Did CISPA Actually Get Better Before Passing? Not Really

from the depends-on-how-you-define-"better" dept

Yesterday, after I asserted that CISPA had gotten much worse before it was passed in a rushed vote, I heard from several people (even those in the anti-CISPA camp) who took the opposite position. They feel that, while CISPA is still a highly problematic bill, the Quayle amendment which I roundly criticized actually represented a significant last-minute improvement to the text. I still don't see it that way, for reasons I explain below, but they did make an important point that is worth calling attention to.

Basically, under their reading of the previous text, it allowed the government to use the data for any non-regulatory purpose as long as it has one cybersecurity or national security purpose. I hadn't initially read it that way but I completely agree, and that is indeed a troublesome wild card to hand to the government. The amendment removed the broad "any lawful purpose" language, replacing it with the list of five specific uses (cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security), thus closing that gaping hole in the bill. In that sense, it's a good amendment.

But, does it really improve CISPA? That depends on how you look at it. CISPA is supposed to be a "cybersecurity" bill, and both its supporters and its opponents in Congress have repeatedly stated that cybersecurity means protecting networks and systems from disruption, hacking and malicious code—primarily coming from overseas. Even during yesterday's debate, virtually every representative who spoke opened with a speech on this topic, and Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code". (I'm pretty sure he meant "1s and 0s", but what do you expect from someone who doesn't understand the thing he's trying to legislate?)

Now, critics of the bill have of course been saying all along that it could be used for things way beyond this stated cybersecurity purpose. But the response from supporters has been consistent: no, it can't, and even if it can, it won't be. [Insert another impassioned speech about the cyber-threat from China.] Then, suddenly, only a few minutes before the final vote, the representatives near-unanimously amend CISPA to include these brand new targets of bodily harm and child exploitation, which have nothing to do with cybersecurity and which have rarely if ever been mentioned in relation to the bill.

Basically, the amendment closes a loophole but opens a door. It takes away some of the language that allows overreach of the bill, but then explicitly endorses the exact things people were worried the government would do with that language—as in, start using the data to investigate and build cases against American citizens without regard for the laws that would normally protect their privacy.

Is that an improvement? CISPA would now grant the government less vague power, which is good, but would also grant it brand new specific powers, which is bad and frankly pretty insulting. Because, if this is indeed an improvement and a narrowing of the government's power, how are we to take that if not as a confession that virtually every representative has been baldly lying this whole time? They have said over and over again that they don't want or plan to use the bill for anything except shoring up network security, but we're supposed to see the addition of these brand new applications as limiting CISPA's target? To me, that sounds like they're saying: "Okay, you got us—we really wanted to secretly do all this other stuff. As long as you still let us do that, we'll change the bill."

So the way I see it, there are two ways to look at the Quayle amendment: either it made the bill worse, by massively expanding its stated purpose to whole new areas of the law such that it can no longer accurately be called a "cybersecurity" bill at all, or else it made the bill better by codifying the ways it can be abused for non-cybersecurity purposes.

Of course, it's not as though everyone trusted what supporters were saying about the bill's purpose before. We all knew it would be used for these other things. But simply getting them to admit that is not really progress. It's accurate to say that the amendment has limited the government's power under CISPA by changing the language, but it's also ludicrous to say that turning a cybersecurity/national-security bill into a cybersecurity/cybercrime/violent-crime/child-exploitation/national-security bill at the last minute represents narrowing or improving it. In fact, the only way that's an improvement is if the representatives are admitting that they were planning on it being used for even more unstated purposes all along, but are now content with choosing only a few of the things they have repeatedly denied they wanted. I see how that can be framed as progress, but it's not exactly something that the House deserves any praise for.



Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Capt ICE Enforcer, Apr 27th, 2012 @ 10:26am

    Protecting from harm

    Attention All:

    Subject: Typing may cause Carpal Tunnel, & Arthritis.


    Good news my fellow Americans. Science has found that typing can cause Carpal Tunnel & Arthritis. These have been known to harm people of all ages. So in order to keep you safe. The US Government will use CISPA and monitor all use of your electronic devices. To include but not limited to what keys you type, and where the information get sent to. Using this information will not help you in any way. But is the perfect excuse for us to monitor you.

    Best intentions can result in the Worst outcome.

    Capt ICE Enforcer Out.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 27th, 2012 @ 10:29am

    Mhhm.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 27th, 2012 @ 10:37am

    CISPA, the Child/Infant Safety and Protection Act

    I'm surprised they're still calling it a cybersecurity bill. Why not call it a child protection bill? Then they could brand everyone who opposes it a pedophile.

    And did you know there are children in other countries? It's true! Clearly there need to be more extradition treaties like the UK's, so children all over the world can be protected by CISPA.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Michael Long (profile), Apr 27th, 2012 @ 10:37am

    A couple of things are better...

    2) ...and ensure that those who negligently cause injury through the use of cybersecurity systems or the sharing of information are not exempt from potential civil liability.

    This helps remove one of the major carrots for companies to voluntarily share data.

    4) Would make clear that regulatory information already required to be provided remains FOIAable under current law.

    15) Would sunset the provisions of the bill five years after the date of enactment.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Leigh Beadon (profile), Apr 27th, 2012 @ 10:39am

      Re:

      Yeah - some of the other amendments that passed are pretty good. Another is the clarification that merely violating terms of service doesn't constitute hacking.

      However, I still think all that pales in comparison to this amendment, that is essentially a core change to the stated purpose of the bill, and flies in the face of what everyone involved has said CISPA is for.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        A Dan (profile), Apr 27th, 2012 @ 11:14am

        Re: Re:

        One reason I gave my congressman that I opposed this bill is that it didn't contain safeguards to keep the information from being used to prosecute other types of crimes which were not in any way related to "cybersecurity". Based on the amendment, that was apparently intentional.

         

        reply to this | link to this | view in chronology ]

    •  
      icon
      RyanRadia (profile), Apr 28th, 2012 @ 9:48pm

      Re:

      Unfortunately, the amendment to make companies liable for sharing information that causes injury (Conyers #2) was not offered on the floor, so it's not part of CISPA as passed. The final engrossed House-passed bill, with all amendments included, is here: http://www.gpo.gov/fdsys/pkg/BILLS-112hr3523eh/pdf/BILLS-112hr3523eh.pdf

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Baldaur Regis (profile), Apr 27th, 2012 @ 10:38am

    ...Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code".
    Xs and Os. Yeah, this is exactly the guy I would hire to protect computer systems.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      :Lobo Santo (profile), Apr 27th, 2012 @ 11:08am

      Re: Xs and Os

      He probably reads the raw binary, mumbling to himself and occasionally shouting "yahtzee!"

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      Chuck Norris' Enemy (deceased) (profile), Apr 27th, 2012 @ 12:54pm

      Re:

      Man...but can't you feel the love? Maybe he is looking into sexbots?

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Cowardly Anonymous, Apr 28th, 2012 @ 10:00am

      Re:

      1s and 0s are purely symbolic representations, and don't even map to the same voltages across all devices. True, they have become a standard in the industry and it is highly unlikely that a politician understands these basic principles, but understanding the binary nature of computer data is a far cry better than calling the internet a series of tubes.

      Now, technically, they should be looking to share the disassembled code, rather than the bit by bit representation. Still, this is at least evidence that they can learn, if it is screamed at them loud enough.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Leigh Beadon (profile), Apr 28th, 2012 @ 10:17am

        Re: Re:

        Heh - I was thinking afterwards about how, yeah, Xs and Os would work just as well for symbolizing binary information. However, I think it's a stretch to say he understands the binary nature of computer data. When you watch the speech (link is in the comments here if you want to check it out) he clearly just has these things as talking points to some degree - and I think he actually stumbled slightly when he said "formulas" (someone probably explained algorithms/code to him as being kind of like a math formula), and then that put algebra in his brain, which is where the "Xs" came from, which derailed his brain yet again into "Xs and Os" (a tragic blend of algebra's Xs and Ys, binary's 1s and 0s and, um, tic-tac-toe). "The virus code" is the only thing he sounds slightly confident about saying, and I get the impression that the other stuff is how someone tried to explain to him what "virus code" actually is.

        Obviously I'm just guessing from looking at the man's face and listening to his voice - but definitely nothing about him radiated "understanding". This doesn't show they can learn if it's screamed at them loud enough, it shows they can't even properly memorize by rote when it's screamed at them loudly.

         

        reply to this | link to this | view in chronology ]

    •  
      icon
      Frank Bennett (profile), Apr 29th, 2012 @ 1:21am

      Re: Sunsetting

      A sunset provision in legislation with effects this deep isn't really aimed at decommissioning -- no one has suggested that the issues addressed by this bill will have faded in five years. Rather, expiration of the legislation will trigger campaign contributions from private firms and industry groups that by then will have integrated its provisions into their business practices. It's all pretty ugly.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 27th, 2012 @ 12:14pm

    98% of adults online are child predators!! Some people only think it's only 2%. And those people are just elitists!

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Liz (profile), Apr 27th, 2012 @ 12:19pm

      Re:

      Only if you're a guy. If you're a woman, there's a good chance you're jail bait or someone's Mom. Of course the axiom is that there are no girls on the internet. And that 15 year old is really a 33 year old FBI agent.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Liz (profile), Apr 27th, 2012 @ 12:16pm

    "National Security" as a reason for this law seems like a HUGE gaping hole when it comes to government enforcement. It's like a catch-all term for "We can do what we wish without consequence."

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    corwin155 (profile), Apr 27th, 2012 @ 12:18pm

    list of five specific uses (cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security)

    in other words
    you a criminal without rights
    we will be watching you

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 27th, 2012 @ 12:24pm

    I wonder what Bill Whittle has to say about CISPA?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Rich Kulawiec, Apr 27th, 2012 @ 12:37pm

    There's a political angle to this as well

    Consider:

    House passes bill.
    Senate passes bill.
    President vetos bill.
    Something bad happens.
    GOP seizes opportunity for gotcha! moment in election year.

    Of course, "something bad" happens just about every day -- read the "Dataloss" mailing list. So it's not like anything particularly bad would need to turn up, and it's not like it would even have to be something covered by the bill. "Credit card company loses hard drive with 28 million customer accounts" would do just fine, because the computer-illiterate public will have no clue whether this had anything to do with CISPA.

    Here's the thing: the worse the bill is, the better it works for this, because the more pressure the President will be under not to sign it. So there is substantial motivation to load the bill up with as many due process violations, as many civil rights issues, and as much wildly unconstitutional language as possible: the idea isn't to get it signed, the idea is to get it vetoed, because then it can serve its purpose.

    Oh. One more thing. This is also why the House has studiously avoided asking anyone who has even half a clue about security to testify, and has instead focused on the OMG!OMG!CYBERWAR cheerleaders. There is no way that sanity and expertise can be allowed anywhere near this process because that might accidentally result in a better bill.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Rich Kulawiec, Apr 27th, 2012 @ 2:50pm

    [...] and Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code". (I'm pretty sure he meant "1s and 0s", but what do you expect from someone who doesn't understand the thing he's trying to legislate?)

    Do you have a source for this quote from Ruppersberger?

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Leigh Beadon (profile), Apr 27th, 2012 @ 6:35pm

      Re:

      Do you have a source for this quote from Ruppersberger?

      It is in this House session:
      http://www.c-spanvideo.org/program/HouseSession5327

      I am tracking down the exact spot in the video now.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      Leigh Beadon (profile), Apr 27th, 2012 @ 6:48pm

      Re:

      Okay: He starts speaking at 03:15:50, and the specific quote comes about a minute after that.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Rich Kulawiec, Apr 28th, 2012 @ 5:26am

        Re: Re:

        Many thanks, this is terrific and precisely what I was looking for! I owe you one. Maybe two.

         

        reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Apr 30th, 2012 @ 5:17pm

        Re: Re:

        i just love that Mac thornberry, after one minute in the video
        talks about cyber security and that it's monitored and destroyed and what-not...does he realize that the very bill is
        exactly the same?
        That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he's whatching the (possibly) non-exsisting hacker that is watching us.
        This is a freaky hack-seption, and i don't know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country...i'm seriously disturbed by this (I'm just a 16, year old from Sweden, and even I can feel a wind of change comming)

        sry for the long post, but i'm happy you took up this issue (would be glad if i could get a response)

         

        reply to this | link to this | view in chronology ]

  •  
    icon
    littlebiggygirl (profile), Apr 27th, 2012 @ 4:19pm

    why does invoking national security justify ignoring privacy laws?
    www.littlebiggy.org/4722867

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Erik, Apr 28th, 2012 @ 8:30pm

    Just to clarify, when that congressman was talking about Xs and Os he wasn't talking about coding. He was talking about sharing anti-cyber security strategies. Its a term often found in the sport of American Football because players are indicated by Xs and Os in playbooks.

    I wouldn't expect a bunch of nerds to understand that. :P I kid, I kid.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Jeff Rowberg (profile), Apr 30th, 2012 @ 10:55am

    Xs and Os

    Internet, n: A series of tubes through which Xs and Os flow, mostly containing virus code, stolen intellectual property, and child pornography. (New Political Dictionary, 2nd Ed., 2012)

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 30th, 2012 @ 5:18pm

    Re: Re:

    i just love that Mac thornberry, after one minute in the video
    talks about cyber security and that it's monitored and destroyed and what-not...does he realize that the very bill is
    exactly the same?
    That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he's whatching the (possibly) non-exsisting hacker that is watching us.
    This is a freaky hack-seption, and i don't know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country...i'm seriously disturbed by this (I'm just a 16, year old from Sweden, and even I can feel a wind of change comming)

    sry for the long post, but i'm happy you took up this issue (would be glad if i could get a response)

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This