Despite the administration's threat to veto the bill, the U.S. House of Representatives approved the controversial cyber-surveillance legislation late last week by a vote of 248 to 168. CISPA, the Cyber Intelligence Sharing and Protection Act, encourages companies to freely share what would otherwise be private information about customers with government authorities. CISPA does this by granting companies that volunteer this information immunity from all existing laws which would prohibit divulging it, even where doing so ignores due process or violates constitutional rights to privacy. In fact, the wording of the bill suggests that companies may be able to share this information freely with any "certified entity". A certified entity is any entity that provides cybersecurity or has a government security clearance.

CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes--

  1. use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
  2. share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--

  1. use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
  2. share such cyber threat information with any other entity, including the Federal Government.

CERTIFIED ENTITY- The term 'certified entity' means a protected entity, self-protected entity, or cybersecurity provider that:

  1. possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and
  2. is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.

Source: thomas.loc.gov, CISPA

"Notwithstanding" is the key here – that wording means this bill is intended to trump all other laws for the good of cybersecurity. Presumably, such a bill would offload the burden of protecting consumer privacy to the federal government. If companies fail to uphold existing privacy laws, they can be sued. Under CISPA, they will be protected as long as any such violations can be justified as necessary for purposes of cybersecurity.

Naturally, many companies were quick to support CISPA. However, the danger is that this also removes accountability for any invasion of privacy (whatever that may be – it seems like we're still trying to figure out what those boundaries are) in the name of cybersecurity. The bill gives a wide swath of private and government citizens access to virtually any person's data of any kind, no matter how confidential, with few limitations.

Just after the House passed the bill, citing concerns regarding consumer privacy, Microsoft softly yet abruptly backpedaled on its support of CISPA. However, many other enterprises have expressed their support.

Microsoft has previously stated support for efforts to improve cyber security, and sharing threat information is an important component of those efforts. Improvements to the way this information is shared would help companies better protect customers, and online services in the United States and around the world from criminal attack. Microsoft believes that any proposed legislation should facilitate the voluntary sharing of cyber threat information in a manner that allows us to honor the privacy and security promises we make to our customers.

Legislation passed by the House of Representatives yesterday is a first step in this legislative process. Since November, there has been active, constructive dialogue to identify and address concerns about the House bill, and several important changes were incorporated. We look forward to continuing to work with members of Congress, consumer groups, the civil liberties community and industry colleagues as the debate moves to the Senate to ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy.

Source: news.cnet.com, Microsoft spokesperson

You can read the full text of CISPA as it passed in the House here.

Infographic by Paralegal.net.