When it comes to outrage over the Cyber Intelligence Sharing and Protection Act of 2011, or CISPA, don’t believe the hype (not all of it, at least). The Electronic Frontier Foundation and hacktivist group Anonymous might have overblown the potential ramifications of the bill, but that doesn’t mean it’s well-written. CISPA still needs work to clear up what, exactly, it allows for, but strong congressional and industry support might make it a lot harder to stop than was the Stop Online Piracy Act of 2011, or SOPA, that created an online firestorm earlier this year.
The criticism that, by including a provision for the protection of intellectual property, CISPA is little more than a less-conspicuous form of the draconian SOPA bill seems misguided. CISPA is vague and unnecessarily broad, but it’s not SOPA. In fact, the very same Internet companies that were so adamantly opposed to SOPA might support CISPA. Facebook already does. So does outspoken SOPA critic Darrell Issa (R-CA). Here’s why.
- CISPA is actually good, in theory. The idea of sharing cybersecurity information between private companies and the government has merit, especially in a world of increased cyberattacks against organizations in both sectors. If you’re trying to discover patterns in attacks, more data is always better, and web sites are attacked constantly. That they also could have access to classified government data is particularly beneficial.
- CISPA doesn’t require service providers to do anything. SOPA all but forced service providers to monitor user behavior to the benefit of media companies (or to avoid being shut down by them), but CISPA only allows those providers to act in their own best interests. It’s unclear to me, at this point, why any company like Facebook, Google or Twitter would do anything other than obtain information on activity that directly affects the security of their platforms or their proprietary data.
- I’m not certain the inclusion of intellectual property protection was driven by ulterior motives. For one, CISPA actually reads as if private parties can only gather information relating to their own rights and property, which would mean ISPs can’t go about monitoring for copyright infringement because they don’t own any copyright. There’s a strong argument that the bill primarily targets cyberattacks aimed at stealing data or files from a company’s servers (CISPA co-author Mike Rogers (R-MI) said as much in a press conference yesterday), although existing cybersecurity law certainly target some of that activity.
Probably the biggest problem is what a company is able to do to “protect” itself from such threats. As the EFF points out, CISPA allows companies to “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity.” It also grants companies immunity from lawsuits if they exercise their rights under the bill in good faith.
If the EFF is correct, companies could bypass existing laws regarding the monitoring of communications, claim good faith and — if they have a solid case — be free from liability. The EFF also talks a lot about CISPA allowing service providers to “block” sites, although it’s unclear what type of activity the bill actually allows in response to information gathered. Does it allow them to obtain information and take shutdown actions like those SOPA would allow, or just to react to information only within the bounds of what’s already legal?
It’s a little scary, then, that CISPA has such strong support in the House of Representatives. Whereas SOPA had only 23 co-sponsors, CISPA has 106, including Issa. That web companies such as Microsoft (s msft) and Facebook have signed off on it isn’t too promising, either. It likely will take some powerful voices to at least clear up the vagaries of the bill, but it’s hard to see where they’ll come from this time around.
Feature image courtesy of Rob Allday.