By Timothy B. Lee | Ars Technica | Apr. 19, 2012
The controversy over the Cyber Intelligence Sharing and Protection Act intensified on Tuesday when a White House spokeswoman warned Congress not to pass "cybersecurity" legislation without "robust safeguards to preserve the privacy and civil liberties of our citizens." While the statement by National Security Council spokeswoman Caitlin Hayden did not mention CISPA specifically, there was little doubt which legislation she was talking about.
Hayden denounced "legislation that would sacrifice the privacy of our citizens in the name of security." This week, a broad coalition of civil liberties groups has been warning that CISPA would do just that. The legislation, which was introduced by Rep. Mike Rogers (R-MI) late last year, is slated for a House vote next week.
The critics have a point. CISPA is a solution in search of a problem. And it threatens to undermine important privacy protections.
"Notwithstanding" privacy rights
CISPA's defenders say the legislation will help the government and private companies to more effectively defend their networks by sharing information about impending security threats. If one company detects a malware outbreak or an attempt to hack into its corporate network, it can warn others about the threat. Similarly, if the NSA or CIA obtains intelligence suggesting that a foreign government is attempting to penetrate the network of a US company, it can tip the company off to the threat.
It's unclear why new legislation is needed to allow this kind of uncontroversial information sharing to occur. Network administrators and security researchers at private firms have shared threat information with one another for decades. And the law also allows information sharing between private firms and the government in many circumstances. For example, a private company is already free to notify the FBI if it detects an attempt to hack into its network.
Of course, some kinds of information sharing are regulated by law. For example, the 1986 Electronic Communications Privacy Act regulates when and how network providers can disclose the contents of their customers' electronic communications. There are numerous other laws on the books protecting privacy of consumers' health care records, financial information, educational records, video rentals, and more.
But rather than trying to identify which specific privacy laws hamper cyber-security efforts and reforming them, Rep. Rogers took the easy way out. His legislation provides that companies are authorized to share "cyber threat information" with other private companies or the government "notwithstanding any other provision of law." That appears to mean that if a company decides that your private emails, your browsing history, your health care records, or any other information would be helpful in dealing with a "cyber threat," the company can ignore laws that would otherwise limit its disclosure. The legislation also immunizes firms who share "cyber threat information" from customer lawsuits.
Earlier this week, the bill's sponsors circulated a revised version of the bill, but it suffers from most of the same problems that plagued the original version. The new version does feature a more precise definition of "cybersecurity," which focuses on unauthorized network access. But it doesn't provide any meaningful limits on what kinds of materials can be regarded as "cybersecurity"-related, nor does it provide for any judicial oversight to ensure the definition is adhered to.
The "notwithstanding" approach to cybersecurity is fundamentally flawed because it's almost impossible to predict which parts of US law might be effectively changed by the new law, or to prevent unintended consequences from unduly broad sharing. It would be far better for Congress to figure out which specific privacy laws (if any) prevent effective network security responses and explicitly reform those provisions.
The new SOPA?
Given the roaring success of the Internet's backlash against the Stop Online Piracy Act, CISPA opponents face an irresistible temptation to compare the two bills. Both bills represent attacks on the rights of Internet users, but the similarity largely ends there.
A better analogy is the 2008 FISA Amendments Act (FAA), which granted major telecommunications incumbents retroactive immunity for their participation in warrantless wiretapping and eliminated judicial oversight for a broad category of government surveillance. CISPA is likely to further erode the already weak legal restraints on government surveillance of Americans, and there's no meaningful judicial oversight of information shared under the "cyber threat" program.
Unlike the FAA, CISPA doesn't mandate any information sharing. Theoretically, private companies are free to refuse to share any new information with the government. But the government has a variety of carrots and sticks it can use to induce private firms to share information it wants. Many large companies receive government subsidies, and many also have business before executive branch agencies. So when a future administration asks a private firm to "voluntarily" hand over its customers' private data, it may not be in a position to say no. And even if the customer eventually found out about the disclosure, the legislation's broad grant of immunity would leave customers with no meaningful remedies.
The FAA eventually passed Congress after a year of intense partisan wrangling. January's SOPA defeat suggests that Internet freedom activists have become a lot better organized in the last four years. But they only have a few days to go before the House votes on CISPA.