Skip navigation

 CISPA:  While You Were Sleeping…

While the American People were watching Washington’s grand Production of MARTIAL LAW: BOSTON, The U.S. House of Representatives passed CISPA. CISPA negates the privacy agreements made by Internet Providers and Internet Services and encourages the sharing of your private information to Uncle Sam. In addition due process is removed allowing the Feds to shut down sites without a warrant, as well as violate the privacy of your inbox, Facebook, twitter, other social media, and cloud storage accounts.

None of this will make the Internet Safer…it only empowers the US government to persecute dissenters and censor opinions it does not agree with.

The EFF on CISPA
https://www.eff.org/cybersecurity

CISPA purports to allow companies and the federal government to “share” threat information for a “cybersecurity” purpose—to protect and defend against attacks against computer systems and networks. But the bill is written broadly enough to permit your communications service providers to identify, obtain, and share your emails and text messages with the government. While business leaders have conceded that they do not need to share personally identifying information to combat computer threats, the bill provides an exception to existing law designed to protect your personal information.

The newly granted powers are intended to thwart computer security threats against a company’s rights and property. But the definitions are broad and vague. The terms allow purposes such as guarding against “improper” information modification and ensuring “timely” access to information, functions that are not necessarily tied to attacks.

Once handed over, the government is able to use this information for investigating crimes that are unrelated to the underlying security threat and, more broadly, for “national security” purposes, which is a poorly defined term that includes “threats to the United States, its people, property, or interests” and “any other matter bearing on United States national or homeland security.”

The bill’s vague definitions like “cybersecurity purpose” and “cybersecurity system” also raise the frightening possibility of a company using aggressive countermeasures. If a company wants to combat a threat, it is empowered to use “cybersecurity systems” to identify and obtain “cyber threat information.” But the bill does not define exactly how far a company can go, leaving it open to the possibility of abuse.

Companies would also be immune from both civil and criminal liability for any action, including but not limited to violating a user’s privacy, as long as the company used the powers granted by CISPA in “good faith.” The immunity even extends to “decisions made based on” any information “directly pertaining” to a security threat. The consequences of such a clause are far-reaching.

While our Government declared Martial Law, locking down an entire 90 Mile Square radius of a Metropolitan Area, CISPA was quietly passed. CISPA, a bill so unpopular that its previous incarnations failed EVERY TIME they came up for debate, was passed in total while we watched our government drag Home owners out of their own homes at gunpoint, while looking for ONE MAN. CISPA is the Patriot Act of the Internet, it is no different than the Martial Law in Boston, they are one and the same.

CISPA Questions

Under CISPA, what can a private company do?

Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company, and then share that information with third parties, including the government, so long as it is for “cybersecurity purposes.” Whenever these prerequisites are met, CISPA is written broadly enough to permit your communications service providers to share your emails and text messages with the government, or your cloud storage company could share your stored files.

Right now, well-established laws like the Cable Communications Policy Act, the Wiretap Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act provide judicial oversight and other privacy protections that prevent companies from unnecessarily sharing your private information, including the content of your emails.

And these laws expressly allow lawsuits against companies that go too far in divulging your private information. CISPA threatens these protections by declaring that key provisions in CISPA are effective “notwithstanding any other law,” a phrase that essentially means CISPA would override the relevant provisions in all other laws—including privacy laws. CISPA also creates a broad immunity for companies against both civil and criminal liability. CISPA provides more legal cover for companies to share large swaths of potentially personal and private information with the government.

Does CISPA do enough to prevent abuse of the law for copyright enforcement?

No. Early versions of CISPA included language that specifically mentioned intellectual property, but that was taken out after significant outcry from the Internet community that the language could be used as a copyright enforcement bill similar to SOPA. (Great job, Internet community!)

CISPA’s definition of “cyber threat information” includes information directly pertaining to a threat to “confidentiality.” But what does confidentiality mean? The definition encompasses measures designed for preserving “authorized restrictions on access,” including means for protecting “proprietary information.” “Proprietary information” is not defined, and could be read to include copyrighted information. For example, one type of restriction on access that is designed to protect proprietary information is digital rights management (DRM).

Legitimate security researchers have routinely bypassed restrictions on proprietary information in order to research and publish information pertaining to vulnerabilities. Vulnerability research should not be considered a cyber threat, and the movie and music industry should not be given immunity for “decisions based on” this information, good faith or not.

What triggers these new corporate powers?

CISPA allows a company to obtain and share “cyber threat information” if it has both a “cybersecurity purpose” and believes it is protecting its rights and property.

A “cybersecurity purpose” only means that a company has to think that a user is trying to harm its network. What does that mean, exactly? The definition is broad and vague. The definition allows purposes such as guarding against “improper” information modification, ensuring “timely” access to information or “preserving authorized restrictions on access…protecting…proprietary information” (i.e. DRM).

Under CISPA, what can I do if a company improperly hands over private information to the government?

Almost nothing. Even if the company violates your privacy beyond what CISPA would permit, the government does not have to notify the user whose information was improperly handed over—the government only notifies the company.

CISPA provides legal immunity to a company for many actions done to or with your private information, as long as the company acted in “good faith.” This is an extremely powerful immunity, because it is quite hard to show that a company did not act in good faith. These liability protections can cover actions the company uses to identify and obtain threat information and the subsequent sharing of that information with others—including the government. The immunity also covers “decisions made based on cyber threat information,” a dangerously vague provision that has never been defined.

Do companies need to share users’ personally identifying information (PII) to enhance information security?

No. At a recent hearing on CISPA, Governor John Engler, President of the Business Roundtable, and Paul Smocer, President of BITS, the technology policy division of the financial industry group called the Financial Services Roundtable, testified in support of the bill. Smocer admitted that “there is very little private data, PII, being exchanged today in the threat information world,” and that it would “not be an issue” to remove personally identifiable information before sharing. CISPA, however, authorizes sharing PII, and leaves redaction to the companies’ discretion.

The most useful threat information that should be shared includes previously unknown software and network vulnerabilities, malware signatures, and other technical characteristics that identify an attack or its methodology—all of which can be shared without PII. If companies need to share an email, such as a phishing email message, existing exceptions allow the recipient to divulge the information; there is no need for the blanket authority in CISPA. Mandiant’s recent report on Chinese hacking is just one of many instances where companies have shared a great deal of useful threat information without authority beyond what is granted to them by current law.

Can a company hack a perceived threat under CISPA (“hack back”)?

CISPA provides companies with immunity “for decisions made based on cyber threat information” as long as they are acting in good faith.  But CISPA doesn’t define “decisions made.” Aggressive companies could interpret this immunity to cover “defensive”—and what some would consider offensive—countermeasures like DDOSing suspected intruders, third parties, or even innocent users. Private defense contractors have already advocated for this power. These actions should not be allowed by such expansive wording. It leaves the bill ripe for abuse.

What is a “cybersecurity system”?

The bill’s definition of “cybersecurity system” is circular. It defines a “cybersecurity system” as “a system designed or employed” to protect against, among others, vulnerabilities or threats. The language is not limited to network security software or intrusion detection systems, and is so poorly written that any “system” involving a tangible item could be considered a “cybersecurity system.”

In practical terms, it’s unclear what is exactly covered by such a “system.” Does it include port-scanning or other basic defensive software tools or could it mean more aggressive offensive countermeasures? The drafters of this legislation leave it unclear whether the term “cybersecurity system” is trying to refer to a computer, a network of computers, security software, or something else entirely.

This definition is critical to understanding the bill. The information that a company can “identify or obtain” is limited by the term, which, in turn, limits what the company can share with the government. The definition is yet another reason why CISPA is dangerously vague.

What government agencies can look at my private information?

Under CISPA, companies can hand “cyber threat information” to any government agency with or without limitations on what agency can receive the information. Generally, the information will be given to a central hub in the Department of Homeland Security (DHS). But once it’s in DHS’s hands, the bill says that DHS can then hand the information to other agencies, including the National Security Agency.

Can the government use my private information for other purposes besides “cybersecurity” once it has it?

Yes. Even though the information was passed along to the government for only “cybersecurity purposes”—the government can use your personal information for cybersecurity, investigating any cybersecurity crime or criminal exploitation of minor, protecting individuals from death or serious physical injury, or protecting the national security of the United States. Under the National Security Act, which CISPA amends, national security interests can include:

(i) threats to the United States, its people, property, or interests;

(ii) the development, proliferation, or use of weapons of mass destruction; or

(iii) any other matter bearing on United States national or homeland security.

This broad definition gives the government too much power to use private information without safeguards.

What can I do to stop the government from misusing my private information?

CISPA does allow users to sue the government if it intentionally or willfully uses or retains their information for purposes other than what is permitted by the law. But any such lawsuit will be difficult to bring because it’s not at all clear how an individual would know of such misuse. An individual could not even use transparency laws, like FOIA, to find out, because the information shared is exempt from disclosure.

Isn’t it important to protect computer systems and networks?

Absolutely. Strong information security is critical to privacy and civil liberties, and can protect users and companies from the activities of malicious actors, be they authoritarian regimes or common criminals. Everyday, millions of ordinary users rely upon the information security of software vendors and online service providers to keep their personal information private and secure, to conduct transactions, and to express their ideas and beliefs.

CISPA, however, only addresses a small piece of the information security puzzle: sharing threat information. It does nothing to, for example, encourage stronger passphrases, promote two-factor authentication, or educate users on detecting and avoiding social engineering attacks, which is the cause of a majority of attacks on corporations. CISPA also does not address promoting more security research, more responsible disclosure or faster patches to known vulnerabilities, nor fixing the troublesome Certificate Authority system.

Who Voted FOR CISPA?
http://clerk.house.gov/evs/2013/roll117.xml

Aderholt
Alexander
Amodei
Bachus
Barber
Barletta
Barr
Barrow (GA)
Barton
Beatty
Benishek
Bera (CA)
Bilirakis
Bishop (GA)
Bishop (NY)
Black
Bonner
Boustany
Brady (TX)
Brooks (AL)
Brooks (IN)
Brown (FL)
Brownley (CA)
Buchanan
Bucshon
Burgess
Bustos
Butterfield
Calvert
Camp
Campbell
Cantor
Capito
Cárdenas
Carney
Carter
Cassidy
Castor (FL)
Chabot
Chaffetz
Clarke
Clay
Cleaver
Clyburn
Coble
Coffman
Cole
Collins (GA)
Collins (NY)
Conaway
Connolly
Cook
Cooper
Costa
Cotton
Cramer
Crawford
Crenshaw
Cuellar
Culberson
Daines
Denham
Dent
DesJarlais
Deutch
Diaz-Balart
Dingell
Duckworth
Duffy
Duncan (TN)
Ellmers
Enyart
Farenthold
Fincher
Fitzpatrick
Fleischmann
Flores
Forbes
Fortenberry
Foster
Foxx
Frankel (FL)
Franks (AZ)
Frelinghuysen
Fudge
Gallego
Garamendi
Garcia
Gardner
Gerlach
Gibbs
Gingrey (GA)
Goodlatte
Gowdy
Granger
Graves (GA)
Graves (MO)
Green, Al
Green, Gene
Griffin (AR)
Griffith (VA)
Grimm
Guthrie
Gutierrez
Hanabusa
Hanna
Harper
Harris
Hartzler
Hastings (FL)
Hastings (WA)
Heck (NV)
Heck (WA)
Hensarling
Higgins
Himes
Horsford
Hoyer
Hudson
Huizenga (MI)
Hultgren
Hunter
Hurt
Israel
Issa
Jeffries
Jenkins
Johnson (OH)
Johnson, E. B.
Johnson, Sam
Jordan
Joyce
Kaptur
Kelly (IL)
Kelly (PA)
Kilmer
Kind
King (IA)
King (NY)
Kinzinger (IL)
Kirkpatrick
Kline
Kuster
LaMalfa
Lamborn
Lance
Langevin
Lankford
Larsen (WA)
Latham
Latta
Lipinski
LoBiondo
Long
Lucas
Luetkemeyer
Lujan Grisham (NM)
Luján, Ben Ray (NM)
Lummis
Maffei
Maloney, Sean
Marino
Matheson
McCarthy (CA)
McCarthy (NY)
McCaul
McHenry
McIntyre
McKeon
McKinley
McMorris Rodgers
Meehan
Meeks
Meng
Messer
Mica
Miller (FL)
Miller (MI)
Moran
Mullin
Mulvaney
Murphy (FL)
Murphy (PA)
Neugebauer
Noem
Nunes
Nunnelee
Olson
Owens
Palazzo
Pastor (AZ)
Paulsen
Payne
Pearce
Perlmutter
Perry
Peters (CA)
Peterson
Petri
Pittenger
Pitts
Poe (TX)
Pompeo
Price (GA)
Quigley
Radel
Rahall
Rangel
Reed
Reichert
Renacci
Ribble
Rice (SC)
Richmond
Roby
Roe (TN)
Rogers (AL)
Rogers (KY)
Rogers (MI)
Rokita
Rooney
Ros-Lehtinen
Roskam
Ross
Rothfus
Royce
Ruiz
Runyan
Ruppersberger
Ryan (WI)
Salmon
Sanchez, Loretta
Scalise
Schneider
Schock
Schrader
Schwartz
Schweikert
Scott, Austin
Scott, David
Sessions
Sewell (AL)
Shuster
Simpson
Sinema
Sires
Smith (NE)
Smith (NJ)
Smith (TX)
Smith (WA)
Southerland
Stewart
Stivers
Stutzman
Swalwell (CA)
Terry
Thompson (CA)
Thompson (MS)
Thompson (PA)
Thornberry
Tiberi
Tipton
Titus
Turner
Upton
Valadao
Vargas
Veasey
Vela
Wagner
Walberg
Walden
Walorski
Weber (TX)
Webster (FL)
Wenstrup
Westmoreland
Whitfield
Williams
Wilson (SC)
Wittman
Wolf
Womack
Woodall
Yoder
Young (AK)
Young (FL)
Young (IN)

I know this particular piece is not my best work, but it IS important information and also my lunch break.

Stand Up, Speak Out, and Talk HARD!!!

-Prometheus Unchained
04/22/2013

https://prometheusunchainedus.wordpress.com
prometheus@prometheusunchained.us

Advertisements

One Comment

  1. Well, I’m living in MA, and the martial law you speak of wasn’t really how you described.

    That being said, I agree completely that CISPA is bad and needs to be stopped. I especially like the list of reps you provided who voted for this bill!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: