White House raises concerns over CISPA bill
Information sharing without privacy safeguards is a problem, National Security Council spokeswoman says
The White House joined the growing chorus of voices expressing concern over the proposed Cyber Intelligence Sharing and Protection Act (CISPA) legislation that is scheduled for a vote in the U.S. House of Representatives next week.
The bill would allow Internet service providers and Internet companies such as Google and Facebook to collect and share a wide range of user data with the government. Privacy and civil rights groups have blasted the bill , saying it would dismantle privacy protections and enable unprecedented surveillance of online activities under the pretext of cybersecurity.
Any cybersecurity legislation should include strong privacy protections, The Hill quoted Hayden as saying. "The nation's critical infrastructure cyber vulnerabilities will not be addressed by information sharing alone," she said in apparent reference to CISPA.
"Also, while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens," Hayden is quoted as saying. "Legislation without new authorities to address our nation's critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation's urgent needs."
Though the statement did not mention CISPA by name, Hayden's references to "information sharing" make clear that she is referring to CISPA because that is the only bill under consideration that calls for extensive sharing of information between the private sector and the government.
The White House's comments add to the crescendo of voices that are calling for CISPA to be stopped or seriously amended. U.S. Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) introduced CISPA in the House in November.
The bill is designed to help improve cybersecurity by allowing Internet companies to monitor and collect any information on users that they think might pose a threat to their networks or systems.
Rights groups such as the American Civil Liberties Union, the Electronic Frontier Foundation and the Center for Democracy and Technology maintain that CISPA's ambiguous wording can cause serious problems.
For instance, there's nothing in the language of the bill that would prohibit companies from monitoring private email messages, chat messages and Facebook postings simply by claiming a cybersecurity purpose to the monitoring. They can then share that information with any other entity, including the Department of Homeland Security and the National Security Agency, without judicial oversight. The bill affords Internet companies a great deal of immunity for conducting such information monitoring and sharing.
The bill affords Internet companies a great deal of immunity for conducting such information monitoring and sharing and offers little opportunity for Internet users to sue companies for unfairly collecting and sharing their information with the government, according to the rights groups.
They also note that while the bill is designed to enhance cybersecurity, government agencies will be able to use information provided by Internet companies for a variety of other reasons, including national security reasons. An early version of the bill contained language that would have allowed law enforcement to go after copyright infringers using the data gathered by Internet companies.
A coalition of rights groups has organized a weeklong protest against the bill this week in the hopes of stirring up broad public opposition to the bill. Similar public protests derailed two equally unpopular pieces of legislation -- the Stop Online Piracy Act and the Protect IP Act--a few months ago.
Despite the growing opposition to the bill, many technology companies including Google, Facebook, and AT&T and trade associations such as TechAmerica support CISPA.
TechAmerica, which was hit with a sustained denial-of-service attack recently over its support of the bill, this week, reiterated its position.
"The inability to share information is one of the greatest challenges to collective efforts toward improving our cybersecurity," the trade group's president Shawn Osborne said in a letter to Congress. "Unless there is cooperation between government and business, cyber-criminals will continue stealing money and cyber-spies will continue walking away with ideas and innovation," Osborne said..
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.
Read more about gov't legislation/regulation in Computerworld's Gov't Legislation/Regulation Topic Center.