I had an interesting conversation with Prof. Orin Kerr on Twitter yesterday. An op-ed at ZDNet proclaimed the passage of CISPA to be the death of the Fourth Amendment. Kerr tweeted that CISPA has nothing to do with the Fourth Amendment, and I countered that laypersons don't understand the difference between Fourth Amendment warrant requirements and statutory warrant requirements. (As a corollary, I also think that laypersons don't understand the difference between Fourth Amendment warrant requirements and statutory requirements for court orders, such as §2703(d) orders.)

Kerr asked what statutory warrant requirements CISPA eliminates. This is a complicated question, and although I attempted to answer via twitter, I think a blog post would detail the various issues more clearly. I've performed this analysis to the best of my abilities given my knowledge of CISPA and the law. I am not an authoritative source, and in fact I hope that the concerns that I am raising here are completely unwarranted, but I think that they are worth raising.

The primary concern with CISPA is that it allows service providers to disclose cyber threat information to the government notwithstanding any other law. Is this a good idea or not? Because this provision is so broad it is difficult to be sure that one has considered every law that could possibly prohibit such an information disclosure and determined whether or not one agrees that exceptions to each are acceptable.

Statutory warrant requirements (and court order requirements)

One category of statutory requirements for either warrants or court orders that I think CISPA implicates are requirements for compelled access to certain kinds of data that may not be well protected by the Fourth Amendment, such as the requirements created by the Stored Communications Act. There are a variety of similar privacy laws that raise the same concerns, but for the sake of simplicity I'm going to focus this analysis on the SCA.

The SCA's warrant and court order requirements have to do with compelled information disclosure. CISPA does not create a process for the government to compel service providers to disclose information to them. CISPA does allow these service providers to voluntarily disclose any information they find that directly pertains to efforts to commit a computer crime, but the Stored Communications Act already allows service providers to disclose any information pertaining to the commission of any crime, so CISPA does not appear at first blush to create any new voluntary information disclosure power beyond what the SCA already affords.

However, one open question re... [ Read More (0.9k in body) ]