Well, the Cyber Intelligence Sharing and Protection Act passed the House last week. Now that the dust has cleared (and before we move on to the coming Senate battles) it’s probably worthwhile looking at the changes that were made to CISPA in the hustle and bustle of negotiations and floor consideration to see what came out.
Definitions. The definitions section (which is often where much of the action is) became more complex and difficult to parse. One of the virtues of CISPA has always been its simplicity of draftsmanship. Some of that was lost in the negotiation process as a way of trying to ameliorate privacy and civil liberties concerns.
To cite the most prominent example, the definition of cyber threat information now has an exclusion for information pertaining to efforts to gain unauthorized access to a system solely in violation of a term of service or consumer licensing agreement that does not “otherwise constitute unauthorized access.” As far as I can tell, the exclusion is likely to cover the null set since terms of service generally relate to terms of commercial use by consumers and have little or nothing to do with subverting the underlying system (Facebook does not have a “do not hack us” term of service … nor should it have to have one). But merely policing that definition will require effort and lawyers, etc. The cyber intelligence and cyber security purpose definitions (which are needlessly repetitive of the cyber threat definition) have the same exclusion.
Use/Purpose Limitation. Earlier, the bill had authorized sharing cyber security threat information within the Federal government so long as “one significant purpose” of the use was either a cybersecurity or national security purpose. Now cyber threat information shared with the Federal government may only be used for a cybersecurity purpose; to investigate a cyber crime; for a national security purpose; to protect individuals from the danger of death or serious bodily injury; or for the protection of minors from child pornography or sexual exploitation. This is a deeply problematic change in the law. It is a step back toward the ill-conceived stovepipe system of information collection and dissemination that led to many of the flaws identified by the 9/11 commission. I will leave it to others to consider whether elevating prosecution of child pornography to the same level of importance as national security (and above, say, serious economic espionage; multi-billion dollar fraud; or drug dealing) is a wise policy choice.
Liability Protections. The liability protections of the bill were substantially weakened. Previously (as presented to the Rules Committee), the bill had protected private sector actors against liability unless the sharing entity had engaged in “willful misconduct.” Now the liability protection extends only to entities who acted “in good faith.” Since an allegation of “bad faith” is relatively easy to plead, the prospect for lawsuits is significantly magnified. Candidly, I suspect that faced with this new liability protection many entities will simply choose not to share information. This was one of the aspects of the Lieberman-Collins bill that I was skeptical of, and I’m equally skeptical of it here.
Sunset. Perhaps most oddly, the bill now has a sunset provision in it. By its terms the entire bill is repealed in 5 years. There are several puzzling aspects to this. First, of course, is the questionable premise that the cybersecurity threat will have sufficiently diminished in 5 years that we can abide a repeal. Even more problematic, however, is the oddity of repealing a liability limitation: do acts that had been protected from liability when done (because done according to the authorization of the act and in good faith) suddenly become actionable because the underlying authorization has been repealed, and the liability limitation along with it? I don’t know, and I doubt that the authors of the sunset know either.