Opponents of CISPA such as the ACLU have focused almost exclusively on the bill's potential impact on individual users' privacy, and understandably so. But a close read of CISPA's broad language reveals that Joe Internet's privacy isn't all that would be in jeopardy if the bill makes it through the Senate and past President Obama's veto pen. CISPA poses a threat to the privacy of entire organizations, from nonprofits and small businesses on up to the enterprise -- and even to the very future of cloud computing.
Drawing from the bill's exact language, CISPA would permit "certified entities" and "cyber security providers" to "voluntarily" share any customer data with other certified entities, so long as the data constitutes "cyber threat intelligence" for "cyber security purposes" -- as well as for the sake of "national security."
In a nutshell, the federal government and "certified entities" could freely pass around customer data in the name of security, without due process and without any fear of reprisal if their purported security fears turn out to be completely unwarranted. "Certified entities" can mean federal agencies, other public agencies, utilities, and private organizations. That's a potentially long, long list of whistleblowers.
"Cyber security providers" are prime candidates to play the role of data providers under CISPA. By the bill's definition, it means any private entity that provides goods or services intended to be used for cyber security purposes. That, too, is a remarkably vague term. Any kind of Internet- or cloud-service provider offers some form of cyber security service, beyond the standard antivirus, antispam, and firewall protection.
For example, Google and Microsoft offer hosted productivity apps for email, word processing, spreadsheets, and so forth -- and part of those services includes securing customers' documents and messages. An ISP such as Verizon or AT&T protects your data as it travels in and out of your network. A SaaS company such as Salesforce.com protects customers' business information. Similarly, providers of IaaS and PaaS offerings secure the data and application processes of their customers. The list goes on and on, from financial institutions to online retailers to social networking sites.