CISPA, the bill that grants legal immunity to large information-collecting companies from being sued for sharing the personally identifying information of all their customers with the US government, has risen from the grave once again. The “Cyber Intelligence Sharing and Protection Act” was introduced in the Senate by Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.). The language of this the third undead incarnation of the so-called “zombie bill” is as yet unclear.
Previous versions of CISPA sanctioned broad information practices on the part of the private sector and US spy agencies like the NSA. For example, personal email addresses can be shared with impunity for any reason. Sen. Feinstein however says that the types of information to be sanctioned for sharing in this version of CISPA will be very narrow, focusing only on information that affects national cyber security.
What exactly differentiates a “national security” measure from a violation of millions of individuals’ privacy has long been the crucial question at hand. The current bill does not address that question. Balancing the legislation equation are the existing Electronic Communications Privacy Act (ECPA) and the Wiretap Act, both of which require private information sharing to be used in emergencies only. But again a question arises: What constitutes an emergency as a general rule, and will that rule provide clear, immediate answers during actual emergencies?
Facebook, Google, Comcast, Verizon and other household names have all lobbied in favor of CISPA, even though their customers would likely resent them for it. The companies’ reasoning is that the companies are already required by law to provide information to law enforcement officials upon demand, but it is unclear how much the law enforcement community has been acting within a legal framework. Grey areas abound.