Facebook defends CISPA support, completely misses the point


Facebook released a statement today defending its support for the Cyber Intelligence Sharing and Protection Act of 2011, known as CISPA, a piece of cybersecurity legislation that critics say is dangerous to our privacy and civil liberties.

“One challenge we and other companies have had is in our ability to share information with each other about cyber attacks,” writes Joel Kaplan, Facebook Vice President of U.S. Public Policy, in a company blog post. “When one company detects an attack, sharing information about that attack promptly with other companies can help protect those other companies and their users from being victimized by the same attack. Similarly, if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems.”

CISPA would simply “make it easier for Facebook and other companies to receive critical threat data from the U.S. government,” writes Kaplan. And it does so without any “new obligations on us to share data with anyone –- and ensures that if we do share data about specific cyber threats, we are able to continue to safeguard our users’ private information, just as we do today.”

Kaplan also says that Facebook recognizes “that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government.” The problem, Kaplan writes, is that “companies will share sensitive personal information with the government in the name of protecting cybersecurity.” But he says that there’s no reason to worry, at least as far as Facebook is concerned, because “Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place.”

Of course, all of that is very predictable — and entirely beside the point. While Kaplan is right, that critics are worried that CISPA would allow companies like Facebook to share private information about their users, that’s only part of the problem. Kaplan fails to mention that CISPA would eliminate any liability from companies who share information, as long as the information they share is not blatantly for some purpose other than to protect against “cyber threats” or defend “national security.” He also does not make it clear that CISPA would give Facebook and any other company the power to actively monitor all private communications, including email and private Facebook messages, as part of the process for protecting its system against cyber threats.

Moreover, it is not simply how Facebook or other companies will handle private user data that causes concern; it is how the government will use that information. The House Intelligence Committee announced a new version of CISPA, which removes some of the troublesome bits (most notably: any mention of “intellectual property”), but the new iteration of the bill sill lacks any serious privacy safeguards, and continues to allow the federal government to use the information collected from private entities for anything related to the every-ambiguous goal of “national security.”

The most worrisome part of Kaplan’s defense of CISPA is that the best argument he could come up with for why it is alright to give Facebook more power over our lives is: “trust us, we’re not going to do anything wrong.” I’ve said it once, I’ll say it again: Trust should not be part of this equation. We should not have to trust that a private company — especially one that has an abysmal track record concerning user privacy — will do the right thing. A good cybersecurity bill would make it either impossible for companies to violate our privacy to the federal government, or impose staggering consequences for doing so. CISPA does neither — that’s why we despise this piece of legislation.

Sorry, Facebook. The fight against CISPA is far from over — trust me.