Privacy Fail: House Passes Cyber Intelligence Law: Op-Ed

hackers, anonymous
Anonymous supporters during a 2008 protest against the Church of Scientology in Los Angeles. (Image credit: Vincent Diamante/Creative Commons)

Jeff Nesbit was the director of public affairs for two prominent federal science agencies and is a regular contributor to U.S. News & World Report, where this article first ran before appearing in LiveScience's Expert Voices: Op-Ed & Insights.

Anonymous has had an extraordinary run of successes lately. It somehow managed to hack into North Korea's closed Internet network (twice), which must have agitated that nation's military leadership to no end. It also used social media tools to bring to light the hideous acts at the center of teen suicides in several communities in North America.

But, unfortunately, the hacker collective largely failed recently to derail the Cyber Intelligence Sharing and Protection Act (CISPA) in much the same way that earlier efforts helped derail the Stop Online Piracy Act (SOPA). As a result, CISPA is still rolling along through Congress, despite efforts by civil liberties groups to slow it down. [House Passes CISPA Cybersecurity Bill — Again]

Anonymous had called for an Internet blackout recently to protest CISPA, a new cyber-security bill that would shield big companies that turn over private information to the government. A similar effort helped derail SOPA a year ago.

But, SOPA attracted opposition from lots of big tech companies along with civil liberties groups. For that reason, many of them supported the efforts to derail SOPA, including an Internet blackout where tens of thousands of sites took part.

That's not the case with CISPA, which passed the House of Representatives recently and is now before the Senate. A very long list of major companies — including AT&T, Verizon, Intel, HP, Time Warner Cable, IBM, Comcast, McAfee, Oracle, Google and Facebook — like CISPA because it lets them off the hook. So when Anonymous called for a blackout to protest CISPA, it fell on deaf ears to the big tech, Internet and cable companies responsible for vast swaths of the Internet.

For that reason, the recent Anonymous-led Internet blackout drew support from just a few hundred small websites. Basically, no one noticed — largely because the big tech companies didn't help.

So why do those big tech and Internet companies like CISPA?

For starters, they don't have to monitor users' activity. When federal agencies ask for personal information, the companies can provide that information without worrying about it — it becomes the government's responsibility. Companies won't be liable for breaking terms of service by giving up personal information. [The CISPA Cybersecurity Bill Is No SOPA, but It's Bad Enough]

Here's how CISPA would work. Imagine that Iran launches a cyber-security attack against Google or Facebook. The Department of Homeland Security (DHS) asks those companies to turn over users' private information, data the agency believes will be helpful in tracking the source and nature of the threat.

But, in turning over that user information, the companies aren't required to anonymize the data. That would be expensive, and a burden to companies, their lobbyists have argued. What's more, it might also make DHS's job harder. An effort to require companies to anonymize user information before turning it over to federal authorities didn't work — though an amendment added in the House requiring the government to do so before it passes information on to companies did succeed.

As written now in the CISPA language, Internet sites and companies are not required to make private user information anonymous before providing it to federal authorities. Only the government, on its end, is required to anonymize such personal information.

"CISPA essentially would override the relevant provisions in all other laws — including privacy laws," the non-profit group Electronic Frontier Foundation said in a statement. "CISPA is written broadly enough to permit your communications service providers to share your emails and text messages with the government, or your cloud storage company could share your stored files."

CISPA passed the House last year, and then died in the Senate — largely because of privacy concerns. It's possible that could happen again in 2013, but increased online threats from China and Iran have made cyber-security threats much more urgent now.

President Barack Obama has threatened to veto the bill because of the privacy issues. The administration is "concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cyber-security data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable — and not granted immunity — for failing to safeguard personal information adequately," the White House said in a statement.

But CISPA's supporters argue that the privacy concerns are overblown, and that the bill is needed to keep data safe from foreign hackers who attempt to steal information from U.S.-based companies. They also point out that federal authorities need the ability to move quickly to deal with emerging, fast-moving threats, and cumbersome or expensive efforts to anonymize data harms that effort. [Finding the Gaps in Privacy and Security Systems]

A few things have changed with CISPA from 2012 to 2013, as well, which make its passage much more likely: Companies can't use shared information for commercial purposes; federal authorities can't hold on to shared information indefinitely under the guise of "national security"; and there are much clearer rules on which branches of the U.S. government have access to shared data.

Sadly, if CISPA as it's written were to become law, individuals wouldn't even know if their information had been improperly shared. Let's say Google improperly shares your Gmail messages to DHS in a way that's beyond the CISPA guidelines. You aren't told about it. The government would just tell Google about it — not you.

And just to add insult to injury, CISPA would actually provide legal immunity to Google or any other company that provides personal information to federal authorities if it was acting in "good faith" to deal with a cyber-security threat. So even if you wanted to complain, you'd have no legal basis.

There is still time on CISPA, and the former owner of Reddit, Alexis Ohanian, is making the most of it. He posted an interesting video a few days ago in an effort to convince the leaders at Google, Facebook and Twitter to get serious about the privacy concerns in CISPA.

"I'm hoping that all of these tech companies take the stand that their privacy policies matter, their users' privacy matters, and no legislation like CISPA should take that away," Ohanian said in the video. "If someone wants access to our private home or to our mail we would say, well, go get a warrant. Right? CISPA basically says, uh, not necessary. Your digital privacy is irrelevant."

The video then shows Ohanian trying to call the CEO of Google, Larry Page. The Google employee answering the call tells him that no one by that name works at Google. "I am pretty sure there's a Larry Page at Google," Ohanian deadpans in the video.

So, I guess this means that Google won't be sharing Larry Page's personal information with the government if CISPA should become law.

Read Nesbit's most recent Op-Ed: Is China Mining a Rare Earth Monopoly?

This article first appeared as CISPA Back in Play:  Where is Google and Facebook on Privacy This Time Around? in the column At the Edge by Jeff Nesbit on U.S. News & World Report.

The views expressed are those of the author and do not necessarily reflect the views of the publisher.