Washington, D.C., April 21, 2012 — The House of Representatives is expected to vote next week on the Cyber Intelligence Sharing and Protection Act of 2011 (“CISPA”). The Competitive Enterprise Institute and TechFreedom have joined with FreedomWorks, Americans for Limited Government, the Liberty Coalition, and Al Cardenas, Chairman of the American Conservative Union, in sending a letter to Congress identifying several significant problems with the bill as drafted and urging recommendations to alleviate those concerns.
CISPA aims to help companies defend against cyber attacks by facilitating the sharing of cyber threat information among government agencies and the private sector. Despite the bill’s noble intentions, however, it risks unduly expanding federal power, undermining freedom of contract, and harming U.S. competitiveness in the technology sector. Our coalition letter articulates the following major problems with CISPA and explains how Congress can amend the bill to fix them:
1) CISPA does not meaningfully limit Government’s use of shared user data.
The bill contains few restrictions on the sharing of private user information among governmental entities for purposes unrelated to cybersecurity, such as criminal prosecution. The bill merely requires that “at least one significant purpose” of Government’s use of cyber threat information pertain to cybersecurity or national security. As such, CISPA threatens Internet users’ Fourth Amendment rights to be free from unreasonable searches and, therefore, should be amended to proscribe Government use of cyber threat information for purposes unrelated to cybersecurity.
2) CISPA’s sweeping immunity provision undermines voluntary contracts and competition.
The bill exempts companies from all forms of civil and criminal liability for sharing cyber threat information with any other entity, in “good faith” in accordance with the statute. This effectively denies a private company or user any legal recourse against a provider for sharing sensitive data in breach of contract, so long as that provider honestly believed the data pertained to a cyber threat. This undermines the ability of providers to compete on privacy and make enforceable promises to customers about how their data will be shared. The bill should be amended to state that it does not supercede private contracts.
3) CISPA would let government coerce firms into sharing information.
While the bill bars the government from conditioning a private entity’s access to cyber threat information on that entity’s own willingness to share, it does not bar Government from leveraging grants or procurement contracts to pressure companies to disclose cyber threat information. CISPA should contain a ban on such quid pro quos to minimize potential abuses by governmental agencies that have historically leveraged the procurement process to strong-arm companies into facilitating electronic surveillance.
4) CISPA affords insufficient recourse to individuals whose data has been mishandled by Government.
The bill creates a limited private right of action whereby injured parties may recover damages they suffer on account of a governmental entity “intentionally or willfully” mishandling cyber threat information. But aggrieved individuals will often be unable to meet this high burden; thus, CISPA’s private right should be amended to also allow individuals to recover damages for grossly negligent privacy violations by governmental entities.
5) CISPA’s definition of “cyber threat information” is overbroad.
The bill currently allows the sharing of all information pertaining to threats to “degrade” networks; “misappropriate[e]” “private data,” or gain “unauthorized access” to a system. “Unauthorized access” has been construed to include entering an inaccurate age or weight when signing up for a website. Thus, the definition of “cyber threat information” should be narrowed to limit the scope of the bill to genuine cyber threats.