The Cyber Intelligence Sharing and Protection Act, or CISPA, recently passed through the House of Representatives and is on its way to the Senate. The bill is supposed to help companies and government work together to help fight cyber attacks. However, it poses some real threats to Americans’ Fourth Amendment privacy protections. As Steven Titch recently wrote in the Federal Government section of Reason’s Annual Privatization Report 2013:
While most analysts agree that the U.S. needs to do more to defend its assets from potential cyberattack, policymakers are divided over how best to do this.
The main arguments against the bill are that CISPA makes it much easier for government agencies to put politically disfavored people in prison, government’s shoddy secret keeping may mean CISPA actually makes data less secure and that data suggests that U.S. businesses would rather see the private sector develop cybersecurity solutions.
While the bill has many similarities to last year’s widely reviled SOPA, CISPA enjoys far more corporate support, which has led to a much more muted response online. Anonymous called for an Internet blackout but giants like AT&T, Comcast, Verizon and tech policy group TechNet, whose members include Facebook and Google, all support CISPA. You can see a full list of CISPA supporters here.
One major reason companies support CISPA is that it actually protects them from being sued if or when they break their Terms of Service in order to give government agencies like the National Security Administration their users’ private data, as long as the government claims it’s for cyber security. Even with this handout to tech companies, over 300 websites participated in a blackout Monday. the largest of which was Reddit.
A big problem many people have with CISPA is that it, as Mediaite put it, “effectively creates a ‘cybersecurity’ loophole in all existing privacy laws.” This is done mainly in two ways. First, it expands allowable warrantless government surveillance. Under CISPA, government agencies can collect information on users of sites like Facebook and Twitter, even when that information is supposed to be private under existing Terms of Service. All this can be done without warrants and without warning. Second, and as previously mentioned, it immunizes those companies against lawsuits for violating their Terms of Service.
How much data would CISPA give the government has access to without a warrant?
TechCrunch is reporting that Facebook has plans to build a billion-dollar data center that will cover “1.4 million square feet and serve as what the company says will be ‘the most advanced data center in the world.’” Combine the fact that the average American commits three felonies a day due to vague and broad regulations with the once-unimaginable amounts of data law enforcement can now troll through and CISPA makes it extremely easy for law enforcement to find reasons to imprison unfavored but harmless citizens. Simply put, CISPA makes it much easier for government officials to find reasons to put people it doesn’t like in prison.
Not only does CISPA threaten citizens’ safety from unreasonable searches and seizures, but it may not even keep citizens’ data safe from attackers. As Reason’s Titch wrote:
In August 2012, the U.S. Government Accountability Office (GAO) reported that federal data breaches involving unauthorized disclosures of personally identifiable information increased by 19 percent, or about 13,000 to 15,500, from 2010 to 2011. As if to punctuate the GAO findings, that same month, the Environmental Protection Agency separately disclosed that a security breach exposed social security numbers, banking information and home addresses of some 8,000 people.
Whether due to concerns about effectiveness or privacy, research data suggests that U.S. businesses would rather see the private sector develop cybersecurity protocols and policies for the government, rather than the other way around. Titch again:
Information security professionals say private sector security protocols, honed bottom-up through multi-lateral, multi-stakeholder processes, are far better at securing data than over-reliance on technology and government-driven directives.
Bit9, a security market research firm, released its 2012 Cyber Security Survey of 1,861 IT professionals (1,533 in the U.S.) across a wide range of industries, including government, which found 58 percent of respondents said implementing best practices and better security policies would have the biggest impact on improving the state of cybersecurity. By contrast, only 7 percent said government regulation and law enforcement and 15 percent said better technology.
The Electronic Frontier Foundation has been a vocal critic of CISPA. On warrantless wiretapping, they wrote:
Early in his first presidential campaign, then-Senator Obama was a leading critic of giving telecom companies like AT&T immunity for breaking the law to assist in the government in warrantless wiretapping.
President Obama promised to veto CISPA. This is a move to be applauded as CISPA circumvents Fourth Amendment privacy protections, won’t even guarantee citizens’ data will be kept safe from attackers and is unnecessary as private companies are already hard at work and working together to develop way to keep their valuable data secure.