Microsoft is no longer as enthusiastic about a controversial cybersecurity bill that would allow Internet and telecommunications companies to divulge confidential customer information to the National Security Agency.
The U.S. House of Representatives approved CISPA by a 248 to 168 margin yesterday in spite of a presidential veto threat and warnings from some House members that the measure represented "Big Brother writ large." (See CNET's CISPA FAQ.)
In response to queries from CNET, Microsoft, which has long been viewed as a supporter of the Cyber Intelligence Sharing and Protection Act, said this evening that any law must allow "us to honor the privacy and security promises we make to our customers."
Microsoft added that it wants to "ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy."
That's a noticeable change -- albeit not a complete reversal -- from Microsoft's position when CISPA was introduced in November 2011.
In a statement (PDF) at the time, Microsoft vice president for government affairs Fred Humphries didn't mention privacy. Instead, Humphries said he wanted to "commend" CISPA's sponsors and "Microsoft applauds their leadership." He added: "This bill is an important first step towards addressing significant problems in cyber security."
That wasn't exactly a full-throated endorsement of CISPA, but it was enough for the bill's author, House Intelligence Committee chairman Rep. Mike Rogers (R-Mich.), to list Microsoft as a "supporter" on the committee's Web site.
To be sure, Microsoft's initial reaction to CISPA came before many of the privacy concerns had been raised. An anti-CISPA coalition letter (PDF) wasn't sent out until April 16, and a petition that garnered nearly 800,000 signatures wasn't set up until April 5.
What makes CISPA so controversial is a section saying that, "notwithstanding any other provision of law," companies may share information with Homeland Security, the IRS, the NSA, or other agencies. By including the word "notwithstanding," CISPA's drafters intended to make their legislation trump all existing federal and state laws, including ones dealing with wiretaps, educational records, medical privacy, and more.
Excerpts from the Cyber Intelligence Sharing and Protection Act:
"Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes -- (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and (ii) share such cyber threat information with any other entity, including the Federal Government...
The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself."
CISPA would "waive every single privacy law ever enacted in the name of cybersecurity," Rep. Jared Polis, a Colorado Democrat and onetime Web entrepreneur, said during yesterday's floor debate. Its sponsors, on the other hand, say it's necessary to allow the NSA and Homeland Security to share cybersecurity threat information with the private sector.
What Microsoft appears to favor is a Senate bill introduced in February called the Cybersecurity Act.
At a Senate hearing in February, Microsoft vice president Scott Charney was more effusive about the Cybersecurity Act than his colleague was about CISPA three months earlier. The Senate bill provides "an appropriate framework to improve the security of government and critical infrastructure systems," one which will be "flexible enough to permit future improvements to security" over time, Charney said (PDF).
"We're excited to hear that Microsoft has acknowledged the serious privacy faults in CISPA," said Dan Auerbach, EFF staff technologist. "We hope that other companies will realize this is bad for users and also bad for companies who may be coerced into sharing information with the government."
Here's the full text of what a Microsoft spokesman sent CNET this evening:
Microsoft has previously stated support for efforts to improve cyber security, and sharing threat information is an important component of those efforts. Improvements to the way this information is shared would help companies better protect customers, and online services in the United States and around the world from criminal attack. Microsoft believes that any proposed legislation should facilitate the voluntary sharing of cyber threat information in a manner that allows us to honor the privacy and security promises we make to our customers.
Legislation passed by the House of Representatives yesterday is a first step in this legislative process. Since November, there has been active, constructive dialogue to identify and address concerns about the House bill, and several important changes were incorporated. We look forward to continuing to work with members of Congress, consumer groups, the civil liberties community and industry colleagues as the debate moves to the Senate to ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy.