an unanticipated consequence of
Jack M. Balkin
Jack Balkin: jackbalkin at yahoo.com
Bruce Ackerman bruce.ackerman at yale.edu
Ian Ayres ian.ayres at yale.edu
Mary Dudziak mary.l.dudziak at emory.edu
Joey Fishkin joey.fishkin at gmail.com
Heather Gerken heather.gerken at yale.edu
Abbe Gluck abbe.gluck at yale.edu
Mark Graber mgraber at law.umaryland.edu
Stephen Griffin sgriffin at tulane.edu
Bernard Harcourt harcourt at uchicago.edu
Scott Horton shorto at law.columbia.edu
Andrew Koppelman akoppelman at law.northwestern.edu
Marty Lederman msl46 at law.georgetown.edu
Sanford Levinson slevinson at law.utexas.edu
David Luban david.luban at gmail.com
Gerard Magliocca gmaglioc at iupui.edu
Jason Mazzone mazzonej at illinois.edu
Linda McClain lmcclain at bu.edu
John Mikhail mikhail at law.georgetown.edu
Frank Pasquale pasquale.frank at gmail.com
Nate Persily npersily at gmail.com
Michael Stokes Paulsen michaelstokespaulsen at gmail.com
Deborah Pearlstein dpearlst at princeton.edu
Rick Pildes rick.pildes at nyu.edu
Alice Ristroph alice.ristroph at shu.edu
Neil Siegel siegel at law.duke.edu
Brian Tamanaha btamanaha at wulaw.wustl.edu
Mark Tushnet mtushnet at law.harvard.edu
Adam Winkler winkler at ucla.edu
A Review of the Cyber Intelligence Sharing and Protection Act (CISPA)
Google’s Wi-Spy incident first caused alarm bells to go off in Washington and raised the ire of privacy activists two years ago -- and it continues to make headlines today. And it’s completely understandable. Google (mistakenly) collected three years of data from unencrypted wireless networks across the country through its camera-equipped Street View cars. The FCC fined them. The FTC scolded them. Connecticut sued them. And now Representative Ed Markey is asking for a hearing on it.
Despite all of this government wide revulsion against private surveillance, Congress is currently discussing a bill that will authorize the corporate surveillance of private communication and information. In fact, the Cyber Intelligence Sharing and Protection Act (“CISPA”) authorizes Google and other Internet and Online Service Providers to gather significantly more private information than the Wi-Spy incident produced. And, as are so many dangerous pieces of legislation these days, it’s being passed under the guise of national security.
There are a number of troublesome parts of the bill. Here are the worst:
1. Void for Vagueness
The bill authorizes the “sharing of certain cyber threat intelligence and cyber threat information” between the government and private entities. But what constitutes cyber threat intelligence? Does it include only detailed information about who is planning to wipe out critical infrastructure? Or does it extend to tweets from excited British tourists who make the unfortunate mistake of using the slang term “destroy” in the context of their upcoming trip to America?
The bill says that cyber threat information includes:
information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from— (A) efforts to degrade, disrupt, or destroy such system or network; or (B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private and government information
There is a lot of innocuous communication that could look like or be construed as a threat to the network. Using encrypted communication could be construed as a threat to the network simply because it reflects active efforts by the communicating parties to obfuscate their communication. Though some might feel this sort of encryption implies a guilty conscience, many others encrypt communication because it is a legitimate and sometimes necessary way to protect one’s privacy. And, as the Orin Kerr has written extensively about with respect to the Computer Fraud and Abuse Act, a broad reading of “unauthorized access” captures a lot of common activities under the purview of this legislation.
The bill originally stated that information regarding the “theft or misappropriation of private or government information, intellectual property, or personally identifiable information” was considered cyber threat intelligence under the statute. While the direct reference to intellectual property seems to have disappeared for now, it remains unclear what the bill means by its reference to the misappropriation of “private information.” It could very well include intellectual property.
2. Deputizes Private Actors to Do the Job of Law Enforcement
The bill puts surveillance authority in the hands of private entities. It authorizes private entities to “use cybersecurity systems to identify and obtain cyber threat information” and to “share such cyber threat information with any other entity, including the Federal Government.”
By authorizing private entities to engage in surveillance, this bill is outsourcing the responsibilities of law enforcement. This is worrisome for a number of reasons. First, private entities are not limited by the constraints mandated by the Constitution. Deputizing private entities to do the job of law enforcement means circumventing the protections of the Fourth Amendment at the cost to the public being monitored.
Second, contracting out core government functions provides less accountability when things go wrong. For example, when the Blackwater incident occurred in Iraq in 2007, the government blamed Blackwater. One of the deep frustrations about the Blackwater incident was that there was seemingly no accountability within the government for what happened. The American people expected that while the U.S. was in a war with Iraq, the people fighting that war would be American troops reporting to the American government, authorized by and subject to American law. And they were wrong. A somewhat similar issue arises with this bill. When the government contracts out its responsibilities, it contracts out its accountability too.
Third, this is not a core competency of private entities. Google does not know how to find a terrorist. Deputizing them to do threatens to create more noise and confusion.
3. No Legal Recourse
The bill protects all participating entities “acting in good faith.” So, what happens when Comcast hands over mountains of data under the encouragement and with the appreciation of the Federal Government? We can’t sue the government, because they didn’t do anything. And we can’t sue Comcast because the bill forbids it. Sound familiar? That’s because for those who followed the FISA Amendments Act, it is.
4. Mission Creep
The bill provides that:
The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if—
(A) the use of such information is not for a regulatory purpose; and
(B) at least one significant purpose of the use of such information is—
(i) a cybersecurity purpose; or
(ii) the protection of the national security of the United States
This language makes clear that the government envisions a use of this data beyond the purposes of cybersecurity – which begs the question – what other purposes is data being used for? Without stated limitations on use, mission creep seems inevitable. Moreover, such vague authorizations on the use of personal information obtained without any process whatsoever is deeply troubling and constitutionally suspect.
And while the bill requires the Inspector General of the Intelligence Community to submit a report to Congress detailing how information they received was used by the Federal Government, this requirement is set off by the fact the government is authorized to place information in a “classified annex” if necessary. The danger here is, of course, how information is distributed between the main body of the report and the classified annex. If everything is classified, an annual report provides neither transparency nor comfort. And this concern isn’t unwarranted. A similar battle continues to be fought by those who attempt to avail themselves of Freedom of Information Laws in areas as innocuous as intellectual property, only to find their efforts stymied by state secret exemptions.
5. Weak Protections
There aren’t too many protections in this bill. One good one is the affirmative search restriction, which states that the Federal Government may not affirmatively search cyber threat information shared with the Federal Government unless it concerns cybersecurity or the protection of national security more generally. This is a good thing. This hopefully means that though the government will be keeping a massive trove of data on Americans, they won’t be using it to check to see if we fit the profile for some unsolved crimes they are trying to close.