How Worried Should I Be About CISPA? Is it SOPA 2.0?

Innovation, the Internet, gadgets, and more.
April 18 2012 1:45 PM

Not Another SOPA

CISPA isn’t the Stop Online Piracy Act 2.0, but you should still be wary of the latest congressional tech bill.

Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA).
Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) outside the New York offices of Sen. Charles Schumer and Sen. Kirsten Gillibrand on Jan. 18, 2012

Photograph by Mario Tama/Getty Images.

Three months ago, the Stop Online Piracy Act was killed by righteous, indignant Internet activists who found the legislation so menacing that they blacked out their sites in protest. Now, the story goes, SOPA is back, like a movie villain rising from the grave for a bloody sequel. CISPA, the Cyber Intelligence Sharing and Protection Act, has been dubbed “SOPA 2.0” by tech blogs, who want you to believe it’s the same devil in a new disguise.

Will Oremus Will Oremus

Will Oremus is Slate's senior technology writer.

They’re wrong. CISPA is a different devil altogether. And while it’s unlikely to provoke anywhere near the same level of outcry as SOPA, it has the potential to be insidious in its own right. The difference is that, if CISPA is abused, it won’t be the tech firms that get hurt. It will be you.

SOPA was primarily about intellectual property. The bill would have given digital rights-holders—record companies and film studios, for instance—sweeping power to go after websites that appeared to “enable or facilitate” copyright infringement. Those that didn’t comply could be blacklisted. It’s easy to see why companies like Google and Facebook adamantly opposed it. It was a broadside against the culture of free sharing that underpins their business models.

CISPA, in contrast, is about cybersecurity, not your bootleg copy of Avatar. Its main goal is not to protect copyright-holders’ profits, but to protect websites and the government from hackers. Early incarnations of the bill set SOPA opponents on edge with a line about protecting intellectual property. But its bipartisan sponsors, Reps. Mike Rogers of Michigan and Dutch Ruppersberger of Maryland, wisely edited CISPA last week to remove that mention. It should now be clear to all but the most paranoid that CISPA isn’t SOPA 2.0. At this point, to label it as such is to both miss the bill’s legitimate aim and to overlook the bill’s real potential harms.

So what is CISPA all about? The bill’s most important provision would protect companies from lawsuits that might arise from the confidential sharing of “cyber threat information” with the government. But what, exactly, constitutes “cyber threat information”? That’s where it gets a bit murky.

There’s a legitimate aim here to improve communication between the federal government and Web companies when it comes to hacking, whether the attacks come from the Chinese government, Anonymous, or criminal gangs. Right now, both the government and Web firms risk opening themselves to lawsuits if they divulge private information to one another. That makes it hard to track attack patterns, leaving both sides in the dark. The bill sets up a legal framework for them to do that sort of sharing without exposing the information to the public.

And that explains why companies like Facebook and Microsoft, which opposed SOPA, are backing this bill. CISPA doesn’t require Web firms like Facebook to do anything. Rather, it grants their officials special access to the government’s information on “cyber threats”—access the general public doesn’t have.

That sounds good as long as you have full faith in companies and the government not to mishandle any of your information in the name of cybersecurity. The bill’s current language authorizes the sharing of “information pertaining directly to a vulnerability of, or threat to, a system or network of a government or private entity.” Could that information include users’ names, addresses, and credit card numbers? Records of other sites they’ve visited? The bill doesn’t say. How does a company decide whether there’s enough reasonable suspicion to justify sharing a given user’s data? It doesn’t explain that either.

The bill makes it clear that companies aren’t supposed to share information willy-nilly, and the government isn’t supposed to use it for any purpose except cybersecurity. A social-networking company shouldn’t, for example, tell the Department of Homeland Security what books you’re reading, and the NSA shouldn’t start a file on you based on that intelligence. But if they do, you’ll have little legal recourse. In fact, you’ll probably never know about it, since the sharing authorized by CISPA is exempted from the Freedom of Information Act.

Facebook’s response to those who’ve criticized its support for the bill is, basically, “trust us.” In a blog post Friday, its vice president for U.S. public policy explained, “The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this.” That’s good to know. But it’s not a compelling justification for a law that would grant exactly that right to Facebook and any number of other companies.

Unlike SOPA, which was such a mess that its opponents went all out to kill it, some Web activists feel CISPA is salvageable. Rainey Reitman of the nonprofit Electronic Frontier Foundation tells me she’s encouraged by the fact that the bill’s authors have already made multiple rounds of edits. But many critics still seem hung up on the intellectual-property angle. They’re trying to capitalize on anti-SOPA sentiment instead of tackling CISPA on its own terms.

Part of the outrage over SOPA stemmed from the fact that the big tech companies were squeezed out from the bargaining table by entrenched entertainment-industry lobbyists. With CISPA, the tech lobby has been much more involved. Google, for one, has reportedly been working behind closed doors to make the bill palatable to Silicon Valley. But in this case, Web users shouldn’t necessarily be heartened by Google’s dealings, because the company doesn’t share the same interests as its customers. Reitman notes that one of the recent “improvements” to the bill actually broadened companies’ exemptions from liability—a step in the wrong direction for the average citizen.

Other recent amendments have been more encouraging, especially one that requires annual reports to Congress on what’s being shared and how it’s being used. But more changes are needed. The FOIA exemption is irresponsible, given that FOIA already contains provisions to protect information that shouldn’t be shared. And if companies are to have carte blanche to share information related to “cyber threats,” the law must be far clearer on what constitutes a cyber threat and what types of information can be shared.

The absurdity of relying on Google and Facebook to fight for your privacy should be obvious. With corporate Silicon Valley more than happy to have CISPA on the books, the grassroots wing of the geek lobby is going to have to partner instead with traditional civil liberties groups to try and get the bill changed before its scheduled floor vote in the House next week. Surprisingly, the geeks might have a friend in the Obama White House, which signaled its own concerns with CISPA on Tuesday and endorsed a separate cybersecurity bill that faces more opposition from the tech industry.

Internet activists were feeling good after flexing their muscle to beat SOPA. Now we’ll see what happens when they go up against the very companies that helped them win last time around.

TODAY IN SLATE

History

Slate Plus Early Read: The Self-Made Man

The story of America’s most pliable, pernicious, irrepressible myth.

Rehtaeh Parsons Was the Most Famous Victim in Canada. Now, Journalists Can’t Even Say Her Name.

Mitt Romney May Be Weighing a 2016 Run. That Would Be a Big Mistake.

Amazing Photos From Hong Kong’s Umbrella Revolution

Transparent Is the Fall’s Only Great New Show

The XX Factor

Rehtaeh Parsons Was the Most Famous Victim in Canada

Now, journalists can't even say her name.

Doublex

Lena Dunham, the Book

More shtick than honesty in Not That Kind of Girl.

What a Juicy New Book About Diane Sawyer and Katie Couric Fails to Tell Us About the TV News Business

Does Your Child Have Sluggish Cognitive Tempo? Or Is That Just a Disorder Made Up to Scare You?

  News & Politics
History
Sept. 29 2014 11:45 PM The Self-Made Man The story of America’s most pliable, pernicious, irrepressible myth.
  Business
Moneybox
Sept. 29 2014 7:01 PM We May Never Know If Larry Ellison Flew a Fighter Jet Under the Golden Gate Bridge
  Life
Dear Prudence
Sept. 30 2014 6:00 AM Drive-By Bounty Prudie advises a woman whose boyfriend demands she flash truckers on the highway.
  Double X
Doublex
Sept. 29 2014 11:43 PM Lena Dunham, the Book More shtick than honesty in Not That Kind of Girl.
  Slate Plus
Slate Fare
Sept. 29 2014 8:45 AM Slate Isn’t Too Liberal, but … What readers said about the magazine’s bias and balance.
  Arts
Brow Beat
Sept. 29 2014 9:06 PM Paul Thomas Anderson’s Inherent Vice Looks Like a Comic Masterpiece
  Technology
Future Tense
Sept. 30 2014 7:36 AM Almost Humane What sci-fi can teach us about our treatment of prisoners of war.
  Health & Science
Bad Astronomy
Sept. 30 2014 7:30 AM What Lurks Beneath The Methane Lakes of Titan?
  Sports
Sports Nut
Sept. 28 2014 8:30 PM NFL Players Die Young. Or Maybe They Live Long Lives. Why it’s so hard to pin down the effects of football on players’ lives.