Blog - With SOPA Shelved, Congress Readies its Next Attack on the Internet

One of the things that became clear in Congress’ push to pass Hollywood’s web censorship bills is that powerful corporations and the federal government do not want the rule of law to apply on the internet. The attitude that our basic freedoms and legal protections are somehow not valid on the internet is partly just the kind of reaction you would expect from entrenched powers whenever new technologies emerge, but it’s also a response to the particular peer-to-peer features of the internet that threaten to make their key sources of power — control of information flow — less relevant.

Not surprisingly, with SOPA and PIPA indefinitely shelved, some members of Congress are getting ready to introduce a new internet power grab bill. The bill, which is still in draft form, is called the “Cybersecurity Information Sharing Act of 2012.” The basic idea is to promote the sharing of information regarding perceived cybersecurity threats between private entities and the federal government. Of course, sharing information about cybersecurity threats is already perfectly legal, provided that the parties involved follow basic legal guidelines for protecting the privacy of individuals who are not criminal suspects. According to a review of the draft text by an experience legislative expert, the first thing the bill would do is throw out those legal guidelines and replace them with a blanket understanding that information monitoring and sharing that is done in the name of cybersecurity is essentially above the law and immune from legal recourse. Jim Harper at Cato Institute explains based on his reading of the draft:

Reading over the draft, I was struck by sweeping language purporting to create “affirmative authority to monitor and defend against cybersecurity threats.” To understand the strangeness of these words, we must start at the beginning:

We live in a free country where all that is not forbidden is allowed. There is no need in such a country for “affirmative” authority to act. So what does this section do as it in purports to permit private and governmental entities to monitor their information systems, operate active defenses, and such? It sweeps aside nearly all other laws controlling them.

“Consistent with the Constitution of the United States and notwithstanding and other provision of law,” it says (emphasis added), entities may act to preserve the security of their systems. This means that the only law controlling their actions would be the Constitution.

It’s nice that the Constitution would apply, but the obligations in the Privacy Act of 1974 would not. The Electronic Communications Privacy Act would be void. Even the requirements of the E-Government Act of 2002, such as privacy impact assessments, would be swept aside.

The Constitution doesn’t constrain private actors, of course. This language would immunize them from liability under any and all regulation and under state or common law. Private actors would not be subject to suit for breaching contractual promises of confidentiality. They would not be liable for violating the privacy torts. Anything goes so long as one can make a claim to defending “information systems,” a term that refers to anything having to do with computers.

Elsewhere, the bill creates an equally sweeping immunity against law-breaking so long as the law-breaking provides information to a “cybersecurity exchange.” This is a breath-taking exemption from the civil and criminal laws that protect privacy, among other things.

This is analogous to SOPA and PIPA’s provisions that would allow corporations to block access to entire websites suspected of containing links to copyright infringement without having to seek court approval. The cybersecurity bill appears to allow corporations and the government to share internet-user information freely, in a wholesale manner, as long as it is done in the name of protecting cybersecurity. Corporations would be given full legal immunity for all of the private information of innocent, non-suspect internet users they hand over to the government, just as they would for all of the legal internet content they would be empowered to censor under SOPA and PIPA.

The bill is scheduled to be officially introduced next week by Senate Honeland Security Chairman Joe Lieberman [I, CT]. Majority Leader Harry Reid [D, NV] is planning to bring it the Senate floor for a vote in early 2012 (i.e. as soon as possible). The bill language could still be changed from the draft reviewed by Harper before it is introduced. We’ll be watching it closely.