The passage of CISPA (the Cyber Intelligence Security and Protection Act) in the US House of Representatives has reignited the debate over online security versus personal privacy. Less publicly, it has also created a debate over how much work the US government can compel tech companies to perform in order to meet government-set security objectives.
CISPA is a large and complex amendment to the National Security Act of 1947, intended to update that act to deal with the growing threat of cyber attacks on both government information systems and private companies. Although it has many provisions, at its core it creates a program through which companies can share users’ personal information with the government and the government can share intelligence with private companies in order to avert cyber threats.
As such, the passage of CISPA creates a few issues for hosting companies, the most critical of which are:
Determining Participation: For a hosting company, sharing users’ information with the government is voluntary. Given the firestorm of controversy sure to surround any law that involves giving the government access to private, personal information, it’s a good bet that watchdog groups will sprout up to report on just how much sharing a hosting company engages in. As a result, participating in the programs that will make CISPA effective may be PR suicide for a VPS hosting company.
Defining Privacy: In the physical universe, law enforcement can argue that any evidence in “plain view” can be used without obtaining a search warrant, but in the universe of information it is much more difficult to determine what “plain view” means. Hosting companies will have to subscribe to a definition – which thanks to nebulous language isn’t clearly spelled out in the bill as written – in order to define how and when they will share information.
Because of a threatened veto, the bill will have to evolve as it moves through the Senate if it is to have any chance of passing President Obama’s desk, and this could create another issue for hosting companies. A current amendment to the bill requires the government to remove personal identification from information it shares with private companies, and the Administration has stated that it will veto the bill unless the final version also requires companies to remove personal identification from information they share with the government.
That could create considerable extra work for hosting companies in the event that they spot a potential threat. After determining how, when, and to what extent they will share information with the government, they will also have to establish protocols and workflow to remain in compliance with the bill’s data-handling requirements.