Saturday, April 21, 2012

The Latest Online Privacy (Or Lack Thereof) Bill - CISPA

There hasn't been nearly as much to-do about the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA) as there was about the Stop Online Piracy Act (SOPA, of course), but concern about the bill is growing. I think that's a good thing - I have some serious concerns about it myself - but, as usual, there are a lot of people out there who have some pretty wild (and unsupported) ideas about what it would mean. Since this bill is going to the House for a vote on April 23rd, now is a good time to separate truth from fiction. I can't claim to give you a comprehensive explanation of everything the bill would do - the Center for Democracy and Technology gives a great overview - but here are some highlights.

CISPA would let the government share classified information with private companies, and it would let private companies share information with the government. BUT, it would not force companies to give the government information.
Basically, under this bill, the "intelligence community" would be allowed to share classified "cyber threat intelligence" or "cyber threat information" with "certified" private entities, but only those who have the required security clearance (and it would allow for an expedited process for giving out those clearances). Those private entities could then share "cyber threat intelligence" with the government or any other certified entity, and you couldn't sue them for it, so long as they do it "in good faith" (whatever that means). And, they couldn't be charged with a crime, either.

But, they also couldn't be sued or charged with a crime for not giving the government any of this information, which is interesting. The bill also makes it very clear that the government couldn't require companies to give up information in exchange for receiving classified info. This part of the bill, called the "anti-tasking" provision, would ensure that the government couldn't use companies as de facto government agents, searching warrantlessly to their hearts' content. At least, not officially. It's not much comfort, I admit.

The bill defines "cyber threat intelligence" and "cyber threat information" in ridiculously broad terms.
Predictably, the definitions are as vague as you'd imagine:
      (2) CYBER THREAT INFORMATION- The term `cyber threat information' means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--
      (A) efforts to degrade, disrupt, or destroy such system or network; or
      (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
      (3) CYBER THREAT INTELLIGENCE- The term `cyber threat intelligence' means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--
      (A) efforts to degrade, disrupt, or destroy such system or network; or
      (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

As a side note, I find the inclusion of  "intellectual property" in this definition to be ridiculous. What does that have to do with national security, again? Also, this law would preempt any state law on the subject, and it would supersede all other privacy laws (folks at home, that means if a privacy law would otherwise limit this kind of information-sharing, it wouldn't when this law applied).

There are limits on what companies could give the government -  sort of.

According to the bill, private entities couldn't share the information to gain a competitive advantage, and information:

     . . . shall only be shared in accordance with any restrictions placed on the sharing of such information by the [company] authorizing such sharing, including appropriate anonymization or minimization of such information.

I read this to say that the company wouldn't be allowed to violate your user agreement terms. But what I have to ask is: sure, the company wasn't supposed to violate your agreement, but if it did anyway, could you sue them for it? Under this bill - and after the way I've seen the Supreme Court treat privacy lately - I have to wonder.

There are very few limits on what the government can do with this information.
The bill says that the government couldn't use this information for a "regulatory purpose" (whatever that means), and it could only use the information if "at least one significant purpose of the use of such information" is a cyber security or national security purpose. We all know what a great limiting principle that is, of course. Also, the government couldn't "affirmatively search" this information for any non-security purpose. I'm not sure how that's supposed to make me feel better.
CISPA would not allow government surveillance of private communications, so it would probably not be a Fourth Amendment violation.
The big concern here is a Fourth Amendment one - that's unreasonable government search and seizure - but this bill wouldn't let the government search anything it couldn't search before. I hate to break it to you, but private companies could always give your information to the government. Now, you just can't sue them for it, and it's definitely not a crime. It's not a new idea: the government can't look in your house without a warrant based on probable cause, but it can sure take an anonymous tip about what you've got in there.

But the news isn't all bad...
CISPA is very different from SOPA: It says nothing about shutting down or blocking access to websites whatsoever.
Let's not go too far in freaking out about this. As this US News article points out, this bill doesn't raise the kind of First Amendment problem SOPA would've caused. I think the Electronic Frontier Foundation's claim that "[a]n ISP could even interpret this bill as allowing them to block accounts believed to be infringing, block access to websites like The Pirate Bay believed to carry infringing content, or take other measures provided they claimed it was motivated by cybersecurity concerns" is unfounded. This particular bill is about sharing information, not restricting information, period.
So, to sum up, yes, this bill creates very serious privacy concerns, especially if companies could get away with violating user agreements (and maybe they couldn't - it's hard to say). But it wouldn't give the government broad, insane enforcement powers like SOPA would've. So go ahead and worry, but, as always, don't panic yet.