The House on Thursday approved cybersecurity legislation that privacy groups have decried as a threat to civil liberties.
The Cyber Intelligence Sharing and Protection Act, or CISPA, sponsored by Reps. Mike Rogers (R-Michigan) and Dutch Ruppersberger (D-Maryland), passed on a vote of 248 to 168.
Its goal is a more secure internet, but privacy groups fear the measure breaches Americans’ privacy along the way. The White House had weighed in on Wednesday, threatening a veto unless there were significant changes to increase consumer privacy. The bill was amended to provide more privacy protections, but it was not immediately clear whether the Senate or the White House would give the amended bill its blessing.
The measure, which some are calling the Son of SOPA, allows internet service providers to share information with the government, including the Department of Homeland Security and the National Security Agency, about cybersecurity threats they detect on the internet. An ISP is not required to shield any personally identifying data of its customers when it believes it has detected threats, which include attack signatures, malicious code, phishing sites or botnets. In short, the measure seeks to undo privacy laws that generally forbid ISPs from disclosing customer communications to anyone else without a court order.
The bill immunizes ISPs from privacy lawsuits for voluntarily disclosing customer information thought to be a security threat. Internet companies are also granted anti-trust protection to immunize them against allegations of colluding on cybersecurity issues. The measure is not solely limited to cybersecurity, and includes the catchall phrase “national security” as a valid reason for turning over the data.
CISPA also allows ISPs to bypass privacy laws and share data with fellow ISPs in a bid to promptly extinguish a cyberattack.
Moments before the vote was taken during a daylong hearing, Rogers urged his colleagues to “stand up for America. Support this bill.” He said those who were opposing the measure — groups that include the American Civil Liberties Union and the Electronic Frontier Foundation — were practicing “obfuscation.”
The bill’s supporters include Microsoft, Facebook, AT&T, Verizon, Oracle and many others.
The ACLU quickly blasted the measure’s passage. They and other groups said Americans’ private data should not be shared with the military, and that data sent to the government should be anonymized as much as possible to protect privacy.
“Cybersecurity does not have to mean abdication of Americans’ online privacy. As we’ve seen repeatedly, once the government gets expansive national security authorities, there’s no going back. We encourage the Senate to let this horrible bill fade into obscurity,” said Michelle Richardson, ACLU legislative counsel.
Some last-minute amendments included making non-national-security data subject to the Freedom of Information Act, sunsetting the measure after five years and barring the government from reviewing library, firearms, tax and medical records.
Rep. Edward Markey (D-Massachusetts) during the debate seemingly agreed with the ACLU. “Could the government use that personal information to spy on Americans? Yes,” he said. Rep. Dan Boren (D-Oklahoma) wasn’t convinced: “The government is not the enemy,” he said.
Amendments to remove language allowing the information-sharing in the name of “national security,” and to remove the NSA from the agencies receiving the data, never made it to the House floor.
The measure is now headed for the Senate. If it passes there, it will go to the White House for approval or veto.