Wednesday, June 6, 2012

CISPA: The Finale



By Charlotte Walden


Alas, unless there is some news from the Senate, this will be the final CISPA blog.  To recap, the previous CISPA blogs have established that, if CISPA becomes law, private corporations may voluntarily share cyber threat information with the federal government. Furthermore, CISPA limits what the federal government and certified entities can do with cyber threat information; CISPA also trumps many privacy and public disclosure laws.

But what about the federal government sharing cyber threat information with private corporations? What about the federal government sharing information with other federal departments and agencies? Can I sue the government or a certified entity if they do not use my information in accordance with CISPA? Why was CISPA written? These are the questions that the following paragraphs will answer.  

The Federal Government Sharing Information With Private Companies and other Government Agencies or Departments

On April 13, 2012, Facebook's Vice President of U.S. Policy, Joel Kaplan, revealed Facebook’s support for CISPA. In that post, Kaplan wrote that CISPA will allow the federal government to share information about “an intrusion or other attack. . . with private companies . . . [in order to ensure] better the protection for users and . . .systems” (Kaplan, 2012). What part of CISPA was Kaplan writing about? Why, section 1104 (a)(1), of course! Yet, since CISPA gives the Director of National Intelligence the power to create regulations dealing with how the government (read: members of the intelligence community, a term that may also include private corporations) will share cyber threat intelligence with the private sector and utilities, CISPA will have to become law in order for us to find out what that scheme may be. If CISPA does not pass, we will never know what the Director’s scheme would have been.

Yet, CISPA does reveal how the federal government can share cyber threat information with other federal government agencies and departments. Section 1104 (b)(2)(A) states that the head of the department or agency of the federal government that receives cyber threat information must provide that information to the National Cyber Security and Communications Integration Center of the Department of Homeland Security. Once this information is provided to the center, the federal department or agency may request that the center provide cyber threat information to another department or agency (see section 1104 (b)(2)(B) of CISPA). Some argue that this provision will allow cyber threat information to be used for massive data mining purposes (Imagery, 2012). Others claim it will help protect cyber security (Kaplan, 2012). Again, the age-old debate of trading civil liberties for security rears its ugly head.


CISPA and Legal Recourse

But wait a minute. Earlier, these CISPA blogs revealed that Facebook supported CISPA, but weren’t Facebook and other companies adamantly opposed to PIPA and SOPA earlier this year? What makes CISPA different? Some think that Facebook and others like CISPA because it takes the pressure to regulate users off private companies and puts that pressure on the government (Explainers, 2012). Others think that the provision that exempts certified entities from being sued is why former protestors of PIPA and SOPA like it (Kardell, 2012). Section 1104 (b)(4) of CISPA is the section that exempts certified entities from being sued.

The Electronic Frontier Foundation (EFF), one of the many organizations that oppose this bill, contends that this liability exemption for certified entities is “vague” and that the exemption could potentially harm innocent parties (Jaycox, 2012). For instance, the EFF argues, “[i]f a company learns about a security flaw, fails to fix it, and users' information is misused or stolen, companies cannot be held liable as long as the company acted ‘in good faith’” (Jaycox, 2012). Essentially, CISPA limits judicial oversight of a certified entity’s activity with cyber threat information, which, in all honesty, could be your information (Jaycox, 2012).

However, while a person may be limited in bringing a suit against a certified entity, a person may be able to bring a suit against the federal government if it intentionally or willfully violates the cyber threat information use provisions of section 1104 (b)(3)(C) or subsection (c) [see section 1104 (d)(1) of CISPA]. However, one has two years after the violation of the applicable sections in which to bring a suit. Some find this to be problematic. As the EFF has pointed out, given the exemption from public disclosure, a person who has been wronged may have no idea that they have been wronged until well after the two-year statute of limitations (Timm, 2012). This, of course, depends on when the statute of limitations begins to run. Does it start the day the government violates the applicable section? Or does it start when you realize you have been wronged? Whatever the case, the EFF's point has merit. Thus, it is quite possible that this provision is merely smoke and mirrors and provides no judicial oversight of the federal government’s activities with your information whatsoever.

Why Was CISPA Written In The First Place?

So, CISPA provides little judicial oversight, exempts cyber threat information from privacy and public disclosure laws, and allows private companies to voluntarily share cyber threat information (which could be your information) with the federal government. And just who is responsible for this bill and why was it created?

Congressman Mike Rogers introduced CISPA to prevent foreign companies from stealing secret information from US databases (Beadon, 2012). The goal of CISPA is to ensure foreign companies do not gain an unfair advantage over U.S. companies (Beadon, 2012). This, Rogers reasons, is why private companies and the federal government need to share sensitive information (Beadon, 2012). This, Rogers reasons, is why we need CISPA. While some argue that Rogers's proposed legislation has merit in protecting the U.S.'s Internet systems from cyber attacks (Kaplan, 2012), the bill, as it stands now, is too imperfect for reasons stated throughout this blog.




After reading through these blogs and visiting the referenced links, please discuss what you think of CISPA. This blog contends that CISPA could create a disincentive to share certain types of information online, but this blog is also an open forum for concurrence and dissent. Perhaps you believe that the potential censorship CISPA might create would spawn a new way of sharing information. Or perhaps you see things a different way. On an additional note, for those curious, click here for a list of CISPA supporters.

References:


Beadon, Leigh. (2012, May 7). CISPA sponsor warns bill is needed because China’s Chinese hackers from China are stealing all-American secrets (China!). Techdirt. Retrieved from http://www.techdirt.com/articles/20120504/08384918786/cispa-sponsor-warns-bill-is-needed-because-chinas-chinese-hackers-china-are-stealing-all-american-secrets-china.shtml.

Downes, Larry. (2012, April 27). Why CISPA can’t be fixed. Forbes. Retrieved from http://www.forbes.com/sites/larrydownes/2012/04/25/why-cispa-cant-be-fixed/.


Explainers. (2012, April). All about CISPA, the bill that wants to erode your online privacy. Lifehacker. Retrieved from http://lifehacker.com/5900962/why-microsoft-and-facebook-are-pro+cispa-but-anti+sopa.

Imagery. (2012, May 2). CISPA destroys privacy and shares data with the government. Weather imagery: A little mix of everything. Retrieved from http://www.weatherimagery.com/blog/cispa-destroys-privacy-and-shares-data-with-government/.

Jaycox, M. How the expansive immunity clauses in CISPA will facilitate abuse of user privacy. Electronic Frontier Foundation. Retrieved from https://www.eff.org/deeplinks/2012/04/how-expansive-immunity-clauses-cispa-will-facilitate-abuse-user-privacy-0.

Kaplan, J. (2012, April 13).  A message about CISPA. Facebook.  Retrieved from: http://www.facebook.com/note.php?note_id=10150723305109455.

Kardell, N. (2012, April 30). CISPA, approved by the House, poses threat to internet freedom. The National Law Review. Retrieved from http://www.natlawreview.com/article/cispa-approved-house-poses-threat-to-internet-freedom.

Timm, T. (2012, April 25). CISPA, “national security,” and NSA’s ability to read your e-mails. Electronic Frontier Foundation. Retrieved from https://www.eff.org/deeplinks/2012/04/cispa-national-security-and-nsa-ability-read-your-emails.

4 comments:

  1. For those of you who are curious, the information Facebook obtains from you does not come solely from their website; in fact, Facebook can collect your information from third party websites. Visit this link for more details:

    http://lifehacker.com/5843969/facebook-is-tracking-your-every-move-on-the-web-heres-how-to-stop-it

  2. CISPA has caused many debates not only in libraries but in many cases where people are using the web to retrieve information. It is pointed out that "library consequences could relate to cloud computing, higher education networks, privatized libraries and networks, and network/vendor contracts" (ALA Asks Librarians to Oppose Cybersecurity Bill, 2012). The library where I work has recently set up all the public Internet computers to wipe off any information that can be gathered or saved by patrons so that the next patron who uses the computer cannot see or have access to what the previous patron did.

    In this link, Facebook claims that they will protect personal information.
    http://rt.com/usa/news/cispa-facebook-privacy-violation-061/

    I'm against CISPA because I think that it violates one's privacy. It is also important to remember that while using some social networking sites one can go onto a third party site that may not protect the user's information. This is why it is important to read into terms and conditions before just simply checking the agree to button.

    -Lindsay Fricke

    References:

    ALA asks librarians to oppose cybersecurity bill. (2012). Library Journal, 137(10), 20.

  3. According to the link I posted in the first comment, Facebook can track you on third party websites even after you have logged out. In fact, after interviewing the library director at Lansing Community College (LCC), I learned that one of LCC's librarians just gave a presentation about how to stop Facebook, Google and others from tracking you. If CISPA passed, I wonder what innovations people would create in order to make it harder for certified entities and the federal government to access your information. Because surely if we can come up with ways to stop companies from tracking us, we could also come up with ways to make it harder for them to access our information.

    -Charlotte Walden

  4. I found the Facebook link regarding privacy and issues to be interesting. http://developers.facebook.com/policy/ What if someone were to browse through a third party website from Facebook while still logged in? Does this mean that the website automatically gets your information because of the terms and conditions agreed to with Facebook? I definitely agree with you that if CISPA was passed, then there would eventually be ways to work around the system to prevent the government from getting information.

    -Lindsay F.
