Could the Cyber Intelligence Sharing and Protection Act unintentionally create a safe haven for corporate hacking?
Amidst all the clamour over what CIPSA means for civil liberties, with its emphasis on allowing tech companies and the government to more easily share information about Web users, there are cries of hypocrisy about those who'd be exempted from the potential new law.
Mark Jaycox of the Electronic Frontier Foundation, which opposes CIPSA, says language in the bill gives exempted companies too much leeway in deciding who can be labeled a cybersecurity threat and pursued with the new powers that would be granted by the legislation. Although an amendment added to the bill would limit companies' information gathering to their own networks, other parts of the bill would allow "wide ranging acts" to combat any potential cybersecurity threats.
“All the amendments are window dressing that do not address any of the core privacy concerns," Jaycox told The Daily Dot. "CISPA is littered with large ambiguities and circular definitions that do not provide the necessary details and technical language when dealing with online security."
The vague language of the bill, Jaycox and others argue, would allow companies to get away with some of the very same acts the bill is intended to stamp out. This concern stems from the following portion of the bill:
‘(3) EXEMPTION FROM LIABILITY-
‘(A) EXEMPTION- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--
‘(i) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or
‘(ii) for decisions made for cybersecurity purposes and based on cyber threat information identified, obtained, or shared under this section.
‘(B) LACK OF GOOD FAITH- For purposes of the exemption from liability under subparagraph (A), a lack of good faith includes any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility.
In particular, Jaycox says, the "good faith" terminology makes it too easy for companies to collect and share user information on innocent individuals, since the companies get to decide what makes them feel threatened. Jaycox isn't the only one who feels this way, the Center for Democracy and Technology's Greg Nojeim told Motherboard that the language invites companies to "engage in reckless and negligent cybersecurity conduct that could injure others and insulates that conduct against criminal and civil liability."
In other words, Nojeim and Jaycox argue, the bill would give companies every recourse if they feel threatened while giving none to private citizens in the same position.
Of course, that's not how the bill's sponsor sees it. The office of Rep. Mike Rogers (R-Mich.) did not return the Daily Dot's request for comment, but a spokeswoman for the Congressman's office objected to this characterization of the liability exemption portion of the bill. And in a statement released shortly after CIPSA passed the House of Representatives last week, Rogers said he critics had distorted the reality of the bill's intent.
“I am very proud that so many of my colleagues were able to look past the distortions and fear mongering about this bill, and see it for what it really is – a very narrow and focused authority to share cybersecurity threat information to keep America safe," he said.
House passage of the bill has already excited Libertarians and Internet freedom advocates who took part in protests Tuesday, but it may be unnecessary. The bill faces strong resistance from Democrats in the Senate and President Barack Obama has threatened to veto the legislation in its current form.
Even though CISPA appears dead-on-arrival this time, Jaycox said it was important to make sure Web users are aware the positions being advocated and their potential consequences.
"Online security legislation should be a balance between security and privacy," he said. "We do not need to give up one for the other."
Photo by swanksalot/Flickr