Saturday, April 28, 2012

Ten Things To Know About CISPA

The Cyber Intelligence Sharing and Protection Act, known as CISPA, passed the House of Representatives by a vote of 248-168 and now goes to the Senate. The ostensible goal of the legislation is "to help companies beef up their defenses against hackers who steal business secrets, rob customers' financial information and wreak havoc on computer systems." It does this by making it easier for the government and private industry to share information about cyber threats.

But it raises legitimate civil liberty concerns. The ACLU warns that the bill is "dangerously overbroad." Reporters Without Borders notes that "the bill would negate existing privacy laws and allow companies to share user data with the government without a court order."

ThinkProgress tells us what we need to know:
CISPA’s broad language will likely give the government access to anyone’s personal information with few privacy protections: CISPA allows the government access to any “information pertaining directly to a vulnerability of, or threat to, a system or network of a government or private entity.” There is little indication of what this information could include, and what it means to be ‘pertinent’ to cyber security. Without boundaries, any internet user’s personal, private information would likely be fair game for the government.
  
It supersedes all other provisions of the law protecting privacy: As the bill is currently written, CISPA would apply “notwithstanding any other provision of law.” In other words, privacy restrictions currently in place would not apply to CISPA. As a result, companies could disclose more personal information about users than necessary. Ars Technica writes, “if a company decides that your private emails, your browsing history, your health care records, or any other information would be helpful in dealing with a ‘cyber threat,’ the company can ignore laws that would otherwise limit its disclosure.” 

The bill completely exempts itself from the Freedom of Information Act: Citizens and journalists have access to most things the government does via the Freedom of Information Act (FOIA), a key tool for increasing transparency. However, CISPA completely exempts itself from FOIA requests. The Sunlight Foundation blasted CISPA for “entirely” dismissing FOIA’s “fundamental safeguard for public oversight of government’s activities.” 

CISPA gives companies blanket immunity from future lawsuits: One of the most egregious aspects of CISPA is that it gives blanket legal immunity to any company that shares its customers’ private information. In other words, if Microsoft were to share your browsing history with the government despite your posing no security threat, you would be barred from filing a lawsuit against them. Without any legal recourse for citizens to take against corporate bad behavior, companies will be far more inclined to share private information. 

Recent revisions don’t go nearly far enough: In an attempt to specify how the government can use the information they collect, the House passed an amendment saying the data can only be used for: “1) cybersecurity; 2) investigation and prosecution of cybersecurity crimes; 3) protection of individuals from the danger of death or physical injury; 4) protection of minors from physical or psychological harm; and 5) protection of the national security of the United States.” This new version still “suffers from most of the same problems that plagued the original version,” writes Timothy Lee. Because terms like “cybersecurity” are so vague, the bill’s language could encompass almost anything. 


Citizens have to trust that companies like Facebook won’t share your personal information: CISPA does not force companies to share private user information with the government. That being said, Ars Technica makes the point that “the government has a variety of carrots and sticks it can use to induce private firms to share information it wants.” For instance, many companies receive federal contracts or subsidies and would be hesitant to deny any request from the government that might jeopardize future business. Companies may not be legally required to turn over information, but they “may not be in a position to say no.”

Companies can already inform the government and each other about incoming cybersecurity threats: While proponents of CISPA claim it’s needed to allow agencies and companies to share information about incoming cybersecurity threats, opponents of the bill point out that “network administrators and security researchers at private firms have shared threat information with one another for decades.” 

The internet is fighting back: The same online activists who fought hard against SOPA are now engaged in the battle over CISPA. Over 770,000 people have signed a petition by the online organizing group Avaaz that asks Congress to defeat the bill. Reddit, the news-sharing internet community that helped lead the fight against SOPA, is organizing again around CISPA. 

Most Republicans support CISPA, while most Democrats oppose it: The House passed CISPA on April 26 on a mostly-party-line vote, 248-168. Among congressmen that voted, 88 percent of Republicans supported the bill while 77 percent of Democrats opposed it. 

President Obama threatened to veto it: Recognizing the threat to civil liberties that CISPA poses, President Obama announced this week that he “strongly opposes” the bill and has threatened to veto if it comes to his desk. Obama singled out the provisions that allow for blanket legal immunity and do not do enough to safeguard citizens’ private information.
