The Case For – And Against – Freaking Out About CISPA, The Controversial Cybersecurity Bill That Passed In The House
If you missed it (and, given the news week that just transpired, it’d be hard to blame you), on Thursday, the House of Representatives passed CISPA (full name: Cyber Intelligence Sharing and Protection Act) by a 288-127 vote. While CISPA is meant to enhance national security by facilitating the sharing of electronic information – between, say, a private company and the government – deemed threatening, the bill’s opponents maintain it will make the sharing of personal, private information far too easy. (For his part, Rep. Mike Rogers [R-MI], who sponsored the bill, says it’s “not a surveillance bill.”)
Does that all sound unsettling to you? Unsure what to think? You’re not alone, and we’re here to help: below, you’ll find a list of reasons to be wary of CISPA… and then, a list of reasons why you shouldn’t go around panicking about it just yet. Where should you ultimately fall? We’ll let you know where we stand, but that’s for you to decide.
Why CISPA Should Worry You
1. The privacy concerns are legitimate. One person’s essential defense measure is another’s pernicious civil liberties infringement. While Rogers defends the bill from a privacy standpoint, Sen. John Rockefeller (D-WV) counters, “CISPA’s privacy protections are insufficient.” And the Electronic Frontier Foundation, which devotes itself to defending digital freedoms, really hates the bill:
[CISPA] grants broad new powers, allowing companies to identify and obtain “threat information” by looking at your private information. It is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws.
CISPA threatens [existing civil liberties] protections by declaring that key provisions in CISPA are effective “notwithstanding any other law,” a phrase that essentially means CISPA would override the relevant provisions in all other laws—including privacy laws. CISPA also creates a broad immunity for companies against both civil and criminal liability. CISPA provides more legal cover for companies to share large swaths of potentially personal and private information with the government.
2. It passed in the House by a lot. 288 to 127 is an extremely strong majority, and while the bill was overall much more popular among Republicans, nearly as many Democrats voted for it as voted against it. It’s important to note CISPA also comfortably passed in the House last year, but even that margin (248-168) paled in comparison to this year’s vote, which saw the bill enjoy much greater bipartisan support despite remaining, in the words of Gizmodo’s Eric Limer (full disclosure: Eric and I used to both work at Abrams Media), “pretty much unchanged” from last year. Who’s to say that, even if it doesn’t become law this time around, that it won’t keep gaining steam every year until it does?
3. The bill still enjoys much corporate support. Rogers overstated the extent of this support, and Facebook (and Microsoft, to an extent) both cooled on CISPA after previously offering firm support, the list of companies that do support the legislation is still significant… and even Facebook and Microsoft remain more amenable to the goals of CISPA than they were to similarly-controversial SOPA.
4. In the wake of the Boston bombing, it may be easier for politicians to rally around the national security cause to get bills like this passed. Our own Josh Feldman, among others, noted Thursday that Rep. Mike McCaul (R-TX) tried to draw a direct line between the deadly attack on the Boston Marathon and the need to pass CISPA. While the flimsiness of McCaul’s premise was betrayed by the statements of, well, Mike McCaul (“[I]n Boston, they were real bombs…in this case, they’re digital bombs”), that he tried it at all proved the “privacy vs. security” debate is only set to intensify.
Why CISPA Shouldn’t Worry You Too Much
1. It’s no closer to being a law than it was last year. Last year, after passing in the House, CISPA died in the Senate, not to be heard from again until it was re-introduced this year. While it won a larger majority in the House this time around, we’re firmly in the “believe it when we see it” camp when it comes to CISPA even coming to a vote in the Senate, much less passing. And if the Senate can’t pass it, all concerns are moot.
2. Even if it does get past the Senate, the White House says it’ll veto the current bill. Does this also sound familiar? That’s because it also happened last year. In short, there’s nothing to suggest CISPA, as is, can clear two of the three major political hurdles needed for it to become law. For all the worries over what the bill might do, it’ll do exactly nothing if the Senate – and, following that, the president – won’t let it.
3. The crazy news week did not leave CISPA lost in the shuffle. Some of the internet’s more conspiracy-obsessed denizens reacted to CISPA passing the House with photos like this, out of some desperate desire to believe that the massive (completely justifiably so) coverage of events like the Boston Marathon bombing and the awful fertilizer plant explosion in Texas came at the expense of CISPA coverage, and proved that the media is nothing but a bunch of corporate stooges, or something. We would invite such people to look at this. Or this. Or this. Or this. Or this. Or this. Or this. Or this. Any web publication remotely devoted to the world of tech ran a story on the House vote, has been running CISPA stories for over a year, and will undoubtedly remain on the legislation’s case as it moves forward… or doesn’t. For however long CISPA exists, there will be no shortage of easily-available information about it.
4. Hey, at least not everyone is so concerned about the bill’s privacy provisions. And not just the legislation’s sponsor. Tech industry analyst Tony Bradley wrote this for PC World:
On April 16 of 2012, an amendment to the bill was aimed at tackling privacy concerns. There were questions over terminology, so the amendment clarifies what is meant by “cyber threat information” to ensure a narrower interpretation that does not include “intellectual property.”
Some expressed concerns that the bill would authorize ISPs or service providers to block accounts or remove content. In response, the amendment specifies that the legislation is limited to identifying, obtaining, and sharing cyber threat information, and expressly states that the bill does not provide any authority to block accounts or delete information.
The amendment addresses the key privacy concerns. It prevents any information obtained from being used for any other purpose than the intelligence gathering it was intended for, and allows for the US government to be sued if the information obtained is used in ways that violate the limitations placed on the bill. The ammendment [sic] also gives the United States Attorney General oversight to monitor activity under CISPA and ensure privacy safeguards are maintained.
Don’t freak out about CISPA (yet)… but the reason not to worry has almost entirely to do with the legislative process, and next to nothing to do with civil liberties concerns. Bradley’s reassurances, to us, don’t mitigate the EFF’s concern that CISPA makes it too easy for too much of individuals’ private information to be shared for reasons that are too vaguely-defined.
However, due to the White House’s veto threat – and the fact that the bill faces a much tougher road to passage in the Senate than it ever did in the House – the likelihood of CISPA passing in anything close to its current form is remote. The possibly still exists that a future version of CISPA, with enough privacy protections added to gain Senate and presidential support – but still not enough to satisfy civil liberties advocates – will pass (after all, Obama’s reputation among civil liberties advocates is already shot anyway). But that will most likely be another issue for another year – based on everything we’ve seen for a year now, CISPA as it’s currently written doesn’t stand a chance.
Have a tip we should know? firstname.lastname@example.org