Should we be as worried about CISPA as we were about SOPA?
Just a few months ago, internet companies and the technology community came together to protest two anti-piracy bills (SOPA and PIPA) because they would have breached free-speech protections and other social safeguards in the name of stopping copyright infringement. Now, a new bill called CISPA that just passed in the House of Representatives is getting a lot of negative attention, with some saying it is just as evil as SOPA, and others — including Facebook and Microsoft — supporting the legislation and arguing that it is much more nuanced than either of its predecessors. So which is it?
Formally known as the Cyber Intelligence Sharing and Protection Act,
the bill is supposed to be aimed at “cyber-security” threats, and it
gives federal authorities and law enforcement fairly broad powers to
find and share data about web users, provided they believe the
information is necessary to go after cyber-criminals and terrorists who
are using technology as a weapon. The bill would amend the National Security Act of 1947, and allow various agencies to convince companies like Facebook to provide user data without even a warrant (my colleague Jeff Roberts has a FAQ on the bill here).
The proposed legislation (which is embedded below) passed the House a day earlier than expected
after some last-minute amendments, and now goes to the Senate, where it
will be discussed along with the Senate’s own version of the
legislation, known as the SECURE IT Act. But it is facing some stiff
headwinds, since the Obama administration has made it clear
that it doesn’t support the bill. And while some tech companies support
the legislation, others such as the Electronic Frontier Foundation are
fighting hard to stop the bill, and petitions against the law have drawn close to 800,000 signatures.
Opponents say the bill would erase current privacy protections
A group of over 50 university professors, entrepreneurs and information scientists have published an open letter to Congress calling on lawmakers to oppose CISPA
because they say the bill (and its Senate counterpart) would allow
companies to hand over the private data of their users to entities like
the Department of Homeland Security, and the only requirement is that
the information involved must somehow be associated with the vague
concept of “cyber-security.”
The bills are drafted to allow entities who participate in relaying or
receiving Internet traffic to freely monitor and redistribute those
network communications. The bills nullify current legal protections
against wiretapping and similar civil liberties violations for that kind
of broad data sharing. By encouraging the transfer of users’ private
communications to US Federal agencies, and lacking good public
accountability or transparency, these “cybersecurity” bills
unnecessarily trade our civil liberties for the promise of improved
network security.
The open letter accuses the bills of:
- “using vague language to describe network security attacks, threat indicators, and countermeasures,” creating the possibility that innocuous online activities could be construed as cybersecurity threats.
- exempting cybersecurity activities “from existing laws that protect individuals’ privacy and devices, such as the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act.”
- giving “sweeping immunity from liability” to companies even if they violate individuals’ privacy, and without evidence of wrongdoing.
- allowing data originally collected through cybersecurity programs “to be used to prosecute unrelated crimes.”
Facebook says it supports the bill, and won’t infringe privacy
At the same time, however, CISPA is supported by a number of tech companies, including Microsoft and Facebook.
Facebook’s VP for U.S. public policy Joel Kaplan said in a blog post
that the network had no intention of sharing information with government
authorities unless there was actual evidence
of cybersecurity issues, and merely wanted to be able to find out about
potential wrongdoing. But that wasn’t good enough for the EFF: the
agency said that
Internet users don’t want promises from companies not to intercept our private communications and share that data with one another and the government. We want strong laws that make such egregious privacy violations illegal, that require the government to follow legal process (judicial oversight in most cases), and that allow us or the government to sue persons who break the law.
My colleague Derrick Harris has pointed out that CISPA is better in
many ways than SOPA, and that the web and various interest groups run the risk of developing a knee-jerk response to almost any legislation
that involves the internet. And it’s true that CISPA doesn’t compel
companies to do anything that would breach the privacy rights of their
users, the way that SOPA arguably did — but for many critics, there is
still too much potential for information to be shared in ways that would infringe on those rights.
Jared Polis, a Democratic representative from Colorado, said during the debate over CISPA
that it would “waive every single privacy law ever enacted in the name
of cybersecurity,” and that “allowing the military and NSA to spy on
Americans on American soil goes against every principle this country was
founded on.” The American Civil Liberties Union
points out that “CISPA gives companies the authority to share [private
and sensitive] information with the National Security Agency or other
elements of the Department of Defense, who could keep it forever.”
Amendments have broadened the bill’s powers even further
Not only that, but Techdirt says that CISPA was amended just before it was passed in order to expand the powers it gives the authorities
to use information: before the changes, it allowed the government to
use information for “cybersecurity” or “national security” purposes. The
amendments added three more criteria that would allow data sharing —
namely investigation and prosecution of cybersecurity crime, protection
of individuals, and protection of children:
Basically this means CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information it collects under CISPA for the purposes of investigating American citizens with complete immunity from all privacy protections as long as they can claim someone committed a “cybersecurity crime”. Basically it says the 4th Amendment does not apply online, at all. Moreover, the government could do whatever it wants with the data as long as it can claim that someone was in danger of bodily harm, or that children were somehow threatened—again, notwithstanding absolutely any other law that would normally limit the government’s power.
Trevor Timm at Foreign Policy magazine says that CISPA allows companies to hand over
user information to the government without a warrant or any kind of
oversight, which effectively over-rules or does an end-run around laws
like the Wiretap Act of 1968 and the 1968 Electronic Communications
Privacy Act, which restrict what companies can do to very specific
circumstances, and require judicial review. CISPA, he says, runs the
risk of applying similar kinds of surveillance against American citizens
that the Obama administration criticizes in other countries:
According to the bill’s main author, Rep. Mike Rogers (R-Mich.), CISPA’s main purpose is to allow companies and the government to share information to prevent and defend against cyberattacks. But the bill’s language is written so broadly that it carves out a giant cybersecurity loophole in all existing privacy laws.
So is CISPA as bad as SOPA? Probably not, in the sense that SOPA
required ISPs and other companies to engage in all kinds of activity
that infringed on free speech and subjected even innocent users to
potential seizure of their websites, etc. But the risk when designing a
bill that hinges on a concept as vague as “cyber-security” is that it
allows companies and government agencies fairly wide latitude to
accumulate whatever information they wish — and allows them to do so
without even a warrant or a judge’s order. Companies like Facebook may
promise that they would never do this unless it is really important, but
how can we know that for sure?