More Thoughts on CISPA

HR3523, the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House today, has been making news as of late. If passed into law, the bill would allow government agencies to share data with one another and allow private corporations to share data with the state without concerning themselves with any contractual obligations:

At that Committee meeting (1:01:45), the bill’s chief sponsor Chairman Rogers emphatically repeated his earlier assertions that CISPA wouldn’t breach private contracts in response to questions from Jared Polis:

Polis: Why wouldn’t it work to leave it up, getting back to the contract part, and I think again there may be a series of amendments to do this, if a company feels, if it’s voluntary for companies, why not allow them the discretion to enter into agreements with their customers that would allow them to share the information? …

Rogers: I think those companies should make those choices on their own. They develop their own contracts. I think they should develop their own contracts. They should enforce their own contracts in the way they do now in civil law. I don’t know why we want to get in that business.


And yet… for all Rogers’ bluster, CISPA moots private contracts—and House Republican leadership won’t fix the problem, even when five of their GOP colleagues offer a simple, elegant fix.

This is the same stubborn refusal to accept criticism and absorb new information that brought us SOPA, PIPA and a host of other ill-conceived attempts to regulate the Internet. It’s the very opposite of what should be the cardinal virtue of Internet policy: humility. Tinkering with the always-changing Internet is hard work. But it’s even harder when you stuff your fingers in your ears and chant “Lalalala, I can’t hear you.”

I think this brings up an important point that is often lost on people. As it currently stands most people rely on the service provider to protect their privacy. People who use services such as Gmail, Yahoo! Mail, Facebook, Twitter, etc. assume that those companies will prevent prying eyes from viewing unauthorized third-parties. This is a poor assumption for multiple reasons. First, most service providers make their money off of selling their customers’ information. There is an assumption that such information is anonymized to a point but there is no guarantee. I believe the conflict of interest is obvious. Reason number two is that even if a service provider does protect your privacy there is no guarantee that unauthorized third-parties won’t gain access by bypassing implemented security measures. The third reason is that customer information is often an asset that is sold off when a company becomes insolvent. If your e-mail provider were to enter bankruptcy they may be required to sell you information as part of their asset sale. Fourth, the state reserves the right to render contractual agreements irrelevant with the mere issuance of a subpoena. CISPA, ultimately, isn’t granting private entities the ability to violate their contractual agreements without legal consequences, it merely removes the requirement that a subpoena be issued before the contract can be violated.

The reason I advocate crypto-anarchy is because it’s a solution to all of the above mentioned problems. Imagine a world where everybody encrypted their e-mails. While the e-mails may be stored on an e-mail provider’s server the data would be unusable to them or unauthorized third-parties. The same applies to encrypted instant messages, web page requests, etc. Anonymizing tools can prevent service providers and anybody with access to their data from identifying your person or your location. Having encrypted data from an unknown person makes decryption difficult since you don’t know who to coerce the required keys out of.

Even if CISPA is passed there are many ways for your information to fall into unauthorized hands. Crypto-anarchy renders all of these threats irrelevant while begging politicians to not pass CISPA doesn’t. Solve all of the problems instead of a single minor one, use cryptographic tools today.