Facebook and Google Turned Into Government Spies? The Dangerous New Law Before Congress (CISPA)
(Update: The Cyber Intelligence Sharing and Protection Act (CISPA) passed the House Thursday.)
The U.S. House of Representatives is expected to pass a reprehensible cyber-security bill that seeks to protect online companies—giant social media firms to data-sharing networks controlling utilities—from cyber attack. It is reprehensible because, as Democratic San Jose Rep. Zoe Lofgren said this week, it gives the federal government too much access to the private lives of every Internet user. Or as Libertarian Rep. Ron Paul also bluntly put it, it turns Facebook and Google into “government spies.”
But that’s not the biggest problem with the Congress’s urge to address a real problem—protecting the Internet from cyber attacks. While House passage launches a process that continues in the Senate, the bigger problem with the best known of the cyber bills before the House, CISPA, the Cyber Intelligence Sharing and Protection Act, is not what is in it -- which is troubling enough -- but what is not on Congress’s desk: a comprehensive approach to stop basic constitutional rights from eroding in the Internet Age.
“I don’t think the current cyber-security debate is adequately protecting civil liberties,” said Anjali Dalal, a resident fellow with the Information Society Project at Yale Law School (and a blogger). “CISPA seems to place constitutionally suspect behavior outside of judicial review. The bill immunizes all participating entities ‘acting in good faith.’ So what happens when an ISP hands over mountains of data under the encouragement and appreciation of the federal government? We can’t sue the government, because they didn’t do anything. And we can’t sue the ISP because the bill forbids it.”
What happens is anybody’s guess. But what does not happen is clear. The government, as with the recently adopted National Defense Authorization Act of 2012, does not have to go through the courts when fighting state "enemies" on U.S. soil. Instead, CISPA, like NDAA, expands extra-judicial procedures as if America’s biggest threats must always be addressed on a kind of wartime footing. Constitutional protections, starting with privacy rights, are mostly an afterthought.
The CISPA bill takes an information-sharing approach to fight cyber attacks. Nobody has said there’s a problem with the government giving classified information to private firms to stop attacks. It is the opposite of that—Internet companies sharing information about users and their online activities—that raises civil liberties red flags. In general, the courts distinguish between public and private aspects of online activity, holding, for example, that e-mail addresses, subject lines and traffic patterns are like snail-mail addresses on the outside of a paper envelope—they are public. But just as a letter’s contents are private, courts have said that is true with online activity—although in a recent Supreme Court case involving wireless surveillance, Justice Sonia Sotomayor raised the question of how much privacy people should expect in their online activities.
For now, however, the government generally needs a search warrant to look at the details of people’s online activities. That is because the Constitution protects civil liberties by restricting government intrusion into citizens' lives. However, a private company doing the government’s work for it does not face the same restrictions.
CISPA’s fine print does an end run around the judicial hurdles. It essentially fights cyber threats by deputizing the tech sector to police the net and share everything— online activities, history, searches, transactions, mail—with various federal agencies, including possibly national security agencies. Internet firms would not be required to tell clients when their information was given to the government.
The latest Intelligence Committee amendments—which were submitted to the House Rules Committee on Wednesday morning (it decides what will be debated on the House floor on Thursday) -- said the information given to the government would be used for “cybersecurity purposes,” or degrading, disrupting or destroying a network or system, as well as unauthorized taking of information. Cyber security purposes also is defined as protecting people from “danger of death or serious bodily harm,” which presumably means terrorism, and protecting minors from “child pornography,” “sexual exploitation” and “kidnapping.” This specificity was missing in earlier versions of the bill.
Critics in the civil liberties community have said CISPA’s wording is too vague, deputizes private actors, leaves no legal recourse, is open to mission creep and offers inadequate public protections, such as requiring ISPs to anonymize personal identifying information, or limiting the government’s use and retention of the data. Private firms cannot be expected to safeguard privacy, they said, especially after Congress has freed them from liability.
House Democrats have tried to amend the Intelligence Committee bill to clarify what is a cyber security threat, impose limits on the government's use and retention of shared data, and to protect privacy by urging the encryption of records, and also saying that what is gathered cannot be used for other regulatory purposes. CISPA’s authors said they have addressed critics' concerns, but late on Wednesday the White House, in its first comments on the bill, said it would veto it in its current form. Previously, the executive branch signaled that it preferred the approach in a Senate bill co-sponsored by Sen. Joe Lieberman, I-Connecticut, and Sen. Susan Collins, R-Maine, saying it offers more privacy assurances while protecting critical infrastructure and online platforms.
One of the biggest unknowns with government data mining—whether by federal agencies or contractors—is what will be done with all the information that is gathered. People may assume that more data means more confusion by analysts, but the opposite actually is true, according to experts such as Jeff Jonas, a senior scientist at IBM and a blogger. He says the public has little idea “what is computationally possible with Big Data,” which can predict—drawing on what is online—what someone is likely be doing at a certain time of day.
“Big Data is making it harder to have secrets,” Jonas wrote on his blog. He explains:
Unlike two decades ago, humans are now creating huge volumes of extraordinarily useful data as they self-annotate their relationships and yours, their photographs and yours, their thoughts and their thoughts about you… and more. With more data, come better understanding and prediction. The convergence of data might reveal your "discreet" rendezvous or the fact you are no longer on speaking terms with your best friend. No longer secret is your visit to the porn store and the subsequent change in your home’s late-night energy profile, another telling story about who you are… again out of the bag, and little you can do about it. Pity… you thought that all of this information was secret.
In the commercial world, consultants like Jonas tell clients that the best business practice is for companies to alert clients when third parties look at their data. But that courtesy, or legal requirement, is not part of the House’s CISPA bill. Indeed, as the San Jose Mercury News, the daily newspaper of Silicon Valley, noted in a Wednesday editorial urging the House to kill the bill, “personal privacy protection is all but nonexistent.”
But the biggest concern is not being touched at all: how to shore up constitutional rights, not chip away at them, when the Internet makes it harder for everyone to have secrets and the government deputizes the private sector to snoop for it without any judicial review.
“I think our First and Fourth Amendment rights aren’t being adequately considered,” said Yale Law School’s Dalal. “We have a right to be free from government intrusion into our private thoughts, actions and effects without a warrant. We also have a right to speak freely without government interference. Authorizing private surveillance of everything we do on the Internet with the understanding that government can be a recipient of that surveillance information threatens our right to speak freely, and to be free from unlawful search and seizure.”
It is almost certain that the GOP-controlled House will pass a version of CISPA on Friday. As was the case when the House passed legislation granting immunity to the telecom industry three years ago—for warrantless wiretapping of every American’s phone records to detect terrorist communications—the proponents will likely make many declarations about the price of freedom being vigilance. And its defenders will also declare that compromises were made to protect privacy rights.
However, every successive legislative "achievement" that gives government a deeper reach into people’s lives doesn’t just undermine specific civil liberties, it shrinks the Constitution. Indeed, it would be a rare day in Washington if Congress looked at constitutional protections first, not at the tail end, of every phase of the legislative process.