A group of House Democrats circulated a letter Monday calling on lawmakers to oppose a controversial cybersecurity bill up for a vote this week unless additional privacy protections are adopted into the measure.
Four Democratic members say the Cyber Intelligence Sharing and Protection Act, or CISPA, as written "would undermine the interests of citizens and their privacy" despite the addition of five privacy-focused amendments adopted to the bill last week. They argue that the amendments do not go far enough to ease their concerns.
"Without further amendments to protect privacy and civil liberties, we cannot support the bill," the House Democratic lawmakers write in the "Dear Colleague" letter.
"The bill has improved from earlier versions, but even with the amendments adopted, CISPA unacceptably and unnecessarily compromises the privacy interests of Americans online," they add.
Reps. Adam SchiffAdam Bennett SchiffJan. 6 committee chair says panel will issue a 'good number' of additional subpoenas Jan. 6 panel subpoenas four ex-Trump aides Bannon, Meadows Schiff: Criminal contempt charges possible for noncooperation in Jan. 6 probe MORE (D-Calif.), Jan Schakowsky (D-Ill.), Anna Eshoo (D-Calif.) and Rush Holt (D-N.J.) signed the letter.
The House Rules Committee will meet on Tuesday afternoon to approve the rule for the bill, which will determine what amendments will be voted on in the House later this week. House members have until Tuesday morning to file their proposed amendments to the bill.
In the letter, the Democratic lawmakers call on the House Rules panel to let members vote on amendments that would bolster the privacy and civil liberties protections in CISPA.
"Americans concerned about their privacy and expanded military involvement in cyberspace deserve at the very least a vote by the House of Representatives on amendments to fix the bill," they write.
CISPA is aimed at making it easier for companies and the government to share information about malicious source code and other cyber threat data with each other in real time. Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) argue the bill is needed to protect American critical infrastructure from cyberattacks, as well as help companies protect their intellectual property from probing hackers.
Privacy and civil liberties groups have criticized CISPA because it would allow companies to share cyber threat data directly with the National Security Agency. They also oppose the bill because it would not require companies to remove personally identifiable information from threat data they share with other businesses and the government.
In their letter, the Democratic members argue that the bill would grant companies sweeping liability protection when they share cyber threat data with the government, which could protect companies who might take "negligent or reckless action" when responding to a hacker attack. They argue that Congress should limit the scope of the liability protection granted to companies in the bill.
They also call for the bill to require companies to take "reasonable steps" to remove people's personal information, such as IP or email addresses, from threat data prior to sharing it with the government or other private-sector companies. Schiff plans to offer an amendment that would tackle this issue to the Rules Committee.
In its current form, the government is required to strip personal information from the cyber threat data they receive from companies. The Democratic lawmakers, however, argue that this provision doesn't solve their concern and "makes little sense in those cases when the private party is in the best position to anonymize the data." It also wouldn't require companies to remove personal information from threat data prior to passing it on to other companies, they add.
The Democratic members also call for a civilian agency, such as the Department of Homeland Security, to be the first recipient of threat data from companies, before the information is funneled to other agencies. Schakowsky plans to file an amendment that would ensure companies report cyber threat information directly to civilian agencies, rather than letting them relay the data directly to the NSA.