According to legislative counsel Michelle Richardson of the American Civil Liberties Union, every stupid spam you receive from Nigeria could make your data fair game for further investigation. "These are everyday occurrences that are cybersecurity events under the bill," says Richardson. Rainey Reitman, activism director at the Electronic Frontier Foundation, says that a service could share any data that it deemed "cyber threat information" and could do so "without legal process, so long as it was in 'good faith' and for a 'cybersecurity purpose.'"
Data sharing will be easier--or automatic
The ACLU's Richardson adds that under CISPA, the data sharing will be smooth--really smooth. Instead of going through a process in which the government specifically requests information, "they are talking about some sort of process that is automatically going to forward stuff to the government," says Richardson.
If data is going to be routed automatically, when and how PII gets stripped from the data becomes a bigger issue. Unfortunately, no one is talking about making user identities completely anonymous. No, the people behind CISPA are satisfied with mere "minimization"--making a reasonable effort to remove PII. Here's where the definition of "cyber threat information" once again comes into play, says EPIC's Scott: "CISPA does not require [a private company] to remove or otherwise narrow the information provided to the government as long as it falls under the broad umbrella of cyber threat information."
Though it would seem to make sense for the providing company to strip PII from the data they share, under CISPA that task falls to the government. David LeDuc is senior director of public policy for the Software & Information Industry Association, a major trade group representing software developers and digital content businesses, which supports CISPA. LeDuc downplays the importance of PII in cybersecurity, saying that it isn't what interests professionals engaged in fighting cybercrime. "Security experts look for trends," he says, "the prevalence of certain behaviors, and propagation patterns for malware--not at personal information."
LeDuc also points out that CISPA was amended from making government-based minimization optional to making it mandatory. "The federal government must minimize information it receives from the private sector to take out information about specific persons not necessary to respond to a cyber threat," he says.
However, this amendment doesn't address the question of what happens to data shared between private companies. Because only the government has the job of minimizing PII under CISPA, private companies may share relatively PII-rich data among themselves without making any effort toward minimization. In speaking before the House vote on CISPA, Representative Adam Schiff (D-California) made clear his disapproval. "Private entities can share information with each other without ever going through the government," he said. "In those circumstances, how can the government minimize what it never possesses? So government-side minimization alone, which is all this bill includes, is not enough."