CISPA Amendment Proves Everyone's Fears Were Justified While Failing To Assuage Them
from the the-more-things-change dept
The single biggest criticism of CISPA is that it could be used by the federal government in a way that infringes on people's privacy, allowing government agencies, including the NSA, to sift through the private data of American citizens with little to no oversight. It's pretty obvious why that fear exists — just look at the relevant paragraph in what, until the recent and final round of markup, was the text of the bill:
(7) PROTECTION OF INDIVIDUAL INFORMATION—The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.
So, um, the feds may worry about privacy, if they want to and as long as it doesn't hinder their cybersecurity efforts. It's disconcerting that this even needed to be spelled out, and it certainly doesn't count as a safeguard. The response to criticism from the bill's authors has been the same since last year: they deny that this bill has anything to do with spying on people, and insist it's just about sharing technical threat data. Just this week, Rep. Rogers flatly stated this is not a surveillance bill. Still, in an attempt to placate the opposition, they backed an amendment (pdf and embedded below) from Rep. Himes replacing that paragraph, which passed in the markup phase. Here's the new text:
PRIVACY AND CIVIL LIBERTIES.—
(A) POLICIES AND PROCEDURES.—The Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, shall establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government in accordance with paragraph (1). Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner—
(i) minimize the impact on privacy and civil liberties;
(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner;
(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;
(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and
(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.
It seems to me they are hoping that by making the section longer and more complicated, people will miss the fact that very little has changed. But what's truly astonishing is that this new text reads like a confession that CISPA does involve all the stuff that they've been insisting it has nothing to do with.
The big thing, of course, is that this oversight now involves civilian agencies, which is really the only meaningful change — and its impact has been rather minimized. Rather than putting the DHS or another agency in between the public and military agencies like the NSA, they've simply given them some input — and it's hard to say how meaningful that input will be. The provisions are bookended by escape clauses: first we're told that they only count when "consistent with the need to protect systems and networks from cyber threats", and then at the end we're reminded that they must "not delay or impede the flow of cyber threat information". That alone renders the rest of the text virtually moot, and it also seems to be acknowledging that the type of information sharing they want to do does threaten privacy.
If that weren't clear enough, there's a third out hiding in clause (ii), where we're reminded that personal information will only be limited if it's "not necessary to protect systems or networks from cyber threats". If this bill is really just about getting technical threat data, why would personal information ever be necessary? Once again, it serves as both an escape clause and a tacit admission that they do plan on doing the things that they have denied so vocally, or at least that they want to keep the option open.
But you can bet that the next time Rep. Rogers or Ruppersberger is questioned about it, they'll insist that CISPA has nothing to do with personal information and couldn't possibly threaten anyone's privacy. They'll insist that they addressed any concerns with this amendment, when in fact all they did was confirm just how warranted those concerns are. Nothing has changed: CISPA is still a dangerous bill, perhaps more explicitly so now than ever.
Reader Comments
It's clear that if you keep any system updated (good maintenance), have provisions to quickly mitigate any attack ready (system monitoring) and spread the word in case any sensitive info is accessed (efficient communication) then the damage will always be kept to a minimum. It helps when you are not deliberately trying to break the system (SOPA) or hoarding all the data with little to no oversight (CISPA) in systems that may have several holes.
Even when the language is clear, there's still the whole unique interpretation routine, national security claim, loophole or routing around to get what they want. Then when those fail, they often just do it anyway.
So tell me again how something that can be used for abuse won't be used for abuse? Because I'm not buying what you're selling.
If only more criminals were like that.
"I MAY worry about what stealing all of your money will do to you financially, if I want to, as long as it doesn't hinder my efforts to get rich quick no matter how many people I have to steal from."
Error
The single biggest goal of CISPA is that it could be used by the federal government in a way that infringes on people's privacy, allowing government agencies, including the NSA, to sift through the private data of American citizens with little to no oversight.
all better.
All investigations should at the very least be fully disclosed after closure or a year so the procedures used can be reviewed, this clearly would mitigate the risk of abuse, furthermore if any case needs more than one year it should get a court order and be reviewed by others to get a fraking special permission to continue without disclosure where, and it should be disclosed to a non-profit organization that they need it.
This BS can't go on forever, there are responsible ways of doing things and this is not one of them, not by a long shot.
*Sniff, sniff* Sheep, is it?
*Sniff, sniff* Cow?
*Sniff, sniff* No, I know what that is. It's bullshit.
That is all that comes out of government these days. A never ending stream of smelly, steaming bullshit.
Re:
We became a democracy again?
Re: Re: Re: Re:
Meta-democracy.
Re: Re: Re: Re: Re: Re: Re:
(the documentary from the future)