An introduction to CISPA – Can I Spy on you Please? Act

máj 07, 2012 by Dr. Mezei Péter in Nemzetközi szerzői jog

After the waves of PIPA and SOPA starting to fade away, newer proposals are coming in the US Congress. One of them, which is highly debatable, is the Cyber Intelligence Sharing and Protection Act (CISPA). Let us see this in broad lines!

Even I was really happy, when in January SOPA got shelved and it seemed that this story practically ended. The online and street protests delivered a result, most people were delighted with the outcome. However, there are campaigns still, in which they address the President of the United States. „Tell Obama to promise: ‘I will never advance legislation that blocks websites or disconnects Americans’ internet access.'”

1984 coming to life?

No newer proposals have been shown to the public concerning this topic. However, we have CISPA, another Internet-based bill, dealing with cybersecurity issues. As Ernesto wrote on TorrentFreak: „In short CISPA would allow companies to spy on Internet users and collect and share this data with third-party companies or Government agencies. As long as the company states that these privacy violations are needed to protect against ‘cybersecurity’ threats, they are immune from civil and criminal liabilities.”

CISPA is not a brand new proposal: it was introduced on 30th November 2011 by Michigan Republican Michael J. „Mike” Rogers. If we look at the text, we would see that it is basically an amendment to the National Security Act of 1947. It is interesting that the definitions are not at the beginning of Section 2, they are at the end, in paragraph (h). So we have to read through almost the complete text to find out, what this is all about. In Sec. 2. (a) there are general provisions about cyber threat intelligence and information sharing. It defines the persons with whom the informations could be shared – (b) describes the use and the sharing itself. (c) is about the „Federal Government Use of Information,” which is important and questionable. Let us see the text:

The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)—
‘‘(A) for cybersecurity purposes;
‘‘(B) for the investigation and prosecution of cybersecurity crimes;
‘‘(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
‘‘(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or
‘‘(E) to protect the national security of the United States.

Michael J. „Mike” Rogers

I cannot argue with (A), (B) and (E). But I do not see the point in putting (C) and (D) in this paragraph. Even, in this bill. Do you remember the Protecting Children From Internet Pornographers Act of 2011? It was the previous proposal of Lamar Smith, the Texas Republican Representative, who later introduced SOPA. Jim Hood, the Democratic attorney general of Mississippi, and co-chair of a National Association of Attorneys General committee recently likened rogue Web sites to child porn. Maybe this is the reason, why they try to push it in this bill. In the same paragraph we have the part (4), „Protection of Sensitive Personal Documents”, which is quite important, but a little too narrow in my opinion. Because it does not include for example energy providers’ records, which could cause cybersecurity issues, but also contains information that identifies a person. Robert Pear has an idea, why: „The Senate is working on a more comprehensive bipartisan bill that directs the secretary of the Department of Homeland Security to issue regulations to protect ‘critical infrastructure,’ including the electric power grid, water and sewer systems, transportation hubs and financial service networks.”

If we get back to the proposal, in paragraph (d) we have the liability of the Federal Government – if a department or agency intentionally or willfully violates the previous subsections „with respect to the disclosure, use, or protection of voluntarily shared under this section, the United States shall be liable to a person adversely affected by such violation.” What is surprising, that „no action shall lie under this subsection unless such action is commenced not later than two years after the date of the violation.” This is quite contradictory. On the one hand, if the government could store personal data for two years of every possible „cybercriminal citizen”, the citizen rights groups would not be happy. On the other hand, nowadays two years is not a long time, and if some information could have been useful, it is not good if they cannot seek any action after this short period.

Paragraphs (e) and (f) are not very important, (g) contains the saving clauses, the aforementioned (h) includes the definitions. Section 3. is the Sunset, which is due 5 years after the date of the enactment of this Act.

They are not the same, but people think so.

The main problem with this proposal is that it allows practically every company to share information with the government of possible cybersecurity problems. Of course it is voluntary, but we know, how things work. The other concerning fact that it is dealing with individual Internet subscribers, not copyright infringing websites. They are trying to go after the small fish, instead of the big one. We should note, that the word copyright is not even mentioned in the proposal. It is the most important evidence that CISPA is not a new version of SOPA/PIPA. The fear is that by giving „cyber threat intelligence” to the government of the citizens, they should see the possible copyright infringements as well. This would be quite an effective tie-in, I guess.

However, CISPA was voted yes 248 to 168 on 26th April in the House of Representatives, and it is going to the Senate. There were not too many objections until now, but maybe this is because they simply did not have enough time. For example, the vote was held one day before it was initially projected… However, Texas Repubican Joe L. Barton, who voted against the legislation, said: „We do have a real cyberthreat in this country, and this bill is an honest attempt to deal with it, [… b]ut the absence of explicit privacy protections for individuals is, to me, a greater threat to democracy and liberty than the cyberthreats that face America.” The House Democratic leader, Representative Nancy Pelosi of California, said, “The threat of cyberattack is a real one, but the response must balance freedom and security.”

If you want to read more about CISPA and other opinions, I recommend the articles of Leigh Beadon and Mike Masnick.