Supporters Say All The Wrong Things to Try and Pass CISPA

Deeplinks 2013-04-08

Summary:

Ever since reintroducing CISPA, the so-called "cybersecurity bill," its supporters have promoted the bill with craftily worded or just plain misleading claims. Such claims have been lobbed over and over again in op-eds, at hearings, and in press materials. One "fact sheet" by Reps. Rogers and Ruppersberger titled "Myth v. Fact" is so dubious that we felt we had to comment. To stop this type of misinformation—and to stop CISPA—we urge you to tell your members of Congress to stand up for privacy.

Here are some of the statements supporters of CISPA are pushing and why they're false:

Supporters of CISPA say, "There are no broad definitions"

Supporters are keen to note that the bill doesn't have broad definitions. In the "Myth v. Fact" sheet, the authors of CISPA specifically point to the definition of "cyber threat information." Cyber threat information is information about an online threat that companies can share with each other and with any government agency—including the NSA. In hearings, experts have said that they don't need to share personally identifiable information to combat threats. But the definition in the bill allows for any information related to a perceived threat or vulnerability—including sensitive personal information—to be shared. Cyber threat information should be a narrowly defined term.

Another example of a broad (or missing) definition is the term "cybersecurity system." Companies can use a "cybersecurity system" to "identify or obtain" information about a potential threat ("cyber threat information"). The definition is critical to understanding the bill, but is circular. CISPA defines a "cybersecurity system" as "a system designed or employed" for a cybersecurity purpose (i.e. to protect against vulnerabilities or threats). The language is not limited to network security software or intrusion detection systems, and is so broadly written that one wonders if a "system" involving a tangible item—e.g., locks on doors—could be considered a "cybersecurity system." In practical terms, it’s unclear exactly what is covered by such a "system," because the word “system” is never defined.

The best example of a dangerous undefined term in the bill is found within the overly broad legal immunity for companies. The clause grants a company that acts in "good faith" immunity for "any decisions made" based on the information it learns from the government or other companies. Does this cover decisions to violate other laws, like computer crime laws? Or privacy laws intended to protect users? Companies should not be given carte blanche immunity to violate long-standing computer crime and privacy law. And it is notoriously hard to prove that a company acted in bad faith, in the few circumstances where you would actually find out your privacy had been violated.

Supporters of CISPA say, “The bill is not a government surveillance program”

Supporters are adamant CISPA doesn't create a wide-ranging "government surveillance program." It’s true the bill doesn't create a surveillance program like the one described in the ongoing warrantless wiretapping lawsuits.

But the trick here is what is meant by “government surveillance.” We think that if the bill aims at having our information flow to the government, it’s tantamount to government surveillance, whether or not the government initially collected the information.

The bill creates a loophole in the privacy laws that prevented companies from disclosing your information to the government and gives companies broad legal immunity for sharing information with the government. As a result, CISPA makes it more likely that companies will surveil their own users and then disclose that information. The sly wording dodges the key issue: that CISPA encourages companies to conduct surveillance on their networks and hand “cyber threat information” to the government. In short, the bill encourages a de facto private spying regime, with the same end result.

Supporters of CISPA say, "The government can't read your private email"

Reps. Rogers and

Link:

https://www.eff.org/deeplinks/2013/03/supporters-say-all-wrong-things-try-and-pass-cispa

Authors:

Mark M. Jaycox

Date tagged:

04/08/2013, 19:36

Date published:

04/08/2013, 14:20