Ever since CISPA, the so-called "cybersecurity bill," was reintroduced, its supporters have promoted it with craftily worded or just plain misleading claims. Such claims have been lobbed over and over again in op-eds, at hearings, and in press materials. One "fact sheet" by Reps. Rogers and Ruppersberger titled "Myth v. Fact" is so dubious that we felt we had to comment. To stop this type of misinformation—and to stop CISPA—we urge you to tell your members of Congress to stand up for privacy.
Here are some of the statements supporters of CISPA are pushing and why they're false:
Supporters of CISPA say, "There are no broad definitions"
Supporters are keen to note that the bill doesn't have broad definitions. In the "Myth v. Fact" sheet, the authors of CISPA specifically point to the definition of "cyber threat information." Cyber threat information is information about an online threat that companies can share with each other and with any government agency—including the NSA. In hearings, experts have said that they don't need to share personally identifiable information to combat threats. But the definition in the bill allows for any information related to a perceived threat or vulnerability—including sensitive personal information—to be shared. Cyber threat information should be a narrowly defined term.
Another example of a broad (or missing) definition is the term "cybersecurity system." Companies can use a "cybersecurity system" to "identify or obtain" information about a potential threat ("cyber threat information"). The definition is critical to understanding the bill, but it is circular. CISPA defines a "cybersecurity system" as "a system designed or employed" for a cybersecurity purpose (i.e., to protect against vulnerabilities or threats). The language is not limited to network security software or intrusion detection systems, and it is so broadly written that one wonders whether a "system" involving a tangible item—e.g., locks on doors—could be considered a "cybersecurity system." In practical terms, it's unclear exactly what such a "system" covers, because the word "system" is never defined.
The best example of a dangerous undefined term in the bill is found within the overly broad legal immunity for companies. The clause grants a company that acts in "good faith" immunity for "any decisions made" based on the information it learns from the government or other companies. Does this cover decisions to violate other laws, like computer crime laws? Or privacy laws intended to protect users? Companies should not be given carte blanche immunity to violate long-standing computer crime and privacy law. And it is notoriously hard to prove that a company acted in bad faith, in the few circumstances where you would actually find out that your privacy had been violated.
Supporters of CISPA say, “The bill is not a government surveillance program”
Supporters are adamant that CISPA doesn't create a wide-ranging "government surveillance program." It's true that the bill doesn't create a surveillance program like the one described in the ongoing warrantless wiretapping lawsuits.
But the trick here is what is meant by “government surveillance.” We think that if the bill aims at having our information flow to the government, it’s tantamount to government surveillance, whether or not the government initially collected the information.
The bill creates a loophole in the privacy laws that currently prevent companies from disclosing your information to the government, and it gives companies broad legal immunity for sharing information with the government. As a result, CISPA makes it more likely that companies will surveil their own users and then disclose that information. The sly wording dodges the key issue: that CISPA encourages companies to conduct surveillance on their networks and hand "cyber threat information" to the government. In short, the bill encourages a de facto private spying regime, with the same end result.
Supporters of CISPA say, "The government can't read your private email"
Reps. Rogers and Ruppersberger are adamant that CISPA doesn't grant the government access to read private emails. The claim was recently repeated by James Lewis, a fellow at the Center for Strategic and International Studies. But the broad definitions do allow personal information to be gathered by companies and then sent to the government without any mandatory minimization of that personal information. And under the vague definitions, an aggressive company could claim that private messages are related to a threat, obtain them, and share them with the government. If Reps. Rogers and Ruppersberger didn't want the content of emails to be disclosed under CISPA, it would be easy enough for them to add language to the bill that excludes it.
Supporters say, "CISPA follows advice from privacy and civil liberty advocates"
In his introduction of the bill, Rep. Rogers assured the audience that he has listened to the privacy and civil liberties community.
This year’s CISPA does contain some language added after privacy and civil liberties advocates complained in 2012. But those changes didn’t address some big issues that were raised last year, and this year’s privacy and civil liberties complaints about CISPA remain unaddressed.
Let's Stop CISPA
Reps. Rogers and Ruppersberger are on a strong publicity offensive to make sure the bill passes. The American public deserves full explanations of what CISPA can do and how far its powers extend. The public doesn't need carefully worded messaging materials that obfuscate and mislead the discussion of CISPA. The issues at stake—like the broad legal immunity and the new spying powers that allow companies to collect private, and sensitive, user information—are too serious.