But of course, CISPA does nothing of the sort. It is:
* An opt-in measure that can't be forced on a private company by the government
* Restricted to "cyber threat information", a term carefully (relative to any other online legislation) defined to apply only to attacks on the confidentiality/integrity/availability of systems and applications
* Specifically restricted from applying to Aaron Swartz-style ToS violations, or, for that matter, to intellectual property misappropriation
* Written to exclude "individuals" from "protected entities" to avoid any reading that would permit ISPs to use it to hand over records for individual targeted customers
And, while it exempts private companies from suits for good-faith attack data sharing (that is the point of the measure), it deliberately makes the government liable for any damages from misuse of shared information.
As Declan McCullagh pointed out in another thread here recently, private companies operate under a bewildering stack of regulations that make it legally dicey to share even innocuous data during attacks. In addition to ECPA and SCA, the two omnibus federal electronic privacy laws, there are a number of domain-specific laws ranging from HIPAA for medical privacy to DPPA for drivers records. Companies who handle protected data currently either don't share attack data, or incur legal risks when they do, or incur legal expenses when they have their sharing practices reviewed.
CISPA is a straightforward (and short) bill that attempts to remedy that problem. I don't support it (I don't think it will do much to help), but it's not evil, and organizations that try to fundraise off the idea that it is are playing games with your attention.
The terms "cyber threat" and "cybersecurity crime" are very expansively defined in the bill text previously referenced (http://www.govtrack.us/congress/bills/112/hr3523/text). It looks to me like every federal crime where a computer is involved is covered, including unauthorized acquisition of copyrighted material. The lawyers at the EFF and elsewhere also seem to think CISPA will be usable in intellectual property investigations and prosecutions. What's your reference that it's not?
The Swartz prosecution wasn't about mere ToS-violations and it's disingenuous of you to suggest that. ToS violations aren't even mentioned in the original Swartz indictment (http://web.mit.edu/bitbucket/Swartz,%20Aaron%20Indictment.pd...). Swartz's actions, and Auernheimer's, were prosecuted under the CFAA, and the CFAA is specifically named in the CISPA bill text as one of the definitional sources for applicable 'cybersecurity crimes'.
You're giving an awful lot of weight to what prosecutors and law-enforcement say this bill will do. But they tend to downplay new powers when they're being discussed, and then expansively interpret them after passage (and until yanked back by the courts). That's why the EFF and ACLU -- expert organizations who actually fight court cases under this sort of vague language -- should be trusted on matters of practical effects once passed.
And given how bills can expand through amendments to include law enforcement wishlist items at any time, the suggestion that this bill needs no well-funded opposition makes it more likely it will grow into something even worse, via amendment or expansive interpretation. The warnings from privacy advocates that you're criticizing, on the other hand, help make sure CISPA will fail or be better-limited through the amendment process.
Why does 2013 CISPA have this proviso and the original draft bill not? Because the intention of CISPA is not to harass people for downloading Photoshop, but rather to give enterprises tools for dealing with botnets. But it's hard to learn that from sites like the one we're commenting on, which go out of their way to lie and say that CISPA is an anti-piracy bill.
This proviso wouldn't have helped Swartz (13 count indictment: 2 counts 'Wire Fraud' to obtain valuables; 5 counts 'Computer Fraud' to obtain unauthorized computer access and valuables; 5 counts 'Unlawfully Obtaining Information from a Protected Computer'; 1 count 'Recklessly Damaging a Protected Computer'). It wouldn't have helped Auernheimer (2 count indictment: 'Conspiracy to Access a Computer without Authorization', and 'Fraud in Connection with Personal Information').
Scanning this EXCLUSION verbiage, it's hard to imagine cases where there are "efforts to gain unauthorized access" but it's an act that "solely involve[s] violations of consumer terms of service", and yet still does not "otherwise constitute unauthorized access". It's almost self-contradictory, with that last 'otherwise' clause ruling most things back in. Law enforcement can allege in 'good faith', during the CISPA information-sharing that happens before court proceedings, that almost any anomalous traffic pattern is (or is working up towards) "unauthorized access". So send the feds all the suspicious maybe-cybersecurity-crime logs, it's the low-risk path.
I suppose this exclusion might theoretically help someone who maybe used 'curl' to access a website when the 'consumer terms of service' said only a desktop browser is allowed. But then if this curl-user went so far as to change the User-Agent to do this? That's now Computer/Wire Fraud – to circumvent the technical (not ToS) access protections. So send the feds all the related logs, just to be safe.
Similarly, say a user tampers with cookies to exceed a technically-enforced (but unmentioned in the ToS) 10-article-quota. That seems to still "otherwise constitute unauthorized access" beyond any ToS violation. So send the feds all the related logs, it's only prudent.
This isn't a very reassuring 'EXCLUSION'.
Of course not. That's covered by the CFAA. The purpose of this bill is to get an information pipeline for cyber attacks on American companies or infrastructure. You cannot be charged with a "CISPA violation".
(And here, 'hoover' refers to both the vacuum cleaner and the abusive 20th-century FBI director.)
None of the 13 counts the DoJ charged (http://www.wired.com/images_blogs/threatlevel/2012/09/swartz...) relied on any "consumer terms of service" or "consumer license agreement" violation, so the exception you've quoted is irrelevant. (Also, there's no chance law enforcement would be advancing your strict short-leash interpretation of that exception, in actual practice. They'd try for an expansive idea of what 'cybersecurity crimes' are happening, and wait for the courts to maybe later snap them back. That amounts in most cases to a 'free look', because those whose information is 'shared' will usually never know unless prosecuted.)
Of course, even without CISPA, these parties were able to share information just fine. And if say law enforcement had wanted other Boston ISPs or cellular networks to reveal if they'd ever seen any similar traffic, CISPA would have allowed them to assert a 'good faith' interest in investigating an ongoing CFAA 'cybersecurity crime', and request more potential evidence from usage logs and customer accounts. All through immunized 'sharing', rather than formal subpoenas.
You've made the claim: "[CISPA is] specifically restricted from applying to Aaron Swartz-style ToS violations, or, for that matter, to intellectual property misappropriation".
As documented above, the Swartz case wasn't about ToS violations, so CISPA would be used to collect evidence against alleged future Swartz-like activities.
And I've asked for where CISPA specifically excludes IP crimes; you've not provided any reference to related bill text or expert interpretation. Maybe it exists; you haven't provided it when requested. Where did you get that idea?
Until I see that, forgive me for not accepting your repetitive assertions about what CISPA is really "about", when the available bill text and trusted legal experts suggest otherwise.
By overriding every federal and state law on the books -- the wildcard approach -- CISPA encourages this kind of broad data hoovering for cybersecurity purposes. Defenders of CISPA claim "cybersecurity" purposes is narrowly defined; reasonable people may disagree. And I have yet to hear a good reason why a wildcard approach is necessary, when even CRS raises questions about unintended consequences.
Also the recent EO accomplishes a lot in terms of info-sharing, and it's worth reading:
That said, I agree that some advocacy groups may overstate the privacy concerns about CISPA. I think the charitable interpretation is that they're overly eager or misinformed, not that they're trying to profit off of misinformation. People do this sort of advocacy work out of their hearts, not because they're trying to get rich.* I extend the same charitable explanation to CISPA's drafters.
* That's why people become entrepreneurs and try to get into YC! :)
edit: FAQ link: http://news.cnet.com/8301-31921_3-57422693-281/how-cispa-wou...
To answer your question more directly, if privacy law $i or $j or $k interferes with information sharing, then let's identify those privacy laws and have a discussion about how to amend them to allow information sharing in the case of an ACTUAL cyberattack. As anyone who's made a mistake with /bin/rm knows, wildcards can be dangerous and have unintended consequences. I haven't seen this argument answered directly, and I'd like to read a thoughtful response.
Are you saying that the Internet Defense League (http://internetdefenseleague.org/) is deliberately misrepresenting this issue? (not trolling, honest question)
* The bill does not cover "intellectual property"
* The bill does not pertain to Photoshop and Nickelback albums
* The bill does not give you no legal recourse if your information is abused; you can sue the government, under liability established explicitly in CISPA
* The bill has nothing whatsoever to do with the objectives of SOPA
Also, this section does suggest that the bill is not about making it easier for the government to request information about specific people:
(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--
(A) require a private-sector entity to share information with the Federal Government;
But I am not a lawyer, so am not an expert at interpreting such things.
If this is being misrepresented by the people over at the Internet Defense League, it would be very disappointing. I don't like spin and I don't like being manipulated.
To be fair, I also think this is the nature of the beast, and almost all advocacy groups do exactly this. I just think these groups, in this specific case, are doing it rather... severely, due to the tendency of the Internet community to react so viscerally towards any legislation that's in any way related to the Internet. When the government uses the word 'cyber' in their legislation proposals, Internet people tend to get nervous.
They're playing on a lot of very legitimate fears that Washington doesn't understand the Internet and seeks to cause harm to its openness. Fears which I hold, to be clear, but not fears which are warranted in this particular case.
They'd gain back a lot of my respect if they prominently focused on the bill's text rather than summaries without citations, and offered explicit amendments which would satisfy their issues. Of course the problem with this is that a great deal of what they're saying isn't citable (it's hard to cite factually dubious statements), and their complaints about the bill are nebulous and nonspecific, so I understand why their rhetoric is not focused on the bill's content (examples of this "the content of the bill doesn't matter, it's the precedent" argument can even be found in this very thread).
This is not about CISPA. This is about drilling the message into Congress that we don't need any new regulation of the Internet--or any expansion of the post-9/11 surveillance regime, period--no matter how well-intentioned.
>An opt-in measure that can't be forced on a private company by the government
Allowing companies to "opt-in" to sharing data currently prohibited from being shared by privacy laws could still be something we shouldn't like. Especially if it doesn't restrict what they can do with it after they've shared it.
>Restricted to "cyber threat information", a term carefully (relative to any other online legislation) defined to apply only to attacks on the confidentiality/integrity/availability of systems and applications
This is the actual definition from the bill FWIW:
‘(A) IN GENERAL- The term ‘cyber threat information’ means information directly pertaining to--
‘(i) a vulnerability of a system or network of a government or private entity;
‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or
‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.
>* Specifically restricted from applying to Aaron Swartz-style ToS violations, or, for that matter, to intellectual property misappropriation
This is the remainder of the definition:
‘(B) EXCLUSION- Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
>* Written to exclude "individuals" from "protected entities" to avoid any reading that would permit ISPs to use it to hand over records for individual targeted customers
If that was the intention then they did a pretty crappy job, because if you're a "protected entity" then sharing requires your "express consent" and qualifies you for the immunity provision if you share information or make "decisions" based on it, and I don't see anything prohibiting the sharing of information on individuals who aren't protected entities.
There is a list of categories of information in (c)(4) that can't be used, but it's ridiculously inadequate and in any event only applies to the federal government.
>As Declan McCullagh pointed out in another thread here recently, private companies operate under a bewildering stack of regulations that make it legally dicey to share even innocuous data during attacks.
I think this is probably true, and perhaps warrants some kind of a response. But this bill as written looks to me like a minefield of unintended consequences.
So, for instance, when it comes to "intellectual property" enforcement, an issue brought up directly by the site we're commenting on, IPR protection was removed from the 2012 CISPA bill before it was voted on. The term "intellectual property" occurs in the (incorrect) callout of the bill text on this site.
Next, as regards the definition of "cyber threat information", I'll only say again: this is a narrower, more specific definition of online security threats than in any other piece of online security legislation I've ever read. The intent of that language seems straightforward to me. And the explicit exemption of consumer terms of service and licensing is unprecedented, which makes it all the more jarring to see the bill compared to SOPA.
Regarding the "protected entities" and "individuals", should this issue come before a court, the court won't have to look far to see the intent of the language, since the House Select Committee on Intelligence published a FAQ that states directly that the intent of that language is to prevent ISPs from sharing information about one of its individual customers.
If you want to lay out a comprehensive case against CISPA, or even a few selected valid ones, I'd welcome the input. I'm afraid we don't have much good critique of the bill to work from. I know I sound like a CISPA booster, but I'm not; I'm a "not getting played by interest groups" booster.
I don't think the definition is particularly abominable. The issue is that given the level of immunity provided if something is classified as "cyber threat information," there is going to be a huge incentive to shovel the whole wide world into those words, so anything that even resembles breadth is going to be abused. For example, if you should provide "cyber threat information" constituting all of the traffic that passes over your network to someone so that they can monitor it for threats of the kind envisioned by the statute (or whatever), there you go. And now they have it and can do what they please with it, not limited to the original purpose.
>Regarding the "protected entities" and "individuals", should this issue come before a court, the court won't have to look far to see the intent of the language, since the House Select Committee on Intelligence published a FAQ that states directly that the intent of that language is to prevent ISPs from sharing information about one of its individual customers.
Legislative history generally isn't binding on courts. They can look at it if they want, but if you want something to be in the law, put it in the bill.
>I know I sound like a CISPA booster, but I'm not; I'm a "not getting played by interest groups" booster.
You and me both.
It's really kind of sad actually. You have all these people with good intentions and bad facts, who are wrong on the details but mostly right on the big picture, running around discrediting themselves and everyone who agrees with them by spreading misinformation. WTF.
> or any information stored on, processed on, or transiting such a system or network
This would imply the following:
a) Any system that is "attacked" (under the slightly broad definition provided) may share ALL of its data. This means everything I've done on that website, including both logs and content. Given that an entity like Facebook is "attacked" multiple times per day, now the government can obtain all of my data without a warrant.
b) Any network that has been "attacked" (under broad definition) may be wiretapped without a warrant and all information transmitted to the government.
What language in the bill will reasonably limit these two scenarios? Given the progress of our government in reducing individual liberty over the past 12 years, can you not see potential danger in the existing language? My warning bells are going off, because it seems like an underhanded way to strengthen provisions that allow my "secure papers" to be obtained without warrant.
* DIRECTLY PERTAINING TO
(i) a vulnerability
(ii) a threat to integrity, confidentiality, availability
(iii) efforts to deny access, degrade, disrupt, destroy
(iv) efforts to gain unauthorized access
(All this subject to the "Exclusion", detailed upthread, of ToS violations).
It's the last half of this I'm most concerned with.
What's to say it won't come back again? How long do we have to keep doing this dance? Even if it is worth killing every time, will our attention spans be long enough to keep fighting it every single time for the decades that may still come?
No victory is eternal. There is no such thing as victory.
In a sense, this is actually why it keeps coming up. The reality of governance is such an immense expanse of tedium that a great many people buckle under it and try to imagine themselves as heroes or rebels or old wise men. They go looking for enemies where there are none and make them up to fight, making meaning where none was needed before.
In any case, the answer to your question is, "Until you're dead, and someone else will have to keep it up after that."
More like a TL;DR version of it :-)
The full quote from John Philpot Curran is:
It is the common fate of the indolent to see their rights become a prey to the active. The condition upon which God hath given liberty to man is eternal vigilance; which condition if he break, servitude is at once the consequence of his crime and the punishment of his guilt.
The new (shortened) "version" is somewhat more pithy, and far easier to distribute. So maybe someone other than Curran deserves some of the credit.
I wrote "unknown" as the quote is often mis/attributed to Thomas Jefferson, but the evidence is not strong here.
But meanwhile, now, let's do something positive and try to avert that bill that facilitates violations of essential liberties!
It is an out of control machine of death seeking to criminalize as much behavior as possible.
The U.S. has the highest incarceration rate. They have the most weapons.
This kind of thing will not end until the government collapses in on itself or people have an entire paradigm shift in the way that they think of their relation to their fellow person.
The vested moneyed interests are in control, and will be until the people wake up from their stupor and pay attention.
I'm not worried about it. However, I may not be entirely correct in my analysis. Would be interested in feedback.
The comments I've read so far seem pretty thoughtful both pro and con.
And for the most part, the US government acts in good faith.
BUT, on occasion we find ourselves looking pretty foolish when we believe uncritically what a government says (Iraq war) or horrified at what seems to be gratuitous heavy-handedness on the government's part (Swartz.)
And despite what former Secretary Clinton would like you to believe, there is no reset button on government legitimacy. Like an individual's reputation, it takes years to restore what was eroded in hours.
And while cyber attacks seem to represent a threat best countered by an organization that commands resources on a national scale, can we really trust them to do the right thing?
Hell, they put a PFC in a position to disseminate State Department messages. Anyone who's done a stint in the Army knows not to put a PFC in charge of anything except maybe a trigger, and even then under the guidance of an NCO.
I forward the hypothesis that the government has more interest in tracking (untaxed) financial transactions than thwarting cyber attacks.
The government's ability to fund itself has come to rely heavily on the Fed buying US debt, which some might call "printing money".
The longer that continues, the less credible the US dollar becomes in world finance.
The only thing keeping the dollar afloat is the rather poor state of the euro and yen, and the world's reluctance to trust China or Russia.
So the US is going fishing for sources of loot.
If the hypothesis is true, CISPA might be a godsend to Joe Six-Pack, or at least better than what's happening in Cyprus.
But in the end I think we'll get CISPA and Cyprus.
Dear Internet Defense League member,
Last year, right on the heels of our historic victory against SOPA, a piece of really nasty legislation almost passed that would have radically undermined online privacy.
It was called CISPA. And it raced through the US House of Representatives, passing before any of us had a chance to react. We stalled the bill in the Senate, but now CISPA is back, and we don't want to make the same mistake twice. Before there is any movement on the bill, we want to send a strong message to Congress that CISPA shouldn't pass.
That's why we're partnering with the Electronic Frontier Foundation to launch an Internet Defense League action starting tomorrow, Tuesday March 19th.
Can you participate? If so, get the code for your site here: http://members.internetdefenseleague.org
And help get more people signed up by sharing this page with your social network.
Wait, what is CISPA? And why does it matter so much?
CISPA (the Cyber Intelligence Sharing and Protection Act) would give companies complete freedom to share your personal data with the US government. It doesn't require them to do so, but if the government asked it would be hard to say no, and they'd have no reason to-- CISPA would free them from any promises made to customers in public statements or privacy policies.
Your emails, your Facebook account, your bank statements, the websites you visit, your real-time location (courtesy of your cellphone company)-- all of it could soon belong to a slew of government agencies and even local police, who could use it against you without a warrant.
Get the code: http://members.internetdefenseleague.org
The IDL action will display only tomorrow. The banner looks like this: http://i.imgur.com/mVG9kVX.png The modal looks like this: http://i.imgur.com/tCOtoEC.png
And they both link to this action page hosted by the EFF: https://action.eff.org/o/9042/p/dia/action/public/?action_KE...
Please spread the word.
Holmes Wilson - Internet Defense League
P.S. If you'd like to learn more about CISPA, the EFF has a great FAQ page here: https://www.eff.org/cybersecurity-bill-faq
Why wouldn't you read the bill yourself?
2.) If an "Internet Defense League" member wished--with your permission, of course--to read the text of the bill he's been asked to oppose and promote opposition to, this email offers no assistance. In polite terms, I think this is an oversight.