CISPA 3.0: The Senate's New Bill As Bad As Ever

CISPA is back for a third time—it has lost the 'P,' but it's just as bad for civil liberties as ever.

The Senate Intelligence Committee is considering a new cybersecurity bill that contains many of the provisions that civil liberties groups hated about the Cybersecurity Information Sharing and Protection Act (CISPA). Most notably, under the proposed bill companies could not be sued for incorrectly sharing too much customer information with the federal government, and broad law enforcement sharing could allow for the creation of backdoor wiretaps.

The bill, called the Cybersecurity Information Sharing Act of 2014 (embedded below), was written by Senate Intelligence Chair Dianne Feinstein (D-Calif.) and Sen. Saxby Chambliss (R-Ga.) and is currently circulating around the committee right now but has not yet been introduced. Right now, the bill is only a “discussion draft,” and the committee is still looking to make revisions to the bill before it is officially introduced.

In any case, the bill will look familiar to anyone who has followed the trials and tribulations of CISPA: The general premise of the bill is to allow the federal government to share classified “cyber threat” information with companies (which is good), but also allows companies to share “cyber threat” information about their customers with the federal government—which could be bad, depending on how it’s implemented. Any programs created by the bill would be under the authority of the Department of Homeland Security, which is important, because it's a civilian, not military group such as the National Security Administration.

If you'll remember, the Senate is where the last CISPA went to die, and other Senate cybersecurity bills have limited the circumstances under which data can be shared with law enforcement. Not so in Feinstein's new bill. The language of the draft would give companies a wide latitude to share information, in real time, with state, local, and federal law enforcement, a move that's concerning to civil liberties experts.

"I think the Senate bill was much much better placed when this issue came up before—it limited law enforcement use to very specific circumstances, such as when there was the threat of imminent death or bodily injury," Greg Nojeim, senior counsel at the Center for Democracy and Technology, told me. "This very broad criminal purpose creates the possibility that cybersecurity information sharing becomes a backdoor wiretap, because law enforcement would be receiving information it otherwise would not get unless it showed probable cause. You don’t want a world where very robust cybersecurity information sharing turns into a law enforcement tool that’s used to prosecute people for completely unrelated crime."

It’s clear in the draft language that Feinstein is trying to assuage the concerns of civil liberties groups, but they’re still not going to be terribly happy with many of the provisions. The bill generally requires that companies strip identifying information from any information shared with the government that could pertain to a person not directly involved with a “cyber threat” and also calls for the attorney general to meet with civil liberties groups to devise the final policies and procedures for how the whole thing would work within 30 days of the bill’s passage.

But even those provisions don't go far enough or have loopholes, according to Amie Stepanovich of the civil liberties group Access. While any information that goes from the government to private companies would have identifying information in it stripped, Stepanovich says there's a "loophole large enough to drive a semi-truck through" that would allow companies to leave identifying information if someone tangentially relates to a cyber threat.

"A 'cyber threat' could mean you're just on a spam email list," and are therefore subject to having your information shared with the government, she said.

The bill also calls for the government to create some sort of “notification system” to let companies know when they’ve shared data that doesn’t pertain to a specific cyber threat.

But that’s all it’d be—a notification. Like CISPA, the bill gives companies nearly complete liability protection—they can’t be sued for the information they share with the federal government as long as they act with “good faith.” According to the bill, companies that act with “gross negligence” or “willful misconduct” would still be subject to legal sanctions. That clause is still problematic, Stepanovich said.

"It fails to encourage good information practices, it’s a crutch instead of encouraging proper cybersecurity. They're saying that some information shouldn’t be transferred, but even if it is transferred, it cannot result in a lawsuit even if it’s intentionally shared," she told me. "It takes away the ability for the public to have any say in how their information is shared."

In any case, this is the major hangup that civil liberties groups and CISPA’s author, Rep. Mike Rogers (R-Mich.), couldn’t reconcile. Rogers has said that, without liability protection, any information sharing is “a hard problem to work.”

“You have liability issues with sharing information, and you have, my fear would be, this unwieldy cooperation of competition between companies, and so, yes, we put liability protection in the bill, and again we did that because it has to be in my mind a voluntary process,” Rogers said at an event discussing CISPA last year. “We don’t want any mandates telling people, ‘you must give us information, or you must cooperate.’”

To get around that, then, you remove any sort of responsibility from companies who overshare; you “notify” them that they’ve overshared instead of holding them responsible, and whoever’s privacy gets violated along the way just has to deal with it.

Rogers often takes most of the heat for CISPA and other cybersecurity bills, but this isn’t the first time that Feinstein has introduced something like this. In 2012, she introduced similar legislation that ended up dying in committee.

Again, this is just an early draft—it’s possible that the civil liberties provisions get toughened up before the bill is introduced, but as it now stands, the bill is certainly problematic.

Meanwhile, progress has stalled on any bills that would overhaul how groups like the NSA collect information.

"I can't believe this is coming out now. Congress can’t pass a law to limit NSA surveillance, but they seem to be actively working to increase the amount of surveillance," Stepanovich said. "They haven't been transparent in drafting this law."

Cybersecurity Information Sharing Act of 2014