The Obama administration has hardly been a consistent defender of digital privacy. Recall, for example, its support for the reauthorization of the Patriot Act, or its position—unanimously rejected by the Supreme Court in U.S. v. Jones—that we should have no expectations of privacy in public. Recently, however, the administration gave friends of digital privacy a reason to dance in the chat rooms: On April 25, Obama threatened to veto the Cyber Intelligence Sharing and Protection Act (CISPA), the dreadful cyber security bill that would have allowed Internet companies to share private emails and web browsing records with the NSA.
But while this was a real success for online privacy activists, it’s far too early to declare victory. There is another cyber security bill currently being considered by the Senate. This one is nearly as bad as CISPA—and not only is Obama unlikely to threaten another veto, the administration has already indicated its support.
The idea behind CISPA isn’t inherently objectionable. No one denies that an effective approach to cyber security could allow telecommunications and Internet service providers to share information about cyber-threats with the government. But although it’s possible to design an information sharing program that protects privacy as well as security, the leading bills that have been considered by the House and Senate do no such thing.
As originally drafted, CISPA would have allowed private companies to share vast amounts of private data with any government agency, including the NSA, without meaningfully limiting what the government could do with the information. That means Comcast or AT&T could choose to give the government an ocean of private data; the government could then go fishing for evidence, not only for cyber threats but for any low-level crime. This could be the equivalent of a perpetual wiretap on any citizen without individualized suspicion, creating what’s known as a “Nixon effect.” (When the Nixon administration wanted to retaliate against Vietnam protesters, it scoured their tax returns and threatened them with exposure, chilling their speech as a result.)
The Senate cyber security bill, which was introduced by Joseph Lieberman, does have stronger privacy protections than CISPA. For example, the Lieberman bill requires that reasonable efforts be made to strip away personal information unrelated to cybercrime. But like CISPA, the Lieberman bill doesn’t prohibit the government from prosecuting the unrelated crimes if it finds them. For this reason, it too poses a risk of the Nixon effect: If the Department of Homeland Security were interested in retaliating against one of its critics, for example, it could request that Internet service providers share any email or web communications that are “indicative” of a cyber threat. If, after fishing for wrongdoing, government investigators find evidence of a crime unrelated to cyber security, the critics could be prosecuted for that crime, no matter how low-level. (The Center for Democracy and Technology provides a detailed comparison of the House and Senate bills.)
Both CISPA and the Lieberman bill also allow Internet service providers to share private communications with military authorities such as the NSA. So, for example, if I send an email to a privacy advocate who communicates with a lawyer who communicates with a terrorist suspect, the NSA could designate me as a person of interest and put me under long-term surveillance, or could demand that my Internet service provider supply more information about the people with whom I’m communicating.
If Congress and the administration were truly interested in shoring up cyber security without expanding unnecessary surveillance, there’s a clear solution they could adopt. As Orrin Kerr of George Washington University has argued, the law could allow widespread collection of data, but only allow it to be shared for law enforcement purposes when it produces evidence of terrorism or cyber security crimes. These restrictions—known as “use limitations”—are familiar in European privacy law: The German intelligence services, for example, have broad authority to collect private data, but they can only share information with German law enforcement if they find evidence of terrorism or violent crimes. Evidence of lower-level wrongdoing can’t be shared or prosecuted, preventing the government from retaliating against its critics.
The Obama administration could also demand a narrower definition of the information that can be shared. A now-defunct House bill, originally sponsored by Representative Dan Lungren, would have only allowed Internet service providers to share information that is “necessary to identify or describe” one of six carefully defined categories of information related to cyber attacks.
Until now, these kinds of limitations on information sharing have had no reliable political constituency in America: Both big government Democrats and Republicans have argued that the government should be able to use its expanded surveillance authority to prosecute any crimes, no matter how trivial. But political constituencies are not set in stone, as the digital activism that successfully killed SOPA should have taught us. And as the first round of deliberations over CISPA shows, digital activism has the potential to transform our privacy debates, forcing even big government Democrats—like the Obama administration—to respond to privacy concerns.
Now is the time for digital privacy activists to use their newfound power to demand that the Obama administration reconsider its overly hasty endorsement of the Lieberman bill. The law that finally emerges from Congress needs to be narrowly focused on preventing cyber threats; it shouldn’t also empower the government to spy on citizens in search of trivial offenses that have nothing to do with cyber crime or terrorism.
Jeffrey Rosen is legal affairs editor of The New Republic.