The things people are saying in this thread and the things you read about the CISPA bill in various news blogs are very alarming. So alarming that I actually went and found the text of the original CISPA bill (as it was presented to the Senate, so including all amendments made in the House), read through it entirely, then read through all of the amendments that were made and the transcribed discussions around them. Then I read up on numerous interpretations of what the bill would cause or allow to happen. Then I read through the entire bill again.
Personally I think the intention behind this bill is actually positive. I don't think this is an attempt by the government to invade anyone's personal life, to track and monitor the average American's internet activity, to crack down on the freedom of the internet, control the internet, or any number of the other doomsday cries you see all over the place. The intent really does seem to be to allow a legal avenue in which companies can, within boundaries, share specific information with other companies or with the federal government, for the express purpose of improving their information and network security.
This is not to say the bill is perfect. A few things I take issue with (note that the below is based on my interpretation and understanding of the bill, which is by no means guaranteed to be accurate, and I am not an expert on law by any stretch of the imagination):
1. There doesn't seem to be any wording in the bill to indicate that a company participating in this new form of information sharing has any legal responsibility to notify their employees or customers (or even make the information publicly available in any way shape or form). Maybe this is covered unintentionally under other laws, I don't know, but I would want it explicitly stated.
2. The following sections are probably what I am most uncomfortable with:
(c) FEDERAL GOVERNMENT USE OF INFORMATION.

(1) LIMITATION. The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)

(A) for cybersecurity purposes;
(B) for the investigation and prosecution of cybersecurity crimes;
(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or
(E) to protect the national security of the United States.

(2) AFFIRMATIVE SEARCH RESTRICTION. The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1)(B).
I struggle to understand how information related to personal bodily harm or child pornography would ever even be captured as part of 'cyber threat information'. The only thing that is being legally protected for sharing is 'cyber threat information', which is given a fairly strict definition in the bill, and I just don't see how a system built to identify 'cyber threat information' as it is defined would ever include the sort of information referred to in sections (C) and (D) above.
I can understand that this may be in here for 'just-in-case' purposes, that should the fed government ever come across such a threat in the process of analyzing data received from a company under the protection provided in this bill, then they at least have the legal authority to act on it (and it's important to remember here that we are talking about information that a private sector company willingly handed over to the federal government as part of a mutual agreement, not information that was coerced or that the government collected itself). It also helps that they include an 'affirmative search restriction' clause, effectively saying they are not allowed to intentionally search the data that is shared with them for evidence of any activities not specified in section (B) above (and 'cybersecurity crimes' is also fairly strictly defined for those who haven't read the bill).
It still does not sit right with me, though; it seems to be the one thing in this bill that really opens the door for potential abuse and future expansion of power beyond what is needed.
3. The 'exemption from liability' clause for private sector companies that want to participate in this is far too broad. I understand that for any company to buy into this, they must have a reasonable expectation that they are protected under the law to share certain information and not be taken to court for anything and everything. But this is too open to interpretation. Companies still need to be held accountable for protecting the data they share (while in their possession and during transfer), and for taking all possible steps (within reason) to ensure that the entities they are sharing this data with are reliable and can also be expected to protect and not misuse that data (backed up by legally binding contracts, ideally).
There also needs to be an honest and concerted effort on the part of the information provider to ensure they are only sharing data that is relevant to the definition of 'cyber threat information', and if not they need to be able to be held accountable for that. For example, I can't think of a single reason that someone's personal email would be a valid candidate for 'cyber threat information', and if some company decided to start sending people's email out under this guise of 'cyber threat information', then regardless of whether it was intended for malicious purposes or not, there should be repercussions.
4. Government liability and oversight. While the government liability clause is stricter than for the companies sharing the information, it does not seem to allow a person to sue for simple negligence in the disclosure, use, or protection of the information they receive, which has become fairly common these days. Ignorance and laziness are not an excuse for mishandling sensitive data, and the government doesn't get a free pass.
There is also not a lot of oversight built into the process. While the rules themselves do a reasonably good job of stating what the government is allowed to do with the data that is shared with them, the only explicitly stated oversight is a yearly report to 'congressional intelligence committees'. Given the nature of what we're talking about here, I don't think this is enough.
5. It might be worth considering requiring companies that want to be considered 'cybersecurity providers' under the provisions of this bill to meet some sort of standard or be designated by the government as such. I don't think this is necessarily required, but it would go a long way towards shoring up some of the potential for abuse.
6. I'd like to see a strict data retention policy spelled out within the bill. As far as I can tell there is nothing in it at the moment that requires them to ever dispose of the data. I'm not sure exactly how long I'd be comfortable with, but it shouldn't be passed until there is some guarantee that the government can't just sit on all of that data forever; it doesn't further the stated goals of the bill in any way, and can only lead to bad things.
Well, that's what I have for now. I'm sure I've missed some things. Anyways, the nature of the amendments that were pushed through gives me some hope that this bill has a chance of getting to where it needs to be. The new version that is being presented to the House is not yet publicly available (I couldn't find it at least; if it's out there I'd appreciate a link), but some reports are saying it's basically the same as when it died in the Senate. I guess we'll know soon enough.
Now for some quotes from this thread. I'm really bad at imagining the loopholes and backdoors that are sometimes built into laws, so forgive me if I need some things spelled out in plain English.
What it does is give more power to them and less power to us. All under the guise of more security.
This order will make America a safer place to raise your children.
What power do you see being taken away from you as a result of this bill? Please use references to the actual bill as support if possible.
Yet again the Internet is under attack by copyright extremism.
I'm not an expert but I don't recall seeing anything in this bill that is even remotely related to copyright violations. I'd like to know if I'm missing something though (entirely possible), so if it is in there could you please direct me to those sections.
I don't know if it adds or removes any protections to do the same for private entities handling your information, but I'm not sure there was a layer of protection involved in the previous version.
Private entities are given what seems to be a free pass as long as they are 'acting in good faith' when they screw up. I'd really like a definition of 'acting in good faith' present in the bill, and then a chance to dispute it, before I would support the bill being passed.
But I wouldn't approve this bill's passing if it continues to include the anti-piracy measures. They are far too broad, and could be far too damaging with little interpretation of individual situations based on over-exaggerated results derived from flawed calculations.
I don't recall seeing anything about anti-piracy in the amended version from May 2012.
It is basically legalizing what they are already doing... That is... logging pretty much all internet traffic, especially emails.
I'm not sure how this bill could be construed to be legalizing the logging of all internet traffic. This bill does not actually expand the government's ability to do anything on the internet, let alone log activity. It is opening up a voluntary legal avenue for private sector companies to share only the information they want to with the government (and only certain information is allowed to be shared; Anandtech can't just decide to send out the entire history of every post on this forum, for example). The government then has a fairly limited set of legally acceptable activities it can do with that data.
If you disagree, please support your position with references to the actual bill if possible.