Earlier this week, I was invited to join in on a conference call with Reps. Mike Rogers (R-MI) and C.A. “Dutch” Ruppersberger (D-MD), co-authors and chief sponsors of the increasingly-contentious Cyber Intelligence Sharing and Protection Act, better known as CISPA. During the hour-long talk about the bill, we heard time and again why this legislation is necessary, and why it’s not as dangerous as all of us rascally bloggers and civil liberty advocates are making it sound.
CISPA is not SOPA, they told us. It is “very limited” in its powers and its language. The bill is just 13 pages, and easy to understand. It really isn’t about gathering information on individuals, or going after individuals who illegally download music or movies, anyway. It’s about stopping nation states “like Russia and China” from stealing our business trade secrets, or waging a “catastrophic” cyber attack on our vital “networks and systems.”
This is exactly what I expected to hear. The congressmen need to sell their bill, after all, and part of that is convincing a critical press that there is no need to worry. And you know, despite my array of complaints about the bill, the call left me feeling like Rogers and Ruppersberger genuinely believe that CISPA is a good and necessary piece of legislation, one that poses no real threat to our privacy or our civil liberties.
But guess what: That doesn’t matter. Good intentions are not the same as good law.
The fact remains that critical portions of this bill — the infinitely vague definitions of “cyber threat” and “national security,” the far-reaching exemptions to existing laws, the toothless protections for privacy — all require us to trust that the federal government and corporations will not violate our rights. Any why in the hell would we trust that? We wouldn’t, and we don’t — because the federal government and corporations are not trustworthy.
Played for a fool
Let’s take the broad definitions of “cyber threat” and “national security” as a prime example. CISPA mandates that any information handed over to the federal government may only be used to protect against “cyber threats,” or for “the protection of the national security of the United States.” Ok, fine. But as anyone familiar with the Patriot Act knows, “national security” can mean almost anything. That alone makes this so-called “limitation” effectively meaningless. For this reason alone, CISPA should be thrown in a Capitol Hill trash can, and burned.
On top of this, CISPA explicitly says that “cyber threat intelligence” — the data that can lawfully be shared with, and acted upon by, the federal government — includes not only information that “directly” pertains to “a vulnerability of, or threat to, a system or network of a government or private entity,” it also means any information that pertains to “efforts to degrade, disrupt, or destroy such system or network” or “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”
Now, during the call, both Rogers and Ruppersberger assured us that this last bit is not meant to go after people who download “MP3 files or movies,” and that CISPA in no way gives the government the power to block access to websites. But the information gathered under CISPA most certainly COULD be used for that purpose, even if that’s not the primary objective. This is especially disconcerting considering that the data shared in this program will be handed directly to the Department of Homeland Security —the same organization that already seizes websites.
Once again, they are simply asking us to trust that the powers granted under this bill will not be used to go after these types of crimes. But a good piece of legislation would simply remove trust from the equation altogether by building in explicit rules prohibiting the information from being used in this way.
Just as they want us to believe that CISPA won’t be used for reasons other than direct cyber threats or genuine national security issues, they also want us to trust that the bill doesn’t give the government the power to spy on citizens. They do this by making the sharing of information voluntary, and “encouraging” companies who share their data with the government to strip it of all personally identifiable data. But as Leigh Beadon at TechDirt points out, “complicity between companies and the government, even when legally questionable, is common and widespread.” In other words: CISPA doesn’t require that companies share what they know with the government, but it makes doing so easier, and less risky for all parties involved. If Rogers and Ruppersberger were genuinely concerned about protecting individual privacy, they would amend CISPA to require — not simply permit — companies to anonymize the data they provide.
These are just a few examples of why critics say CISPA is a bad piece of legislation, and why they (I) believe it could be abused. The only argument from the pro-CISPA camp on this front is, “Don’t worry. Trust us.” But we don’t, and we won’t, and we shouldn’t. Trust simply should not be a factor. There are far too many instances of the government and corporations abusing their power at the detriment to innocent individuals for anyone with even a drip of sense to put their faith, privacy, and civil liberties in the hands of those who could so easily squeeze out whatever justification they please.
Image via Kuzma/Shutterstock