Congress' latest attempt at a bill that affects the way people use the Internet has many scared, with some calling the Cyber Intelligence Sharing and Protection Act (CISPA) "worse than SOPA," the bill that caused widespread Internet outrage and blackouts before ultimately being shelved. Experts say the danger level associated with CISPA depends on the answer to one question: Which constitutional amendment do you care about more, the First or the Fourth?
While the Stop Online Piracy Act dealt with censoring sites that illegally hosted copyrighted content, CISPA is designed to help companies fight cyber crime—potentially in exchange for helping the federal government spy on users.
"It's a completely different issue [than SOPA]," says Jim Dempsey, vice president for public policy at the Center for Democracy and Technology. "This is about government monitoring. [SOPA] is about the First amendment, [CISPA] is about the Fourth, but they both take a legitimate problem and try to tackle it with an overbroad solution."
CISPA's main goal, according to sponsoring Reps. Mike Rogers and Dutch Ruppersberger, is as follows: Foreign governments and independent hackers are stealing information from American corporations all the time, costing the companies billions of dollars. The government knows how to stop these attacks and wants to help out private companies, but the current law doesn't allow it to share classified information with private companies. CISPA would open that pipeline, but it would be a two-way street—the way the bill is written, companies can share users' information with the government if they sense a "cyber threat."
In a conference call with reporters Tuesday, Rogers and Ruppersberger repeatedly said that companies wouldn't be required to share information with the federal government.
"The government cannot require companies to give the government E-mails and that type of information, and it is voluntary," Ruppersberger said. "This is not surveillance. Companies can give back information about an attack as it pertains to a threat or vulnerability of a system or a network, but only as it relates to national security."
That gives some experts pause—it's overly broad, according to Dempsey.
The bill doesn't technically require companies to share data with the government, but it also doesn't require the government to share cybersecurity secrets with the companies.
"The government can say 'You want our secret sauce, give us all your data, if you play ball with us, we'll play ball with you,'" Dempsey says, although an amendment to the bill is meant to discourage required data trades. "Once [CISPA] removes the legal barriers, it becomes harder for companies to resist those inducements, which can lead them to do things they're uncomfortable with [like sharing data.]"
The Electronic Frontier Foundation says CISPA could lead to "backdoor wiretaps" and would "give companies a free pass to monitor and collect communications … [and] ship that data wholesale to the government or anyone else provided they claim it was for 'cybersecurity purposes.'"
CISPA has wide support in the House—more than 100 members have signed on, and a vote is expected later this month. Companies such as AT&T, Verizon, Facebook, Microsoft and IBM have voiced their support of the bill.
Dempsey says those companies want help from the government in repelling attacks, and want to be able to share their own cybersecurity techniques and vulnerabilities with each other, but are likely not considering the company-to-government sharing that might be essentially required to receive the bill's benefits.
"I think those companies thought [giving information to the government] is essentially a meaningless provision, because they're not required to share," he says. "But I think there's all sorts of incentives the government can use to leverage that form of sharing."