CISPA is back before Congress. In fact, while we were all focused on the unfolding tragedy in Boston, the House of Representatives passed the measure. So what is CISPA? It stands for the "Cyber Intelligence Sharing & Protection Act." Its intent is to prevent a "Cyber Pearl Harbour." Unfortunately, the bill goes much farther than that. This is Congress' second crack at this bill. It passed in the House along a fairly partisan line, but President Obama threatened to veto the bill on the grounds that it goes too far. The bill currently before Congress is virtually the same and President Obama has yet again threatened to veto the bill. In an article from Congress' first attempt to pass this bill last year, Think Progress enumerated why CISPA is so dangerous to the privacy of all Americans:
CISPA’s broad language will likely give the government access to anyone’s personal information with few privacy protections: CISPA allows the government access to any “information pertaining directly to a vulnerability of, or threat to, a system or network of a government or private entity.” There is little indication of what this information could include, and what it means to be ‘pertinent’ to cyber security. Without boundaries, any internet user’s personal, private information would likely be fair game for the government.
It supersedes all other provisions of the law protecting privacy: As the bill is currently written, CISPA would apply “notwithstanding any other provision of law.” In other words, privacy restrictions currently in place would not apply to CISPA. As a result, companies could disclose more personal information about users than necessary. Ars Technica writes, “if a company decides that your private emails, your browsing history, your health care records, or any other information would be helpful in dealing with a ‘cyber threat,’ the company can ignore laws that would otherwise limit its disclosure.”
The bill completely exempts itself from the Freedom of Information Act: Citizens and journalists have access to most things the government does via the Freedom of Information Act (FOIA), a key tool for increasing transparency. However, CISPA completely exempts itself from FOIA requests. The Sunlight Foundation blasted CISPA for “entirely” dismissing FOIA’s “fundamental safeguard for public oversight of government’s activities.”
CISPA gives companies blanket immunity from future lawsuits: One of the most egregious aspects of CISPA is that it gives blanket legal immunity to any company that shares its customers’ private information. In other words, if Microsoft were to share your browsing history with the government despite your posing no security threat, you would be barred from filing a lawsuit against them. Without any legal recourse for citizens to take against corporate bad behavior, companies will be far more inclined to share private information.
Recent revisions don’t go nearly far enough: In an attempt to specify how the government can use the information they collect, the House passed an amendment saying the data can only be used for: “1) cybersecurity; 2) investigation and prosecution of cybersecurity crimes; 3) protection of individuals from the danger of death or physical injury; 4) protection of minors from physical or psychological harm; and 5) protection of the national security of the United States.” This new version still “suffers from most of the same problems that plagued the original version,” writes Timothy Lee. Because terms like “cybersecurity” are so vague, the bill’s language could encompass almost anything.
Citizens have to trust that companies like Facebook won’t share your personal information: CISPA does not force companies to share private user information with the government. That being said, Ars Technica makes the point that “the government has a variety of carrots and sticks it can use to induce private firms to share information it wants.” For instance, many companies receive federal contracts or subsidies and would be hesitant to deny any request from the government that might jeopardize future business. Companies may not be legally required to turn over information, but they “may not be in a position to say no.”
Companies can already inform the government and each other about incoming cybersecurity threats: While proponents of CISPA claim it’s needed to allow agencies and companies to share information about incoming cybersecurity threats, opponents of the bill point out that “network administrators and security researchers at private firms have shared threat information with one another for decades.”
Wherever you are on the political spectrum, this is an issue about which we should all be concerned. It is not a left/right argument, it is a security/liberty argument. We should not give up one for the other, because we may end up with neither if we do.