This article was published on April 11, 2012

CISPA: The rhetoric vs. the reality


I’ve been a bit buried in the last few weeks, and so CISPA has remained somewhat in the back of my head as something that I need to get to, when I have a spare moment. I trust you are in the same boat. And since that moment hasn’t appeared, I’m simply going to do us both a favor, and lay out what both sides are saying about the bill, to bring a little clarity.

Up first, brass tacks: CISPA stands for the “Cyber Intelligence Sharing and Protection Act,” it has a raft of co-sponsors, and is moving with decent alacrity towards passage. Its broad congressional support is being met with stiff resistance from activists (please never say ‘netroots’ again) using various methods, including the Internet, to push back against the bill.

Interestingly, the battle lines are drawn slightly differently this time around, with the likes of Facebook, and Microsoft (who was shamed into switching teams on SOPA), lending CISPA their John Hancock (and by that we mean endorsement; if you didn’t get the reference, go here). For a fuller list of firms that are backing the legislation, many of which you know and whose products you employ, head here.

Now, we can’t go much further in this post without taking a peek at what the bill does. Lifehacker, as always, is succinct:

If passed, CISPA would amend the National Security Act of 1947 to allow government agencies to swap customer data from Internet service providers and websites if that data is a threat to “cyber-security.” On a basic level the bill is meant to provide a means for companies and the government to share information with one another to fight against cyber threats.

That’s the main thrust of what we are talking about, data sharing. To get a view of what this means in actuality, we’re going to look at the pro-, and anti-CISPA positions, starting with those arguing for the bill. Let’s go:

CISPA Is Awesome, Will Keep You Safe

Fearing the same sort of backlash that brought down the unsinkable SOPA, congresspeople behind CISPA are trying to allay the fearful by being upfront. They’ve had a call with ‘Cyber Media and Cyber Bloggers’ (you can laugh at them for calling it that, welcome to 1995!), and have provided numerous remarks on the subject.

The best article summarizing how the sponsors view the bill, or at least how they want people to perceive how they view it, comes from The Hill. I’m going to drag out a few of the important quoted quips here, but if you want the full monty, head to the link. Here we go:

Rogers stressed on a call with reporters that the direction House Judiciary Committee Chairman Lamar Smith (R-Texas) went with SOPA is “completely different from where we are [with CISPA].”

A congressional staffer familiar with CISPA stressed that its requirements are “totally voluntary” and do not require private companies to share information with the military, as some have claimed.

“Nobody [in the private sector] … is required to provide anything to anyone else, or required to do anything,” the staffer said.

Taken at face value, CISPA sounds like a darn good idea. As Congressman Rogers went on to tell The Hill, the hackers that pose a security threat to the US are not individuals but “nation-states.” In other words, the sponsors present this bill as a necessity for keeping US infrastructure secure.

I’ll wander out a bit on a limb and assume that the idea here is that foreign attacks on US networks could take any number of forms, and that being able to pass information between ISPs and the government quickly could shorten response times. It sounds a bit hysterical to me, but I can understand the gist of it.

So long as what can be deemed a ‘cyber threat’ is narrow, and personal information is disclosed only when expressly required to combat such a threat, this could be reasonable. However, in the eyes of some, neither of those requirements is met, and that’s a very real issue.

CISPA Is A Disaster, Bring It Down, Legolas!

We now turn to those who view CISPA, whatever its good intentions, as going too far and creating some rather unsettling possibilities. Let’s begin with how CISPA defines the threats it is designed to address:

‘(A) efforts to degrade, disrupt, or destroy such system or network; or

‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

Well, the first one fits what the congresspeople were talking about. The second deals with the ‘theft’ of IP and private data. That sounds like piracy to me. Of course, you might not read it that way. However, I’m not alone in my thoughts. I turn now to the lovely TechDirt:

It’s easy to see how that definition could be interpreted to include things that go way beyond network security—specifically, copyright policing systems at virtually any point along a network could easily qualify. And since one of the recipients of the shared information would be Homeland Security—the department that includes ICE and its ongoing domain seizures—CISPA creates the very real possibility for this information to be used as part of a SOPA-like crusade to lock down the internet. So while the bill itself has nothing to do with domain seizures, it gives the people behind such seizures a potentially powerful new weapon.

The reps insist that when they refer to intellectual property, they are not thinking about media piracy or even counterfeiting, but about foreign-based attacks on domestic companies to steal their research and development (they tout examples like the plans for jet fighters). Unfortunately, the bill’s definitions create no such restriction, leaving the door wide open for more creative interpretations.

I have to admit that TechDirt’s argument is compelling. Especially given how powerful and well-funded the lobbies are that would push for just such a ‘creative,’ and therefore broad, interpretation of the bill. However, we have more work to do.

Earlier I mentioned personal data, and that it should be protected. For example, if an ISP noticed an attack that degraded its network and wanted to share information with the government, any personal data in that information should be masked, pseudonymized, or stripped out entirely before it leaves the ISP. However, again according to TechDirt, CISPA doesn’t require any such thing:

[W]hile the reps insist that the bill only applies to companies and not individuals, that’s very disingenuous. CISPA states that the entity providing the information cannot be an individual or be working for an individual, but the data they share (traffic, user activity, etc.) will absolutely include information about individuals.

That crosses the line. A new conduit that can, under very broad and hard-to-limit circumstances, send large amounts of private data to the government is too much. What recourse does the individual have? Does the ISP inform them that their information has been sent? That it has even been stored for transfer? I’m not that bad a guy, but I certainly don’t want Uncle Sam digging through my Internet history.
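To make the masking I called for above concrete, here is an added example (written for this post, not code from the original article, from any ISP, or from the bill) of what an ISP could do before sharing attack logs: replace client addresses with keyed one-way tokens, drop account identifiers, strip query strings, and run a release check that refuses to share anything still containing a raw IP or e-mail address. The log format, field names, sample lines, and the per-batch key are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed sample lines, not real traffic. The format is a hypothetical
# CLF-like layout chosen for this example:
#   client_ip user [timestamp] "METHOD target HTTP/x" status
RAW_LOG = """\
203.0.113.7 alice@example.net [11/Apr/2012:10:01:02 +0000] "GET /api/login?user=alice&token=abc123 HTTP/1.1" 200
203.0.113.7 - [11/Apr/2012:10:01:03 +0000] "GET /api/login?user=alice&token=abc124 HTTP/1.1" 401
198.51.100.23 - [11/Apr/2012:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 403
198.51.100.23 - [11/Apr/2012:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 403
192.0.2.44 bob@example.org [11/Apr/2012:10:01:05 +0000] "GET /index.html HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)
# Release-check patterns: anything matching these must not leave the ISP.
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed one-way token for a client address.

    The same address maps to the same token within one sharing batch, so the
    recipient can still correlate events from one source; without the
    ISP-held key the token cannot be reversed or joined to other datasets.
    """
    return "src-" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_line(line: str, key: bytes):
    """Return a shareable record for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Keep only the path: query strings routinely carry usernames and tokens.
    path = urlsplit(m["target"]).path
    # The user field is dropped outright; it is not needed to describe an
    # attack on the network, only to identify a subscriber.
    return {
        "source": pseudonymize_ip(m["ip"], key),
        "timestamp": m["ts"],
        "method": m["method"],
        "path": path,
        "status": int(m["status"]),
    }


def sanitize_log(text: str, key: bytes) -> list:
    """Sanitize every parseable line of a raw log into shareable records."""
    records = []
    for line in text.splitlines():
        rec = sanitize_line(line, key)
        if rec is not None:
            records.append(rec)
    return records


def contains_pii(records) -> bool:
    """Release check: True if any raw IPv4 address or e-mail survives."""
    for rec in records:
        for value in rec.values():
            text = str(value)
            if IPV4_RE.search(text) or EMAIL_RE.search(text):
                return True
    return False


def summarize(records) -> dict:
    """Events per pseudonymous source, so noisy attackers still stand out."""
    counts = {}
    for rec in records:
        counts[rec["source"]] = counts.get(rec["source"], 0) + 1
    return counts


if __name__ == "__main__":
    # Hypothetical ISP-held key; rotate it per sharing batch so tokens from
    # different batches cannot be linked to each other.
    batch_key = b"constructed-per-batch-secret"
    shareable = sanitize_log(RAW_LOG, batch_key)
    if contains_pii(shareable):
        raise SystemExit("refusing to share: personal data survived sanitizing")
    for rec in shareable:
        print(rec)
    print(summarize(shareable))
```

The point of the keyed token rather than a plain hash is that a plain SHA-256 of an IPv4 address is trivially reversible by hashing all four billion candidates; with the key kept at the ISP, the recipient gets correlation within the batch and nothing more. The release check is deliberately a separate step from the sanitizer, so that a new log field added later cannot silently leak through.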

Do I sound a bit paranoid? Perhaps, if the government could only use data provided by an ISP for a, and I use the word again, narrow purpose. However, one final TechDirt extract drives what I feel is the final nail into the CISPA coffin:

[T]he government is also allowed to affirmatively search the information for those same reasons—meaning they are by no means limited to examining the data in relation to a specific threat. If, for example, a company were to provide logs of a major attack on their network, the government could then search that information for pretty much anything else they want.

And now they’ve lost my support. I’m all for things that keep us safe. CISPA, on the other hand, even if written in good conscience, is too loosely worded to be trusted, and too broad in its consequences to be what it claims to be: a ‘cyber security’ bill. This law, if passed, has the potential to unmask your Internet life for the government’s perusal, because, essentially, they can. No thanks.

As always with posts like this, I have linked and extracted more than normal. I did so to encourage you to hit all the blue underlines and get more informed. This post is at best a primer.
