The Cyber Intelligence Sharing and Protection Act is coming. If you haven’t heard as much about CISPA as you did about SOPA and PIPA, you will soon. CISPA needs to change, and we need your help to change it.
CISPA is a ‘cybersecurity’ bill that exists in the U.S. House of Representatives, and it’s only a matter of time before a counterpart appears in the Senate. Last week we explained a bit about the bill and what it does here in the ServInt University. Prior versions of CISPA were as odious as PIPA and SOPA. The Internet community needs to be vigilant that the next version isn’t as well. CISPA is not the same bill as SOPA and PIPA, but it has the potential to be just as big an affront to your civil liberties.
CISPA confuses access to information with knowledge of that information.
CISPA started as a bill designed to allow more security information to pass from government agencies to the public – think, a government warning about a potential terrorist threat. But as it evolved, significant incentives were added to the legislation encouraging private Internet providers to share security threat information with the government, possibly including agencies like the NSA and FBI.
So what’s wrong with that? On its surface, CISPA seems well-intentioned enough. The idea is, if you see something, say something. This is exactly what the signs in airports tell us is going to protect us from terrorism.
But hosting providers like ServInt aren’t the same as travelers pointing out suspect packages in an airport. Hosting providers and most internet companies – while having access to their customers’ data because it is housed in their data centers – have little to no direct knowledge of the data itself. There is simply far too much of it. Even if a few companies wished to take it upon themselves to monitor their own customers for national security threats, they would have no feasible way to comb through all of their data looking for something “suspicious.”
Asking Internet companies to voluntarily report any suspicious activity of their customers is like asking baggage handlers to keep an eye out for suspicious items inside bags they are driving onto the tarmac and loading into planes.
CISPA erodes privacy rights and circumvents due process
If private companies have little-to-no direct knowledge of their customers’ data, then the only other scenario where CISPA would come into effect is when the government suspects a person or group of planning some kind of attack then reaches out to the companies housing the suspect’s data and asks for any evidence these companies may have. CISPA could be used in the name of expediency to allow companies to voluntarily share any data they find with the government without a warrant, and without the fear of customer reprisal.
And to those who say that this is neither the intention nor the likely use of CISPA, what should concern us is not the intended use, or the likely use, but the unintended or possible use that a piece of legislation opens up. We must protect the rights of the few, so that we insure the rights of the many.
If CISPA passes in its current form, privacy on the Internet will be irrevocably harmed.
As service providers, we have all made promises to our customers to protect the sensitivity of their data, and to preserve and protect our privacy policies. In a post-CISPA world this would be infinitely harder to do.
CISPA puts America on a slippery slope where U.S. privacy policies would never matter again.
True, lining up behind the current version of CISPA would be the easy course for companies like ServInt. We’d be able to help our government fight crime, reduce the pressure from law enforcement, and all the while ensure that we have nothing to fear from our customers as we disregard our promises to them. Under the current version of CISPA, American businesses and citizens would have no recourse if their private information was inappropriately shared with the government.
But aside from being against what ServInt stands for, treading on the rights of U.S. citizens with CISPA in the name of national security is shortsighted for two reasons:
1. CISPA would hurt the US economy
Giving Internet companies carte blanche to spy on their customers and pass on any potentially damaging data to the federal government, all without fear of reprisal in criminal or civil court, opens the door to any number of abuses. Even if you and I were to assume that U.S. companies would not misuse these powers, foreign customers of U.S.-based Internet companies are not likely to be so trusting.
Currently, the United States is the world leader in hosting online content. The Internet infrastructure industry represents a $9.2 billion trade surplus. That surplus could evaporate overnight. There are many other countries with good Internet infrastructure, and if those countries show that they respect privacy after we show we no longer do, we will see U.S. and international customers alike leaving our shores in droves, not because they are planning or committing acts that threaten U.S. national security, but simply because they do not trust a government that circumvents privacy laws and grants itself full access to all Internet users’ data under the umbrella of “national security.”
The US was the birthplace of the Internet, and it is still the center of online innovation and commerce. But if CISPA passes in its current form, another country or region will become the center of tomorrow’s digital economy.
2. CISPA will increase ‘cybersecurity’ threats far more than it will help
This shift away from U.S.-centric Internet resources will make real cybersecurity threats that much more removed from U.S. jurisdiction. By attempting to circumvent due process in the name of expedience, CISPA would push these threats offshore where they would have just as much potential to harm U.S. citizens and the U.S. economy, but would be beyond the reach of U.S. law enforcement.
Wanting better digital security is a laudable goal, but there’s a right and a wrong way to do it. It is still possible to make a better CISPA – even a good CISPA. But today’s CISPA cannot stand. CISPA in its current form is bad for U.S. businesses, bad for the U.S. economy, bad for U.S. citizens, and it will actually hamper the fight for better Internet security.
ServInt strongly opposes CISPA as it is written today. In the coming weeks you’ll hear more about how our COO, Christian Dawson, is working with the i2Coalition and members of Congress to fight this legislation, or – even better – change it into a bill that actually helps more than it hurts.
You can help too. Stand beside ServInt and companies like ours by joining the i2Coalition. Christian is actually going to be part of a webinar on Tuesday, March 26th about why you should consider joining i2C. You can sign up for the webinar here.
You can also contact your Congressional Representatives to tell them that you are opposed to CISPA in its current form. Together we can make a difference.
Photo by CSIS PONI