
Wait, is this year's CISPA dramatically different than last year's? Because if it's basically the same bill, this is a profoundly dishonest campaign.

2012's CISPA:

* Did not provide the government with any capability to shut down traffic

* Explicitly rejected enforcement of intellectual property, going so far as to remove IP from a list of assets protected by the bill

* Created an entirely voluntary opt-in mechanism for companies to share information about attacks

* Limited the information shared to attack data, and provided a definition in the law for what "attack" meant that did not include piracy

CISPA 2012 was not a "warmed over SOPA". SOPA was so much more intrusive than CISPA 2012 that it is strange to even compare them.

So, is CISPA 2013 much worse?



Organizations ranging from Mozilla and the ACM, to the EFF and ACLU, to grassroots activist groups of the left and right didn't share your casual confidence in the reasonableness of 2012 CISPA.

http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...

Their analysis was that once a determination of a 'cyber threat' was made and shared, private communications and other data that would usually require stronger cause could (and probably would) then be handed over ('shared') on government request. The words "voluntary opt-in" are not reassuring, if it's a service provider opting-in customer data to law-enforcement, disregarding traditional expectations of privacy or even explicitly agreed terms.

When you say 2012 CISPA "remove[d] IP from a list of assets protected by the bill", they could only 'remove' it because the original draft had it in. And, that's the sort of insider-wishlist-item that can be re-added as the bill progresses, or perhaps even interpreted-back-in when the bill contains vague language.

The 2013 language includes in its definition of covered 'cybersecurity crimes': "a violation of any provision of title 18, United States Code, created or amended by the Computer Fraud and Abuse Act of 1986 (Public Law 99-474)."

That's the same CFAA as used in the recent prosecutions of Swartz and Auernheimer. It has the open-ended "exceeding authorized access" and "obtains anything of value" language that lets the violation of terms-of-service and unauthorized acquisition of commercially-valued copyrighted material become serious federal crimes.

Advocates of new security powers tend to portray their scope as small and reasonable, before passage, but then manage to find a more expansive interpretation, when it behooves them after passage. Because such bills keep changing and stretching, I tend to trust the EFF and ACLU, who will actually litigate cases under the enacted legal regime, about the bill's likely effects.


Noting all the concerns about privacy, it is still intellectually dishonest to compare it to SOPA, with which it shares literally nothing.

But that is not particularly surprising because Namecheap cares more about getting people fired up to switch their domains to Namecheap, than they do about being an honest participant in the legislative process.


Sure, it's not the 'same as' SOPA, nor is it SOPA renamed/resuscitated. But CISPA shares an aspect giving law-enforcement new powers that may be expansively used, without judicial hearing, against anyone identified as a 'cyber threat' or engaging in 'cybersecurity crimes'.

And CISPA does this via a similar mechanism: broad immunity for those non-governmental service providers who 'voluntarily' do what law-enforcement may only informally advise. That's an elastic clause that can look innocent in the text but be nasty in practice.

So there are enough similarities in mechanism and feared effect that analogizing it to SOPA is within the bounds of fair discourse. It's the same approximate way of speaking we see in headlines that say "Mexico is the new China" or "Facebook is the new Google"... similarity in an important aspect, not all important aspects.


No, it doesn't give law enforcement any new powers. This is an example of the misinformation about this bill.


Mere contradiction -- "No, it doesn't" -- isn't convincing.

Your argument doesn't pass a simple-logic smell-test: why would law enforcement want this, if it doesn't give them any new capabilities?

Organizations that are expert in the legal implications of such bills, like the EFF and ACLU, disagree with you about the effect. Their concern is that under CISPA, "these combined power and immunity provisions would override existing privacy laws like the Wiretap Act and the Stored Communications Act." [1]

Imagine there were a law which said, search and seizure without a warrant or probable cause is bad, but any evidence so collected is always admissible in court, and law officers who collect such evidence may never be disciplined in any civil, criminal, or administrative fashion. That creates a de facto new power, because it shifts all the incentives, and agents may then search and seize with impunity.

The concern of the EFF and the ACLU is that CISPA does something similar. It sets up a system where doing the federal government the 'voluntary' favor of sharing information -- even in contravention of other laws or contracts that could create liability -- is always the safe and easy course. So, agencies wind up collecting far more info than people expected to be private.

There's an old joke that "national security" is the root password to the Constitution. Well, CISPA makes "cybersecurity threat" the root password to every private service-provider data set.

[1] https://www.eff.org/deeplinks/2013/02/cispa-privacy-invading...


Carefully read the EFF link you posted. It does not say that CISPA gives law enforcement any new powers. Their objections to the bill center around the privacy implications of giving private companies liability protection if they choose to share data with the government.

The language of CISPA explicitly prohibits the government from using such protections to force companies to give up data. Again--read the EFF article. It does not even use the phrase "law enforcement" at all, nor the word "force". The only usage of the word "power" refers to the power of private companies to collect data related to cybersecurity (which of course they already do).

The EFF is right to raise questions about privacy in the context of cybersecurity coordination. Where I part ways with them is that they seem to have taken a maximalist approach that any and all sharing of data is wrong and should be prevented. I happen to think that there is a role for the federal government to help coordinate cyber threat information.


I've read the EFF write-ups, the 2013 proposed bill text, and other sources carefully.

If after CISPA, federal agencies can receive more private data than before – in ways that were previously prevented by liability under the Wiretap Act, the Stored Communication Act, contractual obligations, and other court precedents about expectations of privacy – then that's a 'new power' for law enforcement. Even if the way the new power is created is indirect, through immunized information 'sharing'.


I guess we'll just have to disagree about the meaning of the phrase "law enforcement power." SOPA would have given law enforcement a legal right to compel certain behavior. CISPA does not grant any right to compel behavior.



