CISPA and You – A Guide To Privacy


Spread the word, if you can. It’d be appreciated. Also, IANAL, but I have a pretty extensive mastery of legal-ese, as well as a penchant for word problems.


If you are eligible to vote in the United States, please take a break from whatever you’re doing today and call your member of the US House of Representatives. Tell the staff member who answers the phone that you value your privacy. And tell him or her that you are deeply unhappy that the House seems poised to destroy everyone’s online, and by extension offline, privacy by passing the CISPA.

Also, for those who missed it, about 900 websites have taken part in an online blackout today to protest the Cyber Intelligence Sharing and Protection Act. The web-based demonstration, organized by Anonymous

Oh yeah lulz. You might also mention that you’re not a “14-year-old tweeter in the basement,” which is how the chief backer of this wretched legislation has described its countless opponents.

I’ll be referencing this iteration of CISPA as of April 21st, 2012.

List of Acronyms, because I’m lazy — Definitions are bolded when they’re introduced in the bill, or when I feel adding a definition is important.

CTI – Cyber Threat Information

CSC – Cybersecurity Crimes

FG – Federal Government

CSP – Cybersecurity provider

SPE – Self-protected entity

DHS – Department of Homeland Security

SHS – Secretary of Homeland Security

DNI – Director of National Intelligence

SOD – Secretary of Defense

FOIA – Freedom of Information Act

NSA1947 – National Security Act of 1947

SECTION 1. SHORT TITLE.

Nothing important

SEC. 2. FEDERAL GOVERNMENT COORDINATION WITH RESPECT TO CYBERSECURITY. (a) Coordinated Activities

The US Government will share all (ideally necessary but no language prevents sharing all) information it receives with “appropriate” entities. These entities will be defined in a later section.

(b) Coordinated Information Sharing (1) DESIGNATION OF COORDINATING ENTITY FOR CYBER THREAT INFORMATION / (2) DESIGNATION OF A COORDINATING ENTITY FOR CYBERSECURITY CRIMES

Subsections 1 and 2 define a new division of the DHS and DOJ for handling this information. A “civilian Federal employee” is one that is not an active military member, a federal police officer, or any other peace officer. However, these civilians will require advanced security clearance, and will probably be made up of ex-intelligence officers and former military. The takeaway is that there are two distinct entities – one for “cyber threat information” (defined later; search this post for the whole phrase for the definition) and one for “cybersecurity crimes” (defined later; search this post for the whole phrase for the definition).

(3) SHARING BY COORDINATING ENTITIES

Subsection 3 states that the entities in subsection 1 and 2 “shall share cyber threat information,” meaning that this is required. It references an addition to the National Security Act of 1947, which is introduced in this bill.

(4) PROCEDURES

Subsection A allows for CTI to be shared with all appropriate departments and agencies of the FG in real time. The addition of “national security mission” is a misnomer – there is always a national security mission being run by the NSA.

Subsection B means that this information is then shared with all departments and agencies of the FG.

Subsection C means that this information will be shared among the FG and state, local, tribal and territorial governments, as well as cybersecurity providers and SPE.

(5) PRIVACY AND CIVIL LIBERTIES (A) POLICIES AND PROCEDURES

Subsection A defines who will always have access to this information, and the scope of the information. It is important to note the term “non-publicly available CTI,” suggesting that such information will not be accessible through FOIA. As a result, the first subsection, “minimize the impact on privacy and civil liberties” is a joke. How can you know your privacy and civil liberties are being violated if you don’t know what information is in the database? That’s the point. “Reasonably limit” is more fluff, because no one will know what limits are in place without proper security clearance, and discussion of such limits will constitute a violation of national security. “Include requirements to safeguard non-publicly available CTI” means that they’ll keep the information locked in servers not connected to the internet. “Protect the confidentiality of CTI” means that they won’t share it beyond the allowed groups (FG’s, SPE’s, etc.). We’ll discuss who and what can have access to this information later. “Not delay or impede the flow of CTI” means nothing will keep this information from moving along – no laws, no inquiries, no FOIA requests, nothing.

(B) SUBMISSION TO CONGRESS

This says that the groups listed will share these policies and procedures above with Congress. Of course, it won’t be all of Congress, but most likely a security-based congressional committee. Whether they form a new committee or use an existing one is still up for debate.

(C) IMPLEMENTATION

This simply states that any FG department or agency that receives CTI (if you see above, this means all departments and agencies) will use the same policies and procedures, as well as notify everyone else when they find a violation of these policies and procedures. This assumes the “left hand knows what the right hand is doing,” which is not always the case.

(D) OVERSIGHT-

This is a big one… the only oversight committee for policies and procedures will be created by SHS, the Attorney General, the DNI and SOD. The Congressional committee referenced in 5.B will not have any say over whether these procedures and policies are “kosher.” They get to know about them, but are unable to do anything about them.

(6) INFORMATION SHARING RELATIONSHIPS

The short-and-sweet is that CTI sharing agreements between the DOD and the defense industrial base are unaltered. New agreements can be made, but really this is more for weeding out spies (Google Chi Mak, I almost served on the jury). Additionally, it won’t alter existing CTI sharing relationships between CSPs, protected entities, SPEs and the FG. It also references the new changes to the NSA1947 and, for some reason, says it won’t affect agreements for sharing CTI with the Department of Treasury and the financial services sector, though I wonder why they’d be included in this specifically. Perhaps CTI will include assets and finances, which they don’t want bleeding over to the financial sector.

(7) TECHNICAL ASSISTANCE-

Subsection A basically states that the FG can ask for tech support from a CSP or SPE, or share CTI with a CSP or SPE to combat vulnerabilities. Think of anti-malware kits and patches you download from Microsoft but for CTI.

Subsection B means the FG has to tell the DHS when it asks for tech support or shares CTI-related vulnerabilities. Any information involved goes to the DHS and all other FG agencies/departments.

Subsection C just says that either one or both of the entities within the DHS and DOJ will be sharing this information with everyone else.

(c) Reports on Information Sharing

Subsection 1 states that a new report will be generated for “appropriate congressional committees (keep in mind no specific congressional committees have been named in the bill, so the number of committees could effectively be zero)” on how the FG and everyone involved use the information. Note that it won’t include what information, or how it was obtained, but just what they did with the information. It’s also supposed to include when the FG used the information for a purpose “other than a cybersecurity purpose,” but since cybersecurity is yet to be defined, this is supposed to make it more palatable. The main idea is to see how well the system is working, which groups are taking the longest to turn the information around, and what they can do to make it better.

Subsection 2 just says that there’s a report from the Privacy and Civil Liberties Officer of the DHS, to minimize or mitigate the privacy and civil liberties impact (note that it doesn’t say remove, so they admit there will be some privacy and civil liberty violations).

Subsection 3 states the reports will be unclassified (with possible classified annexes), though this doesn’t mean it’ll be readily available, nor how much of the report will be unclassified (if any at all).

(d) Definitions

With the exception of naming the “appropriate congressional committees,” everything is pushed off to the second-half of CISPA, and really the most dangerous part – the changes to NSA1947. The committees named are

  1. Committee on Homeland Security (House)
  2. Committee on the Judiciary (House)
  3. Permanent Select Committee on Intelligence (House)
  4. Committee on Armed Services (House)
  5. Committee on Homeland Security and Governmental Affairs (Senate)
  6. Committee on the Judiciary (Senate)
  7. Select Committee on Intelligence (Senate)
  8. Committee on Armed Services (Senate)


SEC. 3. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING. (a) In General- Title XI of the National Security Act of 1947 (50 U.S.C. 442 et seq.) is amended by adding at the end the following new section: (a) Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector and Utilities

This is the big part of CISPA – it alters the language found in NSA1947 to include the internet. When people complain about CISPA, they’re usually referring to this section, as Section 1 and 2 are mostly dependent on Section 3.

(1) IN GENERAL

This section simply sums up the idea behind the changes. It allows for “elements” of the intelligence community (no specifically named departments, so it may be a few or all) to share information with private companies, and encourages sharing between all parties.

(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE

What I like to call the “WikiLeaks clause.” It specifically states who can share the information. The list is pretty vague, but is limited to “an element of the intelligence community (see above)” sharing with a certified entity (nothing yet on how one would qualify), and people with appropriate security clearance. The rest is pretty standard. I call this the “WikiLeaks clause” because while Bradley Manning was charged with military-level crimes (UCMJ), there’s no civilian equivalent. With this, any intelligence WikiLeaks puts up that can be deemed “harmful” to the US will result in pretty heavy ramifications, at the very least censorship in the US. This is the censorship portion people complain about.

(3) SECURITY CLEARANCE APPROVALS

What I’m calling the “deputizing” clause. It allows for the head of an intelligence group to designate someone with security clearance (temp or perm) to an employee, independent contractor (this is a big one), or officer of a certified entity (another big one). Basically, and I’m going to skip ahead a bit to explain this section; anyone that can acquire a security clearance, and can show that they won’t get hacked (highly unlikely) qualifies as a certified entity, and therefore can have access to this information. That’s all you need. No demonstration of why or what you plan to do with the info, just that you can obtain a security clearance and can protect it from people not allowed to see it.

(4) NO RIGHT OR BENEFIT

Basically, anyone with access that isn’t an FG employee can’t claim a right to the information if their access is revoked, and just because someone could have access to this information doesn’t mean they automatically get access.

(5) RESTRICTION ON DISCLOSURE OF CYBER THREAT INTELLIGENCE

The “Bradley Manning” clause. This prevents anyone with access to the information from sharing it with anyone that isn’t part of the group already. Though when we see how easy it is to join the group, this part is rather pointless.

(b) Use of Cybersecurity Systems and Sharing of Cyber Threat Information (1) IN GENERAL- (A) CYBERSECURITY PROVIDERS

The “Surveillance Clause.” Basically says that these protected entities can collect information with no regard for any current law (“Notwithstanding any other provision of law”). The techniques, equipment and data can be obtained without any regard for the law (including due process and the 4th amendment), and, this is the big one, share such cyber threat information with any other entity designated by such protected entity. You may wonder, “Sense, who is the ‘any other entity?’” That’s a good question – the answer is “anyone.” Literally, any other entity. Not a SPE, not a “certified entity,” but any other entity.

(B) SELF-PROTECTED ENTITIES

“Surveillance Clause” for SPEs. See above.

(2) USE AND PROTECTION OF INFORMATION- Cyber threat information shared in accordance with paragraph (1)

Says that SPEs can share the information however they want, so long as they include “appropriate anonymization,” though who knows what that specifically means. Also, it removes the ability of these groups to hide information from the FG when they share such info, so if some private citizen tells anyone that has access to this information about a potential security hole, they can’t do so anonymously. Subsection B is worded strangely, but basically means that if Company A learns something about competing Company B through this sharing, they can’t use it in advertising (“Company B was hacked 27 times this year, but Company A wasn’t hacked at all, so you should use Company A – paid for by Company A”). Subsection C says it can only be used by non-FG until shared with the FG.

(D) if shared with the Federal Government—

Subsection D means that (1) any information shared with the FG is exempt from FOIA, (2) isn’t able to be shared unless the group that gave it to the FG says so, (3) won’t be used for FG regulation (of utility companies, SPEs, etc.), or (4) won’t be shared if it has to do with another agency of the FG (think cross-agency whistleblowing), unless the POTUS says so. It finishes by saying that the FG will decide what it does with the information. Subsection E is the exemption for State-level FOIA (that is, state laws that mimic FOIA at the state level).

(3) EXEMPTION FROM LIABILITY-

Basically, no one is liable for anything – no one can be sued (civil) or tried (criminal) for the information obtained, how it’s obtained, who it’s shared with (see the “Surveillance Clause” above), or what is done with the information, so long as it’s all done “in good faith (without malice or the desire to defraud others).”

Want a hypothetical situation that could be a real situation if CISPA passes? Company A, a SPE with security clearance, sees your browsing habits in their “cybersecurity department,” decides to “share” (“share” really means “sell”) the information with the “cybersecurity department” of Company B, an advertisement company, who then uses it to market things to you. This is all perfectly legal, and you can’t sue anyone, nor can the companies be tried in court. Doesn’t that sound wonderful?

(4) RELATIONSHIP TO OTHER LAWS REQUIRING THE DISCLOSURE OF INFORMATION-

The first part is interesting – it says that the companies aren’t required to share the information with the FG, though I’m sure there’ll be some sort of conditional when companies try to “join the group.” It ends with more “no FOIA requests” language. Seems like they’re trying really hard to hide the information.

(5) RULE OF CONSTRUCTION

This prevents CSPs from snooping outside of the company they’re hired by, or those companies from snooping outside of their own networks. Of course, when ISPs hire CSPs, this section will be completely pointless; ISPs could claim all information being sent through their servers is part of their own network, and subject to snooping. This will result in the ISPs getting a cut when the CSP sells the information (remember the “CSP and the advertisement firm” example? Now the ISP gets some money, too. Kinda makes sense why so many companies are for CISPA, huh?).

(c) Federal Government Use of Information (1) LIMITATION

Basically says that the FG can use information it receives for cybersecurity purposes, investigating and prosecuting cybersecurity crimes, protecting individuals from death or harm (what does that have to do with cybersecurity? Who knows), or preventing child pornography. “But Sense,” you may say, “what does child pornography have to do with cybersecurity?” The answer is “nothing,” but this allows pro-CISPA people to claim that those who are against it are A-OK with child pornography. Ridiculous, I know, but nevertheless there it is. Also, you may wonder how a CSP or SPE would find child pornography if they are only looking for cybersecurity information, as indicated by the rest of the law. I’m curious about this as well.

(2) AFFIRMATIVE SEARCH RESTRICTION

The FG can’t go fishing through the information for anything other than what is in subsection 1, though really subsection 1 is vague enough to allow the FG to go fishing in spite of this section.

(3) ANTI-TASKING RESTRICTION

Says that the FG can’t force anyone to share the info, or give incentive or threaten to get someone to share. Well, not explicitly. I’m sure legal means like kickbacks and whatnot will suffice.

(4) PROTECTION OF SENSITIVE PERSONAL DOCUMENTS

Basically states what the FG won’t accept for information. It doesn’t matter, though; the FG knows all of that information without CISPA anyways.

(5) NOTIFICATION OF NON-CYBER THREAT INFORMATION

“The FG will say when it doesn’t want that information.”

(6) RETENTION AND USE OF CYBER THREAT INFORMATION

“The FG will only keep or use information that has to do with (1) LIMITATION above,” though in reality that means they can keep or use everything, since “cybersecurity purposes” is so vague.


(d) Federal Government Liability for Violations of Restrictions on the Disclosure, Use, and Protection of Voluntarily Shared Information

Basically, the FG will pay either $1,000 or more when it violates either b-2-D (typo, it says b-3-D, but that’s old. It really means b-2-D, (2) USE AND PROTECTION OF INFORMATION – (D) if shared with FG) or Subsection c (Federal Government Use of Information), in addition to reasonable attorney fees. Seems nice, but you’ll never know if this happens since all of the information is exempt from FOIA, and the FG isn’t going to tell you it violated your rights.

The rest just says where such a hearing would occur, and a statute of limitations of 2 years (“feel good” language, you’ll never know if/when they violated your liberties, but should you ever find out it’ll be too late). It finishes with saying that the “burden of proof” is on the violated, which is just silly.

(e) Federal Preemption

“FG > all.”

(f) Savings Clauses (1) EXISTING AUTHORITIES

“Any State or local police force can use a system to gather information.” In essence, CISPA trickles down all the way to the local level.

(2) LIMITATION ON MILITARY AND INTELLIGENCE COMMUNITY INVOLVEMENT IN PRIVATE AND PUBLIC SECTOR CYBERSECURITY EFFORTS

CISPA doesn’t allow the DOD or NSA to control, modify, require or direct private-sector or any governmental entity on how to do their cybersecurity, unless they can do it somewhere else. Surprise, the Patriot Act allows this, so this is moot.

(3) INFORMATION SHARING RELATIONSHIPS

Except for the contradiction between C (“this law doesn’t mean information sharing with the FG is required”) and E (“this law can’t keep the FG from making information sharing required in ‘serious situations’”), there’s nothing really important here.

(4) LIMITATION ON FEDERAL GOVERNMENT USE OF CYBERSECURITY SYSTEMS

No one other than the FG can use FG-controlled cybersecurity systems, unless the FG says it’s ok.

(5) NO LIABILITY FOR NON-PARTICIPATION

The FG can’t punish groups for not sharing information, or anything that happens when they don’t share the information. If Company A knew about the Boston Marathon bombing, and did nothing, they’re not liable for what happened. Rather disgusting piece of language, and completely out of touch with the point of the law.

(6) USE AND RETENTION OF INFORMATION

“The FG will only keep or use information that has to do with (1) LIMITATION above,” though in reality that means they can keep or use everything, since “cybersecurity purposes” is so vague.

(7) LIMITATION ON SURVEILLANCE- Nothing in this section shall be construed to authorize the Department of Defense or the National Security Agency or any other element of the intelligence community to target a United States person for surveillance.

This is fine and dandy, except it’s meaningless. The Patriot Act allows for surveillance of US citizens, and the basis for the Patriot Act is, surprise, NSA1947. By including cybersecurity language in NSA1947, the Patriot Act (specifically Section 218) is made big enough to circumvent this limitation (and that pesky 4th Amendment) in the interest of “national security,” and thus the FG can spy on US citizens. It also expands the Patriot Act’s Section 214 by including the content of such communications.

(g) Definitions

Of note are (2) CERTIFIED ENTITY, (4) CYBER THREAT INFORMATION (summarized as anything Anonymous does, with the exception of social engineering), and (5) CYBER THREAT INTELLIGENCE (See 4, but just imagine it’s information that the FG already has). The bill actually defines them pretty well, so long as you remember “cybersecurity information” is pretty vague.

(6) CYBERSECURITY CRIME

THE BIG ONE

This part means that the Patriot Act can be used to prosecute both Anonymous and US citizens for “computer crimes,” which can be anything from DDoS’ing to hacking to cracking software to pirating. It also includes anything under Title 18 of the USC.

The rest of Section 3 is simple definitions, though it says that CISPA would go into effect no more than 60 days after it passes.

SEC. 4. SUNSET

This section states that, unless extended by Congress or the POTUS, Section 3’s changes to NSA1947 are removed after 5 years. This is pretty standard for just about any Act.

SEC. 5. SENSE OF CONGRESS ON INTERNATIONAL COOPERATION.

This just means that CISPA, and its changes to NSA1947, should be an international thing. The US should (not will, or shall, meaning it’s optional) share what it finds with relevant countries, and those countries should do the same.

SEC. 6. RULE OF CONSTRUCTION RELATING TO CONSUMER DATA.

This section appears to say that this Act, or the changes in NSA1947, shouldn’t include selling personal information for marketing… though we know that companies do this anyways with impunity (see Facebook and Google, for instance). It’s simply language to make people feel better about it, when in reality it doesn’t mean anything at all.

SEC. 7. SAVINGS CLAUSE WITH REGARD TO CYBERSECURITY PROVIDER OBLIGATION TO REPORT CYBER THREAT INCIDENT INFORMATION TO FEDERAL GOVERNMENT.

This just says that any information that isn’t a threat to the FG isn’t required to be shared with the FG. It’s superfluous, and said a few times already in the language.

This concludes the overview of CISPA (H.R. 624).

For a short and sweet ELI5-version of CISPA…

CISPA creates a way for the US Government and companies like Facebook, Google and others to share information with the US Government, as well as each other. It also includes laws making it illegal to share information with people that shouldn’t know (what Bradley Manning did), to share that information among others that shouldn’t know (what WikiLeaks does), and allows for companies to trade personal information without getting in trouble. It also allows for the US Government to spy on US citizens, to prosecute people that pirate movies, games or music, and does all of this without telling you. You will also never know it’s happening.

The extreme version is people violating CISPA can be labeled “domestic terrorists” through a combination of CISPA and the Patriot Act, which is what the US Government really wants to do to Anonymous.

Many companies (nearly all that support CISPA, actually) stand to make money from this Act – new companies will be hired by every company on the internet for “cybersecurity,” as well as by the US Government, and everyone from internet providers to social networking sites will make money from the trading of information. This is why there are so few companies fighting CISPA, and more reason for us citizens to protect our freedoms and liberties from “Big Brother.”
