There’s a scene in The Matrix where Keanu Reeves‘ character, Neo, gets the tar beaten out of him by Agent Smith. After an extremely intense fight that has him narrowly avoiding death by jumping out of the way of an oncoming train, he is tired and staggering away. The train stops and a refreshed Agent Smith steps off, ready to fight again.
This is much like the fight that the people of the internet are faced with right now. Fighting SOPA in January, 2012, took a monumental effort that called in the combined efforts of juggernaut websites like Wikipedia and Reddit to defeat. It was a long, sustained battle that ended well for the good guys. Shortly afterwards, the US government was hard at work learning from their mistakes and preparing for another round. The internet, tired and still recovering from the last fight, has not shown up to fight this battle. Anonymous has. Most of the big players seem to be sitting this one out.
It isn’t just fatigue. The bill was positioned much better this time. Support was rallied heavily and much earlier this time around. Without casting any direct accusations and with no evidence to support it, I can say with a near certainty that some of the larger companies were “bought off” through promises of favorable legislation and threats of repercussions to anyone who stood in the way. The bill is too universally supported by large tech companies who opposed SOPA for this to not be the case.
By contrast, Anonymous is joined by Reddit, Mozilla, and Automattic (parent company of WordPress) in opposition to the bill. That’s about it.
The bill, on the surface, is better than its predecessors. Unfortunately, if you peel back the layers and understand some of the “minor” points in the bill, you’ll see that they left it open to three loopholes that make it more dangerous than anything we’ve seen. The language used is very crafty. It continuously points to protection of privacy and to narrowing the scope of the bill to only cover cybersecurity threats. It is liberal in its use of favorable terms like “voluntary” and “limitations” to make it seem less potentially harmful. This was done on purpose, of course, to keep as few people as possible from jumping up and crying foul.
Then, there are the standard concerns. Sharing of private information, storage of private data, the use of personal data for marketing, involvement in investigations not pertaining to an individual, government surveillance, the broadness of the definitions – all of these have been addressed in some form or fashion to the point that a valid argument could be made that the bill does not infringe on any of these. The government has made a pretty iron-clad case that the bill is necessary for national security, that it addresses the concerns of previous bills, and that those opposed are “14 year-old Tweeters” in basements.
The con job is working.
The three big points of concern that make this bill so dangerous are minor in the whole scheme of things but open the doors to the problems that most Americans would fear if they understood them properly. Subsection (b)(3) is the exemption from liability. It reads:
(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith–
— (A) for using cybersecurity systems or sharing information in accordance with this section; or
— (B) for not acting on information obtained or shared in accordance with this section.
Yes, that means that it’s wide open. There are no potential repercussions to those who are “acting in good faith” with the bill. In other words, a company or member of the government does not have to prove that they didn’t do anything wrong. They simply have to demonstrate that they were acting in the best interests for the cybersecurity of the country. They don’t have to prove it in court. If they can demonstrate up front that they thought they were doing the right thing, they won’t have to go to court. In fact, they cannot. They are exempt from liability as long as they were acting in good faith.
The second point of concern is actually quite laughable. They assert several times in both the bill and their mythbusting sheet (pdf) that they cannot retain and use information outside of the scope of cybersecurity. They say nothing about flagging and recording the presence of data of interest, a loophole few are talking about but that acts as a way for the government to record private data about us without actually “recording” it to the letter of the law. Sites like Facebook and entities such as ISPs retain our data whether we like it or not. Most sites and companies maintain in their terms of service the allowance to keep record of everything that happens on their properties.
The government can flag pertinent data in our individual records and then delete the actual information. They don’t need to store it. They only need to know that the information exists and that they know how to retrieve it when necessary. CISPA will make the flow of information so potentially free between entities that the government only needs to know where to get it when they believe they need it. If anything, this allows them to have a much broader view of the populace as well as a more useful view of individuals without having to technically store anything.
The last point of concern is the lack of consequence for breaking their own rules. If they feel the need to infringe on our privacy, they are likely only liable for $1,000. Actual damages due to privacy infringement by a government agency are very challenging to demonstrate. It comes down to a choice – is the data they want on someone important enough to justify the $1,000 at risk. In the name of cybersecurity, this is a no-brainer.
CISPA in its current form was designed to have no chance of losing. They hushed the potential detractors. They did a masterful job of crafting it in a way that seems to be harmless. They learned what they did wrong with SOPA and this new and improved version is almost impervious to assault. Anonymous, Reddit, Mozilla, and Automattic need help. Are you willing to speak out and expose the truth about this dangerous piece of legislation?