It’s only been a couple of months since SOPA and PIPA were successfully beaten back by the proponents of free speech. At the time, I remarked that it was unlikely that this would be the last assault on internet freedoms. However, I didn’t think the next attack would occur so quickly.
The Cyber Intelligence Sharing and Protection Act (CISPA) is scheduled for a vote this Friday in the House of Representatives. The original intent of the bill is to encourage the federal government and American businesses to share information in order to protect their computer networks from internet attacks. Currently, most businesses don’t share security information with third parties for fear of violating privacy or antitrust laws.
Opposition to the bill originates from the overly broad language that may infringe on privacy rights and the expansive definition of cybersecurity threat information.
A company acting for cybersecurity purposes would be able to bypass all existing statutory safeguards and communicate threat information to the government with no judicial oversight. The company would be immune from both civil and criminal liability for any action, including violating a user’s privacy, just so long as they did not knowingly and intentionally violate your privacy.
CISPA has such an expansive definition of cybersecurity threat information that many ordinary activities could qualify. Basic privacy practices—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a threat. The bill’s definitions implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.
Some of the more specific concerns of CISPA were posted by Congresswoman Zoe Lofgren this week. (Rep. Lofgren’s district includes the heart of Silicon Valley.)
- CISPA allows any private company to share sensitive, private data about its customers with the government. CISPA would override all other federal and state privacy laws, and allow a private company to share nearly anything, as long as it directly pertains to a cyber threat, which is broadly defined.
- CISPA does not require that data shared with the government be stripped of unnecessary personally-identifiable information.
- CISPA would allow the government to use collected private information for reasons other than cybersecurity.
- CISPA would give Internet Service Providers free rein to monitor the private communications and activities of users on their networks. ISPs would have latitude to do anything that can be construed as part of a cybersecurity system, regardless of any other privacy or telecommunications law.
- CISPA would empower the military and NSA to collect information about domestic internet users. CISPA contains no limit to direct private information from domestic sources to civilian agencies, such as the Department of Homeland Security. The Department of Defense and NSA could solicit and receive information directly from American companies about users and systems within the United States.
- CISPA places too much faith in private companies to safeguard their most sensitive customer data from government intrusion. While information sharing is voluntary under CISPA, the government has a variety of ways to pressure private companies. With complete legal immunity, private companies have few incentives to resist such pressure. Also, the bill contains no requirements to ever tell their customers what they have shared, either before or after the fact.
I encourage everyone to contact your representative and voice your opposition to CISPA! Dr. Paul Broun-GA (broun.house.gov), John Barrow-GA (barrow.house.gov), Joe Wilson-SC (joewilson.house.gov), or Jeff Duncan-SC (jeffduncan.house.gov). Personal liberty still exists online, but we are going to have to fight to keep it. Until next time, I’ll see you on the internet. @gregory_a_baker