CISPA, the Cyber Intelligence Sharing and Protection Act, is headed to the House floor for a vote this week. How worried should you be?
Whenever anyone wants to tamper with the Internet it is easy to get alarmed. “No,” one says. “Do not monkey with the Internet. It is where I keep all my stuff.”
The Internet, as everyone recognizes, is a delicate ecosystem. Tamper with one thing with the best of intentions, and you can have horrible over-spilling consequences. Get rid of the wolves that are devouring your sheep, and suddenly the landscape is overrun with feral deer. Reintroduce the rare speckled lizard of Cybersecurity Threat Information Sharing, and suddenly the indigenous Birds of User Confidence in Privacy start falling out of the sky. Well, not quite that metaphor, but you know what I mean. There’s always a precarious balance to be maintained between privacy and security, freedom and protection.
And the Internet has a tendency to do a credible impression of Chicken Little and shriek that the sky is falling any time anything relating to Internet regulation is proposed in Congress. This is an understandable response — much of what has been proposed thus far has been gosh-awful, from SOPA’s ham-fisted effort to stop piracy, which at the time I likened to watching drunk bears toss your baby back and forth over a pit of boiling lava, to PIPA. And the recollection of the time when Sen. Ted Stevens described the Internet as “a series of tubes” is still uncomfortably vivid.
But does CISPA deserve this treatment?
After all, cybersecurity is an area where people generally agree that improvements are necessary. Currently, the private sector and the government engage in a limited and timorous form of information sharing about certain kinds of threats, hampered by laws dating back to 1947 and without legal protection for those who share. Most people agree that it would not be a bad thing — would, indeed, be a good and necessary thing — to enable better sharing of information about online threats in real time. Much of what the bill does is to formalize and regulate the kind of sharing that already takes place.
But how to go about it while respecting user privacy, maintaining transparency and not accidentally creating a much broader authority for snooping into private data than intended?
And at what point do you say, “Well, this bill is good enough; something is better than nothing; we can fix it in post-production; tally ho and so forth?”
That is the question.
The administration doesn’t think CISPA is there yet. On Tuesday it issued a Statement of Administration Policy noting that “the Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill.” The administration worried that “the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable — and not granted immunity — for failing to safeguard personal information adequately,” and it stipulated that the bill should make certain that “newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency, the Department of Homeland Security” — not the NSA.
Some amendments were proposed during the Tuesday Rules Committee hearing on the bill that would have addressed many of the administration’s concerns — making sure the information went through the civilian DHS, requiring minimization of personally identifying information — but they did not make it out of committee.
The bill is certainly an improvement on the CISPA that showed up for a vote last year and met a veto threat. Google and other Internet companies who form the TechNet group have expressed support for the bill, although Facebook has reservations. (And as one of my friends noted, if Facebook is concerned that something has privacy problems, maybe you should be a little worried. That’s like Lindsay Lohan trying to throw you an intervention for your substance problem.) But it’s still not perfect, and some opponents complain that its efforts to point out its privacy improvements only highlight how vague it remains in critical areas.
Still, there’s a lot about the bill that is encouraging, and even the at times frustrating debate in the Rules Committee suggested that the people who are legislating on this important subject have come a little closer to actually understanding the Strings of Angry Ones And Zeroes that they are talking about.
The basic premise of CISPA is one that most people who care about the Internet think is important. Even the Electronic Freedom Foundation, which otherwise opposes the bill, thinks that the idea of information sharing about cyberthreats is a good idea. The bill provides liability protection for companies who share threat information in good faith — which would greatly increase their incentive to share data and help protect against ongoing attacks. But does it offer enough privacy protection to the individual user?
Rep. Jared Polis (D-Colo.) wondered during the Rules Committee discussion whether the inclusion of a provision that the federal government could use cyberthreat data “for the protection of individuals from the danger of death or serious bodily harm” would expose people who posted about football, skydiving, eating pizza, or gun shows to government scrutiny — all of these, after all, pose risks of personal bodily harm. The bill’s sponsors contended that this really wasn’t what the bill was aiming for at all, and that the threat information was mainly strings of malignant code, not flyers for gun shows (one example Polis suggested).
Right now the bill limits the federal government to the use of cybersecurity information as follows:
“The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)—(A) for cybersecurity purposes; (B) for the investigation and prosecution of cybersecurity crimes; (C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or (D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking.” Those all seem like terrible things, but not necessarily the first priority in a bill supposed to be targeting cyber-threats, which, as the bill’s sponsors kept repeating, are just malicious strings of “ones and zeroes.”
Protecting minors from exploitation and individuals from death are both good things. But do they really belong in a bill targeted against cyber-threats of a much different kind? This seems irrelevant to the kind of information sharing the bill is supposed to encourage and could create an unnecessarily broad surveillance authority.
Careless wording can create a broader authority than necessary, and with the Internet the last thing you want is careless wording that creates an unnecessarily broad authority to snoop into your data. It is possible to share a lot of information about threats without revealing personally identifying information, although in some cases this can be tough, like having closed-circuit video of a robbery and having to filter out all the other customers before passing it along to law enforcement.
But at a certain point it’s self-defeating to keep shooting down every bill about threat information sharing. People generally agree that such bills are necessary. Is an imperfect something worse than nothing at all? And what if the next one’s worse?
But is this one good enough?