Facebook and Google Turned Into Government Spies? The Dangerous New Law Before Congress (CISPA)
(Update: The Cyber Intelligence Sharing and Protection Act (CISPA) passed the House Thursday.)
The U.S. House of Representatives is expected to pass a reprehensible cyber-security bill that seeks to protect online companies—giant social media firms to data-sharing networks controlling utilities—from cyber attack. It is reprehensible because, as Democratic San Jose Rep. Zoe Lofgren said this week, it gives the federal government too much access to the private lives of every Internet user. Or as Libertarian Rep. Ron Paul also bluntly put it, it turns Facebook and Google into “government spies.”
But that’s not the biggest problem with Congress’s urge to address a real problem—protecting the Internet from cyber attacks. While House passage launches a process that continues in the Senate, the bigger problem with the best known of the cyber bills before the House, CISPA, the Cyber Intelligence Sharing and Protection Act, is not what is in it, which is troubling enough, but what is not on Congress’s desk: a comprehensive approach to stop basic constitutional rights from eroding in the Internet Age.
“I don’t think the current cyber-security debate is adequately protecting civil liberties,” said Anjali Dalal, a resident fellow with the Information Society Project at Yale Law School (and a blogger). “CISPA seems to place constitutionally suspect behavior outside of judicial review. The bill immunizes all participating entities ‘acting in good faith.’ So what happens when an ISP hands over mountains of data under the encouragement and appreciation of the federal government? We can’t sue the government, because they didn’t do anything. And we can’t sue the ISP because the bill forbids it.”
What happens is anybody’s guess. But what does not happen is clear. The government, as with the recently adopted National Defense Authorization Act of 2012, does not have to go through the courts when fighting state "enemies" on U.S. soil. Instead, CISPA, like NDAA, expands extra-judicial procedures as if America’s biggest threats must always be addressed on a kind of wartime footing. Constitutional protections, starting with privacy rights, are mostly an afterthought.
The CISPA bill takes an information-sharing approach to fight cyber attacks. Nobody has said there’s a problem with the government giving classified information to private firms to stop attacks. It is the opposite of that—Internet companies sharing information about users and their online activities—that raises civil liberties red flags. In general, the courts distinguish between public and private aspects of online activity, holding, for example, that e-mail addresses, subject lines and traffic patterns are like snail-mail addresses on the outside of a paper envelope—they are public. But just as a letter’s contents are private, courts have said that is true with online activity—although in a recent Supreme Court case involving wireless surveillance, Justice Sonia Sotomayor raised the question of how much privacy people should expect in their online activities.
For now, however, the government generally needs a search warrant to look at the details of people’s online activities. That is because the Constitution protects civil liberties by restricting government intrusion into citizens' lives. However, a private company doing the government’s work for it does not face the same restrictions.
CISPA’s fine print does an end run around the judicial hurdles. It essentially fights cyber threats by deputizing the tech sector to police the net and share everything—online activities, history, searches, transactions, mail—with various federal agencies, including possibly national security agencies. Internet firms would not be required to tell clients when their information was given to the government.
The latest Intelligence Committee amendments, which were submitted to the House Rules Committee on Wednesday morning (it decides what will be debated on the House floor on Thursday), said the information given to the government would be used for “cybersecurity purposes,” or degrading, disrupting or destroying a network or system, as well as unauthorized taking of information. “Cybersecurity purposes” is also defined as protecting people from “danger of death or serious bodily harm,” which presumably means terrorism, and protecting minors from “child pornography,” “sexual exploitation” and “kidnapping.” This specificity was missing in earlier versions of the bill.
Critics in the civil liberties community have said CISPA’s wording is too vague, deputizes private actors, leaves no legal recourse, is open to mission creep and offers inadequate public protections, such as requiring ISPs to anonymize personal identifying information, or limiting the government’s use and retention of the data. Private firms cannot be expected to safeguard privacy, they said, especially after Congress has freed them from liability.