The Cyber Intelligence Sharing and Protection Act, or CISPA, was first put forward in 2011 as a response to the increasing dangers of cyber-warfare. It defines something called “cyber threat intelligence” (CTI), which is essentially information about networks, either government or private, which could be used to compromise, impede, or destroy those networks. It also proposes an infrastructure to identify and process CTI, allowing government agencies to secure those networks and prosecute the parties responsible for damaging or compromising them. CISPA was written to address a real problem – as just about any utility or government agency depends on the continued operation of its networks, it’s possible for a cyberattack to deal as much damage as an air strike. Unfortunately, it sucks.
As with SOPA before it, CISPA has met a great deal of backlash, most notably from the EFF and the ACLU, and rightfully so – the bill makes no mention of any procedure for establishing what constitutes probable cause for investigation of CTI. It also allows private security companies to access personal information directly from corporations (Facebook, Gmail, etc.), and from government records. Combine these with a vague statement of what exactly could qualify as CTI, and you’ve got a bill which could, in practice, allow both government agencies and private companies to violate individual privacy without any need to establish probable cause.
The bill pays some lip service to maintaining privacy, forbidding access to medical, library, firearm sales, educational, and tax records, but when you’re talking about the entirety of personal correspondence on the internet being available for perusal at the government’s leisure, you’ve already screwed the figurative pooch with regard to civil liberty.
There are a couple of underlying reasons for such awful legislation being authored at all, let alone making it to Congress.
First, the main authors of the bill, Mike Rogers (a former FBI agent) and Dutch Ruppersberger, are senators, not IT experts. They’re not intimately familiar with how network security works, how someone who wished to do the United States harm might use weaknesses in network security to their advantage, or what the effects of such an attack might be. As such, any legislation they write about cyber security will lack the intimate details necessary to address the precise nature of the threats, and so will have vague, blanket terminology, to cover as many of these threats as possible without needing to identify them individually. Unless we get someone who actually knows something about cyber security to write these bills, we’re just going to get anything-goes laws that will merely serve to convolute what’s already a minefield of antiquated policy.
Second, and most importantly, is a pervasive and grotesque notion that correspondence via the internet is somehow categorically different from other means of communication. Reading someone’s mail or tapping their phone is a felony, as should be reading their e-mail or any other digital files that they have not explicitly rendered public. It is an obvious and inarguable extension of the 4th Amendment: citizens have the absolute right to be secure in their “papers and effects,” regardless of whether those “papers and effects” are in their mailbox or on their smartphone.
In summary, CISPA is a poorly written response to a real problem that deserves attention, and it will cause more harm than good to Americans’ rights if it’s passed. Please follow the link below to the Electronic Frontier Foundation’s handy-dandy contact-your-representatives utility, and let your rep know that you want something better.