From Scott Lemieux at Alternet:
Six things you should know about the proposed Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 3523, which is scheduled to go to the House floor this week for a final vote. The bill has 112 cosponsors and is expected to pass the House.
1. CISPA would allow companies to share potentially sensitive customer data with each other in ways that would otherwise be inconsistent with current laws that protect consumer privacy, such as the Electronic Communications Privacy Act (ECPA). As the ACLU notes, “Health records, gun records, tax records, census data, educational records – essentially all information now protected under privacy laws carefully considered and passed by Congress over the past decades – would no longer have that protection as cybersecurity information if these bills are to become law.” CISPA would also allow the government to require companies to share customer data without the warrant or subpoena that would be required under current law. The privacy rights of customers may be violated, in other words, without substantial evidence that they pose any kind of security threat.
2. CISPA would also pre-empt state laws that provide more privacy protection than the federal standard. Citizens in some states would face diminished privacy rights both now and in the future.
3. Companies would be broadly immunized from both criminal and civil liability for sharing personal data under CISPA. This is important, because the threat of lawsuits is crucial to ensuring that companies respect the privacy of their customers. Under CISPA, conversely, corporations would have little incentive to err on the side of protecting privacy and would not face legal sanctions for even wholly unjustified invasions of privacy.
4. Private companies would not be required to remove identifying information from data they share with the government. Private information could be shared not only with civilian but with military authorities. Given the deference that courts generally show to invocations of national security interests by entities associated with the military, this makes the risks of privacy invasions even more severe. Any information shared under a new legislative framework should go to a civilian rather than a military agency.
5. The only restriction on the sharing of data is that it be related to “cybersecurity.” The bill makes no serious attempt to specifically define what would qualify, and hence this limitation will do very little to limit privacy violations in practice. As the Electronic Freedom Foundation correctly points out, the bill would apply to “far more than what security experts would reasonably consider to be cybersecurity threat indicators — things like port scans, DDoS traffic, and the like.” Without a more careful definition, the potential for abuse is simply too great.
6. Not only does the language of the bill not provide enough protection before the fact, but it also does too little to protect individual privacy after information is first shared with the government. As Sharon Bradford Franklin explains, “CISPA lacks any meaningful limitations on the ways in which the federal government may use personal information.”