Should we be as worried about CISPA as we were about SOPA?
Just a few months ago, internet companies and the technology community came together to protest two anti-piracy bills (SOPA and PIPA) because they would have breached free-speech protections and other social safeguards in the name of stopping copyright infringement. Now, a new bill called CISPA that just passed in the House of Representatives is getting a lot of negative attention, with some saying it is just as evil as SOPA, and others — including Facebook and Microsoft — supporting the legislation and arguing that it is much more nuanced than either of its predecessors. So which is it?
Formally known as the Cyber Intelligence Sharing and Protection Act,
the bill is supposed to be aimed at “cyber-security” threats, and it
gives federal authorities and law enforcement fairly broad powers to
find and share data about web users, provided they believe the
information is necessary to go after cyber-criminals and terrorists who
are using technology as a weapon. The bill would amend the National Security Act of 1947, and allow various agencies to
compel convince companies like Facebook to provide user data without even a warrant (my colleague Jeff Roberts has a FAQ on the bill here).
The proposed legislation (which is embedded below) passed the House a day earlier than expected after some last-minute amendments, and now goes to the Senate, where it will be discussed along with the Senate’s own version of the legislation, known as the SECURE IT Act. But it is facing some stiff headwinds, since the Obama administration has made it clear that it doesn’t support the bill. And while some tech companies support the legislation, others such as the Electronic Frontier Foundation are fighting hard to stop the bill, and petitions against the law have drawn close to 800,000 signatures.
Opponents say the bill would erase current privacy protections
A group of over 50 university professors, entrepreneurs and information scientists have published an open letter to Congress calling on lawmakers to oppose CISPA because they say the the bill (and its Senate counterpart) would allow companies to hand over the private date of their users to entities like the Department of Homeland Security, and the only requirement is that the information involved must somehow be associated with the vague concept of “cyber-security.”
The bills are drafted to allow entities who participate in relaying or receiving Internet traffic to freely monitor and redistribute those network communications. The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users’ private communications to US Federal agencies, and lacking good public accountability or transparency, these “cybersecurity” bills unnecessarily trade our civil liberties for the promise of improved network security.
The open letter accuses the bills of:
- “using vague language to describe network security attacks, threat indicators, and countermeasures,” creating the possibility that innocuous online activities could be construed as cybersecurity threats.
- exempting cybersecurity activities “from existing laws that protect individuals’ privacy and devices, such as the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act.”
- giving “sweeping immunity from liability” to companies even if they violate individuals’ privacy, and without evidence of wrongdoing.
- allowing data originally collected through cybersecurity programs “to be used to prosecute unrelated crimes.”
Facebook says it supports the bill, and won’t infringe privacy
At the same time, however, CISPA is supported by a number of tech companies, including Microsoft and Facebook. Facebook’s VP for U.S. public policy Joel Kaplan said in a blog post that the network had no intention of sharing information with government authorities unless there was actual evidence of cybersecurity issues, and merely wanted to be able to find out about potential wrongdoing. But that wasn’t good enough for the EFF: the agency said that
Internet users don’t want promises from companies not to intercept our private communications and share that data with one another and the government. We want strong laws that make such egregious privacy violations illegal, that require the government to follow legal process (judicial oversight in most case), and that allow us or the government to sue persons who break the law.
My colleague Derrick Harris has pointed out that CISPA is better in many ways than SOPA, and that the web and various interest groups run the risk of developing a knee-jerk response to almost any legislation that involves the internet. And it’s true that CISPA doesn’t compel companies to do anything that would breach the privacy rights of their users, the way that SOPA arguably did — but for many critics, there is still too much potential for information to be shared in ways that would infringe on those rights.
Jared Polis, a Democratic representative from Colorado, said during the debate over CISPA that it would “waive every single privacy law ever enacted in the name of cybersecurity,” and that “allowing the military and NSA to spy on Americans on American soil goes against every principle this country was founded on.” The American Civil Liberties Union says points out that “CISPA gives companies the authority to share [private and sensitive] information with the National Security Agency or other elements of the Department of Defense, who could keep it forever.”
Amendments have broadened the bill’s powers even further
Not only that, but Techdirt says that CISPA was amended just before it was passed in order to expand the powers it gives the authorities to use information: before the changes, it allowed the government to use information for “cybersecurity” or “national security” purposes. The amendments added three more criteria that would allow data sharing — namely investigation and prosecution of cybersecurity crime, protection of individuals, and protection of children:
Basically this means CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information it collects under CISPA for the purposes of investigating American citizens with complete immunity from all privacy protections as long as they can claim someone committed a “cybersecurity crime”. Basically it says the 4th Amendment does not apply online, at all. Moreover, the government could do whatever it wants with the data as long as it can claim that someone was in danger of bodily harm, or that children were somehow threatened—again, notwithstanding absolutely any other law that would normally limit the government’s power.
Trevor Timm at Foreign Policy magazine says that CISPA allows companies to hand over user information to the government without a warrant or any kind of oversight, which effectively over-rules or does an end-run around laws like the Wiretap Act of 1968 and the 1968 Electronic Communications Privacy Act, which restrict what companies can do to very specific circumstances, and require judicial review. CISPA, he says, runs the risk of applying similar kinds of surveillance against American citizens that the Obama administration criticizes in other countries:
According to the bill’s main author, Rep. Mike Rogers (R-Mich.), CISPA’s main purpose is to allow companies and the government to share information to prevent and defend against cyberattacks. But the bill’s language is written so broadly that it carves out a giant cybersecurity loophole in all existing privacy laws.
So is CISPA as bad as SOPA? Probably not, in the sense that SOPA required ISPs and other companies to engage in all kinds of activity that infringed on free speech and subjected even innocent users to potential seizure of their websites, etc. But the risk when designing a bill that hinges on a concept as vague as “cyber-security” is that it allows companies and government agencies fairly wide latitude to accumulate whatever information they wish — and allows them to do so without even a warrant or a judge’s order. Companies like Facebook may promise that they would never do this unless it is really important, but how can we know that for sure?