As general counsel for Avvo, a social media startup that offers an expert-only Q&A forum and profiles and ratings of lawyers, doctors and dentists in the U.S., I’ve seen firsthand how those with the means to do so will exploit any opening possible to try to silence speech they do not like. I’ve responded to hundreds of lawsuit threats and lawsuits against Avvo on grounds ranging from privacy to commercial misappropriation to unfair competition to copyright or trademark infringement — all for activity that is soundly protected by the First Amendment.

The takeaway is simple: any attempt to regulate speech online — whether in service of “stopping piracy” or “defending against cyberattack” — must be ruthlessly interrogated for how it will be abused. Because it will be abused. Those with censorious impulses will push the four corners of the law as far as possible to silence speech they don’t like. It is depressingly common to see the mere threat of a lawsuit cause a withering of speech online. It’s vitally important that we recognize and call out the certainty that even well-intentioned laws that impact expression will be used as a bludgeon against the open expression of information and ideas online. In addition to opposing SOPA and its ilk, here are three areas where companies can take a stand to protect free speech on the Internet.

1. Retain anonymous comments.

Are anonymous comments less credible than those attributed to a person? Of course. Does anonymous commentary increase the likelihood of “flaming” attacks and false statements? Naturally. But anonymity has its place. Anonymous authorship of the Federalist Papers allowed the founders of the republic to circulate ideas unsullied by the personality of those espousing them. Anonymity offers protection from retaliation and harassment. And in the case of today’s online forums, it allows the posting of sensitive material (think, for example, of doctor reviews by patients) free of privacy concerns. Ultimately, it should be up to readers to determine whether they trust an anonymous comment rather than censor the message altogether. The cure for speech you don’t like shouldn’t be to curtail it, but to create an environment in which more speech can flourish.

2. Support existing laws enabling online forums. 

Credit for much of the robust sharing of ideas and information online can be laid at the feet of Section 230 of the Communications Decency Act (CDA) and the Digital Millennium Copyright Act (DMCA). Although the DMCA in particular was controversial among free speech advocates when it was enacted, it created a good balance between the needs of online forums and those of rights holders. And by immunizing interactive service providers from liability for third-party comments, CDA 230 enabled the flourishing growth of user-generated content, from reviews on Yelp to videos on YouTube. These two stalwarts are the sort of laws those of us in the online community should stand behind — laws that allow breathing space on the Web without limiting free speech. Attempts to gut these laws — whether legislatively (SOPA) or judicially (Viacom’s continuing battle with YouTube) — should be actively resisted by all who care about robust and free-flowing interaction online.

3. Enact a national anti-SLAPP law.

“Strategic lawsuits against public participation” are a form of “lawfare,” a use of the courts to bully speakers into staying silent for fear of incurring the costs of defending a lawsuit. As a company that rates and profiles lawyers, Avvo has seen more than its share of threatened and actual lawsuits. Fortunately, Avvo is based in Washington, which — along with California, Texas and a number of other states — has a robust anti-SLAPP statute. Such statutes level the playing field by allowing those exercising their First Amendment rights to quickly dispose of lawsuits designed only to silence them. And as the last attorney to sue Avvo discovered, losing a SLAPP suit in Washington state also means paying our attorney fees and a $10,000 fine.

But not every state has such protections. In New York, Florida and dozens of other states, it’s still far too easy for speech to be chilled by the prospect of defending against uncertain and costly litigation. To help change this, the Public Participation Project (PPP) is spearheading the effort to enact full anti-SLAPP protections at the federal level. Such a law would end forum shopping in defamation cases and be a powerful development for free speech online. I’m on the board of the PPP, and I encourage everyone with an interest in free speech to support its good work.

As the Internet becomes more and more vital to our daily lives, it is inevitable that legislators will continue to propose laws restricting it. Many of these laws will be cast in moral tones, imploring us to “think of the children,” protect people from cyberbullying or save us from criminals. These may be laudable goals, but it’s incumbent on the Internet community to ask whether the price in free speech online is worth it. And it’s not going to be. There’s no way to restrict just the bad and preserve only the good. Limits and restrictions invariably favor one class of speaker over another, impoverish the discourse and reduce transparency. Ultimately, the answer to concerns about the messiness of communication online lies in what caused the messiness in the first place: Keep the discussion as wide open as possible.

Josh King is vice president of business development and general counsel of Avvo, a free social media platform that provides a health and legal Q&A forum and a directory of doctors and lawyers in the U.S.

Image courtesy of Flickr user Newtown grafitti.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• SOPA, OPEN and the fight for the Internet
• Google doesn’t like walled gardens — except its own
• CES 2012: a recap and analysis

The Pirates saw their first major electoral success in the European elections of 2009, when voters in the movement’s birthplace of Sweden returned a Pirate to the European Parliament. The Swedes didn’t vote the Pirates into their own legislature, mind you, but now big wins are coming in Germany, the continent’s largest economy and the ideological home of the hacker movement.

Why Germany? Because that’s what the Pirates are trying to do: hack politics, in the sense of making-and-tweaking-stuff sense, rather than destroying it. The movement may have begun with a narrow focus on intellectual property, but it has developed into an attempt to make the political process transparent — and of course better suited to the digital age.

Piratical beginnings

The first Pirate Party appeared in 2006, when Swede Rick Falkvinge (‘Falconwing’, a name he came up with for himself) decided to rally advocates of copyright reform. His case was strongly aided by legal attacks on The Pirate Bay, the notorious file-sharing site, but the remit grew to take in stances on software patents (bad), DRM (bad) and transparent government (good).

Then came the 2009 European elections, which eventually led to all the Pirates’ digital policies being adopted by an alliance of left-wing parties, including the Greens, and last year, when Pirates grabbed all 15 of the Berlin state parliament seats they stood for.

Then the Pirates moved up another step, winning four state parliament seats in the western Saarland region. They’re likely to repeat the trick again in two more upcoming state elections, and current polling has them on track to come third in the national elections next year.

If the German Pirate Party was a tech startup, now would be the phase where it’s seeing a surprising number of downloads and starting to panic about scalability. Pirate politicians are only now getting their first experience of power and responsibility, and they know it — they’ve ruled out joining any coalition federal government (Germany does coalitions, almost all the time) until the 2017 elections.

Not that anyone would want to form a coalition with them yet. The Pirates have declared that they will only go into partnership with a party that agrees to livestream the coalition negotiations, so everyone can see what deals are being cut. Right now, that’s a no-go for every party bar the Pirates themselves.

Liquid Feedback

One thing that’s important to remember about the Pirate movement is that, like Silicon Valley to some extent, it brings together a spectrum of people ranging from techno-utopian left-wingers to libertarian right-wingers. This creates a broad base — but means that on a lot of essential stuff that doesn’t relate to the common ground of intellectual property reform and transparency, the Pirates actually don’t yet know what they collectively stand for.

For example, how do you get the left and the right to agree on economic policies?

It should come as no surprise that they’re turning to technology to solve this kind of problem.

For the last year and a half, the German Pirate Party has been experimenting with a piece of software called Liquid Feedback, an online system for formulating and voting on policies. Right now those policies then go to a traditional vote at party meetings, but the Pirates are considering using Liquid Feedback to finalize position papers (something that the Italian Pirate Parties are already doing).

Any Pirate Party member can use Liquid Feedback to propose a policy, or to comment on or create alternative versions of other members’ proposals. Proposals get revised and voted up or down. Each member gets one vote — but here’s where the system becomes much more than a simple decision-making forum.

Not everyone wants to sit there marking up every piece of policy. That’s what elected representatives are for. But not everybody likes having elected representatives — some people really do want to treat every minor policy like a referendum.

So Liquid Democracy lets party members delegate their votes to other people for everything, or only for certain policy areas, or not at all. It’s effectively a sliding scale between representative and direct democracy, with each voter choosing what level of responsibility and control they want to have.

If someone has been delegated votes, based on their popularity or expertise, they can then re-delegate their votes to someone else. The system could theoretically allow the creation of a dictator, but because each member can cancel their delegation and reclaim their direct vote at any time, this outcome wouldn’t last for long.

Into the future

It’s hard to say how much of an attraction Liquid Feedback is for the general public. The system itself is as ugly as sin and, while the Pirates recently produced APIs to let people create sexier front-ends for smartphones and the like, it’s almost certainly not a draw in itself.

But the ethos behind it is. Make no mistake, the biggest reason voters are flocking to the Pirates is that they’re disillusioned with the opaque deal-making and elite hierarchies of traditional politics.

The Pirate movement on the other hand is very much born of the internet, with its open nature, ever-shifting meritocracy and low barriers to entry for new ideas. The goofiness of net humour is there in force — Pirates have been known to turn up to Berlin’s parliament in fancy dress — but the message is serious, and it is taken seriously.

And while the focus has shifted somewhat from intellectual property to transparency, the long-running war between tech and copyright also continues to send new converts the Pirates’ way.

The Pirate movement is really still in its infant stages. There are a tremendous number of kinks that need to be worked out in the way the party operates and what it wants, from the mechanisms of Liquid Feedback to much deeper internal ideological clashes. There are also questions to be answered about the alleged extremist past of some high-profile members — something that can carry a lot of weight in Europe.

And if they navigate all this, it will still be a few years yet before Pirates are taking weighty political decisions. But at this rate, they will almost certainly end up in that position. Of course, that depends on the country – Germany’s political system encourages the growth of new parties, whereas the UK’s and the United States, for example, do not.

However, even if the Pirate movement as we know it turns into something else, the foundations have been laid for a long-term phenomenon: politicians who not only get technology, but who enthusiastically use it to engage in a new relationship with voters.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• After the blackout: How the IT industry can stop SOPA in the long term
• SOPA, OPEN and the fight for the Internet
• Google and the Ghost of Silicon Valley Past

In January, America’s major tech companies joined everyday internet users to break the back of a reviled law called SOPA. Months later, Washington is brewing a new law that alarms many SOPA opponents — but this time the same companies have been quiet as church mice.

On Thursday, the US House of Representatives passed the Cyber Intelligence Sharing and Protection Act, a law that will make it easier for companies to share data with the government. On its face, the law known as CISPA has a laudable purpose — to help companies and the government prevent and respond to attacks on the nation’s computers. But civil libertarians warn that the current version of the law will result in a raft of new Patriot Act like rules that will diminish our privacy rights even further.

The vote has already produced dramatic headlines like “Insanity: CISPA Just Got Way Worse..” and “CISPA is ridiculously hideous.” So the press and privacy groups have raised the alarm — but where are the tech companies whose internet muscle smashed SOPA?

We put in calls about the vote to some of our Silicon Valley sources and the response has been nothing but crickets. Silence from Google. Ditto from Facebook. Ditto from Apple (although tight-lipped Apple would probably respond with a “no comment” to news of a meteor hitting Cupertino).

So what gives? Why are these companies ducking the fight? Well, for starters, the two laws are very different: among other things, SOPA would have turned them into copyright cops, while CISPA simply gives them the option to pass on data if they choose.

Secondly, cyber-attacks are serious stuff for such companies. For just one example, read Stephen Levy’s In the Plex description of how the Chinese government broke into Google’s computers and stole not only code, but the Gmail messages of political dissidents. China is plundering US tech secrets on a regular basis and it’s understandable that the firms would welcome new tools to help them fight back.

Whether CISPA is the right tool is another question, of course.  But the point, for now, is that CISPA doesn’t harm the self-interest of Silicon Valley companies so they have little incentive to kick up dust. (Facebook offered initial support for the goals of the bill but has since gone silent).

Finally, CISPA is not going anywhere fast. It passed the House with Republican support but is unlikely to make quick headway in a Democrat-controlled Senate, especially after the Obama administration threatened to veto it. This means the tech companies may be simply keeping their powder dry, betting that no law is going to pass until after the November election. Or maybe they just don’t care.

Either way, CISPA opponents looking for their SOPA allies to ride to the escape may have a long wait.

You can learn more about CISPA from our FAQ, Mathew Ingram’s comparison of CISPA and SOPA or our “step-by-step guide to making CISPA suck less.”

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• CES 2012: a recap and analysis
• 12 tech leaders’ resolutions for 2012
• LTE-Advanced: what it is and isn’t

Just a few months ago, internet companies and the technology community came together to protest two anti-piracy bills (SOPA and PIPA) because they would have breached free-speech protections and other social safeguards in the name of stopping copyright infringement. Now, a new bill called CISPA that just passed in the House of Representatives is getting a lot of negative attention, with some saying it is just as evil as SOPA, and others — including Facebook and Microsoft — supporting the legislation and arguing that it is much more nuanced than either of its predecessors. So which is it?

Formally known as the Cyber Intelligence Sharing and Protection Act, the bill is supposed to be aimed at “cyber-security” threats, and it gives federal authorities and law enforcement fairly broad powers to find and share data about web users, provided they believe the information is necessary to go after cyber-criminals and terrorists who are using technology as a weapon. The bill would amend the National Security Act of 1947, and allow various agencies to compel convince companies like Facebook to provide user data without even a warrant (my colleague Jeff Roberts has a FAQ on the bill here).

The proposed legislation (which is embedded below) passed the House a day earlier than expected after some last-minute amendments, and now goes to the Senate, where it will be discussed along with the Senate’s own version of the legislation, known as the SECURE IT Act. But it is facing some stiff headwinds, since the Obama administration has made it clear that it doesn’t support the bill. And while some tech companies support the legislation, others such as the Electronic Frontier Foundation are fighting hard to stop the bill, and petitions against the law have drawn close to 800,000 signatures.

Opponents say the bill would erase current privacy protections

A group of over 50 university professors, entrepreneurs and information scientists have published an open letter to Congress calling on lawmakers to oppose CISPA because they say the the bill (and its Senate counterpart) would allow companies to hand over the private date of their users to entities like the Department of Homeland Security, and the only requirement is that the information involved must somehow be associated with the vague concept of “cyber-security.”

The bills are drafted to allow entities who participate in relaying or receiving Internet traffic to freely monitor and redistribute those network communications. The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users’ private communications to US Federal agencies, and lacking good public accountability or transparency, these “cybersecurity” bills unnecessarily trade our civil liberties for the promise of improved network security.

The open letter accuses the bills of:

• “using vague language to describe network security attacks, threat indicators, and countermeasures,” creating the possibility that innocuous online activities could be construed as cybersecurity threats.
• exempting cybersecurity activities “from existing laws that protect individuals’ privacy and devices, such as the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act.”
• giving “sweeping immunity from liability” to companies even if they violate individuals’ privacy, and without evidence of wrongdoing.
• allowing data originally collected through cybersecurity programs “to be used to prosecute unrelated crimes.”

Facebook says it supports the bill, and won’t infringe privacy

At the same time, however, CISPA is supported by a number of tech companies, including Microsoft and Facebook. Facebook’s VP for U.S. public policy Joel Kaplan said in a blog post that the network had no intention of sharing information with government authorities unless there was actual evidence of cybersecurity issues, and merely wanted to be able to find out about potential wrongdoing. But that wasn’t good enough for the EFF: the agency said that

Internet users don’t want promises from companies not to intercept our private communications and share that data with one another and the government. We want strong laws that make such egregious privacy violations illegal, that require the government to follow legal process (judicial oversight in most case), and that allow us or the government to sue persons who break the law.

My colleague Derrick Harris has pointed out that CISPA is better in many ways than SOPA, and that the web and various interest groups run the risk of developing a knee-jerk response to almost any legislation that involves the internet. And it’s true that CISPA doesn’t compel companies to do anything that would breach the privacy rights of their users, the way that SOPA arguably did — but for many critics, there is still too much potential for information to be shared in ways that would infringe on those rights.

Jared Polis, a Democratic representative from Colorado, said during the debate over CISPA that it would “waive every single privacy law ever enacted in the name of cybersecurity,” and that “allowing the military and NSA to spy on Americans on American soil goes against every principle this country was founded on.” The American Civil Liberties Union says points out that “CISPA gives companies the authority to share [private and sensitive] information with the National Security Agency or other elements of the Department of Defense, who could keep it forever.”

Amendments have broadened the bill’s powers even further

Not only that, but Techdirt says that CISPA was amended just before it was passed in order to expand the powers it gives the authorities to use information: before the changes, it allowed the government to use information for “cybersecurity” or “national security” purposes. The amendments added three more criteria that would allow data sharing — namely investigation and prosecution of cybersecurity crime, protection of individuals, and protection of children:

Basically this means CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information it collects under CISPA for the purposes of investigating American citizens with complete immunity from all privacy protections as long as they can claim someone committed a “cybersecurity crime”. Basically it says the 4th Amendment does not apply online, at all. Moreover, the government could do whatever it wants with the data as long as it can claim that someone was in danger of bodily harm, or that children were somehow threatened—again, notwithstanding absolutely any other law that would normally limit the government’s power.

Trevor Timm at Foreign Policy magazine says that CISPA allows companies to hand over user information to the government without a warrant or any kind of oversight, which effectively over-rules or does an end-run around laws like the Wiretap Act of 1968 and the 1968 Electronic Communications Privacy Act, which restrict what companies can do to very specific circumstances, and require judicial review. CISPA, he says, runs the risk of applying similar kinds of surveillance against American citizens that the Obama administration criticizes in other countries:

According to the bill’s main author, Rep. Mike Rogers (R-Mich.), CISPA’s main purpose is to allow companies and the government to share information to prevent and defend against cyberattacks. But the bill’s language is written so broadly that it carves out a giant cybersecurity loophole in all existing privacy laws.

So is CISPA as bad as SOPA? Probably not, in the sense that SOPA required ISPs and other companies to engage in all kinds of activity that infringed on free speech and subjected even innocent users to potential seizure of their websites, etc. But the risk when designing a bill that hinges on a concept as vague as “cyber-security” is that it allows companies and government agencies fairly wide latitude to accumulate whatever information they wish — and allows them to do so without even a warrant or a judge’s order. Companies like Facebook may promise that they would never do this unless it is really important, but how can we know that for sure?

HRPT-112-HR3523HR4628

Post and thumbnail images courtesy of Flickr users Darya Sipyeykina and Bloomsberries

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• 12 tech leaders’ resolutions for 2012
• Q4 Wrap-up: SOPA and the future of digital content
• Sector RoadMap: Social customer service in 2013

It’s tough to figure out whether that’s good news or bad news. Maybe he’s changed and it will be a lot of fun to work together. Maybe CISPA could actually be used primarily for the legitimate cause of fighting cyber attacks, and critics are just reading too much into its myriad vagaries.

Just to make sure, though, here’s a step-by-step guide Congress can follow in order to quell any concerns about how CISPA will be used.

Step 1: Figure out what you actually want

Stopping cyber attacks is a noble goal, but it’s a tad broad. This is especially true when it comes to information pertaining to said cyber attacks, which could mean anything from system-level data related to attempted attacks, to emails about hacking activity. Considering that CISPA covers the entirety of U.S. businesses and organizations, the types of information that could be shared are seemingly limitless.

That’s what has CISPA opponents up in arms, so narrow it down. They might not mind anyone sharing server logs illustrating suspected hacking incidents, but emails, phone records, download activity, you name it — well, that’s a little much.

Step 2: Let’s see some conditions

In the current version of CISPA, information sharing — and then government action upon that information — is conditionless. Everyone shares only they want to, and then they pretty much do what they want with it. The government can’t use data for regulatory purposes, but it can otherwise act upon it under the rather broad definitions of cybersecurity and national security.

Opponents might actually feel better about such broad sharing permissions if they were conditioned on the presence of specific characteristics that justify the need to share (e.g., a direct threat against a particular system, or more than passing similarities with previous attack methods). And if the government has authority to act upon any info it receives, there should be conditions on what actions it can take under what circumstances.

Step 3: Lose the black box

This is probably the bill’s single biggest flaw: there’s no accountability to anybody for anything. Not only is the information shared under this bill free from existing laws mandating the disclosure of agency records, but — and here’s the kicker — “[n]o civil or criminal cause of action shall lie or be maintained … against [anybody], acting in good faith for using cybersecurity systems or sharing information in accordance with this section.”

This goes hand-in-hand with Steps 1 and 2. Narrow what can be shared and how it can be acted upon, under what circumstances, and then have penalties in place for violations.  Otherwise, the bill reads “spy with impunity,” and very few people — not even the President — are getting on board with that.

Step 4: If all else fails, make it longer

As anyone who has read CISPA might have noted, it’s a pretty short bill. But when you’re talking about complex issues, such as privacy, you can’t simply do away with nuance and detailed explanations. Sorry, Justice Scalia.

If someone just sits down in front of CISPA — a whopping 15 pages of center-aligned text in large font — and starts writing literally anything, the bill has to get better. The current legislation is so vague as is that extra text that doesn’t somehow expand the scope of the rules couldn’t make it worse.

Step 5 (for citizens): Contact your senators

Sarcasm aside, this is serious stuff. As I’ve explained before, CISPA isn’t going anywhere because, unlike SOPA, it has actually has redeeming qualities. More importantly, it has powerful backers across Congress, industry and even the web.

What’s troubling now is that the House had a chance to amend the bill to address its shortcoming, but only did so with a few relatively toothless additions, and then passed CISPA in a surprise vote. Assuming the Senate won’t be willing to kill the bill entirely, concerned citizens must contact their senators and point out specific problems with the bill and how they might be improved.

If CISPA becomes an all-or-nothing issue, then the powers representing all will win. Let’s see if the web can learn to compromise.

Photo courtesy of Shutterstock user grynold.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Connected world: the consumer technology revolution
• Sector RoadMap: Content personalization in 2013
• Connected consumer first-quarter 2013: Analysis and outlook

The revised bill passed by a vote of 248 to 168, with 206 Republicans voting in favor of the bill and 140 Democrats voting against it. Earlier today, we published this FAQ, which examines the issues surrounding the bill and its potential impact on the technology and media industries.

Proponents of the bill have framed it as an “information sharing” measure that is necessary to protect companies from hacking and the country form cyber-attack.

“This is not a perfect bill, but the threat is great,” Rep. Dutch Ruppersberger (D-Md.), said on the House floor on Thursday.

Ruppersberger is one of a handful of key Democrats who are supporting the bill. His words are likely to provide fodder to critics who complain that politicians are once again using fear tactics in an effort to ram through questionable legislation.

While cyber-attacks have been a real issue for companies and government agencies, the CISPA bill contains measures that may be broader than what is needed to do the job. The White House, civil libertarians and Republicans like Ron Paul have said the bill makes it too easy for companies to hand personal data about consumers to the federal government.

The most significant part of the bill is a provision that says “notwithstanding any other provision of law” — this would override a number of laws that have been in place for decades that force companies to safeguard personal information. Under the bill, companies are allowed to pass on data only in a limited number of circumstances — such as cyber-security or child pornography — but critics worry these categories will become broad loopholes.

Today’s surprise vote came after the passage of several last-minute amendments. The most important of these was a sunset clause which means the bill will expire in five years unless it is renewed. The members of the House, however, rejected a number of other amendments that would have provided new privacy protections.

The bill is far from certain to pass the law as it faces White House opposition and must pass the Democrat-controlled Senate.

To learn more, see your plain English FAQ about CISPA.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Connected consumer first-quarter 2013: Analysis and outlook
• Dissecting the data: 5 issues for our digital future
• Connected world: the consumer technology revolution

UPDATE: The vote was originally scheduled for Friday but took place Thursday evening instead. It passed 248 to 168 on largely partisan lines. (Read our account here)

Here’s a plain English guide to the polices and politics driving the Cyber Intelligence Sharing and Protection Act:

So is this SOPA all over again?

Not really. The ill-fated Stop Online Piracy Act was about Hollywood trying to force tech companies to become copyright cops. CISPA, on its face, is about giving those same companies tools to confront cyber-attacks.

Isn’t that the same thing?

Critics said that an earlier version of CISPA was a stalking horse for the copyright industry — they worried that companies would dress up anti-piracy initiatives as security complaints. New language makes this unlikely and emphasizes that the bill is indeed about cyber-security.

Well, what cyber-security concerns are we talking about?

Major U.S. companies and government agencies have suffered hacking attacks in which intruders have stolen classified files, trade secrets or source code. The attackers include criminal gangs and state-sponsored (read: China) cyber espionage teams. Security experts warn that cyber-attacks lead to economic loss for companies and military vulnerabilities for the country.

Sounds scary. What does CISPA do to address this?

One of the bill’s main goals is to improve the sharing of information between companies and the government. In theory, it will be easier for the government to warn companies about security threats. In turn, the companies will have more ability to alert the government about suspicious activities or attacks.

So why do we need a law new for this?

CISPA wants to update existing laws like the National Security Act of 1947 to require authorities to share information about cyber-attacks as well as conventional military threats. There are also laws like the Wiretap Act and the Electronic Communications Privacy Act that limit what private companies can do with information about their customers. CISPA would help companies avoid getting sued under those laws when they share information about cyber-security.

Sounds reasonable. Everyone’s got to do their part to prevent a cyber-attack, right?

The problem, as you may have guessed, is that CISPA may be a lot broader than what is needed to get the job done. Critics worry that companies will be cavalier about passing data around if they don’t have to fear privacy lawsuits. Companies like Facebook, Amazon, Google and Netflix (many of which are supporting CISPA) are facing dozens of privacy-related lawsuits — CISPA might be a way to sidestep some of these in the future. Also, the government could invoke CISPA as a pretext to override civil liberties. From this perspective, CISPA is not so much SOPA but instead a new form of the Patriot Act.

Uh, oh. Is the law actually going to pass?

The bill passed the House amidst Democratic grumbling. Politico reports that Sen. Joe Lieberman expects a Senate version will see floor time as soon as next month. This does not, of course, mean that the bill will become law anytime soon — the approach of the November election is likely to put Congress into its semi-annual state of paralysis. Also, there are competing bills from the White House and also from people like Lieberman who want stronger measures to protect infrastructure like dams and utilities.

What about the veto threat?

The White House issued a strong statement on Wednesdays that attacked CISPA for trampling privacy and civil liberties. It said the bill should include a provision obliging the government and companies to minimize the amount of personal data that passes between them. The statement stressed the “civilian nature of cyberspace” and warns of a veto. But veteran political types noted the veto threat contains a hedge — it says advisers would recommend a veto, not that the President will veto it.

Where can I learn more about all this?

The Electronic Frontier Foundation has its usual top-rate privacy analysis here. CNET’s Declan McCullagh has a worthy overview of the lobbying forces here and GigaOM’s Derrick Harris has a cool-headed look at the bill here. And the non-partisan Congressional Research Service has the bill and a summary here.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• CES 2012: a recap and analysis
• 12 tech leaders’ resolutions for 2012
• After the blackout: How the IT industry can stop SOPA in the long term

Demand Progress has been circling an online petition asking Facebook to withdraw its support from the bill, citing concerns from the Electronic Frontier Foundation and the Center for Democracy and Technology about how the bill would allow online services to share a user’s private information with the government. However, in a blog post Friday Facebook’s Joel Kaplan, Vice President-U.S. Public Policy argues that the legislation and Facebook’s support is far more nuanced:

That said, we recognize that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place — the additional information it would provide us about specific cyber threats to our systems and users.

Essentially Facebook is asking users to trust it and its intentions with regard to its support of the bill as it goes to the table to negotiate in D.C. There are a lot of issues this entire debate over CISPA brings up, including the one my colleague Derrick Harris covered when he asked if the Web was prepared to fight with nuance. But Facebook’s response also asks citizens to trust that a corporation and lawmakers can together find common ground that will protect users’ privacy and still let Facebook retain the advantage knowing about security threats via CISPA.

It’s a PR campaign of course –aimed at those reading about the petition and outcry — and one that blatantly assumes that the power in government doesn’t rest with individuals and their power to sway Congress, but individuals and their power to sway corporate interests. That’s a cynical view, but things like the Occupy movement and these online petitions suggest that cynics have decided activism done hand-in-hand with corporate backing is better than activism alone.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• 12 tech leaders’ resolutions for 2012
• Q4 Wrap-up: SOPA and the future of digital content
• Survey: How apps can solve photo management

It’s hard to be a web user these days, especially since the government has gotten so interested in what we’re doing online. Bills and proposed regulations that target web activity and user data are popping up all the time, and it’s hard to keep track of what any of this actually means. It gets even worse when we can’t figure out who — if anyone — is actually on our side, and when compromise has to take the place of all-out war.

Occasionally, things are easy, like SOPA. It was a ridiculous bill for the myriad reasons cited between its rise to prominence in October 2011 and its eventual shelving in January 2012. It would have led to absurd lawsuits and would have proved to be an incredible burden for many web service providers. But that bill clearly targeted web users’ favorite web sites and the users themselves — if you were in one of those two camps, it was easy to pick a side.

Some things are trickier

I admit I have been somewhat taken aback, however, by the outrage over the Cyber Intelligence Sharing and Protection Act, or CISPA — namely, the allegations that it’s little more than SOPA 2.0. As I explained in a post yesterday, although the bill does mention intellectual property, it doesn’t aim to target illegal downloading. It targets actual breaches of corporate networks in an attempt to steal files, and that’s a good thing.

I get why web users are gun-shy about copyright infringement, but things like legislative intent do matter. It’s probably not worth burning cycles chasing red herrings.

A law is only effective if it can withstand judicial scrutiny. Otherwise, something happens, someone files a lawsuit, and a court either declares a law unconstitutional or narrowly construes its meaning. The latter happened earlier in the week when the Ninth Circuit Court of Appeals held that the Computer Fraud and Abuse Act doesn’t apply to cases where people merely exceed the permissions to which they’ve agreed. It’s a very good example of the importance of legislative intent, as both the majority and dissenting opinions agree on the cases the law did not intend to target (i.e., employees using Facebook at work or dating-site users lying about their physical attributes).

However, the CISPA does present a tricky question for web users to answer: When it comes to privacy, do we trust the government more, or do we trust Facebook? Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, made some good points about CISPA’s privacy shortcomings in a U.S. News & World Report article on Thursday. We already knew the bill’s language about information sharing and protective measures was vague, but Dempsey suggests government pressure might make sites like Facebook willing to share more-personal information on users than they’d normally do.

The bill actually purports to put the power in companies’ hands, stating that ”Cyber threat information … shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including, if requested, appropriate anonymization or minimization of such information.” But even if companies would like to just provide the anonymous bits and bytes related to suspected attacks, says Dempsey, “The government can say ‘You want our secret sauce, give us all your data; if you play ball with us, we’ll play ball with you.’”

Who’s on our side, and what can we live with?

But Facebook wouldn’t do that, right? Or Google or Twitter or any of the large web companies web users sided with to help defeat SOPA? Well, maybe. After all, they’re the villains in the debate over web privacy, right? And it’s possible they’re more concerned with their own self interests in preventing attacks than they are with any specific sets of user data, right?

But doesn’t that make the government two-faced? After all, it’s the hero in the debate over web privacy, becayuse it’s the one that wants to regulate what web sites can do with the data users are all but forced to hand over in order to use any web service. Right? Well, maybe the Federal Trade Commission has users’ best interests in mind, but the Justice Department, which for years has been leveraging antiquated laws to demand user data without search warrants — and which is the agency at play in CISPA — doesn’t seem to think that data should be so private.

I guess what I’m saying is that the law isn’t always black and white, and reacting to the words intellectual property within a bill with crazy arm-waving and chants of SOPA 2.0 probably aren’t too effective. We actually need to consider what proposed laws say, how they relate to existing legal doctrine and what are the interests of the parties involved, and then react accordingly.

Often times, as with CISPA, that requires not throwing the baby out with the bathwater, or even throwing out the bathwater at all — because when Congress and industry are aligned, something is going to pass. Rather, we’ll have to determine what’s actually wrong with the bathwater and then figure out a way to make it tolerable. And those debates are a lot harder, a lot more nuanced and a lot less fun than sticking it to SOPA supporters.

Feature image courtesy of Flickr user aesop.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• SOPA, OPEN and the fight for the Internet
• Sector RoadMap: Content personalization in 2013
• The quantified self: hacking the body for better health

The criticism that, by including a provision for the protection of intellectual property, CISPA is little more than a less-conspicuous form of the draconian SOPA bill seems misguided. CISPA is vague and unnecessarily broad, but it’s not SOPA. In fact, the very same Internet companies that were so adamantly opposed to SOPA might support CISPA. Facebook already does. So does outspoken SOPA critic Darrell Issa (R-CA). Here’s why.

1. CISPA is actually good, in theory. The idea of sharing cybersecurity information between private companies and the government has merit, especially in a world of increased cyberattacks against organizations in both sectors. If you’re trying to discover patterns in attacks, more data is always better, and web sites are attacked constantly. That they also could have access to classified government data is particularly beneficial.
2. CISPA doesn’t require service providers to do anything. SOPA all but forced service providers to monitor user behavior to the benefit of media companies (or to avoid being shut down by them), but CISPA only allows those providers to act in their own best interests. It’s unclear to me, at this point, why any company like Facebook, Google or Twitter would do anything other than obtain information on activity that directly affects the security of their platforms or their proprietary data.
3. I’m not certain the inclusion of intellectual property protection was driven by ulterior motives. For one, CISPA actually reads as if private parties can only gather information relating to their own rights and property, which would mean ISPs can’t go about monitoring for copyright infringement because they don’t own any copyright. There’s a strong argument that the bill primarily targets cyberattacks aimed at stealing data or files from a company’s servers (CISPA co-author Mike Rogers (R-MI) said as much in a press conference yesterday), although existing cybersecurity law certainly target some of that activity.

Probably the biggest problem is what a company is able to do to “protect” itself from such threats. As the EFF points out, CISPA allows companies to “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity.” It also grants companies immunity from lawsuits if they exercise their rights under the bill in good faith.

If the EFF is correct, companies could bypass existing laws regarding the monitoring of communications, claim good faith and — if they have a solid case — be free from liability. The EFF also talks a lot about CISPA allowing service providers to “block” sites, although it’s unclear what type of activity the bill actually allows in response to information gathered. Does it allow them to obtain information and take shutdown actions like those SOPA would allow, or just to react to information only within the bounds of what’s already legal?

It’s a little scary, then, that CISPA has such strong support in the House of Representatives. Whereas SOPA had only 23 co-sponsors, CISPA has 106, including Issa. That web companies such as Microsoft and Facebook have signed off on it isn’t too promising, either. It likely will take some powerful voices to at least clear up the vagaries of the bill, but it’s hard to see where they’ll come from this time around.

Feature image courtesy of Rob Allday.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• After the blackout: How the IT industry can stop SOPA in the long term
• Connected consumer first-quarter 2013: Analysis and outlook
• CES 2012: a recap and analysis