Thoughts on CISPA

H.R. 3523 (also known as CISPA) starts out pretty good; the whole point is to:

“… establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.”

More open sharing of information in both directions; sounds great! And data can only be turned over if it’s related to “cyber threat intelligence,” so it will only be turned over to stop criminals from stealing personal or government secrets, right? The act defines “cyber threat intelligence” as:

“information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from … (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”

Wait, “intellectual property?” So when your kid brother sends you a Kina Grannis song, Facebook can turn over all of your personal information? It amused me that a bill that’s partially about protecting “personally identifiable information” could allow any “cybersecurity provider” you use to turn over all of your information without fear of legal repercussions. Yup, you read that last bit right:

“No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith … for using cybersecurity systems or sharing information in accordance with this section”

Sounds a bit vague. Luckily, the act also requires an annual review of shared information by the Privacy and Civil Liberties Oversight Board (at least one thing here was done right).

Yes, it might allow the government to share information in good faith, but the hopelessly vague wording of the bill also means any private company can share your information with other approved parties for “cybersecurity purposes” (cybersecurity isn’t defined anywhere in the bill, by the way).

Luckily, Facebook (among others, I’m sure) “has no intention of [sharing sensitive personal information with the government in the name of protecting cybersecurity] and it is unrelated to the things we liked about HR 3523 in the first place [1]”

Thanks Facebook; I’m glad you promise not to share everyone’s personal information.

Personally, I’m of the opinion that the vagueness of CISPA is not driven by ulterior motives, and I love the general idea; but maybe we should clean this up, drop the stupid intellectual property references, and make sure we define things a little better before sending it to the floor for a vote (in 2 weeks).

For more information, the full text of CISPA can be found here. A statement against the bill by the EFF can be read here, and a good statement about why it’s not as bad as the EFF makes it out to be can be found here.