Why the Cyber Intelligence Sharing and Protection Act (CISPA) Is Not the Solution to U.S. Cyber Attack Fears

Posted in: Civil Rights

Last Monday, April 23, the Trustworthy Internet Movement (TIM) published a report that found that ninety percent of the Internet’s top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL attacks.  Last Tuesday, April 24, an official from the GAO testified that cyber attacks on the federal agencies grew from 5,503 in 2006 to 42,887 in 2011.  In short, cybersecurity is a very real concern, and if unaddressed, it could create serious consequences.  However, as I will argue in this column, CISPA is not the answer.

Last Thursday night, April 26, the House passed the Cyber Intelligence Sharing and Protection Act (CISPA).  CISPA authorizes cyber-threat-intelligence and information sharing between the government and private entities, in order to better protect the United States from cyber attack.  It allows private entities to conduct surveillance of their users on their networks and applications, and to share information that they feel qualifies as cyber threat information with the government.  The bill also authorizes the government to share cyber threat intelligence with private-sector entities.

I’ve spent a bit of time discussing the original text of the bill and the amendments that were ultimately passed on Thursday.  My fundamental concerns with CISPA can be divided into four major categories:

  1. The bill defines cybersecurity threats in a way that could very well extend to common, otherwise legal activities on the Internet.
  2. It allows the government to use information received from private companies under CISPA for non-cybersecurity-related purposes.
  3. It seems to provide an end run around the Fourth Amendment.
  4. It subordinates civil-liberties protections to national-security concerns.

How CISPA Defines Cybersecurity Threats in a Way That Could Very Well Extend to Common, Otherwise Legal Activities on the Internet

The language of CISPA casts a net so broad that it could potentially catch intellectual property piracy, encryption, streaming video, and file-sharing.  Private entities participating in CISPA can, unbeknownst to their customers, monitor their customers, gather information on them, and then hand that information over to the government, as long as the information at issue relates to the “integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network.”

Under the confidentiality prong of CISPA, private entities are authorized to turn over to the government any information relating to a threat to the means of protecting proprietary information stored on, processed on, or transiting a network.  Put another way, under CISPA, knowledge about copyright infringement could be considered cyber threat information.  So, if Google finds out that there is copyright-protected content on YouTube, the company might be authorized to send the information about that content over to the government as purported cyber threat information.  In the wake of cases like that of Megaupload, which led to the arrests and indictments of the owners by federal authorities, and the shutdown of Megaupload’s sites, the sharing of this type of information is particularly disconcerting.

Under the availability prong of CISPA, any activity that might slow down a network might be considered cyber threat information.  This means that usage data for services like VPNs, Skype, Netflix, BitTorrent and Tor could all be considered cyber threat information simply because the use of these applications and services slows down a network.  These are all legal, common uses of the Internet, and yet, under this bill, an individual using these applications and services can have her usage data passed on to the government as cyber threat information.

Additionally, the bill classifies any vulnerability to a system or network as a cybersecurity threat.  As the Trustworthy Internet Movement report mentioned above notes, 90% of the most popular websites are riddled with vulnerabilities.  Are private entities to be reporting on all of these?  What about on networks a bit smaller than the entire Internet?  As Rainey Reitman, EFF’s activism director, notes, “CISPA currently defines a ‘cybersecurity system,’ as something that is designed to protect a ‘system or network.’”  Reitman explained that this definition “could mean anything—a Local Area Network, a Wide Area Network, a microchip, a website, online service, or a DVD.”  Is the government giving the manager of Starbucks permission to monitor all Internet activity occurring on her shop’s local area network?

How CISPA Allows the Government to Use Information Received from Private Companies under CISPA for Non-Cybersecurity-Related Purposes

CISPA extends the authorized government use of cyber threat information.  In addition to authorized use for cybersecurity and national-security purposes, the government is authorized to use the information for the protection of “individuals from the danger of death or serious bodily harm,” the investigation and prosecution of such crimes, the protection of “minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor,” and the investigation and prosecution of those crimes.

This means that when Comcast hands a pile of warrantless surveillance information over to the government, the government can use that information, as long as it is used to protect the country from a massive cyber attack or to protect individuals who might be in danger.  This is unsettling, because it means that the government is circumventing the protections of the Fourth Amendment for issues that fall squarely into the category of traditional government policing and prosecution.  This leads me to the next section of the analysis, focusing directly on Fourth Amendment concerns.

Why CISPA Seems to Provide an End Run around the Fourth Amendment

The third-party doctrine of privacy law states that individuals have no reasonable expectation of privacy in information that they have voluntarily disclosed to third parties.  As the Supreme Court said in United States v. Miller, “The Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.”

And the third-party doctrine, strictly speaking, would seem to cover the information-sharing authorizations created under CISPA.  However, something seems truly amiss if the government no longer avails itself of the warrant requirement simply because, under that doctrine, a warrant isn’t necessary.  Justice Sotomayor noted this very point in her concurrence in United States v. Jones, reasoning as follows:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. […] This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. […] But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.

CISPA Subordinates Civil Liberties Protections to National Security Concerns

CISPA also currently provides that the government may take steps to limit the impact on privacy and civil liberties insofar as efforts to do so are reasonable and insofar as such efforts don’t limit the ability of the government to protect against cybersecurity threats.

This language makes very clear that CISPA places the goal of protecting civil liberties second to national security goals.  If the protection of civil liberties comports with national security, then—and only then—is it, too, seen as a workable goal.

While reading the CISPA bills, I couldn’t help but consider CISPA in the context of the PATRIOT Act, FISA, and the “Going Dark” discussions that were taking place at around this time last year.  The theme emerging from all of these developments is that the drumbeat of “National security at all costs” is getting louder and louder.  While the PATRIOT Act was passed in the wake of 9/11, it is notable that the Going Dark discussions were not happening under the shadow of any major cyber attack.  Instead, it is becoming increasingly acceptable—even business as usual—in the minds of lawmakers and regulators to subordinate civil liberties to national security.

Next Steps That Are Likely to Ensue in the Battle Over CISPA

We are now moving on to the next phase of the battle over CISPA—the fight in the Senate.  While the Senate has held hearings on the matter, no bill has yet made it out of the Committee on Homeland Security and Governmental Affairs.  While there are two cybersecurity bills in play in the Senate, the Lieberman/Collins bill and the McCain bill, the focus remains largely on the former, because it has the support of the Obama Administration.  The Lieberman/Collins bill requires companies that manage “critical infrastructure”—like electric grids and ISPs—to meet federal cybersecurity standards that are laid out by the Department of Homeland Security.  And while the Lieberman/Collins bill would require companies to anonymize the information they send to the government, it still allows companies to engage in warrantless surveillance on behalf of the government.

Right now, Congress has a powerful opportunity to take a more measured, thoughtful, and effective approach to cybersecurity.  The President supports cybersecurity legislation, and Congress has been poised to pass such legislation for some time.  Thus, there is both the need and the momentum for a new cybersecurity law.  Crafted properly, such a law can be the vehicle through which Congress brings us back to an era where national security concerns are addressed, but not at the cost of civil liberties.