by Dana Tierney, Senior Editor
Silicon Valley, Wednesday, April 25, 2012 — A bill coming up for a vote in the US House of Representatives this week, HR 3523, otherwise known as the Cyber Intelligence Sharing and Protection Act (CISPA), had not previously attracted much attention since it was approved by the House Permanent Select Intelligence Committee in December. The Electronic Frontier Foundation (EFF) and the Center for Democracy and Technology (CDT) have, however, been warning that the sweeping language of some provisions — particularly the immunity granted to companies that share their users' data "notwithstanding any other provision of law" — may trump all existing privacy and wiretap law.
CISPA is one of at least four cybersecurity laws that are currently being debated in Congress. The administration has said that it wants to require minimal security standards — such as making sure that those who manage nuclear power plants aren't running commercial software with a default password. (Lest you think I'm joking, I have seen this in demos!)
No one is debating the need to shore up our Internet security; the debate is all about whether CISPA accomplishes what it sets out to do — to allow government and private organizations to share information for security purposes while protecting the rights of individuals online. And it's hard to judge when the bill itself keeps changing. It's a moving target. Yesterday, still more amendments were added to the bill in an effort to address concerns put forth by the bill's opponents.
Hackers and Founders, a California-based business support network, hosted a town hall meeting at the CNET offices in San Francisco. The meeting, moderated by CNET political correspondent Declan McCullagh, covered both sides of the argument and tried to shed some light on what CISPA means to the individual, to business, and to the government.
"Do we really need this law?" asked Dan Auerbach, a staff technologist with the Electronic Frontier Foundation (EFF), later adding that "the language is incredibly unclear. It talks about cybersecurity systems, and those are so vaguely defined." A clearly frustrated Jamil Jaffer, legislative staffer with the House Permanent Select Intelligence Committee, urged the audience to "read the bill" and declared "there's no secret agenda here."
The heart of opponents' concerns lies in the bill's definitions. Besides the broad immunity it grants to businesses that share user data with the government, the legislation authorizes a company to "use cybersecurity systems to identify and obtain cyber threat information". The Electronic Frontier Foundation is deeply suspicious of that language and says it is broad enough to cover Wikileaks and Pirate Bay, especially since early versions of the bill mentioned threats to intellectual property.
Town hall participant Engine Advocacy, an organization that lobbies on behalf of startups, withdrew its opposition to CISPA after a new draft of the bill removed references to intellectual property theft as a cybersecurity threat. Despite that language being removed from the bill, the idea is still being actively discussed in Congress and could very well end up passing in some form. For example, in a recent subcommittee hearing of the House Committee on Homeland Security, the opening remarks of subcommittee chairman Michael T. McCaul (R-TX) included theft of intellectual property in his list of cyber threats. The hearing was called "America Is Under Cyber Attack: Why Urgent Action Is Needed," and McCaul's broad interpretation of what constitutes an attack goes far in revealing his mindset:
The CDT's Jim Dempsey suggested at the town hall that even companies that like the bill have expressed some concern over user privacy, and said his group does not believe that the NSA should be allowed to utilize user data for situational awareness. Auerbach seemed to agree, saying that while the bill may be good for tech companies, he did not believe it was good for users.
While groups like the EFF and CDT have voiced their concerns about the bill's privacy issues, the response of the Internet industry as a whole is puzzling.
Although industry groups have come out in support of the bill, Internet companies have mostly been silent over CISPA, except for Facebook, which has said it commends the bill because of "the additional information it would provide us about specific cyber threats to our systems and users." Bill sponsor Mike Rogers (R-MI) has described Google as "supportive" and involved in finding the "right language" for the bill. Although Google belongs to trade associations that have expressed support for the bill, it has not publicly taken a position on the legislation.
Though it commended the bill because of the information it would receive from the government, Facebook has also said that it is not interested in the provisions that relate to sharing information with the government and doesn't plan to do so. Despite Facebook's stated intentions, the bill's current language would allow it to share anything it likes without penalty. While taking Facebook to task over its stance on the bill, the EFF did note in an answering blog post that receiving information from the feds need not require sending user data back.
In a post at Talking Points Memo, Carl Franzen pointed out that the EFF's comparison of CISPA to the recently defeated SOPA bill was inaccurate. "The [CISPA] bill is simply talking about sharing information about perceived threats. It says nothing about taking down websites, obtaining court orders or using the information in any sort of expanded way that hasn't been available before," said Franzen. The comparison obscures the issue as well, because here, the constitutional concerns involve the Fourth, not the First Amendment.
Tech groups that have voiced support for the measure include the Information Technology Industry Council, the Technology CEO Council, TechAmerica, CTIA, the Internet Security Alliance and the Software and Information Industry Association.
The federal government currently shares threat information through the United States Computer Emergency Readiness Team (US-CERT) and the National Vulnerability Database (NVD). However, CISPA would allow sharing of classified data as well. What's unclear is why information that needs to be shared and is important enough to warrant this legislation is classified in the first place. It's difficult to evaluate the value of secrecy without eliminating it, of course.
National security is indeed at risk in some cyberattacks. The many default installations of SCADA software with default passwords come to mind, but these threats are common knowledge. In addition, the Chinese government, according to many US officials, encourages or participates in cyberattacks against US businesses. The Chinese deny this, but their participation at least as far back as Operation Aurora in 2009 is generally accepted. How the user data of American consumers would help combat such attacks is unclear, however.
"The only argument from the pro-CISPA camp on this front is, 'Don't worry. Trust us.' But we don't, and we won't, and we shouldn't," says Andrew Couts of Digital Trends, noting that the American Civil Liberties Union has described
The federal government does have a history of overreaching even when threats exist. A recent example, the seizure of an anonymizing co-location server allegedly involved in emailed bomb threats against the University of Pittsburgh, also shut down many legitimate and uninvolved businesses. Beyond the collateral damage, you have to wonder what data they hope to gather from a server specifically designed not to log any information. Its operator, Riseup Networks, called the seizure "extrajudicial punishment."
The number of examples I can give is enormous, but rather than look at more of the same, let's look at what data actually is. Your smartphone is all user data. Your GPS location is user data. Your purchase habits, as stored in a merchant's database, are user data. Your credit card, your passport, your metrocard — all user data. Every word you say, on email, Facebook or Twitter, every place you go, every site you visit, every search you make, every interaction you have with any site that stores your data can now be tracked, not only by that site, but by anyone else who requests and receives that data.
And everyone who has this data would be able to share it with the government, and you would have no recourse at all. That's what this bill would allow. If there's no limit on what data the government can receive or how they can use it, then you might as well kiss privacy goodbye.
Dana Tierney is the Senior Editor at House of Fusion, where she causes authors to cry over their once-thought perfect articles. They recover, and their articles are better for it. But still, the sound of grown men weeping...