In 2011, the Cyber Intelligence Sharing and Protection Act (CISPA) was introduced to the House of Congress by representative Mike Rogers, but failed to pass the senate. In February of 2013 the same bill was reintroduced and once again defeated; President Obama went so far as to say he would veto the bill if it ever made it through both Congress and Senate. Earlier this year, democrat Dutch Ruppersberger reintroduced the bill yet again and — it remains largely unchanged from previous versions. So what’s the big deal with CISPA? What’s the aim of this legislation, why can’t lawmakers simply leave it alone, and what happens if it passes? Short form, it’s bad news for privacy. Long form? Read on to find out the gritty details.
Your Data, Their Rules
Here’s the idea behind CISPA: Protect the United States by making it easier for the NSA and other spy agencies to collect data about criminal and terrorist activities taking place in American cyberspace. The bill aims to do this in two ways, first by permitting the “sharing” of data between private companies and the government and by allowing security organizations to grab whatever private data they want without permission from a judge or notification to the affected party.
In practice, this means that the NSA could snoop on your email, Internet browsing habits, purchases and any other online activity it deems as “information…directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity.” And since the NSA is known for casting the widest possible net when it comes to interpreting governmental permission, just about any action online could be made to fit this definition. What’s more, the “sharing” provisions in CISPA effectively amount to coercion on the part of government agencies: While private companies would be granted protection from legal action if they willing gave up data on private citizens, they could also be compelled to do so without any recourse. Bottom line? This is bad news.
With the bill already defeated twice and with no significant revisions made to the current iteration, why do government representatives keep championing the idea? The big push here is to increase cybersecurity through improved surveillance. By keeping tabs on citizens and criminals alike, CISPA champions say it’s possible to filter out the good and prosecute the bad.
CISPA’s most recent reintroduction was inspired by the Sony attacks in December of last year — with North Korea the most likely culprit, lawmakers saw it as the perfect time to push CISPA back into the limelight and hope that fear of compromise would override worry about privacy violations. But as noted by Tech Dirt, there’s no guarantee that if Sony had given the NSA access to its database that the attack would have been averted. Sony simply provides a high-profile talking point to get the cybersecurity discussion rolling again. And Gizmodo argues that CISPA and similar bills simply aren’t effective when it comes to defending the U.S. — or any nation — from cyber threats. The focus on surveillance over security speaks to the hope that cyber-terrorists will simply reveal themselves by their actions, rather than developing a proactive plan to guard virtual borders.
While CISPA hasn’t passed yet, the House has just approved the Protecting Cyber Networks Act (PCNA), which permits the sharing of information between private companies and the government and includes provisions for corporate protection from legal repercussions. So far, President Obama seems on board and while there’s no guarantee of Senate approval, this seems like a first step toward the broader powers of CISPA. Hacktivist group Anonymous, meanwhile, has released an online awareness-raising campaign to educate users about CISPA and other privacy-limiting bills and while they’ve stuck mostly to statements and petitions, they’re not shy about getting more directly involved where warranted. In other words, even if CISPA does pass, it may be the government’s “privacy” which ends up violated.
No matter which side of the privacy debate you land on, CISPA has some worrisome provisions, mostly owing to vague wording which allows broad interpretation by the NSA and a lack of notification to users. Hopefully the proposed will be defeated a third and final time; if not, it may be time for law-abiding Netizens to place their data beyond the reach of government surveillance.