In the name of protecting us from hackers, computer viruses and cyber-terrorists, the House of Representatives has passed a bill that would make it easier for sites like Facebook and Twitter and Internet service providers like Comcast and Time-Warner to share users’ private messages and files with government agencies.
The House on April 25 passed the Cyber Intelligence Sharing and Protection Act, or CISPA. The act aims to make it easier for the government and online businesses to exchange information about computer and network security risks so they can more effectively respond to hackers, digital espionage and computer viruses. Yet to achieve this end, it allows private companies to share with any government agency all information they deem relevant to a so-called “cyber threat,” defined broadly and vaguely as “a vulnerability” of a computer system or network — and protects these companies from liability for handing over user information even if doing so explicitly violates their own stated privacy policies. That means a company like Google could legally give the government a user’s search history, e-mails, files stored on cloud service, even videos uploaded to the company’s YouTube site, if that material is shared for cyber security purposes.
The bill does specify that the government must reject any inappropriate personal information it receives from a business. But if this happens, the user whose privacy is violated is never directly notified — only the company is. Moreover, under the terms of the bill, once a user’s private data are in the government’s hands, there is no way for that person to know who is using it or if in fact it is being used properly because the information the government obtains from the private sector would not be subject to transparency laws like the Freedom of Information Act.
Also worth noting is the fact that CISPA sets no limits to how long the government may retain the personal information it is given. So, theoretically, the CIA or FBI could keep a user’s private data forever.
While advocates insist this sort of sweeping government surveillance is needed to keep us safe online, critics correctly point out that CISPA would essentially negate all existing state and federal privacy laws, including laws originally created to prevent invasive wiretaps. The ACLU calls the bill “a privacy disaster.” Tim Berners-Lee, the man credited with inventing the World Wide Web, said the cyber security act “is threatening the rights of people in America, and effectively rights everywhere, because what happens in America tends to affect people all over the world.”
Fortunately, the bill appears to have run into a wall of opposition. President Obama has threatened to veto the legislation unless it is amended to require companies to take reasonable steps to remove irrelevant personal information when sending data to the government. After the House vote, a coalition of 34 civil liberties groups and high-tech companies vowed to redouble its fight against CISPA’s attack on online privacy.
No doubt because of this resistance, the Senate will reportedly shelve CISPA and work on its own alternative cyber security legislation instead. Still, there is a possibility that the bill ultimately drafted by the Senate will incorporate some of CISPA’s objectionable provisions. And whatever the Senate comes up with would have to be reconciled with CISPA in conference committee.
Internet security threats are a growing concern in the computer-mediated world we live in. But CISPA as written would undermine our Fourth Amendment protections against unreasonable government search and seizure. The Senate is right to scrap it and start over. Any new bill offered in its place should define with precision what constitutes a “cyber threat,” should only permit companies to report “threat data” to civilian agencies — as proposed in an amendment to CISPA authored by Rep. Jan Schakowsky (D-Ill.) — and should require companies to remove identifying personal information from any data they pass along. But just as important, any new bill ought to preserve the individual’s right to sue for damages when businesses give authorities their personal online information without just cause.
Whatever form the legislation ultimately takes, it should not sacrifice our privacy on the altar of cyber security.
Macek is an associate professor of speech communication at North Central College in Naperville, Ill. and a founding member of Chicago Media Action.