In spirit, CISPA aims to clear the thicket of restrictions firms face when they try to share data about online attacks. In practice, as TechFreedom’s Berin Szoka and CEI’s Ryan Radia make clear in Red State, the law goes much further:
It would give companies blanket immunity from “any provision of law” that might limit the sharing of information about cybersecurity threats. That includes so-called net flow data, and other “big data” patterns of behavior that could indicate an attack is coming — but such data doesn’t include individuals’ private information. Yet, under CISPA, if a provider has a hunch that the contents of user emails or other online communications relate to a cyber threat, the provider may share this information with impunity.
Despite what CISPA’s sponsors argue, the bill’s immunity provision doesn’t just nullify outdated privacy laws that arguably restrict how private companies run, and defend, their businesses; it provides blanket immunity from any conceivable liability, including for breaches of contract. Thus, in the name of clearing statutory barriers, CISPA would prevent private companies from making enforceable privacy promises to their users by contract or in a terms of service. These promises might include not sharing certain kinds of information with the government or simply de-identifying what is shared. But CISPA’s blanket immunity discourages private companies from competing on, or innovating in, privacy protection.
Read the entire post here.