CISPA, Boom, Bah
The big news last week was the House of Representatives passing the Cyber Intelligence Sharing and Protection Act (CISPA), while the Obama administration threatened a veto. If the veto threat holds up it would be another big victory for digital freedom. With bills like SOPA/PIPA and ACTA as well as opposition to net neutrality, the fight for digital freedom is becoming harder and harder. Four years ago I based my votes in large part on where candidates stood on health care. I think in the near future the most important fight may be against the loss of rights online.

Now, CISPA was actually much worse up until recently. Before, it defined a cyber threat as:
(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
As Techdirt points out, the second part of the definition has been narrowed to:
(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information
I’m actually slightly heartened by that. As it was before, part (B) would have obviously been used to fight copyright violations rather than national security. Now it looks like the bill’s supporters have been forced to remove this backdoor and focus on attacks on networks, which more closely resemble “cyber threats”.

Still, I have my doubts. As Tim Berners-Lee notes, the bill overrides all previous privacy laws and immunizes corporations from lawsuits resulting from sharing. Lee has a better idea:
But rather than trying to identify which specific privacy laws hamper cyber-security efforts and reforming them, Rep. Rogers took the easy way out. His legislation provides that companies are authorized to share "cyber threat information" with other private companies or the government "notwithstanding any other provision of law." That appears to mean that if a company decides that your private emails, your browsing history, your health care records, or any other information would be helpful in dealing with a "cyber threat," the company can ignore laws that would otherwise limit its disclosure. The legislation also immunizes firms who share "cyber threat information" from customer lawsuits.

Earlier this week, the bill's sponsors circulated a revised version of the bill, but it suffers from most of the same problems that plagued the original version. The new version does feature a more precise definition of "cybersecurity," which focuses on unauthorized network access. But it doesn't provide any meaningful limits on what kinds of materials can be regarded as "cybersecurity"-related, nor does it provide for any judicial oversight to ensure the definition is adhered to.

The "notwithstanding" approach to cybersecurity is fundamentally flawed because it's almost impossible to predict which parts of US law might be effectively changed by the new law, or to prevent unintended consequences from unduly broad sharing. It would be far better for Congress to figure out which specific privacy laws (if any) prevent effective network security responses and explicitly reform those provisions.
Much like the Patriot Act, instead of identifying the specific reasons a crime was able to be committed, this law tries to cover everything. “See something, do everything” is what I like to call it. It’s a cover-your-ass mentality at best. At worst it's a sneaky way to give law enforcement more power than it needs. Speaking of the Patriot Act, that law is basically why I don’t trust this law.

As you can see with this graph of sneak-and-peek warrants, some of the Patriot Act's major provisions aren’t being used correctly and/or weren’t needed at all.

[Graph: sneak-and-peek warrants]

The same goes for National Security Letters:

[Image: National Security Letters]

The major problem is the lack of judicial oversight and the deterioration of due process. Law enforcement is getting more power, which is bad enough in and of itself. Worse though is that agencies like the FBI are having to show less and less probable cause, a major reason the American system of justice is, even with all of its problems, one of the most fair and effective in the world. And as you can see with the national security letters, it’s important for law enforcement to show cause, because otherwise they’re just snooping on people for no pertinent reason other than to monitor them. Close to 200,000 NSLs with only one terrorism conviction indicates that a lot of NSLs were not needed. But now that information has been collected and there are no provisions that law enforcement divest itself of it.

You can bet this will continue with CISPA. Corporations aren’t required to share information with the government, but it will be pretty easy for law enforcement agencies to compel them to with threats of investigations into anti-trust, labor law, or environmental violations. It probably won’t take that much given the history. Tim Berners-Lee reminds us of the warrantless wiretapping that telecoms helped the government with, and were retroactively immunized against:
A better analogy is the 2008 FISA Amendment Act, which granted major telecommunications incumbents retroactive immunity for their participation in warrantless wiretapping and eliminated judicial oversight for a broad category of government surveillance. CISPA is likely to further erode the already weak legal restraints on government surveillance of Americans, and there's no meaningful judicial oversight of information shared under the "cyber threat" program.
This is a scary time for freedom in America. More and more of our lives will be lived online this century, but at the same time more and more restrictions are being placed on our rights while we act in the digital world. A lot of people like to bring up “the Founders” when arguing about new legislation (I don’t), so I would ask those same people, what would “the Founders” say about the erosion of the 4th Amendment in the digital world? I see no reason why those protections shouldn’t exist there.
 