congress on Monday opposing CISPA. It says: "CISPA's information sharing regime allows the transfer of vast amounts of data, including sensitive information like Internet records or the content of e-mails, to any agency in the government."

If this sounds a bit familiar, it should. A similar coalition mounted an attempt to defeat CISPA last year. It failed: despite a presidential veto threat and criticism from Rep. Jared Polis (D-Colo.) and Ron Paul (R-Tex.), the House of Representatives approved the measure by a largely party-line vote of 248 to 168. The bill did not, however, receive a vote in the Senate.

Undaunted, Rep. Mike Rogers, a Michigan Republican and influential chairman of the House Intelligence Committee, reintroduced CISPA (H.R. 624) last month along with Rep. Dutch Ruppersberger, a Maryland Democrat. It's supported by AT&T, the U.S. Chamber of Commerce, Verizon, Intel, IBM, Comcast, and industry trade associations, according to letters of support posted on the committee's Web site.

Rogers' statement (PDF) in defense of CISPA says his legislation is necessary to head off cyberattacks from China and other sources:

This important legislation enables cyberthreat sharing within the private sector and, on a purely voluntary basis, with the government, all while providing strong protections for privacy and civil liberties. Voluntary information sharing with the federal government helps improve the government's ability to protect against foreign cyberthreats and gives our intelligence agencies tips and leads to help them find advanced foreign cyberhackers overseas. This in turn allows the government to provide better cyberthreat intelligence back to the private sector to help it protect itself.

One reason CISPA would be useful for government agencies hoping to conduct additional surveillance is that, under existing federal law, any person or company who helps someone "intercept any wire, oral, or electronic communication" -- unless specifically authorized by law -- could face criminal charges. CISPA would overrule those privacy protections.

Technology trade associations, and a few tech companies, are backing CISPA not because they necessarily adore it, but because they view it as preferable to a Democrat-backed bill that's more regulatory.

But last year's Democratic bill, backed by then-Sen. Joseph Lieberman (I-Conn.), had privacy problems of its own. Civil liberties groups including the Electronic Frontier Foundation opposed Lieberman's bill, warning last year that it would have given "companies new rights to monitor our private communications and pass that data to the government."

After the Senate failed to approve either CISPA or Lieberman's bill, Obama responded last month by signing a cybersecurity executive order. It doesn't rewrite privacy laws, and instead expands "real time sharing of cyberthreat information" to companies that operate critical infrastructure, asks NIST to devise cybersecurity standards, and proposes a "review of existing cybersecurity regulation."