By: Ross Woessner

Great controversy surrounds the proposed Cyber Intelligence Sharing and Protection Act (“CISPA”), which passed the House and is currently in the Senate.  The bill provides for voluntary information sharing between private companies and the government in order to prevent or mitigate cyberattacks.  For example, if the government detects a cyberattack threatening Google or Twitter it could inform those companies of the threat; likewise, Google could notify the government if they detect suspicious activity on their networks.  Part of the bill’s rationale is the increasing number of cyberattacks on American companies emanating from China and Iran.

This has alarmed civil liberties groups because of the ease with which private communications companies can share users’ information with the government.  CISPA is written broadly enough that such companies could provide someone’s text messages, emails, or cloud-shared files.  The bill authorizes such disclosure “notwithstanding any other law,” which according to the Electronic Frontier Foundation, “essentially means CISPA would override the relevant provisions in all other laws,” and thus creates “a cybersecurity loophole in all existing privacy laws.”

But as Solove and Schwartz note on page 590, Internet “anonymity is quite fragile, and in some cases illusory.”  Indeed, Business insider has noted that CISPA merely legalizes already common cybersecurity practices.  The Electronic Privacy Information Center (“EPIC”), through a FOIA request, obtained documents that describe a well-established information sharing program between the Department of Defense, Department of Homeland Security and private companies, including immunity provisions for private companies.  This is particularly worrisome because the Obama administration has publicly threatened to veto CISPA “while privately granting immunity to [private companies] as they collaborate with government agencies to evade wiretapping laws.”  Thus, CISPA’s practical impact would be minimal because the practices it authorizes are already widely used.,2817,2417993,00.asp (“What is CISPA, and Why Should You Care?”)