CISPA fight reveals political split in Internet policy battles

Let’s hope lawmakers realise what is really at issue in upcoming conflicts on the Internet and choose the dynamic route

William Rinehart
On 23 April 2013 08:48

Last Thursday, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), which the House passed last session but which stalled in the Senate.

The bill again moves on to the upper chamber for deliberation and a vote, but it might see a different fate this time. The Chair of the Senate’s Intelligence Committee, Sen. Dianne Feinstein, recently hinted at a different outcome: “We are currently drafting a bipartisan information sharing bill and will proceed as soon as we come to an agreement.”   

CISPA was designed to solve a largely government-created problem. In the late 1960s at the advent of the computer age, policymakers began to pass privacy laws explicitly restricting information sharing. Some forty years into this legislative programme and countless laws later, companies are now bound by a thicket of information sharing regulations. In the past decade, online breaches and hacks have multiplied, and in turn have highlighted the shortcoming in the laws: organisations have a difficult time sharing information about cyberattacks with both security firms and the government. CISPA aims to fix this tension, but as written, the bill goes much further.  

As TechFreedom’s President Berin Szoka has argued time and again, a primary concern with the bill is the legal immunity that it gives companies, and its likely consequences on private contracts and the rule of law. Dispensing with these foundational legal principles is economically and philosophically foolhardy.

Indeed, as Ryan Radia, a privacy expert at the Washington D.C.-based Competitive Enterprise Institute, observed:

[T]he bill gives firms blanket immunity for all acts involving cyber threat information sharing, so long as such acts are taken in “good faith” – even if companies have not taken any reasonable steps prior to sharing information to ensure that it pertains to an actual cyber threat.

In other words, it isn’t clear businesses will be able to make enforceable terms of service or contract about the information they share. This is hardly a minor quibble. These kinds of promises are at the core of privacy law, allowing companies the ability to compete on privacy protections. Gutting these commitments would hugely impair the continued evolution of online services.

Rep. Justin Amash, a young and promising legislator from Michigan, offered up an amendment to change this section of the bill, only to have it quashed by the powerful House Rules Committee, which dictates the amendments that will reach the House floor. Moreover, the major proponent of the bill, Rep. Mike Rogers, did respond to my colleague Berin Szoka and a number of others to allay concerns about law, but didn’t acknowledge the outstanding issue with contracts.     

Early in the week, the White House chimed in on the debate with a veto threat of the bill. Their worries were an amalgam of concerns from across the political and institutional spectrum. As they opened in the letter:

While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.

It could be that the White House wants one bill to rule them all, opting instead to support a more comprehensive cybersecurity law. Both this veto threat and the one that accompanied the 2012 CISPA passage contain much of the same language. In particular, the Administration wants the creation of critical infrastructure standards, updates to federal network security, enhanced law enforcement tools, and a national data breach reporting requirement. At any rate, the bill’s ultimate fate seems to be the rubbish bin, which is surely a win for rule of law.  

In the meantime, the fight has strengthened a maturing coalition. As Berin Szoka notes:

The good news is that, as with SOPA, this fight transcended partisan lines, uniting a Democrat like Jared Polis (an openly gay progressive from Boulder) with a strict constitutionalist like Justin Amash (the "Ron Paul Republican" from Grand Rapids Michigan)—and four more traditional Republicans. This is precisely the realignment predicted 15 years ago by Virginia Postrel in The Future and Its Enemies.

On one side are those profoundly uncomfortable with change, desperate to control and plan the future, and so insecure about their own understanding of technology that they inevitably perceive criticism as a personal attack. On the other are those far more humble and more willing to let the future play out in all its messy unpredictability.

The first camp is always pushing for the one, right piece of legislation that will avert a crisis. The second camp admits they don't know the one, best way to deal with a problem like encouraging sharing of cyberthreat information while protecting user privacy, so they reject static rules that can only be changed by Congress. They want simple rules for a complex world.

Regardless of the country in which it is based, each new Internet policy proposal requires that we ask one simple question: does it create a regulated and engineered world, or does it help create a world of constant creation and dynamic competition?

The Internet Governance Forum and World Conference on International Telecommunications are only two recent examples where this question was played out. Likewise, nearly everyone can agree CISPA is another such fight, which itself was precipitated by the failures of past regulatory engineering efforts. Let’s hope lawmakers realise what is really at issue in upcoming conflicts on the Internet and choose the dynamic route. Correcting our mistakes in the future will surely be more costly.  

William Rinehart is a Research Fellow at TechFreedom and tweets at @WillRinehart

blog comments powered by Disqus