White House — and 14 year olds — reject CISPA

For the second time in less than a year, the U.S. Congress is in the midst of hearings on legislation intended to protect the nation’s cyber security. And as of yesterday, the White House has again issued a threat to veto any legislation that doesn’t sufficiently protect the privacy of American citizens.

The Cybersecurity Intelligence Sharing and Protection Act, known as CISPA, is designed to allow companies to share information with the U.S. government in return for information about threats to their critical infrastructure. The bill has been roundly denounced by privacy and civil liberties groups (including Access) and security experts for indiscriminate sharing of personal data with military and other agencies, limited procedural oversight, and broad immunity for private sector participants.

A White House veto threat is a tool to influence bills under consideration, and the current threat highlights many of the concerns expressed by advocacy groups. The veto threat states that President Obama’s senior advisers would encourage him to reject the current version of CISPA, H.R. 624. In addition to expressing concerns about privacy, the statement pushes for civilian, rather than intelligence, agencies to take the cybersecurity lead and calls for greater liability.

Congress’s main strategy to address cybersecurity threats has been to encourage businesses and the government to share information. In its new statement, the White House puts this data sharing in perspective as just one strategy among several, including legislation: (1) promoting the establishment and adoption of standards for critical infrastructure; (2) guiding Federal agency network security; (3) giving law enforcement more tools to fight crime in the digital age; and (4) creating a National Data Breach Reporting requirement.

When CISPA was first introduced last year, Access detailed our concerns and requirements for a satisfactory bill. This time around, we have noted how drafters of the ill-conceived legislation failed to incorporate the concerns of privacy and civil liberty advocates. Although the bill has evolved somewhat in Intelligence Committee markups, earlier drafts allowed private sector companies to indiscriminately share user information with the U.S. government, without oversight or due process, and with full immunity for their actions.

When the bill went to the House floor on Tuesday, Apr. 16, its main backer, House Permanent Select Intelligence Committee chair Mike Rogers, dismissed the bill’s critics, deriding them as “14-year-olds” in their basement, a response that generated significant social media backlash.

Evidently, the lack of meaningful consultation with CISPA’s critics — whether 14-year-olds or otherwise — yielded a bill that does not meet White House standards. On privacy, the statement maintains that the bill “does not require private entities to take reasonable steps to remove irrelevant personal information” that they share with government, and goes on to assert that “Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately.”

The White House makes clear that any information shared under the new program “should enter the government through a civilian agency, the Department of Homeland Security,” rather than an intelligence or military body, as the proposed bill currently allows.

Finally, the President is “concerned about the broad scope of liability limitations” in H.R. 624, which would grant broad immunity to companies against the consequences of sharing user data. As private corporations hold the keys to more and more sensitive information on their users, it’s critical that reasonable limits be imposed on the extent of data shared, through a duty of care or other common legal standard. Likewise, the data should be used by the government for specific and narrowly tailored purposes. Although a markup session on the bill removed language that would have allowed private data to be used for national security purposes, the purpose of ‘cybersecurity’ remains broadly defined.

If passed, the bill won’t only affect U.S. citizens; it will affect international users as well, threatening the privacy of users who communicate on networks crossing U.S. jurisdiction or use U.S.-based services such as Twitter, Facebook, or Google. As it stands, Access rejects CISPA for its failure to conform to Constitutional safeguards on privacy and civil liberties, as well as international norms on due process and free expression.