Obama set to bring back CISPA via executive fiat
Don’t look now, folks, but the Cyber Intelligence Sharing and Protection Act (CISPA) is making a comeback thanks to President Barack Obama.
Between the end of 2011 and early 2012, online activists were able to raise a firestorm over legislation — Stop Online Piracy Act (SOPA), PROTECT IP Act (PIPA), and CISPA — that would have severely diminished Internet privacy. Thanks to the outcry, all three bills eventually died.
According to a report yesterday from The Hill, President Obama will on Wednesday sign an executive order — completely bypassing Congress, which is becoming an all too familiar pattern with this White House — that will implement cybersecurity measures against attacks on the United States:
The White House is poised to release an executive order aimed at thwarting cyberattacks against critical infrastructure on Wednesday, two people familiar with the matter told The Hill.
The highly anticipated directive from President Obama is expected to be released at a briefing Wednesday morning at the U.S. Department of Commerce, where senior administration officials will provide an update about cybersecurity policy.
The executive order would establish a voluntary program in which companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government.
CNET reported last week that the White House decided to take action after recent hacking attacks against targets in the United States. Rep. Dutch Ruppersberger (D-MD) had already said that he and House Intelligence Chairman Mike Rogers (R-MI) planned to reintroduce CISPA in the new Congress.
While media reports on the issue note that President Obama issued a veto threat over CISPA last year, that was only because, as Julian Sanchez explained at the time, the bill didn’t “grant the government enough regulatory power over ‘critical infrastructure’ computer networks.”
Like SOPA and PIPA, CISPA had potentially serious ramifications for privacy. However, Trevor Timm of Foreign Policy explained last year during the debate over CISPA that it may have been the worst of the three:
The problem is in the bill’s definition of “cyber threat information” and how companies can respond to it. “Cyber threat information” is an overly vague term that can be interpreted to include a wide range of tasks that normally wouldn’t be considered cyberthreats — like encrypting emails or running an anonymization tool such as Tor — and as a result, a company’s options would be so numerous as to allow it to read any user’s communications for a host of reasons.
Those communications could then be handed over to the government voluntarily without a warrant or any oversight, nullifying well-established laws like the 1968 Wiretap Act and the 1986 Electronic Communications Privacy Act, which prevent companies from reading your communications except under very specific circumstances and prevent the government from getting users’ communications without judicial review.
Once the U.S. government gets hold of such information, the problem intensifies. Private communications can be passed on to intelligence agencies like the National Security Agency (NSA) and the military — bypassing decades of law barring intelligence agencies from spying on Americans — and be used for other law enforcement purposes besides cybersecurity. Almost as an afterthought, the bill also increases government secrecy — already at an all-time high — by creating a new exception to the Freedom of Information Act for any information the government receives from companies.
It remains to be seen what exactly President Obama’s executive order will do and what impact it will have on privacy, but it’s hard not to have an ominous feeling given what we know about the legislative proposal and the damage done to civil liberties by this administration.