Privacy activists are taking aim at Congress’ latest attempt to legislate the Web this week—the Cybersecurity Information Sharing and Protection Act (CISPA) being debated in the House today. So far, the measure’s sponsors have managed to fly beneath the radar, avoiding much of the attention that doomed two earlier attempts at Internet policing, the Stop Online Piracy Act (SOPA) in the House and its Senate counterpart, the Protect IP Act (PIPA). But if CISPA’s opponents get their way, the lawmakers’ strategy of keeping quiet won’t work for much longer.
Luckily for Representative Mike Rogers, the Michigan Republican leading the charge on CISPA, he doesn’t need to hold out for more than a couple days. The bill is scheduled for a Friday vote and is expected to pass the House, despite condemnation from key groups like the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF).
The bill comes in two parts. Under one part of CISPA, businesses and corporations would become eligible to receive intelligence from the federal government about imminent cybersecurity threats. The bill’s defenders say that’s important at a time when hacktivists and criminal outfits are launching increasingly brazen attacks on corporate infrastructure—and in some cases releasing private user data into the open. If Washington has knowledge that hackers may be probing a firm for digital weaknesses, it will be free to alert the company to the danger.
The second part of the bill is far more controversial: it makes it possible for businesses to give up information to government agencies regarding cyberthreats. And it’s precisely this aspect of the bill that has privacy advocates worried:
The bills purport to allow companies and the federal government to “share” vital information to protect and defend against cyber attacks. But on Capitol Hill, information “sharing” doesn’t mean what you think it means: it’s a euphemism that includes monitoring or surveillance of your communications. The bills are written broadly and deliberately to permit Internet backbone providers, ISPs, carriers, and online service providers like Google, Facebook, Twitter to intercept your emails and text messages, and possibly even modify or block those communications.
Watchdogs like EFF played a key role in thwarting January’s Internet legislation headliners, SOPA and PIPA. But though many are rushing to label CISPA as the next SOPA, it’s a spurious comparison at best. At worst, it’s a fallacious historical analogy that risks misleading the digital privacy movement altogether.
When SOPA and PIPA began drawing national attention, it took almost no time at all for the debate to tilt in the privacy activists’ favor. On one side, you had Hollywood, its various affiliated interest groups, and lawmakers who failed to grasp how a great deal of the Internet functions—either at the cultural or the technical level. On the other side was practically everyone else—bloggers, Web businesses, watchdogs, think tanks, you name it. Compromise was out of the question. It was clear from the outset that defeating the measures was the only acceptable outcome. This time is different. Not only are lawmakers actively seeking feedback from concerned groups; they’re also getting some buy-in in return. As The Hill reported Tuesday, the Center for Democracy and Technology has spent the week working with representatives to hammer out a package of amendments.
With opposition to CISPA effectively split, legislators seeking to push this bill through have the upper hand. The gradations of opinion among the bill’s critics doesn’t just mean privacy advocates have an uphill struggle in Washington. It means attracting the kind of broad-based, outside-the-Beltway support that proved crucial to defeating SOPA and PIPA will be that much harder too.
That we haven’t seen more vocal demonstrations against CISPA should also warn us from drawing too close a comparison with January’s legislative battles. By this phase of the game last time, Web giants like Mozilla, Google, and Reddit had already staged a nationwide blackout of the Internet in an attempt to illustrate what would happen if SOPA and PIPA became law. No such landmark event has taken place this time, and the House votes tomorrow. To be sure, there’s still the matter of the Senate—and the White House has issued a veto threat—so there’s time for drama. But to be accurate, the CISPA-SOPA analogy would have to get the timing right.
What also sets CISPA apart from its predecessors is its rationale. This is the first piece of Internet legislation we’ve seen in recent months that’s predicated on the logic of national security, as opposed to some lower-order priority like intellectual property protection. If the last decade has anything to teach us, it’s that Washington can get away with a lot where security is concerned. It follows that making the case against a security-related proposal is going to be far more difficult than what privacy activists have faced to date.
At some point, privacy groups will have to come to an agreement with Congress over Internet legislation or risk being tarred as obstructionists. That, combined with the fact that most ordinary Americans lack the means to distinguish among the vagaries of different bills, suggests that Congress is likely to win out over the objections of EFF and the ACLU sooner rather than later. Thinking of CISPA as just another SOPA not only prolongs the inevitable—it’s a poor analogy that obscures more than it reveals.