This article has been updated to include information about the Amash amendment and the fate of the bill.
Just because SOPA and PIPA seem to be dead in the water doesn’t mean legislative attempts to limit privacy are over. H.R. 3523, The Cybersecurity Information Sharing and Protection Act of 2011 (CISPA), passed the House of Representatives on April 26 in a surprise vote: CISPA was originally scheduled for a vote on April 27.
The American Library Association (ALA)’s Washington office had asked members to contact their representatives to oppose CISPA, which now goes to the Senate. A coalition of many organizations, including ALA as well as the American Association of Law Libraries, Association of Research Libraries, Society of American Archivists, Special Libraries Association, and many others, sent a letter opposing the bill on the grounds that “it constitutes a wholesale attack on public access to information under the Freedom of Information Act.”
ALA is also concerned that CISPA would allow, or even require, that ISPs and other entities monitor all electronic communications and share that information with the government without effective oversight. The government could keep the information forever and share it with other agencies. CISPA would preempt all existing privacy laws, including the 48 state library record confidentiality laws. According to ALA, library consequences could relate to cloud computing, higher education networks, privatized libraries and networks, and network/vendor contracts.
Chairman Rogers and Ranking Member Ruppersberger of the House Intelligence Committee announced on April 24 that they agreed to make several changes to the bill, which will be offered by members as amendments on the floor this week. These include a minimization, retention, and notification amendment, which would prohibit the federal government from retaining or using information other than for the purposes specified in the legislation; a use amendment, which would limit use of the information to cybersecurity purposes; investigation and prosecution of cybersecurity crimes; protection of individuals from the danger of death or serious bodily harm; protection of minors from child pornography, any risk of sexual exploitation, and serious threats to physical safety; and protection of the national security of the United States; and a definitions amendment that would narrow what information may be identified, obtained, and shared to information that directly pertains to a vulnerability of a system or network of a government or private entity; a threat to the integrity, confidentiality or availability of such system or network or any information stored on, processed on, or transiting such system or network; efforts to degrade, disrupt or destroy such system or network; and efforts to gain unauthorized access to a system or network, not including efforts to gain such unauthorized access solely involving violations of consumer terms of service or consumer licensing agreements.
On April 26, ALA President Molly Raphael sent a letter to members of the House asking them to support the Amash/Labrador/Nadler/Paul/Polis Amendment to CISPA, which seeks to protect library circulation and patron records as well as book sales records and customer lists, firearms sales records, tax return, education and medical records.
“If the U.S.A. PATRIOT Act requires the approval of a federal judge and a senior FBI official before accessing sensitive documents, we should not allow the government access to such personal information without similar and adequate oversight and accountability,” Raphael said.
A vote on Amash amendment was postponed, according to the Electronic Frontier Foundation, which live-tweeted the amendment process @EFFLive, using the #CISPA hashtag.
Beyond supporting this particular amendment, Raphael also called on members of the House to better clarify and narrow the bill’s definition of cybersecurity, and designate the Department of Homeland Security as the primary recipient of information shared under it, rather than the National Security Agency. The bill defines “cybersecurity purpose” as “[t]heft or misappropriation of private or government information, intellectual property, or personally identifiable information.”