Congressman Schiff had introduced an amendment to address this loophole, but he complains that CISPA's sponsors never brought it before the House for a vote.
What private companies care about: lawsuits
Beneath all this talk of sharing and minimizing, what CISPA really seems to be about is protecting the companies that provide the data from being sued for doing so. When asked what was the most important thing for consumers to know about CISPA, SIIA's LeDuc said that liability risks were thwarting cybersecurity efforts. "Unfortunately, under the current legal framework, companies, or any private entities, face risk of regulatory or legal action for sharing information that they believe could be valuable for preventing or mitigating a cybersecurity threat or incident," he says.
The prospect of litigation is somewhat quaint. After all, with these huge data-scanning efforts, most of us will have no idea whether our data is being used or misused, unless it comes back to bite us. If that were to happen, however, it would be nice to have a process for legal recourse. Here again, CISPA's vague language makes privacy harder to protect. The ACLU's Richardson says, "It's not just what you can share, but any decisions you make based upon the information shared are also immunized. They actually use that term, 'decisions made,' which is incredibly broad."
'Good faith' covers a lot of well-intentioned damage
But SIIA's LeDuc insists that there is a process. "Individual citizens do not lose their ability to sue or utilize the courts for redress," he says. "Any case where a company has been found to not act in 'good faith,' they would likely be liable for harm to an individual."
Reitman of the EFF says that the cover of "good faith" could easily go too far. Protected from liability, companies could share more data more freely. For example, says Reitman, "Netflix could give to the government a list of the names, credit card numbers, home addresses, and account activity for everyone who watched the movie Hackers during the three weeks leading up to Netflix suffering a mild DDOS attack." CISPA currently provides for civilian oversight of data sharing through the Department of Homeland Security and other entities, but if the data then gets passed along to a military entity, the oversight ends.
"We would never know what they did with that data," says Reitman. "We don't think that would be in good faith, but it would be hard for the customers to discover and later prove."
CISPA may not get far
This is CISPA's second attempt to win Senate approval, and its success is far from certain--especially given the President's clearly stated intention to veto CISPA in its current form. Though no piece of legislation is perfect, opponents point to CISPA's vagueness and loopholes as game-stoppers. ACLU's Richardson says, "People are talking about China breaking in and stealing intellectual property. If they had written a bill about that, we'd have fewer complaints. CISPA's broad and sweeps up a lot of everyday activity."