The bill makes it clear that companies aren’t supposed to share information willy-nilly, and the government isn’t supposed to use it for any purpose except cybersecurity. A social-networking company shouldn’t, for example, tell the Department of Homeland Security what books you’re reading, and the NSA shouldn’t start a file on you based on that intelligence. But if they do, you’ll have little legal recourse. In fact, you’ll probably never know about it, since the sharing authorized by CISPA is exempted from the Freedom of Information Act.
Facebook’s response to those who’ve criticized its support for the bill is, basically, “trust us.” In a blog post Friday, its vice president for U.S. public policy explained, “The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this.” That’s good to know. But it’s not a compelling justification for a law that would grant exactly that right to Facebook and any number of other companies.
Unlike SOPA, which was such a mess that its opponents went all out to kill it, some Web activists feel CISPA is salvageable. Rainey Reitman of the nonprofit Electronic Frontier Foundation tells me she’s encouraged by the fact that the bill’s authors have already made multiple rounds of edits. But many critics still seem hung up on the intellectual-property angle. They’re trying to capitalize on anti-SOPA sentiment instead of tackling CISPA on its own terms.
Part of the outrage over SOPA stemmed from the fact that the big tech companies were squeezed out from the bargaining table by entrenched entertainment-industry lobbyists. With CISPA, the tech lobby has been much more involved. Google, for one, has reportedly been working behind closed doors to make the bill palatable to Silicon Valley. But in this case, Web users shouldn’t necessarily be heartened by Google’s dealings, because the company doesn’t share the same interests as its customers. Reitman notes that one of the recent “improvements” to the bill actually broadened companies’ exemptions from liability—a step in the wrong direction for the average citizen.
Other recent amendments have been more encouraging, especially one that requires annual reports to Congress on what’s being shared and how it’s being used. But more changes are needed. The FOIA exemption is irresponsible, given that FOIA already contains provisions to protect information that shouldn’t be shared. And if companies are to have carte blanche to share information related to “cyber threats,” the law must be far clearer on what constitutes a cyber threat and what types of information can be shared.
The absurdity of relying on Google and Facebook to fight for your privacy should be obvious. With corporate Silicon Valley more than happy to have CISPA on the books, the grassroots wing of the geek lobby is going to have to partner instead with traditional civil liberties groups to try and get the bill changed before its scheduled floor vote in the House next week. Surprisingly, the geeks might have a friend in the Obama White House, which signaled its own concerns with CISPA on Tuesday and endorsed a separate cybersecurity bill that faces more opposition from the tech industry.
Internet activists were feeling good after flexing their muscle to beat SOPA. Now we’ll see what happens when they go up against the very companies that helped them win last time around.