CISPA Is Dead. Now Let’s Do a Cybersecurity Bill Right

04-28-2013 • Julian Sanchez via WIRED.com

The controversial Cyber Intelligence Sharing and Protection Act (CISPA) now appears to be dead in the Senate, despite having passed the House by a wide margin earlier this month. Though tech, finance, and telecom firms with a combined $650 million in lobbying muscle supported the bill, opposition from privacy groups, internet activists, and ultimately the White House (which threatened to veto the law) seem to have proven fatal for now.

For all the heated rhetoric surrounding the CISPA legislation — predictions of an impending Digital Pearl Harbor matched by dire warnings of Big Brother surveillance — the controversy was almost entirely unnecessary.

Americans have grown so accustomed to hearing about the problem of “balancing privacy and security” that it sometimes feels as though the two are always and forever in conflict — that an initiative to improve security can’t possibly be very effective unless it’s invading privacy. Yet the conflict is often illusory: A cybersecurity law could easily be drafted that would accomplish all the goals of both tech companies and privacy groups without raising any serious civil liberties problems.

Few object to what technology companies and the government say they want to do in practice: pool data about the activity patterns of hacker-controlled “botnets,” or the digital signatures of new viruses and other malware. This information poses few risks to the privacy of ordinary users. Yet CISPA didn’t authorize only this kind of narrowly limited information sharing. Instead, it gave companies blanket immunity for feeding the government vaguely-defined “threat indicators” — anything from users’ online habits to the contents of private e-mails — creating a broad loophole in all federal and state privacy laws and even in private contracts and user agreements.