The amendments included one that would require the government to strip away any private information they receive from companies participating in information sharing, another that would prohibit companies from hacking back at attackers and a third that would strictly limit the use of threat information, gathered via information sharing arrangements, to cybersecurity purposes. The government will also no longer be permitted to use threat information for broader "national security" purposes as provided for under the original bill.
The changes appear to have done little to change attitudes among those opposed to the bill.
CISPA is designed to bolster national cybersecurity by enabling companies and federal agencies to share threat information with others more freely and without fear of legal or liability issues.
Supporters of the measure, which include the U.S. Chamber of Commerce, nearly every major Internet service provider, and scores of technology companies, say that such threat-information sharing is vital to improving security. Many security practitioners insist that the only information they are interested in sharing pertains to non-personal data like IP addresses involved in targeted attacks, the addresses of command-and-control servers used to direct botnets, and breach and vulnerability indicators.
Privacy and rights advocacy groups, however, see CISPA as a looming threat to privacy. Many digital rights groups fear the bill will open up an opportunity for government agencies to collect and monitor vast amounts of Internet user data under the pretext of cybersecurity. They worry that the bill will allow ISPs to share data with the government and others with impunity, and with little fear of legal action.
"The changes to the bill don't address the major privacy problems we have been raising about CISPA for almost a year and a half," American Civil Liberties union (ACLU) legislative council Michelle Richardson said in a statement. "CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the Internet records of everyday Americans."
The fact that the bill was voted on on Wednesday, after a markup session in which the media and public was excluded, has only heightened such concerns. "It's a sign that the committee members aren't interested in a vigorous public debate on the bill," said Mark Jaycox, a staff attorney with the Electronic Frontier Foundation (EFF). "With this closed markup Congress is actually making law in secret. It's a step backwards."