The Cyber Intelligence Sharing and Protection Act (CISPA), which last week passed the House committee, continues to incite controversy between CISPA’s proponents (government agencies, large online companies) and its detractors (small tech companies, privacy groups). I decided to read through the law’s latest iteration to figure out whether it would, as some would have it, wipe out all consumer privacy rights as we know them.
Here’s what I read:
1. CISPA gives private entities (tech companies) the right to share with government agencies, namely the Department of Homeland Security, any “Cyber Threat Intelligence” they collect as part of their Cybersecurity protocols.
2. CISPA gives private entities the right to share the above information with other private entities.
3. CISPA gives government agencies the right to share the above information with certain approved private entities.
4. Private entities would be immune from any legal action arising out of the above sharing of information.
5. The government can be sued (for damages and reasonable attorneys’ fees) for certain improper uses of the above-shared information.
6. All of the above things that CISPA allows private entities and the government to do would trump any existing US laws.
Here’s what I foresee:
CISPA, as it is currently written, pretty much allows private companies to share whatever they want with the government. User logs, certain personally identifiable information, and (IMO most worrying) inter-user communications are all fair game for sharing so long as the company interprets them to be connected to some vague idea of a Cybersecurity threat.
The number one problem I see here is this idea that CISPA trumps all existing US laws. From the Act itself:
“Notwithstanding any other provision of law… [a covered entity may share information with other covered entities as described above.]”
This is a BIG deal, because CISPA, according to the above, will essentially trump such privacy laws as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act, the Wiretap Act, the Foreign Intelligence Surveillance Act, and the Privacy Act. All of the above laws restrict private companies, such as ISPs, from disclosing certain user communications, such as emails, without the proper warrant and/or court order.
The danger of CISPA, and the reason it poses a real risk to consumer privacy, is that it seems to nullify the myriad legal privacy protections we currently have in place.
I should also note: I see two reasons why large, established tech companies seem to like this law.
1. Larger companies, which these days do indeed seem to face an increase in denial-of-service attacks and other types of “cyber threats,” have a legitimate need to protect themselves. Whether or not CISPA fairly balances this legitimate need against consumers’ privacy rights is debatable.
2. The part where the US government opens itself up to lawsuits for improper use of the shared information (#5 above) seems to effectively create a potential defendant with deeper pockets (Uncle Sam) to be sued in the various privacy-based class actions we see spiking up from time to time. Certainly the larger companies, who are the traditional defendants in such class actions, would love it if plaintiffs had a bigger fish to fry.