An updated list of entities writing letters of support for the controversial Cyber Intelligence Sharing and Protection Act (CISPA) was published last week, and Facebook, a previous supporter, was no longer included.
The bill was introduced in the House of Representatives last April by Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) to address cyber threats. The legislation is intended to help police national security threats from cyberspace by enabling information sharing between the public and private sectors. The bill was initially greeted with letters of support from various private entities such as Facebook, AT&T, Microsoft, Intel, Verizon and many other kingpins in information collection. Privacy advocates such as the ACLU, however, criticized the bill for undermining other privacy protections already in place. CISPA never made its way through the Senate after its introduction in 2012, but it reemerged last month amid growing concern over cyber vulnerability.
This time around, however, some influential players such as Facebook and Microsoft are no longer such strong advocates for the legislation. A recent report cites the lack of concern for customer privacy as the motivating factor for the withdrawn support. Distinct from the ACLU and other privacy advocate positions, Facebook and Microsoft are concerned with their customer’s trust.
CISPA has had a mixed reception because it would insulate companies from liability for sharing customer information with the government, which often means violating promises made in privacy policies and possibly violations of other state and federal laws. Companies and agencies such as the FBI or NSA could exchange data to build more robust profiles of citizens. It is unclear exactly how this data would be compiled, managed and eventually used, but the underlying theme seems to be the more information the better. Another question is how the FTC would receive legislation that could undermine one of its main enforcement mechanisms and disrupt the current regulatory framework on protecting private information. The passage of CISPA would seem to remove the FTC’s ability to pursue deceptive trade actions against businesses for privacy policy violations, at least in the context of sharing information with the federal government.
Additionally, CISPA does not compel disclosures from private entities but encourages the two-way sharing of information. This means that the likes of Facebook and Microsoft could receive significant data from the government intelligence community in exchange for its customer’s information. It seems like data hoarders like Facebook would relish such an opportunity. It is also noteworthy that neither Facebook nor Microsoft were cited with explicitly opposing CISPA in the previously mentioned report, but each company stated they wanted a balance between adequate national security measures and concern for user privacy. Surely Facebook and Microsoft would welcome the passage of CISPA since they could begin freely trading information with the government and have little concern for violating rights of their users. They evidently realized, however, that publicly advocating for such an opportunity was not the best image management strategy.
Another consideration is that since the legislation is not compulsory, an entity having no desire to participate in sharing information would be free to make that choice. This could create an interesting split in the eyes of consumers between businesses that participate and businesses that do not. A business could leverage the decision to not share information in an effort to attract public appeal. I wonder if a company would be granted CISPA's liability protection if such a decision was "promised" in the company's privacy policy, but the company eventually decided to share information with the government.
Ultimately, enabling private entities and the federal government to better secure our cyber landscape is commendable. I wonder, however, if there is a better approach than simply insulating businesses from liability for breaking promises they’ve made to their customers.
Here are a few other interesting perspectives:
No comments:
Post a Comment