[Congressional Record Volume 159, Number 59 (Friday, April 26, 2013)]
[Extensions of Remarks]
[Pages E572-E573]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




     THE FEDERAL GOVERNMENT'S USE OF INFORMATION SHARED UNDER CISPA

                                 ______
                                 

                           HON. ALAN GRAYSON

                               of florida

                    in the house of representatives

                         Friday, April 26, 2013

  Mr. GRAYSON. Mr. Speaker, the U.S. House of Representatives has 
passed a bill attempting to secure our nation's cyber-systems and 
networks from attack. This bill expands the authority of private 
entities and the federal government to share specified threat 
information and intelligence with one another. It is intended to grant 
authority for the government and private industry to share cyber-threat 
information and intelligence only in a manner consistent with the need 
for individual citizens to have reasonable expectations of privacy. The 
right of a citizen to remain ``secure in their persons, houses, papers, 
and effects, against unreasonable searches and seizures'' is unaltered. 
This bill largely pertains to network security, and nothing in the bill 
precludes or alters the requirement that the government secure a 
warrant before engaging in searches or seizures of information that 
would otherwise reasonably be expected to remain private.
  With respect to those provisions pertaining to the federal 
government's use of information shared with it under the Cyber 
Intelligence Sharing and Protection Act (``CISPA''), the intent of 
Congress is as follows:
  The only information the federal government may receive under CISPA 
that it heretofore was not permitted to access under law is ``cyber 
threat information'' (Section 3(b)).
  ``Cyber threat information'' is defined narrowly in section 3(g)(4) 
as ``information directly pertaining to'' any of the following:
  (1) A vulnerability of a system or network of a government or private 
entity or utility.
  (2) A threat to the integrity, confidentiality, or availability of a 
system or network of a government or private entity or utility or any 
information stored on, processed on, or transiting such a system or 
network.
  (3) Efforts to deny access to or degrade, disrupt, or destroy a 
system or network of a government or private entity or utility.
  (4) Efforts to gain unauthorized access to a system or network of a 
government or private entity or utility, including to gain such 
unauthorized access for the purpose of exfiltrating information stored 
on, processed on, or transiting a system or network of a government or 
private entity or utility.
  Therefore, if the actions of a user of any system or network do not 
expose a vulnerability; pose a threat to integrity, confidentiality, or 
availability; attempt to deny access, degrade, disrupt, or destroy; or 
attempt to gain unauthorized access, then none of the user's 
information, or information pertaining to the user, or information that 
could possibly identify the user may be shared with the federal 
government under authority granted by CISPA. Each of these categories 
must be construed as narrowly as possible in order to protect the 
constitutional right of citizens to privacy, and provide effect to the 
term ``directly.''
  Restated, the use of a system or network alone does not permit any 
entity to share any information of a user, or pertaining to the user, 
unless it is currently allowed to do so under another law. The terms 
``vulnerability,'' ``threat,'' ``efforts'' and ``unauthorized access'' 
all are to be construed narrowly, and are limited to cybyersecurity 
threats.
  Further, the government cannot use that which it cannot receive.
  Under this Act, should any entity share information with the federal 
government that is not ``cyber threat information,'' e.g., information 
pertaining to normal or permissible use, identifying information, etc., 
then the federal government must notify the entity sharing the 
information of its error (Section 3(c)(5)), shall not retain the 
information (Section 3(c)(6)), and shall not use the information 
(Section 3(c)(6)).
  The federal government may use ``cyber threat information'' shared 
with it only:
  (1) for cybersecurity purposes,
  (2) for the investigation and prosecution of cybersecurity crimes,
  (3) for the protection of individuals from the danger of death or 
serious bodily harm and the investigation and prosecution of crimes 
involving such danger of death or serious bodily harm,
  (4) for the protection of minors from
  (a) child pornography,
  (b) any risk of sexual exploitation, and
  (c) serious threats to the physical safety of minors, including 
kidnapping and trafficking, and
  (5) for the investigation and prosecution of crimes involving 4(a) 
through (c) above, and
  (6) any crime referred to in section 2258A(a)(2) of title 18 of the 
United States Code (knowingly failing to report information pertaining 
to sexual exploitation and other abuses of children--including obscene 
visual representations of such acts). (Section 3(c)(6) and Section 
3(c)(1)).
  The term ``danger of death or serious bodily harm'' is limited to 
acts of domestic terrorism as defined in the criminal code (18 U.S.C. 
Section 23331(5)).

[[Page E573]]

  CISPA does not allow the federal government access to new information 
based upon the points described above, but only access to existing 
information. Moreover, it limits the use of appropriately shared 
``cyber threat information'' solely to the purposes and crimes defined.
  ``Cybersecurity Purpose'' is defined in section 3(g)(8) as ``ensuring 
the integrity, confidentiality, or availability of, or safeguarding, a 
system or network, including protecting a system or network'' from 
vulnerability; threats to integrity, confidentiality, or availability; 
attempts to deny access, degrade, disrupt, or destroy; or attempts to 
gain unauthorized access. It is a narrow subset of the term ``cyber 
threat information.''
  ``Cybersecurity Crimes'' is defined in section 3(g)(6) and are those 
crimes under federal or state law pertaining to misuse of systems or 
networks, as well as any federal computer crime. Only statutes limited 
to the misuse of computers fall within this scope.
  CISPA places an ``Affirmative Search Restriction'' on the federal 
government in section 3(c)(2)--``The Federal Government may not 
affirmatively search cyber threat information shared with [it] . . . 
for a purpose other than a purpose referred to in'' points 1 through 6, 
above. In order to respect the Constitutional right to privacy, this 
provision should be construed as broadly as possible.
  The only new authority CISPA creates with respect to searches is as 
follows:
  (1) Cyber threat information (which is narrowly defined, and for 
almost every American ensures that the sharing of their information, or 
information pertaining to them, is disallowed) must be appropriately 
shared as discussed in section 3(b).
  (2) The federal government may affirmatively search shared cyber 
threat information only for:
  (a) Cybersecurity purposes (which, as defined, is a threshold that 
must be satisfied prior to the information is even being shared with 
the government in the first instance).
  (b) Computer crimes which are already codified.
  (c) And only enumerated crimes pertaining to sexual exploitation and 
other abuses of children.
  No search of information may be performed without satisfying the 
requirements of the 4th Amendment to the U.S. Constitution. Nothing in 
CISPA is meant to eliminate or even curtail the requirement in all 
applicable cases to obtain a warrant.
  If information is not cyber threat information, (1) the government 
may not have it under CISPA (Section 3(c)(6)), and (2) must obtain a 
warrant to search it (Section 3(c)(2)). The information of, pertaining 
to, or identifying any American who is using a network or system in a 
way that comports with the terms and conditions of a user agreement is 
unequivocally not cyber threat information. Any search of such 
information requires a warrant.
  Library circulation records, library patron lists, book sales 
records, book customer lists, firearms sales records, tax return 
records, educational records, and medical records are not records that 
satisfy the definition of ``cyber threat information'' under CISPA. 
Section 3(c)(4) explicitly bars the federal government from using these 
records under CISPA. This provision is to be construed liberally, and 
this list is not exclusive.
  Pursuant to section 3(d)(1), the federal government may be held 
liable for any use of information shared with it that is not cyber 
threat information. This is an explicit waiver of sovereign immunity, 
and is intended to be broad.
  And finally, CISPA, in accordance with section 3(f)(7) does not 
authorize any intelligence agency to engage in surveillance of any 
American citizen. Such action clearly would be a violation of 
Constitutional rights; and actionable through a private right of 
action.
  Mr. Speaker, each of the points addressed above are important. They 
are important to understanding the narrow scope of this law, the ways 
in which the federal government is prohibited from acting, and the ways 
in which American citizens' information remains protected and 
unavailable to the federal government. CISPA should be interpreted 
narrowly as written, and as such, it is not a document that provides 
sweeping new authority to the federal government either to receive or 
use cyber information of the general American public. In case of doubt, 
the letter and spirit of the body of law surrounding the 4th Amendment 
to the U.S. Constitution and our rights to liberty and privacy 
prevails.

                          ____________________