Citing its effort to better protect American infrastructure from foreign attacks, the US House of Representatives passed the Cyber Information and Security Protection Act last Thursday, 26 April, in spite of worries that consumer data privacy will be compromised if the bill eventually becomes law.
In an interesting and informative debate hosted by KQED public radio Joshua Johnson in San Francisco yesterday, several parties with strong opinions weighed in on the matter - one that stirs up a plethora of questions.
For instance, can CISPA really protect America from hackers who could do nefarious things such as shut down or blow up power plants? While the answer isn’t cut and dried, certainly cyber terrorists could feasibly do a lot of harm. In fact, as Johnson pointed out, just this week Iran took several of its oil terminals offline due to fears hackers would program the machinery to self-destruct.
And will fears about terrorism ultimately trump the popular desire to keep regular people’s data private? As we become more entrenched in all things online and the social data revolution continues to unfold, is a society reminiscent of Orwell’s Big Brother or - to use a more modern prophecy from popular culture -- the movie Minority Report inescapable in years to come?
These questions have no easy answers. The good news is that dialogue on the policy front and in the tech media is earnest and unrelenting. Here are what several experts had to say during yesterday’s debate:
Against CISPA: EFF
Rainey Reitman, activism director for the Electronic Frontier Foundation, is an outspoken contributor to the CISPA debate. Reitman said that while CISPA proponents employ rhetoric that the bill will “fend off a cyber Pearl Harbor,” what they’re really doing is inciting fears of security threats when, in fact, such concerns have existed for years. “I do think there is a need for companies to get more information from the government in a timely fashion. The problem that arises with CISPA is that it does so much more than that,” she says.
“It also opens the floodgates for companies to intercept communications of everyday Internet users and pass unredacted personal information to the governments,” she says, adding that several amendments to the bill would have addressed such concerns but they never made it to the House floor for a vote.
Reitman says civil liberties groups like the EFF don’t want cyber security programs to be a method by which intelligence agencies or the military can garner information about American citizens.
As for why many companies such as Facebook support CISPA, Reitman says the companies understandably want to be better informed about security vulnerabilities and promise not to spy on users or hand unredacted information over to the government. On the other hand, she says CISPA as it stands now lets companies bypass all existing privacy law and pass citizens’ personal data to the government even if there’s a weak excuse that the information is related to cyber security purposes.
“The government in return has said that if they get information that’s unrelated to cyber security they "may" - don’t have to, but may choose to - remove some of the implications toward civil liberties. But they don’t have to and there’s no real guidelines on what they would have to do about it,” she says. “What we want[are] actual laws in place that make that impossible or difficult. In the very least that if the government wants personal information about users of services including the content of emails they [have to ] go to a judge and get a warrant.”
For CISPA: Information Technology Industry Council
Dean Garfield, president and CEO of the Information Technology Industry Council, has also weighed in on behalf of that industry organization. Garfield said 95 percent of the data breaches that take place on the Internet are breaches of people’s personal information -- things like social security numbers and credit card numbers. “This is really about protecting the people who are a part of the Internet ecosystem on an everyday basis and that’s why it’s so critically important,” he says.
He also makes the point that CISPA doesn’t mandate that companies give the government information, but that doing so is voluntary.
As for why cyber security is so important now, Garfield says it’s a problem that just keeps getting worse and he points to data that said between 2009 and 2010 there was an increase of 93 percent in cyber security breaches.
“Most of us spend seven-plus hours a day in a network environment in front of our computer and so we make all sorts of information available on the Internet. It’s an integral part of our everyday life. And of the information that’s being compromised, 95 percent of it is our personal information and it’s important that we take steps to protect that. And there are simple straightforward ways to do that which from our perspective and from the majority of the Congress’ perspective CISPA was a vehicle for doing just that.”
One fly in CISPA’s pie has been that the White House staff says it will recommend to President Obama that he veto the bill if it makes it to his desk. However, Garfield asserts that the recommendation was made regarding a prior version of the bill and not the amended version that was passed by the House of Representatives.
As for concerns about the bill giving the government free reign to get its hands on whatever data it convinces companies to give it, Garfield says that’s not a concern.
“In fact, there was an amendment in the bill that passed that makes clear that CISPA doesn’t enhance the power of the NSA or any other government agency to engage in the kinds of activity that Rainey’s talking about…For example, the bill sunsets in five years. It has a FOIA (Freedom of Information Act clause) so that those who want to find out the types of information that’s being shared can do so. It sets up the process which I don’t think has existed anywhere else where if the government misuses private information, it’s subject to liability for that misuse of information. “
A tech entrepreneur speaks out
A caller into KQED's show identified as “Bruce in Los Gatos” said he is a long-time serial entrepreneur in Silicon Valley who, along with other tech innovators, has invested heavily to develop services, social media, GPS, and mobile apps that give him insight into the behavior and habits of consumers. “We take pride for the most part in doing the best job we can to use the data responsibly and give consumers value around that,” he says.
What concerns him about CISPA and other previous bills that have been under consideration is that the government seems to want to get at that data. “And the courts thus far haven’t been very tough on the government in preventing them from accessing it.”
He also points out that modern technology and services companies legitimately know where and when people travel and with whom they communicate.
“But if the government should choose to start to aggregate and track that data, it’s very concerning. And I would be concerned as a consumer that there aren’t more safeguards in place to prevent the government from just grabbing that data or forcing the companies to turn it over in secret,” he said.
What will happen to CISPA in the Senate?
Garfield says he’s still hopeful about the bill’s future and Reitman says the EFF’s goal is to have a voice in whatever bill the Senate considers.
That said, Jennifer Martinez, technology policy reporter for Politico, says Democratic sources told her that CISPA is “basically dead on arrival” because of the privacy concerns associated with it. She also says that nothing will happen with CISPA at least for the next week because the Senate is currently in recess and Senate Majority Leader Harry Reid has said the issue will get picked up sometime in May.
What’s most likely to get attention first, Martinez says, is a bill by Senator Joe Lieberman (I-Connecticut) that supports a different method of evading and mitigating cyber threats.
“The main difference is that the core component [of Lieberman’s bill] puts new security mandates on operators of critical infrastructures [such as] utilities companies, [and] possibly water plants [whereas] CISPA is focused on improving information sharing about cyber threats between the government and industries so it doesn’t have that piece that addresses security gaps in critical infrastructures,” she says.
How you can hear and be heard
To listen to the entire radio interview for yourself, visit KQED.
And regardless of which side of the fence you’re on, the EFF has posted an online tool that makes it easy for you to send a tweet to your US senators cyber security and privacy. If legislators perk up when a few dozen phone calls come into their offices, imagine the effect of hundreds or thousands of Twitter interactions on the matter.