Facebook justifies its support for CISPA, a bad cyber security bill
April 13, 2012 5:08 PM
After lots of public outcry, Facebook has published a letter today explaining its support for controversial cyber-security legislation, the Cyber Intelligence Sharing and Protection Act, or CISPA (PDF).
CISPA intends to grant companies more leeway when it comes to collecting and sharing data about their consumers (or users, in the case of social networks) — specifically, data regarding security threats. Essentially, the bill’s goal is to enable companies to share this information with the government to help fight and prevent cyber security attacks. Currently, most businesses are hesitant to share such precious information with third parties for fear of violating antitrust laws. The bill has broad support from over 100 House co-sponsors from both sides of the aisle.
Critics of CISPA often incorrectly refer to it as a new version of international copyright infringement bill SOPA, which would have given the government the authority to shut down websites accused of internationally committing acts of piracy. But while CISPA only intends to thwart security threats, many believe it could end up paving the way for copyright holders to begin policing the net. Critics also point out that it promotes the idea of companies creating extensive user databases, intercepting or modifying communications under the guise of security, and blindly complying with government requests for private user information.
Facebook, however, believes CISPA’s cyber security benefits greatly outweigh any of the potential negative impacts critics have cited.
“We recognize that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity,” wrote Facebook VP of Public Policy Joel Kaplan in the letter. “Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 [a.k.a. CISPA] in the first place — the additional information it would provide us about specific cyber threats to our systems and users.”
Facebook isn’t alone in its support of CISPA. Other companies that support the bill include AT&T, Microsoft, Verizon, IBM, Intel, and over 25 others.
Facebook’s entire statement follows below.
“More than 845 million people trust Facebook with their information, and maintaining that trust is at the core of everything we do. Keeping the site secure to protect our users and their information requires a combination of technological innovations; around-the-clock coverage from our dedicated staff; and relationships within the broader security community.
A successful defense against bad actors also requires that we have timely information about cyber threats. One challenge we and other companies have had is in our ability to share information with each other about cyber attacks. When one company detects an attack, sharing information about that attack promptly with other companies can help protect those other companies and their users from being victimized by the same attack. Similarly, if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems.
A number of bills being considered by Congress, including the Cyber Intelligence Sharing and Protection Act (HR 3523), would make it easier for Facebook and other companies to receive critical threat data from the U.S. government. Importantly, HR 3523 would impose no new obligations on us to share data with anyone –- and ensures that if we do share data about specific cyber threats, we are able to continue to safeguard our users’ private information, just as we do today.
That said, we recognize that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place — the additional information it would provide us about specific cyber threats to our systems and users.
The overriding goal of any cybersecurity bill should be to protect the security of networks and private data, and we take any concerns about how legislation might negatively impact Internet users’ privacy seriously. As a result, we’ve been engaging directly with key lawmakers as well as industry and consumer groups about potential changes to the bill to help address privacy concerns.
The bill’s sponsors, House Intelligence Committee Chairman Mike Rogers and Ranking Member Dutch Ruppersberger, have stated publicly that they are working with privacy and civil liberties groups to address legitimate questions and concerns about how information might be shared with the government under the bill. They’ve made clear that the door is still open to change the bill before it comes to the House floor for consideration.
We hope that as Congress moves forward in considering this and any other cyber legislation, the result will be legislation that helps give companies like ours the tools we need to protect our systems and the security of our users’ information, while also providing those users confidence that adequate privacy safeguards are in place.
Plastic toy soldiers photo via jcjgphotography/Shutterstock