According to this site, CISPA would "end" online privacy; it urges you to send letters to Congress saying "this bill would have given federal agencies unlimited access to virtually any of my personal data and online communication-- without a warrant."
But of course, CISPA does nothing of the sort. It is:
* An opt-in measure that can't be forced on a private company by the government
* Restricted to "cyber threat information", a term carefully (relative to any other online legislation) defined to apply only to attacks on the confidentiality/integrity/availability of systems and applications
* Specifically restricted from applying to Aaron Swartz-style ToS violations, or, for that matter, to intellectual property misappropriation
* Written to exclude "individuals" from "protected entities" to avoid any reading that would permit ISPs to use it to hand over records for individual targeted customers
And, while it exempts private companies from suits for good-faith attack data sharing (that is the point of the measure), it deliberately makes the government liable for any damages from misuse of shared information.
As Declan McCullagh pointed out in another thread here recently, private companies operate under a bewildering stack of regulations that make it legally dicey to share even innocuous data during attacks. In addition to ECPA and SCA, the two omnibus federal electronic privacy laws, there are a number of domain-specific laws ranging from HIPAA for medical privacy to DPPA for drivers records. Companies who handle protected data currently either don't share attack data, or incur legal risks when they do, or incur legal expenses when they have their sharing practices reviewed.
CISPA is a straightforward (and short) bill that attempts to remedy that problem. I don't support it (I don't think it will do much to help), but it's not evil, and organizations that try to fundraise off the idea that it is are playing games with your attention.
That it's technically 'opt in' doesn't matter much if it biases the incentives for bulk sharing. Agencies can say: "Share anything potentially cyber-crime-related with us, companies, and you'll get blanket immunity, for not just the sharing but all 'decisions' made from the info we give you." Zero risk from sharing, and possibly wind up on law enforcement's 'shit list' for withholding? That makes wide sharing the only thinkable option for risk-minimizing companies.
The terms "cyber threat" and "cybersecurity crime" are very expansively defined in the bill text previously referenced (http://www.govtrack.us/congress/bills/112/hr3523/text). It looks to me like every federal crime where a computer is involved is covered, including unauthorized acquisition of copyrighted material. The lawyers at the EFF and elsewhere also seem to think CISPA will be usable in intellectual property investigations and prosecutions. What's your reference that it's not?
The Swartz prosecution wasn't about mere ToS-violations and it's disingenuous of you to suggest that. ToS violations aren't even mentioned in the original Swartz indictment (http://web.mit.edu/bitbucket/Swartz,%20Aaron%20Indictment.pd...). Swartz's actions, and Auernheimer's, were prosecuted under the CFAA, and the CFAA is specifically named in the CISPA bill text as one of the definitional sources for applicable 'cybersecurity crimes'.
You're giving an awful lot of weight to what prosecutors and law-enforcement say this bill will do. But they tend to downplay new powers when they're being discussed, and then expansively interpret them after passage (and until yanked back by the courts). That's why the EFF and ACLU -- expert organizations who actually fight court cases under this sort of vague language -- should be trusted on matters of practical effects once passed.
And given how bills can expand through amendments to include law enforcement wishlist items at any time, the suggestion that this bill needs no well-funded opposition makes it more likely it will grow into something even worse, via amendment or expansive interpretation. The warnings from privacy advocates that you're criticizing, on the other hand, help make sure CISPA will fail or be better-limited through the amendment process.
(B) EXCLUSION - Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
Why does 2013 CISPA have this proviso and the original draft bill not? Because the intention of CISPA is not to harass people for downloading Photoshop, but rather to give enterprises tools for dealing with botnets. But it's hard to learn that from sites like the one we're commenting on, which go out of their way to lie and say that CISPA is an anti-piracy bill.
This proviso doesn't mention intellectual property, so I'm still wondering what basis you have for the claim that CISPA is now "specifically restricted from applying… to intellectual property misappropriation".
This proviso wouldn't have helped Swartz (13 count indictment: 2 counts 'Wire Fraud' to obtain valuables; 5 counts 'Computer Fraud' to obtain unauthorized computer access and valuables; 5 counts 'Unlawfully Obtaining Information from a Protected Computer'; 1 count 'Recklessly Damaging a Protected Computer'). It wouldn't have helped Auernheimer (2 count indictment: 'Conspiracy to Access a Computer without Authorization', and 'Fraud in Connection with Personal Information').
Scanning this EXCLUSION verbiage, it's hard to imagine cases where there are "efforts to gain unauthorized access" but it's an act that "solely involve[s] violations of consumer terms of service", and yet still does not "otherwise constitute unauthorized access". It's almost self-contradictory, with that last 'otherwise' clause ruling most things back in. Law enforcement can allege in 'good faith', during the CISPA information-sharing that happens before court proceedings, that almost any anomalous traffic pattern is (or is working up towards) "unauthorized access". So send the feds all the suspicious maybe-cybersecurity-crime logs, it's the low-risk path.
I suppose this exclusion might theoretically help someone who maybe used 'curl' to access a website when the 'consumer terms of service' said only a desktop browser is allowed. But then if this curl-user went so far as to change the User-Agent to do this? That's now Computer/Wire Fraud – to circumvent the technical (not ToS) access protections. So send the feds all the related logs, just to be safe.
Similarly, say a user tampers with cookies to exceed a technically-enforced (but unmentioned in the ToS) 10-article-quota. That seems to still "otherwise constitute unauthorized access" beyond any ToS violation. So send the feds all the related logs, it's only prudent.
>This proviso wouldn't have helped Swartz (13 count indictment: 2 counts 'Wire Fraud' to obtain valuables; 5 counts 'Computer Fraud' to obtain unauthorized computer access and valuables; 5 counts 'Unlawfully Obtaining Information from a Protected Computer'; 1 count 'Recklessly Damaging a Protected Computer'). It wouldn't have helped Auernheimer (2 count indictment: 'Conspiracy to Access a Computer without Authorization', and 'Fraud in Connection with Personal Information').
Of course not. That's covered by the CFAA. The purpose of this bill is to get an information pipeline for cyber attacks on American companies or infrastructure. You cannot be charged with a "CISPA violation".
It was tptacek who touted CISPA as "specifically restricted from applying to Aaron Swartz-style ToS violations". That claim is false -- CISPA could and would be used to hoover up evidence that leads to Swartz-style Computer Fraud and Abuse Act prosecutions. So no citizen will be charged for a 'CISPA violation'... but they might be arrested, searched, or convicted based on data hoovered-up via CISPA.
(And here, 'hoover' refers to both the vacuum cleaner and the abusive 20th-century FBI director.)
CISPA would not authorize JSTOR to share information about a user exceeding the bounds of MIT's licensing agreement with the site. It says so explicitly. There was no need for it to say that; nobody was clamoring for CISPA to make abuse investigations harder. But it does, because the bill is not about TOS violations and they wanted to be clear. I do not understand why you're pretending that it isn't clear about this.
Huh? JSTOR, and MIT, and law enforcement thought -- and indeed the DoJ spent over a year prosecuting the idea -- that a CFAA 'cybersecurity crime' had been committed. Such alleged crimes are specifically what CISPA covers.
None of the 13 counts the DoJ charged (http://www.wired.com/images_blogs/threatlevel/2012/09/swartz...) relied on any "consumer terms of service" or "consumer license agreement" violation, so the exception you've quoted is irrelevant. (Also, there's no chance law enforcement would be advancing your strict short-leash interpretation of that exception, in actual practice. They'd try for an expansive idea of what 'cybersecurity crimes' are happening, and wait for the courts to maybe later snap them back. That amounts in most cases to a 'free look', because those whose information is 'shared' will usually never know unless prosecuted.)
Of course, even without CISPA, these parties were able to share information just fine. And if say law enforcement had wanted other Boston ISPs or cellular networks to reveal if they'd ever seen any similar traffic, CISPA would have allowed them to assert a 'good faith' interest in investigating an ongoing CFAA 'cybersecurity crime', and request more potential evidence from usage logs and customer accounts. All through immunized 'sharing', rather than formal subpoenas.
You've made the claim: "[CISPA is] specifically restricted from applying to Aaron Swartz-style ToS violations, or, for that matter, to intellectual property misappropriation".
As documented above, the Swartz case wasn't about ToS violations, so CISPA would be used to collect evidence against alleged future Swartz-like activities.
And I've asked for where CISPA specifically excludes IP crimes; you've not provided any reference to related bill text or expert interpretation. Maybe it exists; you haven't provided it when requested. Where did you get that idea?
Until I see that, forgive me for not accepting your repetitive assertions about what CISPA is really "about", when the available bill text and trusted legal experts suggest otherwise.
tptacek: Thanks for the call-out in this thread! To continue our (I think) polite disagreement from before, I think your description is accurate in specifics but doesn't address the broader privacy and surveillance landscape. Remember the debate five years ago over retroactive immunity for the telecommunications companies that opened their networks to the NSA in violation of the law?
By overriding every federal and state law on the books -- the wildcard approach -- CISPA encourages this kind of broad data hoovering for cybersecurity purposes. Defenders of CISPA claim "cybersecurity" purposes is narrowly defined; reasonable people may disagree. And I have yet to hear a good reason why a wildcard approach is necessary, when even CRS raises questions about unintended consequences.
That said, I agree that some advocacy groups may overstate the privacy concerns about CISPA. I think the charitable interpretation is that they're overly eager or misinformed, not that they're trying to profit off of misinformation. People do this sort of advocacy work out of their hearts, not because they're trying to get rich.* I extend the same charitable explanation to CISPA's drafters.
* That's why people become entrepreneurs and try to get into YC! :)
If not the wildcard approach, then what is the acceptable alternative? This is my biggest problem with the opposition to CISPA--they jumped straight to "kill the bill". The cynical take on that is that "do or die" campaigns are easier, more fun, and more lucrative to nonprofits than nuanced policy proposals.
There's nothing wrong with saying: "If this bill is bad, let's kill it." The proponents are free to fix it and try again.
To answer your question more directly, if privacy law $i or $j or $k interferes with information sharing, then let's identify those privacy laws and have a discussion about how to amend them to allow information sharing in the case of an ACTUAL cyberattack. As anyone who's made a mistake with /bin/rm knows, wildcards can be dangerous and have unintended consequences. I haven't seen this argument answered directly, and I'd like to read a thoughtful response.
It just seems to me that if "kill the bill" is the sole entirety of the message, then there is no way to move forward on the issue. Your 2nd paragraph makes a lot of sense, but as far as I know has not been offered or endorsed by any of the opposition groups. If I'm wrong please let me know.
It is interesting that you think it's a better idea to revisit and reweigh the privacy decisions of every privacy bill that could interfere with attack data sharing, so that we can relitigate the sensitivity of driver's records or patient health information, rather than simply crafting a measure that says "leave intact every privacy regulation on the books, don't crack open laws that settled policy disputes about privacy years or decades ago, and instead just do the commonsense thing and let IT people at companies share Netflow and botnet information."
I think there are multiple points in the "CISPAISBACK.ORG" site that are misleading, and from what I understand of the bill (having read multiple drafts and also survived approximately 900 different HN debates on it), the infographic at the bottom of the page that purports to explain the bill language is in some ways directly false:
* The bill does not cover "intellectual property"
* The bill does not pertain to Photoshop and Nickelback albums
* The bill does not give you no legal recourse if your information is abused; you can sue the government, under liability established explicitly in CISPA
* The bill has nothing whatsoever to do with the objectives of SOPA
Reading the bill it does seem like the purpose of the bill is less about private companies sharing any old information with government agencies and more about making it easier for businesses to share information with government agencies when they have been victims of "cyberattacks".
Also, this section does suggest that the bill is not about making it easier for the government to request information about specific people:
(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--
(A) require a private-sector entity to share information with the Federal Government;
But I am not a lawyer, so am not an expert at interpreting such things.
If this is being misrepresented by the people over at The Internet Defence League, it would be very disappointing. I don't like spin and I don't like being manipulated.
I do, actually, think that are organizations like the IDL and the EFF are misrepresenting this for attention, as it will ostensibly boost their donations.
To be fair, I also think this is the nature of the beast, and almost all advocacy groups do exactly this. I just think these groups, in this specific case, are doing it rather... severely, due to the tendency of the Internet community to react so viscerally towards any legislation that's in any way related to the Internet. When the government uses the word 'cyber' in their legislation proposals, Internet people tend to get nervous.
They're playing on a lot of very legitimate fears that Washington doesn't understand the Internet and seeks to cause harm to its openness. Fears which I hold, to be clear, but not fears which are warranted in this particular case.
They'd gain back a lot of my respect if they prominently focused on the bill's text rather than summaries without citations, and offered explicit amendments which would satisfy their issues. Of course the problem with this is that a great deal of what they're saying isn't citable (it's hard to cite factually dubious statements), and their complaints about the bill are nebulous and nonspecific, so I understand why their rhetoric is not focused on the bill's content (examples of this "the content of the bill doesn't matter, it's the precedent" argument can even be found in this very thread).
I'm sorry, but do you honestly believe that the specific provisions of this bill matter? Do you honestly believe that whatever it says won't be stretched to justify the most invasive and overbearing applications? The corporations under discussion here--whatever leeway they may have to opt-in or opt-out--are the same enlightened creatures who have (for example) interpreted the DMCA in all of our best interests.
This is not about CISPA. This is about drilling the message into Congress that we don't need any new regulation of the Internet--or any expansion of the post-9/11 surveillance regime, period--no matter how well-intentioned.
If the terms of this bill don't matter, then neither do the ones in ECPA and SCA, and we can all stop pretending like any of these bills matter and just let the content industry pass SOPA while they're at it.
>An opt-in measure that can't be forced on a private company by the government
Allowing companies to "opt-in" to sharing data currently prohibited from being shared by privacy laws could still be something we shouldn't like. Especially if it doesn't restrict what they can do with it after they've shared it.
>Restricted to "cyber threat information", a term carefully (relative to any other online legislation) defined to apply only to attacks on the confidentiality/integrity/availability of systems and applications
This the actual definition from the bill FWIW:
‘(A) IN GENERAL- The term ‘cyber threat information’ means information directly pertaining to--
‘(i) a vulnerability of a system or network of a government or private entity;
‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or
‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.
>* Specifically restricted from applying to Aaron Swartz-style ToS violations, or, for that matter, to intellectual property misappropriation
This is the remainder of the definition:
‘(B) EXCLUSION- Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
I don't see anything about intellectual property. I think what you're referring to is that intellectual property in the early drafts was explicitly included and was removed. But I don't see anywhere it's explicitly excluded and EFF seems to think the replacement wording could still be read to cover it in various cases. 
>* Written to exclude "individuals" from "protected entities" to avoid any reading that would permit ISPs to use it to hand over records for individual targeted customers
If that was the intention then they did a pretty crappy job, because if you're a "protected entity" then sharing requires your "express consent" and qualifies you for the immunity provision if you share information or make "decisions" based on it, and I don't see anything prohibiting the sharing of information on individuals who aren't protected entities.
There is a list of categories of information in (c)(4) that can't be used, but it's ridiculously inadequate and in any event only applies to the federal government.
>As Declan McCullagh pointed out in another thread here recently, private companies operate under a bewildering stack of regulations that make it legally dicey to share even innocuous data during attacks.
I think this is probably true, and perhaps warrants some kind of a response. But this bill as written looks to me like a minefield of unintended consequences.
First, let's be clear about the debate. I am not saying that it's unreasonable to oppose CISPA. My beef is with organizations who are dishonest about what the bill contains.
So, for instance, when it comes to "intellectual property" enforcement, an issue brought up directly by the site we're commenting on, IPR protection was removed from the 2012 CISPA bill before it was voted on. The term "intellectual property" occurs in the (incorrect) callout of the bill text on this site.
Next, as regards the definition of "cyber threat information", I'll only say again: this is a narrower, more specific definition of online security threats than in any other piece of online security legislation I've ever read. The intent of that language seems straightforward to me. And the explicit exemption of consumer terms of service and licensing is unprecedented, which makes it all the more jarring to see the bill compared to SOPA.
Regarding the "protected entities" and "individuals", should this issue come before a court, the court won't have to look far to see the intent of the language, since the House Select Committee on Intelligence published a FAQ that states directly that the intent of that language is to prevent ISPs from sharing information about one of its individual customers.
If you want to lay out a comprehensive case against CISPA, or even a few selected valid ones, I'd welcome the input. I'm afraid we don't have much good critique of the bill to work from. I know I sound like a CISPA booster, but I'm not; I'm a "not getting played by interest groups" booster.
>as regards the definition of "cyber threat information", I'll only say again: this is a narrower, more specific definition of online security threats than in any other piece of online security legislation I've ever read.
I don't think the definition is particularly abominable. The issue is that given the level of immunity provided if something is classified as "cyber threat information," there is going to be a huge incentive to shovel the whole wide world into those words, so anything that even resembles breadth is going to be abused. For example, if you should provide "cyber threat information" constituting all of the traffic that passes over your network to someone so that they can monitor it for threats of the kind envisioned by the statute (or whatever), there you go. And now they have it and can do what you please with it, not limited to the original purpose.
>Regarding the "protected entities" and "individuals", should this issue come before a court, the court won't have to look far to see the intent of the language, since the House Select Committee on Intelligence published a FAQ that states directly that the intent of that language is to prevent ISPs from sharing information about one of its individual customers.
Legislative history generally isn't binding on courts. They can look at it if they want, but if you want something to be in the law, put it in the bill.
>I know I sound like a CISPA booster, but I'm not; I'm a "not getting played by interest groups" booster.
You and me both.
It's really kind of sad actually. You have all these people with good intentions and bad facts, who are wrong on the details but mostly right on the big picture, running around discrediting themselves and everyone who agrees with them by spreading misinformation. WTF.
First, thanks for this post, which helped bring me down from righteous indignation to just righteous anger. However, I'd like to have a few things clarified. I'm not worried about IP anymore, or RIAA influence on this, but I am concerned with privacy implications. You seem to claim the definition of "information" is narrow, but I would disagree given the language in the bill:
> or any information stored on, processed on, or transiting such a system or network
This would imply the following:
a) Any system that is "attacked" (under the slightly broad definition provided) may share ALL of its data. This means everything I've done on that website, including both logs and content. Given that an entity like Facebook is "attacked" multiple times per day, now the government can obtain all of my data without a warrant.
b) Any network that has been "attacked" (under broad definition) may be wiretapped without a warrant and all information transmitted to the government.
What language in the bill will reasonably limit these two scenarios? Given the progress of our government in reducing individual liberty over the past 12 years, can you not see potential danger in the existing language? My warning bells are going off, because it seems like an underhanded way to strengthen provisions that allow my "secure papers" to be obtained without warrant.
(ii) says this: a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
It's the last half of this I'm most concerned with.
Here's what dismays me about this. We killed it once. It's back again. Let's say it's bad and we want to kill it, and we succeed again.
What's to say it won't come back again? How long do we have to keep doing this dance? Even if it is worth killing every time, will our attention spans be long enough to keep fighting it every single time for the decades that may still come?
A complete answer to this question is really nothing less than a comprehensive study of the entire field of political science. The reality is that you have two choices: you either defer your right of governance to someone else and just stop caring, or you will never be free of this.
No victory is eternal. There is no such thing as victory.
In a sense, this is actually why it keeps coming up. The reality of governance is such an immense expanse of tedium that a great many people buckle under it and try to imagine themselves as heroes or rebels or old wise men. They go looking for enemies where there are none and make them up to fight, making meaning where none was needed before.
In any case, the answer to your question is, "Until you're dead, and someone else will have to keep it up after that."
It is the common fate of the indolent to see their rights become a prey to the active. The condition upon which God hath given liberty to man is eternal vigilance; which condition if he break, servitude is at once the consequence of his crime and the punishment of his guilt.
The new (shortened) "version" is somewhat more pithy, and far more easy to distribute. So maybe someone other that Curran deserves some of the credit.
I wrote "unknown" as the quote is often mis/attributed to Thomas Jefferson, but the evidence is not strong here.
I actually think that it's a pretty good characteristic of the US government that unpopular proposed laws have to be re-proposed rather than rammed through without any debate or legislative process by some sort of dictatorship.
I went ahead and signed the petition.
The comments I've read so far seem pretty thoughtful both pro and con.
And for the most part, the US government acts in good faith.
BUT, on occasion we find ourselves looking pretty foolish when we believe uncritically what a government says (Iraq war) or horrified at what seems to be gratuitous heavy-handedness on the government's part (Swartz.)
And despite what former Secretary Clinton would like you to believe, there is no reset button on government legitimacy. Like an individual's reputation, it takes years to restore what was eroded in hours.
And while cyber attacks seem to represent a threat best countered by an organization that commands resources on a national scale, can we really trust them to do the right thing?
Hell, they put a PFC in a position to disseminate State Department messages. Anyone who's done a stint in the Army knows not to put a PFC in charge of anything except maybe a trigger, and even then under the guidance of an NCO.
I forward the hypothesis that the government has more interest in tracking (untaxed) financial transactions than thwarting cyber attacks.
The government's ability to fund itself has come to rely heavily on the Fed buying US debt, which some might call "printing money".
The longer that continues, the less credible the US dollar becomes in world finance.
The only thing keeping the dollar afloat is the rather poor state of the euro and yen, and the world's reluctance to trust China or Russia.
So the US is going fishing for sources of loot.
If the hypothesis is true, CISPA might be a godsend to Joe Six-Pack, or at least better than what's happening in Cyprus.
But in the end I think we'll get CISPA and Cyprus.
Received this message from the Internet Defence League a short while ago:
Dear Internet Defense League member,
Last year, right on the heels of our historic victory against SOPA, a piece of really nasty legislation almost passed that would have radically undermined online privacy.
It was called CISPA. And it raced through the US House of Representatives, passing before any of us had a chance to react. We stalled the bill in the Senate, but now CISPA is back, and we don't want to make the same mistake twice. Before there is any movement on the bill, we want to send a strong message to Congress that CISPA shouldn't pass.
That's why we're partnering with the Electronic Frontier Foundation to launch an Internet Defense League action starting tomorrow, Tuesday March 19th.
And help get more people signed up by sharing this page with your social network.
Wait, what is CISPA? And why does it matter so much?
CISPA (the Cyber Intelligence Sharing and Protection Act) would give companies complete freedom to share your personal data with the US government. It doesn't require them to do so, but if the government asked it would be hard to say no, and they'd have no reason to-- CISPA would free them from any promises made to customers in public statements or privacy policies.
Your emails, your Facebook account, your bank statements, the websites you visit, your real-time location (courtesy of your cellphone company)-- all of it could soon belong to a slew of government agencies and even local police, who could use it against you without a warrant.
1.) I have never needed or sought your permission.
2.) If an "Internet Defense League" member wished--with your permission, of course--to read the text of the bill he's been asked to oppose and promote opposition to, this email offers no assistance. In polite terms, I think this is an oversight.