BREAK IN TRANSCRIPT
Mr. NADLER. Madam Chair, I rise in strong opposition to H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA).
The main topic this week, as announced by the House Republican Leadership, is cyber security, a serious issue for our Nation. As we become more dependent on computers and technology for even common or routine actions that happen every day, we become at increased risk of great damage from a cyber attack. Nations or individuals who wish us harm know that, and so we must be vigilant.
What we are considering today is premised on the idea that greater information sharing of cyber threats between the government and the private sector will improve security. While this is a relatively uncontroversial idea in concept, the bill before us raises a number of concerns.
It is important to note at the outset that the bill allows companies to share information, including private e-mails and other Internet communications, with the government--notwithstanding any other law. So, protections in existing law, such as the Electronic Communications Privacy Act (ECPA) and the Wiretap Act, are totally superseded. The government could get all of your information without a warrant or subpoena, and you would have little ability, if any, to stop it. Such a blanket exemption should give us great pause.
Unfortunately, the rest of the bill does not provide sufficient safeguards to justify this blanket exemption. To begin with, the definition of the cyber threat information to be shared is very broad. Suggestions have been made that define what should be included as cyber threat information in a narrow but sufficient way. These suggestions were not included in this bill.
At the very least, companies and other entities providing the government with information should be required to take some reasonable steps to remove personally identifiable information. Such reasonable steps need not be overly burdensome, but, again, even this limited protection was not included.
Once this information was shared with the government, it could be reviewed and used by any department. The Department of Defense, National Security Agency, and other defense and intelligence agencies thus would have access to the private, domestic internet activities of innocent Americans. This mixing of domestic information with military entities is dangerous and unprecedented. In fact, our policy has long-been to keep the military out of such domestic affairs. Information about cyber security should be limited to the relevant domestic government bodies, such as the Department of Homeland Security.
The power of government to use the information it receives would also be tremendously broad. One allowable use for this information is the hopelessly vague ``national security.'' In the past, the government has considered peace groups, civil rights activists, and other advocates to be ``threats'' to national security. It is easy to imagine how this term could be utilized for all the wrong reasons. The bill is supposed to be about cyber security, but allowing use of the information collected for national security purposes does not necessarily serve that purpose.
Further, the bill makes enforcing even the limited restrictions it contains difficult. With respect to private entities, as long as they act ``in good faith,'' they are immune from any civil or criminal case in state or federal court. This low standard means that any time a company claims it thought it was following the law, persons harmed by the improper sharing of information will have no recourse.
The bill does allow for civil actions against government violations. Unfortunately, the ability to bring a lawsuit against the government, as provided for in the bill, is deficient in three ways.
First, the bill only would allow lawsuits against the government for breaches if filed ``not later than two years after the date of the violation.'' That time period is wholly unworkable, unfair, and unrealistic.
Second, as written the bill only would impose liability on the government only for ``intentionally'' or ``willfully'' violating its restrictions. While this is helpful, such a limited liability scheme ignores damages arising from negligence. Such negligent acts could involve the failure to properly protect sensitive information or the failure to act with due care in deciding what information should be used.
Lastly, the only remedy is monetary damages. Injunctive relief, which could force the government to change its practices, is not provided for.
I filed an amendment with the Rules Committee to solve these three problems regarding the ability to hold the government accountable. It was not made in order.
In fact, multiple amendments were filed with the Rules Committee which would have made significant improvements to this bill. They would have narrowed its terms, limited how information could be used, protected personal information, and so on. The Rules Committee chose not to make them in order. Some of the amendments the House was allowed to consider will improve the bill, but not enough to sufficiently protect our privacy and civil liberties.
In closing, I want to reiterate that I recognize the importance of the issue of cyber security. I agree with the proponents of the bill that we must improve our cyber security defenses.
But, I remain firmly committed to the notion that we can protect our security and maintain our liberty, privacy, and freedom. This bill puts our privacy at great risk, and unnecessarily so. As such, I oppose its passage and recommend my colleagues do the same.
BREAK IN TRANSCRIPT
Mr. NADLER. Madam Chair, I rise in strong support of the Amash-Labrador-Nadler-Paul-Polis Amendment.
While I believe most Members agree both that a cyber attack could be devastating and that sharing information will help to fight that threat, the underlying bill is overly broad and intrusive. Our amendment will add at least a modicum of protection for Americans' privacy.
While the idea of privacy may seem quaint to some in this day of social networking and the Internet, most Americans still believe that they have a zone of privacy vis-a-vis the government. As such, it is important we protect private actions from the prying eyes of government. Moreover, the government has a history of misusing such information and so we need to be very circumspect in what we allow it access to.
Our amendment prohibits records or information regarding what books you bought or checked out of the library, your medical records, tax returns, and so on from being used by the government for any purpose if it obtained that information pursuant to this bill. There is no need for the government to have this most personal of information--I don't see how any of it could be possibly relevant to cyber security. And, if the information can't be legally used, hopefully that will discourage companies from sharing it in the first place.
The categories of information in our amendment are already given a protected status in the Foreign Intelligence Surveillance Act (FISA). FISA requires a court order and the approval of a high-ranking FBI official to request these personal materials. If that is the standard under FISA, we should not let companies cavalierly hand such records to the government with no independent review at all.
I urge my colleagues to support this amendment.
BREAK IN TRANSCRIPT