Computers, Privacy & the Constitution

CISPA and the Corporate Big Brother

-- By ZhouZhou

A bill called the Cyber Intelligence Sharing and Protection Act (CISPA) was recently passed in the House of Representatives. Supporters of the bill include prominent Internet companies such as Facebook and Microsoft. They hail it as the first national cyber-security bill to protect companies against cyber threats. On the other hand, opponents of the bill are concerned that online privacy rights will be excessively curtailed. After giving a brief overview of CISPA, I will explain why its overbroad drafting might result in a loss of privacy rights. Finally, I will attempt to fit CISPA within the interactions between corporations and the government in the world of online privacy.

CISPA Proposes to Improve the Sharing of Cyber Threat Intelligence

CISPA intends to prevent cyber-attacks against America by enabling private companies to share and receive information about cyber-threats with each other and the federal government. The drafters of CISPA hoped that this information sharing could help corporations confront issues of being “targeted by nation-state actors…for cyber exploitation and theft.” Presumably, when one company detects an attack, promptly sharing that information can help keep other companies and their users from being victimized by the same attack. Given the anonymous, instantaneous, and temporary nature of Internet communications, the monitoring of e-mails and social networks is arguably crucial to national security.

Privacy Concerns with CISPA

CISPA threatens online privacy through a clause that allows private companies to share private information with each other and the federal government “notwithstanding any other provision of law.” Thus, the “notwithstanding provision” would allow companies to pass on information without regard to privacy laws such as the Electronic Communications Privacy Act (ECPA), which limits the ability of the government to monitor online communications and compel providers to disclose private information without warrants. While this sharing of information is voluntary, not mandatory, such flimsy safeguards probably will not have any practical effect. Given the likely deference private entities will give to the federal government as the central coordinator of cyber-threat information, any company’s interest in being in the good graces of the government, and the need for up-to-date information, I think very few companies will have any inhibitions about sharing such private information with each other and the government.

CISPA also threatens privacy rights by failing to provide boundaries on the kind of data that can be shared and how the data may be used. CISPA restricts shareable information to only cyber threat information, but defines such information as that “pertaining to a threat to a system or network of a government or private entity.” Such a broad definition can result in the sharing of almost any information, including user usage data, emails, sites visited, and files downloaded. In the same vein, CISPA restricts the government’s use of its shared information to “cyber security purposes” but defines “cyber security purpose” to include anything towards ensuring the integrity, availability of, or safeguarding a system or network. Since almost any user action on a website can threaten the integrity or availability of a network, this definition will give federal agencies, including non-civilian ones, backdoor access to warrantless wiretapping.

There are various ways CISPA can be amended to narrow its scope. For example, while the current bill encourages anonymizing shared information, the bill could instead make it mandatory for companies to strip out personally identifiable information. Furthermore, the bill can restrict its applicable actors to critical infrastructure operators only. Finally, an effective, operational, and independent oversight committee should be developed to investigate and monitor CISPA abuses.

CISPA in context

Regardless of whether the bill is enacted in its current flawed form, I see the CISPA legislation as a poster child for the current interaction between corporations, the government, and individual privacy. Although their ostensible purposes are different and its language has been modified over time, CISPA is in many ways a child of the prior SOPA legislation that was defeated by a coalition of technology companies and civil rights activists earlier this year – a fact that even one of its congressional sponsors admits. The fact that those same technology companies are now in support of this bill shows that the original SOPA debate, as we noted in class, was not a harbinger of the new media industries becoming a force for individual privacy. Rather, the SOPA debate was about the new media industry asserting its power over the old one, and indeed over the government. Whereas the government used to own the physical systems (e.g. highways, mail systems) underlying the way we interact with the world around us, today our online habits are dictated by private entities. The government realizes that it is now dependent on these private providers, and CISPA can be seen as the latest balancing act between these two forces as the government tries to draw them into the fold.

I’m not sure, from the perspective of an individual user, whether this transfer to private parties of the power to intrude on (and protect) our privacy is beneficial. As discussed in class, online providers can freely pass private information to the government, circumventing the purpose of the Fourth Amendment. Furthermore, while users can flexibly contract with online providers over how their data may be used via terms of use agreements and the like, such agreements suffer from collective action problems and lack the gravitas of the Constitution. Finally, it is important to note that private providers, unlike government actors, are restrained by market forces from bad behavior. These same market forces, however, drive corporate policy, and we might be worse off in a world where our modern-day notions of privacy can be defined by the business strategy of one company, like Facebook. The idea of a government Big Brother might be frightening, but at least we have a legal process in place to challenge it; this is more than what we can say about our new corporate sibling.

-979 Words


r3 - 11 Jan 2013 - 21:48:56 - IanSullivan