CISPA Amendment Proves Everyone's Fears Were Justified While Failing To Assuage Them

from the the-more-things-change dept

Thu, Apr 11th 2013 7:28am — Leigh Beadon

The single biggest criticism of CISPA is that it could be used by the federal government in a way that infringes on people's privacy, allowing government agencies, including the NSA, to sift through the private data of American citizens with little to no oversight. It's pretty obvious why that fear exists — just look at the relevant paragraph in what, until the recent and final round of markup, was the text of the bill:

(7) PROTECTION OF INDIVIDUAL INFORMATION—The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.

So, um, the feds may worry about privacy, if they want to and as long as it doesn't hinder their cybersecurity efforts. It's disconcerting that this even needed to be spelled out, and it certainly doesn't count as a safeguard. The response to criticism from the bill's authors has been the same since last year: they deny that this bill has anything to do with spying on people, and insist it's just about sharing technical threat data. Just this week, Rep. Rogers flatly stated this is not a surveillance bill. Still, in an attempt to placate the opposition, they backed an amendment (pdf and embedded below) from Rep. Hines replacing that paragraph, which passed in the markup phase. Here's the new text:

PRIVACY AND CIVIL LIBERTIES.—

(A) POLICIES AND PROCEDURES.—The Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, shall establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government in accordance with paragraph (1). Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner—

(i) minimize the impact on privacy and civil liberties;
(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner;
(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;
(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and
(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.

It seems to me they are hoping that by making the section longer and more complicated, people will miss the fact that very little has changed. But what's truly astonishing is that this new text reads like a confession that CISPA does involve all the stuff that they've been insisting it has nothing to do with.

The big thing, of course, is that this oversight now involves civilian agencies, which is really the only meaningful change — and its impact has been rather minimized. Rather than putting the DHS or another agency in between the public and military agencies like the NSA, they've simply given them some input — and it's hard to say how meaningful that input will be. The provisions are bookended by escape clauses: first we're told that they only count when "consistent with the need to protect systems and networks from cyber threats", and then at the end we're reminded that they must "not delay or impede the flow of cyber threat information". That alone renders the rest of the text virtually moot, and it also seems to be acknowledging that the type of information sharing they want to do does threaten privacy.

If that weren't clear enough, there's a third out hiding in clause (ii), where we're reminded that personal information will only be limited if it's "not necessary to protect systems or networks from cyber threats". If this bill is really just about getting technical threat data, why would personal information ever be necessary? Once again, it serves as both an escape clause and a tacit admission that they do plan on doing the things that they have denied so vocally, or at least that they want to keep the option open.

But you can bet that the next time Rep. Rogers or Ruppersberger is questioned about it, they'll insist that CISPA has nothing to do with personal information and couldn't possibly threaten anyone's privacy. They'll insist that they addressed any concerns with this amendment, when in fact all they did was confirm just how warranted those concerns are. Nothing has changed: CISPA is still a dangerous bill, perhaps more explicitly so now than ever.

CISPA Himes Minimization Amendment (PDF)CISPA Himes Minimization Amendment (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cispa, nsa, privacy

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 11 Apr 2013 @ 5:44am

The bill is not needed and we all know it. They know it. The only goal of this bill is to make it much easier to spy on their own citizens and prevent protests, insurrection. When asked they'll keep yelling "BUT... BUT... CYBERZOMBIEAPOCALYPSE!" in an attempt to bury criticism and discussion under the weight of all the FUD.

It's clear that if you keep any system updated (good maintenance), have provisions to quickly mitigate any attack ready (system monitoring) and spread the word in case any sensitive info is accessed (efficient communication) then the damage will always be kept to a minimum. It helps when you are not deliberately trying to break the system (SOPA) or hoarding all the data with little to no oversight (CISPA) in systems that may have several holes.
[ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2013 @ 7:41am

If there is even the most remote of possibilities that something in the bill will be abused, it's a guarantee that it will be abused. No amount of reassuring will change that. That goes for all bills and laws. There is no good faith, only time until abuse. The government and various lawyers have proven that to be 100% true.
Even when the language is clear, there's still the whole unique interpretation routine, national security claim, loophole or routing around to get what they want. Then when those fail, they often just do it anyway.

So tell me again how something that can be used for abuse won't be used for abuse? Because I'm not buying what you're selling.
[ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2013 @ 7:54am

"So, um, the feds may worry about privacy, if they want to and as long as it doesn't hinder their cybersecurity efforts."

If only more criminals were like that.

"I MAY worry about what stealing all of your money will do you financially, if I want to, as long as it doesn't hinder my efforts to get rich quick no matter how many people I have to steal from."
[ link to this | view in chronology ]
Michael, 11 Apr 2013 @ 7:55am

Error
You made a minor mistake in the opening sentence.

The single biggest goal of CISPA is that it could be used by the federal government in a way that infringes on people's privacy, allowing government agencies, including the NSA, to sift through the private data of American citizens with little to no oversight.

all better.
[ link to this | view in chronology ]
Pixelation, 11 Apr 2013 @ 8:08am

*Sniff, sniff*...Yep, still stinks.
[ link to this | view in chronology ]
jupiterkansas (profile), 11 Apr 2013 @ 8:11am

I hope they don't change it too much. I'm already working on my secret interpretation.
[ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2013 @ 8:11am

What is incredible is that there is no safeguards, zero ways to watch what is being done and spot abuse, is like lawmakers are out of their depth and don't know what they are actually voting on.

All investigations should at the very least be fully disclosed after closure or a year so the procedures used can be reviewed, this clearly would mitigate the risk of abuse, furthermore if any case needs more than one year it should get a court order and be reviewed by others to get a fraking special permission to continue without disclosure where, and it should be disclosed to a non-profit organization that they need it.

This BS can't go on forever there responsible ways of doing things and this is not one of them, not by a long shot.
[ link to this | view in chronology ]
Zakida Paul (profile), 11 Apr 2013 @ 8:12am

*Sniff, sniff* Do you smell that?
*Sniff, sniff* Sheep, is it?
*Sniff, sniff* Cow?
*Sniff, sniff* No, I know what that is. It's bullshit.

That is all that comes out of government these days. A never ending stream of smelly, steaming bullshit.
[ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2013 @ 8:12am

Last minute bill changes to insert unwanted legislation is how Congress has always worked. This is why all bills should be required to have at least two months of public review after any amendments are made.
[ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2013 @ 8:20am

why keep pissing about? just tell it like it is! the USA is now the democratic equivalent of China! if it isn't happening already, it will very soon be that no one will be able to do anything, go anywhere, say anything via any means without being spied on 100% of the time, even in their own homes, by a government that is supposed to be one of the foremost on freedom, privacy and democracy in general. instead, it has become so paranoid that even it's own people are being classed and treated as if they are enemies about to commit the most heinous of crimes! what the hell has happened to the USA? when did this drastic change take place? what has happened to make it one of the most despised places under one of the most hated regimes of all? it is now so close to being no better than a Police State, no better than the countries that were fought against for trying to do the exact same things 70 years ago! when a government becomes so afraid of what may happen that it makes enemies out of every one of it's own citizens, it is in deep trouble!
[ link to this | view in chronology ]
- Michael, 11 Apr 2013 @ 8:22am
  
  Re:
  the USA is now the democratic equivalent of China!
  
  We became a democracy again?
  [ link to this | view in chronology ]
  - The Real Michael, 11 Apr 2013 @ 8:27am
    
    Re: Re:
    We're a Constituional Republic... supposedly.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 11 Apr 2013 @ 8:41am
      
      Re: Re: Re:
      A constitutional republic combined with representative democracy, you mean.
      [ link to this | view in chronology ]
      - Anonymous Coward, 11 Apr 2013 @ 9:11am
        
        Re: Re: Re: Re:
        Translation:
        
        Meta-democracy.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 11 Apr 2013 @ 9:42am
        
        Re: Re: Re: Re: Re:
        Metacracy.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 11 Apr 2013 @ 7:36pm
        
        Re: Re: Re: Re: Re: Re:
        Mediocracy.
        [ link to this | view in chronology ]
        
        Killer_Tofu (profile), 12 Apr 2013 @ 6:23am
        
        Re: Re: Re: Re: Re: Re: Re:
        Idiocracy
        (the documentary from the future)
        [ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2013 @ 8:24am

....So Congress is trying the John Steele Book of Truth?
[ link to this | view in chronology ]
- Anonymous Coward, 11 Apr 2013 @ 9:38am
  
  Re:
  Doesnt seem to work for Steele, so it is bound to work now!
  [ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2013 @ 12:29pm

Almost reads as if they weren't allowed to even allowed "undertake reasonable efforts to limit the impact on privacy and civil liberties" before this was added.
[ link to this | view in chronology ]