We've written extensively about CISPA over the last year, but since the House Permanent Select Committee on Intelligence is set to mark the bill up next week, and the full House to vote on it the week after that, we're dissecting its shortcomings. Information sharing isn't offensive per se; it's really a question of what can be shared, with whom, and what can they do with it. Previously, we've discussed what information can be shared, with whom it can be shared with, and what corporations and government agencies can do with it after it's shared. Today we discuss if there's anything else in CISPA that you have to worry about.
Is there anything besides information-sharing hidden in CISPA?
Of course there is.
CISPA is based on the premise that companies should share cyber threat information they come across in the course of everyday business. But CISPA goes beyond mere sharing and allows companies to conduct even more surveillance of records and communications in the search for cyber threats. Even worse, CISPA gives companies complete immunity for "decisions made" based on information discovered through these new monitoring activities or through information shared under CISPA. In other words, CISPA doesn't just grant immunity for broad information-sharing, it grants immunity for literally anything companies choose to do in response to the information gleaned from its CISPA powers.
What exactly does Congress want to immunize here? Who knows? Seriously, who knows, because this is an incredibly expansive and vague authority that lacks any definition. These issues certainly haven't been examined in detail in the hearings on the bill, and it's not addressed in the materials describing CISPA. Such broad language could encompass the "hack back" - efforts by companies to break into their competitors' systems for retribution. In other words: cyber-vigilantism. This is prohibited by criminal law now and allowing it in such an unregulated and unaccountable fashion invites disaster. To see just a sliver of the debate and disagreement about what is currently legal and what should be in the future, follow the Orin Kerr and Stewart Baker debate.
There's only one way to fix this – strike the surveillance and countermeasures sections altogether. If Congress wants to wade into this area, the Judiciary Committees —which actually have jurisdiction over surveillance and hacking laws –need to start from scratch, hold hearings, and carefully draft a bill that doesn't turn the internet into a corporate Wild West where the privacy of individual users is wholly disregarded.
Click here to sign a petition to the president asking him to veto CISPA.
Got more questions on CISPA? Ask ACLU and EFF experts Monday at 1 p.m. ET during a Reddit AMA (Ask Me Anything). Link to come on Monday!