CISPA Take 3: Feinstein & Chambliss Draft Another Cybersecurity Bill, Designed To Wipe Out Your Privacy

from the only-massive-amounts-of-government-can-keep-you-safe dept

Washington DC: where no bad idea ever truly dies. CISPA, the infamous "cybersecurity" bill that has twice failed to cross the President's desk, is back again. This is the Senate's attempt at a cybersecurity bill, so it doesn't sport the same gaudy initials (those belong to the House), but it's still the same set of terrible ideas.

The Senate's previous attempts to write its own cybersecurity bill were supposedly prompted by privacy concerns, something the House version treated as wholly irrelevant to securing our nation from cyberattacks. This new bill may decide privacy is the only thing irrelevant to national security, seeing as it's been crafted by Dianne Feinstein and Saxby Chambliss, both largely supportive of the NSA's (recently exposed) activities.

The new bill sports the following title: Cybersecurity Information Sharing Act of 2014. CISPA without the "p," apparently. Out with the "protection" (which was nominal) and in with the oversharing of cyberthreat information.

The bill, like others before it, grants broad immunity to participating companies, stripping away one of the few reasons these entities might stick up for their customers (and their data) and consider plugging the security hole before turning that info over to the military, national security agencies and, well, any number of government agencies or competitors. The text of the bill leaves that almost completely unspecified.

The new, 39-page draft bill, written by Sen. Dianne Feinstein (D-Calif.), chairman of the intelligence committee, and Sen. Saxby Chambliss (Ga.), the ranking Republican, states that no lawsuit may be brought against a company for sharing threat data with “any other entity or the federal government” to prevent, investigate or mitigate a cyberattack.

This immunity screws up incentives and encourages questionable behavior, as is to be expected when accountability is removed.

There's a small nod to privacy in the bill, but it carries with it some potential weasel words that could completely undermine the protection.

An entity sharing cyber threat indicators pursuant to this Act shall, prior to such sharing, remove any information contained within such indicators that is known to be personal information of or identifying a United States person, not directly related to a cybersecurity threat in order to ensure that such information is protected from unauthorized disclosure to any other entity or the Federal Government.

Considering what the NSA and others have deemed "relevant" to their counterterrorism efforts, lots of personal data could easily be construed as being "directly related" to a potential cybersecurity threat.

Other protections are equally malleable. Law enforcement agencies are allowed to avail themselves of cyberthreat information, but only if given written consent from the entity(ies) involved. But that "only" isn't actually a limitation. The paragraph immediately following the "written consent" stipulation creates the same sort of loophole that agencies like the FBI have abused to the point of surreality in the past.

If the need for immediate use prevents obtaining written consent, such consent may be provided orally with subsequent documentation of the consent.

IN CASE OF EMERGENCY, BREAK PROTECTIONS.

Giving law enforcement or indeed any agency this sort of manual override undercuts anything stipulated previously. This encourages a culture of asking forgiveness, rather than permission. Grab the data and justify it post facto. That's no protection at all, especially when granted immunity gives companies absolutely no reason to push back on these oral requests.

This may only be the draft version, and there will be several changes made before it goes up for a vote, but this groundwork is far from heartening. It appears as though no one involved has learned anything from CISPA's two troubled trips through the House, not to mention the new concerns prompted by leaked NSA documents.

Further gestures in the direction of civil liberties and privacy protections are made later in the bill (under a heading "Privacy and Civil Liberties" no less), but those protections are roughly identical to existing policies governing the NSA's (and FBI's) mass collection of American metadata -- oversight and minimization, both of which have been subverted by these agencies.

The bill also consolidates more power within the DHS, creating an "all roads lead to the DHS" method of managing cyberthreat information. If there's one entity which has proven time and time again to be both a) mostly useless and b) prone to abusive behavior, it's the DHS. And yet, the bill calls for the agency to be the central cyberthreat repository.

IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—

(A) shall accept from any entity in real time cyber threat indicators and countermeasures in an electronic format, pursuant to this section;

(B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyberthreat indicators and countermeasures in an electronic format that are shared by an entity with the Federal Government…

Unfortunately, as terrible as the DHS is at determining threats and sharing information, there's probably no way to route around it. The post-9/11 agency is now the government's national security clearinghouse, and everything flows to it, even if it's usually the agency least likely to make productive use of the information. While cyberthreats pile up, DHS agents will be chasing down people taking pictures of public structures.

Believe it or not, this bill putting DHS as the central authority is actually one half-step better than the likely alternative, which is making NSA the central player. For many years now, there's actually been something of a turf war between DHS and NSA over who gets to control the (increasingly massive) cybersecurity budget. And a bill that designates DHS as the "winner" of that turf battle at least gives it a slight preference over the NSA -- though, unfortunately, this bill would let DHS share info with NSA freely, which is yet another problem.

CISPA may have seemed at least half-dead, but Feinstein and Chambliss are breathing life into its lumbering carcass. You would think the last several months, combined with CISPA's earlier struggles, would have resulted in a better cybersecurity bill. Instead, it actually seems worse.

“This is definitely a step back,” said Gabe Rottman, legislative counsel and policy adviser for the American Civil Liberties Union, who was shown a copy of the draft. “The problem is the definitions of what can be shared and who it can be shared with are too broad. In this draft, companies can share data with the military and the NSA. Given the past revelations, I think it’s important to keep this information in civilian hands.”

And that's just one of several problems. Combine the bill's wording with the administration's tacit approval of the NSA's exploit stockpile and you've got something that will generate millions of dollars' worth of budget line items while doing very little to make anyone -- even the government itself -- any safer.

Filed Under: cisa, cispa, cybersecurity, dhs, dianne feinstein, homeland security, immunity, information sharing, nsa, privacy, saxby chambliss


Reader Comments


  • That One Guy, 29 Apr 2014 @ 10:08am

    Here's hoping for the usual short-sightedness

    If the NSA and DHS have been having a little spat over the years over funding, hopefully the NSA will see this as an 'attack' against their power and start pressuring their cheerleaders to shoot the bill down.

    Mind, the fact that one of their more strident 'defenders' is involved in writing the bill doesn't bode well for that, but hopefully the NSA's ego will manage to re-assert itself and they'll be back to attacking any perceived 'threats' to their power and authority.

  • Anonymous Coward, 29 Apr 2014 @ 10:19am

    I bet they will call this one the "Privacy Protection Act" or something 1984-ish like that.

    • That One Guy, 29 Apr 2014 @ 10:26am

      Re:

      Nah, they like to cycle through a handful of buzzwords, I'm guessing it'll be touted with the good old 'Because terrorists!', because FSM knows everyone still falls for that tired old line.

    • James Clapper, 29 Apr 2014 @ 10:39am

      Re: Actually the bill is called...

      The O.D.I.O.U.S Bill of 2014

      Orwellian
      Data &
      Information
      Obretion
      Universal
      Statist

      bill...

      And even with that name it might pass. At least I hope it does.

    • Ninja, 29 Apr 2014 @ 10:49am

      Re:

      The BBB. Big Brother Bill. Beware of copyright lawsuits.

  • Anonymous Coward, 29 Apr 2014 @ 10:23am

    Not much I can do...

    I would gladly contact my senator and let them know how I feel about this - but in my case, that's Feinstein.

    • That One Guy, 29 Apr 2014 @ 10:30am

      Re: Not much I can do...

      Ouch, though even still, might be worth some time to point out that nobody actually believes that this sort of crap has anything to do with protecting the people, and everything to do with protecting the spy agencies/activities she's so enamored with.

      I imagine the response would be the standard 'Everything is fine citizen, this is all for your protection, so sit back down and be silent' crap that usually gets sent out in response to any and all criticism on stuff like this, but even so, pointing out that she's fooling no-one is worth saying.

      • Anonymous Coward, 29 Apr 2014 @ 11:15am

        Re: Re: Not much I can do...

        Yes, just like when she tried to push CISPA, the canned responses back are usually pretty worthless and pretty much: "we know what we're doing, we're protecting everyone."

      • OrganizedThoughtCrime, 29 Apr 2014 @ 2:38pm

        Re: Re: Not much I can do...

        Agreed that it's worth saying anyway. Words have power. Even if nothing else, someday in the future someone might look back at records and see a bill like this passing despite widespread opposition in many forms (where they otherwise might not).

    • Anonymous Coward, 29 Apr 2014 @ 1:39pm

      Re: Not much I can do...

      I lol'd but it's most important that you "harass" her with email, fax, letters, all coming from "different" people if you're surrounded by boneheads.

    • The Wanderer, 7 Sep 2014 @ 6:42am

      Re: Not much I can do...

      That just makes it more important to contact her about it - to explain counter-positions as best you can, and to make it clear that you will not be voting for her if she supports this sort of thing.

  • Anonymous Anonymous Coward, 29 Apr 2014 @ 10:33am

    Targeted Martial Law

    Why don't they just come out and admit it? They want martial law, targeted of course, at anyone that hiccups offensively, plus 3 degrees of separation thereof. (Used to be six degrees of separation, but somebody blinked).

    What I don't understand is that when more than half the population is in prison, with another third of the population guarding them, and another third producing what is needed to drive the first two, who's gonna be left to watch their stupid movies?

  • Ninja, 29 Apr 2014 @ 10:40am

    If the need for immediate use prevents obtaining written consent, such consent may be provided orally with subsequent documentation of the consent.

    Like being in state of war for decades now? Indeed, emergencies are overrated.

  • Anonymous Coward, 29 Apr 2014 @ 10:44am

    Retroactive immunity for everyone! Not only for the telephone companies, but now for everyone!

    Why don't the people who write these bills just come out and say what they're really thinking. Which is, "Screw the US Constitution!"

    The worst part is, all the dangerous hackers launching cyber attacks, are smart enough to cover their tracks by purchasing a Virtual Private Server on Amazon Cloud, using a stolen credit card. Plus bouncing their connection through 5 VPN networks located in 5 different countries, plus through TOR.

    Meanwhile, average Joe citizen is having all their personal information handed over to DHS, FBI, NSA, CIA, and God knows who else. All the while the real 'cyber criminals' are laughing their asses off and sipping martinis on a tropical beach somewhere after hitting Target up for millions of dollars.

    But don't let that stop you from passing a bill that sacrifices everyone's civil rights in return for no security whatsoever. Go ahead and do what you do best, Sen. Spystein. Go ahead and grant that retroactive immunity blanket you're so fond of.

  • Anonymous Coward, 29 Apr 2014 @ 10:56am

    I'm not concerned with what some opium farmer overseas might do. I'm more concerned with what the people in our own system are doing.

    Between this and the erosion of Net Neutrality, it's safe to say we're the next Soviet Union. This is why the likes of Brazil and the Eurozone will be the new paragons of freedom and economic success while the USA will go down in history as yet another repressive regime that eventually collapsed under its own weight.

  • Anonymous Coward, 29 Apr 2014 @ 10:59am

    Out of curiosity, how long do readers give the USA before it becomes a worse example of the very thing, Fascism, which it helped to defeat 70 years ago? We are sure heading that way and damn fast, when the government is going to either know or want to know every single thing about everybody? I give it less than 5 years, probably nearer 2 years. Lord help us then because we will be in such shit order, we won't be able to help ourselves!

    • John Fenderson, 29 Apr 2014 @ 11:11am

      Re:

      In my opinion, we are a fascist nation right now.

      • Anonymous Coward, 29 Apr 2014 @ 1:51pm

        Re: Re:

        Just with enough opportunities of choice between Coke and Pepsi.

        Canada isn't there yet, if numbers are right, Emperor Harper will be kicked out next year.

        I'm gonna have such a boner. No, for real. Even if they end up with a thinly in power minority government. I really love the fact he's being bitchslapped by Obama over the Keystone XL pipeline. Liberals + NDP should form a coalition to prevent them a minority government, but these 2 are hard to reconcile because the Liberals view the extremely high (and first time official opposition) voting in their favour instead of them in 2011 cos it left a bitter taste in the Libs' mouth. But petty politics will lose when it comes against a "majority" government that got barely 38% of the votes.

        We live under crypto-fascism when Tories are in power because they do not hide they represent a foreign power more than their own country (England) while Liberals have brought in the constitution 30 years ago and ignore the British royal family and that is why Canada always accumulates surplus under Liberals.

    • OrganizedThoughtCrime, 29 Apr 2014 @ 2:49pm

      Re:

      I would agree that things are likely going to be significantly worse ~2-3 years from now.

      I also agree with John Fenderson that some of it is not only here already, but has been for years now.

  • Anonymous Coward, 29 Apr 2014 @ 11:03am

    How many times are they going to ram this bill through congress? The people didn't want it the first time, they didn't want it the second time, now it's just insulting. Obama and his cronies are just going to keep pushing his CISPA until he gets it through or they lose their offices.

    Please people, if any of these statist cronies serve your area and are up for reelection, don't vote them back in, they've proven that they will sell you out to the dogs. Even if you have to bite the bullet and vote the opposite party, the worst that they can do is merely maintain the status quo.

    • That One Guy, 29 Apr 2014 @ 11:17am

      Re:

      Oiy, no need to insult dogs there, dogs at least have some standards and limits on what they will and will not do.

  • Anonymous Coward, 29 Apr 2014 @ 11:18am

    These Representatives should be forced to resign under the federal Tyranny laws. As well as the Constitution.

    But no, there's too much comedy/shenanigans involved.

    • GEMont, 30 Apr 2014 @ 2:05pm

      Re:

      Just a guess, but when the MAFIA took over Wall Street with all the tax-free drug money they made in the previous half century, they did not consider that keeping the Constitution was really worth the effort it would take to constantly circumvent it while pretending publicly to uphold it.

      So they got George Bush to suspend it right after 9/11 when he secretly declared war on anyone who gets in the way of their progress.

      Now the Corporate Government; otherwise known as a Fascist Business Venture, only allows the constitution to be used in cases where it has no effect on Federal Operations.

      In other words, the Constitution no longer applies unless the Fed wants it to apply, because it's been secretly suspended for the duration of the secret war effort.

      You wouldn't know this of course, because you are after all, the enemy. :)

  • gorehound, 29 Apr 2014 @ 1:50pm

    Of course it was coming back and we also will probably see another SOPA/PIPA one too.
    Welcome to the land of the Oligarchs!
    Bow low to the master.

  • Loki, 29 Apr 2014 @ 2:12pm

    It appears as though no one involved has learned anything from CISPA's two troubled trips through the House, not to mention the new concerns prompted by leaked NSA documents.

    Wrong. The lesson they learned is the same lesson they've gotten for years: that they can do whatever the hell they want, whenever they want.

    Oh, sure they meet some resistance from time to time, like with SOPA/PIPA, but what REAL consequences did any of them face? They've all still got their jobs, and until that starts happening in significant numbers, they aren't going to give a shit about the people (and I can't say I blame them - if I stood on a balcony and spat on people all day, and people complained but never had me removed from the balcony, why would I stop spitting on them?)

    • GEMont, 30 Apr 2014 @ 1:54pm

      Re:

      By George, methinks ye got it smack on the head that time.

      No consequences means no reason to change and in fact offers a very clear rationale for expansion and escalation.

  • CyberKender, 29 Apr 2014 @ 2:24pm

    It's moments like this...

    ...that I kind of wish the US had a Vote of No Confidence for Congress critters...

  • GEMont, 30 Apr 2014 @ 1:51pm

    Cash Cows not Sheep

    "Combine the bill's wording with the administration's tacit approval of the NSA's exploit stockpile and you've got something that will generate millions of dollars worth of budget line items while doing very little to make anyone -- even the government itself -- any safer."

    Hey, no probs!
    After all, you, the taxpayer, are good for it.

    Besides, safer ain't the plan.

    Weaker, stupider, busier, drunker, sicker and suggestible, now that's the plan, cuz then the taxpayer ain't just good for it, he won't even mind being buggered, if he even ever realizes he's footing the bill for his own destruction.

    And with China considering foreclosing on their loan to finance the US war effort abroad, you'd damn well better be good for it cuz the fed is up to its ass in debts and is NOT considering spending less any time soon.

    • OrganizedThoughtCrime, 30 Apr 2014 @ 4:30pm

      Re: Cash Cows not Sheep

      "Weaker, stupider, busier, drunker, sicker and suggestible, now that's the plan..."

      You've got that right.

      • GEMont, 30 Apr 2014 @ 11:06pm

        Re: Re: Cash Cows not Sheep

        Forgot the most important one: Poorer.

        Poorer citizens need to keep their shitty jobs, so they will just toe the line and shut the fuck up like good little wage slaves.

        Poorer population means more minions for hire to do the dirty deeds of the rich and powerful.

        Poorer people have no voice and will waste their energy in prayer, especially if they fear and hate each other.

        Poorer people cannot counteract the diseases that will be introduced to make them sicker and will beg for free vaccinations laced with even nastier diseases and heavy metals.

        Yep, really can't forget Poorer.

        It's probably the most important part of the plan.
