Civil society groups are pushing back this week against CISPA, the Cyber Intelligence Sharing and Protection Act, which privacy advocates believe would give broad powers and immunity to private companies and the government to spy on Internet users.
While CISPA is purportedly meant to protect the government and companies from cyber attacks, Tim Karr of the media reform group Free Press says that "CISPA goes far beyond its stated purposes, sacrificing almost all of our online privacy rights without any safeguards against abuse." And it "could lead all too easily to governmental and corporate attacks on our digital freedoms."
Karr writes that "CISPA contains sweeping language that could be used as a blunt weapon to silence whistleblower websites like WikiLeaks and the news organizations that publish their revelations."
Digital rights group Electronic Frontier Foundation (EFF) notes that the act, written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), "will grant Internet companies immunity from civil or criminal liability for any monitoring or sharing of user activity—as long as it is done in ‘good faith.’"
The current pushback against CISPA, called ‘Stop Cyber Spying Week’, has the support of groups including EFF, Avaaz.org, Free Press Action Fund, ACLU, Access, CDT and the American Library Association.
* * *
What is “CISPA”?
CISPA stands for The Cyber Intelligence Sharing and Protection Act, a cybersecurity bill written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill purports to allow companies and the federal government to share information to prevent or defend from cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws. Because the bill is so hotly debated now, unofficial proposed amendments are also being circulated and the actual bill language is in flux.
Under CISPA, can a private company read my emails?
Yes. Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook.
Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications. Communications service providers may only engage in reasonable monitoring that balances the providers' needs to protect their rights and property with their subscribers' right to privacy in their communications. And these laws expressly allow lawsuits against companies that go too far. CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability. This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.
What would allow a company to read my emails?
CISPA has such an expansive definition of "cybersecurity threat information" that many ordinary activities could qualify. CISPA is not specific, but similar definitions in two Senate bills provide clues as to what these activities could be. Basic privacy practices that EFF recommends—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a “threat” under the Senate bills. As we have stated previously, the bills’ definitions “implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.”
A more detailed explanation about what could constitute a “cybersecurity purpose” or “cyber security threat indicator” in the various cybersecurity bills can be read here.
Under CISPA, can a company hand my communications over to the government without a warrant?
Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever, as long as the communications have what the companies interpret to be “cyber threat information” in them. Once the government has your communications, they can read them too.
Under CISPA, what can I do if a company improperly hands over private information to the government?
Almost nothing. CISPA would affirmatively prevent users from suing a company if they hand over their private information to the government in virtually all cases. A broad immunity provision in the proposed amendments gives companies complete protection from user lawsuits unless information was given to the government:
(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.
As Techdirt concluded, “no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.” This proposed immunity provision is actually worse than the prior version of the bill, under which companies could be sued if they acted in “bad faith.”
* * *
The Guardian: Cispa will give US unprecedented access, internet privacy advocates warn
With echoes of Sopa, critics charge that bill will overturn US privacy protections in government attempts to track hackers
Washington looks set to wave through new cybersecurity legislation next week that opponents fear will wipe out decades of privacy protections at a stroke.
The Cyber Intelligence Sharing and Protection Act (Cispa) will be discussed in the House of Representatives next week and already has the support of 100 House members. [...]
In one section, the bill defines "efforts to degrade, disrupt or destroy" a network as an area that would trigger a Cispa investigation. Opponents argue something as simple as downloading a large file – a movie for example – could potentially be defined as an effort to "degrade" a network.
The bill also exempts companies from any liability for handing over private information.
"As it stands the bill allows companies to turn over private information to the government and for them to use it for any purpose that they see fit, all without a warrant," said Michelle Richardson, with the American Civil Liberties Union (ACLU). "For 40 years we have had legislation about wiretapping that protects people. This would overturn that and make a cyber exception."
Privacy advocates are especially concerned about what they see as the overly broad language of the bill. As people increasingly use services like Skype and other internet telephony services, Twitter and Facebook to communicate, advocates fear the bill is a land grab that would give US authorities unprecedented access to private information while removing a citizen's legal protection.
It will be the first such bill to go to a vote since the collapse of the Stop Online Piracy Act (Sopa) in January after global protests and a concerted campaign by internet giants such as Google, Wikipedia and Twitter.
* * *
Tim Karr: Big Brother Is Not Your 'Friend'
CISPA could lead all too easily to governmental and corporate attacks on our digital freedoms. Promoted to protect our national interests against a loosely defined horde of cyber-terrorists, CISPA goes far beyond its stated purposes, sacrificing almost all of our online privacy rights without any safeguards against abuse. It’s the type of misguided Internet legislation that we have seen in the past, where government and corporations craft restrictive new laws without giving Internet users a seat at the table. Will they never learn?
Groups including EFF, Avaaz.org, Free Press Action Fund, ACLU, Access, CDT and the American Library Association have just launched “Stop Cyber Spying Week” so that Washington understands that the online rights of millions of Americans are not negotiable. In addition to helping Americans contact Congress, these groups have unleashed the power of Twitter against any legislator weighing a vote for this bad bill.
The folks behind CISPA claim that national security interests make this surveillance necessary, but the bill's language is so vague and overreaching that it opens the door for rampant abuse. Here’s what’s wrong:
- CISPA would allow companies and the government to bypass privacy protections and spy on your email traffic, comb through your text messages, filter your online content and even block access to popular websites.
- CISPA would permit companies to give the government your Facebook data, Twitter history and cellphone contacts. It would also allow the government to search your email using the vaguest of justifications — and without any real legal oversight.
- CISPA contains sweeping language that could be used as a blunt weapon to silence whistleblower websites like WikiLeaks and the news organizations that publish their revelations.
- CISPA would have a chilling effect on our ability to speak freely online by stoking fears that the National Security Agency — the same agency that has conducted "warrantless wiretapping" online for years — could come knocking.
CISPA could lead all too easily to governmental and corporate attacks on our digital freedoms. And while there is a real need to protect vital national interests from cyber attacks, we can’t do it at the expense of our rights.
* * *
Katitza Rodriguez: EFF: The Impending Cybersecurity Power Grab – It’s not just for the United States
Using the guise of ‘cybersecurity’, CISPA aims to mobilize Internet intermediaries to institute a sweeping, privacy-invasive, voluntary information-sharing regime with few safeguards. The U.S. cybersecurity strategy, embodied in CISPA and other legislative proposals, also seeks to empower Internet companies to deploy ill-defined ‘countermeasures’ in order to combat these threats. Use of these powers is purportedly limited to situations addressing ‘cybersecurity’ threats, yet this term is so loosely defined that it can encompass almost anything – even, potentially, investigating potential breaches of intellectual property rights!
The cornerstone of the privacy-invasive CISPA component is the establishment of private-public partnerships for information sharing. This creates a two-tiered regime that, on the one hand, facilitates the collection of personal Internet data by private Internet companies as well as the sharing of that information with the government and, on the other, allows government agencies to share information with private companies.
To enable information flows from Internet companies to government agencies, CISPA will grant Internet companies immunity from civil or criminal liability for any monitoring or sharing of user activity—as long as it is done in ‘good faith.’ Specifically, CISPA authorizes companies to “use cybersecurity systems to identify and obtain cyber threat information.” Aggrieved users who sue Internet companies for wrongfully handing over their data to the government will have to meet the incredibly high bar of proving the decision comprised ‘willful misconduct.’
The U.S. cybersecurity strategy will also permit Internet companies to employ dubiously defined ‘countermeasures,’ provided they are justified with equally vague and undefined ‘defensive intent.’ Internet companies will be permitted to deploy ‘cybersecurity systems’ – products designed to ‘safeguard...a network from efforts to degrade, disrupt, or destroy’. While it is unclear exactly what this would permit an Internet company to do, it could allow blocking of specific websites or individuals or even a much broader range of filtering. Given the potentially all-encompassing and inclusive definition of ‘cybersecurity’, it would not be surprising if these ‘countermeasures’ were ultimately used to block online entities such as Wikileaks or sites accused of copyright infringement. The inclusion of ‘degrade’ in the definition of permissible ‘cybersecurity systems’ could even raise net neutrality concerns, as ISPs have, in the past, claimed ‘network degradation’ as justification for the throttling of downstream services such as peer-to-peer applications. Indeed, U.S. cybersecurity laws have a history of being employed by private Internet companies to stifle downstream competition.
In sum, the U.S. cybersecurity strategy envisions a voluntary cooperative regime where Internet companies are given broad-ranging immunities to surveil Internet users and downstream online services. This amounts to an erosion of personal privacy safeguards currently in place. Under this regime, an online company need only assert a vague ‘cybersecurity objective’ and it will have carte blanche to bypass domestic laws and protections against privacy invasion.