In the last several years, the United States Congress has proposed various laws to combat cyber threats, all of which have raised controversial questions regarding online privacy. One, the Cyber Intelligence Sharing and Protection Act, or CISPA, is a proposed law that was passed by the House of Representatives in 2013, and again in 2015. Its stated aim is “to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.”1 A similar law, the Cybersecurity Information Sharing Act, or CISA, passed the Senate in 2015. The stated aim of CISA is “to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.”2 Neither bill has passed in both houses, but both have received considerable support in Congress, while also generating considerable controversy among online communities. But given the similarity between the two bills, and the fact that each has passed in one house of Congress, many think it is likely that some version will become law soon.
Both bills call for government agencies, businesses and other organizations to share information about cybersecurity threats with one another, and require the Director of National Intelligence, along with the Departments of Homeland Security, Justice and Defense, to develop procedures to share cyber threat information with both private companies and nonfederal government agencies. Furthermore, both bills allow and encourage private companies to share information relevant to addressing cyber threats with the federal government, and, in some cases, with authorized nonfederal government agencies and other private entities. Both bills would also provide liability protection to private companies that voluntarily share and receive cyber threat indicators and defensive measures with other entities or the government.
Senator Dianne Feinstein, one of the most prominent supporters of CISA, argues that passing such a law “is an important step to shore up our cybersecurity, and that it “balances security, personal privacy and liability protection.”3 Feinstein, and other proponents of CISA, argue that cyber threat information sharing between the government and private companies will help these different groups better prepare themselves to identify and defend against hackers trying to steal information from their online systems. Furthermore, they argue that because all such information sharing is voluntary, and the proposed measures require private companies and the government to review all information prior to sharing in order to remove any irrelevant personally-identifiable information, such a law would not infringe on the privacy rights of these companies or their users.
Opponents counter that the language of the proposed laws leaves plenty of room for abuse by companies and government agencies, effectively making CISA an authorization of government surveillance of private citizens. The Center for Democracy and Technology, which opposes CISA, argues that the proposed laws permit “information shared under the bill to be used for a myriad purposes completely unrelated to cybersecurity, including prosecuting espionage and trade secrets violations and other crimes,” as well as “responding to or mitigating an imminent threat of death, serious bodily harm, or serious economic harm.”4 Thus, they argue, CISA allows for pervasive and deeply unethical infringement of the privacy rights of consumers by both companies and the government.
(1) What is the moral relevance of the fact that CISA concerns specifically online privacy?
(2) When, and with whom, is it morally acceptable for companies to share user information?
(3) Under what circumstances, if any, is it morally acceptable to infringe privacy rights?