CISPA: Who’s Watching?

Cybersecurity And The Right To Privacy

So what is the Cyber Intelligence Sharing and Protection Act (CISPA)?  It is a bill in the US that would allow for the sharing of Internet traffic information between the government and various companies.  The stated aim of the bill is to help the US with cyber-threats and ensure the safety of systems from cyber-attacks.  The other week, with very little notice, the House of Representatives passed CISPA by a vote of 288-127.  Senate Democratic leadership says that CISPA will not come up for a vote, and President Obama has threatened a veto if it were to pass through Congress.  (You can read the bill by clicking here.)

There are some questions when it comes to CISPA.  What kind of information would companies be allowed to share?  Simply put… any information that pertains to cybersecurity.  This includes threats, vulnerabilities, efforts to degrade systems, and attempts at unauthorized access.  So with whom can these companies share your information?  Anyone they wish, ranging from other companies to the government, and even civilian agencies like the Department of Homeland Security, etc.  The way CISPA is currently written, there is the concept of getting important information to where it needs to go, but it doesn’t define where that is.  So as companies make a record of what sites you visit, what you read, etc., they’d be allowed to share that information with anyone they choose.  So what can be done with this information?  The short answer… anything they want, and it doesn’t really need to have any relevance to cybersecurity.  There are no corporate-use limitations once that information is shared with another company, so the recipient can do whatever it wants with the information it receives.  When it comes to the government, there are only regulations in place for the federal government.  If a company chooses to share information with local or state law enforcement, then it’s a free-for-all.  The restrictions placed on the federal government mean that it can only use the information for addressing cybersecurity, prosecuting cybersecurity crimes, investigating and prosecuting crimes involving danger of death or serious harm, investigating crimes against children, and protecting the national security of the US.  So what else is in the bill?  CISPA allows for more surveillance of records and communications, and it provides companies with complete immunity for decisions made based on the information they gather.

So that is CISPA in a basic form.  It does not, however, compel companies to turn over information, but companies can elect to do so if they wish.  It does not require a subpoena or a warrant per the 4th Amendment to the US Constitution, which protects citizens from searches and seizures carried out without a warrant judicially issued with probable cause.  “Search” was defined in the Supreme Court case Katz v. United States (1967).  The court ruled that a search occurs when a person expects privacy in the thing that is searched, and society believes that that expectation is reasonable.  In the case Griswold v. Connecticut (1965), the Supreme Court ruled that the Constitution protected the right to privacy though it is not mentioned specifically in the US Constitution.  Justice Arthur Goldberg wrote a concurring opinion based on the Ninth Amendment, as well as the Due Process Clause of the Fourteenth Amendment.  He would be joined in the concurrence of the Due Process Clause by Justice John Marshall Harlan II and Justice Byron White.

The Independent Voter Network (IVN) highlighted some points that were issued in a statement by the Intelligence Committee in support of CISPA.  These points were:

  1. “The legislation actually prohibits the expansion of any agency or current security authority and requires the government to ‘eliminate any personal information it happens to receive that is not necessary to understand the cyber threat.’
  2. They claim that CISPA has nothing to do with government surveillance. Rather, ‘it simply provides narrow authority to share anonymous cyber threat information between the government and the private sector.’
  3. Addressing concerns about the potential misuse of private information, the supporters state that there is a very narrow allowable use for the information going so far as to limit ‘the government’s permissible uses for cyber threat information by eliminating the national security use exception.’
  4. Regarding concerns over the government storing large amounts of personal information, ‘the bill prohibits the federal government from retaining or using information other than for the cyber threat purposes specified in the legislation.’
  5. Finally, the supporters are quick to point out that CISPA is not at all comparable to SOPA or PIPA. SOPA/PIPA concerned copyright infringement, whereas CISPA is about security.”

Though the Supreme Court has ruled that we have a right to privacy and that it’s protected by the US Constitution, one must wonder where the line is drawn between privacy and protection from a cyberattack.  When the public first realized that companies were keeping private information about us and our habits online, there was an initial outcry over privacy violations.  Companies quickly had to draw up Privacy Guidelines on what information was collected and shared and to make sure the people were aware of them.  Those guidelines sometimes got so lengthy that people just didn’t read them.  So Congress stepped in and drafted a bill that stated companies also had to release a summary of those guidelines so that we, as consumers, could quickly scan it over.  But that information was usually shared among partnered or affiliated companies (e.g., Gap and Banana Republic, since they are owned by the same parent company, or ABC and ESPN, since they are owned by the same parent company).  This type of information has helped a great deal in terms of marketing.  If you’ve ever noticed, ads on websites are often geared toward what you buy or the websites you browse.  But now we are discussing a bill that would allow companies to turn over any information they want to whomever they want… including the government.  It’s in the name of cybersecurity.  IVN’s article states that “personal privacy and cyber security are often at odds.  As a consequence, it is difficult for both companies and the government to find hackers and protect power grids and online infrastructure against assault.”

The current form of CISPA is too broad, as its opponents suggest.  It doesn’t define which agency (or agencies) can receive information… or, to put it differently, with whom these companies are supposed to share the information.  And though it is supposed to only be information regarding cybersecurity, that still needs to be clearly and definitively defined.  Our cyber security does need to be protected from threats, but it must be done without jeopardizing our right to privacy.  And it must make it absolutely clear that the government cannot ask for such information on anyone without a subpoena or a warrant as per the Fourth Amendment.  Just because we are now in the computer/digital age does not mean that our rights defined in the Bill of Rights are any less important and don’t need to be protected.  If anything, we must be on guard even more now than probably any other time since the initial founding of our country.  CISPA should be grabbing everyone’s attention.  And the Senate should be paying close attention to its wording… though the head of the committee that would be bringing up the bill, Sen. Jay Rockefeller (D-WV), has stated the bill is DOA already.  Privacy is a right shared by all Americans, and we deem it an important right.  So where do we draw that line between our personal privacy and cybersecurity?  And is it even possible for the two to coexist in some form?


3 Responses to CISPA: Who’s Watching?

  1. Defense Lawyer In Sugar Land says:

    Really good. I agree.

  2. The short answer: any information that “pertains” to cybersecurity, broadly defined to include vulnerabilities, threat information, efforts to degrade systems, attempts at unauthorized access, and more. You can see the full list on page 20 of the bill. You’ll see that it’s not tied to the criminal definition of hacking but instead forges new ground.

  3. This week is “Cybersecurity Week” in the House of Representatives, and members will vote on a handful of bills intended to protect cybersecurity — the ability to prevent and respond to threats from foreign governments, terrorists and criminals over the Internet. Some of the bills are civil-liberties-neutral but, as usual when addressing a security issue, Congress is considering a bill that overreaches — this time by allowing companies to share private and sensitive information with the government without a warrant and without much oversight.
