Importantly, CISPA doesn't just specify individuals when it talks about customers of cyber security providers. That means if a cyber security provider notices one of its customers is engaging in business practices that could constitute some kind of general security threat, that provider can pass that suspect data on to whomever. That data could include email messages, financial transactions, Web history, customer information. That list, like the list of potential data sharers, stretches on and on.
Proponents of the bill might point to the part that specifies an entity can't share its customer's data unless it constitutes a cyber threat or a threat to national security. Unfortunately, that is pretty darn subjective. Depending on one's political leanings, certain nonprofits -- such as religious or political groups -- pose a "national security threat." Health care organizations that provide controversial services such as abortions or stem-cell treatment could be deemed a threat. Media companies -- whether the New York Times or Fox News or CNN -- might pose security threats in their critics' minds. Private companies with clients who are potentially involved in suspect activities -- say, a company that does business in countries that aren't U.S. allies -- could be construed as a security threat.
Yet again, the possibilities stretch on because the bill's language is vague. Participants have the luxury of picking and choosing what information to share, so long as they can frame it as a security threat. If it turns out the shared data doesn't represent a threat at all, the entity that volunteers it faces no consequences.
So how might the passage of CISPA affect the future of the cloud? Well, CISPA could deter any privacy-conscious organization from using cloud- and Internet-based services altogether. Why risk letting Microsoft or Google monitor and protect your business's email, or Amazon or Rackspace protect your data, or Salesforce.com protect your customer data, knowing that on any given day someone might pass your sensitive data to the feds and other entities -- some of whom might even be your competitors -- in the name of security? Even if 95 percent of the admins exercise discretion, there's always a chance someone with a bad case of paranoia or an itchy trigger finger or some odd vendetta could decide your organization's data poses a security threat and should be passed along.
Is your organization willing to risk it?
This story, "Why CISPA could kill the cloud," was originally published at InfoWorld.com.