Representatives Anna G. Eshoo (CA), Rush Holt (NJ), Janice Schakowsky (IL) and Adam B. Schiff (CA) have written a "Dear Colleague" letter coming out strongly against the current version of CISPA, saying that the bill "has major shortcomings and would undermine the interests of citizens and their privacy."
The Four representatives say that the bill has three major deficiencies that need to be addressed: it does not strip unrelated Personally Identifiable Information (PII) from information shared; the bill allows information to be shared directly by private companies with the National Security Agency, and it provides a sweeping limitation on liability for sharing information in good faith. Eshoo also said that these deficiencies can be fixed and promised that "amendments will be offered at the Rules Committee to address these issues."
The full letter can be found below:
Oppose CISPA Unless Improvements Are Made to Protect Privacy and Civil Liberties
We write to bring to your attention serious concerns regarding legislation the House will consider this week, the Cyber Information Sharing and Protection Act (CISPA). Without further amendments to protect privacy and civil liberties, we cannot support the bill.
As Members who have served multiples terms on the House Intelligence Committee, we understand the importance of cyber security and the degree to which our public and private networks are under constant attack. There is an urgent need to improve cyber security, and facilitating the real time sharing of information about threats is a worthy goal.
However, CISPA has major shortcomings and would undermine the interests of citizens and their privacy. The bill has improved from earlier versions, but even with the amendments adopted, CISPA unacceptably and unnecessarily compromises the privacy interests of Americans online.
There are three significant deficiencies in the bill. The White House, civil liberties and privacy advocates, and Senators who have worked on information sharing legislation share our concerns about these provisions.
First, the bill does not require that companies sharing information under the bill, either with the government or with other private sector entities, make anonymous the data they share by making reasonable efforts to remove unrelated Personally Identifiable Information (PII). Instead, the bill would instruct the government to remove PII only after it has been shared. A government-only minimization makes little sense in those cases when the private party is in the best position to anonymize the data and personal information never need be shared with the government. Most important, this requirement does nothing to protect privacy in the case of private-to-private sharing.
In fact, when the Intelligence Committee held a hearing on CISPA earlier this year, industry witnesses agreed that requiring companies to make “reasonable efforts” to remove unrelated PII was “reasonable” and that, “The provider of the information is in the best position to anonymize it.”
Second, the bill would allow information, and potentially PII, to be shared directly by private companies with the National Security Agency. By allowing the sharing of data on cyber threats that may implicate personal information about Americans directly between Department of Defense agencies and private companies, the bill significantly departs from constitutional principles as well as long-standing efforts to preserve the primacy of civilian agencies in cyber space. We believe a civilian agency like the Department of Homeland Security ought to be the lead agency, even as it may draw on the services of other elements of the intelligence community.
Finally, the bill provides a sweeping limitation on liability for sharing information in good faith, and to a wide range of decisions by private firms on the basis of cyber threat information. The breadth of conduct thus immunized is considerable and may protect companies who take negligent or reckless action in response to a cyber threat or who fail to take any step to remove personal information prior to sharing. Given the wide reach of the legislation, Congress should limit the scope of the liability granted.
All of these concerns are correctable and amendments will be offered at the Rules Committee to address these issues. We urge the Rules Committee to make these important amendments in order. Americans concerned about their privacy and expanded military involvement in cyberspace deserve at the very least a vote by the House of Representatives on amendments to fix the bill.
Without changes to ameliorate these concerns, we intend to oppose the legislation, and urge Members concerned about civil liberties and privacy to do the same.
Adam B. Schiff
Anna G. Eshoo