On February 13, Congressmen Rogers (R-MI) and Ruppersberger (D-MD) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA) in the U.S. House of Representatives. In a statement released to the media, Sharon Bradford Franklin, senior policy counsel at The Constitution Project, called the privacy and civil liberties protections in the bill “woefully inadequate.”
Virtually identical to the Cyber Intelligence Sharing and Protection Act (H.R. 3523) passed by the House in the last Congress, the stated purpose of the reintroduced legislation is to promote public-private cooperation in providing cybersecurity. While the bill would facilitate arrangements for the government and private companies – such as Facebook or Google – to provide information about cyberthreats to one another, the bill would also open the door for private companies potentially sharing sensitive personal information, including possibly the content of emails, with the government. TCP urged the House to amend the legislation to:
– Ensure that civilian agencies, and not military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command, are the recipients of cyber threat information submitted by private companies;
– Require that private companies make reasonable efforts to remove information that can be used to identify specific individuals before they are allowed to share private data with the government;
– Prohibit the government from using the private information shared with it for national security purposes unrelated to cybersecurity, and thereby ensure that this program does not expand beyond its stated purposes to become a means for the government to collect and use vast quantities of constitutionally protected personal information; and
– Require the government to develop policies and procedures to minimize the impact of the program on privacy and civil liberties.
These recommendations are based on TCP’s Liberty and Security Committee’s report Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy, which was released in 2012.