President Obama's Plan For 'Securing Cyberspace' Has A Lot Of Problems
from the not-the-public's dept
On Monday, President Obama gave a speech kicking off his big push on cybersecurity, with many of the details being released on Tuesday, and they don't look very good. There are a lot of different pieces, but we'll just highlight the two that concern us the most.
First up: information sharing/"cybersecurity." The key issue here: is it the return of CISPA? CISPA, of course, is the cybersecurity "information sharing" bill that is introduced each year, but which is really about giving the NSA a tool to pressure companies into sharing their information (by granting immunity from liability to those companies). In 2012, President Obama rejected the CISPA approach as not having enough protections for privacy and civil liberties. And, indeed, contrary to what some have said, the official proposal is not "endorsing CISPA." The approach is definitely more limited, and the most serious concern is addressed. Rather than giving the information to the NSA (or the FBI), Homeland Security gets it. DHS isn't wonderful, but it's better than the other two alternatives. Companies can still give the info to the NSA or FBI (or others), but won't get full immunity from lawsuits if they do.
But, where the new proposal falls woefully short is in its lack of privacy protections. It basically handwaves its way through the privacy question, saying there will be guidelines, but the guidelines aren't written yet, and they're fairly important here. Instead, there's just a plan to make them:
The Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the Chief Privacy and Civil Liberties Officers at the Department of Homeland Security and Department of Justice, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, the heads of sector-specific agencies and other appropriate agencies, and the Privacy and Civil Liberties Oversight Board, shall develop and periodically review policies and procedures governing the receipt, retention, use, and disclosure of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.
Yes, it promises that those guidelines will limit the "acquisition, interception, retention, use and disclosure" of information, but it's still not entirely clear what the final guidelines will be. The second problem, still not addressed in all of this, is explaining why this is needed. People keep saying that we need "information sharing" because of "cyberthreats," but no one argues why that information sharing can't happen today, or points out what regulations today get in the way. That's because they don't. Companies can share information today, but the focus of this bill is to try to grant them broad immunity in case they share the wrong (private) info and it gets out.
The second concerning proposal is with the update to the CFAA (the Computer Fraud and Abuse Act). The CFAA, of course, is the widely misused "anti-hacking" law that has been stretched and twisted by law enforcement and prosecutors over time to argue that merely disobeying a terms of service could be seen as "hacking." While some courts have limited that ridiculous interpretation, the changes here seem fairly messy and could bring back that possibility. The language involves a lot of careful picking through to interpret it, and it appears that it may fix some small issues with the CFAA, but opens up other massive holes that are seriously problematic. The White House claims this fix would "enhance [the CFAA's] effectiveness against attacks on computers and computer networks."
But that's not the problem with the CFAA. The problem is that it's already seriously overbroad and used in dangerous ways. That's barely addressed. The main "fix" is that if you "intentionally exceed authorized access," there are conditions that must be met to trip the CFAA wire -- and a key one is that the value of the information obtained must "exceed $5,000." But, of course, with the way the gov't inflates the value of information... that seems like a pretty small hurdle. The really big problem, though, comes in section (e)(6), which adds a troubling definitional change to "exceeds authorized access." This is the whole bit that's been used as the basis for treating "terms of service" violations as hacking. The key case that rejected this theory is the Nosal case, and that seems to be completely wiped out with this little addition to exceeding authorized access:
for a purpose that the accesser knows is not authorized by the computer owner;
This is likely to be interpreted to mean that if a terms of service bans a certain type of use, they have "knowledge" and thus violating that kind of use is back to being a problem under the CFAA. As Orin Kerr argues, this could be read to mean that if your employer says you can only use a computer for work reasons, and you surf for personal reasons, you've broken the law. It is also possible to read this section to mean that using someone else's Netflix or HBO GO password... could violate the law. Yikes!
Of course, one hopes that law enforcement wouldn't go after those types of violations, but a more serious concern may be the impact on security research. Finding a hole in a website online that allows you to access data that was publicly exposed could be seen as exceeding access, on the basis that whoever finds it "knows [it] is not authorized by the computer owner." Basically, it only requires the government to argue that whoever they're going after should have known that the computer owner "wouldn't like" it. That... opens up a big can of worms that the DOJ will abuse like crazy.
The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it's an "organized crime group." It also ups the penalties for things that might be considered "actual hacking" (i.e., getting around technological barriers to access a computer) -- making it automatically a felony with up to 10 years in jail (rather than the existing law, under which it could be a misdemeanor or a felony and the limit is 5 years in jail). And, of course, it expands civil forfeiture procedures so that law enforcement can seize (and likely keep) all your computer equipment if it thinks you're violating the CFAA. Looks like law enforcement can now go "shopping" for computers.
Once again, we seem to be facing a situation where the administration is more focused on what law enforcement wants, while paying lip service to the protections of the public from likely law enforcement and intelligence community abuse.
That's really unfortunate. A massive missed opportunity to actually do something productive here.
Filed Under: cfaa, cispa, cybersecurity, obama administration
Reader Comments
Pointless to hold him to his word in anything. Or to even believe anything he says. Obama is his own biggest fan.
Re:
Cruz does not have to be a politician you like to be right about it.
In fact I would not trust either part at this time not to do just exactly what you wrote (say one thing but do another)... the citizens will be screwed one way or another, and anyone willing to still trust someone like Obama just deserves to be lied to.
Re: Re:
anyone willing to still trust politicians just because they're in the right party just deserves to be lied to.
FIFY
Bwahahaha! Hee hee! To think that law enforcement wouldn't press any charge they think they can get away with against someone they want to punish! Best laugh I've had all morning.
... what? You were serious?
There's no help coming here
Of course that won't stop those seeking to grandstand for political gain or to inflate the already-expansive powers of law enforcement or spy agencies: in fact, it will encourage them, because less security is a boon to both.
My best advice -- which certainly won't be accepted -- to all three branches of government is:
1. Sit down.
2. Shut up.
3. Read everything written by Spafford, Appelbaum, Felten, Boyd, Robbins, Landau, Ranum, Forno, Schneier, Bellovin, Cheswick, Halderman, Kaminsky, Soghoian, Vixie, Weinstein &etc.
4. Stop doing the things they say are bad ideas.
5. Start doing the things they say are good ideas.
6. Return to step 1.
So basically what they're saying is, if we do something bad, we're protected by the laws WE create................tell me again we live in these supposed free societies
Re: Re:
Operation:Foot Through The Door
A tiresome maneuver
Really?
Obama still wrestling with proportional response
If this worked both ways, it may be a good thing. The companies asked to give information over violate my rights and "exceed authorized access." ..to use a stingray device is to "exceed authorized access." and spying on my communications, email and such will surely "exceed authorized access."
I don't even think they should have the system built to give this exploitive tool, but they have it, and they built it in secret. If Snowden hadn't interrupted their drive, when would we have found out, HOW integrated would it have been THEN
The more they implement, the harder it's gonna be, with any reasonable assurances, to completely shut it down, if it becomes the perfect tool for corruptible folks
Firstly, hackers who "hack" to improve security should not be in this category; as a user, I think they are doing a service to us users
Secondly, I'd classify all intelligence services as criminal hackers, DEFINITELY in the group of "organized crime"
I'm interested to know who put the quotes around "actual hacking", Techdirt or the gov
The value of intangibles
The monetary value of most private information is no more or less than what the information owner says it is. So, unless there is some stringent language to set out how this value can be determined, the monetary threshold is entirely without meaning.
Instead of a law that would upset business, we get a law that upsets users. Who do they represent again?
Racketeering...
Diametrically Opposed Purposes
We are trying to protect the net from them.
This will not end well for either side - but guess which side will suffer the most casualties...
We need another Internet blackout. Imagine if instead of simply changing a few colors, companies actually shut down for a day. Our government and law enforcement all need a "time out"; like a little child standing in the corner.
This is about control