[x-pubpol] Techdirt on CISPA

Joly MacFie joly at punkcast.com
Tue Apr 10 23:54:05 PDT 2012


 CISPA Is A Really Bad Bill, And Here's Why
by Leigh Beadon <http://www.techdirt.com/user/leigh>

Tue, Apr 10th 201

The forces behind HR 3523 <http://www.govtrack.us/congress/bills/112/hr3523>,
the dangerous Cyber Intelligence Sharing and Protection Act which is going
to move forward in Congress at the end of the month, are beginning to get
cagey about the growing backlash from the internet community. In an attempt
to address some of the key concerns, the bill's authors, representatives
Mike Rogers and Dutch Ruppersberger, hosted a conference call specifically
geared at digital reporters. The invitation was for "Cyber Media and Cyber
Bloggers" (seriously) and took place at 7am Silicon Valley time—thus
demonstrating that they are *totally* in touch with the tech community.
During the call, the representatives were intent on hammering certain
points home: that the bill respects privacy and civil liberties, is not
about surveillance, is targeted at actions by foreign states, and is
nothing like SOPA.

Unfortunately, none of that is really true. The text of the bill
<http://www.gpo.gov/fdsys/pkg/BILLS-112hr3523ih/pdf/BILLS-112hr3523ih.pdf>,
even with the two key amendments
<http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/RogersRuppersbergerAmendment%20toHR3523.pdf>
made since
<http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/ThompsonAmendmenttoHR3523.pdf>
(all pdf links and embedded below), is still full of extremely broad definitions
which fail to create the safeguards that the representatives insist are
present, and which leave room for dangerous unintended consequences.

*CISPA at a Glance*
In broad terms, CISPA is about information sharing. It creates broad legal
exemptions that allow the government to share "cyber threat intelligence"
with private companies, and companies to share "cyber threat information"
with the government, for the purposes of enhancing cybersecurity. The
problems arise from the definitions of these terms, especially when it
comes to companies sharing data with the feds.

*Is CISPA the new SOPA?*
This is the notion that the reps behind the bill are most desperate to
kill. Their primary response is that CISPA has nothing to do with seizing
domains or censoring websites, but that's only true on the surface. The
bill defines "cybersecurity systems" and "cyber threat information" as
anything to do with protecting a network from:

*‘(A) efforts to degrade, disrupt, or destroy such system or network; or

‘(B) theft or misappropriation of private or government information,
intellectual property, or personally identifiable information.*

It's easy to see how that definition could be interpreted to include things
that go way beyond network security—specifically, copyright policing
systems at virtually any point along a network could easily qualify. And
since one of the recipients of the shared information would be Homeland
Security—the department that includes ICE and its ongoing domain
seizures—CISPA creates the very real possibility for this information to be
used as part of a SOPA-like crusade to lock down the internet. So while the
bill itself has nothing to do with domain seizures, it gives the people
behind such seizures a potentially powerful new weapon.

The reps insist that when they refer to intellectual property, they are not
thinking about media piracy or even counterfeiting, but about foreign-based
attacks on domestic companies to steal their research and development (they
tout examples like the plans for jet fighters). Unfortunately, the bill's
definitions create no such restriction, leaving the door wide open for more
*creative* interpretations.

*How can the government use the information?*
The original text of the bill was *really* bad, simply saying the
government cannot use the information for "regulatory purposes." This was
amended to be more restrictive, but not by much: now, the same broad
"cybersecurity" definition applies to what they can use the data for, and
as if that wasn't enough, they can also use it for "the protection of the
national security of the United States." I don't need to tell you that the
government is not exactly famous for narrowly interpreting "national
security."

*So is CISPA a surveillance bill?*
The bill specifically prohibits the government from *requiring* anyone to
hand over information, or offering any sort of "quid pro quo" data sharing
arrangement. Sharing information is voluntary, and as far as the bill's
supporters are concerned, that should end the debate. Of course, as we've
seen with things like the warrantless wiretapping
<http://www.techdirt.com/blog/?tag=warrantless+wiretapping> scandal,
complicity between companies and the government, even when legally
questionable, is common and widespread. But even if the safeguards work,
CISPA will undoubtedly allow for invasions of privacy that amount to
surveillance.

Firstly, while the reps insist that the bill only applies to companies and
not individuals, that's very disingenuous. CISPA states that the entity
*providing* the information cannot be an individual or be working for an
individual, but the data they share (traffic, user activity, etc.) will
*absolutely* include information about individuals. There is no incentive in
the bill to anonymize this data—there is only a clause *permitting*
anonymization, which is meaningless since the choice of what data to share
is already voluntary. Note that any existing legal protections of user
privacy will not apply: the bill clearly states that the information may be
shared *"notwithstanding any other provision of law"*.

So we've got the government collecting this data, potentially full of
identifying information of users in the U.S. and elsewhere, and they are
free to use it for any of those broadly defined cybersecurity or national
security purposes. But, it gets worse: the government is also allowed to
*affirmatively search* the information for those same reasons—meaning they
are by no means limited to examining the data in relation to a specific
threat. If, for example, a company were to provide logs of a major attack on
their network, the government could then search that information for pretty
much *anything else they want*.







-- 
---------------------------------------------------------------
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------