Facebook says it has 'no intention' to abuse CISPA

Today, Facebook released more details about its backing of CISPA. The company underlined the advantages of having such legislation pass, including the fact it lets companies and the government share information with each other about cyber attacks, as well as how this can help protect firms and their users from being victimized by the same attack. Facebook also admitted CISPA has some questionable sections, but said it will not abuse them. Instead, Menlo Park wants these parts changed.

Here's what I said in my previous article:

That's the main point, but CISPA also includes portions about protecting intellectual property, reminding many of SOPA and PIPA. If an IP thief is considered a threat to cyber security, then his website, or where he posted the content, could technically be blocked by CISPA. If a government agency believed you were planning a cyber attack, and were discussing it on Facebook, it could ask the social networking giant for every piece of information about you.

Facebook could, of course, say no. That's important to emphasize. The bill would not force Facebook to hand over all the data it normally does when it legally has to (Here's what Facebook sends the cops in response to a subpoena).

Facebook agrees. Here's the relevant part of the statement saying the company wants to protect its users with CISPA:

Importantly, HR 3523 would impose no new obligations on us to share data with anyone –- and ensures that if we do share data about specific cyber threats, we are able to continue to safeguard our users' private information, just as we do today.

That said, we recognize that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place -- the additional information it would provide us about specific cyber threats to our systems and users.

There's more. Here is what the Electronic Frontier Foundation (EFF) had to say about CISPA:

Under Rep. Mike Rogers' Cyber Intelligence Sharing and Protection Act of 2011 (CISPA),and Sen. John McCain's SECURE IT Act, there are almost no restrictions on what information can be spied upon and how it can be used. That means a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop "cybersecurity" threats.

Worst of all, the stated definition of "cybersecurity purpose" is so broad that it leaves the door open to censor any speech that a company believes would "degrade the network." Parts of the proposed legislation specifically state that cybersecurity purpose includes protecting against the "theft or misappropriation of private or government information" including "intellectual property." Such sweeping language would give companies and the government new powers to monitor and censor communications for copyright infringement. It could also be a powerful weapon to use against whistleblower websites like WikiLeaks.

Here is how Facebook addresses the EFF's complaints:

The overriding goal of any cybersecurity bill should be to protect the security of networks and private data, and we take any concerns about how legislation might negatively impact Internet users' privacy seriously. As a result, we've been engaging directly with key lawmakers as well as industry and consumer groups about potential changes to the bill to help address privacy concerns.

The bill's sponsors, House Intelligence Committee Chairman Mike Rogers and Ranking Member Dutch Ruppersberger, have stated publicly that they are working with privacy and civil liberties groups to address legitimate questions and concerns about how information might be shared with the government under the bill. They've made clear that the door is still open to change the bill before it comes to the House floor for consideration.

Let's recap. SOPA and PIPA were about intellectual property, and allowed courts to remove DNS listings for any website hosting pirated content. CISPA is meanwhile about security, and makes it possible for companies to share user information with the U.S. government (and vice versa) if the parties believe it is needed for the greater cyber security good.

That being said, CISPA has loopholes that allow it to be abused, especially when it comes to Intellectual Property and privacy. Facebook says it will not do that, and will instead work on closing these loopholes.

Frankly, I think Facebook should only back CISPA when the bill is in a state worthy of getting support in the first place.

See also:

• Facebook spent $1.35 million on lobbying in 2011
• Facebook: anti-SOPA post was removed in error
• Facebook CEO Mark Zuckerberg talks SOPA, PIPA
• Facebook not part of SOPA blackout, but users still protest
• Don't expect Facebook to go dark for SOPA
• Here's what Facebook sends the cops in response to a subpoena