CISPA has just been amended by its authors. Formerly, one of the more problematic clauses read…
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
Which was changed over the weekend to this…
(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information
Which removes the “theft” and “private information” and “intellectual property” claims, and narrows the bill to unauthorized access… which was supposedly its original intent.
Still, one of the biggest problems—the fact that the government can use, retain and affirmatively search the information they gather for vaguely defined “national security” purposes — is untouched in the new draft.
(A) the use of such information is not for a regulatory purpose; and (B) at least one significant purpose of such information is (i) a cybersecurity purpose; or (ii) the protection of the national security of the United States.
It’s the “or (ii)” that’s the kicker. Any information gathered can be turned over to the US, which can then use that information in any way deemed necessary to the “national security” of the US.
Under CISPA, a company could read your email on the grounds that they’re scanning for “threats” to security. They can then “share” that “data” with the government. After that it’s fair game.
The national security loophole has been used, for example, to feed “terrorist” data collected under the Patriot Act to the DEA in order to curtail drug smuggling. Is drug smuggling illegal? Yes. Is it a “national security” issue? Apparently.
The law also declares that any provision in CISPA is effective “notwithstanding any other law.” This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.
As an added bonus, any company that shares data with the government under CISPA receives immunity from all existing privacy laws unless you can show that their actions caused you injury and constituted “willful misconduct.”
Anyone trying to sue a firm or agency on those grounds will have to prove an intention to achieve a “wrongful purpose,” that misconduct was carried out without “legal or factual” justification, and that the harm caused by the action was greater than the benefit.
Which would be fine, except that the bill’s wording makes that injury almost impossible to prove, which in turn makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.
Assuming you knew to do so, since all information shared is exempt from the Freedom of Information Act.
Bottom line? The “safeguards” in the bill are essentially meaningless.
Which is the point.
The draft of the bill follows, for those who are interested.