CISPA a Step Backward in Cybersecurity Legislation
Photo Credit: Electronic Frontier Foundation
As internet access spreads around the world and more countries consider ways to regulate users’ online activities, the United States has a responsibility to set an example by enacting legislation that combats online security threats while protecting individual privacy. Unfortunately, the Cyber Intelligence Sharing and Protection Act (CISPA), which is scheduled to undergo markup this week by the House Intelligence Committee, fails to strike this balance, and threatens to set a negative example for other countries looking to adopt similar laws.
CISPA, which was originally introduced last year and was defeated in the Senate after numerous organizations and individuals expressed reservations about the legislation, was reintroduced as H.R. 624 in February, but without the necessary amendments to protect online users’ privacy. The bill allows the government and private companies to share data pertaining to online security threats for the purpose of identifying vulnerabilities and preventing network attacks. Such threats to security are legitimate concerns, and organizations like the ACLU expressed support for President Obama’s executive order on cybersecurity, noting that the order is consistent with privacy principles and calls for transparency and limitations on the use of individual user data. CISPA, however, lacks such privacy protections, and its broad wording could lead to infringements on civil liberties.
In a letter to the bill’s co-sponsors last week, Freedom House outlined specific recommendations for lawmakers when considering this legislation. Similar concerns were also voiced in statements by organizations like the ACLU, the Electronic Frontier Foundation, and the Center for Democracy and Technology. Considering the growing threats to internet freedom around the world, as identified in Freedom House’s report Freedom on the Net 2012, it is disappointing that legislation such as CISPA is being considered by Congress. Among other things, CISPA could be invoked by authoritarian countries intent on enacting strong curbs on internet freedom. This development is particularly disconcerting given the important role that internet freedom plays in U.S. foreign policy.
Lack of judicial oversight: CISPA would allow private companies to share cyber threat intelligence—including personal communications and user data if the content is perceived to pertain to cybersecurity—with the government, without judicial oversight. In addition, CISPA provides broad legal immunity for private entities that share cyber threat intelligence with the government: civil or criminal cases cannot be brought against companies that share cybersecurity information, even in instances of sharing user data beyond what is intended in the bill, as long as the entity was “acting in good faith.”
Judicial oversight of government surveillance is essential to the protection of citizens’ privacy in a democratic society. As Freedom House noted in the 2012 edition of the Freedom on the Net report, non-democratic governments around the world continue to adopt legislation that grants the authorities surveillance capabilities without judicial oversight, while in democratic societies, courts have played a key role in defending internet freedom by overturning legislation that infringes on privacy. Passing CISPA as the bill is currently written would set a negative example for other governments that are in the process of considering similar laws.
Government access to individual user data: While the bill designates the Department of Homeland Security as the main government agency receiving cybersecurity information from private companies, CISPA allows the Department of Homeland Security to share this information with other government agencies and departments, including non-civilian agencies such as the National Security Agency. Additionally, the measure’s vagueness might allow companies to share personally identifiable information (PII) with the government, even though industry experts say it would be feasible to remove this kind of information before sharing the relevant data. Others note that the kind of information that is most useful in identifying threats—such as network vulnerabilities, malware signatures, or other technical characteristics—does not require PII to be shared. While the bill sponsors argue that individual user information is excluded in the legislation, most advocacy organizations still insist that the bill is too vague and that language should be inserted to specifically exclude PII.
The problems with the current draft of CISPA reveal the degree to which the United States struggles to balance security concerns with the principles of internet freedom. Although there is a clear need to address threats to cybersecurity, passing problematic legislation like CISPA might be seen as contradicting U.S. foreign policy promoting internet freedom.
Earlier this week, Representative Mike Rogers, the chairman of the House Intelligence Committee, stated that the committee was proposing amendments to the bill during the markup session in order to alleviate some of the concerns raised by privacy advocates over the past few months. When considering the proposals in CISPA, legislators need to take into account not only the privacy violations here at home, but also the negative ripple effect this legislation could have on internet freedom around the world.
Analyses and recommendations offered by the authors do not necessarily reflect those of Freedom House.