Before the House vote, backers of the bill were considering various amendments to address the concerns of privacy advocates and civil libertarians. The Cato Institute's Julian Sanchez articulates their mistake. "Instead of indiscriminately adding a cyber-security loophole to every statute on the books, why not figure out which specific kinds of information are useful to security professionals without compromising privacy, figure out which laws raise obstacles to that sharing, and then craft appropriately narrow exemptions?" he writes. "The exceptions could be appropriately narrowly tailored depending on the sensitivity of the information involved."
In other words, rather than establish the general standard that invoking national security justifies ignoring privacy laws, why not say that everyone enjoys existing privacy protections, except in a very few specific circumstances when very specific types of customer information can be shared? As Scott M. Fulton puts it at Read Write Web, "The privacy of American citizens and the national security of the United States are too important to be left to intentionally vague regulations and legislation." He goes on to suggest that lawmakers should "stipulate that these are the circumstances in which exceptions must be made to protect vital national security interests. Then, establish an audit trail. State that all transactions must be registered, and the log of those registries may be obtained by public request, pending the approval of a judge."
Which is to say, if we're going to allow private companies and government to snoop into our private information for the narrow purpose of protecting national security, there needs to be a way to monitor what goes on so that there's at least the possibility that abuses could be caught.
WHY NEITHER INDUSTRY NOR GOVERNMENT CAN BE TRUSTED
Critics of CISPA are right to be wary, for all of the aforementioned reasons specific to the legislation -- but also because of the abysmal record that government and industry have amassed lately. The Bush Administration engaged in illegal warrantless wiretapping for years. All the while, the National Security Agency collaborated with America's major telecommunications companies. AT&T gave government officials unsupervised access to all data flowing through major hubs, including email messages, phone calls, web-browsing data, and private network traffic.
When the NSA program was finally revealed, Bush Administration officials weren't prosecuted and jailed. In fact, Thomas Drake, an NSA whistleblower who complained about a separate warrantless surveillance project, was prosecuted by both the Bush and the Obama Administrations.
This helps explain why civil libertarians are perturbed. Take Sanchez. Explaining why he wasn't satisfied by some of the last minute safeguards added onto CISPA, he cited recent history:
When civil liberties advocates cried foul at the prospect of such vast quantities of private data being handed over to government on a silver platter, the bill's supporters tried to placate them by tacking on an array of after-the-fact anonymization requirements and use restrictions -- forbidding the use of the data except for a "cybersecurity purpose" or for "the protection of the national security of the United States."
That wasn't much consolation to anyone who's watched how the government has tried to interpret similar "purpose" restrictions in the past. In 2002, for example, then-Solicitor General Ted Olson argued for a highly expansive view of the "foreign intelligence purposes" for which information obtained through national security wiretaps could be used, including using evidence of misconduct unrelated to terrorism or espionage to force people to become informants. If a wiretap turned up evidence of tax evasion or rape, for instance, Olson suggested the government "could go to that individual and say we've got this information and we're prosecuting and you might be able to help us. I don't want to foreclose that." It's no great leap to imagine a future solicitor general arguing that extorting the cooperation of hackers, penetration testers, or other tech professionals would similarly serve a "cybersecurity purpose."
In a statement objecting to CISPA as currently written, the Obama Administration stated that "citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately." Damn right they do! But Obama has done nothing to hold anyone accountable for spying on Americans during the Bush years. And Bush-era abuses -- coupled with the failure to hold anyone accountable for them, the prosecution of whistleblowers, and ongoing warrantless surveillance -- are indirectly but powerfully relevant to CISPA.