There have been some noteworthy modifications to CISPA since this article was written. You can read about them here. Any statements that are no longer accurate have been struck through. Otherwise the text remains unedited.
It wasn’t long ago that the potentially Internet-destroying twins SOPA and PIPA were effectively defeated, but ever since they snuck up on the Internet-at-large, there’s been the worry that something similar might happen again. Well, it’s happening. The new bill HR 3523, or the Cyber Intelligence Sharing and Protection Act (CISPA), while different from SOPA in many ways, is pushing its way through Congress as we speak, and could pose a serious threat to the Internet that is both very similar and very different from SOPA.
As with any bill, especially a cybersecurity bill, there is a lot to know. For the moment we’ll try to stick with the basics:
CISPA, on its face, claims to be concerned with cybersecurity unlike SOPA and PIPA, which focused on copyrights and piracy.
SOPA was a bill with an admirable goal and potentially devastating consequences. It aimed to put an end to piracy and instead could have put an end to free Internet as we know it through DNS blocking, misguided logic, and overly broad powers. Likewise, CISPA ostensibly aims to theft of government information or intellectual property and cybercrime in general. Unlike SOPA, however, CISPA operates under the guise of national cybersecurity as opposed to economic concerns, but CISPA’s overly broad language could be used for surveillance or censorship because the bill lacks sufficient restrictions. Supporters of CISPA will be quick to discourage comparisons of CISPA to SOPA considering the former was economic and the later is concerned with security (and considering “SOPA” has pretty much developed into something of a slur). While this is true, both bills would could have similarly devastating effects on the Internet and the people who hang out and do business there.
CISPA allows the government and private companies to exchange private information so long as the exchange has something to do with “cybersecurity.”
The problem here has to do with the lack of justification. Like SOPA which — at points in its existence — would have allowed for wholesale takedowns of entire sites based on the mere accusation of copyright infringement, CISPA allows for the sharing of otherwise private data between private companies and the government (in both directions) so long as the exchange is ostensibly related to cybersecurity. What “cybersecurity” actually means is woefully unclear. As far as the bill is concerned, a “cybersecurity purpose” is:
- The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from–‘(A) efforts to degrade, disrupt, or destroy such system or network; or
You’ll note that according to the FBI, federal copyright violation is a flavor of intellectual property theft.
Furthermore, whether or not an action does have a cybersecurity purpose seems to be a total judgement call for those involved when the share actually goes down. Of course, with a definition that broad, pretty much anything could fit the criteria which is probably why the need of some sort of third-party validation seems crucial to opponents, but might seem unnecessary for supporters. The Privacy and Civil Liberties Oversight Board is required to submit “a review of the sharing and use of information by the Federal Government” to Congress annually, but like SOPA’s shoot-first DNS takedowns, this is an after-the-fact move; the information can’t be unshared even if some wrists get slapped.
CISPA would instate ridiculously wide-reaching protections regarding the sharing and use of information.
The fact that CISPA-related information exchanges are only reviewed for validity after the fact, instead of being carefully considered beforehand, is only part of the problem. CISPA also has very, very broad protections in place for anyone who shares anything relating to cybersecurity. First of all, CISPA sharing supersedes any and every other privacy law, federal and state, meaning anything that might be considered private otherwise is suddenly not when cybersecurity is involved.
Second, anyone who does or doesn’t do stuff with CISPA-shared data is protected from pretty much anything. Basically, anyone acting “in good faith” is exempt from both civil and federal suits regarding any information they’ve shared or regarding any actions they took — or failed to take — based on any cybersecurity information they may have received. So even if someone shares something they shouldn’t have, or over-reaches based on some juicy dish they got, they’re in the clear so long as it’s decided they were acting in good faith.
CISPA, in theory, isn’t concerned with individuals, but in practice could easily invade personal privacy.
For all the things that CISPA allows, there are a few it doesn’t and they are worth noting. CISPA does not allow the government to require anyone to give them information.
Of course, that isn’t to say that there can’t be any strong persuasion or technically-you-could-live-without-these-but-the-same-way-you-can-technically-live-without-a-head-for-like-5-seconds “benefits” to sharing. CISPA also does not allow “individuals” to be any part of all this. Entities are giving the information and the information concerns entities. As Techdirt points out, however, this information is going to contain tons of information about individuals, and CISPA provides no incentive to anonymize the data.
Considering the freewheeling “everything at the cost of cybersecurity” nature of CISPA, this personal information could easily be abused. Take, for instance, the classic example of cops who gain a warrant to search your home for a stolen piano and instead find drugs in your bedside drawer. Clearly they were not expecting to find the piano in there, so it’s not an admissible find.
If a company hands over records to the government regarding some kind of nebulous cybersecurity threat, there seems to be no such restriction in place. All the data is fair game for pretty much anything.
Essentially, like SOPA’s most egregious DNS takedown provisions encouraged haphazard site censorship and like DMCA’s safe harbor provision encourages content hosts to haphazardly remove content at the slightest cry of “wolf”, CISPA encourages the government and other private entities to haphazardly share potentially sensitive information without only cursory approval after the fact. When it comes to principle, CISPA is just the latest in a series of bills and laws that throw caution — and due process — to the wind, except in this case, the stakes are quite high. We’re talking information –all kinds of information — being shared all over the place, but we’re also talking national security (supporters will argue), which is a pretty effective appeal to fear, almost as effective as “but think of the children.”
CISPA has been out of committee since December 1, 2011, but has yet to be debated or brought to a vote. Basically, we’re in the same place we where when the SOPA ball really started rolling. That being said, the Internet at large should have a better feel of what’s at stake and what to do about it, after having experience with SOPA. Hopefully everyone’s had enough time to cool down. If you want to help kill CISPA, Demand Progress is collecting resources to help you do that. In the meantime we’ll keep a close eye on where things are headed.