This past week, the Cyber Intelligence and Security Protection Act (CISPA) that allows for unaccountable sharing of private information despite three revisions passed the House of Representatives with an overwhelming vote of 206 ayes from Republicans and 42 ayes from Democrats.
The CISPA bill is a proposed law introduced last November by U.S. Representative Michael Rogers (R-MI) and 111 co-sponsors. The bill would allow the voluntary sharing of information between the U.S. government and corporations in an attempt to secure networks against potential domestic and foreign cyber attacks.
The bill came just months after Congress rejected Stop Online Piracy Act (SOPA) that was largely opposed by companies like Facebook and Google who now support CISPA for reasons that opponents describe as self-protection from potential consumer lawsuits concerning private information sharing.
The American Civil Liberties Union and Electronic Frontier Foundation, including dozens of other privacy advocacy groups, came out in opposition to the bill, including the Obama administration who threatened to veto because it “fails to provide authorities to ensure that the nation’s core critical infrastructure is protected.”
Concerns from the opposition say that businesses sharing private information across channels would not be held accountable for their security practices due to potential immunity from any lawsuit over improper sharing of user’s personal information.
The second revision of the bill had addressed critic’s concerns, offering clearer details on a citizen’s right to sue a company over private and secretly shared information but the third revision went back to its original wording reigniting the protection of privacy debate.
The bill states that agencies and companies that share user information are “exempt from liability” and no civil or criminal cause of action can be maintained in a Federal or State court as long as they acted in “good faith.”
But if you can’t sue them if they allegedly acted in “good faith” then when can citizens sue? The bill doesn’t say and such vagueness can lead to government and corporate abuse.
In the past 10 years concerning illegal wiretapping of private citizens under the Patriot Act by American intelligence agencies, National Security Agency’s (NSA) ThinThread program, that was adapted for warrantless surveillance, and the largest NSA intelligence and spy center, being built in Bluffdale, Utah, should give concerns to Americans of a wider intelligence gathering initiative under the American government.
CISPA looks to add to such intelligence initiatives through a legal channel that could potentially cross privacy boundaries for the sake of “American security” against Russian and Chinese cyber intelligence.
The Patriot Act violated American civil liberties in the name of national security by accentuating fear of terrorism to justify actions against American citizenry. No public official should make the same decision again with CISPA that could potentially harm American’s freedom to share information privately.
Rogers says the bill is to protect against cyber threats that has resulted in the annual loss of nearly $1 trillion. But according to Dinei Florencio and Cormac Herley of Microsoft Research, who authored an op-ed featured in New York Times, the methodologies used to produce the leading cybercrime estimates are misleading.
Companies tend to use numeric surveys to estimate their losses due to cybercrime, which are “almost always upward,” according to Florencio and Herley.
“Respondent errors – or outright lies – cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population,” said Florencio and Herley.
Therefore, the bill that plays on fear of cybercrime to justify its existence is based off of faulty information. In reality, no one knows the size and scope of cybercrime, a business that very few are successful at.
With fears of “cyber threats” based on illegitimate information advocated by the bills’ proponents as the bulwark of their argument then it becomes obvious that the bill is not adequate for passage.
The bill has already witnessed co-sponsors drop their support for last Thursday’s vote including Anna Eshoo (D-CA) claiming her original sponsorship was on grounds that the bill was to be a “jumping off point,” but is currently nowhere near where it should be in regards to citizen protection rights.
Microsoft who originally supported CISPA pulled their support stating that “any law must allow us to honor the privacy and security promise we make to our customers.”
The Senate should reject this bill when it comes to the floor this month or advocate for an overhaul that specifically gives strict and clear protections to citizen’s privacy and right to sue.