CISPA Amendments Passed Out of Committee—Here’s Why The New Version Still Threatens Online Privacy

Deeplinks 2013-04-12

Summary:

Wednesday, the House Permanent Select Committee on Intelligence marked up the Cyber Intelligence Sharing and Protection Act (CISPA), the misguided “cybersecurity” bill that would create a gaping exception to existing privacy law while doing little to address palpable and pressing online security issues. The markup was held entirely behind closed doors—even though the issues being considered will have serious effects on the liberty of Internet users—and was passed out of the committee.

This means the bill can go to the floor and be voted on at any time. Please tell your Representative now to vote no on CISPA. We probably have only a few days left before the floor vote.

Here’s our analysis of the amendments and why they don’t go nearly far enough in fixing the serious problems with the bill.

Amendments That Helped—Barely.

The amendments that passed only chipped away at the edges of CISPA, without addressing the core civil liberties concerns. Here’s an overview of some of the most important changes in the bill:

Using Information for "National Security" Purposes

This amendment (PDF) would narrow how information can be used by the government after it is shared by companies. Before, the government could use information collected under CISPA for any "national security" purpose—a catch-all term we've long complained about that could basically mean anything. This amendment stops the government from using the information collected for any "national security" purpose. However, information collected under CISPA can still be used for a wide range of poorly defined purposes, like for a "cybersecurity purpose." Under the current language of the bill, "cybersecurity purpose" is defined extremely broadly—leaving the door wide open for the government to claim its use of the data was for wide-ranging actions. Another amendment (PDF) imposes the same limits: companies can only use the information they learn under CISPA for a "cybersecurity purpose." But to really address the issue of how information collected under CISPA is used, Congress would need to narrow the definition of "cybersecurity purpose."

Companies "Hacking Back"

Another amendment (PDF) approved by the committee attempts to clarify whether or not a company can "hack back" at a suspected online threat. But just like the previous amendment, its intent is far different than its actual impact.

The amendment limits companies from acting beyond their own computer networks to gather threat information; however, it ignores another section of the bill that allows wide-ranging acts in response to the perceived threat. The immunity section of CISPA covers any "decision made" based on information a company learns so long as it acts in good faith.

This is a huge loophole. A company could still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection. This section could have been fixed by limiting the broad legal immunity given to companies. But it wasn't. So the amendment still leaves the door open to abuse. A user's only recourse is to prove a company didn't act in "good faith," which is notoriously hard.

New Privacy Reports and Guidelines

The amendment (PDF) by Rep. Thompson requires that the Inspector General and the Privacy and Civil Liberties Oversight Board report on how CISPA impacts privacy and civil liberties in the government. While this is certainly nice, it leaves a big gap: it produces a report on government activity, but doesn’t address the corporate side. There’s no assessment of whether companies over-collect or over-share sensitive information. The potential for companies to improperly share sensitive or personally identifiable information is a fundamental problem with the bill.

Amendments That Didn’t Pass—But Should Have

The most important amendment the committee considered was Rep. Adam Schiff’s amendment (PDF). It created a new requirement that companies take “reasonable efforts” to remove unnecessary personal information of users before passing data to the government. While this wouldn’t fix everything that’s wrong with CISPA, it would do one vital thing: help minimize

Link:

https://www.eff.org/deeplinks/2013/04/cispa-amendment-and-passed-out-committee-heres-why-new-version-still-threatens

Authors:

Mark M. Jaycox and Rainey Reitman

Date tagged:

04/12/2013, 16:55

Date published:

04/12/2013, 16:15