Why is CISPA so controversial?
CISPA has taken a lot of flack for various reasons, including concerns about privacy, transparency, lack of judicial oversight and the possibility of it being used for surveillance of citizens' Internet activities under the guise of cybersecurity, national security and other vaguely defined terms.
One issue is that it uses blanket terms like "cyber threat intelligence" rather than strictly defining the types of data that can be shared, which could potentially allow companies to obtain and share any sort of information, including personally identifying information (PII), private communications and the like. CISPA does allow private entities to insist that the government anonymize, minimize or otherwise restrict the data they share, but it doesn't require the companies to make such restrictions.
In the subsection regarding the federal government's use of the shared information, there is a paragraph that addresses privacy and civil liberties, but it says, "The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyberthreat information with the Federal Government pursuant to this subsection." The use of the word "may" makes it sound voluntary, and there is no further definition of what these efforts might entail. In the section regarding the creation of an annual report on government use of the information, the bill dictates including "metrics to determine the impact, on privacy and civil liberties, if any," but there is no mention of how this information will be used.
The bill provides legal immunity to companies sharing information, even if it turns out they did it improperly, provided they acted in "good faith." It also allows immunity "for decisions made based on cyber threat information," but doesn't define "decisions made." From the companies' point of view, this allows them to freely share cyberthreat information and to act on that information without worrying about costly lawsuits, but it could completely curtail right of an individual or entity to sue for any harm done, since it is difficult to prove that someone didn't act in good faith. It has been argued that this immunity could also allow companies to do things like retaliation hacking of a suspected intruder to gain information or disrupt their systems.
Another controversial aspect of CISPA's wording is the potential it has to supersede a number of privacy laws.