CISPA’s sweeping, vague language creates exemptions to all privacy laws, and would immunize corporations that choose to monitor domestic communications and share Americans’ data freely with federal agencies without securing individual consent. Authorization and immunity such as this raises the specter of companies acting as “agents” of the government, effectively monitoring U.S. Internet networks for cyber threats and blocking traffic on its behalf.
CISPA’s sponsors claim the data collected and shared under the proposed statute is only intended to be the digital signatures of suspected cyber attack code, or malware. However, if one actually reads CISPA’s definition of “cyber threat information,” it’s clear the data that would be legally authorized to be collected and shared with the government would be much broader than just malware signatures, including the content of Americans’ online communications as well as their personally identifiable information (PII).
Furthermore, the vast automated data collection and sharing regime CISPA seeks to facilitate would inevitably produce myriad false positives. The bill would likely result in thousands, potentially millions, of instances of Americans’ personal information being shared with the federal government, including military, intelligence and law enforcement agencies.
In contrast, the cyber information sharing provision introduced last year in the Senate by Sen. Dianne Feinstein (D-Calif.) included more nuanced definitions to help ensure the content of Americans’ communications would not be collected or shared under the statute. As added protections, the Feinstein information-sharing framework included a requirement for companies to make reasonable efforts to strip PII from data before sharing it, and limited the sharing of data to civilian agencies.
CISPA includes no such provisions even though corporate cybersecurity experts testified to the House Intelligence committee in February that companies could implement PII minimization procedures without imposing unreasonable burdens or impractical costs. Additionally, senior military, intelligence and law enforcement officials have repeatedly stated they believe the Department of Homeland Security should be the initial point of receipt for information.
Improving information sharing about cyber threats is a necessary step to bolster the nation’s cybersecurity, but certainly not the panacea that CISPA’s supporters portray it to be. CISPA does nothing to directly address the most concerning cyber national security issue: the nation's critical infrastructure vulnerabilities. Improvements to the nation's critical infrastructure cybersecurity would have to come from the trickle-down effects of additional information sharing. Since a great deal of information about cyber threats is already being shared, including classified threat information between federal agencies and the private sector, the notion that trickle-down cybersecurity will address our most pressing cyber national security concern is severely flawed. Unfortunately, information sharing will not magically plug the holes in the nation's critical infrastructure defenses.
Information sharing legislation should be part of a comprehensive effort to protect Americans and our economy from cyber risks, including measures to specifically address vulnerabilities in the nation’s critical infrastructure.
Most importantly, any legislation must include robust privacy and civil liberties protections so Americans feel secure that their online freedom and privacy remain protected. CISPA is fundamentally flawed in that regard.
The Feinstein information sharing provision won the endorsement of key privacy and civil liberties groups last year. Conversely, the same groups strongly oppose CISPA. Members of the House should scrap CISPA and start over using the Senate template with its nuanced definitions and robust privacy safeguards, or should radically overhaul CISPA to include the Senate bill’s definitions and safeguards. The Senate bill is evidence that Congress can strengthen both online privacy and security.
Americans have strong beliefs about the role of the federal government and their Constitutional rights. No one would support legal immunity for corporations to eavesdrop on conversations in their homes and share what they hear with the government for physical security purposes. It would be inconsistent with our nation’s foundational values. Congress should apply Americans’ expectations of privacy equally in the physical and digital worlds.
Internet freedom and privacy may seem like abstract issues to members of Congress, especially those who eschew the use of technology, but lawmakers should recognize that most Americans value freedom and privacy in cyberspace just as much as in the physical world.
Without more principled thinking, members of the House are in danger of being bamboozled into voting for legislation that would undermine our fundamental values and 4th Amendment rights.
Finan is a Truman National Security Project fellow and consultant for Department of Defense technology programs. He formerly served in the Obama administration focusing on cybersecurity legislation.