CISPA Is A Really Bad Bill, And Here's Why
from the time-to-speak-up dept
Update: There is now a new draft of CISPA that has rendered some (though unfortunately not all) of this analysis obsolete.
The forces behind HR 3523, the dangerous Cyber Intelligence Sharing and Protection Act which is going to move forward in Congress at the end of the month, are beginning to get cagey about the growing backlash from the internet community. In an attempt to address some of the key concerns, the bill's authors, representatives Mike Rogers and Dutch Ruppersberger, hosted a conference call specifically geared at digital reporters. The invitation was for "Cyber Media and Cyber Bloggers" (seriously) and took place at 7am Silicon Valley time—thus demonstrating that they are totally in touch with the tech community. During the call, the representatives were intent on hammering certain points home: that the bill respects privacy and civil liberties, is not about surveillance, is targeted at actions by foreign states, and is nothing like SOPA.
Unfortunately, none of that is really true. The text of the bill, even with the two key amendments made since (all pdf links and embedded below), is still full of extremely broad definitions which fail to create the safeguards that the representatives insist are present, and which leave room for dangerous unintended consequences.
CISPA at a Glance
In broad terms, CISPA is about information sharing. It creates broad legal exemptions that allow the government to share "cyber threat intelligence" with private companies, and companies to share "cyber threat information" with the government, for the purposes of enhancing cybersecurity. The problems arise from the definitions of these terms, especially when it comes to companies sharing data with the feds.
Is CISPA the new SOPA?
This is the notion that the reps behind the bill are most desperate to kill. Their primary response is that CISPA has nothing to do with seizing domains or censoring websites, but that's only true on the surface. The bill defines "cybersecurity systems" and "cyber threat information" as anything to do with protecting a network from:‘(A) efforts to degrade, disrupt, or destroy such system or network; or
‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
It's easy to see how that definition could be interpreted to include things that go way beyond network security—specifically, copyright policing systems at virtually any point along a network could easily qualify. And since one of the recipients of the shared information would be Homeland Security—the department that includes ICE and its ongoing domain seizures—CISPA creates the very real possibility for this information to be used as part of a SOPA-like crusade to lock down the internet. So while the bill itself has nothing to do with domain seizures, it gives the people behind such seizures a potentially powerful new weapon.
The reps insist that when they refer to intellectual property, they are not thinking about media piracy or even counterfeiting, but about foreign-based attacks on domestic companies to steal their research and development (they tout examples like the plans for jet fighters). Unfortunately, the bill's definitions create no such restriction, leaving the door wide open for more creative interpretations.
How can the government use the information?
The original text of the bill was really bad, simply saying the government cannot use the information for "regulatory purposes." This was amended to be more restrictive, but not by much: now, the same broad "cybersecurity" definition applies to what they can use the data for, and as if that wasn't enough, they can also use it for "the protection of the national security of the United States." I don't need to tell you that the government is not exactly famous for narrowly interpreting "national security."
So is CISPA a surveillance bill?
The bill specifically prohibits the government from requiring anyone to hand over information, or offering any sort of "quid pro quo" data sharing arrangement. Sharing information is voluntary, and as far as the bill's supporters are concerned, that should end the debate. Of course, as we've seen with things like the warrantless wiretapping scandal, complicity between companies and the government, even when legally questionable, is common and widespread. But even if the safeguards work, CISPA will undoubtedly allow for invasions of privacy that amount to surveillance.
Firstly, while the reps insist that the bill only applies to companies and not individuals, that's very disingenuous. CISPA states that the entity providing the information cannot be an individual or be working for an individual, but the data they share (traffic, user activity, etc.) will absolutely include information about individuals. There is no incentive in the bill to anonymize this data—there is only a clause permitting anonymization, which is meaningless since the choice of what data to share is already voluntary. Note that any existing legal protections of user privacy will not apply: the bill clearly states that the information may be shared "notwithstanding any other provision of law".
So we've got the government collecting this data, potentially full of identifying information of users in the U.S. and elsewhere, and they are free to use it for any of those broadly defined cybersecurity or national security purposes. But, it gets worse: the government is also allowed to affirmatively search the information for those same reasons—meaning they are by no means limited to examining the data in relation to a specific threat. If, for example, a company were to provide logs of a major attack on their network, the government could then search that information for pretty much anything else they want.
Can CISPA be fixed?
Most of the new provisions currently being considered for CISPA have to do with adding oversight and liability to prevent the government from violating any of the terms—but that doesn't address the problems in the bill at all, since the terms are already so broad. CISPA would require significant new restrictions to come anywhere close to being a good bill—a fact that points to Congress' inability to effectively design internet regulation. Moreover, there isn't even clear evidence that new cybersecurity laws are necessary. This is a bill that needs to die.
The EFF has a tool to help you contact your representative about CISPA and the broader issue of cybersecurity legislation. The bill is going to the House the week of April 23rd, so now is the time to get involved. As with SOPA, this is not an issue that solely effects Americans: the data may come from U.S. companies, but it will involve people from all over the world—and, indeed, foreign entities are one of the bill's prime targets. It's once again time for the internet to speak up and send a clear message to Congress: don't mess with something you don't understand.
Sunday, April 21, 2013
CISPA Is A Really Bad Bill, And Here's Why | Techdirt