We've written extensively about CISPA over the last year, but since the House Permanent Select Committee on Intelligence is set to mark the bill up next week, and the full House to vote on it the week after that, we're dissecting its shortcomings. Information sharing isn't offensive per se; it's really a question of what can be shared, with whom, and what corporations and government agencies can do with it. Yesterday we told you what could be shared (read: your personally identifiable information) and today we discuss where that information ends up.
With whom can companies share information?
Short answer: anyone the Googles, AT&Ts, Microsofts, and Facebooks of the world want to share it with.
Yes, for all the talk of getting critical information where it needs to go, into the hands of the people who need it--CISPA doesn't say "where" where is, or whose hands will receive it. Instead, CISPA lets the companies decide whether they will share it with other companies or with the government. In the latter scenario, companies even get to decide whether your information can be delivered to civilian agencies like the Departments of Homeland Security (DHS), Treasury, or Energy, or whether it can go to military ones like the National Security Agency (NSA). Under CISPA, the same companies holding records on what we read, where we go, and what we're thinking about get to decide who else can see those records.
When it comes to where the data should go in the government, it should go to civilian agencies. As we've written about before, and as we testified before Congress, maintaining civilian control of domestic cyber programs is one of the most important decisions Congress can make.
Under longstanding American legal requirements and policy traditions, the military is restricted from targeting Americans on American soil. Yet, CISPA would empower military agencies like the NSA to collect more information about internet users in order to respond to online threats. Doing so would create a significant new threat to Americans' privacy, and must be avoided. The NSA has developed extraordinary powers and has been granted broad legal leeway, all under the premise that its spying would be focused outside the confines of the territorial United States. Setting it free to begin collecting American information for cybersecurity purposes would be unprecedented, and incredibly dangerous because of the NSA's immunization from transparency.
In addition to being a bad deal for privacy, shifting cyber programs away from DHS isn't even necessary from a security perspective. The highest ranks of the intelligence community agree that DHS should retain authority over civilian cyber programs. NSA director, Gen. Keith Alexander, has stated that his agency should not be the public face of cybersecurity, and while his agency has a major part to play in our national cyber defense, DHS should be the entity to deal directly with civilians, the private sector, and domestic internet information.
Last year when it threatened to veto CISPA, the administration said that it opposed this bill precisely because it "…effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres." The calendar may have changed, but this year's CISPA remains the same as the one presented to the last Congress.
Have no doubt: this is a straight up fight for civilian control over our domestic internet. All members of Congress should oppose CISPA unless the bill is corrected to make sure DHS or other civilian agencies are empowered to act as a gatekeeper for our information. Sign this petition to tell the president to veto CISPA because it lets the NSA collect our very sensitive records.
Next up: What can be done with your sensitive personal information after it is shared? Check back tomorrow for CISPA Explainer #3 and click here to sign a petition to the president asking him to veto CISPA.
CISPA Explainer #1
CISPA Explainer #3
CISPA Explainer #4