Recent precedent shows that even when the privacy of Americans is unlawfully violated, the interlopers never pay a price.
On Thursday evening, the House of Representatives passed legislation called the Cyber Intelligence Information Sharing Protection Act, or CISPA. Sponsors of the bill say its purpose is to permit the government and private companies to share information with one another in order to thwart cyberthreats that could imperil national security. For example, say that spies in China were trying to hack into the personal email accounts of various government officials, the server of a hospital, or the database of a "too big to fail" bank. If CISPA is signed into law, these entities and the federal government would be able to share customer data "to identify and obtain cyber threat information," even if that data is currently unlawful to reveal (thanks to laws passed to ensure that companies don't share sensitive consumer information with the government).
Civil-liberties groups have various objections to the bill.
The ACLU conjures up a problematic scenario that could happen if it passes. "Imagine you are emailing your doctor from your Gmail account about a medical condition. Your doctor pulls up your medical records from his cloud storage server and sends them your way. Somewhere in that communication, a virus crops up," staffer Zachary Katznelson writes. "Under CISPA, Google could send your emails, including the electronic copy of your medical records, to the NSA, so they can gather information on the virus. But, Google would be under no obligation whatsoever to scrub out your private details -- which have nothing to do with the virus. And now your medical records are in government hands indefinitely -- and the government can use them."
Before the House vote, backers of the bill were considering various amendments to address the concerns of privacy advocates and civil libertarians. The Cato Institute's Julian Sanchez articulates their mistake. "Instead of indiscriminately adding a cyber-security loophole to every statute on the books, why not figure out which specific kinds of information are useful to security professionals without compromising privacy, figure out which laws raise obstacles to that sharing, and then craft appropriately narrow exemptions?" he writes. "The exceptions could be appropriately narrowly tailored depending on the sensitivity of the information involved."
In other words, rather than establish the general standard that invoking national security justifies ignoring privacy laws, why not say that everyone enjoys existing privacy protections, except in a very few specific circumstances when very specific types of customer information can be shared? As Scott M. Fulton puts it at Read Write Web, "The privacy of American citizens and the national security of the United States are too important to be left to intentionally vague regulations and legislation." He goes on to suggest that lawmakers should "stipulate that these are the circumstances in which exceptions must be made to protect vital national security interests. Then, establish an audit trail. State that all transactions must be registered, and the log of those registries may be obtained by public request, pending the approval of a judge."
Which is to say, if we're going to allow private companies and government to snoop into our private information for the narrow purpose of protecting national security, there needs to be a way to monitor what goes on so that there's at least the possibility that abuses could be caught.
Critics of CISPA are right to be wary, for all of the aforementioned reasons specific to the legislation -- but also because of the abysmal record that government and industry have amassed lately. The Bush Administration engaged in illegal warrantless wiretapping for years. All the while, the National Security Agency collaborated with America's major telecommunications companies. AT&T gave government officials unsupervised access to all data flowing through major hubs, including email messages, phone calls, web-browsing data, and private network traffic.