A number of privacy and civil liberties groups have spoken out against H.R. 3523, the “Cyber Intelligence Sharing and Protection Act of 2011 (CISPA).” because the legislation would threaten individuals’ privacy rights. Last week, in a letter (pdf) to Congress, 36 groups (including the American Civil Liberties Union, American Library Association, Center for National Security Studies, Electronic Frontier Foundation, Government Accountability Project, and the Republican Liberty Caucus) wrote that “CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity. […] CISPA’s ‘information sharing’ regime allows the transfer of vast amounts of data, including sensitive information like internet use history or the content of emails, to any agency in the government.”
Now, President Obama has said in a “Statement of Administration Policy” (White House pdf; archive pdf) that he would veto the legislation, which is being debated in the House. The statement said, “The sharing of information must be conducted in a manner that preserves Americans’ privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. […] Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.”
The Los Angeles Times has more:
The administration had previously indicated that it was concerned about the measure, but that was before sponsors made or pledged to make a series of changes to limit the type of information shared with the feds, restrict what the government could do with that information and narrow the immunity given services that share information about threats.
Nevertheless, on Thursday the White House issued a Statement of Administration Policy saying the administration “strongly opposes” the bill “in its current form.” The requirements laid out in the statement appear to go beyond the changes that the sponsors announced Tuesday. For example, the administration wants the measure to require companies to minimize personally identifiable information before sharing it with the government and each other. It also warns that by giving a key role to the National Security Agency, “H.R. 3523 effectively treats domestic cybersecurity as an intelligence activity.”
A third complaint is that the bill ignores the administration’s main cyber security proposal: requiring operators of “critical infrastructure” (such as power grids and electronic payment systems) to meet industry standards for securing their networks. “Voluntary measures alone are insufficient responses to the growing danger of cyber threats,” the statement contends.