Law in Contemporary Society

Affirming That Privacy In The Internet Is Gone: CISPA

-- By RyanBingham - 23 Apr 2012

CISPA

Rep. Mike J. Rogers, along with 112 cosponsors, introduced a new cyber security bill last fall that will be voted on later this week. HR 3523, the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA), modifies the National Security Act of 1947 with new provisions regarding cyber threat intelligence and information sharing. It does so in an overly sweeping manner, and threatens to further solidify our culture of complacency regarding online privacy, enshrining it in federal statute.

"Cyber Threat Information" As An Overly Broad Category

CISPA gives a cyber security provider or self-provider the ability to, notwithstanding any other provision of law, "share [...] cyber threat information with any other entity, including the Federal Government." Cyber threat information, as defined in this bill, carries with it an assortment of substantial privileges. The trouble is, the definition of "cyber threat information" is vague enough to extend beyond any reasonable conception of protecting security:

(2) CYBER THREAT INFORMATION- The term 'cyber threat information' means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--

(A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

To take one example of the leeway such a definition provides, imagine that the cyber threat under consideration is the Distributed Denial of Service (DDoS) method of attack. One means of carrying out this attack "involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable," (see: Wikipedia). "[I]nformation pertaining to the protection of a system from efforts to degrade [...] such system" easily encompasses the personal information of every single user accessing the website during any span of time in which a DDoS attack is suspected--that is, if the time span is limited at all. A cybersecurity provider could just as easily keep logs of every user who ever visits a website, and categorize it as pertinent. Thereafter, that information becomes fair game to be shared essentially anywhere, and with anyone, with only minor hoops to jump through under CISPA.

Privileged Information under CISPA

The troubling implications of this broad definition are, I assume, self-evident. Even if they were not, they are laid out in the provisions of the bill itself. CISPA provides that cyber threat information, if shared with the Federal Government, "shall be exempt from disclosure under section 552 of title 5, United States Code." Section 552, as it happens, is the Freedom of Information Act. CISPA thus nonchalantly exempts anything deemed "cyber threat information" from the strictures that come with the accountability provided by the at-least-distant prospect that anybody files a request for such information to be released. It also removes the prospect of judicial review in case of a denied request. We convert a system with at least nominal judicial oversight to one in which we expect that the Facebooks and Googles of the world will self-police.

Aside from the difficulty of determining what information has been collected and distributed in the first place, another CISPA measure insulates the cyber threat providers and self-providers from any potentially resulting liability:

(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--

(A) for using cybersecurity systems or sharing information in accordance with this section; or (B) for not acting on information obtained or shared in accordance with this section.

An entity in a position to collect or share an individual's personal information is here placed entirely outside of the law, regardless of the nature of the entity's misuse of private information, as long as it is "in accordance with this section," which is to say, with a few caveats, as long as it is peripherally aimed at cybersecurity purposes. Any remaining prospect that cyber security providing entities will engage in meaningful self-policing is thus disincentivized, to say the least. This is a substantial loss of what potential there was for protecting online privacy.

Finally, the bill allows the Federal Government to use cyber threat information "for any [non-regulatory] lawful purpose only if [...] at least one significant purpose of the use of such information is (i) a cybersecurity purpose; or (ii) the protection of the national security of the United States." CISPA grants the Federal Government an exceptionally broad ability to use otherwise private information for almost any purpose it sees fit.

Conclusion

CISPA weakens online privacy and personal liberty because it invents an overly broad category of information that is allowed to be collected and distributed far and wide, and because it provides for a range of exemptions designed to either stifle or circumvent normal checks on the unwarranted collection and unjustifiable sharing of heretofore private information.


r1 - 23 Apr 2012 - 21:54:32 - RyanBingham
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.