
I am never more reminded of how smart people can succumb to groupthink than I am when I read HN posts about CISPA. There are a lot of misconceptions about the law, including what kind of data gets shared (only relevant threat data, this isn't your bank account info, and the RIAA can't sue you if shared data reveals you to be torrenting movies - can elaborate more on this if there's interest), who does the sharing (orgs share to the government voluntarily), who has access to the sharing (government and people the government decide to share the data with), etc.

I saw an infographic a little while back that I thought made a pretty good representation of what the bill actually proposes, I wonder if anyone has a link available to it.




A short summary of CISPA:

-- any large internet company can share your data with the government; they can't be sued for it. The U.S. will end up with large data hoses stuck into all large internet companies.

-- any large internet company can share your data with the RIAA/MPAA/private copyright police; they can't be sued for it. The copyright police will end up with large data hoses stuck into all large internet companies.

That's about the start and the end of it. If you think it's great that the RIAA/MPAA will end up with the ability to suck down everything that Google/Facebook/Twitter/Verizon/Comcast/etc. know about you, with no subpoena or other legal process required, based on their allegation that you are infringing their copyrights, then you should be cool with this bill. If you think it's great that the NSA will end up with the ability to suck down everything those companies know about you based on their allegation that you are a threat to national security, again with no legal process required, then you should be cool with this bill.

If you don't think that's great, you should probably oppose this bill.


This is one of the better analyses I've seen of CISPA. I'll save tptacek some time and quote liberally from the article:

"It's unclear why new legislation is needed to allow this kind of uncontroversial information sharing to occur. Network administrators and security researchers at private firms have shared threat information with one another for decades. And the law also allows information sharing between private firms and the government in many circumstances. For example, a private company is already free to notify the FBI if it detects an attempt to hack into its network."

[...]

"The "notwithstanding" approach to cybersecurity is fundamentally flawed because it's almost impossible to predict which parts of US law might be effectively changed by the new law, or to prevent unintended consequences from unduly broad sharing. It would be far better for Congress to figure out which specific privacy laws (if any) prevent effective network security responses and explicitly reform those provisions."

[...]

"Given the roaring success of the Internet's backlash against the Stop Online Piracy Act, CISPA opponents have an irresistible temptation to compare the two bills. Both bills represent attacks on the rights of Internet users, but the similarity largely ends there.

A better analogy is the 2008 FISA Amendment Act, which granted major telecommunications incumbents retroactive immunity for their participation in warrantless wiretapping and eliminated judicial oversight for a broad category of government surveillance. CISPA is likely to further erode the already weak legal restraints on government surveillance of Americans, and there's no meaningful judicial oversight of information shared under the "cyber threat" program."


Your time would be better spent reading the CISPA bill itself, which goes to some length to define "sharing" and "security". I can summarize, but the firsthand sources are surprisingly readable:

http://www.govtrack.us/congress/bills/112/hr3523

As regards "opt-in": it's inherently opt-in, because it provides no mechanism for the government to demand information from any provider. Obviously, the government can already use court orders to get access to information. Beyond that, the bill explicitly prevents the government from making such demands; for instance: "Nothing in this section shall be construed to permit the Federal Government to... ‘(A) require a private-sector entity to share information with the Federal Government;".

As regards "security": the bill actually defines this term (a novel twist in "cyber security" legislation):

    ‘(i) a vulnerability of a system or network of a government or private
    entity;
     
    ‘(ii) a threat to the integrity, confidentiality, or availability of a
    system or network of a government or private entity or any information
    stored on, processed on, or transiting such a system or network;
     
    ‘(iii) efforts to deny access to or degrade, disrupt, or destroy a
    system or network of a government or private entity; or
     
    ‘(iv) efforts to gain unauthorized access to a system or network of a
    government or private entity, including to gain such unauthorized
    access for the purpose of exfiltrating information stored on,
    processed on, or transiting a system or network of a government or
    private entity.

Please read the actual text of CISPA before making any judgements. It's reasonably short and not all that hard to understand. It's also nowhere near as evil as it is being made out to be.

For those interested, here's a link: http://www.opencongress.org/bill/112-h3523/text

As far as I can tell, it appears to be essentially a data-sharing bill for network intrusions, to allow companies and government to get around existing barriers to investigate network intrusions. I'm certainly open to the possibility that it is somehow worse, but I am really having a hard time seeing how.


Forgive my ignorance but can I get a clarification on what specific parts of the bill will be damaging to privacy? From what I've read so far of the bill it will permit government organizations with classified intelligence about a possible threat to tell those that might be attacked without going through a lengthy declassification process. While that is certainly valuable, I gather there are other provisions that allow for sharing of user data without consent by those under threat?

EDIT: Seeing now that the measure does not require participants to remove user data, but it doesn't prohibit that, correct?

EDIT2: The CISPA Myths vs. Facts and the EFF articles are informative. Regardless, I think it is important to note that because of classification this information may not have been able to be communicated to organizations prior to something like this bill being in place. I would highly recommend encapsulating each constructive measure in its own bill (and I favor that for all legislative endeavors) however that may not work given the difficulty of the process these days.


Wow. Ok. Let me take a shot at this.

* Bills start as draft language. The draft is circulated so that organizations like ACLU can point out things like "this bill gives too much deference to content rightsholders". The bill's authors then say, "that's not at all the intent of the bill" and then fix the language. It is very weird to complain about this, since it's the system actually working in the public interest. So, sorry, you're going to have to keep reading the bill. Also: CISPA is tiny. You can read it inside of 5 minutes. It isn't PPACA, the bill Pelosi commented on.

* I don't think software vulnerabilities are the best or most likely example of information that will be shared from the USG to the private sector under CISPA, but to the extent it is, you can simply assume that a (say) OpenSSH bug disclosed under CISPA to (say) Facebook is going to be patched immediately. I am a vulnerability researcher; that's my profession. It is a near-consensus among vulnerability researchers that the sooner vulnerability data is published, the safer we all are. I find it difficult to be concerned that CISPA might get OpenSSL flaws published faster. If that happens, great.

* If organizations don't want to share vulnerability information with the USG, they don't have to. CISPA is entirely opt-in. Moreover: vulnerabilities are a bad example of information CISPA enables sharing for. Companies can already lawfully share vulnerabilities with the USG. There is a whole cottage industry of small companies that sell vulnerabilities to the intelligence services. To the extent that your concerns about CISPA involve trafficking in privacy-harming exploit code (a very legitimate concern in general), you are (respectfully) ill informed about the current state of cybersecurity regulation.

* The reason CISPA preempts existing privacy laws and provides protection from liability is because there are lots of different privacy regulations on the books that make it difficult for companies operating in certain verticals to share any data without expensive legal review. If you deal with classroom data, you've got FERPA. If you have driver records, you have DPPA. CISPA does not repeal DPPA or HIPAA or FERPA; instead, it simply says that as long as companies are dealing in good faith with attack data --- "cyber threat information", a term the bill goes to some lengths to define --- they can reasonably assume they won't get sued for violating HIPAA by sharing that attack data.

* Individuals are exempted as private entities to protect individual privacy. The intent of that definition as stated by the bill's authors was to prevent CISPA from being interpreted as a mechanism for ISPs and the USG to enter into agreements to track individual customers. See "Myths and Facts About CISPA" at the House Intelligence Committee page. So: you have that concern exactly backwards.

* I don't have any response to your concern that the USG should not be liable for negligence in publishing sensitive data. I see it as a good thing that the bill creates accountability for the handling of the data, and wish there was more accountability in the bill, not less.

There are other questions in your comment that I didn't address because I didn't understand them, sorry.


CISPA is an actual cyber bill. It's not a good one, but it has nothing to do with copyright infringement.

No, I think you've misread the bill. CISPA allows for the sharing of "cyber threat information", which is defined in the "Definitions" section as:

* Information

* DIRECTLY PERTAINING TO

(i) a vulnerability

(ii) a threat to integrity, confidentiality, availability

(iii) efforts to deny access, degrade, disrupt, destroy

(iv) efforts to gain unauthorized access

(All this subject to the "Exclusion", detailed upthread, of ToS violations).


CISPA is flawed but doesn't have most of the provisions that SOPA contained. I wish the folks agitating against it would at least read the bill. (The other pending cyberintelligence bills are probably better than CISPA, though.)

Informed people who believe that CISPA is a privacy threat are typically taking a narrow reading of the ECPA's information sharing provision (for instance, reading into it the idea that "information required to maintain one's network" would not include "detailed information about ongoing network attacks"). If you believe that ECPA prevents Facebook or AT&T from sharing information about attacks --- something backbone providers already do --- then CISPA creates a new authorization to share that information.

The idea that CISPA would be a vector for DHS and DOJ to get warrantless access to email and Facebook messages, though, is hyperbolic and more than a little silly, because DHS and DOJ already have a warrantless way to get most of that information --- court orders.

It's *totally* reasonable to be concerned about the ease with which the government can get access to information via court orders. But that's a concern that's orthogonal to CISPA; if anyone meant CISPA as an additive to the mechanisms the government already uses to get email, the bill would be written differently.

It is as always worth mentioning that CISPA is an opt-in measure.


According to this site, CISPA would "end" online privacy; it urges you to send letters to Congress saying "this bill would have given federal agencies unlimited access to virtually any of my personal data and online communication-- without a warrant."

But of course, CISPA does nothing of the sort. It is:

* An opt-in measure that can't be forced on a private company by the government

* Restricted to "cyber threat information", a term carefully (relative to any other online legislation) defined to apply only to attacks on the confidentiality/integrity/availability of systems and applications

* Specifically restricted from applying to Aaron Swartz-style ToS violations, or, for that matter, to intellectual property misappropriation

* Written to exclude "individuals" from "protected entities" to avoid any reading that would permit ISPs to use it to hand over records for individual targeted customers

And, while it exempts private companies from suits for good-faith attack data sharing (that is the point of the measure), it deliberately makes the government liable for any damages from misuse of shared information.

As Declan McCullagh pointed out in another thread here recently, private companies operate under a bewildering stack of regulations that make it legally dicey to share even innocuous data during attacks. In addition to ECPA and SCA, the two omnibus federal electronic privacy laws, there are a number of domain-specific laws ranging from HIPAA for medical privacy to DPPA for drivers records. Companies who handle protected data currently either don't share attack data, or incur legal risks when they do, or incur legal expenses when they have their sharing practices reviewed.

CISPA is a straightforward (and short) bill that attempts to remedy that problem. I don't support it (I don't think it will do much to help), but it's not evil, and organizations that try to fundraise off the idea that it is are playing games with your attention.


> I've been informed since I started reading and discussing CISPA that a primary purpose of this bill is actually the opposite of what people are worried about: that instead of getting private companies to share with the government, CISPA exists largely to provide a legal framework for the government to share information with private companies, so that when government systems are hit with new (say) Microsoft Office malware and "spear phishing" attacks, they can notify stakeholders in private industry.

I honestly wouldn't have a problem with that (who would?), but I have to wonder exactly what sort of legal problems they were having in doing this and why they couldn't create private agreements allowing that?


Uh, the first line of CISPA is probably a big reason why EFF is critical and involved with that 4th Amendment issue I mentioned (which is a direct concern about CISPA... where's your hostility coming from?). The Act is only 10 pages; I and many others read it.

"IN GENERAL.—The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence."

In case it's vague which direction the sharing is allowed (it's both):

"[Private sector may] share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government."

Sharing is secret:

"shall be exempt from disclosure under section 552 of title 5, United States Code"

No recourse for sharing:

"No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith"

Also, quotes by everyone opposed:

http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...

Edit: to reply to your next comment, you frame this as centered on "attacks" but it's more generally characterized as "threats" and also includes any intellectual property theft (which broadens this by several orders of magnitude). And it also includes efforts to degrade a network. Pretty sure my cell phone provider thinks I've made efforts to degrade their network and steal IP since Android was released.


I've been pretty consistently disappointed with how EFF has been portraying this bill (which I don't support), to the point where it's causing me to re-evaluate the EFF as a whole.

The ACLU has had a much more measured response. Instead of trying to mobilize opposition to the bill by depicting it as "SOPA 2" (which it clearly isn't), they provided a list of suggestions for narrowing and refining the language in CISPA. The new draft reflects many of their concerns.

At its heart, CISPA is mostly a publicity measure meant to provide its sponsors with a veneer of having "done something" about the growing threat to industry by determined nation-state attackers (which is a real, if perhaps overhyped, threat to our national security). The kernel of intervention in CISPA --- the only thing CISPA actually "does" --- is an "official" provision for sharing information between service providers.

Some things you should know before you make up your mind about how dangerous that sharing is:

* It is already broadly allowed by the pre-PATRIOT 1986 Electronic Communications Privacy Act, which requires only that information be shared in conjunction with an actual effort to maintain services by the provider of the service itself, establishes no limits on the amount of information shared or who it's shared with, explicitly carves out the ability for providers to share information with officials acting under color of law during criminal investigations (without a warrant!), and makes no mention whatsoever of anonymizing or stripping PII (ironically unlike CISPA).

* It reflects already-in-place common industry practice: providers are already sharing often-detailed information about attacks.

* The "monitoring" of your emails is already so commonplace and widely accepted that it forms the basis for products like Google Mail; the capture and sharing of your email during criminal investigations is, sadly, already allowed without a warrant in many US venues!

It is one thing to suggest that the state of affairs for electronic privacy is sad indeed, and to militate in favor of better laws. Count me in.

It's another thing entirely to attempt to twist every meaningless, do-nothing piece of legislation to come out of Washington as an attempt to rewire the Internet in favor of the MPAA, which is exactly what the EFF appears to be doing here.

I felt like the concern over SOPA was slightly overblown but at least fundamentally valid. Here I see virtually no validity to the concerns, and any epsilon of valid concern that is present is so outweighed by hysteria that the net effect on civic discourse is negative, not positive.

Support organizations that aren't trying to play off your emotions.


Organizations ranging from Mozilla and the ACM, to the EFF and ACLU, to grassroots activist groups of the left and right didn't share your casual confidence in the reasonableness of 2012 CISPA.

http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...

Their analysis was that once a determination of a 'cyber threat' was made and shared, private communications and other data that would usually require stronger cause could (and probably would) then be handed over ('shared') on government request. The words "voluntary opt-in" are not reassuring, if it's a service provider opting-in customer data to law-enforcement, disregarding traditional expectations of privacy or even explicitly agreed terms.

When you say 2012 CISPA "remove[d] IP from a list of assets protected by the bill", they could only 'remove' it because the original draft had it in. And, that's the sort of insider-wishlist-item that can be re-added as the bill progresses, or perhaps even interpreted-back-in when the bill contains vague language.

The 2013 language includes in its definition of covered 'cybersecurity crimes': "a violation of any provision of title 18, United States Code, created or amended by the Computer Fraud and Abuse Act of 1986 (Public Law 99-474)."

That's the same CFAA as used in the recent prosecutions of Swartz and Auernheimer. It has the open-ended "exceeding authorized access" and "obtains anything of value" language that lets the violation of terms-of-service and unauthorized acquisition of commercially-valued copyrighted material become serious federal crimes.

Advocates of new security powers tend to portray their scope as small and reasonable, before passage, but then manage to find a more expansive interpretation, when it behooves them after passage. Because such bills keep changing and stretching, I tend to trust the EFF and ACLU, who will actually litigate cases under the enacted legal regime, about the bill's likely effects.


If people would actually read the text of the bill, they'd see two things:

(1) It's not perfect and needs fleshing out. I have a fear that since it doesn't really do anything but give FOIA and liability exceptions and push everything to the DNI, then it may not really go anywhere.

(2) It's nowhere near as bad as SOPA. CISPA is bad because it may not accomplish what it wants, but it doesn't deal with blocking, advertising & payment providers, subpoenas, or even directly with law enforcement. It's managed by the intel community, taking away the process from DOJ (Infragard) and DHS (US-CERT and USSS).


I respectfully disagree.

This is a surveillance bill packed with purposefully vague language, and I attended a Town Hall with House Intelligence supporters of the bill that defended the need for its vague language - while telling the room of engineers, founders, journalists and security professionals that it would help defend the US against China and that we need the bill to protect us from hackers that do infringement. They actually said this.

The room was flummoxed. But besides the fact that the people that created and support the bill can't explain the difference between an ISP and a server, I'd like to encourage you to look at what this bill does: allows Homeland Security to obtain all the data on an individual and intercept - and alter or stop - communications of anyone they suspect of "disrupting" a network. And no, there is no concrete definition of network. In addition, it looks tailor-made to go after individuals that publish security bugs or exploits as a means to get these issues addressed.

The bill is also designed to protect companies that play ball with Homeland Security, effectively undoing decades of privacy laws. There is nothing to protect individuals, consumers, or users.

This is a serious problem. There are dozens of alarming articles from respected media sources, plentiful online campaigns to stop CISPA, activism by the EFF and Center for Democracy and Technology, attacks on pro-CISPA companies by Anonymous, protests by the ACLU and Free Press - and 3/4 of a million people have signed a petition to stop it.

Techdirt is a good resource to get up to speed: http://www.techdirt.com/blog/?tag=cispa


Nah. It's bad. Here's a simple argument that covers just one part of the bill.

CISPA would give a safe harbor from other privacy rules to companies that share information with the government as long as that information is about "cyber threats". Now, let's say someone breaks into your database server and you're at a company with not-too-skilled IT people. The government shows up and says "hey, what can you tell us about the attack you experienced? PS - we'd be happy to analyze your data for you."

What do your IT people do? They say "screw it, we'll just send in all the logs we have and let the feds figure it out." And so they do that.

What if the law protects the information in those logs? What if the information is sensitive (like health or financial information) and is protected under a special privacy regime like HIPAA? Or what if the information is protected from disclosure by contract (like in a TOS/TOU document)? CISPA says that the disclosure is exempt from whatever sanctions/punishments would happen under those protection regimes because Cyber Threats Are Important (tm).

Disclosure: I am not a lawyer. Even after it's passed into law, only a court can decide exactly what the safe harbor in CISPA means.


This bill is nothing like SOPA and whoever is campaigning on this basis is doing a massive disservice to themselves because people can tell the difference.

CISPA is just a continuation of clear "wiretapping" landgrabs by the US Federal Government, in this case using the basis of "cybersecurity". The US government have been trying to do this for decades and they will almost certainly succeed, no matter the resistance.

What is new is that it seeks to indemnify specific third parties who wiretap or even hack on their behalf.

As for the current version of the bill (H.R.3523.RFS), apart from the obviously broad language, there is only one section, on the use of information, that I would be greatly concerned with if I were a US resident, Section 2.C.1 (specifically part A):

LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)--

`(A) for cybersecurity purposes;

`(B) for the investigation and prosecution of cybersecurity crimes;

`(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;

`(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or

`(E) to protect the national security of the United States.

What does "(A)" mean and why is it present when both "(B)" and "(E)" are already present? Without further highly specific legal binding, "for cybersecurity purposes" is far too broad an entry for the use at which the information may be put!
