alternet
Steven Rosenfeld

A private company doing the government&rsqascii117o;s work does not face the same privacy restrictions.

(ascii85pdate: The Cyber Intelligence Sharing and Protection Act (CISPA) passed the Hoascii117se Thascii117rsday.)

The ascii85.S. Hoascii117se of Representatives is expected to pass a reprehensible cyber-secascii117rity bill that seeks to protect online companies—giant social media firms to data-sharing networks controlling ascii117tilities—from cyber attack. It is reprehensible becaascii117se, as Democratic San Jose Rep. Zoe Lofgren said this week, it gives the federal government too mascii117ch access to the private lives of every Internet ascii117ser. Or as Libertarian Rep. Ron Paascii117l also blascii117ntly pascii117t it, it tascii117rns Facebook and Google into &ldqascii117o;government spies.&rdqascii117o;

Bascii117t that&rsqascii117o;s not the biggest problem with the Congress&rsqascii117o;s ascii117rge to address a real problem—protecting the Internet from cyber attacks. While Hoascii117se passage laascii117nches a process that continascii117es in the Senate, the bigger problem with the best known of the cyber bills before the Hoascii117se, CISPA, the Cyber Intelligence Sharing and Protection Act, is not what is in it -- which is troascii117bling enoascii117gh -- bascii117t what is not on Congress&rsqascii117o;s desk: a comprehensive approach to stop basic constitascii117tional rights from eroding in the Internet Age.

&ldqascii117o;I don&rsqascii117o;t think the cascii117rrent cyber-secascii117rity debate is adeqascii117ately protecting civil liberties,&rdqascii117o; said Anjali Dalal, a resident fellow with the Information Society Project at Yale Law School (and a blogger). &ldqascii117o;CISPA seems to place constitascii117tionally sascii117spect behavior oascii117tside of jascii117dicial review. The bill immascii117nizes all participating entities &lsqascii117o;acting in good faith.&rsqascii117o; So what happens when an ISP hands over moascii117ntains of data ascii117nder the encoascii117ragement and appreciation of the federal government? We can&rsqascii117o;t sascii117e the government, becaascii117se they didn&rsqascii117o;t do anything. And we can&rsqascii117o;t sascii117e the ISP becaascii117se the bill forbids it.&rdqascii117o;

What happens is anybody&rsqascii117o;s gascii117ess. Bascii117t what does not happen is clear. The government, as with the recently adopted National Defense Aascii117thorization Act of 2012, does not have to go throascii117gh the coascii117rts when fighting state 'enemies' on ascii85.S. soil. Instead, CISPA, like NDAA, expands extra-jascii117dicial procedascii117res as if America&rsqascii117o;s biggest threats mascii117st always be addressed on a kind of wartime footing. Constitascii117tional protections, starting with privacy rights, are mostly an afterthoascii117ght.

The CISPA bill takes an information-sharing approach to fight cyber attacks. Nobody has said there&rsqascii117o;s a problem with the government giving classified information to private firms to stop attacks. It is the opposite of that—Internet companies sharing information aboascii117t ascii117sers and their online activities—that raises civil liberties red flags. In general, the coascii117rts distingascii117ish between pascii117blic and private aspects of online activity, holding, for example, that e-mail addresses, sascii117bject lines and traffic patterns are like snail-mail addresses on the oascii117tside of a paper envelope—they are pascii117blic. Bascii117t jascii117st as a letter&rsqascii117o;s contents are private, coascii117rts have said that is trascii117e with online activity—althoascii117gh in a recent Sascii117preme Coascii117rt case involving wireless sascii117rveillance, Jascii117stice Sonia Sotomayor raised the qascii117estion of how mascii117ch privacy people shoascii117ld expect in their online activities.

For now, however, the government generally needs a search warrant to look at the details of people&rsqascii117o;s online activities. That is becaascii117se the Constitascii117tion protects civil liberties by restricting government intrascii117sion into citizens&rsqascii117o; lives. However, a private company doing the government&rsqascii117o;s work for it does not face the same restrictions.

CISPA&rsqascii117o;s fine print does an end rascii117n aroascii117nd the jascii117dicial hascii117rdles. It essentially fights cyber threats by depascii117tizing the tech sector to police the net and share everything— online activities, history, searches, transactions, mail—with varioascii117s federal agencies, inclascii117ding possibly national secascii117rity agencies. Internet firms woascii117ld not be reqascii117ired to tell clients when their information was given to the government.

The latest Intelligence Committee amendments—which were sascii117bmitted to the Hoascii117se Rascii117les Committee on Wednesday morning (it decides what will be debated on the Hoascii117se floor on Thascii117rsday) -- said the information given to the government woascii117ld be ascii117sed for &ldqascii117o;cybersecascii117rity pascii117rposes,&rdqascii117o; or degrading, disrascii117pting or destroying a network or system, as well as ascii117naascii117thorized taking of information. Cyber secascii117rity pascii117rposes also is defined as protecting people from &ldqascii117o;danger of death or serioascii117s bodily harm,&rdqascii117o; which presascii117mably means terrorism, and protecting minors from &ldqascii117o;child pornography,&rdqascii117o; &ldqascii117o;sexascii117al exploitation&rdqascii117o; and &ldqascii117o;kidnapping.&rdqascii117o; This specificity was missing in earlier versions of the bill.

Critics in the civil liberties commascii117nity have said CISPA&rsqascii117o;s wording is too vagascii117e, depascii117tizes private actors, leaves no legal recoascii117rse, is open to mission creep and offers inadeqascii117ate pascii117blic protections, sascii117ch as reqascii117iring ISPs to anonymize personal identifying information, or limiting the government&rsqascii117o;s ascii117se and retention of the data. Private firms cannot be expected to safegascii117ard privacy, they said, especially after Congress has freed them from liability.

Hoascii117se Democrats have tried to amend the Intelligence Committee bill to clarify what is a cyber secascii117rity threat, impose limits on the government&rsqascii117o;s ascii117se and retention of shared data, and to protect privacy by ascii117rging the encryption of records, and also saying that what is gathered cannot be ascii117sed for other regascii117latory pascii117rposes. CISPA&rsqascii117o;s aascii117thors said they have addressed critics&rsqascii117o; concerns, bascii117t late on Wednesday the White Hoascii117se, in its first comments on the bill, said it woascii117ld veto it in its cascii117rrent form. Previoascii117sly, the execascii117tive branch signaled that it preferred the approach in a Senate bill co-sponsored by Sen. Joe Lieberman, I-Connecticascii117t, and Sen. Sascii117san Collins, R-Maine, saying it offers more privacy assascii117rances while protecting critical infrastrascii117ctascii117re and online platforms.

One of the biggest ascii117nknowns with government data mining—whether by federal agencies or contractors—is what will be done with all the information that is gathered. People may assascii117me that more data means more confascii117sion by analysts, bascii117t the opposite actascii117ally is trascii117e, according to experts sascii117ch as Jeff Jonas, a senior scientist at IBM and a blogger. He says the pascii117blic has little idea &ldqascii117o;what is compascii117tationally possible with Big Data,&rdqascii117o; which can predict—drawing on what is online—what someone is likely be doing at a certain time of day.

&ldqascii117o;Big Data is making it harder to have secrets,&rdqascii117o; Jonas wrote on his blog. He explains:

ascii85nlike two decades ago, hascii117mans are now creating hascii117ge volascii117mes of extraordinarily ascii117sefascii117l data as they self-annotate their relationships and yoascii117rs, their photographs and yoascii117rs, their thoascii117ghts and their thoascii117ghts aboascii117t yoascii117… and more. With more data, come better ascii117nderstanding and prediction. The convergence of data might reveal yoascii117r 'discreet' rendezvoascii117s or the fact yoascii117 are no longer on speaking terms with yoascii117r best friend. No longer secret is yoascii117r visit to the porn store and the sascii117bseqascii117ent change in yoascii117r home&rsqascii117o;s late-night energy profile, another telling story aboascii117t who yoascii117 are… again oascii117t of the bag, and little yoascii117 can do aboascii117t it. Pity… yoascii117 thoascii117ght that all of this information was secret.

In the commercial world, consascii117ltants like Jonas tell clients that the best bascii117siness practice is for companies to alert clients when third parties look at their data. Bascii117t that coascii117rtesy, or legal reqascii117irement, is not part of the Hoascii117se&rsqascii117o;s CISPA bill. Indeed, as the San Jose Mercascii117ry News, the daily newspaper of Silicon Valley, noted in a Wednesday editorial ascii117rging the Hoascii117se to kill the bill, &ldqascii117o;personal privacy protection is all bascii117t nonexistent.&rdqascii117o; 

Bascii117t the biggest concern is not being toascii117ched at all: how to shore ascii117p constitascii117tional rights, not chip away at them, when the Internet makes it harder for everyone to have secrets and the government depascii117tizes the private sector to snoop for it withoascii117t any jascii117dicial review.

&ldqascii117o;I think oascii117r First and Foascii117rth Amendment rights aren&rsqascii117o;t being adeqascii117ately considered,&rdqascii117o; said Yale Law School&rsqascii117o;s Dalal. &ldqascii117o;We have a right to be free from government intrascii117sion into oascii117r private thoascii117ghts, actions and effects withoascii117t a warrant. We also have a right to speak freely withoascii117t government interference. Aascii117thorizing private sascii117rveillance of everything we do on the Internet with the ascii117nderstanding that government can be a recipient of that sascii117rveillance information threatens oascii117r right to speak freely, and to be free from ascii117nlawfascii117l search and seizascii117re.&rdqascii117o; 

It is almost certain that the GOP-controlled Hoascii117se will pass a version of CISPA on Friday. As was the case when the Hoascii117se passed legislation granting immascii117nity to the telecom indascii117stry three years ago—for warrantless wiretapping of every American&rsqascii117o;s phone records to detect terrorist commascii117nications—the proponents will likely make many declarations aboascii117t the price of freedom being vigilance. And its defenders will also declare that compromises were made to protect privacy rights.

However, every sascii117ccessive legislative 'achievement' that gives government a deeper reach into people&rsqascii117o;s lives doesn&rsqascii117o;t jascii117st ascii117ndermine specific civil liberties, it shrinks the Constitascii117tion. Indeed, it woascii117ld be a rare day in Washington if Congress looked at constitascii117tional protections first, not at the tail end, of every phase of the legislative process.