The Cyber Intelligence Sharing and Protection Act (CISPA) passed the House by a comfortable margin last week despite loud opposition from privacy groups, a veto threat from the White House, and uncertain prospects in the Senate. Lawmakers made several changes to the bill aimed at easing privacy concerns. Unfortunately, a provision that should give transparency advocates pause not only survived, but is spreading to other cybersecurity legislation.
When CISPA was originally introduced in the 112th Congress it contained language that would effectively exempt all information about "cyber threats" shared via the bill from the Freedom of Information Act. That provision survived in the version of CISPA that passed the House last week, and similar language has worked its way into another piece of legislation, the SECURE IT Act, introduced earlier this month.
Wholesale exemptions for "cyber threat information" will prevent public oversight and deny citizens and watchdogs the ability to understand how the government and businesses communicate about and respond to cyber threats. The most sensitive information that would be shared through these bills is already protected from disclosure through existing FOIA exemptions. It is hard to see a compelling reason to subvert the FOIA altogether when it comes to cybersecurity.
Privacy advocates are concerned that personal information will be subject to over-sharing and misuse. Without access to rights provided by the FOIA there will be no way to hold those in power accountable if they are collecting too much information or misusing the data they obtain.
The Freedom of Information Act is a cornerstone for public oversight of government activity. Any change to the law deserves a vigorous and open debate.
CISPA and the SECURE IT Act give government officials broad new powers and the current FOIA provisions provide them with blanket protection from public scrutiny. These new, overly broad exemptions are unnecessary and should not be passed into law.