Many of the same organizations that planned the Internet-wide protests that killed the Stop Online Piracy Act are gearing up to launch another high profile demonstration against a controversial piece of cybersecurity legislation that is speeding towards the House floor.
«The bill uses very broad language that is capable of many interpretations, and now people are starting to focus on what those interpretations might mean, and they’re looking down the road at how companies and the government might interpret this very broad language, and they’re finding problems,» says Greg Nojeim, senior counsel at the Center for Democracy & Technology and the director of its Project on Freedom, Security & Technology. «If the sponsors of the bill believe these are not problems, it’s incumbent on them to clarify that these are not problems to preclude these interpretations. So far, that hasn’t happened.»
CDT is part of a group of organizations including the American Civil Liberties Union, Demand Progress, and the Electronic Frontier Foundation, which are going to launch a week-long campaign to persuade netizens to contact their members of Congress over their concerns about the legislation, which they say expands domestic Internet surveillance to unprecedented levels.
The legislation is H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA), which the Electronic Frontier Foundation has characterized as «a little piece of SOPA wrapped up in a bill that’s supposedly designed to facilitate detection of and defense against cybersecurity threats.»
To be clear, the legislation doesn’t involve any blacklisting, or domain name blocking, but works to immunize the private sector from any legal liabilities for sharing potential network threat information with each other and the government. Because the legislation’s authors are concerned about economic espionage by foreign actors such as China, the language defining threats includes theft of intellectual property. That’s one component that’s alarmed many Internet users as well as activists, who worry that that might ensnare the activities of file-sharers.
Another concern is that the legislation doesn’t place enough limits on what the shared information can be used for, and the extent of the sharing within the government community.
Nojeim, for example, says that the legislation should specify that the information that private companies share about threats to their networks shouldn’t be siphoned off to the National Security Agency to be used for national security purposes.
«The NSA shouldn’t be allowed to use this information about who communicated with whom to decide who to wiretap,» he says, which would be one way the law as written could be interpreted. «We don’t need the information used for cyber to be dumped into the massive NSA database for these other purposes.»
Nojeim says a competing House bill, H.R. 3674, sponsored by California Republican Dan Lungren, makes more sense because the legislation is much more specific as to what constitutes a cyber threat, who the information can be shared with, and how the information can be used.
Yet CISPA has broad support. It boasts a bipartisan co-sponsorship list of 105 House members and 28 letters of support from private industry. The list includes industry trade groups like the U.S. Chamber of Commerce, US Telecom, The Broadband Association, CTIA — The Wireless Association, Business Roundtable, The Financial Services Roundtable, the Information Technology Industry Council, and the Internet Security Alliance. Prominent technology companies that have written letters supporting the legislation include Facebook, Intel, Microsoft and IBM. AT&T and Verizon also support the legislation.
Conspicuously absent from the list however, is Google. An e-mail sent to the company’s press department was unanswered. Rainey Reitman, leader of the EFF’s activism team, declined to say whether Google was one of the companies that would be involved in the protests against CISPA next week. She said that the EFF is in the process of trying to get a number of companies to sign on to support their campaign.
«I think this will be an interesting issue — Internet companies were happy to come out to protest legislation that could not only impact the future of the internet, but it could also impact their bottom lines,» she says. «Nonetheless, I think there are still a lot of companies out there that in the wake of the SOPA debate who now have a more nuanced understanding of why we need to protect civil liberties in general.»
Though she declined to give more specifics, the intent of the campaign is to get people to call their members of congress about the legislation the week before Congress embarks on its own self-designated «cybersecurity week,» when CISPA is scheduled to be voted on on the House floor on Monday April 23.
And she said the campaign is going to involve elements of the «Tell Vic Everything,» campaign that was launched on Twitter in Canada in February, where citizens used the hashtag #TellVicEverything to flood the microblogging service with useless minutia of their lives.
«The way this campaign worked was folks would Tweet everything about their daily lives to showcase just how much data would be sucked up under the mantle of fending off terrorists threats, and most of the data was useless,» Reitman says. «Our campaign isn’t like that, but it was a little bit inspired by that effective campaign in Canada.»
Members of Anonymous have already started attacking some of the web sites of the associations that have expressed support for CISPA, and members of Reddit have talked about boycotting Facebook.
As if fearing a SOPA backlash, the two sponsors of the legislation, the majority and minority leaders of the House Permanent Committee on Intelligence convened a conference call with reporters on Tuesday morning to sell CISPA, and to dispel any notions that it has any resemblance to SOPA.
They said that their legislation is aimed at thwarting hackers and malicious code unleashed by «nation state actors» like China and Russia. Committee Chairman Mike Rogers, (R-Mich.) and ranking member Dutch Ruppersberger, a Democrat from Maryland, emphasized on the conference call Tuesday that the legislation was meant to stop the theft of U.S. companies’ business information from their networks, as well as help the private sector combat online crime and hackers by giving them access to classified threat information currently held by the U.S. government.
Rogers and Ruppersberger told reporters on Tuesday that they’d spent a year consulting with various groups, including the American Civil Liberties Union and CDT on the legislation. Nojeim says they were consulted, but ignored. Nothing in the language of the legislation changed even after numerous consultations. There wasn’t even a hearing to air concerns about the legislation.
«This is a bill that was introduced one day, marked up the next, and marked up secretly,» Nojeim said in an interview. «Only now is it getting scrutiny, as it heads towards the floor for a vote.»
Asked about the broad language on the conference call, Ruppersberger said:
«We continue to work with various groups to see if the definition can be more narrowly tailored, but it is important that any definitions be flexible enough to deal with rapidly changing technologies, and the various adaptive techniques used by any nation state hackers.»
The legislators are also trying to sell the legislation on their social networks, but some members of the networks weren’t buying.
A Tuesday Facebook post about the conference call attracted critical comments from readers. On Wednesday, that post was then nowhere to be found.
Twenty-seven people «liked» the post, but several readers also reacted negatively.
Scott Swanson was one of the more polite commenters.
«So not only are you trying legally thwart public discontent with government censorship on the internet, you are allowing corporations to directly profile individuals and groups as they see fit and report that activity to the government. Who do you work for, exactly?» he wrote.
This post has been updated. The story incorrectly reported that a Facebook post had been removed, when it had just moved.