My first reaction on seeing the recent headlines about CISPA (HR 3523), like that of many others, was simple outrage at yet another attempt by the US government to open the doors to spying and censorship. We have seen so much of this lately, and with so many cries that this is worse than SOPA, that I didn’t even bother reading the bill.

Even the EFF came out with a statement against it, and many other respectable organizations have subsequently chimed in and asked for support to block it.

But then someone pointed out to me that this bill really isn’t that bad. I spent a few minutes reading the short bill to prove them wrong, but I was surprised to find that it is not as evil as everyone has made it out to be. In fact, having worked in the security industry for so long, I can see how helpful this law could actually be. Let me explain where I think the EFF got it wrong.

Update: Many have interpreted this post as supporting CISPA, which I do not. I do agree with the premise of CISPA, but the point here is that fear, uncertainty, and doubt really have no place anywhere and I would think that the EFF would be above this. Here are some of my updated thoughts on CISPA.

The Free Pass

The EFF claims that this law gives “companies a free pass to monitor and collect communications, including huge amounts of personal data like your text messages and emails, and share that data with the government and anyone else.”

In fact, the law specifically says that an organization may, for cybersecurity purposes, identify and obtain information about threats to its own rights and property:

(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

The Cybersecurity Purpose

The EFF says that “vaguely-defined ‘cybersecurity threats’” could be used “as a shortcut to bypassing the law.” They go on to say that “Worst of all, the stated definition of ‘cybersecurity’ is so broad, it leaves the door open to censor any speech that a company believes would ‘degrade the network.’”

So what is a cybersecurity purpose? I think the law defines that pretty clearly as well:

(4) CYBERSECURITY PURPOSE- The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from–
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

So a cybersecurity purpose is protecting a network or system from a direct attack on the service, or from theft of data from that network or system. I just don’t see this as broad, and it would certainly be a huge stretch for an organization to say that speech degrades a network.

Intellectual Property

The EFF statement says that “The bill specifically mentions that cybersecurity can include protecting against the ‘theft or misappropriation of private or government information’ including ‘intellectual property.’ Such sweeping language would give companies and the government new powers to monitor and censor communications for copyright infringement.”

As mentioned above, the law states that a cybersecurity purpose is to protect an organization’s systems or networks from an attack or theft of information, not protecting intellectual property in a general sense. So if someone is breaking into a movie studio’s network to steal a movie, that would fall under this law, but there is nothing that grants the studio any rights beyond the scope of its own network.

Monitoring and Censoring

The EFF claims that under CISPA “a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats.”

But does it really allow this? The bill states that “the term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity…” There is nothing here that allows companies to intercept emails and share them with everyone; the information must directly pertain to a vulnerability or threat, and it must have been gathered in the process of protecting their own network or systems.

There is also nothing that allows, or even implies, that an organization can modify or block communications. This law only addresses the sharing of threat information and says nothing about how an organization may deal with those threats.

So what about sharing information with the government? That is actually a good thing, because there can be some ambiguity around evidence in these cases, something I wrote about ten years ago. The ability of an organization to share information about an attack with law enforcement without the threat of being sued is a big step toward being able to prosecute attackers. Furthermore, the law allows organizations to choose how little information they share with the government in these cases.

Civil and Criminal Immunity

The EFF says that CISPA will “let companies spy on users and share private information with the federal government and other companies with near-total immunity from civil and criminal liability. It effectively creates a ‘cybersecurity’ exemption to all existing laws.”

This too is a stretch. Organizations will not automatically be immune if they spy. The law states that the immunity applies if the organization is “acting in good faith” for the purpose of protecting itself, and reading and sharing everyone’s emails hardly qualifies as acting in good faith. Furthermore, the bill does put oversight in place to address privacy and civil liberty concerns.


So Did the EFF Get it Wrong?

When it came to SOPA I hated those who defended it, but in this case I think the EFF got it wrong. I certainly cannot imagine all the consequences of this law, and some of its points surely could use clarification (such as explicitly saying this information cannot be used for anything other than addressing specific threats), but the EFF is wrong on this and has created quite a bit of misguided anger. Yes, we need to protect our rights, but this is not the bill we should be freaking out over.

Don’t take my word for it, go read the short bill and see what you think.
