Update - Facebook says it has 'no intention' to abuse CISPA
When the Internet erupted earlier this year to rally against the U.S. anti-piracy legislation Stop Online Piracy Act (SOPA) and PROTECT IP Act (PIPA), Facebook joined in. Facebook co-founder and CEO Mark Zuckerberg, Facebook COO Sheryl Sandberg, and Facebook VP Elliot Schrage all posted their criticisms of the bills. Zuckerberg even tweeted about it – a very rare occurrence.
Now, Facebook is supporting the Cyber Intelligence Sharing and Protection Act (CISPA), which was written to "provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes." CISPA isn't exactly like SOPA or PIPA, but it's still a cause for concern, according to activists like the Electronic Frontier Foundation (EFF).
SOPA and PIPA were about intellectual property, and allowed courts to remove DNS listings for any website hosting pirated content. CISPA is meanwhile about security, and makes it possible for companies to share user information with the U.S. government (and vice versa) if the parties believe it is needed for the greater cyber security good.
As with many bills, CISPA has room for abuse. It "means a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop 'cybersecurity' threats," an EFF spokesperson said in a statement. "Worst of all, the stated definition of 'cybersecurity purpose' is so broad that it leaves the door open to censor any speech that a company believes would 'degrade the network.'"
That's the main point, but CISPA also includes portions about protecting intellectual property, reminding many of SOPA and PIPA. If an IP thief is considered a threat to cyber security, then his website, or where he posted the content, could technically be blocked by CISPA. If a government agency believed you were planning a cyber attack, and were discussing it on Facebook, it could ask the social networking giant for every piece of information about you.
Facebook could, of course, say no. That's important to emphasize. The bill would not force Facebook to hand over all the data it normally does when it legally has to (Here's what Facebook sends the cops in response to a subpoena).
"Parts of the proposed legislation specifically state that cybersecurity purpose includes protecting against the 'theft or misappropriation of private or government information' including 'intellectual property,'" an EFF spokesperson said in a statement. "Such sweeping language would give companies and the government new powers to monitor and censor communications for copyright infringement. It could also be a powerful weapon to use against whistleblower websites like WikiLeaks."
CISPA currently has over 100 co-sponsors in Congress and 28 corporate supporters (full list), one of which is Facebook. I asked Facebook for a statement regarding its support, but the company declined to comment on this article. Instead, a spokesperson pointed me to Facebook's letter about the bill (PDF).
I've typed up the body of the letter for easier reading, and so I could add my own comments. Joel Kaplan, Facebook Vice President of U.S. Public Policy, addresses House members Mike Rogers and Dutch Ruppersberger with the following introduction:
I am writing on behalf of Facebook to commend you on your legislation, the "Cyber Intelligence Sharing and Protection Act of 2011," which addresses critical needs in cyber security. Your thoughtful, bipartisan approach will enhance the ability of companies like Facebook to address cyber threats.
Then he explains why, noting that Facebook just wants to protect consumers and help combat malicious Internet activity:
Effective security requires private and public sector cooperation, and successful cooperation necessitates information sharing. Your legislation removes burdensome rules that currently can inhibit protection of the cyber ecosystem, and helps provide a more established structure for sharing within the cyber community while still respecting the privacy rights and expectations of our users. Through timely sharing of threat information, both public and private entities will be able to more effectively combat malicious activity in cyberspace and protect consumers.
In other words, Facebook is supporting CISPA because it takes the pressure of regulating users off the company. While SOPA required private companies to monitor, and held them responsible for, what their users were doing, CISPA is written so the government is responsible.
More than 800 million people worldwide entrust Facebook with their information, and maintaining that trust is vital to our success and the core of everything we do. Securing information requires a multi-pronged approach and we employ legal, security, and engineering experts to ensure the integrity of the site. We work regularly with analysts, engineers, fraud experts, and security investigators to prevent abuse, defeat criminals, and help maintain Facebook as a trusted environment. We work closely with the rest of the security community to defend against existing threats, anticipate new ones, and arm people with the tools they need to protect themselves. Your bill will assist our efforts by facilitating this kind of cooperation.
In short, Facebook is happy the bill will protect it from being sued by a user for handing over their information to authorities.
We want to thank you again for your legislation addressing demonstrated cyber security needs, and look forward to continuing to work with you and your colleagues on this important issue.
Facebook is supporting CISPA because it benefits if the bill passes. I doubt the company will change its stance, even if there is a huge uproar against the bill like there was for SOPA and PIPA.
Update - Facebook says it has 'no intention' to abuse CISPA