Why CISPA Could Do More Harm Than Good

Are you familiar with the Cyber Intelligence Sharing and Protection Act? The bill, which is more commonly known as CISPA, is getting a considerable amount of criticism from both Internet and consumer advocates. Many of these groups are equating it with SOPA and are hoping that it will receive the same outcome.

CISPA, and other cybersecurity bills, has recently become front and center as cyber threats have grown more prevalent. Numerous lawmakers are pushing for legislation in hopes of lessening the concerns.

But, what would CISPA actually do? And, would it have the same impact that SOPA would have had? According to the bill itself, the goal is:

“To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.”

How do you feel about CISPA? Are you for or against it? Why or Why not? Please share.

Aside from the Internet-related legislation, CISPA is not very similar to SOPA. CISPA is geared toward cybersecurity concerns and, primarily, the sharing of cyber threat information between the private sector and the government. SOPA, on the other hand, was focused on intellectual property and was pushed by the entertainment industry to address piracy issues.

“The bills don’t have many similarities beyond the basic idea that they are both forms of government overreach,” Ryan Radia, the Associate Director of Technology Studies at the Competitive Enterprise Institute (CEI), told WebProNews.

The reason, however, that so many have associated the bills with each other is due to the implications they would have. According to Radia, the basis of CISPA is well intentioned, but the wording of it is dangerous.

As he explained to us, even though the bill has had multiple amendments, it is still too vague. The main controversy is in how “cyber threat information” would be interpreted and, also, what the government would do with it.

“The information that you hand over to, say, Google, Facebook, Yahoo, etc., may have some nexus to a so-called cyber threat – that information could end up in the government’s hands not only for use in fighting off cyber attacks, but for use in, say, run of the mill criminal prosecutions,” said Radia.

For instance, he told us that language such as “unauthorized access” could not only apply to hackers, but that it could also apply to users’ stretching the truth online. In other words, it could give the government access to Facebook users that lie about their age or to people that use their employer’s computers to watch YouTube videos.

“Should lying about your age and weight on an online dating site be a federal crime?” asked Radia. “I don’t think so… this bill doesn’t make it a crime but gives government access to information that could relate to such crimes.”

With this broad language, CISPA could drastically change all existing laws pertaining to criminal, civil, statutory, contractual, and various other cases. Although the government would not be able to use the information it receives for regulation purposes, Radia told us that CISPA would be a “prosecutor’s dream” since they could avoid obtaining court orders and other forms of red tape.

As a result of these implications, privacy activists believe CISPA is a violation of consumer privacy rights. Radia agrees saying it poses “a very real risk to privacy.”

“Under CISPA, we could see a whole host of information being shared with the government in ways that do represent a very real threat to privacy and that offend the basic 4th Amendment principle that we should be free from unreasonable searches,” said Radia.

There are numerous petitions to stop CISPA, including one from Demand Progress and one from Avaaz. The Electronic Frontier Foundation (EFF) has also been particularly outspoken about the harm CISPA would bring and even launched a campaign last week in protest of the bill. The EFF is hoping to give the government too much information in the form of its CongressTMI hashtag in order to “showcase the types of unnecessary private data that could be swept up under CISPA.”

While these campaigns to stop CISPA are reminiscent of the Internet blackout in January in protest of SOPA, the Internet community has been less than active in regards to this latest piece of legislation. If you recall, almost every corner of the Internet had some form of protest from Reddit going dark to the Internet community creating memes in protest of SOPA.

It’s not entirely clear if it’s due to apathy or just ignorance of the bill, but CISPA doesn’t face as much criticism from the Internet as a whole as SOPA did. The Avaaz petition, which is also referenced on Reddit’s front page, has over 700,000 signatures, but it pales in comparison to the anti-SOPA petition that received over 3 million signatures. It’s clear that many people just don’t see the same threat in CISPA that they did in SOPA.

Incidentally, Tim Berners-Lee, who is one of the “fathers of the World Wide Web,” recently spoke to the Guardian and expressed his concern for CISPA.

“[It] is threatening the rights of people in America, and effectively rights everywhere, because what happens in America tends to affect people all over the world. Even though the Sopa and Pipa acts were stopped by huge public outcry, it’s staggering how quickly the US government has come back with a new, different, threat to the rights of its citizens.”

Unlike SOPA, Internet giants such as Google and Facebook support CISPA, which has produced a divided perspective from the Internet community. Radia, however, told us that many of these companies are backing the bill for its core purpose – to make sharing information easier.

“Companies aren’t supporting this generally because they really want to screw consumers or take away their privacy, but rather, they want more freedom to share information,” he said.

“How much is less clear,” Radia continued. “This bill would give them, perhaps, too much freedom and give government too much freedom.”

In addition to CISPA, there are several other cybersecurity bills in Congress. One is the Cybersecurity Act of 2012, which puts a regulatory approach on cybersecurity, and is backed by Sens. Joe Lieberman and Susan Collins. Senator John McCain has also introduced a bill called the Secure IT Act that focuses on information sharing and gives more power to the private sector instead of the government.

Other bills including the Security Amendments Act of 2012, the Cybersecurity Enhancement Act, and the Precise Act, are also being discussed but have not received as much media attention as the others.

“Every one of these bills has a broad immunity grant for private sector information sharing with government,” said Radia. “None of them, in their current versions, have careful limits on the use and on… the conditions the government can place on private entities.”

He believes that the Precise Act is the best one introduced up to this point but that, even it, borrows from the broad language of CISPA.

In spite of all this focus on cybersecurity, Jerry Brito, the Director of the Technology Policy Program at George Mason University, recently told us that, the rhetoric in Washington about it is being overblown.

“There really is little evidence for us to believe that we are on the brink of real calamity,” said Brito.

Radia agrees with Brito and even suggested that cybersecurity legislation may not provide a real solution to the concerns. He, like Brito, is not convinced that a law, especially one of the bills already introduced, would actually reduce cyber threats.

“What we need is a rifle shot – a narrow, careful target approach to ensure that the very specific types of cyber threat information are being shared with private entities and with government,” he pointed out.

In terms of CISPA, specifically, Radia thinks it has a 50/50 chance of becoming a law. He said that it could pass the House but, beyond that, it could go either way.

Last week, the White House issued a statement to The Hill that indicated its opposition to the bill. Although she avoided calling out CISPA directly, National Security Council spokeswoman Caitlin Hayden said:

“The nation’s critical infrastructure cyber vulnerabilities will not be addressed by information sharing alone. Also, while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation’s critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation’s urgent needs.”

The White House putting their weight behind the anti-CISPA efforts will help, but it seems that the bill is already undergoing some changes to improve the legislation. A recent OP-ED on Mashable reveals that the authors of the bill are currently in talks with Internet companies to reach a compromise that would satisfy all parties, including privacy-minded citizens. It’s this willingness to work with Internet companies to reach a compromise that may set CISPA apart from SOPA the most.

The House of Representatives is scheduled to vote on CISPA this week. On Digital Trends, Andrew Couts points out that, according to House Majority Leader Eric Cantor’s schedule, the House will begin debating CISPA on Thursday, April 26, and that a vote will happen no later than Friday afternoon.

Could CISPA help reduce cyber threats, or is it a threat itself? Please share your thoughts.