Yesterday, EFF participated in a panel discussion about CISPA moderated by CNET's Declan McCullagh and put on by Hackers and Founders. We were happy to have the opportunity to do so, and although we disagreed quite a bit with a key proponent of the bill, House Permanent Select Intelligence Committee staffer Jamil Jaffer, one area where we agreed is that more people should read the text of the bill. Let's not let this legislation rush through right when people are starting to question it—if Jamil and other staffers stand behind the bill, why not give it another week or two to let the public debate mature?
The fundamental problems with the bill are numerous. The language of the bill is too broad, and it's hard to know what information will actually be shared by private entities as a result of the bill, or what “cybersecurity systems” will do once they are enabled (if indeed they are different than what companies are doing already, an unknown). CISPA also grants sweeping immunity to companies to share information “notwithstanding any other provision of law,” and unsurprisingly has a fair amount of industry support as a result. McCullagh rightly called this a “wildcard" clause; it is a lazy way to encourage information sharing that does not adequately protect the civil liberties of Internet users in the United States.
The panel also highlighted a ubiquitous issue with technology legislation—Congress just doesn't know enough to meddle intelligently with technology. The audience questions demonstrated this point quite sharply, and language which Jamil believed to be crystal clear was still completely opaque to people in the tech sector. Many people asking questions were unhappy with the vague definitions, but technologist Jonathan Nelson perhaps said it best during the Q & A:
I read the bill for 5 or 6 hours. I'm an engineer. I don't understand what is defined as a "cybersecurity threat." I've never heard that discussed amongst engineers here in silicon valley. I don't know what a "cybersystem" is. Is it a system on a chip? Is it a LAN? Is it a WAN? Is it the Internet? And I don't understand exactly what information is going to be shared. If it's just malware signatures, put that in the bill.1
This highlights the rift between the tech community and Congress. Unless we as technologists are incredibly vigilant and vocal, the powerful intelligence lobby—rooted in our deep-seated military-industrial complex—will surreptitiously force their surveillance-oriented agenda and Congress won't check them. We hope that as more people become aware of this bill, they will realize that we have to push back. To get good security legislation, we need to demand a better and more detailed explication of the security problems we are facing so that we can narrowly tailor the bill and the private-sector immunities that it grants to those particular problems.
To his credit, Jamil seems sincere that he wants to engage in this debate and talk to the civil liberties community. After all, it's not good when your bill is opposed by dozens of well-respected civil liberties organizations, like the ACLU. But we need to let that debate happen. It's crazy to let Congress vote on the bill only hours after seeing the final text and before they have a chance to consult with technology experts, and there should be no problem with the sponsors of the bill waiting a couple of weeks and letting the public hear the issue and read the bill themselves. If Jamil wants people to read the bill, he has to give them more than a few days to do so.
Take action to help us fight this bad bill.
- 1. Jonathan Nelson, at the Hackers and Founders CISPA panel. Quote paraphrased slightly.