This is just tacky. Inevitable, but tacky nonetheless.
Mike McCaul, a Republican congressman from Texas, is using the Boston Marathon bombing as an argument for passing the CISPA bill currently pending in Congress. Said McCaul: “I think if anything, the recent events in Boston demonstrate that we have to come together to get this done in name. In the case of Boston, they were real bombs. In this case they’re digital bombs. These bombs are on their way. That’s why this legislation is so urgent. For if we don’t and those digital bombs land and attack the United States, and Congress failed to act, then Congress has that on his hands.”
The CISPA legislation would allow companies to share any information – including customers’ personal details and private emails – with “any other entity” if there is some relationship to “cybersecurity”. I’m not a lawyer, but as I read the proposed wording, this would allow any company that provides cybersecurity to itself to send customer data not only to the government but to any other company that provides cybersecurity to itself.
Again, as I read it, it’s so broadly written that encrypting customers’ passwords on their website could be construed as providing cybersecurity, and mistyping a password could be interpreted as a hacking attempt (a “cyberthreat”). So under this legislation, I could see, say, Microsoft sending a list of customers who had failed logins (including all known information – names, addresses, income, SSN, and so on) to a marketing affiliate with a cover along the lines of “The following individuals may have been the subject of a cyberthreat. Please be on the alert for further attempts to access their information.”
Think I’m being alarmist? Note that the bill includes language (“Notwithstanding any other provision of law”) which many advocacy groups believe would protect companies from any violation of laws protecting privacy rights or even their own privacy policies. Note also that the Computer Fraud and Abuse Act (intended to be used against malicious hackers) was used to prosecute a woman last year for setting up a fake MySpace profile as part of an online harassment campaign. Even better, according to the ACLU, amendments supposedly made to improve privacy actually decrease it by adding library and tax information to the category of information that can be collected and shared.
Even more delightful: if the company sends your information to anyone, you’ll never know – the company is under no obligation to tell you that your information is being shared, and even in the case where the information is sent to a government agency, that agency will notify the company about the validity of the alleged threat, but not you.
Note that CISPA was passed by the House last year and died in the Senate. A package of amendments to add some protections (including limitations on police ability to request information without a warrant and confirmation that privacy policies can be legally enforced) was rejected by the House Rules Committee Tuesday.
So, coming back to McCaul’s tactic. He’s saying that you have no right to privacy because you might be a bomber, a hacker, or a liar and that it’s not only the government’s responsibility to monitor everything you say or do online in case you decide to tell a lie, but it’s also the responsibility of every company you do business with to do the same.
The really depressing thing is that tacky or overblown, it appears that McCaul’s tactic worked. Today’s vote on CISPA in the House passed by a larger margin than it did last year.
President Obama threatened to veto the bill if it gets to him, but a promise isn’t worth much in the face of appearing soft on terrorism. The bill goes on to the Senate now. Contact your senators now and let them know that you oppose CISPA’s sharing of your personal information.