The actual statement as sent to CNET is listed below:
Microsoft has previously stated support for efforts to improve cyber security, and sharing threat information is an important component of those efforts. Improvements to the way this information is shared would help companies better protect customers, and online services in the United States and around the world from criminal attack. Microsoft believes that any proposed legislation should facilitate the voluntary sharing of cyber threat information in a manner that allows us to honor the privacy and security promises we make to our customers.
Legislation passed by the House of Representatives yesterday is a first step in this legislative process. Since November, there has been active, constructive dialogue to identify and address concerns about the House bill, and several important changes were incorporated. We look forward to continuing to work with members of Congress, consumer groups, the civil liberties community and industry colleagues as the debate moves to the Senate to ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy.
Now, as you can see, Microsoft is not opposing CISPA at all; in fact, it is just saying the equivalent of “We still support this, but, well, if we can, we will try to protect your information.”
This statement sums it all up: “We look forward to continuing to work with members of Congress, consumer groups, the civil liberties community and industry colleagues as the debate moves to the Senate to ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy.”
However, if you watched the vote on CISPA, none of the amendments that dealt with maintaining consumer privacy were passed. They were all voted down. This is a huge issue, and while Microsoft might try to claim they are not legally bound to share customer data, the provisions of the bill make it exceptionally easy for government agencies to obtain it without a warrant. They do not even have to have an active investigation going on for them to submit a subpoena for the information.
This type of legislation is not going to protect anyone (except for corporate bottom lines). CISPA has just removed the boundaries that were intended to protect communication and personal privacy. A company such as MedFlow that might have your personal medical records stored on their network can voluntarily hand them over to the US government, bypassing doctor-patient privilege. The same thing is also possible with client-attorney communication if it happens over email. Let’s say your email is on a server owned by Google (or GoDaddy): all of your email can be “voluntarily” handed over, once again bypassing laws intended to protect citizens from this type of spying.
For companies like Microsoft to support a bill with that type of goal while claiming it is for security is repugnant and insulting. Still, we hope that as more and more people, websites and companies begin to wake up to the threat posed by bills like SOPA, PIPA, and CISPA, the tide will again turn against this type of legislation. We will say this again: if security is the concern, put money into Information Security educational programs, and restrict the use of outsourced security and managed service providers for critical infrastructure devices and any customer data systems. Offer incentives to companies that comply with threat assessments and that maintain in-house security staff. Do not enact a law like CISPA that has no benefit and can be manipulated to serve corporate interests.