When Cybersecurity Makes Things Worse

Adam Dachis has an interesting and worrisome post up at Lifehacker. (Disclosure: he kindly asked me for input into the post.) It considers a post-CISPA world, where privacy exists only at the behest of companies who hold our information. CISPA would immunize these firms for sharing information with the federal government, so long as one purpose of the sharing is cybersecurity. (Don’t be fooled by CISPA’s “significant purpose” language; the same terms appear in the USA PATRIOT Act’s revisions to FISA, and have been interpreted to mean “any purpose.” *See below.) This is what I think of as the “bus stop” problem. You’re waiting for the bus, and there’s a small shelter with a roof. (If you want to make it a bit creepier, imagine there’s also a closed-circuit security camera pointed at the shelter.) If you can see even the hint of a cloud in the sky, you’ll stand under the shelter. Why not? If it does rain, you’re dry; if not, no real harm done.

This is how safe harbors work. Title II of the Digital Millennium Copyright Act is the best example: most Internet application providers wouldn’t be liable for copyright infringement even under pre-DMCA precedent. But following notice-and-takedown eliminates risk entirely. So, why not do it? Even if it undercuts fair use and other creative reworkings of expression, that’s little cost to the IAPs. Ditto cybersecurity sharing. The incentives are entirely towards sharing, if not oversharing.

One puzzle that Adam asked about is why there hasn’t been more attention to CISPA. I think there are three reasons. First, ironically, the success of the battle against SOPA lulled us into complacency. We thought we’d won. Second, it is far more effective to frame information sharing as a cybersecurity measure than an anti-infringement one. Who’s opposed to cybersecurity, especially when you have nutjobs like Richard Clarke screaming that the sky is falling (or, at least, airplanes are falling out of it)? And lastly, the political constituencies matter: many tech companies who opposed SOPA support CISPA. It is much harder to assemble a coalition of netizens when the politically powerful players are almost unanimously lined up against you.

In closing, when I talk with folks about CISPA, they note that they don’t have to worry – after all, President Obama stated he would veto the bill. Taking Obama’s word as ironclad makes as much sense as believing that you can pick the ace in a street-corner game of three-card monte. See, for example, the National Defense Authorization Act, or Obama’s refusal to sign an executive order banning discrimination against LGBT employees working for federal contractors. The president has remarkable, er, flexibility when it comes to principles and positions. So, it wouldn’t hurt to write your Congressional representative.

*Here’s the language from In re Sealed Case: “the Patriot Act amendment, by using the word ‘significant,’ eliminated any justification for the FISA court to balance the relative weight the government places on criminal prosecution as compared to other counterintelligence responses. If the certification of the application’s purpose articulates a broader objective than criminal prosecution–such as stopping an ongoing conspiracy–and includes other potential non-prosecutorial responses, the government meets the statutory test.”

