Did CISPA Actually Get Better Before Passing? Not Really

from the depends-on-how-you-define-"better" dept

Fri, Apr 27th 2012 10:05am — Leigh Beadon

Yesterday, after I asserted that CISPA had gotten much worse before it was passed in a rushed vote, I heard from several people (even those in the anti-CISPA camp) who took the opposite position. They feel that, while CISPA is still a highly problematic bill, the Quayle amendment which I roundly criticized actually represented a significant last-minute improvement to the text. I still don't see it that way, for reasons I explain below, but they did make an important point that is worth calling attention to.

Basically, under their reading of the previous text, it allowed the government to use the data for any non-regulatory purpose as long as it has one cybersecurity or national security purpose. I hadn't initially read it that way but I completely agree, and that is indeed a troublesome wild card to hand to the government. The amendment removed the broad "any lawful purpose" language, replacing it with the list of five specific uses (cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security), thus closing that gaping hole in the bill. In that sense, it's a good amendment.

But, does it really improve CISPA? That depends on how you look at it. CISPA is supposed to be a "cybersecurity" bill, and both its supporters and its opponents in Congress have repeatedly stated that cybersecurity means protecting networks and systems from disruption, hacking and malicious code—primarily coming from overseas. Even during yesterday's debate, virtually every representative who spoke opened with a speech on this topic, and Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code". (I'm pretty sure he meant "1s and 0s", but what do you expect from someone who doesn't understand the thing he's trying to legislate?)

Now, critics of the bill have of course been saying all along that it could be used for things way beyond this stated cybersecurity purpose. But the response from supporters has been consistent: no, it can't, and even if it can, it won't be. [Insert another impassioned speech about the cyber-threat from China.] Then, suddenly, only a few minutes before the final vote, the representatives near-unanimously amend CISPA to include these brand new targets of bodily harm and child exploitation, which have nothing to do with cybersecurity and which have rarely if ever been mentioned in relation to the bill.

Basically, the amendment closes a loophole but opens a door. It takes away some of the language that allows overreach of the bill, but then explicitly endorses the exact things people were worried the government would do with that language—as in, start using the data to investigate and build cases against American citizens without regard for the laws that would normally protect their privacy.

Is that an improvement? CISPA would now grant the government less vague power, which is good, but would also grant it brand new specific powers, which is bad and frankly pretty insulting. Because, if this is indeed an improvement and a narrowing of the government's power, how are we to take that if not as a confession that virtually every representative has been baldly lying this whole time? They have said over and over again that they don't want or plan to use the bill for anything except shoring up network security, but we're supposed to see the addition of these brand new applications as limiting CISPA's target? To me, that sounds like they're saying: "Okay, you got us—we really wanted to secretly do all this other stuff. As long as you still let us do that, we'll change the bill."

So the way I see it, there are two ways to look at the Quayle amendment: either it made the bill worse, by massively expanding its stated purpose to whole new areas of the law such that it can no longer accurately be called a "cybersecurity" bill at all, or else it made the bill better by codifying the ways it can be abused for non-cybersecurity purposes.

Of course, it's not as though everyone trusted what supporters were saying about the bill's purpose before. We all knew it would be used for these other things. But simply getting them to admit that is not really progress. It's accurate to say that the amendment has limited the government's power under CISPA by changing the language, but it's also ludicrous to say that turning a cybersecurity/national-security bill into a cybersecurity/cybercrime/violent-crime/child-exploitation/national-security bill at the last minute represents narrowing or improving it. In fact, the only way that's an improvement is if the representatives are admitting that they were planning on it being used for even more unstated purposes all along, but are now content with choosing only a few of the things they have repeatedly denied they wanted. I see how that can be framed as progress, but it's not exactly something that the House deserves any praise for.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cispa, congress, cybersecurity

32 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Capt ICE Enforcer, 27 Apr 2012 @ 10:26am

Protecting from harm
Attention All:

Subject: Typing may cause Carpal Tunnel, & Arthritis.

Good news my fellow Americans. Science has found that typing can cause Carpal Tunnel & Arthritis. These have been known to harm people of all ages. So in order to keep you safe. The US Government will use CISPA and monitor all use of your electronic devices. To include but not limited to what keys you type, and where the information get sent to. Using this information will not help you in any way. But is the perfect excuse for us to monitor you.

Best intentions can result in the Worst outcome.

Capt ICE Enforcer Out.
[ link to this | view in chronology ]
- gorehound (profile), 27 Apr 2012 @ 11:40am
  
  Re: Protecting from harm
  But we must protect the Children from Online Predators !!!
  [ link to this | view in chronology ]
Anonymous Coward, 27 Apr 2012 @ 10:29am

Mhhm.
[ link to this | view in chronology ]
Anonymous Coward, 27 Apr 2012 @ 10:37am

CISPA, the Child/Infant Safety and Protection Act
I'm surprised they're still calling it a cybersecurity bill. Why not call it a child protection bill? Then they could brand everyone who opposes it a pedophile.

And did you know there are children in other countries? It's true! Clearly there need to be more extradition treaties like the UK's, so children all over the world can be protected by CISPA.
[ link to this | view in chronology ]
- Anonymous Coward, 3 May 2012 @ 10:21pm
  
  Re: CISPA, the Child/Infant Safety and Protection Act
  The Public Safety minister did it in Canada.
  
  http://www.theglobeandmail.com/news/politics/john-ibbitson/tories-on-e-snooping-stand-wit h-us-or-with-the-child-pornographers/article2336889/
  [ link to this | view in chronology ]
Michael Long (profile), 27 Apr 2012 @ 10:37am

A couple of things are better...

2) ...and ensure that those who negligently cause injury through the use of cybersecurity systems or the sharing of information are not exempt from potential civil liability.

This helps remove one of the major carrots for companies to voluntarily share data.

4) Would make clear that regulatory information already required to be provided remains FOIAable under current law.

15) Would sunset the provisions of the bill five years after the date of enactment.
[ link to this | view in chronology ]
- Leigh Beadon (profile), 27 Apr 2012 @ 10:39am
  
  Re:
  Yeah - some of the other amendments that passed are pretty good. Another is the clarification that merely violating terms of service doesn't constitute hacking.
  
  However, I still think all that pales in comparison to this amendment, that is essentially a core change to the stated purpose of the bill, and flies in the face of what everyone involved has said CISPA is for.
  [ link to this | view in chronology ]
  - A Dan (profile), 27 Apr 2012 @ 11:14am
    
    Re: Re:
    One reason I gave my congressman that I opposed this bill is that it didn't contain safeguards to keep the information from being used to prosecute other types of crimes which were not in any way related to "cybersecurity". Based on the amendment, that was apparently intentional.
    [ link to this | view in chronology ]
- RyanRadia (profile), 28 Apr 2012 @ 9:48pm
  
  Re:
  Unfortunately, the amendment to make companies liable for sharing information that causes injury (Conyers #2) was not offered on the floor, so it's not part of CISPA as passed. The final engrossed House-passed bill, with all amendments included, is here: http://www.gpo.gov/fdsys/pkg/BILLS-112hr3523eh/pdf/BILLS-112hr3523eh.pdf
  [ link to this | view in chronology ]
Baldaur Regis (profile), 27 Apr 2012 @ 10:38am

...Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code".
Xs and Os. Yeah, this is exactly the guy I would hire to protect computer systems.
[ link to this | view in chronology ]
- :Lobo Santo (profile), 27 Apr 2012 @ 11:08am
  
  Re: Xs and Os
  He probably reads the raw binary, mumbling to himself and occasionally shouting "yahtzee!"
  [ link to this | view in chronology ]
- Chuck Norris' Enemy (deceased) (profile), 27 Apr 2012 @ 12:54pm
  
  Re:
  Man...but can't you feel the love? Maybe he is looking into sexbots?
  [ link to this | view in chronology ]
- Cowardly Anonymous, 28 Apr 2012 @ 10:00am
  
  Re:
  1s and 0s are purely symbolic representations, and don't even map to the same voltages across all devices. True, they have become a standard in the industry and it is highly unlikely that a politician understands these basic principles, but understanding the binary nature of computer data is a far cry better than calling the internet a series of tubes.
  
  Now, technically, they should be looking to share the disassembled code, rather than the bit by bit representation. Still, this is at least evidence that they can learn, if it is screamed at them loud enough.
  [ link to this | view in chronology ]
  - Leigh Beadon (profile), 28 Apr 2012 @ 10:17am
    
    Re: Re:
    Heh - I was thinking afterwards about how, yeah, Xs and Os would work just as well for symbolizing binary information. However, I think it's a stretch to say he understands the binary nature of computer data. When you watch the speech (link is in the comments here if you want to check it out) he clearly just has these things as talking points to some degree - and I think he actually stumbled slightly when he said "formulas" (someone probably explained algorithms/code to him as being kind of like a math formula), and then that put algebra in his brain, which is where the "Xs" came from, which derailed his brain yet again into "Xs and Os" (a tragic blend of algebra's Xs and Ys, binary's 1s and 0s and, um, tic-tac-toe). "The virus code" is the only thing he sounds slightly confident about saying, and I get the impression that the other stuff is how someone tried to explain to him what "virus code" actually is.
    
    Obviously I'm just guessing from looking at the man's face and listening to his voice - but definitely nothing about him radiated "understanding". This doesn't show they can learn if it's screamed at them loud enough, it shows they can't even properly memorize by rote when it's screamed at them loudly.
    [ link to this | view in chronology ]
- Frank Bennett (profile), 29 Apr 2012 @ 1:21am
  
  Re: Sunsetting
  A sunset provision in legislation with effects this deep isn't really aimed at decommissioning -- no one has suggested that the issues addressed by this bill will have faded in five years. Rather, expiration of the legislation will trigger campaign contributions from private firms and industry groups that by then will have integrated its provisions into their business practices. It's all pretty ugly.
  [ link to this | view in chronology ]
Anonymous Coward, 27 Apr 2012 @ 12:14pm

98% of adults online are child predators!! Some people only think it's only 2%. And those people are just elitists!
[ link to this | view in chronology ]
- Liz (profile), 27 Apr 2012 @ 12:19pm
  
  Re:
  Only if you're a guy. If you're a woman, there's a good chance you're jail bait or someone's Mom. Of course the axiom is that there are no girls on the internet. And that 15 year old is really a 33 year old FBI agent.
  [ link to this | view in chronology ]
  - R.H. (profile), 28 Apr 2012 @ 10:08am
    
    Re: Re:
    I read the axiom, about 15 years ago, as, "The Internet, where men are men, women are men, and children are FBI agents."
    [ link to this | view in chronology ]
Liz (profile), 27 Apr 2012 @ 12:16pm

"National Security" as a reason for this law seems like a HUGE gaping hole when it comes to government enforcement. It's like a catch-all term for "We can do what we wish without consequence."
[ link to this | view in chronology ]
corwin155 (profile), 27 Apr 2012 @ 12:18pm

list of five specific uses (cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security)

in other words
you a criminal without rights
we will be watching you
[ link to this | view in chronology ]
Anonymous Coward, 27 Apr 2012 @ 12:24pm

I wonder what Bill Whittle has to say about CISPA?
[ link to this | view in chronology ]
Rich Kulawiec, 27 Apr 2012 @ 12:37pm

There's a political angle to this as well
Consider:

House passes bill.
Senate passes bill.
President vetos bill.
Something bad happens.
GOP seizes opportunity for gotcha! moment in election year.

Of course, "something bad" happens just about every day -- read the "Dataloss" mailing list. So it's not like anything particularly bad would need to turn up, and it's not like it would even have to be something covered by the bill. "Credit card company loses hard drive with 28 million customer accounts" would do just fine, because the computer-illiterate public will have no clue whether this had anything to do with CISPA.

Here's the thing: the worse the bill is, the better it works for this, because the more pressure the President will be under not to sign it. So there is substantial motivation to load the bill up with as many due process violations, as many civil rights issues, and as much wildly unconstitutional language as possible: the idea isn't to get it signed, the idea is to get it vetoed, because then it can serve its purpose.

Oh. One more thing. This is also why the House has studiously avoided asking anyone who has even half a clue about security to testify, and has instead focused on the OMG!OMG!CYBERWAR cheerleaders. There is no way that sanity and expertise can be allowed anywhere near this process because that might accidentally result in a better bill.
[ link to this | view in chronology ]
Rich Kulawiec, 27 Apr 2012 @ 2:50pm

[...] and Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code". (I'm pretty sure he meant "1s and 0s", but what do you expect from someone who doesn't understand the thing he's trying to legislate?)

Do you have a source for this quote from Ruppersberger?
[ link to this | view in chronology ]
- Leigh Beadon (profile), 27 Apr 2012 @ 6:35pm
  
  Re:
  Do you have a source for this quote from Ruppersberger?
  
  It is in this House session:
  http://www.c-spanvideo.org/program/HouseSession5327
  
  I am tracking down the exact spot in the video now.
  [ link to this | view in chronology ]
- Leigh Beadon (profile), 27 Apr 2012 @ 6:48pm
  
  Re:
  Okay: He starts speaking at 03:15:50, and the specific quote comes about a minute after that.
  [ link to this | view in chronology ]
  - Rich Kulawiec, 28 Apr 2012 @ 5:26am
    
    Re: Re:
    Many thanks, this is terrific and precisely what I was looking for! I owe you one. Maybe two.
    [ link to this | view in chronology ]
    - Leigh Beadon (profile), 28 Apr 2012 @ 10:10am
      
      Re: Re: Re:
      I suspect you also enjoy the part where he calls it "the secret sauce" :)
      [ link to this | view in chronology ]
  - Anonymous Coward, 30 Apr 2012 @ 5:17pm
    
    Re: Re:
    i just love that Mac thornberry, after one minute in the video
    talks about cyber security and that it's monitored and destroyed and what-not...does he realize that the very bill is
    exactly the same?
    That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he's whatching the (possibly) non-exsisting hacker that is watching us.
    This is a freaky hack-seption, and i don't know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country...i'm seriously disturbed by this (I'm just a 16, year old from Sweden, and even I can feel a wind of change comming)
    
    sry for the long post, but i'm happy you took up this issue (would be glad if i could get a response)
    [ link to this | view in chronology ]
littlebiggygirl (profile), 27 Apr 2012 @ 4:19pm

why does invoking national security justify ignoring privacy laws?
www.littlebiggy.org/4722867
[ link to this | view in chronology ]
Erik, 28 Apr 2012 @ 8:30pm

Just to clarify, when that congressman was talking about Xs and Os he wasn't talking about coding. He was talking about sharing anti-cyber security strategies. Its a term often found in the sport of American Football because players are indicated by Xs and Os in playbooks.

I wouldn't expect a bunch of nerds to understand that. :P I kid, I kid.
[ link to this | view in chronology ]
Jeff Rowberg (profile), 30 Apr 2012 @ 10:55am

Xs and Os
Internet, n: A series of tubes through which Xs and Os flow, mostly containing virus code, stolen intellectual property, and child pornography. (New Political Dictionary, 2nd Ed., 2012)
[ link to this | view in chronology ]
Anonymous Coward, 30 Apr 2012 @ 5:18pm

Re: Re:
i just love that Mac thornberry, after one minute in the video
talks about cyber security and that it's monitored and destroyed and what-not...does he realize that the very bill is
exactly the same?
That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he's whatching the (possibly) non-exsisting hacker that is watching us.
This is a freaky hack-seption, and i don't know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country...i'm seriously disturbed by this (I'm just a 16, year old from Sweden, and even I can feel a wind of change comming)

sry for the long post, but i'm happy you took up this issue (would be glad if i could get a response)
[ link to this | view in chronology ]