In late 2011 and early 2012, activists, progressive politicians and Internet companies led in part by Internet freedom advocate Aaron Swartz came together to defeat the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA). Advertised as measures against copyright infringement, the bills would have opened any website that contained copyrighted material it was not authorized to publish on any of its pages to a forced shutdown. A site that unknowingly held a copyrighted image in a comment section, for instance, would have been eligible as a violator. Virtually everyone was susceptible to closure.
The Cyber Intelligence Sharing and Protection Act (CISPA) followed SOPA and PIPA in April 2012. CISPA was worse than its predecessors, proposing that private companies be allowed to share user information, a provision that would have violated many privacy protections of the Internet. Recognizing this, Swartz fought again. “It sort of lets the government run roughshod over privacy protections and share personal data about you,” he said of the bill at the time. Again, he prevailed.
Now, a year and a half after Swartz killed himself, there is the Cybersecurity Information Sharing Act. CISA is a lot like CISPA, but could end up being even worse. Privacy and civil rights groups including the ACLU and the Electronic Frontier Foundation are standing up to fight it. In an article about the bill, the ACLU’s Sandra Fulton wrote: CISA “poses serious threats to our privacy, gives the government extraordinary powers to silence potential whistleblowers, and exempts these dangerous new powers from transparency laws.” The bill has been approved by the Senate Select Committee on Intelligence and will move to the Senate soon.
Gabe Rottman, a legislative counsel and policy adviser for the ACLU, spoke with Truthdig about CISA. He said the legislation resembles not only CISPA, but the proposed Cybersecurity Act of 2012, which according to him would have been a better bill for protecting privacy and preventing government overreach. “It represented a compromise between the privacy community, industry and the folks pushing cybersecurity on the Hill,” he said of the 2012 legislation. That bill did not pass. CISA borrows some of its elements and removes its privacy and civil rights protections.
“It would allow the use of information that is shared with the government for cybersecurity purposes to be used in the prevention and investigation of crime under the Espionage Act, which includes national security leaks and whistle-blowers,” Rottman added. He said CISA would allow government intelligence agencies not only to retrieve metadata from communication companies on a “voluntary” basis, but also to collect content from emails, texts or other written communications without a warrant. Once the information is in the possession of the Department of Homeland Security, the measure would allow it to be shared with other government entities such as the NSA and the military and possibly even local police forces.
“It could quite literally become an investigative tool,” Rottman said. CISA could enable the government to approach a communications company and find bundles of communications from a number of suspects anytime a new whistle-blower is suspected. It has a provision that is meant to protect people. Personal information is supposed to be removed if it isn’t related to a cybersecurity threat, but it’s unclear how much information would actually be scrubbed.
A further problem with CISA is that it removes protections under Freedom of Information Act and state laws that would allow people to inquire whether their communications have been collected. Rottman said that “the chance you’ll find out that your information has been shared is lessened because of the FOIA exception, and there is an incentive for oversharing, and the information automatically gets shared with the rest of the government.” Furthermore, the bill protects companies that share information from being scrutinized for having done so.
Additionally, CISA doesn’t affect just whistle-blowers and those people who could be considered serious threats to intelligence agencies. It applies to anyone the government could deem a cybersecurity threat as well. This qualification for suspicion is very broad.
In the case against Swartz over his massive, unauthorized downloading of commercial academic journals from MIT, the courts used the Computer Fraud and Abuse Act of 1984 to prosecute him, alleging that downloading the journals was a violation of the network’s terms of service. Under the CFAA, violating the terms of service for any website or Internet tool is considered a criminal offense. For instance, lying about one’s age when registering with a website or accidentally breaking a rule listed in user contracts with Facebook or an email platform could make one a culprit. Under CISA, such harmless violations would make user communications legally vulnerable to government access.
Privacy and civil rights groups also contend CISA does not contain any provisions to protect Net neutrality. Where the Cybersecurity Act of 2012 maintained that terms like “cybersecurity threat” could not be used to inflict damage on open Internet rules, CISA contains no such language.
The ACLU, Electronic Frontier Foundation and many organizations believe CISA would be a boon to the NSA and other intelligence agencies, as well as a serious threat to privacy and protection from warrantless investigation. The Fourth Amendment is meant to protect Americans from such monitoring, but CISA could erase that civil right. Swartz led the fight against the death of our privacy, an open Internet and protection from persecution online. In his absence, others are stepping up to the plate. People continue to be outraged over the revelations made by NSA whistle-blower Edward Snowden, but the government continues to pump steroids into the spy agency’s far-reaching arms.