New Draft Of CISPA Announced: Some Progress, Still Big Problems

from the it's-a-start-I-guess dept

The House Intelligence Committee has published a new draft of CISPA (pdf and embedded below), which includes the two amendments that were already approved, plus several other additions and changes. In some areas, there is genuine progress—in others, things actually seem to have gotten worse. Unfortunately, some of the biggest problems with the bill remain, and some of the new language seems to have little effect at all. Some changes I will discuss in future posts, but there are two that I wanted to look at right away:

A Narrower Definition Of Cybersecurity
This is the one clearly positive change in the bill. Previously, the definition of cybersecurity and cyber threat information was:

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

While the first part remains unchanged, the second part is now much narrower:

(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information

Where the original language could be construed to include all sorts of activity that goes beyond what most people could consider "cybersecurity", the new definition makes it clear that we are talking about unauthorized network access. Most notably, it removes the reference to "intellectual property", which makes sense: the authors have always insisted that they were talking about the misappropriation of secret R&D by foreign entities, which is sufficiently covered by language referring to privacy and unauthorized access. Including "intellectual property" opened it up to all sorts of additional interpretations that went beyond this stated intent.

Now, there's still reason to be a little concerned here, because the attempts to charge people for "unauthorized access" under the CFAA have been ridiculous in the past. If this language in CISPA were construed to include things like violating terms of service (as some have claimed of the CFAA language) then it would be very dangerous. However, with last week's Ninth Circuit ruling which narrowly construed unauthorized access, legal thinking on this matter seems to be heading in the right direction. There's still some gray area, and I think there's still room for a much better definition of cybersecurity in CISPA (I know they want to future-proof it, but it doesn't have to be that short and vague) but this is still a significant improvement over the previous draft.

Extremely Limited Liability For Companies
The new draft of CISPA includes a whole new section carving out the requirements for a company to be held liable if they share information improperly. Basically, a company that shares data with the government receives immunity from all existing privacy laws unless you can show that their actions caused you injury and constituted "willful misconduct"—which is very specifically defined in CISPA as an action taken:

(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.

Yes: and. A company's actions need to satisfy all three of those conditions, and I'm not sure how that is even possible. The company has to be trying to harm you, has to be knowingly breaking the law, and, in a bizarre third clause, also has to be disregarding a known risk that the harm to you will outweigh the benefit to them. How you are supposed to weigh the harm to individuals whose private data is handed to the government against the benefit to cybersecurity providers that improve their networks with that data is beyond me. But no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.

Overall, despite the progress made on the definition of cybersecurity, CISPA remains a highly problematic bill that doesn't properly safeguard people's privacy. One of the biggest problems—the fact that the government can use, retain and affirmatively search the information it gathers for vaguely defined "national security" purposes—is untouched in the new draft. There are some attempts to alter the rules on how federal agencies can share information among themselves, but many of those changes seem essentially meaningless. It's good to see some reaction from Congress, but if CISPA is to be fixed (a prospect I'm still dubious about) there is still a long way to go.



Reader Comments

  1. Anonymous Coward, Apr 13th, 2012 @ 5:14pm

    "Fix the bill? You mean fix it passing through, right? Fix it after it passes?"

    *After it passes*

    "SORRY, WE HAVE OTHER THINGS TO FOCUS ON RIGHT NOW"


  2. Watchit (profile), Apr 13th, 2012 @ 6:02pm

    at least some progress was made.


  3. Eric Jaffa, Apr 13th, 2012 @ 8:40pm

    Still a bill against whistle-blowers

    After a newspaper publishes a story about wrongdoing at an organization, someone can contact the journalist's email-provider and get the emails sent to the journalist, saying that files which show the wrongdoing may have been obtained through "unauthorized access."

    Without a warrant.


  4. Leigh Beadon (profile), Apr 13th, 2012 @ 8:47pm

    Re: Still a bill against whistle-blowers

    That's not really true... CISPA doesn't work that way. Its problems exist on a broader scale to do with how the government is going to collect and mine this data, and the sort of actions it may end up supporting - but it wouldn't be possible for the government to wield CISPA as a weapon against a single journalist like that. I can definitely see ways that CISPA could be used to stifle whistleblowing - but not in such a surgical manner, I don't think.


  5. Pixelation, Apr 13th, 2012 @ 11:01pm

    "including efforts to gain such unauthorized access to steal or misappropriate private...information."

    Wouldn't IP fit within that definition? Wouldn't downloading a song without permission be "unauthorized access"?

    Just sayin'


  6. Anonymous Coward, Apr 14th, 2012 @ 1:58am

    Re:

    My thoughts exactly. I bet the entertainment industries will be interpreting that part in exactly the way you and I have. We all know their rules. If there is a way for a piece of text to be twisted round and used to their advantage, gaining a way to sue a person for so-called 'copyright infringement', the entertainment industries will do so.
    If a Bill is to be introduced for specific purposes, then have the balls to state all of those specific purposes in a clear, well defined and open manner, so everyone can understand. Don't wait until some poor fucker does something wrong, totally unintentionally, then crap all over him!


  7. Anonymous Coward, Apr 14th, 2012 @ 2:24am

    Re:

    More like "Fix the bill? We don't know what's wrong with it yet! Pass it first, then talk."

    *after it passes*

    "What do you mean there's something wrong with the bill? You should have said so before it passed; we can't change it now it's passed! It's your fault!"


  8. Anonymous Coward, Apr 14th, 2012 @ 5:43am

    Re: Re:

    i bet the entertainment industries will be interpreting that part in exactly the way you and i have.

    It matters little what anyone other than the judge thinks.


  9. Anonymous Coward, Apr 14th, 2012 @ 6:54am

    Response to: Pixelation on Apr 13th, 2012 @ 11:01pm

    If you are referring to file sharing, no because the access isn't unauthorized.


  10. Anonymous Coward, Apr 14th, 2012 @ 6:57am

    Response to: Pixelation on Apr 13th, 2012 @ 11:01pm

    The provision says unauthorized access to a system or network not the information.


  11. Rekrul, Apr 14th, 2012 @ 8:00am

    But no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.

    That's exactly what they were aiming for. They want it to look like they included liability, without actually including any at all.


  12. Pixelation, Apr 14th, 2012 @ 9:35am

    What about protests?

    What if people protest against a company or government agency by "disrupting" the system or network?

    Will flooding a Senator's servers with letters be considered disruption?


  13. Anonymous Coward, Apr 14th, 2012 @ 11:50am

    Re:

    but it will be a piece of piss to sue a member of the public!


  14. cj, Apr 14th, 2012 @ 1:15pm

    (III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.

    So what will this do to people who post security risks? Sometimes the only way to get the security bug fixed is to post it online.


  15. Anonymous Coward, Apr 14th, 2012 @ 3:22pm

    Re: Re: Re:

    That is exactly the scary part.


  16. Watchit (profile), Apr 14th, 2012 @ 9:56pm

    Re: Re: Re: Re:

    ^this. seconded.


  17. Idwal, Apr 16th, 2012 @ 11:29am

    Re:

    We need to be careful of thinking like that. That's their tactic. Scare -> Amend -> Pass -> Ratchet

    This bill passes in any form, it's a dozen steps backward. Congress shouldn't get any credit for passing a terrible bill instead of a disastrous one. The Congresscritters who are willing to slay these legislative beasts, however, should get elected for life.


  18. I've had it., Apr 17th, 2012 @ 4:36pm

    Why does this keep happening?

    First two bills and an international treaty trying to censor information, and now a massive privacy invasion bill?


