Leaders of the House Permanent Select Committee on Intelligence pledged Tuesday to amend their cybersecurity bill, the Cyber Intelligence Sharing and Protection Act, to address the main concerns raised by civil libertarians and privacy advocates. The revisions are clear improvements, and they show that the committee is trying hard to limit the measure's scope. Nevertheless, the bill still has a fundamental problem: By encouraging network operators to share information with the government about what their customers do online, it threatens to turn ISPs and online service providers into snoops.
An array of lawmakers from both parties had filed more than 40 amendments by early Tuesday evening, occasionally in bipartisan clusters of liberty-oriented Republicans and liberal Democrats. These proposals seek to limit the type of information that could be collected and shared in the name of cybersecurity; ensure that civilian agencies were in charge of that information, not the Pentagon or the National Security Administration; require the elimination or minimization of personal information shared with and retained by the government; restrict federal agencies' use of that information to cybersecurity and, possibly, national security; and narrow the liability protections so they applied only to actions taken to promote cybersecurity.
The amendment outlined by the committee's chairman, Rep. Mike Rogers (R-Mich.), and its top Democrat, Rep. C.A. Dutch Ruppersberger (D-Md.), offers at least some accommodation on all these issues. It would define much more precisely the information that could be collected and shared. It would sharply narrow the uses that the feds could make of any such information, allowing only those efforts that are related to cybersecurity, protecting against serious bodily harm, safeguarding minors from kidnapping and sex crimes, and protecting national security. It would bar the feds from retaining information not related to those purposes. It would clarify that the feds wouldn't have any new authority to install cybersecurity systems on private-sector networks. And it would narrow the liability protection so that it doesn't apply beyond the cybersecurities activities discussed in the bill.