I’ve long argued CISPA is a good idea, given that online we are at war with hostile foreign powers attacking our government and our commerce. However, that doesn’t mean the bill doesn’t have issues that should be addressed in the normal legislative process. In the following post, Berin Szoka of TechFreedom and Ryan Radia of CEI explain why we should add a few words to CISPA that would preserve the purpose of the bill, while still protecting the private right of contract in this country.
On Thursday, the House of Representatives is set to vote on CISPA, a controversial cybersecurity bill that’s beloved by companies besieged by cyber attacks — but despised by many Internet activists.
CISPA’s premise is simple enough: Web firms that deal with cyber attacks every day should be free to share data about these threats with other companies or with government agencies—so they can defend their systems and their users from attack. But a thicket of federal laws, some dating back to the 1960s, stands in the way of this kind of information-sharing. For instance, while a telecom provider may intercept and share information about threats to its own network, it cannot do so to protect its customers’ networks. Such restrictions make little sense in the 21st century and should be reconsidered—especially if they actually make it harder for companies to protect their users’ personal data from malicious hackers.
But CISPA does much more than simply permit companies to share information about genuine cyber threats. It would give companies blanket immunity from “any provision of law” that might limit the sharing of information about cybersecurity threats. That includes so-called net flow data, and other “big data” patterns of behavior that could indicate an attack is coming — but such data doesn’t include individuals’ private information. Yet, under CISPA, if a provider has a hunch that the contents of user emails or other online communications relate to a cyber threat, the provider may share this information with impunity.
Despite what CISPA’s sponsors argue, the bill’s immunity provision doesn’t just nullify outdated privacy laws that arguably restrict how private companies run, and defend, their businesses; it provides blanket immunity from any conceivable liability, including for breaches of contract. Thus, in the name of clearing statutory barriers, CISPA would prevent private companies from making enforceable privacy promises to their users by contract or in a terms of service. These promises might include not sharing certain kinds of information with the government or simply de-identifying what is shared. But CISPA’s blanket immunity discourages private companies from competing on, or innovating in, privacy protection.
More profoundly, CISPA’s immunity language—“notwithstanding any provision of law”—violates a basic principle of the rule of law in a free society: private companies and individuals should be free to form voluntary arrangements beyond the strictures of federal law. As Professor Richard Epstein argues, “the most ubiquitous legal safety hatch adds three words to the formal statement of any rule: unless otherwise agreed.” CISPA does just the opposite.
Fortunately, a bipartisan group of lawmakers led by Rep. Justin Amash (R-Mich.), a rising conservative star in Congress, has offered an amendment (PDF) to CISPA to fix this problem. By adding 16 words, their amendment clarifies that CISPA’s liability exemption does not permit companies to break the contractual promises they’ve made to their customers. This simple, elegant fix does nothing more than align CISPA’s language with its sponsors’ public statements — that information sharing must be truly voluntary — while still clearing the regulatory “thicket” that may hinder beneficial information sharing today.
Supporting this amendment should be a no-brainer for House Republicans—and not just because it’s the right thing to do. If CISPA ends up the law of the land, it could be around for decades—and become an albatross around the necks of Republicans trying to connect with Silicon Valley and Internet users as champions of Internet Freedom. If the GOP wants to maintain its credibility on tech issues, it must at least ensure the bill lives up to the promises of its sponsors.
The lesson of the SOPA debacle, more than anything else, is that lawmakers should think through legislation carefully from the outset, listen carefully to feedback, and craft a bill that targets real problems with narrow government interventions — whether this entails new enforcement regimes or exemptions from existing laws intended to protect users. Our organizations have emphasized this concern for the past year. It’s not too late for House Republicans to heed our caution—and remember their own principles about the central importance of private ordering and the freedom of contract.