CISPA has a bunch of clauses saying that it trumps any law to the contrary ("Notwithstanding any other provision of law"), so the ECPA only applies when CISPA doesn't. CISPA even has a redundant clause talking about federal preemption that appears to be there just to emphasize the fact that it was intended to overrule everything else.
They repeat a fair number of the EFF's complaints, including how the law is too broad. I don't think the sky is falling here, but I do think that putting a giant loophole in every single privacy law, however inadequate the current ones may be, is a mistake. If they really want to do something, they ought to update the ECPA. It's rather dated.
I think I agree with everything the ACLU is arguing for, while noting that these are things we don't have today. For instance, when security and investigations info is shared with the government today under the post-PATRIOT ECPA, there aren't "use restrictions" and there isn't a requirement for PII to be scrubbed.
One by one, ACLU wants CISPA to:
* Narrowly define the privacy laws it will contravene. In other words, the law should directly reference the ECPA & Communications Act and carefully define the parts of it it overrides. Sure, but this won't fundamentally change the character of the law, because the ECPA doesn't offer strict protections either.
* House domestic cybersecurity efforts in a civilian agency. I'm skeptical of all government cybersecurity efforts and could care less where they're housed. If anything, I might rather have the military leading this, since they actually have operational experience. I don't buy that we need a new "Cyber TSA" to be created.
* Require companies to remove personally identifiable information (PII) from data they share with the government CISPA already suggests anonymization. ACLU would presumably prefer to make anonymization the default. That's fine. But there is no provision requiring scrubbing of PII in ECPA.
* Limit government use of information shared for cybersecurity purposes Who's going to disagree with this? Certainly not me. But: the protection ACLU is asking for does not exist today.
* Create an oversight and accountability structure that includes public and congressional reporting Zzzzzzz.
I'm glad for the reference to the ACLU statement on this bill (I support the ACLU). But again, I think a lot of opposition to CISPA falls into a mold of "if we're going to pass new laws, they should improve privacy from the status quo". And: I like privacy! But "not improving privacy" is just not the same thing as "demolishing privacy" or, as Doctorow thinks, "selling the whole Internet out to the MPAA".
You have a point that one of the most interesting points in CISPA is that the entity sharing the data can put restrictions on the use of it. But the suggestion in CISPA that data could be anonymized where appropriate is nothing more than a suggestion.
I feel like we're arguing over whether or not to get rid of a few toothless guard dogs. While I can understand the argument that getting rid of toothless guard dogs is a no-op, I'm worried because the current plan does not involve replacing them at all. And there I think we agree: reform is needed.
CISPA has a bunch of clauses saying that it trumps any law to the contrary ("Notwithstanding any other provision of law"), so the ECPA only applies when CISPA doesn't. CISPA even has a redundant clause talking about federal preemption that appears to be there just to emphasize the fact that it was intended to overrule everything else.
Perhaps you would prefer to hear the ACLU's opposition piece: https://www.aclu.org/technology-and-liberty/aclu-opposition-...
They repeat a fair number of the EFF's complaints, including how the law is too broad. I don't think the sky is falling here, but I do think that putting a giant loophole in every single privacy law, however inadequate the current ones may be, is a mistake. If they really want to do something, they ought to update the ECPA. It's rather dated.