This year witnessed SOPA/PIPA, and now we have CISPA, which stands for The Cyber Intelligence Sharing and Protection Act. The issue of privacy and information gathering online is a hot topic, not only for privacy activists, but also for governments and corporations. The government feels it does not have enough access to online information to maintain national security. Corporations worry about the liability of policing the Internet and limits on their ability to grow and profit. And citizens are split between being terrified that their privacy will be destroyed irreparably and not caring one way or the other.
The apparent worries on all sides of the issue make it clear that there is an obvious need for some kind of bill. I won’t argue whether or not CISPA is good or bad. The arguments on both sides are fairly solid. Let’s be clear that CISPA is not the new SOPA. Here is why.
What is CISPA?
CISPA stands for The Cyber Intelligence Sharing and Protection Act, written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD). The main objective of the bill is to facilitate the sharing of information between companies and the federal government in order to prevent cyber attacks. The Electronic Frontier Foundation (EFF) suggests that the bill is written too broadly, allows the monitoring of citizens’ private communication, and allows companies “to hand over large swaths of personal information to the government with no judicial oversight,” which would undermine all existing privacy laws.
CISPA vs. SOPA
The issues that the EFF and other privacy advocates have with CISPA are similar to those they had with SOPA: breach of privacy, allocation of authority, lack of oversight, vague language allowing abuse, etc. However, the campaign against CISPA will be very different from the one against SOPA and is less likely to succeed. The biggest reason for this is that the major companies who acted against SOPA are actually for CISPA.
There are very good reasons for this in fact. A major concern for companies—and while not pertinent to this bill, the worry is also shared by institutions like colleges and universities—is liability. In order to avoid the risk of lawsuits, companies and institutions must spend large amounts of money on monitoring social media activity within their networks. SOPA put the responsibility of policing the Internet and monitoring ‘dangerous’ activity in the hands of the companies. For example, this meant that if Facebook failed to recognize a threat they would be at fault.
CISPA not only eliminates this duty from companies’ purview but also removes all culpability from them should a situation occur. This is fantastic news for these companies and they are unlikely to risk jeopardizing it.
What does CISPA mean for online privacy?
It’s difficult to say what the risk is if CISPA were to pass. The EFF argues that the bill’s text is too vague. However, after reading it, the bill seems pretty explicit. Mark Burnett, a security consultant with xato.net, argues that perhaps the language in CISPA isn’t as bad as the EFF and other privacy advocates think. He directly addresses several claims made by the EFF.
The EFF states that CISPA will give “companies a free pass to monitor and collect communications, including huge amounts of personal data like your text messages and emails, and share that data with the government and anyone else.” The bill expressly states that for cyber security purposes, an organization may “identify and obtain information about threats to their own rights and property,” writes Burnett.
(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes–
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government. (HR 3523 RH)
Burnett continues by addressing the EFF’s fear that the term “cybersecurity threats” is too vaguely defined. “Worst of all,” the EFF continues in their statement, “the stated definition of ‘cybersecurity’ is so broad, it leaves the door open to censor any speech that a company believes would ‘degrade the network.’” Burnett argues that in fact the bill defines it clearly.
(4) CYBERSECURITY PURPOSE- The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from–
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. (HR 3523 RH)
This definition of what a ‘cybersecurity purpose’ is seems pretty explicit and not nearly as open to loopholes as the EFF worries. Burnett argues, and I agree, that it would be a big leap for a company to claim that speech would ‘degrade the network.’ Burnett addresses other issues brought up by the EFF regarding intellectual property, monitoring and censoring, and civil and criminal immunity.
It comes down to an issue of balancing consumer privacy, commercial rights and national security. Communication in both the US and the world is increasingly online, which has led to an increased risk of cyber attacks. According to Representative Greg Walden (R-OR), in his article “Rethinking Communications Law in a Converged, 21st Century Marketplace” in CommLaw Conspectus, the commercial industry has taken steps to protect the nation’s networks, and any legislation in this area should “seek to capitalize on commercial sector expertise and existing cybersecurity organizations and infrastructure.” Walden puts forward several key questions that need to be asked when considering bills like CISPA: “what has been the role of federal agencies in securing cyberspace? In what ways can federal agencies better partner with private enterprise to improve the cybersecurity defenses of our communications networks?”
He also addresses the issue of privacy. Most US privacy laws were written when electronic communications were still coming into existence. “As consumers are using increasingly diverse means to communicate, the divergent protections for consumer privacy have become more and more apparent,” he writes. Walden accurately addresses the problem that American consumer privacy laws are inadequate in a converging market and that the privacy protections in place are dependent on many variables like the means used to communicate, the carrier, the device, the application on the device and so on. However, he fails to address the issue of privacy protections from the government.
This whole issue falls into a vast gray area. There is not a baseline for legislators, companies, or citizens to build from. In February the White House unveiled a plan for an online privacy bill of rights.
The Consumer Privacy Bill of Rights provides a baseline of clear protections for consumers and greater certainty for businesses. The rights are:
- Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
– Office of the Press Secretary
In order to focus the discussion that has led to the proposition of bills like SOPA and CISPA, a standard needs to be established that protects citizen privacy rights and brings policy into the digital age. The plan for a privacy bill of rights would accomplish this, rooting the discussion about government acquisition of information and authority in the digital realm in American law.
20 CommLaw Conspectus i. (2011–2012): 5300 words. Web. Date Accessed: 2012/04/20.