"We support the intent of the Cyber Intelligence Sharing and Protection Act, but we are disappointed in some aspects of it and believe that it can be improved to better protect privacy and civil liberties, while still working effectively to enhance cybersecurity," the four lawmakers write.
After citing privacy concerns with the bill, Schiff and Schakowsky were
the only two members to vote against moving it out of committee.
The views expressed in the addendum align with the arguments that privacy advocates have raised against the bill in recent weeks. CISPA is expected to be voted on in the House as early as next Wednesday.
CISPA is intended to encourage companies and the government to share data about malicious source code and other cyber threat information in real time with each other. Companies worry that they may face legal action for sharing threat data with the government and have been hesitant to do so. To this end, the bill would grant companies liability protection for sharing threat data with agencies.
The Democratic members note that industry witnesses told the House Intelligence panel at a hearing this year that removing people's personal information from threat data prior to sharing it with the government "is technically feasible and not an onerous requirement." They add that a witness at the hearing said companies were in the best position to strip personal information from data.
Schiff offered an amendment to CISPA this week that would have required companies to take this step before sharing cyber threat information with the government and other businesses. The amendment failed to win enough votes to be adopted, which disappointed privacy advocates.
The lawmakers also argued that a civilian agency, like the Department of Homeland Security, should be the first to receive cyber threat data from companies, not the military or National Security Agency. The bill would allow companies to share cyber threat information directly with the NSA, along with a menu of other agencies, including the DHS.
"Allowing information to go directly to military agencies significantly departs from longstanding efforts to treat the Internet and cyberspace as traditional spheres," they wrote.
Schiff, Schakowsky, Himes and Gutierrez expressed concern with the scope of the liability protections in the bill, saying it "may allow cybersecurity entities to claim immunity even if injuries are the result of neglect or recklessness"