If passed, the Cyber Information Sharing & Protection Act (CISPA) would facilitate the flow of internet traffic data between web-based companies and the federal government without regard for otherwise existing privacy legislation in the name of security against cyber-attacks. In other words, CISPA would supersede longstanding federal and state privacy laws protecting information of a content ranging from medical records to wiretaps in the name of security against cyber threats. The legislation would not impose a legal obligation upon companies to pass this information to the government, and many would refrain from doing so; the legislation has, however, garnered enthusiastic support from titans of internet technology including Facebook and Microsoft. Indeed, it is in the best interest of these corporations to do so, as the bill’s policies would empower the National Security Agency (NSA) to serve as a nucleus for the policing of activity potentially threatening their own interests. This agency’s already intimate relationship with the computer and telecommunications industries will motivate those companies to share information in order to maintain their relationship. Additionally, CISPA would offer “good faith” immunity to companies that identify and report cyber issues to the federal government.
At the heart of the controversy surrounding CISPA is the difficulty of reconciling the fundamental right to privacy owed to the individual with the clear need to guard against cyber-attacks. The necessity of protecting both of these objectives is evident. Today, one of the most lethal means of assailing the infrastructure of a government or a business is by striking or stealing its massive repository of online data or functionality. At the same time, establishing security against such an assault cannot be seen as grounds licensing the federal government to gain indiscriminate access to Americans’ internet activity. We feel that in its current form, the CISPA legislation maintains broad and poorly defined criteria for the proposed exchange of information between technology companies and the government that could lend themselves to an undue acquisition of personal data—data not immediately relevant and critical to cyber-security—of individual users of the internet. At the same time, because they have the ability to report or withhold information as it suits them, the corporations participating in this exchange are given an arguably inappropriate role in a partnership that becomes a nucleus of policing the digital world.
Parts of CISPA have value in hindering other countries’ ability to steal intellectual property from companies such as defense contractors. With computer hacking techniques constantly becoming more advanced and lethal, there is certainly a need for protection. Currently, companies can only divulge a limited amount of information in the case of a cyber-attack. CISPA’s enactment would remove the restrictions on the amount of personal information that can be shared. It is our concern, however, that the enhanced security against cyber threats CISPA would provide does not justify the loss of privacy that legislation of this nature would incur.
Here’s why: The clause of CISPA stating that, “notwithstanding any other provision of law,” technology companies may share information “with any other entity, including the federal government” is essentially a carte blanche provision for the transmission of personal information not only from such a company to the government, but in fact among the government and such companies in general, in the name of protection against cyber threats. This would, for example, allow a company to violate its own terms and conditions of service with impunity if a case can be made that a piece of shared information was relevant to cybersecurity.
Once a piece of information is divulged to the government, the bill allows for its use in the following ways:
“(1) LIMITATION.—The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)—
(A) for cybersecurity purposes;
(B) for the investigation and prosecution of cybersecurity crimes;
(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or
(E) to protect the national security of the United States.”
The words above are not a truncated or summarized version of the bill—they are directly from the bill itself, in its most recent draft passed by the House to the Senate. Not exactly brimming with specificity, right? As most will notice, clauses (A), (B), and (C) are remarkably broad, and thereby permit the federal government to utilize personal data acquired by this collaborative effort for troublingly general purposes.
Because a bill with the essential objective of CISPA—that of ensuring cybersecurity—will indeed be necessary in the near future, we hope that the legislation will be dramatically restructured rather than simply abandoned altogether. At the most basic level, we can offer two suggestions for making the piece of legislation more acceptable to Americans concerned with protecting the privacy of the individual. First, give us concrete and detailed criteria for what types of information constitute threats to cybersecurity and the national security of the United States and therefore qualify for divulgence to the federal government and for sharing among technology companies. For example, give us comprehensive standards for information relevant to crimes such as identity theft, theft of personal financial information such as credit card numbers, data suggesting the funding of terrorism, etc.
Secondly, include as part of the legislation a mandate for the establishment of something along the lines of a “Digital Information Sharing Oversight Committee” that serves as a buffer between the entities sharing the information and the government agencies that would acquire it. This committee should be charged with evaluating each and every piece of information proposed for transmission to the government, to ensure that it is relevant to the specific criteria referenced in our first suggestion above and to guarantee that it does indeed reveal so significant a threat to cybersecurity or to national security that a breach of privacy is warranted. Of course, because the individuals on this committee would constantly be exposed to highly personal, private information, they would be expected to take an oath of confidentiality and to maintain the utmost probity in protecting the information with which they are presented. When these measures are taken, we might have a feasible piece of legislation on our hands.