Ever since reintroducing CISPA, the so-called “cybersecurity bill,” its supporters promote the bill with craftily worded or just plain misleading claims. Such claims have been lobbed over and over again in op-eds, at hearings, and in press materials. One “fact sheet” by Rep. Rogers and Ruppersberger titled “Myth v. Fact” is so dubious that we felt we had to comment.
Here are some of the statements supporters of CISPA are pushing and why they’re false:
Supporters of CISPA say, “There are no broad definitions”
Supporters are keen to note that the bill doesn’t have broad definitions. In the “Myth v. Fact” sheet, the authors of CISPA specifically point to the definition of “cyber threat information.” Cyber threat information is information about an online threat that companies can share with each other and with any government agency—including the NSA. In hearings, experts have said that they don’t need to share personally identifiable information to combat threats. But the definition in the bill allows for any information related to a perceived threat or vulnerability—including sensitive personal information—to be shared. Cyber threat information should be a narrowly defined term.
Another example of a broad (or missing) definition is the term “cybersecurity system.” Companies can use a “cybersecurity system” to “identify or obtain” information about a potential threat (“cyber threat information”). The definition is critical to understanding the bill, but is circular. CISPA defines a “cybersecurity system” as “a system designed or employed” for a cybersecurity purpose (i.e. to protect against vulnerabilities or threats). The language is not limited to network security software or intrusion detection systems, and is so broadly written that one wonders if a “system” involving a tangible item—e.g., locks on doors—could be considered a “cybersecurity system.” In practical terms, it’s unclear what is exactly covered by such a “system,” because the word “system” is never defined.
The best example of a dangerous undefined term in the bill is found within the overly broad legal immunity for companies. The clause grants a company who acts in “good faith” immunity for “any decisions made” based off of the information it learns from the government or other companies. Does this cover decisions to violate other laws, like computer crime laws? Or privacy laws intended to protect users? Companies should not be given carte blanche immunity to violate long-standing computer crime and privacy law. And it is notoriously hard to prove that a company acted in bad faith, in the few circumstances where you would actually find out your privacy had been violated.
Supporters of CISPA say, “The bill is not a government surveillance program”
Supporters are adamant CISPA doesn’t create a wide-ranging “government surveillance program.” It’s true the bill doesn’t create such a surveillance program like the one described in the ongoing warrantless wiretapping lawsuits.
But the trick here is what is meant by “government surveillance.” We think that if the bill aims at having our information flow to the government, it’s tantamount to government surveillance, whether or not the government initially collected the information.
The bill creates a loophole in the privacy laws that prevented companies from disclosing your information to the government and gives companies broad legal immunity for sharing information with the government. As a result, CISPA makes it more likely that companies will surveil their own users and then disclose that information. The sly wording dodges the key issue: that CISPA encourages companies to conduct surveillance on their networks and hand “cyber threat information” to the government. In short, the bill encourages a de facto private spying regime, with the same end result.
Supporters of CISPA say, “The government can’t read your private email”
Reps. Rogers and Ruppersberger are adamant CISPA doesn’t grant the government access to read private emails. The claim was recently repeated by James Lewis, a fellow at the Center for Strategic and International Studies. But the broad definitions do allow for personal information to be gathered by companies and then sent to the government without any mandatory minimization of personal information. And under the vague definitions an aggressive company could claim that private messages are related to the threat, obtain them, and share then with the government. If Reps. Rogers and Ruppersberger did want content of emails disclosed under CISPA, it would be easy enough to exclude them explicitly.
Supporters say, “CISPA follows advice from privacy and civil liberty advocates”
In his introduction of the bill, Rep. Rogers assured the audience that he has listened to the privacy and civil liberties community.
This year’s CISPA does contain some language added after privacy and civil liberties advocates complained in 2012. But those changes didn’t address some big issues that were raised last year, and this year’s privacy and civil liberties complaints about CISPA remain unaddressed.
Let’s Stop CISPA
Reps. Rogers and Ruppersberger are on a strong publicity offensive to make sure the bill passes. The American public deserves full explanations and clear meanings about what CISPA can do and the extent to which it can do it. The public doesn’t need carefully worded messaging materials that obfuscate and mislead a discussion on CISPA. The issues at stake—like the broad legal immunity and new spying powers that allow for companies to collect private, and sensitive, user information—are too serious.
To stop this type of misinformation—and to stop CISPA—we urge you to tell your members of Congress to stand up for privacy.
Yesterday, Republican Senators introduced a rewrite of their cybersecurity bill, known as SECURE IT. Advocates registered their opposition to the bill last month and its CISPA-like expansion of military authority to collect sensitive information on Americans’ internet use.
Despite claims the contrary, the new bill has not been substantially amended and still does not meaningfully limit the amount or type of information that the government can collect from companies that hold very private and personal data. Most importantly,
• SECURE IT still allows companies to give sensitive American information directly to the National Security Agency and other military agencies. The ACLU has long argued, and even the Obama administration agrees: domestic cybersecurity programs must be run by civilian agencies.
• The bill lacks any requirement that companies first remove personally identifiable information unrelated to cybersecurity from what they share with each other or the government. That’s right – companies that have access to what we buy, what we read, and where we go don’t even have to attempt to suppress identifying information.
• SECURE IT-collected information can be used by the government not only for cybersecurity purposes, but for undefined national security purposes and to prosecute a long list of crimes unrelated to cybersecurity.
Senate Majority Leader Harry Reid has promised cybersecurity will be brought to the floor in July. So it looks like we’ll see a vote in the next few weeks. Now’s the time to contact your Senators and tell them to vote against any legislation that lets the government start cyber spying!
Google bosses were informed their Street View cars would collect e-mails, names, addresses and other personal data from Wi-Fi users around the world, a government report shows. But the company insists the message didn’t get through.
Neither a mistake nor the work of an unauthorized engineer was behind Google’s massive harvesting of Wi-Fi communications that included e-mails, passwords and other sensitive personal information across three continents in 2007-2010, indicates the recent report filed by the US Federal Communications Commission (FCC).
The supervisors of the Street View program were well aware Google cars would go beyond photographing streetscapes. Or at least they should have been.
On Saturday, the web giant releases their own version of report – with employees’ names blacked out. An earlier version provided by the FCC had whole blocks of text blacked out.
The search giant said it wanted a more transparent version to be shown to the public as evidence that any wrongdoing by the company was inadvertent. Apparently, the company wants to avoid speculation over what could have been withheld from the initial release and thus limit any damage.
The report confirms Google’s engineer behind the data-collecting software voluntarily embarked on a project to gather personal e-mails and Web searches of potentially hundreds of millions of people. Identified as Engineer Doe, the individual declined to speak to the FCC, invoking Fifth Amendment rights, which protects citizens from being compelled to testify against themselves.
The design document prepared by Engineer Doe clearly shows his intention to collect payload data in addition to taking panoramic snapshots, as Google’s cars drove by. The private data would “be analyzed offline for use in other initiatives,” like finding how well Google’s other services are used, the document said.
Privacy consideration did come to his mind. “A typical concern might be that we are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing,” the document says.
Engineer Doe decided that no harm will be done because Google’s data harvesters would not remain in the vicinity of any particular Wi-Fi user for “an extended period of time.” Nevertheless he added the following “to do” item: “Discuss privacy considerations with Product Counsel.”
“That never occurred,” the FCC report says.
The employee also “specifically told two engineers working on the project, including a senior manager, about collecting payload data.” It actually appears that at least seven Street View engineers had “wide access” to the plan to collect payload data back in 2007.
Engineer Doe’s code was used to collect some 200 gigabytes of payload data across the US between January 2008 and April 2010. Similar logging of private data happened across the world, which made Google the butt of investigations by respective authorities.
The report further cites a number of other people involved in the project as failing to recall knowing that collecting of payload data was happening at the time. Those include an engineer, whose job was reviewing Engineer Doe’s code line by line for bugs and a senior manager, who said he pre-approved the man’s document before it was written.
Following the investigation the FCC fined Google $25,000 for obstructing its investigation, including withholding an email, that openly discussed the engineer’s review of payload data with a senior manager on the Street view project.
It ruled that since the payload data collected was not encrypted, the act didn’t violate American wiretapping law, but said it has “significant factual questions” about why this ever happened.
Google denied stonewalling the probe and blamed the FCC for any delays.
- Google staffers knew Street View cars collected private data (digitaltrends.com)
This week, EFF – along with a host of other civil liberties groups – are protesting the dangerous new cybersecurity bill known as CISPA that will be voted on in the House on April 23. Here is everything you need to know about the bill and why we are protesting:
What is “CISPA”?
CISPA stands for The Cyber Intelligence Sharing and Protection Act, a cybersecurity bill written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill purports to allow companies and the federal government to share information to prevent or defend from cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws. Because the bill is so hotly debated now, unofficial proposed amendments are also being circulated [link] and the actual bill language is in flux.
Under CISPA, can a private company read my emails?
Yes. Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook.
Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications. Communications service providers may only engage in reasonable monitoring that balances the providers’ needs to protect their rights and property with their subscribers’ right to privacy in their communications. And these laws expressly allow lawsuits against companies that go too far. CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability. This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.
What would allow a company to read my emails?
CISPA has such an expansive definition of “cybersecurity threat information” that many ordinary activities could qualify. CISPA is not specific, but similar definitions in two Senate bills provide clues as to what these activities could be. Basic privacy practices that EFF recommends—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a “threat” under the Senate bills. As we have stated previously, the bills’ definitions “implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.”
A more detailed explanation about what could constitute a “cybersecurity purpose” or “cyber security threat indicator” in the various cybersecurity bills can be read here.
Under CISPA, can a company hand my communications over to the government without a warrant?
Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever as long is the communications have what the companies interpret to be “cyber threat information” in them. Once the government has your communications, they can read them too.
Under CISPA, what can I do if a company improperly hands over private information to the government?
Almost nothing. CISPA would affirmatively prevent users from suing a company if they hand over their private information to the government in virtually all cases. A broad immunity provision in the proposed amendments gives companies complete protection from user lawsuits unless information was given to the government:
(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probably that the harm of the act or omission will outweigh the benefit.
As Techdirt concluded, “no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.” This proposed immunity provision is actually worse than the prior version of the bill, under which companies could be sued if they acted in “bad faith.”
What government agencies can look at my private information?
Under CISPA, companies are directed to hand “cyber threat information” to the Department of Homeland Security (DHS). Once it’s in DHS’s hands, the bill says that DHS can then hand the information to other intelligence agencies, including the National Security Agency, at its discretion.
Can the government use my private information for other purposes besides “cybersecurity” once they have it?
Yes. When the bill was originally drafted, information could be used for all other law enforcement purposes besides “regulatory purposes.” A new amendment narrows this slightly. Now—even though the information was passed along to the government for only cybersecurity purposes—the government can use your personal information for either cybersecurity or national security investigations. And as long as it can be used for one of those purposes, it can be used for any other purpose as well.
Can the government use my private information to go after alleged copyright infringers and whistleblower websites?
Up until last Friday the answer was yes, and now it’s changed to maybe. In response to the overwhelming protest from the Internet community that this bill would become a backdoor for SOPA 2, the bill authors have proposed an amendment that rids the bill of any reference to “intellectual property.”
The bill previously defined “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” Now the text reads:
(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information
But it is important to remember that this proposed amendment is just that: proposed. The House has not voted it into the bill yet, so they still must follow through and remove it completely.
A more detailed explanation of how this provision could be used for copyright enforcement and censoring whistleblower sites like WikiLeaks can be read here.
What can I do to stop the government from misusing my private information?
CISPA does allow users to sue the government if they intentionally or willfully use their information for purposes other than what is described above. But any such lawsuit will be difficult to bring. For instance, the statute of limitations for such a lawsuit is two years from the date of the actual violation. It’s not at all clear how an individual would know of such misuse if it were kept inside the government.
Moreover, suing the government where classified information or the “state secrets privilege” is involved is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit over Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the NSA—a likely recipient of “cyber threat information.” Despite six years of litigation, the government continues to maintain that the “state secrets” privilege prevents the lawsuit from being heard.
Given that DHS is notorious for classifying everything—even including their budget and number of employees—they may attempt to prevent users from finding out exactly how this information was ever used. And if the information is in the hands of the NSA and they claim “national security,” then it would get even harder.
In addition, while CISPA does mandate an Inspector General should issue a report to Congress over the government’s use of this information, its recommendations or remedies do not have to be followed.
Why are Facebook and other companies supporting this legislation?
Facebook and other companies have endorsed this legislation because they want to be able to receive information about network security threats from the government. This is a fine goal, but unfortunately CISPA would do far more than that—it would eviscerate existing privacy laws by allowing companies to voluntarily share users’ private information with the government.
Facebook released a statement Friday saying that they are concerned about users’ privacy rights and that the provision allowing them to hand user information to the government “is unrelated to the things we liked about HR 3523 in the first place.” As we explained in our analysis of Facebook’s response: the “stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.” Read more about why Facebook should withdraw support from CISPA until privacy safeguards are in place here.
What can I do to stop this bill?
It’s vital that concerned Internet users tell Congress to stop this bill. Use EFF’s action center to send an email to your Congress member urging them to oppose this bill.
- Worse than SOPA? CISPA to censor Web in name of cybersecurity (alethonews.wordpress.com)
- Facebook defends CISPA support, completely misses the point (digitaltrends.com)
- What You Need to Know About CISPA (readwriteweb.com)
- What Facebook Wants in Cybersecurity Doesn’t Require Trampling On Our Privacy Rights (eff.org)
- Say ‘hello’ to CISPA, it will remind you of SOPA (news.cnet.com)