A Challenge To Facebook: Withdraw CISPA Support Until The Bill Is Fixed Or Replaced
from the get-off-the-fence dept
One of the more concerning aspects of CISPA that sets it apart from SOPA/PIPA is the number of technology companies that support it. Of chief concern is Facebook, which handles a lot of sensitive private data, but is standing behind the bill. Joel Kaplan, Facebook's VP of U.S. Public Policy, has now released a statement explaining their support, which basically amounts to "we promise not to abuse the gray areas in the bill".
A number of bills being considered by Congress, including the Cyber Intelligence Sharing and Protection Act (HR 3523), would make it easier for Facebook and other companies to receive critical threat data from the U.S. government. Importantly, HR 3523 would impose no new obligations on us to share data with anyone -- and ensure that if we do share data about specific cyber threats, we are able to continue to safeguard our users’ private information, just as we do today.
That said, we recognize that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place -- the additional information it would provide us about specific cyber threats to our systems and users.
Kaplan then goes on to say that Facebook is engaging lawmakers to see about amending the bill to address people's concerns. But that creates a pretty big question: why are they still supporting the bill if they recognize its problems? Based on this statement, Facebook wants to use cybersecurity laws the right way—to give and receive anonymized and minimized data about specific threats, to be used solely in relation to those and similar threats. But CISPA does not require any of that. It's nice that Facebook is "able to" protect private information, but why aren't they and all other companies forced to? If the authors of the bill want to tout its "strong privacy protections", then a requirement to eliminate personal user information from shared data seems like a necessity.
Moreover, while Facebook may only be worried about specific cyber-threats, they can't control what the government does with the information. As currently written, CISPA basically allows the feds to keep whatever data Facebook shares on file, and search it whenever they want, for anything they want, as long as there is a "cybersecurity" or "national security" purpose. And "cybersecurity" is very broadly described, and includes things like intellectual property. If this bill is supposed to be about protecting networks from disruptive attacks, why aren't the terms and limitations narrowly defined to ensure that's the only thing it can be used for?
If Facebook's cybersecurity motivations are good—and I'm willing to grant them the benefit of the doubt and assume that they are—then they should withdraw their support of CISPA until it is fixed to exclude the broad provisions that go well beyond what Facebook wants to use it for. If the company is so proud of its commitment to user privacy, then surely it has to acknowledge that there are other companies which are not so responsible, and which will abuse the same powers and immunities that Facebook promises to handle responsibly. Unless they can show us that they are making meaningful demands of Congress, this attempt to soften their support of CISPA is just hot air.