Anonymous has had an extraordinary run of success lately. It somehow managed to hack into North Korea's closed Internet network – twice – which must have agitated its military leadership to no end. It also used social media tools to bring to light the hideous acts at the center of teen suicides in several communities in North America.
But, unfortunately, the hacker collective largely failed recently to derail the Cyber Intelligence Sharing and Protection Act (CISPA) in much the same way that earlier efforts helped derail the Stop Online Piracy Act (SOPA). As a result, CISPA is still rolling along through Congress, despite efforts by civil liberties groups to slow it down.
Anonymous had called for an Internet blackout recently to protest CISPA, a new cyber-security bill that would shield big companies that turn over private information to the government. A similar effort helped derail SOPA a year ago.
But SOPA attracted opposition from lots of big tech companies along with civil liberties groups. For that reason, many of them supported the efforts to derail SOPA, including an Internet blackout where tens of thousands of sites took part.
That's not the case with CISPA, which passed the House of Representatives recently and is now before the Senate. A very long list of major companies – including AT&T, Verizon, Intel, HP, Time Warner Cable, IBM, Comcast, McAfee, Oracle, Google and Facebook – like CISPA because it lets them off the hook. So when Anonymous called for a blackout to protest CISPA, it fell on deaf ears to the big tech, Internet and cable companies responsible for vast swaths of the Internet.
For this reason, the recent Anonymous-led Internet blackout drew support from just a few hundred small websites. Basically, no one noticed – largely because the big tech companies didn't help oppose CISPA as they did with SOPA.
So why do these big tech and Internet companies like CISPA?
For starters, they don't have to monitor users' activity. When federal agencies ask for personal information, the companies can provide that information without worrying about it. It becomes the government's responsibility. Companies won't be liable for breaking terms of service by giving up personal information.
Here's how CISPA would work. Imagine that Iran launches a cyber-security attack against Google or Facebook. The Department of Homeland Security asks those companies to turn over users' private information it believes will be helpful in tracking the source and nature of the threat.
But, in turning over that user information, the companies aren't required to anonymize the data. That would be expensive, and a burden to companies, their lobbyists have argued. What's more, it might also make DHS' job harder. An effort to require companies to anonymize user information before turning it over to federal authorities didn't work – though an amendment added in the House requiring the government to do so before it passes information on to companies did succeed.
As written now in the CISPA language, private user information isn't required to be made anonymous before Internet sites and companies provide it to federal authorities. Only the government, on its end, is required to anonymize such personal information.
"CISPA essentially would override the relevant provisions in all other laws – including privacy laws," the non-profit group Electronic Frontier Foundation says in a statement. "CISPA is written broadly enough to permit your communications service providers to share your emails and text messages with the government, or your cloud storage company could share your stored files."
CISPA passed the House last year, and then died in the Senate – largely because of privacy concerns. It's possible that could happen again in 2013, but increased online threats from China and Iran have made cyber-security threats much more urgent now.
President Barack Obama has threatened to veto the bill because of the privacy issues. The administration is "concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cyber-security data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately," the White House said in a statement.
But CISPA's supporters argue that the privacy concerns are overblown, and that the bill is needed to keep data safe from foreign hackers who attempt to steal information from U.S.-based companies. They also point out that federal authorities need the ability to move quickly to deal with emerging, fast-moving threats, and cumbersome or expensive efforts to anonymize data harms that effort.
A few things have changed with CISPA from 2012 to 2013 as well, which make its passage much more likely. Companies can't use shared information for commercial purposes; federal authorities can't hold on to shared information indefinitely under the guise of "national security"; and there are much clearer rules on which branches of the U.S. government have access to shared data.
Sadly, if CISPA as it's written were to become law, individuals wouldn't even know if their information had been improperly shared. Let's say Google improperly shares your Gmail messages to DHS in a way that's beyond the CISPA guidelines. You aren't told about it. The government would just tell Google about it – not you.
And just to add insult to injury, CISPA would actually provide legal immunity to Google or any other company that provides personal information to federal authorities if it was acting in "good faith" to deal with a cyber-security threat. So even if you wanted to complain, you'd have no legal basis.
There is still time on CISPA, and the former owner of Reddit, Alexis Ohanian, is making the most of it. He posted an interesting video a few days ago in an effort to convince the leaders at Google, Facebook and Twitter to get serious about the privacy concerns in CISPA.
"I'm hoping that all of these tech companies take the stand that their privacy policies matter, their users' privacy matters, and no legislation like CISPA should take that away," Ohanian said in the video. "If someone wants access to our private home or to our mail we would say, well, go get a warrant. Right? CISPA basically says, uh, not necessary. Your digital privacy is irrelevant."
The video then shows Ohanian trying to call the CEO of Google, Larry Page. The Google employee answering the call tells him that no one by that name works at Google. "I am pretty sure there's a Larry Page at Google," Ohanian deadpans in the video.
So I guess this means that Google won't be sharing Larry Page's personal information with the government if CISPA should become law.