• CISPA - Evil Spawn of SOPA and PIPA?
  • May 7, 2012 | Author: Thomas L. Bowden
  • Law Firm: Sands Anderson PC - Richmond Office
  • The House of Representatives has passed The Cyber Information and Security Protection Act, sponsored by Rep. Mike Rogers (R-MI) and introduced not long after SOPA and PIPA were abandoned in the wake of a popular uprising of opposition. Its fate in the Senate is uncertain, but it’s clear the federal government is determined to find a way to further reduce any semblance of privacy and protection of your electronic information... for your own good, of course.

    I am all for fighting off cyber-attacks and terrorism, but when Ron Paul, Barack Obama and the ACLU are all aligned against a bill, we have to ask ourselves whether we are moving in the right direction.

    This all may be much ado about nothing if, as promised, President Obama vetoes CISPA (assuming it gets through the Senate), but if the bill should find itself on the President’s desk, and he should change his mind for any reason (it is an election year after all - wouldn’t want to look soft on cyber-threats), it will be too late to kill it at that point.

    So let’s look at what the bill does, and try to determine whether we should be concerned.

    CISPA is drafted to allow the government to share information about “cyber threats” with commercial companies. So far so good - but do we need an act for that? Wouldn’t you expect your government to warn you if you were about to be attacked? You don’t have to be a Pearl Harbor or 9/11 conspiracy theorist to wonder why this would require special legislation. One possible reason is that some of the information that might be shared might have been obtained through technical means that the government would rather not make public - or even hint at. In other words, they would tell you but ... you know how it goes.

    The flip side is that companies who have confidential information that might suggest the possibility of a cyber threat would now be allowed and “encouraged” to share that information with the government. Again, at first glance, you might ask - what’s the big deal - shouldn’t Bank of America tell the FBI if, for example, they detect a sophisticated threat? Certainly they should - but they should do so without violating laws already on the books to protect the privacy of your information. CISPA, however, would grant corporations legal immunity for sharing information if it fits within the definition of a cyber threat scenario as defined by CISPA.

    OK - now we get it. Under CISPA, Corporations and Government, in the name of protecting us all from cyber attack, could, with immunity, violate our privacy wholesale by sharing all kinds of data that we have come to think of as legally protected. Do you really think, for example, that a major corporation will take the time to carefully anonymize terabytes of information if, instead, it can just claim immunity under CISPA and turn it over to the government in bulk? I can hear the Senate hearings now:

    Committee Chairman: “Mrs. Smith, when your bank released all of its private customer transactional data to the government in response to the threat of a foreign government sponsored hacking campaign, what precautions did you take to preserve the privacy of your account holders?”

    Witness Smith: “Well Senator, under the circumstances, which seemed pretty serious, we thought the better approach was to simply turn it all over and cooperate as much as possible.”

    Chair: “Weren’t you concerned that your customers or even perhaps another government entity might sue or prosecute you for such a wholesale violation of privacy laws?”

    Smith: “Uhhh - actually, no, not really, because, er, um, I mean, well, our attorneys advised us that we had immunity under CISPA, so we thought it best to just release the information.”

    Chair: “But of course, the threat turned out to be non-existent, isn’t that correct?”

    Smith: “Yes Senator, but at the time it seemed quite real.”

    Chair: “And has the government then deleted all of that information, since it no longer seems relevant to national security or any threat to our commercial systems?”

    Smith: “Well, Senator, I would have no way of knowing that.”

    Chair: “Thank you, Mrs. Smith.”

    That’s what worries me. Does it worry you, too?