CISPA Explainer #3: What Can Be Done With Information After It Is Shared?
We've written extensively about CISPA over the last year, but since the House Permanent Select Committee on Intelligence is set to mark the bill up next week, and the full House to vote on it the week after that, we're dissecting its shortcomings. Information sharing isn't offensive per se; it's really a question of what can be shared, with whom, and what government agencies and corporations can do with it. Previously, we've discussed what information can be shared and with whom it can be shared. Today we discuss what can be done with your information after it has been shared.
What can be done with information after it is shared?
The answer: a lot of things, many of which have nothing to do with cybersecurity.
As we mentioned in Explainer #2, shared information can travel one or both of two paths – to other companies or to the government. There are traditionally two types of limitations on collected information – use limitations that generally list the permissible categories of use, and minimization procedures that more explicitly discuss the details of collection, retention, use and destruction. CISPA fails on all accounts, but let's address corporate and government recipients since CISPA does too.
Corporate-Use Limitations and Minimization Procedures: None included
The first path leads to other corporations. Under CISPA, telecoms, banks, internet service providers, and others holding sensitive personal information can share it with other corporations if it pertains to a cybersecurity threat (see Explainer #1). Once they do so, there is no limitation on what that recipient can do with it. Even if the information is originally shared for legitimate cybersecurity purposes, that information doesn't just disappear, and nothing in CISPA bars the recipient organizations from repurposing personal information for other activities unrelated to resolving cybersecurity threats. For example, a company might validly share personally identifiable information , maybe in a bulk fashion, and corporate recipients could then use some of that same information for a marketing or research purpose wholly unrelated to cybersecurity. There' isn't any oversight over the use of CISPA information and companies that repurpose such personal information for their own benefit would not be held to account.
There is an easy fix. CISPA could be amended to limit a receiving corporation's use of CISPA information to cybersecurity purposes. Such a change would help maintain the status quo instead of dumping vast additional amounts of personal data into the corporate stream where CISPA would otherwise provide few, if any, protections.
Government Use Limitations and Minimization Procedures: Overbroad, Weak, Optional
The second path for shared CISPA information leads to the government. For some reason, the government use limitations in CISPA only apply to the federal government. If a company shares private data with a local or state law enforcement agency, it's a free for all.
However, if the federal government receives CISPA information, it can only use that data for five general purposes: 1) addressing cybersecurity, 2) prosecuting cybersecurity crimes, 3) investigating and prosecuting crimes involving danger of death or serious harm, 4) investigating crimes against children, and 5)"to protect the national security of the United States."
CISPA also lacks requirements to create specific policies about government collection, use, dissemination, and destruction of information – commonly called minimization procedures. It instead simply says that the government may or may not issue "privacy" guidelines and does not state that they shall encompass important minimization principles such as limiting collection, transparency, anonymity, and other issues.
To be clear, CISPA does not compel companies to turn over personal information to the government, but those companies sure can elect to do so. More importantly, CISPA fails to provide even minimal protection requirements of a subpoena or the more meaningful one of a warrant. CISPA's authors promise that this broad collection program is okay because there will be meaningful post-sharing protections but that is belied by the text itself. For comparison purposes, consider pretty much all other modern collection programs, like the Electronic Communication Privacy Act and Foreign Intelligence Surveillance Act. CISPA allows for the broadest collection authority while providing the weakest use restrictions. The result: a privacy disaster.
The good news is that there's an easy fix for this defect, too. CISPA could be amended to limit federal, state, and local government use of information just to cybersecurity purposes and prosecutions and also require some of the excellent minimization requirements in the Senate bill or in the Fair Information Practice Principles the President just endorsed. None of these amendments would affect the information the government receives - only what it can do with that information once it's in hand. If this is really just a cybersecurity bill, such protections should not be controversial.
Next up: Is there anything besides information-sharing hidden in CISPA? Check back tomorrow for CISPA Explainer #4 and click here to sign a petition to the president asking him to veto CISPA.