President Obama does not usually accuse Republicans of being too hawkish. From ordering the killings of bin Laden and al-Awlaki to doubling troops in Afghanistan, Obama has been assertive with American power, and his re-election campaign talks far more about Afghanistan than Iraq. Yet breaking with those political dynamics, Obama has decided to prioritize civil liberties over claims of national security in an escalating battle with Congressional Republicans.
The issue is significant but largely obscure: a proposed bill, the Cyber Intelligence Sharing and Protection Act (CISPA), that would create new powers for technology companies and the government to gather and share information about American citizens. The information would include the kind of private data that is currently subject to warrants, which ensure some independent court oversight. And if a future president wanted to apply an aggressive interpretation of the bill, the powers might be invoked for massive surveillance with no link to national security.
Still, the legislation does aim at a real threat. The prospect of cyber attacks on infrastructure, government or companies inside the United States is at an all-time high. And Congress has been slow to update federal law on this score.
The National Security Act, which passed after World War II and governs today’s military and intelligence apparatus, has never been amended to address cybercrime. Meanwhile, substantial cyber attacks have recently occurred in Iran, Saudi Arabia, Estonia and India, to name a few examples. Richard Clarke, a respected former counterterrorism official and author of Cyber War: The Next National Security Threat and What to Do About It, argues that Internet service providers should play a larger role in filtering online activity for security threats.
That is part of the approach in CISPA, and companies like Facebook and Microsoft have backed the bill because it provides a framework for them to legally share threat information, both with other companies and the government.
Under current law, companies can be liable under private lawsuits for releasing certain customer data. That may sound like a relatively minor concern, but similar rules were a costly and significant priority for telecommunications companies in the battle over the NSA’s domestic surveillance program. (Congress ultimately granted them retroactive immunity, which helped shield the surveillance from legal oversight.)
CISPA defines threats so broadly, however, that it could amount to a privatized surveillance of all electronic communications—the emails people read and write, the websites they visit and even information stored privately online. “All private electronic communications could be obtained by the government [under CISPA],” argues the American Library Association, and used “for many purposes” other than security. Which brings us back to Obama.
The librarians’ civil liberties concerns found support at the White House, which has issued an official policy statement “strongly” opposing CISPA in its current form.
“The bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information,” says the administration. Citing “privacy” and “civil liberties” concerns, the policy statement concludes that CISPA does not have “sufficient limitations on the sharing” of personal information nor safeguards to ensure “data is used only for appropriate purposes.”
Perhaps most surprisingly, in contrast to Obama’s past support for broad telecom immunity, the White House also explicitly singled out CISPA’s immunity clause as “inappropriate.”
Broad immunity would “shield companies from any suits where a company’s actions are based on cyber threat information,” the administration stated, even if the conduct “violated Federal criminal law or results in damage or loss of life.” (The proposed blanket immunity for any potential cyber or security-related death does seem like both terrible policy and political overreaching.) Some Democratic critics go much further; Congressman Jared Polis argues that the bill would literally roll back “every single privacy law ever enacted in the name of cybersecurity.”
On Saturday, the Republican-controlled House passed CISPA by a wide margin. Now it sits in the Senate, where related bills have been proposed by Senators John McCain and Joe Lieberman. Harry Reid has suggested there could be a vote as early as this month. Passing legislation matching the House bill would seem to court a veto from President Obama, however. Few observers are optimistic about Republicans making significant compromises.
Obama has not publicly explained why civil liberties concerns played such a strong role in his position on this bill, especially in contrast to telecom immunity, let alone his policies on assassination and drone attacks. The president has not been asked, either, which may provide one clue to the politics at play.
Even after passing the House, the White House press pool has never asked a single question about CISPA at the daily press briefing, let alone in discussion with the president or senior officials. Out of all public transcripts and statements, there is only a single CISPA reference on the White House website, from the administration’s proactive policy announcement. (There are over seventy references to “long form birth certificate,” to compare another topic.) In standoffs between civil liberties and national security claims, sometimes it’s easiest to do the right thing when no one is paying attention.
Photo Credit: Csete