The Cyber Intelligence Sharing and Protection Act (CISPA) may have strong backing in the tech world, but that support began to look increasingly tenuous this weekend after software giant Microsoft seemed to walk back its support for the bill, warning that the company would now push lawmakers for additional privacy safeguards.
That's a big change for the company behind Windows and Xbox, which said in November that CISPA represented "an important first step towards addressing significant problems in cyber security," and that Microsoft "applauds" lawmakers for pushing the bill.
The company's initial letter, written by Microsoft's U.S. VP for government affairs, has been a key document in support of the bill: Rep. Mike Rogers (R-MI), CISPA's author, even prominently featured Microsoft's support on his official website.
The software giant's movement on the matter comes after a growing public outcry over CISPA and several recent amendments ostensibly meant to limit what information can be shared and how it can be used. Those provisions did not dislodge leading critics’ concerns about the bill, and actually appear to have expanded the data the National Security Agency may collect to include information about violent threats made online and the distribution of child pornography.
Other companies still backing CISPA include Facebook, IBM, AT&T, Boeing, Lockheed Martin, Oracle, Symantec and Verizon, but some of those firms could be reexamining their positions this week thanks to a statement from Microsoft over the weekend, which explained the company supports information sharing between the private sector and government so long as it can still keep private customer data private.
"Microsoft believes that any proposed legislation should facilitate the voluntary sharing of cyber threat information in a manner that allows us to honor the privacy and security promises we make to our customers," Microsoft reportedly said.
Microsoft's shift on CISPA may force other companies that are officially neutral to take a public stand in the coming days. Following the statement, Microsoft rivals, particularly Google, will be pressed to speak out one way or another, especially since Google recently disclosed that its lobbyists helped lawmakers craft the bill.
Microsoft's position isn't an extreme one, either: President Barack Obama feels similarly, an administration official said last week. The president is expected to veto CISPA if the bill does not preserve "Americans' privacy, data confidentiality, and civil liberties," the administration said.
The bill's proponents argue that CISPA's data-sharing provisions are purely voluntary, and they believe that it's a better alternative to a bill proposed by Sen. Joe Lieberman (I-CT), which would impose minimum network security requirements on virtually all major tech firms.
However, a group of 50 tech professionals recently disagreed with that characterization in an open letter to Congress beseeching lawmakers to turn the bill down, warning it would "nullify current legal protections against wiretapping and similar civil liberties violations."
Their letter cautions that Congress should not approve any legislation that "uses vague language" to describe IT threats and countermeasures, exempts “cybersecurity” efforts from relevant laws, provides immunity to private companies if they violate customers’ privacy, or allows data to be collected in such a way that people who aren’t cyber criminals are swept up for other crimes.
Some of that "vague language" pertains to the definition of "cyber threat intelligence," in which the bill includes "theft or misappropriation of private or government information, intellectual property, or personally identifiable information." The bill also says that its provisions apply "notwithstanding" any other privacy laws, which critics warn could make the bill a massive black hole in privacy law where anything goes under the justification of "cybersecurity."
Though CISPA easily cleared the House, it will have a more difficult trek through the Senate, where two competing bills aim to accomplish these same ends. The Cybersecurity Act of 2012, proposed by Sen. Lieberman and widely supported by Democrats, would empower the Department of Homeland Security to require that major tech firms maintain a minimum level of network security. The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act of 2012 (SECURE IT), introduced by Sen. John McCain (R-AZ) and widely supported by Republicans, would essentially do the same thing as CISPA.