Did CISPA Actually Get Better Before Passing? Not Really
from the depends-on-how-you-define-"better" dept
Yesterday, after I asserted that CISPA had gotten much worse before it was passed in a rushed vote, I heard from several people (even those in the anti-CISPA camp) who took the opposite position. They feel that, while CISPA is still a highly problematic bill, the Quayle amendment which I roundly criticized actually represented a significant last-minute improvement to the text. I still don't see it that way, for reasons I explain below, but they did make an important point that is worth calling attention to.
Basically, under their reading of the previous text, it allowed the government to use the data for any non-regulatory purpose as long as it has one cybersecurity or national security purpose. I hadn't initially read it that way but I completely agree, and that is indeed a troublesome wild card to hand to the government. The amendment removed the broad "any lawful purpose" language, replacing it with the list of five specific uses (cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security), thus closing that gaping hole in the bill. In that sense, it's a good amendment.
But, does it really improve CISPA? That depends on how you look at it. CISPA is supposed to be a "cybersecurity" bill, and both its supporters and its opponents in Congress have repeatedly stated that cybersecurity means protecting networks and systems from disruption, hacking and malicious code—primarily coming from overseas. Even during yesterday's debate, virtually every representative who spoke opened with a speech on this topic, and Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code". (I'm pretty sure he meant "1s and 0s", but what do you expect from someone who doesn't understand the thing he's trying to legislate?)
Now, critics of the bill have of course been saying all along that it could be used for things way beyond this stated cybersecurity purpose. But the response from supporters has been consistent: no, it can't, and even if it can, it won't be. [Insert another impassioned speech about the cyber-threat from China.] Then, suddenly, only a few minutes before the final vote, the representatives near-unanimously amend CISPA to include these brand new targets of bodily harm and child exploitation, which have nothing to do with cybersecurity and which have rarely if ever been mentioned in relation to the bill.
Basically, the amendment closes a loophole but opens a door. It takes away some of the language that allows overreach of the bill, but then explicitly endorses the exact things people were worried the government would do with that language—as in, start using the data to investigate and build cases against American citizens without regard for the laws that would normally protect their privacy.
Is that an improvement? CISPA would now grant the government less vague power, which is good, but would also grant it brand new specific powers, which is bad and frankly pretty insulting. Because, if this is indeed an improvement and a narrowing of the government's power, how are we to take that if not as a confession that virtually every representative has been baldly lying this whole time? They have said over and over again that they don't want or plan to use the bill for anything except shoring up network security, but we're supposed to see the addition of these brand new applications as limiting CISPA's target? To me, that sounds like they're saying: "Okay, you got us—we really wanted to secretly do all this other stuff. As long as you still let us do that, we'll change the bill."
So the way I see it, there are two ways to look at the Quayle amendment: either it made the bill worse, by massively expanding its stated purpose to whole new areas of the law such that it can no longer accurately be called a "cybersecurity" bill at all, or else it made the bill better by codifying the ways it can be abused for non-cybersecurity purposes.
Of course, it's not as though everyone trusted what supporters were saying about the bill's purpose before. We all knew it would be used for these other things. But simply getting them to admit that is not really progress. It's accurate to say that the amendment has limited the government's power under CISPA by changing the language, but it's also ludicrous to say that turning a cybersecurity/national-security bill into a cybersecurity/cybercrime/violent-crime/child-exploitation/national-security bill at the last minute represents narrowing or improving it. In fact, the only way that's an improvement is if the representatives are admitting that they were planning on it being used for even more unstated purposes all along, but are now content with choosing only a few of the things they have repeatedly denied they wanted. I see how that can be framed as progress, but it's not exactly something that the House deserves any praise for.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cispa, congress, cybersecurity
Reader Comments
Subscribe: RSS
View by: Time | Thread
Protecting from harm
Subject: Typing may cause Carpal Tunnel, & Arthritis.
Good news my fellow Americans. Science has found that typing can cause Carpal Tunnel & Arthritis. These have been known to harm people of all ages. So in order to keep you safe. The US Government will use CISPA and monitor all use of your electronic devices. To include but not limited to what keys you type, and where the information get sent to. Using this information will not help you in any way. But is the perfect excuse for us to monitor you.
Best intentions can result in the Worst outcome.
Capt ICE Enforcer Out.
[ link to this | view in chronology ]
Re: Protecting from harm
[ link to this | view in chronology ]
[ link to this | view in chronology ]
CISPA, the Child/Infant Safety and Protection Act
And did you know there are children in other countries? It's true! Clearly there need to be more extradition treaties like the UK's, so children all over the world can be protected by CISPA.
[ link to this | view in chronology ]
Re: CISPA, the Child/Infant Safety and Protection Act
http://www.theglobeandmail.com/news/politics/john-ibbitson/tories-on-e-snooping-stand-wit h-us-or-with-the-child-pornographers/article2336889/
[ link to this | view in chronology ]
2) ...and ensure that those who negligently cause injury through the use of cybersecurity systems or the sharing of information are not exempt from potential civil liability.
This helps remove one of the major carrots for companies to voluntarily share data.
4) Would make clear that regulatory information already required to be provided remains FOIAable under current law.
15) Would sunset the provisions of the bill five years after the date of enactment.
[ link to this | view in chronology ]
Re:
However, I still think all that pales in comparison to this amendment, that is essentially a core change to the stated purpose of the bill, and flies in the face of what everyone involved has said CISPA is for.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Xs and Os
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Now, technically, they should be looking to share the disassembled code, rather than the bit by bit representation. Still, this is at least evidence that they can learn, if it is screamed at them loud enough.
[ link to this | view in chronology ]
Re: Re:
Obviously I'm just guessing from looking at the man's face and listening to his voice - but definitely nothing about him radiated "understanding". This doesn't show they can learn if it's screamed at them loud enough, it shows they can't even properly memorize by rote when it's screamed at them loudly.
[ link to this | view in chronology ]
Re: Sunsetting
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
in other words
you a criminal without rights
we will be watching you
[ link to this | view in chronology ]
[ link to this | view in chronology ]
There's a political angle to this as well
House passes bill.
Senate passes bill.
President vetos bill.
Something bad happens.
GOP seizes opportunity for gotcha! moment in election year.
Of course, "something bad" happens just about every day -- read the "Dataloss" mailing list. So it's not like anything particularly bad would need to turn up, and it's not like it would even have to be something covered by the bill. "Credit card company loses hard drive with 28 million customer accounts" would do just fine, because the computer-illiterate public will have no clue whether this had anything to do with CISPA.
Here's the thing: the worse the bill is, the better it works for this, because the more pressure the President will be under not to sign it. So there is substantial motivation to load the bill up with as many due process violations, as many civil rights issues, and as much wildly unconstitutional language as possible: the idea isn't to get it signed, the idea is to get it vetoed, because then it can serve its purpose.
Oh. One more thing. This is also why the House has studiously avoided asking anyone who has even half a clue about security to testify, and has instead focused on the OMG!OMG!CYBERWAR cheerleaders. There is no way that sanity and expertise can be allowed anywhere near this process because that might accidentally result in a better bill.
[ link to this | view in chronology ]
Do you have a source for this quote from Ruppersberger?
[ link to this | view in chronology ]
Re:
It is in this House session:
http://www.c-spanvideo.org/program/HouseSession5327
I am tracking down the exact spot in the video now.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
talks about cyber security and that it's monitored and destroyed and what-not...does he realize that the very bill is
exactly the same?
That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he's whatching the (possibly) non-exsisting hacker that is watching us.
This is a freaky hack-seption, and i don't know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country...i'm seriously disturbed by this (I'm just a 16, year old from Sweden, and even I can feel a wind of change comming)
sry for the long post, but i'm happy you took up this issue (would be glad if i could get a response)
[ link to this | view in chronology ]
www.littlebiggy.org/4722867
[ link to this | view in chronology ]
I wouldn't expect a bunch of nerds to understand that. :P I kid, I kid.
[ link to this | view in chronology ]
Xs and Os
[ link to this | view in chronology ]
Re: Re:
talks about cyber security and that it's monitored and destroyed and what-not...does he realize that the very bill is
exactly the same?
That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he's whatching the (possibly) non-exsisting hacker that is watching us.
This is a freaky hack-seption, and i don't know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country...i'm seriously disturbed by this (I'm just a 16, year old from Sweden, and even I can feel a wind of change comming)
sry for the long post, but i'm happy you took up this issue (would be glad if i could get a response)
[ link to this | view in chronology ]