Protecting against cyber threats, but at what cost?
Published: April 25, 2012
This week is Cyber Security Week. To commemorate it, the House of Representatives will likely pass the Cyber Intelligence Sharing and Protection Act (CISPA). Many large telecommunication and Web companies, such as Facebook and IBM, support the bill.
In this day, what can be more virtuous than wanting to protect individuals, businesses and governments from cyber threats?
In truth there is nothing wrong with the goal. The problem lies in the language of CISPA and the similar bills pending in the Senate. They represent a step backward, treading on our right to privacy.
CISPA speaks to companies that provide cybersecurity services to third parties and to companies that perform these services for themselves. If such a company discovers “cyber threat information,” it “may” share the information “with any other entity, including the federal government.”
The bill defines cyber threat information to be “information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity.” It gives two examples, which are not meant to be exhaustive.
Under this definition a company may share with others the source and content of emails if they simply pertain to a possible threat. Nothing in the bill requires a company to strip personally identifiable information from the emails or other information being shared. Other laws that make such communications confidential do not apply because CISPA trumps them all.
The bill exempts a company from liability for turning over the information. Consequently, a company will take the easy way out and just forward everything to a third party. Again the third party may be the government.
CISPA does nominally restrict the government’s use of the information. The government cannot use the information for a “regulatory purpose.” Any other “lawful purpose” is permitted, provided “one significant purpose” is “cybersecurity” or “the protection of the national security of the United States.”
Significant purpose comes to us from the standard for foreign intelligence searches, which the Patriot Act watered down. A special, secret court issues the warrants for these searches. At a congressional briefing last week, a former judge of the court characterized the standard as a “hole you could drive a truck through.”
A company may choose any government agency, including the military and the NSA, to share the information with. Traditionally, the law constrains the activities of the military inside the United States and the ability of the NSA to acquire information about persons inside the United States. It does so because of their enormous power. Making an exception in the name of cybersecurity diminishes this tradition.
CISPA is silent as to who within the government has access to the information shared, the criteria for access, and the time the information may be retained. It does not even authorize the executive to promulgate regulations on the subject.
If enacted, CISPA will be one more law that enables the government to collect potentially personal data in vast quantities without going through the normal process of obtaining a warrant or even serving a subpoena. While a company may share the data in the name of cybersecurity, the government can turn around and use the data in any criminal investigation. As such, CISPA will be an end-run around the protections of the Fourth Amendment.
Our existing electronic privacy laws contain exceptions for emergencies and the like. Supporters of CISPA need to explain better why we need another large hole in the wall which separates the government and the individual.
Scott Forsyth is a partner in Forsyth & Forsyth and serves as counsel to the local chapter of the ACLU in upstate New York. He may be contacted at (585) 262-3400 or email@example.com.