The Cyber Intelligence Sharing and Protection Act (CISPA), formally known as H.R. 3523, is a cybersecurity bill currently in the House of Representatives that allows the US Government to share confidential “cyber threat intelligence” with private companies, and vice versa.
Although well-known companies such as AT&T, Microsoft, Facebook, Boeing and IBM have expressed their support for CISPA, privacy advocates didn’t hesitate to point out that the bill, through its intentionally broad scope (basically anything related to cyber threats or national security) and less-than-clear language, will provide corporations not only with the capacity, but also with the incentive to share any type of information with the Government,
To what extent does the Cyber Intelligence Sharing and Protection Act interfere with our lives?
Another strong argument against CISPA is that the bill does not set any limit on the type of data that might be transferred, which raises questions as to what might happen in the case of e-mails or private messages sent through social networks. In addition, it is the Department of Homeland Security that initially processes the private information obtained in this way, but this information could be passed on to other Government bodies to be used for other “national security” or “cybersecurity” purposes that the bill does not or cannot specify.
Speaking of cybersecurity, one of the basic tenets of today’s digital world is that there is no breach-proof system. Therefore, the question that first comes to mind when contemplating the possibility of enforcing the CISPA provisions is what happens if a cybercriminal circumvents the DHS security systems or exploits any of their possible vulnerabilities and accesses all the private information stored on Government servers. Is there any limit to what an ill-meaning individual or organization might do once they get hold of this “treasure”?
On to the other side of the problem: the ethics of information sharing. Under its current wording, CISPA gives unequivocal immunity to companies that hand data over to the Government, as long as the respective data is used for cybersecurity or national security purposes. That is why numerous voices support a series of proposed amendments that would prevent disclosure where the purpose is wrongful, where the act lacks a legal or factual justification, or where the harm caused by the disclosure outweighs its benefits.
Anonymity and privacy with a twist
A psychological approach to the matter is also relevant. Consider human behavior in the virtual world: people voluntarily share personal and sensitive information for various reasons: to maintain relationships with others, to win others’ admiration, to be accepted into a group, etc. Studies have shown that this type of exposure is fuelled on the one hand by users’ illusion of being protected by an imagined anonymity and, on the other hand, by the online disinhibition effect, which causes them to act less cautiously within the virtual environment than they would in a similar situation in real life. Moreover, each individual has a different level of apprehension about his/her own privacy, based on his/her own perceptions and values (Joinson & Paine, 2007). That is why disclosing information within an online social network, an ambiguous and intangible concept, might be considered less risky than doing exactly the same thing while performing other online activities.
There’s a twist to this situation: if exactly the same information is copied and reposted by an individual other than the initial publisher, the situation changes dramatically as this act is considered to be a breach of privacy. Compare this to a situation in which the private information published on or transferred via the Internet is stored and can be used by a government organization.
This parallel brings back into the spotlight the Communication Privacy Management (CPM) theory. According to this theory, the risk of privacy disclosure leads to the need to set up limits around public and private information (Clarke, 1999; Petronio, 2002). CPM also suggests that people feel they own their sensitive information and even if they share any of this kind of information, they should still be able to control it within certain boundaries.
Despite all the risks and the CISPA threat, individuals continue to choose to disclose personal information on the Internet (Lee, Im, & Taylor, 2008) while also claiming to be concerned about online privacy. Ironically enough, they even end up signing petitions on different sites against laws that would allow third parties to access their personal information. Petitions that also require providing full names, e-mails, addresses, or other private information. But for a good cause. Or, at least, what looks like a good cause.
1. Clarke, R. (1999). Internet privacy concerns confirm the case for intervention. Communications of the ACM, 42(2), 60–67.
2. Joinson, A. N., & Paine, C. B. (2007). Self-disclosure, privacy and the Internet. In A. N. Joinson, K. Y. A. McKenna, T. Post
3. Lee, D. H., Im, S., & Taylor, C. (2008). Voluntary self-disclosure of information on the Internet: a multimethod study of the motivations and consequences of disclosing information on blogs. Psychology & Marketing, 25, 692–710.
4. Petronio, S. (2002). Boundaries of Privacy. SUNY Press.