Balkinization  

Friday, April 20, 2012

A Review of the Cyber Intelligence Sharing and Protection Act (CISPA)

Guest Blogger

Anjali Dalal

Google’s Wi-Spy incident first caused alarm bells to go off in Washington and raised the ire of privacy activists two years ago -- and it continues to make headlines today. And it’s completely understandable. Google (mistakenly) collected three years of data from unencrypted wireless networks across the country through its camera-equipped Street View cars. The FCC fined them. The FTC scolded them. Connecticut sued them. And now Representative Ed Markey is asking for a hearing on it.

Despite all of this government wide revulsion against private surveillance, Congress is currently discussing a bill that will authorize the corporate surveillance of private communication and information. In fact, the Cyber Intelligence Sharing and Protection Act (“CISPA”) authorizes Google and other Internet and Online Service Providers to gather significantly more private information than the Wi-Spy incident produced. And, as are so many dangerous pieces of legislation these days, it’s being passed under the guise of national security.

There are a number of troublesome parts of the bill. Here are the worst:

1. Void for Vagueness

The bill authorizes the “sharing of certain cyber threat intelligence and cyber threat information” between the government and private entities. But what constitutes cyber threat intelligence? Does it include only detailed information about who is planning to wipe out critical infrastructure? Or does it extend to tweets from excited British tourists who make the unfortunate mistake of using the slang term “destroy” in the context of their upcoming trip to America?
The bill says that cyber threat information includes:
information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from— (A) efforts to degrade, disrupt, or destroy such system or network; or (B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private and government information
There is a lot of innocuous communication that could look like or be construed as a threat to the network. Using encrypted communication could be construed as a threat to the network simply because it reflects active efforts by the communicating parties to obfuscate their communication. Though some might feel this sort of encryption implies a guilty conscience, many others encrypt communication because it is a legitimate and sometimes necessary way to protect one’s privacy. And, as Orin Kerr has written extensively about with respect to the Computer Fraud and Abuse Act, a broad reading of “unauthorized access” captures a lot of common activities under the purview of this legislation.
The bill originally stated that information regarding the “theft or misappropriation of private or government information, intellectual property, or personally identifiable information” was considered cyber threat intelligence under the statute. While the direct reference to intellectual property seems to have disappeared for now, it remains unclear what the bill means by its reference to the misappropriation of “private information.” It could very well include intellectual property.

2. Deputizes Private Actors to Do the Job of Law Enforcement

The bill puts surveillance authority in the hands of private entities. It authorizes private entities to “use cybersecurity systems to identify and obtain cyber threat information” and to “share such cyber threat information with any other entity, including the Federal Government.”
By authorizing private entities to engage in surveillance, this bill is outsourcing the responsibilities of law enforcement. This is worrisome for a number of reasons. First, private entities are not limited by the constraints mandated by the Constitution. Deputizing private entities to do the job of law enforcement means circumventing the protections of the Fourth Amendment at the cost to the public being monitored.
Second, contracting out core government functions provides less accountability when things go wrong. For example, when the Blackwater incident occurred in Iraq in 2007, the government blamed Blackwater. One of the deep frustrations about the Blackwater incident was that there was seemingly no accountability within the government for what happened. The American people expected that while the U.S. was in a war with Iraq, the people fighting that war would be American troops reporting to the American government, authorized by and subject to American law. And they were wrong. A somewhat similar issue arises with this bill. When the government contracts out its responsibilities, it contracts out its accountability too.
Third, this is not a core competency of private entities. Google does not know how to find a terrorist. Deputizing them to do so threatens to create more noise and confusion.

3. No Legal Recourse

The bill protects all participating entities “acting in good faith.” So, what happens when Comcast hands over mountains of data under the encouragement and with the appreciation of the Federal Government? We can’t sue the government, because they didn’t do anything. And we can’t sue Comcast because the bill forbids it. Sound familiar? That’s because for those who followed the FISA Amendments Act, it is.

4. Mission Creep

The bill provides that:
The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if—

      (A) the use of such information is not for a regulatory purpose; and
      (B) at least one significant purpose of the use of such information is—
            (i) a cybersecurity purpose; or
            (ii) the protection of the national security of the United States

This language makes clear that the government envisions a use of this data beyond the purposes of cybersecurity, which raises the question of what other purposes the data is being used for. Without stated limitations on use, mission creep seems inevitable. Moreover, such vague authorizations on the use of personal information obtained without any process whatsoever are deeply troubling and constitutionally suspect.

And while the bill requires the Inspector General of the Intelligence Community to submit a report to Congress detailing how information they received was used by the Federal Government, this requirement is undercut by the fact that the government is authorized to place information in a “classified annex” if necessary. The danger here is, of course, how information is distributed between the main body of the report and the classified annex. If everything is classified, an annual report provides neither transparency nor comfort. And this concern isn’t unwarranted. A similar battle continues to be fought by those who attempt to avail themselves of Freedom of Information Laws in areas as innocuous as intellectual property, only to find their efforts stymied by state secret exemptions.

5. Weak Protections

There aren’t too many protections in this bill. One good one is the affirmative search restriction, which states that the Federal Government may not affirmatively search cyber threat information shared with the Federal Government unless it concerns cybersecurity or the protection of national security more generally. This is a good thing. This hopefully means that though the government will be keeping a massive trove of data on Americans, they won’t be using it to check to see if we fit the profile for some unsolved crimes they are trying to close.

That said, the government casts a pretty wide net when it comes to what constitutes cybersecurity and the protection of national security. The government has previously squeezed intellectual property enforcement and the stonewalling of litigation around warrantless wiretapping into that net.

This bill is a long way from passage, but given its unprecedented scope and authorizations, it’s worth keeping an eye on.

Anjali Dalal is a resident fellow at the Yale Information Society Project. You can reach her by e-mail at anjali.dalal at yale.edu