In what is turning out to be a repeat of last year, privacy rights groups launched an assault against the Cyber Intelligence Sharing and Protection Act (CISPA), barely a day after the controversial legislation was reintroduced in Congress on Wednesday.
The bill, sponsored by U.S. Reps. Mike Rogers, (R-Mich.) and C.A. Dutch Ruppersberger, (D-Md.), would bolster cybersecurity by enabling better threat information sharing between the private sector and the government. The law would provide a safe harbor against lawsuits and liability issues for private companies that share intelligence data with each other and with federal agencies, such as the Department of Homeland Security.
Advocacy groups Demand Progress and Fight for The Future claim they have already submitted more than 300,000 signatures from people opposing the bill via email and Twitter. The signatures have been delivered electronically to members of the U.S. House Intelligence Committee and more are being delivered electronically every hour, the two groups claimed in a statement.
According to Tiffany Cheng, a spokeswoman for Fight for the Future, the campaign to oppose CISPA began last Friday when the group first heard of plans to reintroduce CISPA. In total, more than 1 million signatures opposing the measure have been collected by several organizations, including the Electronic Frontier Foundation and Free Press, Cheng said. So far, a .pdf file containing 300,000 of those signatures has been sent to the House Intelligence Committee, she said.
In separate blog posts, rights advocacy groups the EFF and the Center for Democracy and Technology (CDT) expressed adamant opposition to the legislation and urged others to join the fight.
"In seeking to promote cybersecurity information sharing, CISPA creates a sweeping exception to all privacy laws," CDT president Leslie Harris wrote in CDT's blog. "It dismantles years of hard fought privacy protections for Americans."
CISPA was first introduced last year and was approved by the House of Representatives despite a hurricane of protests, including President Obama, who threatened to veto the bill if it landed on his desk.
The bill's supporters, which include nearly every major industry trade group, insist that the information-sharing provisions contained in CISPA are vital to their ability to fight new cyberthreats.
In testimony before Congress on Thursday, Paul Smocer, president of BITS, the technology policy division of the influential Financial Services Roundtable, called the bill essential to improving cybersecurity.
"Given the interconnected nature of cyberspace, institutions recognize that the strongest preparations and responses to cyberattacks require collaboration beyond their own companies," Smocer said in prepared testimony. "The ability to share information more broadly is critical to our response to future attacks."
Smocer downplayed the privacy concerns that have been raised over the bill and hinted that they stemmed from a lack of understanding of the information that companies are seeking to share with each other and the government.
"The reality is that the data being shared on threats are the technical details of malware, sources of malicious attacks and warnings of potential attacks (i.e. 'ones and zeros')," Smocer said.
"If we were comparing this to the world of physical crime, one could think of it as the sharing of ballistic data or modi operandi - information that does not relate to an individual, but that is important to understand both the criminal activity and to stop future risk."
A "Civil Liberties Talking Points" memo on the House Intelligence Committee's website also sought to dispel what the committee claimed were myths related to the legislation.
Privacy advocates, civil rights groups and academics, however, see a much darker side to the bill. Many of them contend the legislation creates or at least enables wide-ranging government surveillance of Internet users.
Their main concern is that the bill's language would allow a wide range of information, including personal data, personal communications and social media interactions, to be collected and shared with government agencies such as the DHS and the National Security Agency under the pretext of cybersecurity.
CISPA also overrides existing privacy law and would grant broad immunities against lawsuits and liabilities to participating companies, EFF policy analyst Mark Jaycox wrote in a blog post Wednesday.
Importantly, there are few transparency provisions in the legislation, Jaycox wrote. Information collected by private companies and provided to the government would be exempt from Freedom of Information Act requests, he noted. There is also nothing in the bill that would require companies to inform users if their information is shared with the government, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].
Read more about security in Computerworld's Security Topic Center.