NEW YORK – Almost no one had read the Cyber Intelligence Sharing and Protection Act (CISPA) before it was rushed through the United States House of Representatives in late April and sent to the Senate. CISPA is the successor to SOPA, the “anti-piracy” bill that was recently defeated after an outcry from citizens and Internet companies. SOPA, framed by its proponents in terms of protecting America’s entertainment industry from theft, would have shackled content providers and users, and spawned copycat legislation around the world, from Canada and the United Kingdom to Israel and Australia.
Now, with CISPA, the clampdown on Internet freedom comes in the guise of a bill aimed at cyber terrorism that should give Internet entrepreneurs – and all business leaders – nightmares. And yet, this time, major Internet and technology companies, including Facebook and Microsoft, supported the bill, on the grounds that it would create a clear procedure for handling government requests for information. Microsoft, at least, belatedly dropped its support after recognizing that the law would allow the US government to force any Internet business to hand over information about its users’ online activities.
But the bill is far more alarming than that. For example, “the head of a department or agency of the Federal Government receiving cyber threat information…shall provide such cyber threat information to the National Cybersecurity and Communications Integration Center of the Department of Homeland Security.” No actual threat need be made. And what counts as “threat information” is defined so broadly that it can mean anything. “Notwithstanding any other provision of law,” the government may rely on “cybersecurity systems to identify and obtain cyber threat information.”
The vague concept of “cyber threat information” does not just let DHS investigate anyone. By including information pertaining to “a vulnerability of a system or network of a government or private entity,” and the “theft or misappropriation of private or government information, intellectual property, or personally identifiable information,” the bill appears to target whistleblowers and leakers, and threatens investigative journalism.
The respected Internet technology site Techdirt has called the bill “insanity”: “CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information…for the purposes of investigating American citizens with complete immunity from all privacy protections as long as [it] can claim someone committed a ‘cybersecurity crime.’”
Indeed, the DHS may look through data transmitted online without restraint, regardless of what it ultimately finds. And, in this respect,business leaders who believe that this bill is aimed at terrorists – or “at most” at the domestic activists and documentarians who can make it harder for them to operate – should be careful about what they wish for.
Indeed, because the definition of cyberterrorism is so broad and subjective, US business leaders who are pushing for CISPA risk exposing themselves to the DHS’s power to scrutinize their personal lives, subpoena their bank records, and disrupt their electronic communications. And the law would give the DHS similar control over the personal and financial lives of anyone who does business in the US or with American companies – a power that the US government has already tried to assert by issuing a subpoena for Icelandic legislator Birgitta Jonsdottir's personal bank records.
Everyone has secrets: love affairs, substance-abuse problems, mental-health diagnoses, heterodox sexual preferences, or questionable discussions with accountants. In a strong civil society, these personal matters properly remain private. In a surveillance society, they become leverage.
I am fearful of the effects of unrestrained domestic surveillance for specific reasons: I worked in two US presidential campaigns, and saw firsthand the standard tactics – nonviolent but still mafia-inflected – of high-level politics. There was no shortage of privately contracted surveillance and wiretapping. Campaigns routinely planted spies – interns, household staff, or even lovers – in the opposing camp, and devoted vast numbers of man-hours to combing through private records in opposition research. The results were then regularly used behind the scenes to bully, intimidate, and coerce targets.
Most of these “scandals” never saw the light of day – the goal was pressure, not disclosure. CISPA would give the same power to the DHS. America’s business leaders may think that they are immune, but the bill’s definition of “a threat” is so vague – with no distinction between a “threat” to the Internet and any random, even metaphorical “threat” on the Internet – that the DHS may keep tabs on anyone who says something that irks someone in a cubicle.
If CISPA enters into US law, alongside the recently enacted National Defense Authorization Act – which gives the government the power to detain any American for anything forever – fundamental civil liberties will be threatened in a way that no democracy can tolerate. And because so much of the freedom of the Internet around the world derives from the freedom of expression that until recently characterized the US, enactment of CISPA poses a similar threat around the world.
The good news is that President Barack Obama has vowed to veto CISPA. The bad news is that he made – and then broke – a similar vow on the NDAA.