Updated Thoughts on CISPA

Since I wrote my last post on CISPA a few weeks ago, a number of things have changed and my own opinion has evolved some as well. I still feel that the EFF’s interpretation was perpetuating a great amount of FUD, but that by itself doesn’t establish the merits of CISPA. There are many things to say about CISPA, but I thought I would share some random thoughts here:

The Quayle Amendment Changed Things

Whether this amendment is good or bad from a privacy perspective is debatable, but the question here is why the amendment was necessary at all, and why the vote was pushed forward right after it was included. In my opinion, this amendment alone is reason enough to hate this bill. I want to get that out first because, although I agree with the premise of the bill, the risks of passing it as it stands are just too great. I don’t agree with the FUD involved in fighting this bill, such as calling it the new SOPA, but I am always very wary of unintended consequences, and since a law is so much harder to undo than to pass, this must be approached with great caution.

How Much are they Spying Already?

I’m not saying they should pass this bill because they already spy on you; I am saying that if this is a big concern, we need to put more effort into laws that limit what they are already doing. Most companies already have intrusion detection and spam prevention systems in place to identify and log attacks and other unwanted threats to their networks. Much of this involves deep packet inspection and storing personal information about those who trigger alerts, including the many false alerts. There really aren’t many rules on what these companies can and cannot do with that information, and their terms of service open us all up to huge intrusions of privacy. We do need legislation that clearly defines a threat and clearly defines (and limits) what can be done with that information.

And then there’s the NSA. We can’t even imagine how much information they gather on every one of us. Really, that just needs to stop; I don’t remember any U.S. citizens getting a say in allowing it.

It appears that this law allows for better coordinated sharing of information, but the fact is we are already threatened with huge invasions of our privacy. If you can be called a customer, an employee, or a citizen, you can be spied on.

Terms of Service vs Law is a Big Distinction

One very important thing to remember is that a company spying on its users is often covered under its terms of service. You agree to allow that in exchange for using the service. Law enforcement agencies, however, are limited by law, which is much more restrictive. A law such as CISPA would let law enforcement shelter under the umbrella of those terms of service, which would greatly expand their access. While this is good in the sense that it would make certain evidence legally admissible in court, the potential for unintended consequences is huge.

We Need Buffers for Stretched Interpretations

We have already seen how easily law enforcement can stretch interpretations of laws or employ secret interpretations of them. As a parent I have learned that, as with children, you need to be very specific or law enforcement will go with the most permissive interpretation available. CISPA simply does not do this. Laws are difficult to reverse, so we must be very careful before allowing laws that have great potential for abuse.

Who Profits from CISPA?

Many have said that the RIAA and MPAA are clearly behind this bill, but I don’t buy that. I certainly hate everything about the RIAA, MPAA, and anything they back, but I just don’t see this bill benefiting them that much without greatly stretching the interpretation and exposing themselves to significant liability. I’m not saying that is out of the question; it just doesn’t seem to fit here.

Nevertheless, whenever Congress passes any bill nowadays I am always suspicious of who stands to profit. Yes, I am sure there are some sincere motivations here, but since when has a law been passed based on its sincerity?

Don’t Forget Who Makes the Decision, But Does it Matter?

I have seen a number of misleading articles state that CISPA would let the Government go trolling for information and take anything it wants in the name of cybersecurity. First of all, I think law enforcement already has enough power through the Patriot Act and other laws that it can already demand just about anything. More importantly, CISPA does not allow the Government to demand this information; it only allows companies to volunteer it.

Now, having said that, if the Government starts paying good money for that information, I’m sure most companies would be happy to volunteer anything law enforcement asks for.

Long is Bad but so is Short

One thing that always bothered me about the Patriot Act is how, in just a matter of days after September 11th, the Justice Department produced such a huge, sweeping bill. In fact, whenever I see any 100+ page bill introduced to Congress I get suspicious of how many lobbyists had their hand in it. Complexity is the best weapon special interests have for introducing loopholes that line their pockets, which is why seeing the short, simple CISPA was so refreshing and reassuring.

But as we have seen, being short has its problems too. Complexity introduces loopholes, but vagueness can be just as bad. One nice thing about CISPA is that it is probably much easier to fix a few pages of vagueness than to scale back a thousand pages of complexity.

There’s a Bigger Message

I think it is important to look past the words of the bill and see what the opposition here is really about. It’s not so much about who shares what and how; it is that the American people are getting tired of never-ending legislation that continually gives the Government more power and slowly erodes our right to privacy. Do we really even need this bill? Yes, there are some specific cases where it would be helpful, but we just don’t know how many more doors we are opening.

We are already tired of constantly hearing how law enforcement agencies are stretching and abusing current laws; do we really want to give them even more power? Will using the Internet become as personally intrusive as the security gates at an airport? Is there some greedy special interest involved here, paying off Congress to make itself even richer?

The fight against SOPA energized many of us and demonstrated that for once the people do have a voice and we are going to use it. Despite any legitimate benefits of CISPA, Congress is voting on a law that most people just don’t want.

Now there is something to agree with.

Did the EFF Get it Wrong on CISPA?

My first reaction on seeing the recent headlines about CISPA (HR 3523), like that of many others, was simply outrage at yet another attempt by the US government to open the doors to spying and censorship. In fact, we have seen so much of this lately, and with so many cries that this is worse than SOPA, that I didn’t even bother reading the bill.

Even the EFF came out with a statement against it and many other respectable organizations have subsequently chimed in and asked for support to block this.

But then someone pointed out to me that this bill really isn’t that bad. I spent a few minutes reading the short bill to prove them wrong, but in fact I was surprised to find that it is not as evil as everyone has made it out to be. Having worked in the security industry for so long, I can see how helpful this law could actually be. Let me explain where I think the EFF got it wrong.

Update: Many have interpreted this post as supporting CISPA, which I do not. I do agree with the premise of CISPA, but the point here is that fear, uncertainty, and doubt really have no place anywhere, and I would think the EFF would be above this. Here are some of my updated thoughts on CISPA.

The Free Pass

The EFF claims that this law gives “companies a free pass to monitor and collect communications, including huge amounts of personal data like your text messages and emails, and share that data with the government and anyone else.”

In fact, the law specifically says that an organization may, for cybersecurity purposes, identify and obtain information about threats to its own rights and property:

(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

The Cybersecurity Purpose

The EFF says that “vaguely-defined ‘cybersecurity threats'” could be used “as a shortcut to bypassing the law.” They go on to say that “Worst of all, the stated definition of “cybersecurity” is so broad, it leaves the door open to censor any speech that a company believes would ‘degrade the network.'”

So what is a cybersecurity purpose? I think the law defines that pretty clearly as well:

(4) CYBERSECURITY PURPOSE- The term `cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from–
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

So a cybersecurity purpose is protecting a network or system from a direct attack on the service or from theft of data from that network or system. I just don’t see this as broad, and it would certainly be a huge stretch for an organization to claim that speech degrades a network.

Intellectual Property

The EFF statement says that “The bill specifically mentions that cybersecurity can include protecting against the “theft or misappropriation of private or government information” including ‘intellectual property.’ Such sweeping language would give companies and the government new powers to monitor and censor communications for copyright infringement.”

As mentioned above, the law states that a cybersecurity purpose is to protect an organization’s systems or networks from an attack or theft of information, not to protect intellectual property in a general sense. So if someone breaks into a movie studio’s network to steal a movie, that would fall under this law, but there is nothing that grants the studio any rights beyond the scope of its own network.

Monitoring and Censoring

The EFF claims that under CISPA “a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats.”

But does it really allow this? The bill states that “the term `cyber threat information’ means information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity…” There is nothing here that allows companies to intercept emails and share them with everyone; the information must directly pertain to a vulnerability or threat, and it must have been gathered in the process of protecting their own network or systems.

There is also nothing that allows or even implies that an organization can modify or block information. This law only addresses the sharing of threats and says nothing about how an organization may deal with those threats.

So what about sharing information with the government? That is actually a good thing, because there can be some ambiguity around evidence, which I wrote about ten years ago. The ability for an organization to share information about an attack with law enforcement without the threat of being sued is a big step toward being able to prosecute attackers. Furthermore, the law allows organizations to choose how little information they share with the government in these cases.

Civil and Criminal Immunity

The EFF says that CISPA will “let companies spy on users and share private information with the federal government and other companies with near-total immunity from civil and criminal liability. It effectively creates a ‘cybersecurity’ exemption to all existing laws.”

This too is a stretch. Organizations will not automatically be immune for spying. The law states that the immunity applies if the organization is “acting in good faith” for the purpose of protecting itself, and reading and sharing everyone’s emails hardly qualifies as acting in good faith. Furthermore, the bill does put oversight in place to address privacy and civil liberty concerns.

So Did the EFF Get it Wrong?

When it came to SOPA I hated those who defended it, but in this case I think the EFF got it wrong. While I certainly cannot imagine all the consequences of this law, and some of its points surely could use clarification (such as explicitly saying this information cannot be used for anything other than addressing specific threats), I think the EFF is wrong on this and has created quite a bit of misguided anger. Yes, we need to protect our rights, but this is not the bill we should be freaking out over.

Don’t take my word for it, go read the short bill and see what you think.