CISPA: Embraced by Facebook, Scorned by Privacy Advocates

The congressional Internet security bill is finding support among Facebook and other vendors, but the measure is touching off protests by groups warning of too much information sharing.

Privacy advocates are hoping that a week of protests against the proposed Cyber-Intelligence Sharing and Protection Act (CISPA) will have the same effect that similar movements had earlier this year in helping kill other proposed federal Internet security measures.

However, the challenge will be a little different this time around, particularly since some major tech companies that had been opposed to the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA)€”including Facebook and Microsoft€”are now supporting CISPA.

Joel Kaplan, vice president of U.S. public policy at Facebook, roiled the already turbulent waters even more with an April 15 post on the social networking giant€™s blog outlining why the company supports the bill. In particular, Kaplan wrote, CISPA will give Facebook and other companies needed information from each other and the government about cyber-attacks, without requiring the vendors to reveal personal information about their users.

€œWhen one company detects an attack, sharing information about that attack promptly with other companies can help protect those other companies and their users from being victimized by the same attack,€ he wrote. €œSimilarly, if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems.€

Kaplan said he was aware of the concerns of the privacy advocacy groups that Facebook and other companies will share user information with the government, but he stressed CISPA doesn€™t require it and Facebook wouldn€™t do it.

Such promises have done little to quell the concerns of such groups as the Electronic Frontier Foundation (EFF), American Civil Liberties Union (ACLU) and Center for Democracy and Technology (CDT), who say it would be easy for private user information to end up in the hands of government agencies.

€œKeeping our computer systems secure is a real concern, but CISPA is absolutely the wrong answer,€ Mandy Simon of the ACLU said in an April 16 blog post. €œThe bill would create a loophole in all existing privacy laws, allowing companies to share Internet users' data with the National Security Agency, part of the Department of Defense, and the biggest spy agency in the world€”without any legal oversight. If CISPA passes, companies like Google and Facebook could pass your online communications to the military, just by claiming they were motivated by €˜cyber-security purposes.€™€

They also have argued that CISPA would too broadly define what would be considered a cyber-attack, puts no limits on the amount or kind of information that can be shared and offers little if any transparency into the government agencies that would have access to the user information.

€œFreedom of expression and the protection of online privacy are increasingly under threat in democratic countries, where a series of bills and draft laws is sacrificing them in the interests of national security or copyright,€ the group Reporters Without Borders said in an April 16 blog post. €œA blanket monitoring system is never an appropriate solution. Reporters Without Borders opposes CISPA and asks Congress to reject this legislation.€

The groups are pushing citizens to contact congressmen the week of April 16 to voice their opposition to the bill, which is scheduled be voted on by the House of Representatives next week. They also have kicked off a Twitter campaign as another avenue for people to contact their representatives as part of the €œStop Cyber-Spying Week€ of protests.

€œThe bill would carve out huge exemptions to bedrock privacy law and allow companies to share private user data with the government without any judicial oversight,€ Rainey Reitman, activism director for EFF, said in an April 16 post on the company blog. €œThe result? Untold and unfettered personal data flowing from online service providers like AT&T and Google to government agencies like the NSA [National Security Agency].€