The U.S. House of Representatives is expected to pass a reprehensible
cyber-security bill this week that seeks to protect online
companies—giant social media firms to data-sharing networks controlling
utilities—from cyber attack. It is reprehensible because, as Democratic
San Jose Rep. Zoe Lofgren
said this week,
it gives the federal government too much access to the private lives of
every Internet user. Or as Libertarian Rep. Ron Paul also
bluntly put it, it turns Facebook and Google into “government spies.”
But that’s not the biggest problem with the Congress’s urge to
address a real problem—protecting the Internet from cyber
attacks. While House passage launches a process that
continues in the Senate, the bigger problem with the best known of the cyber bills before the House,
CISPA, the Cyber Intelligence Sharing and Protection Act, is not what is in it -- which is
troubling enough -- but what
is not on Congress’s desk: a comprehensive approach to
stop basic constitutional rights from eroding in the Internet Age.
“I don’t think the current cyber-security debate is adequately
protecting civil liberties,” said Anjali Dalal, a resident fellow with
the Information Society Project at Yale Law School (and a
blogger).
“CISPA seems to place constitutionally suspect behavior outside of
judicial review. The bill immunizes all participating entities ‘acting
in good faith.’ So what happens when an ISP hands over mountains of data
under the encouragement and appreciation of the federal government? We
can’t sue the government, because they didn’t do anything. And we can’t
sue the ISP because the bill forbids it.”
What happens is anybody’s guess. But what does not happen is clear. The government, as with the recently adopted
National Defense Authorization Act of 2012,
does not have to go through the courts when fighting state "enemies" on
U.S. soil. Instead, CISPA, like NDAA, expands extra-judicial procedures
as if America’s biggest threats must always be addressed on a kind
of wartime footing. Constitutional protections, starting with privacy
rights, are mostly an afterthought.
The CISPA bill takes an information-sharing approach to fight cyber
attacks. Nobody has said there’s a problem with the government giving
classified information to private firms to stop attacks. It is the
opposite of that—Internet companies sharing information about users and
their online activities—that raises civil liberties red flags. In
general, the courts
distinguish between
public and private aspects of online activity, holding, for example,
that e-mail addresses, subject lines and traffic patterns are like
snail-mail addresses on the outside of a paper envelope—they are
public. But just as a letter’s contents are private, courts have said
that is true with online activity—although in a recent Supreme
Court case involving wireless surveillance, Justice Sonia Sotomayor
raised the question of how much privacy people should expect in their online activities.
For now, however, the government generally needs a search warrant to
look at the details of people’s online activities. That is because the
Constitution protects civil liberties by restricting government
intrusion into citizens' lives. However, a private company doing the
government’s work for it does not face the same restrictions.
CISPA’s fine print does an
end run around the judicial
hurdles. It essentially fights cyber threats by deputizing the tech
sector to police the net and share everything— online activities,
history, searches, transactions, mail—with various federal agencies,
including possibly national security agencies. Internet firms would not
be required to tell clients when their information was given to the
government.
The latest Intelligence Committee amendments—which were submitted to the House
Rules Committee on Wednesday morning
(it decides what will be debated on the House floor on Thursday) --
said the information given to the government would be used for
“cybersecurity purposes,” or degrading, disrupting or destroying a
network or system, as well
as unauthorized taking of information. Cyber security purposes also is
defined as protecting people from “danger of death or serious bodily
harm,” which presumably means terrorism, and protecting minors from
“child pornography,” “sexual exploitation” and “kidnapping.” This
specificity was missing in earlier versions of the bill.
Critics in the civil liberties community have said CISPA’s wording
is too vague, deputizes private actors, leaves no legal recourse, is
open to mission creep and offers inadequate public protections, such as
requiring ISPs to anonymize personal identifying information, or
limiting the government’s use and retention of the data. Private firms
cannot be expected to safeguard privacy, they said, especially after
Congress has freed them from liability.
House Democrats
have tried to
amend the Intelligence Committee bill to clarify what is a cyber
security threat, impose limits on the government's use and retention
of shared data, and to protect privacy by urging the encryption
of records, and also saying that what is gathered cannot be used for
other regulatory purposes. CISPA’s authors said they have addressed
critics’ concerns, but late on Wednesday the White House, in its first
comments on the bill, said it would
veto it in its current form. Previously, the executive branch signalled that
it preferred the
approach in a Senate bill co-sponsored by Sen. Joe Lieberman,
I-Connecticut, and Sen. Susan Collins, R-Maine, saying it offers more
privacy assurances while protecting critical infrastructure and online
platforms.
One of the biggest unknowns with government data
mining—whether by federal agencies or contractors—is what will be done
with all the information that is gathered. People may assume that more
data means more confusion by analysts, but the opposite actually is
true, according to experts such as Jeff Jonas, a senior scientist at IBM
and a
blogger.
He says the public has little idea “what is computationally possible
with Big Data,” which can predict—drawing on what is online—what someone
is likely be doing at a certain time of day.
“Big Data is making it harder to have secrets,” Jonas wrote on his blog. He
explains:
Unlike two decades ago, humans are now creating huge volumes of
extraordinarily useful data as they self-annotate their relationships
and yours, their photographs and yours, their thoughts and their
thoughts about you… and more. With more data, come better understanding
and prediction. The convergence of data might reveal your "discreet"
rendezvous or the fact you are no longer on speaking terms with your
best friend. No longer secret is your visit to the porn store and the
subsequent change in your home’s late-night energy profile, another
telling story about who you are… again out of the bag, and little you
can do about it. Pity… you thought that all of this information was
secret.
In the commercial world, consultants like Jonas tell clients that the
best business practice is for companies to alert clients when third
parties look at their data. But that courtesy, or legal requirement, is
not part of the House’s CISPA bill. Indeed, as the
San Jose Mercury News, the daily newspaper of Silicon Valley, noted in a Wednesday
editorial urging the House to kill the bill, “personal privacy protection is all but nonexistent.”
But the biggest concern is not being touched at all: how to shore up
constitutional rights, not chip away at them, when the Internet makes it
harder for everyone to have secrets and the government deputizes the
private sector to snoop for it without any judicial review.
“I think our First and Fourth Amendment rights aren’t being
adequately considered,” said Yale Law School’s Dalal. “We have a right
to be free from government intrusion into our private thoughts, actions
and effects without a warrant. We also have a right to speak freely
without government interference. Authorizing private surveillance of
everything we do on the Internet with the understanding that government
can be a recipient of that surveillance information threatens our right
to speak freely, and to be free from unlawful search and seizure.”
It is almost certain that the GOP-controlled House will pass a
version of CISPA on Friday. As was the case when the House passed
legislation
granting immunity to
the telecom industry three years ago—for warrantless wiretapping of
every American’s phone records to detect terrorist communications—the
proponents will likely make many declarations about the price of freedom
being vigilance. And its defenders will also declare that compromises
were made to protect privacy rights.
However, every successive legislative "achievement" that gives
government a deeper reach into people’s lives doesn’t just undermine
specific civil liberties, it shrinks the Constitution. Indeed, it would
be a rare day in Washington if Congress looked at constitutional
protections first, not at the tail end, of every phase of the
legislative process.
Steven Rosenfeld covers democracy
issues for AlterNet and is the author of "Count My Vote: A Citizen's
Guide to Voting" (AlterNet Books, 2008).