Law in Contemporary Society
Eben, I would like to keep working with you this summer to revise this paper. Thanks.

Affirming That Privacy On The Internet Is Gone: CISPA

-- By RyanBingham - 23 Apr 2012


Rep. Mike J. Rogers, along with 112 cosponsors, introduced a new cyber security bill last fall that will be voted on later this week. HR 3523, the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA), modifies the National Security Act of 1947 with new provisions regarding cyber threat intelligence and information sharing. It does so in an overly sweeping manner, and threatens to further solidify our culture of complacency regarding online privacy, enshrining it in federal statute.

"Cyber Threat Information" As An Overly Broad Category

CISPA gives a cyber security provider or self-provider the ability to, notwithstanding any other provision of law, "share [...] cyber threat information with any other entity, including the Federal Government." Cyber threat information, as defined in this bill, carries with it an assortment of substantial privileges. The trouble is, the definition of "cyber threat information" is vague enough to extend beyond any reasonable conception of protecting security:

(2) CYBER THREAT INFORMATION- The term 'cyber threat information' means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--

(A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

To take one example of the leeway such a definition provides, imagine that the cyber threat under consideration is the Distributed Denial of Service (DDoS) method of attack. One means of carrying out this attack "involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable," (see: Wikipedia). "[I]nformation pertaining to the protection of a system from efforts to degrade [...] such system" easily encompasses the personal information of every single user accessing the website during any span of time in which a DDoS attack is suspected--that is, if the time span is limited at all. A cybersecurity provider could just as easily keep logs of every user who ever visits a website, and categorize them as pertinent. Thereafter, that information becomes fair game to be shared essentially anywhere, and with anyone, with only minor hoops to jump through under CISPA.

Privileged Information Under CISPA

The troubling implications of this broad definition are, I assume, self-evident. Even if they were not, they are laid out in the provisions of the bill itself. CISPA provides that cyber threat information, if shared with the Federal Government, "shall be exempt from disclosure under section 552 of title 5, United States Code." Section 552, as it happens, is the Freedom of Information Act. CISPA thus nonchalantly exempts anything deemed "cyber threat information" from the strictures that come with the accountability provided by the at-least-distant prospect that anybody files a request for such information to be released. It also removes the prospect of judicial review in case of a denied request. We convert a system with at least nominal judicial oversight to one in which we expect that the Facebooks and Googles of the world will self-police.

Aside from the difficulty of determining what information has been collected and distributed in the first place, another CISPA measure insulates the cyber threat providers and self-providers from any potentially resulting liability:

(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--

(A) for using cybersecurity systems or sharing information in accordance with this section; or (B) for not acting on information obtained or shared in accordance with this section.

An entity in a position to collect or share an individual's personal information is here placed entirely outside of the law, regardless of the nature of the entity's misuse of private information, as long as it is "in accordance with this section," which is to say, with a few caveats, as long as it is peripherally aimed at cybersecurity purposes. Any remaining prospect that cybersecurity-providing entities will engage in meaningful self-policing is thus disincentivized, to say the least. This is a substantial loss of what potential there was for protecting online privacy.

Finally, the bill allows the Federal Government to use cyber threat information "for any [non-regulatory] lawful purpose only if [...] at least one significant purpose of the use of such information is (i) a cybersecurity purpose; or (ii) the protection of the national security of the United States." CISPA grants the Federal Government an exceptionally broad ability to use otherwise private information for almost any purpose it sees fit.


CISPA is diametrically opposed to the Fourth Amendment's protection of the "right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures." It undermines Katz v. United States, 389 U.S. 347, which held that the "Government's activities in electronically listening to and recording [...] constituted a 'search and seizure' within the meaning of the Fourth Amendment." It removes several important protections to the potential for privacy on the internet.

CISPA weakens online privacy and personal liberty because it invents an overly broad category of information that is allowed to be collected and distributed far and wide, and because it provides for a range of exemptions designed to either stifle or circumvent normal checks on the unwarranted collection and unjustifiable sharing of heretofore private information.

But CISPA is just more bat-shit crazy stuff emanating from the House Republican caucus, which makes no more difference than the day dreams of small insects. Neither the Senate majority nor the White House is interested in it, so whatever it says hardly makes the slightest difference. Its purpose is to show potential "contributors" that if they bribe the right Congressmen, they can get anything they want, while exerting pressure on Democrats not to be "soft on cyber-security." But it's so ludicrous it isn't any good at either job.

The cyber-war lobby is very strong now, and the surveillance industrial state wants to data-mine everything in the world in order to prevent "threats," because the Cold War approach to how to conscript national resources to permanent war isn't permanent any more. This is bad for freedom, and we're going to have to struggle against it. So the general issues are of great importance. I have a course about them, called "Computers, Privacy and the Constitution" that you might find interesting.

What has no independent importance, however, is bad legislation that has no chance of passage. Solemnly analyzing such stuff is like taking seriously what is said by those various ranters on cable television. If you want to write usefully about the issues involved, taking the worst material available and writing about its drafting flaws won't get you very far: the bad details in the foreground make it harder to convey the really complex and important questions in the background. Instead of writing about CISPA, how about a draft that starts from the actual questions: how do we have security in the network for civil and governmental infrastructure that might be attacked by criminals or hostile states, without destroying the privacy and civil liberties of individuals and organizations in civil society?

945 words


r6 - 22 Jan 2013 - 20:10:11 - IanSullivan
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.