CISPA potentially sidesteps judicial oversight through the term "notwithstanding any other provision of law," which overrides a lot of existing privacy laws, including the Wiretap Act, Cable Communications Act, Video Privacy Protection Act, Stored Communications Act and Electronic Communications Privacy Act -- acts that do provide rules and oversight regarding the sharing of personal information. In the case of CISPA, no warrant is required for the government to obtain personal information.
Even though individuals can sue the government if it willfully misuses their information, it could be very difficult to find out that such a thing ever happened. Even if non-cyberthreat information is sent to the government, the government is only required to notify the sending entity, and no one is required to inform the person whose data was shared. Shared information is also exempt from disclosure under the Freedom of Information Act and other similar disclosure laws. There would have to be some obvious harm that pointed to the sharing, and it would have to be evident within two years of the time the federal government misused the data because of the statute of limitations.
CISPA is also under attack for not defining or limiting what government entities the information can be handed over to, aside from the stipulation that receiving agencies give it to the National Cybersecurity and Communications Integration Center of the DHS, which can share it with other agencies. The information could legally be given to any agency of the federal government, including intelligence agencies. How the government can use the information is defined broadly, as well, including "for cybersecurity purposes," which is somewhat vaguely defined in the bill, and "to protect the national security of the United States," which is fairly broadly defined in the National Security Act.
There is a notable dearth of terms related to technology in the bill. The word "computer" is only used within the definition of "cybersecurity crime" to include computer crimes in the list of possible violations. Otherwise, H.R. 624 refers to the things being protected as "systems and networks," which is somewhat ambiguous. The words and phrases "online," "Internet," "Web," "digital," "information technology" and even "technology" are never used.
The original version of the bill included theft of intellectual property as one of the cybersecurity purposes. This has been removed from the latest version of CISPA, and language was inserted to specify that cyberthreat information does not include efforts to gain access involving violations of consumer terms of service or licensing agreements. However, some groups still fear that it can be used to pursue things like copyright infringement.
CISPA doesn't provide the legal means for the government to directly monitor people's online activities and digital data, but it does allow companies to voluntarily give undefined types and amounts of information that they deem cyberthreat information to the federal government, and the government can keep and use this data for reasons of cybersecurity, national security and investigation of a few other crimes. This and the fact that it can be given to any agency are causing consternation since this could allow intelligence agencies a sort of sideways access to personal information.
No one is arguing that sharing information on emerging threats isn't important in the fight to secure computer systems and networks from the ever-growing threat of attack, but arguments are being made to place limitations on the types of information shared and with what entities it can be shared. The supporters of CISPA counter that the bill is not intended for surveillance, and that the immunities are necessary to encourage companies to share information without fear of lawsuit. The opponents argue that the risks to privacy and civil liberties are too great in the bill as currently written.