Could everyone just chill? Just because CISPA sounds a bit like the love child of SOPA and PIPA doesn't mean it has the same intentions or would have the same effects.
If you don't believe me, just take a look (PDF).
OK, here's the short version. CISPA, which was introduced in the House last year by Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., seeks to encourage the sharing of cybersecurity information among the intelligence community and threatened entities. Whether it is likely to achieve its aims is one question, but what has everyone climbing the walls -- from the Electronic Freedom Foundation to the White House -- is the possibility that it poses a threat to personal privacy.
We know, of course, that everyone who flew the flag of protest against SOPA/PIPA came out of that skirmish covered in glory. Politicians enjoy that feeling, and so do earnest activist groups like the EFF. CISPA is not SOPA/PIPA round two, although the bill could certainly be worded more clearly.
It provides for the sharing of "cyber threat intelligence" among entities or individuals who have security clearance to receive such information (pursuant to guidelines to be issued by the Director of National Intelligence). This raises two questions:
- What is "cyber threat intelligence"?
- What can its recipients do with it?
It's the definition of "cyber threat intelligence" that creates the problem. It's information pertaining to threats to "degrade, disrupt, or destroy" a system or network, or to the "theft or misappropriation of private or government information, intellectual property, or personally identifiable information." Yes, it includes "intellectual property," and that's what has veterans of the SOPA/PIPA campaign pulling their boots on.
As for question No. 2, the bill provides that -- "notwithstanding any other provision of law" -- such intelligence may be shared with any other entity designated by the "protected" (i.e., threatened) entity, including ("if specifically designated") the federal government.
According to EFF activism director Rainey Reitman, this means:
CISPA would allow ISPs, social networking sites, and anyone else handling Internet communications to monitor users and pass information to the government without any judicial oversight.
She also calls the language of the bill "dangerously vague." Vague it is; it's a bill, after all. But dangerously so? Firstly, the bill doesn't allow "anyone" to handle this information -- only entities and individuals with security clearance under guidelines that haven't even been drafted yet.
Secondly, the bill reserves to the protected entities (the entities under threat) the right to designate recipients of the information. As for the doomsday-sounding "notwithstanding any other provision of law," the bill explicitly states:
Nothing in this section shall be construed to permit the Federal Government to... require a private-sector entity to share information with the Federal Government.
The bill also limits government use of any such information to cybersecurity purposes, although one can readily grant the elasticity of such a restriction.
In fact, the bill's overall purpose seems to be to allow the intelligence community and embattled enterprises to share the information about cybersecurity they choose to share -- and in fact places some protections on what can be done with the information, including making the federal government accountable to congressional intelligence committees for use of any information garnered under the bill's provisions.
The simplest way to give this basically well-intentioned piece of legislation a PR facelift would be to just erase the references to intellectual property, which are hardly central to a working definition of "cyber threat intelligence."
Don't expect to see another Internet day of action against CISPA -- after all, Facebook and other big beasts of the digital jungle support it. But be reassured: If it passes into law, it's not going to change the world. For better or worse.
— Kim Davis , Community Editor, Internet Evolution