Numerous commentators have noted the sore thumb in the group of supporters for The Cyber Intelligence Sharing and Protection Act (CISPA): Facebook. Why would a social network be endorsing a bill that would allow companies to pass personal information about Internet users to the government without any form of judicial oversight? A number of recent articles have discussed the issue, and already one digital rights group has launched a campaign to convince Facebook to drop support of the bill. In response to the criticisms, Facebook’s Vice President of US Public Policy Joel Kaplan published a statement on Friday admitting that there were privacy concerns with the bill. He also noted that Facebook’s major cybersecurity goal is to receive more data about cybersecurity threats from the government—something that doesn’t necessitate the sweeping data sharing provisions currently outlined in CISPA.
In the statement, Kaplan stated:
[W]e recognize that a number of privacy and civil liberties groups have raised concerns about the bill—in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity.
Even as he noted the civil liberties criticisms, Kaplan assured users that Facebook has "no intention" of sharing private user data with the government and stated that CISPA "would impose no new obligations on us to share data with anyone."
But let’s be clear: Internet users don’t want promises from companies not to intercept our private communications and share that data with one another and the government. We want strong laws that make such egregious privacy violations illegal, that require the government to follow legal process (judicial oversight in most case), and that allow us or the government to sue persons who break the law. Ironically, hard-won, long-standing privacy laws—like the Wiretap Act and the Electronic Communications Privacy Act—already exist, although they are by no means ideal. There are already too many exceptions that allow the government to gain access to sensitive user data. But CISPA would upend these existing legal protections and leave the door wide open to companies handing sensitive personal information to the government without so much as a subpoena, let alone a warrant.
Kaplan discussed Facebook’s motivation for supporting the bill: "if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems." He also noted that the "things we liked about HR 3523 in the first place—[were] the additional information it would provide us about specific cyber threats to our systems and users." This stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.
Kaplan expressed hope that Congress would produce "legislation that helps give companies like ours the tools we need to protect our systems and the security of our users’ information, while also providing those users confidence that adequate privacy safeguards are in place." If Facebook wants more timely and accurate data about cybersecurity threats from the government while providing "adequate" privacy safeguards, it should withdraw support from CISPA until those safeguards are in place.