Hidden Dangers of CISPA

Have you heard of the Cyber Intelligence Sharing and Protection Act? If not, you’re in for a crash course. Leading privacy and civil rights groups declared last week Stop Cyber Spying Week in an effort to get the word out about CISPA – yet another meaningless acronym that threatens to redefine the Internet as we know it.

CISPA could be the most important piece of digital legislation since the Digital Millennium Copyright Act. And like the DMCA, which was written to thwart file sharers and DVD rippers but ended up being used to enforce copyrights on garage door openers and shut down blogs critical of corporations, it has at least as much potential for abuse.

But let’s get a few things straight. CISPA is not SOPA or PIPA. Those two separated-at-birth bills aimed to make it harder to buy illegal knockoffs and pirated content in this country by forcing Internet providers to make those pirate domains invisible to US Web surfers.

The problem with SOPA/PIPA was that a) it was too easy to snag legitimate sites that shared the same IP address as the pirate sites, b) allegedly illegal Web sites could be taken out based on accusations alone, c) innocent sites that got snagged by mistake would have a hard time getting back online, and d) they would force ISPs to break the Internet’s DNS system in order to make them work, using techniques similar to those employed by repressive regimes like China and Iran. All in all, a couple of sh*tty laws.

CISPA is a different animal altogether. It amends the National Security Act of 1947 to allow private corporations and US intelligence services to share intel about cyber threats – essentially breaking down the walls between the spooks and the suits.

The problems with CISPA come from the definition of “cyber threat” and the loosey-goosey rules about what information can be shared by whom.

Here’s how the law defines ‘cyber threat’:

… information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from--

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

That’s a pretty broad net that could also snag whistleblowing sites like WikiLeaks, Apple rumor blogs, complaint sites run by disgruntled employees, legit journalism sites, the Pirate Bay, and everything Anonymous has done for the past three years. It’s a little bit of SOPA and a whole lot more.

The other problem is that CISPA allows fairly indiscriminate sharing of any information, normal privacy protections be damned. Per the text of the bill:

Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes… share such cyber threat information with any other entity, including the Federal Government.

As CNET’s Declan McCullagh points out, that opens the door to sharing all kinds of information – user names and passwords, account histories, the contents of email messages, and the like – that is currently prohibited by wiretap and other laws.

By including the word "notwithstanding," [CISPA] would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson.

There’s a third really big difference between CISPA and those other bits of legislation: PIPA/SOPA were opposed by the leading companies of the Internet age – Google, Facebook, Microsoft, etc. CISPA is not. In fact, the bill boasts some 800 corporate sponsors, if you count all the members of trade groups like the CTIA and The Business Roundtable separately.

So you’re not going to see partial blackouts of Google or Wikipedia this time around. We’re on our own in this fight.

Facebook published a letter defending its CISPA support in February, and doubled down on it last week in a blog post by VP Joel Kaplan. The salient bit:

… we recognize that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place -- the additional information it would provide us about specific cyber threats to our systems and users. [emphasis in original]

Let me translate: Yes, CISPA may suck but it does things we want, so we’re behind it. And besides, you can trust us, can’t you?

The notion that our only protection against rampant cyberspying is to trust Facebook not to share our personal information with the Feds should be enough to convince you just how truly sucky CISPA is.

Just to be clear: Sharing information about legitimate cyber threats is a good idea. Using cyber threats to give a blank check to corporations so they can bypass our Constitutional rights? Not a good idea.

What can you do about it? Educate your local Congressional representatives about the Internet. Sign online petitions (like the ones here and here). Tweet your concerns. Tell Facebook’s Kaplan to take that blog post and stuff it where the CISPA doesn’t shine. Bang on pots and pans. Complain, loudly and incessantly. 

In short, Occupy the Internet.

And hope somebody in DC comes to what few senses they have remaining and amends this bill into something we all can live with or dumps it entirely. Before it’s too late.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanon tech. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
