CISPA Authors Offer ‘Significant’ Privacy Amendment

House lawmakers agreed to consider a critical amendment to the Cyber Intelligence Sharing and Protection Act (CISPA) Wednesday, aimed at addressing privacy concerns of opponents to the bill. The amendment, offered by chairmen and ranking members of the House Intelligence and Homeland Security committees, would assign agencies within the departments of Homeland Security and Justice to be the first recipients of any cyberthreat information shared by private sector companies, among other provisions (http://1.usa.gov/14wqFtf). A White House spokeswoman didn’t comment Wednesday and the administration did not lift its veto threat.

The proposed amendment was included during Wednesday’s House debate on the rules for consideration of CISPA and was offered by Rogers, along with House Intelligence Ranking Member Dutch Ruppersberger, D-Md.; House Homeland Security Chairman Mike McCaul, R-Texas; and Ranking Member Bennie Thompson, D-Miss. The amendment offered new requirements aimed at minimizing the impact on privacy and safeguarding classified cyberthreat data that could be used to identify specific individuals. The measure would also direct the secretary of homeland security, the director of national intelligence and the attorney general to periodically review the government’s receipt, retention, use and disclosure of any classified cyberthreat information to ensure that citizens’ privacy rights are protected. It would further require DHS, Defense Department, Justice Department, intelligence officials and the Privacy and Civil Liberties Oversight Board to submit annual reviews of the government’s information use authorized under the bill to the House and Senate Intelligence Committees, Armed Services Committees, Justice Committees, the House Homeland Security Committee and the Senate Homeland Security and Governmental Affairs Committee.

Some Democrats were not assuaged by the new amendment and urged their colleagues to vote against the bill. “The bill falls short in several key ways,” said Rep. Jan Schakowsky, D-Ill., during a floor speech. “Despite some positive changes, the bill fails to adequately safeguard the privacy and civil liberties of Americans,” she said. In particular, Schakowsky said the bill would permit companies to directly share cyberthreat information with the Defense Department and fails to require companies to make “reasonable efforts” to strip personally identifiable information from shared cyberthreat data. Rogers protested and said Schakowsky’s statement was inaccurate: “Nowhere in the bill does it allow the military to survey private networks in this country. Period. End of story,” he said.

Rep. Jared Polis, D-Colo., said during a floor speech he too opposed the legislation because it does not adequately define how cyberinformation can be used and shared by the government, among other issues. “There will be great harm” if the information consumers access and provide on the Web “can be turned over to a government agency and liability provided to companies who provide it to them,” he said. Despite several amendments offered by CISPA’s authors, Polis said there “are still enormous flaws in this bill that need to be addressed. ... Had there been a requirement to increase efforts to reduce the use of personal data, that would have been a step in the right direction,” he said. “We can and we must do better for our country.”

The legislation is “not a surveillance bill,” Rogers, a former FBI agent in Chicago, repeated on the floor. He offered an amendment to clarify that nothing in the bill authorizes the government to target a U.S. citizen for surveillance. “It does not allow that to happen, we would not allow that to happen,” he said. Rogers further touted changes the committee made to strengthen the bill’s privacy safeguards and protections. “We have built multiple levels of oversight into this bill so we can gain the confidence of the public,” he said.

Ruppersberger said the bill incorporated changes to directly address the privacy concerns by opponents of the bill. “We can pass bills in the House all day long but if the Senate doesn’t pass the bill and it isn’t signed by the president it doesn’t go anywhere,” he said. “So we rolled up our sleeves ... and basically made some significant changes to the bill to address privacy,” he said. In particular he touted the bill’s data minimization requirement: “We have a 100 percent minimization [provision] and the government will ensure that ... if there is any personal information in there it will be knocked out.” He also stumped for the “very significant” amendment included Wednesday to require DHS to serve as the “point of entry” for cyberthreat information sharing between the public and private sectors.

A White House spokeswoman said the administration had nothing to share on the CISPA amendments nor did it withdraw its veto threat. On Tuesday the administration said it would recommend that President Barack Obama veto the bill if it passed Congress in its current form, in a statement of administration policy. The White House was concerned that the bill “does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities,” according to the policy statement.

The National Association of Manufacturers said the group would “key vote” in support of CISPA, according to a news release. “CISPA is a key element for ensuring that the comprehensive and connected relationships manufacturers maintain with customers, vendors, suppliers and governments are well protected,” said Senior Vice President-Policy and Government Relations Aric Newhouse. “Preparation is a critical line of defense from cyber threats, and we believe CISPA will help protect manufacturing jobs and intellectual property.”