CISPA Rears Its Ugly Head…Again…

CISPA is a bill that doesn’t seem to want to die, and there are very strong emotions both ways on that fact. The Cyber Intelligence Sharing and Protection Act (CISPA) was originally introduced by Republican US Representative Mike Rogers of Michigan in both 2011 and 2013, where it passed the House but never went past the Senate.

This time, however, it’s Democrat US Representative Dutch Ruppersberger III who is reintroducing CISPA into the House of Representatives as bill HR 234 in 2015. While the early reactions are fairly predictable depending on what side of the argument an individual was on before, there’s still a lot to understand about this bill.

What Is CISPA And Why Should You Care?

The intent of CISPA is clear. This is a security bill that deals with online access to potentially sensitive information. If passed, CISPA would allow government agencies, as well as private companies, to share information on potential cyber security threats.

In theory this would allow a swifter and more comprehensive response to threats to cyber security. The idea with this bill is that attacks like the Sony hacking incident and any full cyber attacks on military sites or computers could be more easily tracked and dealt with.

The reason individual voters might care is that this bill allows large-scale sharing of information that is currently considered private. Some privacy advocates see this as an overreach of government supervision, while others worry that there are not enough checks and balances in place to prevent abuse. Others are worried about the scope of power this gives private businesses to prosecute individuals without any official law enforcement supervision.

Is CISPA A Single Party Issue?

CISPA is interesting in that its supporters as well as its detractors seem to cross party lines. There are a number of conservative groups who support CISPA as the next important step to greater security while there are also conservative groups who condemn the bill as being far too vague and offering too much of an overreach.

The same can be said of traditionally liberal or Democratic-leaning groups. The fact that CISPA was re-introduced by Dutch Ruppersberger III shows that there is bipartisan support for the idea of a cyber security bill that helps deal with these new attacks in the information age, but finding common ground seems to be a sticking point.

What Are The Sticking Points With CISPA?

The largest sticking point for opponents of this CISPA bill is the language. In the past many security bills have had intentionally vague language to allow the government greater leniency in how they interpreted the bill and how it could be acted upon.

The problem with having vague language in a security bill that involves corporations is the worry that this could be abused. What if Facebook, Google, or Amazon could sell private data to one another or to other companies? While this does not seem to be the intention of the CISPA bill, there are questions about whether or not the current language prevents that very breach of privacy from happening.

The additional issue that seems to be coming up with Representative Ruppersberger’s version is that it doesn’t seem to be revised from the last failed bill. The same issues seem to exist in this version that doomed the previous one.

President Obama has commented on putting forward a cyber security bill that would attempt to address the same issues that CISPA is meant to handle, while attempting to also take on some of the concerns about restrictions on when the data can be gathered, and especially on shielding agencies or companies from prosecution if they abuse the powers this bill would grant them.

What Are The Chances Of CISPA Passing?

CISPA has failed twice already to make it to a vote in the Senate. There’s no guarantee it would pass there, either, and President Obama has already made the statement that CISPA as is would be vetoed.

The recent Sony cyber attacks and the growing online threat will still put on the pressure to pass some type of bill to deal with them. Whether CISPA is that bill or not remains to be seen.

Pseudonymous Data For Debate In Future EU Regulation

The European Union may have standard unified data protection laws by 2014, and the European Commission is currently debating what kind of data falls under their proposed protection scheme.  The potentially far-reaching law, called the General Data Protection Regulation (GDPR), aims to update the current EU directive that does not take into account social media data or the complexities of cloud computing.  Where pseudonymous data fits into this new law, however, is subject to heated debate.

Pseudonymous data refers to online information that may not identify an individual directly, but often allows indirect identification rather easily.  This includes anything from Internet user names to IP addresses to user-generated data such as forum posts, search terms, or friend lists on social media.  While some argue that this pseudonymous data does not require the same stringent protection as clearly personal online information, others claim that this data demands the same privacy protection.

In a March 2013 speech in Brussels, Valerie Reding, Vice-President of the EU Commission in charge of GDPR, strongly stated her support for vigilant protection of data, pseudonymous or otherwise.  “Data protection is a fundamental right,” she said, “[and] privacy is an integral part of human dignity and personal freedom.”  She continued to clarify: “Pseudonymous data is personal data . . . [it] must not become a Trojan horse at the heart of the regulation, allowing the non-application of its provisions.”  Reding made clear that she supports data protection including indirect personal data, or any data that allows for eventual accurate identification of an individual.  She ended her address by calling for “robust safeguards” for citizens while also making solutions workable for businesses.

The Washington-based Center for Democracy and Technology (CDT) further clarifies the definition of pseudonymous data and argues for its broad protection. In a position paper, the CDT claims that data that makes indirect links to an individual or an individual’s device should be protected, as device-level information such as IP addresses can easily be linked today to a real-name identity. IP addresses in particular require new and strong protection, the CDT paper explains, because companies currently obtain and process IP addresses simply when a user downloads content from a webpage. The key to unified privacy regulation like GDPR would be a system where “a data controller cannot readily tie the data to an individual . . . it should not be sufficient that a party has the ability to link but does not intend to.” The CDT argues that regulations, and incentives for companies to follow them, will encourage Internet companies to collect data more often in pseudonymous rather than directly personal form, and will give pseudonymous data the protection level it needs.

Online privacy advocates argue that this regulation is explicitly required because business interests will continue to work toward collecting and eventually selling their user data.  As Fredrik Soderblom, owner of the Swedish company Storesafe.com, told the EU Observer: “if you have properly anonymized data it wouldn’t be commercially interesting to buy it because you want it to be able to pinpoint the individual so you can direct the advertising [at them].”  Adopting strict privacy regulation with obligation to protect on the part of industry would curb such misuse of personal and traceable data, advocates hope.

Other privacy provisions that may end up as law under the GDPR include mandatory notification of individual data breaches, required consent for user data collection and a clear statement of the purpose of the collection, and the Right to Be Forgotten, which would require an organization to delete personal data once that consent has been revoked by the user.  European Commission negotiations will continue until 2014, and they will ultimately determine if pseudonymous data fits under the protective umbrella of the GDPR.