ACLU pans privacy amendments to House cybersecurity bill

Lawmakers have tweaked a House cybersecurity bill to address the concerns of privacy groups, but failed to win the support of the American Civil Liberties Union (ACLU), one of the biggest opponents of the measure.

Michelle Richardson, legislative counsel for the ACLU, said the planned amendments do not "fix the fundamental problems with the bill."

ADVERTISEMENT
The ACLU is taking a harder line against the Cyber Intelligence Sharing and Protection Act (CISPA) than the Center for Democracy and Technology (CDT), which stopped short of endorsing the bill on Tuesday but applauded the proposed changes.

CDT said it still has concerns but will "not oppose the process moving forward in the House."

"In sum, good progress has been made," CDT said in a statement. "The committee listened to our concerns and has made important privacy improvements and we applaud the committee for doing so."

Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), the authors of CISPA, said lawmakers will offer amendments on the floor later this week to address the concerns of privacy groups. 

The goal of CISPA is to help companies beef up their defenses against hackers who steal business secrets, rob customers' financial information and wreak havoc on computer systems. The bill would tear down legal barriers that discourage companies from sharing information about cyber threats. 

But civil-liberties groups warn the measure would encourage companies to hand over private information to spy agencies.

One amendment would tighten limitations on how the government can use the information it collects. The government would only be able to use the information to protect against cyberattacks, investigate cyber crimes, protect national security, protect against theft or bodily harm or to protect minors from child pornography.

The amendments would also narrow the definition of "cyber threat information" and would bar the federal government from retaining or using information beyond the explicit purposes of the bill. Another amendment would restrict the scope of the liability protections for companies that turn over data to the government.

The changes address many of the core concerns of privacy groups, but notably would not prevent spy agencies, such as the National Security Agency (NSA), from accessing the information. The privacy groups argue that a domestic agency, such as the Homeland Security Department, would be a more appropriate body to handle the personal information. 

"The companies still aren't required to even make an effort to take out sensitive and personal information before sharing cybersecurity data with the government," the ACLU's Richardson said. "The amendments also still allow this information to be sent directly to the National Security Agency and other military offices instead of keeping civilians in control of Americans' Internet info. The use limitations, while amended, still allow the government to use what it collects for undefined 'national security' purposes."

Richardson said the "good news" is that several Democrats filed amendments with the Rules Committee that would add tougher privacy protections to the bill.

"These fundamental privacy issues should get an up or down vote on the floor," Richardson said. 

On a conference call Tuesday to announce the changes, Rogers predicted he wouldn't be able to win the support of the ACLU.

"Well, ACLU is just not going to support any bill on any level about any issue when it relates to this," he said. "It's important that we continue to make good faith efforts for folks who are willing to negotiate and then move forward."