Privacy protections booted from CISPA data-sharing bill

Committee overwhelmingly votes down privacy amendments that would have curbed National Security Agency's access to private sector data. Now the bill heads to the House floor for a vote.

Declan McCullagh Former Senior Writer
House Intelligence chairman Mike Rogers, CISPA's author (left), says allowing U.S. companies to share types of data with the National Security Agency will allow them to fend off "cyber looters." Getty Images

A controversial data-sharing bill won the approval of a key congressional committee today without privacy amendments, raising concerns that the National Security Agency and other spy agencies will gain broad access to Americans' personal information.

The House Intelligence committee, by a vote of 18 to 2, adopted the so-called CISPA bill after an unusual session closed to the public where panel members debated and voted on the proposed law in secret.

Rep. Jan Schakowsky (D-Ill.), who proposed three unsuccessful privacy amendments, said afterward she was disappointed her colleagues did not limit the NSA and other intelligence agencies from collecting sensitive data on Americans. (See CNET's CISPA FAQ.)

Her privacy amendments would have "required that companies report cyber threat information directly to civilian agencies, and maintained the long-standing tradition that the military doesn't operate on U.S. soil against American citizens," Schakowsky said.

Schakowsky had attempted to fix one of the most contested parts of CISPA: language overruling every state and federal privacy law by allowing companies to "share" some types of confidential customer information with the NSA and other intelligence and law enforcement agencies. While no portion of CISPA requires companies to share data with the feds, major telecommunications providers have illegally shared customer data with the NSA before, leading to a congressional grant of retroactive immunity in 2008.

Today's committee decision advances CISPA to the House floor, with a vote expected as soon as next week. It's a difficult vote to handicap: it could be a reprise of last year, when members approved the legislation by a vote of 248 to 168. On the other hand, if only 40 members switch their votes from yea to nay, CISPA is defeated.

Last time around, a formal veto threat by President Obama a day before the House vote helped galvanize Democratic opposition -- Democrats preferred their own legislation, which had a different set of privacy problems. But the White House has not responded to an anti-CISPA petition that topped 100,000 signatures a month ago, and the president's recent signature on a cybersecurity executive order may mean the administration's position on legislation has shifted.

CISPA's advocates say it's needed to encourage companies to share more cybersecurity-related information with the federal government, and to a lesser extent among themselves. A "Myth v. Fact" paper (PDF) prepared by the House Intelligence committee says any claim that "this legislation creates a wide-ranging government surveillance program" is a myth.

"Cyber-hackers from nation-states like China, Russia, and Iran are infiltrating American cyber networks, stealing billions of dollars a year in intellectual property, and undermining the technological innovation at the heart of America's economy," House Intelligence chairman Mike Rogers (R-Mich.), sponsor of CISPA, said after the vote. "This bill takes a solid step toward helping American businesses protect their networks from these cyber looters."

The four privacy amendments that were rejected included:

• Limiting the sharing of private sector data to civilian agencies, and specifically excluding the NSA and the Defense Department. (Failed by a 4-14 vote.) (PDF)

• Directing the president to create a high-level privacy post that would oversee "the retention, use, and disclosure of communications, records, system traffic, or other information" acquired by the federal government. It would also include "requirements to safeguard communications" with personal information about Americans. (Failed by a 3-16 vote.) (PDF)

• Eliminating vague language that grants complete immunity from civil and criminal liability to companies that "obtain" information about vulnerabilities or security flaws and make "decisions" based on that information. (Failed by a 4-16 vote.) (PDF)

• Requiring that companies sharing confidential data "make reasonable efforts" to delete "information that can be used to identify" individual Americans. (Failed by a 4-16 vote.) (PDF)

Rep. Jan Schakowsky (D-Ill.) voted against CISPA in committee today because the U.S. military -- which includes the NSA -- shouldn't "operate on U.S. soil against American citizens." Getty Images

The six amendments that were adopted include:

• Specifying that Homeland Security will be copied on information sent by companies to other federal agencies "in as close to real time as possible." This amendment also prohibits companies submitting data to the federal government from specifying that it would be sent only to one federal agency. Submitted data can be shared with other agencies. (Approved by voice vote.) (PDF)

• Requiring that privacy officers from the Director of National Intelligence, the Justice Department, and other agencies "annually and jointly submit to Congress a report" about how CISPA is used. There is no requirement, however, that the report be unclassified and available to the public. (Approved by voice vote.) (PDF)

• Saying that organizations receiving information from companies may only use it to safeguard systems, block unauthorized access, and patch vulnerabilities. There's a big loophole: that does not apply to the federal government. (Approved by voice vote.) (PDF)

• Deleting nebulous language that would have allowed information shared with the federal government to be used "to protect the national security." That information can still be used for cybersecurity purposes, prosecuting cybersecurity crimes, and for prosecuting violent crimes and people accused of possessing child pornography. (Approved by voice vote.) (PDF)

The primary reason CISPA is so contentious is that it overrides every other state and federal law on the books, including laws dealing with e-mail privacy, when authorizing companies to share data with the feds. Data that can be shared includes broad categories of information relating to security vulnerabilities, network uptime, intrusion attempts, and denial-of-service attacks, with no limit on including personal data.

Rep. Adam Schiff (D-Calif.), who proposed one of four unsuccessful privacy amendments and joined Schakowsky in opposing the final bill, said afterward he was "disappointed" that his proposal was overwhelmingly rejected by his colleagues.

CISPA Excerpts

Excerpts from the Cyber Intelligence Sharing and Protection Act:

"Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes -- (i) use cybersecurity systems to identify and obtain cyberthreat information to protect the rights and property of such self-protected entity; and (ii) share such cyberthreat information with any other entity, including the Federal Government...

The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself."

"It is not too much to ask that companies make sure they aren't sending private information about their customers, their clients, and their employees to intelligence agencies," Schiff said.

Unlike last year's Stop Online Piracy Act outcry, in which Internet users and civil liberties groups allied with technology companies against Hollywood, no broad alliance exists this time. Companies including AT&T, Comcast, EMC, IBM, Intel, McAfee, Oracle, Time Warner Cable, and Verizon have instead signed on as supporters of CISPA.

The Software and Information Industry Association, for instance, applauded the bill's committee approval after the vote, saying it "supports CISPA because it would provide the critical necessary framework for early detection and notification of cybersecurity threats."

There are some exceptions. As CNET reported last month, Facebook has been one of the few companies to rescind its support. Microsoft has also backed away. Google has not taken a public position.

Michelle Richardson, ACLU legislative counsel, said her organization had identified four problems with CISPA before today's closed-door vote: limiting government use of shared data, civilian vs. military access, protection of personal information, and clearly prohibiting "hacking back" in self-defense to disrupt a suspected attacker's system.

CISPA remains a terrible idea after today's amendments, Richardson said: "Eighty percent of our original materials and criticism stands. It's going to take a lot of effort on our part to make sure word gets out to members of the House."