Aletho News

ΑΛΗΘΩΣ

Supporters Say All The Wrong Things to Try and Pass CISPA

By Mark M. Jaycox | EFF | April 8, 2013

Ever since reintroducing CISPA, the so-called “cybersecurity bill,” its supporters promote the bill with craftily worded or just plain misleading claims. Such claims have been lobbed over and over again in op-eds, at hearings, and in press materials.  One “fact sheet” by Rep. Rogers and Ruppersberger titled “Myth v. Fact” is so dubious that we felt we had to comment.

Here are some of the statements supporters of CISPA are pushing and why they’re false:

Supporters of CISPA say, “There are no broad definitions”

Supporters are keen to note that the bill doesn’t have broad definitions. In the “Myth v. Fact” sheet, the authors of CISPA specifically point to the definition of “cyber threat information.” Cyber threat information is information about an online threat that companies can share with each other and with any government agency—including the NSA. In hearings, experts have said that they don’t need to share personally identifiable information to combat threats. But the definition in the bill allows for any information related to a perceived threat or vulnerability—including sensitive personal information—to be shared. Cyber threat information should be a narrowly defined term.

Another example of a broad (or missing) definition is the term “cybersecurity system.”  Companies can use a “cybersecurity system” to “identify or obtain” information about a potential threat (“cyber threat information”). The definition is critical to understanding the bill, but is circular.  CISPA defines a “cybersecurity system” as “a system designed or employed” for a cybersecurity purpose (i.e. to protect against vulnerabilities or threats). The language is not limited to network security software or intrusion detection systems, and is so broadly written that one wonders if a “system” involving a tangible item—e.g., locks on doors—could be considered a “cybersecurity system.”  In practical terms, it’s unclear what is exactly covered by such a “system,” because the word “system” is never defined.

The best example of a dangerous undefined term in the bill is found within the overly broad legal immunity for companies. The clause grants a company who acts in “good faith” immunity for “any decisions made” based off of the information it learns from the government or other companies. Does this cover decisions to violate other laws, like computer crime laws? Or privacy laws intended to protect users? Companies should not be given carte blanche immunity to violate long-standing computer crime and privacy law. And it is notoriously hard to prove that a company acted in bad faith, in the few circumstances where you would actually find out your privacy had been violated.

Supporters of CISPA say, “The bill is not a government surveillance program”

Supporters are adamant CISPA doesn’t create a wide-ranging “government surveillance program.” It’s true the bill doesn’t create such a surveillance program like the one described in the ongoing warrantless wiretapping lawsuits.

But the trick here is what is meant by “government surveillance.”  We think that if the bill aims at having our information flow to the government, it’s tantamount to government surveillance, whether or not the government initially collected the information.

The bill creates a loophole in the privacy laws that prevented companies from disclosing your information to the government and gives companies broad legal immunity for sharing information with the government. As a result, CISPA makes it more likely that companies will surveil their own users and then disclose that information.  The sly wording dodges the key issue: that CISPA encourages companies to conduct surveillance on their networks and hand “cyber threat information” to the government. In short, the bill encourages a de facto private spying regime, with the same end result.

Supporters of CISPA say, “The government can’t read your private email”

Reps. Rogers and Ruppersberger are adamant CISPA doesn’t grant the government access to read private emails. The claim was recently repeated by James Lewis, a fellow at the Center for Strategic and International Studies. But the broad definitions do allow for personal information to be gathered by companies and then sent to the government without any mandatory minimization of personal information. And under the vague definitions an aggressive company could claim that private messages are related to the threat, obtain them, and share then with the government.  If Reps. Rogers and Ruppersberger did want content of emails disclosed under CISPA, it would be easy enough to exclude them explicitly.

Supporters say, “CISPA follows advice from privacy and civil liberty advocates”

In his introduction of the bill, Rep. Rogers assured the audience that he has listened to the privacy and civil liberties community.

This year’s CISPA does contain some language added after privacy and civil liberties advocates complained in 2012.  But those changes didn’t address some big issues that were raised last year, and this year’s privacy and civil liberties complaints about CISPA remain unaddressed.

Let’s Stop CISPA

Reps. Rogers and Ruppersberger are on a strong publicity offensive to make sure the bill passes. The American public deserves full explanations and clear meanings about what CISPA can do and the extent to which it can do it. The public doesn’t need carefully worded messaging materials that obfuscate and mislead a discussion on CISPA. The issues at stake—like the broad legal immunity and new spying powers that allow for companies to collect private, and sensitive, user information—are too serious.

To stop this type of misinformation—and to stop CISPA—we urge you to tell your members of Congress to stand up for privacy.

Related articles

April 9, 2013 Posted by | Civil Liberties, Full Spectrum Dominance | , , , , , , , | Leave a comment

The Disturbing Privacy Dangers in CISPA

By Trevor Timm | EFF | April 15, 2012

This week, EFF – along with a host of other civil liberties groups – are protesting the dangerous new cybersecurity bill known as CISPA that will be voted on in the House on April 23. Here is everything you need to know about the bill and why we are protesting:

What is “CISPA”?

CISPA stands for The Cyber Intelligence Sharing and Protection Act, a cybersecurity bill written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill purports to allow companies and the federal government to share information to prevent or defend from cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws.  Because the bill is so hotly debated now, unofficial proposed amendments are also being circulated [link] and the actual bill language is in flux.

Under CISPA, can a private company read my emails?

Yes.  Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook.

Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications.  Communications service providers may only engage in reasonable monitoring that balances the providers’ needs to protect their rights and property with their subscribers’ right to privacy in their communications.  And these laws expressly allow lawsuits against companies that go too far.  CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability.  This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.

What would allow a company to read my emails?

CISPA has such an expansive definition of “cybersecurity threat information” that many ordinary activities could qualify. CISPA is not specific, but similar definitions in two Senate bills provide clues as to what these activities could be. Basic privacy practices that EFF recommends—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a “threat” under the Senate bills. As we have stated previously, the bills’ definitions “implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.”

A more detailed explanation about what could constitute a “cybersecurity purpose” or “cyber security threat indicator” in the various cybersecurity bills can be read here.

Under CISPA, can a company hand my communications over to the government without a warrant?

Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever as long is the communications have what the companies interpret to be “cyber threat information” in them. Once the government has your communications, they can read them too.

Under CISPA, what can I do if a company improperly hands over private information to the government?

Almost nothing. CISPA would affirmatively prevent users from suing a company if they hand over their private information to the government in virtually all cases. A broad immunity provision in the proposed amendments gives companies complete protection from user lawsuits unless information was given to the government:

(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probably that the harm of the act or omission will outweigh the benefit.

As Techdirt concluded, “no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.” This proposed immunity provision is actually worse than the prior version of the bill, under which companies could be sued if they acted in “bad faith.”

What government agencies can look at my private information?

Under CISPA, companies are directed to hand “cyber threat information” to the Department of Homeland Security (DHS). Once it’s in DHS’s hands, the bill says that DHS can then hand the information to other intelligence agencies, including the National Security Agency, at its discretion.

Can the government use my private information for other purposes besides “cybersecurity” once they have it?

Yes. When the bill was originally drafted, information could be used for all other law enforcement purposes besides “regulatory purposes.” A new amendment narrows this slightly. Now—even though the information was passed along to the government for only cybersecurity purposes—the government can use your personal information for either cybersecurity or national security investigations. And as long as it can be used for one of those purposes, it can be used for any other purpose as well.

Can the government use my private information to go after alleged copyright infringers and whistleblower websites?

Up until last Friday the answer was yes, and now it’s changed to maybe. In response to the overwhelming protest from the Internet community that this bill would become a backdoor for SOPA 2, the bill authors have proposed an amendment that rids the bill of any reference to “intellectual property.”

The bill previously defined “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” Now the text reads:

(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information

But it is important to remember that this proposed amendment is just that: proposed. The House has not voted it into the bill yet, so they still must follow through and remove it completely.

A more detailed explanation of how this provision could be used for copyright enforcement and censoring whistleblower sites like WikiLeaks can be read here.

What can I do to stop the government from misusing my private information?

CISPA does allow users to sue the government if they intentionally or willfully use their information for purposes other than what is described above.  But any such lawsuit will be difficult to bring.  For instance, the statute of limitations for such a lawsuit is two years from the date of the actual violation.  It’s not at all clear how an individual would know of such misuse if it were kept inside the government.

Moreover, suing the government where classified information or the “state secrets privilege” is involved is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit over Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the NSA—a likely recipient of “cyber threat information.” Despite six years of litigation, the government continues to maintain that the “state secrets” privilege prevents the lawsuit from being heard.

Given that DHS is notorious for classifying everything—even including their budget and number of employees—they may attempt to prevent users from finding out exactly how this information was ever used. And if the information is in the hands of the NSA and they claim “national security,” then it would get even harder.

In addition, while CISPA does mandate an Inspector General should issue a report to Congress over the government’s use of this information, its recommendations or remedies do not have to be followed.

Why are Facebook and other companies supporting this legislation?

Facebook and other companies have endorsed this legislation because they want to be able to receive information about network security threats from the government. This is a fine goal, but unfortunately CISPA would do far more than that—it would eviscerate existing privacy laws by allowing companies to voluntarily share users’ private information with the government.

Facebook released a statement Friday saying that they are concerned about users’ privacy rights and that the provision allowing them to hand user information to the government “is unrelated to the things we liked about HR 3523 in the first place.” As we explained in our analysis of Facebook’s response: the “stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.” Read more about why Facebook should withdraw support from CISPA until privacy safeguards are in place here.

What can I do to stop this bill?

It’s vital that concerned Internet users tell Congress to stop this bill. Use EFF’s action center to send an email to your Congress member urging them to oppose this bill.

Related articles

April 16, 2012 Posted by | Civil Liberties, Full Spectrum Dominance | , , , , , , | 4 Comments