The White House Recommends CISPA Veto; CISPA Dissected By The EFF

In an e-mail released on Wednesday, the Office of Management and Budget said that if CISPA reaches the president’s desk in its current form, “his senior advisors would recommend that he veto the bill.”

“Legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security,” the e-mail states.

“The Administration looks forward to continuing to engage with the Congress in a bipartisan, bicameral fashion to enact cybersecurity legislation to address these critical issues. However, for the reasons stated herein, if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill.”

OMB’s message gives several reasons why the office opposes the bill, including that the bill “significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres” and that it “also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes.”

In response, the authors of the bill said that Tuesday’s revisions take into account “nearly every single one of the criticisms leveled by the Administration, particularly those regarding privacy and civil liberties of Americans.”

The bill is set for a vote before the House of Representatives on Friday.

In addition, we learn from an EFF report that Rep. Rogers is convinced that the Cyber Intelligence Sharing and Protection Act is an information “sharing” bill. That sounds innocent, but the truth is that the act is also a surveillance bill. Its definitions allow private companies to monitor network traffic and stored data (including private e-mails) and transfer this data to the government or others with no oversight or legal accountability, bypassing established privacy laws.

In a press call, Rep. Rogers said that the bill “does not provide any authority for the government to monitor private networks or read private e-mail,” but the truth is that CISPA allows private companies to use “cybersecurity systems” – a very ambiguous term in the bill – to “identify and obtain” information on any relevant cyber threat, and then send the communications (without de-identifying the data) to the government. Granting this kind of power strictly on the basis of good faith would be an act of insanity.

Furthermore, the bill creates expansive legal immunity, making companies and the government largely unaccountable to users. It provides “good faith” immunity for using those “cybersecurity systems” to obtain information, for not using the obtained information for personal purposes, and for making any decisions based on the information they receive. Here is an example of the circumstances under which CISPA works its magic: say a company finds out about a security flaw, fails to fix it, and users’ information is misused or stolen (or, better said, leaked). If that happens, the company is not held liable as long as it acted “in good faith”. In addition, companies “acting in good faith” are also liability-free for engaging in potential countermeasures, even if they harm innocent parties.

That means that CISPA grants surveillance power to private entities “notwithstanding any other provision of law,” bypassing existing rights to sue under laws like the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. In other words, if CISPA passes, companies will lose their legal right to protect their users’ privacy, including under federal or state privacy laws that keep companies from sharing sensitive personal information like health records and personal financial information.

Although there is a proposed amendment that allows people to file lawsuits against the federal government if it violates some restrictions on the use of the obtained data, in practice this amendment is meaningless. First of all, the amendment only permits a lawsuit if it’s brought within two years of the date of the violation, not the date of the discovery of the violation. Yet CISPA exempts all data received by the government from the Freedom of Information Act (FOIA), and blocks disclosure to any non-federal entity without the consent of the sending entity – meaning that it’s likely that users won’t be aware of any violation of their privacy for years (probably never), and when they are, it will be too late, due to the two-year limitation.

Second, if an individual sues the government, the government could invoke privileges like the state secrets privilege. This kind of lawsuit – involving classified information or state secrets – is difficult, expensive, and time-consuming.

Here’s an example:

EFF (the Electronic Frontier Foundation) has been involved for years in a lawsuit claiming Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the National Security Agency.

By combining immunity exemptions with weak federal liability, CISPA will allow spying on users who ultimately are unable to hold companies and the government accountable for their actions.

You can protest against CISPA by sending an e-mail to Congress, and by using EFF’s Congressional Twitter handle detection tool to tweet at Congress.

Fight for your rights!