CISPA v3 is back!
We had believed, along with a number of others, that the Snowden leaks showing how the NSA was spying on pretty much everyone would likely kill CISPA dead. After all, the key component of CISPA was basically a method for encouraging companies to share information with the NSA by giving them total immunity for doing so. And while CISPA supporters pretended this was to help protect those companies and others from online attacks, the Snowden leaks have reinforced the idea (that many of us had been pointing out from the beginning) that it was really about making it easier for the NSA to rope in companies to help them spy on people.
Also, if you don’t remember, while CISPA had passed the House, the Senate had shown little appetite for it. Last year, the Senate had approved a very different cybersecurity bill, and had expressed very little interest in taking up that fight again this year. Except now, in an unexpected move, the Senate Intelligence Committee boss, and chief NSA defender because of reasons that are top secret, has announced that she’s been writing a Senate counterpart to CISPA and is prepared to “move it forward.”
CISPA does not require that data shared with the government be stripped of unnecessary personally-identifiable information. A private company may choose to anonymize the data it shares with the government. However, there is no requirement that it does so even when personally-identifiable information is unnecessary for cybersecurity measures. For example, emails could be shared with the full names of their authors and recipients. A company could decide to leave the names of its customers in the data it shares with the government merely because it does not want to incur the expense of deleting them. This is contrary to the recommendations of the House Republican Cybersecurity Task Force and other bills to authorize information sharing, which require companies to make a reasonable effort to minimize the sharing of personally-identifiable information.
CISPA would allow the government to use collected private information for reasons other than cybersecurity. The government could use any information it receives for “any lawful purpose” besides “regulatory purposes,” so long as the same use can also be justified by cybersecurity or the protection of national security. This would provide no meaningful limit: a government official could easily create a connection to “national security” to justify nearly any type of investigation.
CISPA would give Internet Service Providers free rein to monitor the private communications and activities of users on their networks. ISPs would have wide latitude to do anything that can be construed as part of a “cybersecurity system,” regardless of any other privacy or telecommunications law.
CISPA would empower the military and the National Security Agency (NSA) to collect information about domestic Internet users. Other information sharing bills would direct private information from domestic sources to civilian agencies, such as the Department of Homeland Security. CISPA contains no such limitation. Instead, the Department of Defense and the NSA could solicit and receive information directly from American companies, about users and systems inside the United States.
CISPA places too much faith in private companies to safeguard their most sensitive customer data from government intrusion. While information sharing would be voluntary under CISPA, the government has a variety of ways to pressure private companies to share large volumes of customer information. With complete legal immunity, private companies have few clear incentives to resist such pressure. There is also no requirement that companies ever tell their customers what they have shared with the government, either before or after the fact. As informed consumers, Americans expect technology companies to have clear privacy policies, telling us exactly how and when the company will use and share our personal data, so that we can make informed choices about which companies have earned our trust and deserve our business.
CISPA BIG Supporters
- AT&T: Interprets the bill as promoting “private sector innovation, and protects fundamental American values.”
- Facebook: Supports enhancing “the ability of companies like Facebook to address cyber threats” and feels the bill would not make the company share any more of its own data than is currently required.
- Comcast: “Preventing, detecting, deterring, and responding to cybersecurity threats are therefore fundamental requirements for our continued business success,” David L. Cohen, the company’s executive vice president, wrote on February 13.
- IBM: CISPA “would greatly improve the government and private sector’s ability to mitigate cyber threats by enabling better information sharing,” Christopher Padilla, vice president, IBM Governmental Programs, wrote on February 13.
- Intel: Combating online threats requires “cooperative efforts of government and NGO stakeholders working together to improve cybersecurity in a way that promotes innovation and protects citizens’ privacy and civil liberties,” said Peter M. Cleveland, the company’s director of global policy.
- Time Warner Cable: The telecom giant supports the bill because it wants to protect its 15 million plus customers and feels CISPA enables a “shared responsibility born in partnership by the public and private sectors.”
- Verizon: Echoing other support sentiments, the company is pushing for the bill to bridge the private-public sectors and be able to share data to “secure private networks” and protect customers.
- Oracle: Supported last year’s version of the bill, stating that CISPA would remove the legal obstacles inherent in sharing data with the government.
- Symantec: Defending information sharing, the company wrote in 2012 that this tactic is “not an end goal, but rather a situational tool to provide awareness.”
- Microsoft: Previously vocal in its support that the bill would “eliminate barriers and disincentives that currently prevent effective information sharing to guard against cyber attacks.” Since then, Microsoft has clarified its position to say that it would move to “ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy.”
- Google: The Mountain View company tried to steer away from taking a public stand, but last year, lawmakers in Washington alluded to having Google’s support.
Other notable supporters include the U.S. Chamber of Commerce, USTelecom, the Broadband Association, Edison Electric Institute, Financial Joint Trades, Financial Services Roundtable, Internet Security Alliance, Juniper Networks, National Cable & Telecommunications Association and TechAmerica.
Freely CISPA Opponents
- American Civil Liberties Union: “The bill would create a loophole in all existing privacy laws, allowing companies to share Internet users’ data with the National Security Agency, part of the Department of Defense, and the biggest spy agency in the world—without any legal oversight,” the ACLU warned in 2012.
- Electronic Frontier Foundation: When CISPA was reintroduced in February 2013, the EFF joined the ACLU and Fight for the Future in combat. The Internet advocacy group is vehemently against the bill for a slew of reasons, including that it gives companies the right to monitor users and share that data with the government without a warrant. Transparency and accountability are also undefined by the bill, which creates a “broad immunity from legal liability for monitoring, acquiring, or sharing” communication and overriding “privacy laws like the Wiretap Act and the Stored Communications Act.”
- Center For Democracy And Technology: The Center’s serious concerns include an “unlimited definition of the information that can be shared with government agencies notwithstanding privacy and other laws,” which the CDT says will likely “shift control of government cybersecurity efforts from civilian agencies to the military.”
- Cato Institute: The public policy institute raises issues of hype and misinformation related to cybercrime causing a skewed perception of the problem. “Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias.”
- Fight For The Future: The non-profit has set up a site to inform and protest the bill, calling CISPA “the end of meaningful privacy for anyone with personal data on U.S. based services.”
- Free Press: The media reform group acknowledges the need for protection, but warns: “CISPA could lead all too easily to governmental and corporate violations of our privacy and attacks on our right to speak freely via the Internet.”
- Mozilla: In a 2012 interview with Forbes, Mozilla’s privacy and public policy office called the language of the bill broad and alarming and said it “infringes against our privacy.”
- Cheezburger Inc.: Chief Executive Ben Huh told ProPublica in 2012 that CISPA is “SOPA’s cousin who works for the CIA.”
- Reddit: Although previously undecided, on Friday at SXSW, Reddit founder Alexis Ohanian called his local congressman to protest CISPA. He says he won’t invest in Facebook because of the company’s support.
- The White House: Last year, the President voiced his strong opposition to the bill, saying it failed to bridge the gap between privacy concerns and limiting sharing of personal information. “Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately. The government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti-competitive purposes.” However, with Obama’s new cybersecurity mandate and renewed talks and pressure from the House Intelligence Committee, that position could change.
Other individuals and organizations opposed to CISPA include Tim Berners-Lee, Bruce Schneier, Ron Paul, Demand Progress, Entertainment Consumers Association, Free Market Coalition, Reporters Without Borders, POPVOX, Access Now, Sunlight Foundation and the American Library Association.
One major online player still missing in action stance-wise is Twitter. While the microblogging platform is a hotbed of activism and campaigns for both sides, the company itself has not taken a public stand.
Right now what the public is concerned about are not “cyberattacks” from foreigners — they’re concerned about our own government undermining the security and privacy of Americans themselves. Giving those responsible for that destruction of privacy and trust more power to abuse the privacy of Americans is not what people are looking for. Quite the opposite.