So long SOPA and PIPA, hello Cyber Intelligence Sharing and Protection Act (CISPA), a bill proposed last November to give the government new powers to secure networks and thwart copyright violators. It’s finally up for a vote later this month, sparking protests all this week in what’s looking like another informational ramp-up to leverage the court of public opinion against the bill’s passage. Debate on SOPA, a bill that sought to give the government broad powers in combatting online piracy, was postponed indefinitely after users and companies including Google, Wikipedia and Reddit gathered signatures for anti-SOPA petitions or staged actual service blackouts in mid-January.
Next up: CISPA, a bill that would essentially nullify current privacy laws and set companies up to share data about users with the government without the need for court orders. CISPA would amend the National Security Act of 1947 — responsible for merging the Department of Navy and War, splitting the Air Force from the Army and creating both the Central Intelligence Agency (CIA) and National Security Council (NSC) — by adding provisions that would apply to cybercrime. It aims “[to] provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities,” as well as “other purposes.”
What qualifies as a “cyber threat” according to the latest draft of the bill?
…information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from (A) efforts to degrade, disrupt, or destroy such system or network; or (B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information.
What’s more, the bill would require the Director of National Intelligence both to design procedures that facilitate information sharing between the private and government sectors and to “encourage the sharing of such intelligence.”
Before I get into CISPA’s overt problems, it’s worth stating that I think we’re all — proponents and opponents of CISPA — in favor of intelligent, reasonable and appropriate measures when it comes to grappling with cybersecurity. No one wants to live in a world where companies or government agencies are routinely sabotaged and the Internet critically disrupted. But getting this stuff right off the block is crucial. As Ben Franklin once said, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”
CISPA does away with important information-sharing barriers between the government, military and private sector. According to the Center for Democracy & Technology, CISPA threatens privacy because it “has a very broad, almost unlimited definition of the information that can be shared with government agencies and it supersedes all other privacy laws,” “is likely to lead to expansion of the government’s role in the monitoring of private communications” and “is likely to shift control of government cybersecurity efforts from civilian agencies to the military.”
The restrictions on what can be collected and how that information can be used are vague. Because the usage restrictions are so loosely defined, your information could be used for purposes other than, or only indirectly related to, cybersecurity. The Electronic Frontier Foundation says “a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop ‘cybersecurity’ threats.”
If a company violates your privacy, you have to go to the moon to hold them liable. In the latest draft of the bill, to find a company guilty of “willful misconduct,” you have to show that it engaged in an “act or omission” that was made:
(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification;
(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.
In addition to proving that a company “intentionally” and “knowingly” did wrong, then, you have to somehow show that the company knew the risks outweighed the benefits. How a company’s supposed to determine this, to say nothing of how you’re supposed to prove it, is anyone’s guess.
The bill’s definition of “cybersecurity purpose” is too broad and vague. The EFF argues the bill’s current rationale for cybersecurity information gathering “is so broad that it leaves the door open to censor any speech that a company believes would ‘degrade the network’.” An extreme example: Company X decides its network performance issues are security-related, grabs beaucoup information about its users, then uses that data to surveil and/or study users’ habits (think of the side benefits), or alternatively to censor a website (an obvious example here would be Wikileaks).
There may be a better, wiser, narrower bill in the offing. Of all the bills on the table, the only one groups like the CDT support is the PRECISE Act, which would “establish a non-profit, quasi-governmental National Information Sharing Organization [NISO] to serve as a national clearinghouse for the voluntary exchange of ‘cybersecurity threat information,’ taking in reports, and sharing them back out, among the federal government, state and local governments, and industry.” According to the CDT, NISO
…is likely to be more effective at quickly responding to cybersecurity threats – and would pose fewer civil liberties risks – than would a government-run information sharing hub. While the NISO board of directors would have governmental representatives and representatives of privacy interests, it would be dominated by industry.