CISPA Lacks Protections for Individual Rights
CISPA's most current draft does not come close to addressing the civil liberties threats posed by the bill
April 18, 2012
Congress should not pass CISPA. Although a carefully crafted information-sharing program that includes robust privacy safeguards could be an effective approach to cybersecurity, CISPA lacks such protections for individual rights.
CISPA would appropriately authorize the federal government to share cyberthreat intelligence with the private sector, to enable private companies to protect their networks from such threats. However, CISPA would also authorize the private sector to share customers' personal information and the contents of private communications with the federal government, without incorporating necessary safeguards:
- CISPA's definition of the information private companies may share with the federal government is overly broad, and fails to include any requirement that unrelated personally identifiable information be stripped from the data to be shared.
- CISPA lacks any meaningful limitations on the ways in which the federal government may use personal information and the content of private communications that it receives from private companies. The use of such information should be limited to cybersecurity purposes, or to sharing with law enforcement when there is probable cause of a non-cybercrime. Under CISPA, by contrast, once an individual's information is in the government's hands, it can be used for just about any purpose.
- CISPA should explicitly require that companies may only share information with civilian agencies. The NSA and the Department of Defense should be able to send out cyberthreat information to the private sector, but when companies report back to the government, all information from private networks should only be turned over to a civilian agency. The best candidate is the Department of Homeland Security, which has developed expertise in cybersecurity through the EINSTEIN program for federal civilian networks and which has prepared numerous Privacy Impact Assessments demonstrating its capacity to protect both cybersecurity and privacy.
Although we appreciate the Intelligence Committee's efforts to improve the bill and willingness to engage in a dialogue with privacy advocates, the changes in its most current draft do not come close to addressing the civil liberties threats posed by the bill, and some of the proposals would actually make CISPA worse. Therefore, Congress should not pass CISPA.