World’s Largest Organization for Computer Professionals Comes Out Against CISPA

Mark Jaycox of EFF writes:

The US Public Policy Council of the Association of Computing Machinery (ACM), representing ACM, came out against CISPA, the cybersecurity legislation recently passed by the US House. ACM is the world’s largest organization for computer professionals. They are joining a diverse group of individuals and organizations opposing this bill, including a wide array of digital civil liberties organizations like EFF, computer scientists like Bruce Schneier and Tim Berners-Lee, and companies like the Mozilla Foundation.

CISPA is intended to protect America against cyberthreats, but destroys core privacy protections by providing vague definitions and unfettered access to personal communications by companies and government agencies. In one such example, ACM criticized the expansive definition for “cyberthreat information,” which could “encompass everything from port scans to destruction of entire networks.” We agree, and voiced identical concerns when CISPA was first released.

Read more on EFF.  And count PogoWasRight.org among those who opposed and continue to oppose the version of CISPA passed by the House. It’s needlessly overbroad in its scope and incorporates too few protections and accountability or redress.  But one of the Senate bills, the Lieberman-Collins Cybersecurity Act (S. 2105) also poses serious risks. As Rainey Reitman of EFF explains in another post:

The Cybersecurity Act (S. 2105) Threatens Online Rights

The Cybersecurity Act (S. 2105), sponsored by Sen. Lieberman and Sen. Collins, compromises core American civil liberties in the name of detecting and thwarting network attacks. While Internet security is of the utmost importance, safeguarding our networks need not come at the expense of our online freedoms. That’s why civil liberties groups, security experts, and Internet users oppose this bill.

The Cybersecurity Act is fundamentally flawed and dangerous for online rights:

1. The bill uses dangerously vague language to define “cybersecurity threat indicators”(information that companies can share with the government), leaving the door open to abuse (intentional or accidental) in which companies share protected user information with the government without a judge ever getting involved.
2. Data collected under the Cybersecurity Act can be shared with law enforcement for non-cybersecurity purposes if it “appears to relate to a crime” either past, present, or near future. This is overbroad and contrary to the spirit of our Constitution. Senator Wyden, talking about a similar provision in CISPA, noted “They would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime.” The CSA suffers the same “future crime” flaw.
3. If companies overstep their authority, violating the privacy of Internet users for non-cybersecurity purposes or oversharing sensitive data with the government, it will be very difficult for individuals to hold these companies accountable by taking them to court. The bill puts incredibly high burdens on the plaintiff in such a case to prove that a company was not monitoring for the purpose of detecting cybersecurity threats and did not have a “good faith” belief that they were allowed to do it (whether they are right or wrong); or that they “knowingly” and “willfully” violated the restrictions of the law. Furthermore, the bill allows companies to bypass much of preexisting law designed to limit company disclosure of private communications – bedrock privacy law like the Wiretap Act and the Electronic Communications Privacy Act.
4. The Cybersecurity Act would allow sensitive private communications to flow to the NSA, a U.S. military agency — contrary to a long held value that military agencies should not be engaged in collecting data on American citizens.
5. This bill has been criticized by open government groups who rightly point out that the billcreates new exemptions to FOIA—making it that much harder for people to understand how much and what kind of data is being shared with the government and ensure that the government and companies do not abuse this authority.

There is much our country can and should do to safeguard our networks, but sacrificing the civil liberties of Internet users is neither desirable nor necessary for that goal. As a constituent and an Internet user concerned about my online rights, I urge my Senator to support privacy protective amendments and oppose the Cybersecurity Act.