House Democrat to push for privacy change to cyber bill

But the bill has sparked fierce pushback from privacy advocates that say the bill lacks sufficient protections for people's private information and would allow this information to flow directly to the National Security Agency. The amendment Schiff has drafted intends to address that first concern by requiring companies to remove any information "that can be used to identify a specific person unrelated to a cyber threat" before passing threat data to the government or its peers in the private sector.

ADVERTISEMENT
The amendment is intended to make sure people's personal information isn't inadvertently passed on to the government or the secretive NSA when it is unrelated to an online threat.  

"In most cases ... it wouldn't be necessary to share information with the government that includes personally identifiable information about private parties in order to alert them of a cyber threat," Schiff said in an interview.

The amendment also incorporated industry feedback on how to encourage better cyber intelligence-sharing.

It would allow companies to "make use of automated processes" to digitally remove personal information from cyber threat data before it's shared with outside parties or the government, a copy of the amendment reads. Schiff said this would enable companies to share data about cyber threats in real time, allowing for a faster response to a computer security incident.

"We want to make sure the removal of personally identifiable information can be done in real time. The importance of sharing cyber threat information diminishes over time. It has to be done quickly," he said, noting that cyberattacks move "with the speed of light." 

Greg Nojeim, a senior counsel for the Center for Democracy and Technology, voiced support for the intent of the amendment. The cyber liberties group is a vocal critic of CISPA.

"Requiring reasonable steps to remove personally identifiable information that is irrelevant to the threat would be a significant improvement," Nojeim, who has not seen a copy of the amendment, said in an email. "We assume that much information sharing will be automated.  Making it clear that privacy protection can be part of those automated processes makes sense."

Schiff said he has yet to "find common ground" with Rogers and Ruppersberger on the amendment, but noted that he hasn't received negative feedback from industry on it. 

"Unless we can come to an agreement before the markup, it's my intention to offer the amendment," he said. 

A spokeswoman for Rogers could not be reached for comment.

Schiff said he could not vote for the bill to move out of the Intelligence Committee unless it included language aimed at requiring companies to remove personally identifiable information from threat data.

"I won't be able to support the bill if we don't have a provision in the bill that guarantees reasonable efforts to remove personally identifiable information," he said. "There are other changes I'd like to see, some of which may be addressed by committee members or the chairman offers. But certainly in the absence of this change I wouldn't be able to support the bill."

Schiff said he also agrees with privacy groups' argument that a civilian agency, like the Department of Homeland Security, should handle cyber threat data before it is passed on to the NSA.

He voted for bill in committee last year under the condition that it would be amended with additional privacy protections before it went to the floor, but ultimately voted against its final passage.

Rogers and Ruppersberger said they are working on amendments to CISPA that are aimed at addressing the privacy concerns associated with it. In addition to the outcry from privacy advocates, the White House issued a veto threat against the measure last year in part because of privacy concerns.

"We feel that the bill clearly deals with privacy, that the checks and balances are there, but we're know there's still a perception and we're still trying to deal with that," Ruppersberger said last month. 

This post was updated at 5:59 p.m.