<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/">
<channel>
<title>Techdirt. Stories filed under &quot;cybersecurity&quot;</title>
<description>Easily digestible tech news...</description>
<link>http://www.techdirt.com/</link>
<language>en-us</language>
<image><title>Techdirt. Stories filed under &quot;cybersecurity&quot;</title><url>http://www.techdirt.com/images/td-88x31.gif</url><link>http://www.techdirt.com/</link></image>
<item>
<pubDate>Fri, 17 May 2013 14:34:00 PDT</pubDate>
<title>Want To Destroy Any Hope Of Serious Cybersecurity? Give The DOJ Its Desired Backdoor Wiretaps On All Communications</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130517/08111723117/want-to-destroy-any-hope-serious-cybersecurity-give-doj-its-desired-backdoor-wiretaps-all-communications.shtml</link>
<guid>http://www.techdirt.com/articles/20130517/08111723117/want-to-destroy-any-hope-serious-cybersecurity-give-doj-its-desired-backdoor-wiretaps-all-communications.shtml</guid>
<description><![CDATA[ The Obama administration has supposedly been "considering" the latest version of the DOJ's plan to require backdoor wiretapping abilities in <i>any</i> form of digital communication.  If you don't recall, the FBI <a href="http://www.techdirt.com/articles/20100927/10481011183/feds-pushing-for-new-legally-required-wiretap-backdoor-to-all-internet-communications.shtml">asks</a> for <a href="http://www.techdirt.com/articles/20110216/23535513143/its-back-fbi-announcing-desire-to-wiretap-internet.shtml">this</a> basically every year.  The latest version would lead to <a href="http://www.techdirt.com/articles/20130429/08042622880/doj-wants-to-be-able-to-fine-tech-companies-who-dont-let-it-wiretap-your-communications.shtml">fines</a> for any company that doesn't build in a backdoor wiretapping ability.  We've been pointing out for quite some time that putting in such backdoors only makes us all <a href="http://www.techdirt.com/articles/20130114/20442421683/how-fbis-desire-to-wiretap-every-new-technology-makes-us-less-safe.shtml">less safe</a>, because those with malicious intent will find and use those backdoors.
<br /><br />
A new report has been released, put together by some of the best-known technologists and security experts out there, saying that the plan, as being considered, <a href="http://www.nytimes.com/2013/05/17/business/concerns-arise-on-us-effort-to-allow-internet-wiretaps.html?ref=sominisengupta&#038;_r=1&#038;" target="_blank">would effectively undermine any cybersecurity regime</a>.  At a time when the administration and Congress keep insisting that we <b>need</b> better <a href="http://www.techdirt.com/blog/?tag=cybersecurity">cybersecurity</a>, to undermine it all with wiretapping backdoors would be ridiculous.  And let's not even begin discussing how this would play out if it passed and number-one CISPA backer Mike Rogers then <a href="http://www.techdirt.com/articles/20130507/18341622994/cispa-sponsor-mike-rogers-may-go-to-lead-fbi.shtml">became head</a> of the FBI.
<br /><br />
Among the report's authors are names you might recognize, like Ed Felten, Peter Neumann, Bruce Schneier and Phil Zimmermann.  You can read <a href="https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf" target="_blank">the full report</a> (pdf) to see all the details.  As Ed Felten told the NY Times:
<blockquote><i>
&#8220;It&#8217;s a single point in the system through which all of the content can be collected if they can manage to activate it,&#8221; said Edward W. Felten, a computer science professor at Princeton and one of the authors of the report...  &#8220;That&#8217;s a security vulnerability waiting to happen, as if we needed more,&#8221; he said.
</i></blockquote>
Once again, all of this suggests that the efforts around "cybersecurity" have always been more of a cover story to try to make it easier for law enforcement to access data, rather than any legitimate effort at improving security.
 ]]></description>
<slash:department>stupid-ideas</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130517/08111723117</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 14 May 2013 12:53:19 PDT</pubDate>
<title>CISPA Sponsor Mike Rogers May Go On To Lead The FBI</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130507/18341622994/cispa-sponsor-mike-rogers-may-go-to-lead-fbi.shtml</link>
<guid>http://www.techdirt.com/articles/20130507/18341622994/cispa-sponsor-mike-rogers-may-go-to-lead-fbi.shtml</guid>
<description><![CDATA[ We've often heard stories of politicians passing legislation soon before they left office, only to have that very same legislation help them in their next job (coincidentally, we're sure).  So it does seem interesting that Rep. Mike Rogers, the main champion behind CISPA, the privacy-destroying cybersecurity bill, is apparently a <a href="http://www.washingtonpost.com/world/national-security/fbi-agents-association-to-endorse-rep-mike-rogers-to-bureaus-new-leader/2013/05/06/1c4362ac-b66a-11e2-aa9e-a02b765ff0ea_story.html?hpid=z2" target="_blank">top candidate to head the FBI</a> -- so much so that the FBI Agents Association, representing 12,000 FBI agents, has officially stated that it would like him to take the job.  I'm sure it would be much easier to run the FBI if it could have companies violate the privacy of their users without any possible liability (even if they promised to protect that privacy), which is exactly what CISPA would allow.  For what it's worth, there are a number of other candidates for the job, though it's somewhat horrifying to see one other top candidate be Neil MacBride.  He's the former "anti-piracy" VP for the Business Software Alliance, who is now the US Attorney who has been driving the case against Kim Dotcom.  Just imagine what kind of FBI there would be under his watch...
 ]]></description>
<slash:department>sure-that-having-cispa-in-place-would-help</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130507/18341622994</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 14 May 2013 08:44:00 PDT</pubDate>
<title>US's 'Cyberwar' Strategy: Making The Public Less Secure In The Name Of 'Security'</title>
<dc:creator>Tim Cushing</dc:creator>
<link>http://www.techdirt.com/articles/20130511/17253823048/uss-cyberwar-strategy-making-public-less-secure-name-security.shtml</link>
<guid>http://www.techdirt.com/articles/20130511/17253823048/uss-cyberwar-strategy-making-public-less-secure-name-security.shtml</guid>
<description><![CDATA[ The US government seems to be responding to "<a href="http://www.techdirt.com/articles/20121017/19152520740/defense-secretary-leon-panetta-recycles-his-cyber-pearl-harbor-fud-third-times-charm.shtml" target="_blank">cyber Pearl Harbor</a>" by heading out on bombing runs of its own. All the concern for the safety of the American public displayed in Congress during the <a href="http://www.techdirt.com/articles/20130312/08093422297/why-cispa-could-actually-lead-to-more-hacking-attacks.shtml" target="_blank">CISPA push</a> seems to have been nothing more than the empty words we expect from our representatives. <a href="http://www.theverge.com/2013/5/10/4319278/us-government-hacking-threatens-cybersecurity-former-officials-say" target="_blank">Americans and American companies are now being caught in the crossfire</a> -- some of it "friendly."
<blockquote>
<i>The US government is waging electronic warfare on a vast scale &mdash; so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, <a href="http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510" target="_blank">Reuters reports</a>.</i>
<br /><br />
<i>Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say <a href="http://www.theverge.com/2013/5/9/4315228/hacking-back-cops-and-corporations-want-offensive-cybersecurity" target="_blank">this move to "offensive" cybersecurity</a> has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.</i>
<br /><br />
<i>"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."</i></blockquote>
I'm not sure how increasing user vulnerability helps win a cyberwar, but no doubt any home team casualties will be written off as sacrifices for the greater good. Even more troubling than the government's willingness to sacrifice security for security (??) is the fact that it's unwilling to share this information. What good are those provisions in CISPA and President Obama's recent cybersecurity <a href="http://www.techdirt.com/articles/20130213/10460421964/cybersecurity-executive-order-actually-respects-some-privacy-so-do-we-actually-need-cispa-any-more.shtml">executive order</a> about the government sharing cybersecurity info with companies, if the government hoards the information for its own hacking purposes? <a href="http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510" target="_blank">More details from the Reuters report</a>.
<blockquote>
<i>Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.</i>
<br /><br />
<i>When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.</i></blockquote>
Is it any surprise the public distrusts the government? It claims to be fighting a cyberwar in order to make us more secure and yet, when it goes on the attack, it values its own secretive efforts over the security of the public.
<br /><br />
As the government purchases more of these exploits to help fight its cyberwar, the lines on the battlefield are continuously redrawn and obscured. Buying exploits from independent hackers leaves them free to sell to other high bidding countries when not using the exploits themselves. This arms race also creates a perverse set of incentives. As the demand for new exploits increases, security companies and contractors that used to release information to those affected are now keeping their discoveries to themselves to preserve "market value."
<br /><br />
The Reuters report also notes that this new breed of security contractor is offering up, among other things, keys to criminal botnets. Endgame, a heavily funded tech startup with close ties to the intelligence community, is more than willing to hand over control of thousands of zombie computers for the right price.
<blockquote>
<i>Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.</i>
<br /><br />
<i>The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.</i></blockquote>
So, we're engaged in a cyberwar that's going to help us by hurting us, is that it? I understand that no one wants to be outgunned when facing the enemy, but what's being detailed here looks like a whole lot of collateral damage in the pursuit of unattainable goals. The same exploits will be used on both sides of the battle, and with end users and the companies they rely on being cut out of the loop, it will be the civilians who fare the poorest. We'll just be asked to pretend the government's saving us from something even worse.
 ]]></description>
<slash:department>adding-up-wrongs-to-make-a-right</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130511/17253823048</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 1 May 2013 11:56:00 PDT</pubDate>
<title>No Good Can Come Of Any Cybersecurity Bill Without A Clear Definition Of The Problem</title>
<dc:creator>Leigh Beadon</dc:creator>
<link>http://www.techdirt.com/articles/20130429/14380522883/no-good-can-come-any-cybersecurity-bill-without-clear-definition-problem.shtml</link>
<guid>http://www.techdirt.com/articles/20130429/14380522883/no-good-can-come-any-cybersecurity-bill-without-clear-definition-problem.shtml</guid>
<description><![CDATA[ With CISPA dead (mercifully) from a critical case of <a href="http://www.techdirt.com/articles/20130426/04120622845/as-expected-senate-has-no-interest-cispa-planning-its-own-cybersecurity-bill-instead.shtml">Senate disinterest</a>, the conversation has inevitably turned to what the <em>next</em> cybersecurity bill should look like. Over at Wired, Julian Sanchez has laid out some guidelines for <a href="http://www.wired.com/opinion/2013/04/cispas-dead-now-lets-resurrect-it/">a cybersecurity bill that actually works, achieving the stated goals of CISPA without butchering civil liberties</a>. His key point is that, according to CISPA's authors, the bill's sole purpose is to let companies and the government share technical data (or as Dutch Ruppersberger adorably <a href="http://www.techdirt.com/articles/20120427/08375418687/did-cispa-actually-get-better-before-passing-not-really.shtml#c217">called</a> it last year, "formulas, Xs and Os, the virus code") to help shore up network security and anticipate major attacks &mdash; and there's no real reason that has to conflict with privacy at all.
<blockquote><em>Few object to what technology companies and the government say they want to do in practice: pool data about the activity patterns of hacker-controlled &#8220;botnets,&#8221; or the digital signatures of new viruses and other malware. This information poses few risks to the privacy of ordinary users. Yet CISPA didn&#8217;t authorize only this kind of narrowly limited information sharing. Instead, it gave companies blanket immunity for feeding the government vaguely-defined &#8220;threat indicators&#8221; &#8212; anything from users&#8217; online habits to the contents of private e-mails &#8212; creating a broad loophole in all federal and state privacy laws and even in private contracts and user agreements.
<br /><br />
...
<br /><br />
There&#8217;s no need to share [personally identifiable] data for security purposes anyway: Kevin Mandia, head of the cybersecurity firm Mandiant, insisted at a February hearing on CISPA that in 20 years in the industry, he had &#8220;never seen a package of threat intelligence that&#8217;s actionable&#8221; that included personally identifiable information.
</em></blockquote>
<p>
Sanchez suggests some straightforward basic requirements for a cybersecurity bill that might actually get consensus from privacy watchdogs and the broader public: the removal of personal information <em>before</em> data reaches the government, a limited lifespan on the data (CISPA's authors have stated that real-time information sharing to deal with immediate threats is the key point of the bill anyway), and the ability for companies to respect their contracts with customers. As written, CISPA would have exonerated service providers from keeping any promise they made to <em>not</em> share user data. Even a service provider that <em>wanted</em> to offer you the contractual certainty that they would protect your data would have been unable to do so.
</p>
<p>
The reason for that is a key piece of language that's been drifting around CISPA since the beginning: "notwithstanding any other provision of law." There are lots of bits and pieces to the bill, but that line is the exemption granted to companies that wish to share cyber threat information with the government, and it's incredibly broad, allowing companies to ignore even the contracts they have with their customers.
</p>
<p>
So why is it there? That's the question nobody seems to want to answer, and that's the <em>real</em> issue with the whole push for cybersecurity legislation. Supposedly, according to the message that has accompanied CISPA and similar bills from the beginning, companies and the government are currently prevented from doing some harmless, common-sense information sharing to improve network security, because existing laws block such sharing. But... what laws? That has never been clear. Why does CISPA need to provide immunity "notwithstanding any other provision of law" rather than simply creating specific exceptions to the specific laws that are causing a problem? Why has nobody in Congress even been able to point out these problematic laws?
</p>
<p>
Perhaps it's not just one or two laws; perhaps it's a whole cluttered legal framework that can't easily be cleaned up and needs some broad, sweeping exceptions. But... nobody has made that case either. They just keep saying, non-specifically, "existing laws prevent it". And yet we know that's not true, at least to some degree: <a href="http://www.techdirt.com/articles/20120426/16471718672/law-enforcement-already-has-way-to-share-cybersecurity-info-with-companies-why-do-we-need-cispa.shtml">the FBI has had a system for sharing threat information back and forth with companies for 15 years</a>. Why is that model not sufficient? Again, if there are reasons, nobody in Congress is offering them.
</p>
<p>
I'd like to say Sanchez's guidelines make an excellent starting point for cybersecurity legislation, but a <em>starting point</em> for legislation has to be a definition of the problem it's trying to solve, and we still don't have that. Nevertheless, they do serve as an excellent set of rules to hold Congress to if it is really so intent on barreling forward blindly. Cybersecurity grandstanders are likely to say that such restrictions would gut the legislation. Whether that's ignorance, cognitive dissonance or a tacit admission of dishonesty I'm not sure, but the restrictions suggested by Sanchez, the EFF, the ACLU and others would do nothing to hinder CISPA's <em>stated</em> and largely innocuous purpose &mdash; they would only interfere with the other much scarier potential uses that Congress insists aren't going to happen.
</p>
<p>
The longer Congress offers only the vaguest of vague definitions of the problem it's trying to solve, while at the same time seeming to betray even that vague definition with its response to suggested safeguards and restrictions, the harder it gets to afford them even one iota of trust on the subject of cybersecurity.
</p>
 ]]></description>
<slash:department>putting-the-cybercart-before-the-horse</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130429/14380522883</wfw:commentRss>
</item>
<item>
<pubDate>Fri, 26 Apr 2013 11:15:00 PDT</pubDate>
<title>As Expected, Senate Has No Interest In CISPA; Planning Its Own Cybersecurity Bill Instead</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130426/04120622845/as-expected-senate-has-no-interest-cispa-planning-its-own-cybersecurity-bill-instead.shtml</link>
<guid>http://www.techdirt.com/articles/20130426/04120622845/as-expected-senate-has-no-interest-cispa-planning-its-own-cybersecurity-bill-instead.shtml</guid>
<description><![CDATA[ It's really looking like the cybersecurity legislation fight for 2013 is merely a remake of the 2012 edition.  First, the House passes CISPA in April, despite widespread privacy concerns (and CISPA's backers pretending they've taken care of them).  Then, the Senate goes in a totally different direction with a bigger, more complex cybersecurity bill (last year there were multiple versions before the compromise Cybersecurity Act became the bill of choice) that at least (eventually, with amendments) is a little more conscious of privacy issues, but which then fails to pass the Senate because the Chamber of Commerce freaks out about "something something regulations."  And then cybersecurity regulations, CISPA and all, die out until the following year.  At least the first part of that, with CISPA, happened both years, and now the Senate has made clear that <a href="http://www.usnews.com/news/articles/2013/04/25/aclu-cispa-is-dead-for-now" target="_blank">it's going in its own direction again</a>, in part because it feels that CISPA does not do enough to protect privacy (whether or not that's the real reason is left open to speculation).  Who knows if the rest of the script will play out the same, or if the sequel will have some plot-defying twists.  Either way, it seems pretty clear that CISPA, as written, is officially stalled out.
And that's a good thing, though we'll be paying close attention to what comes out of the Senate in the months ahead.
 ]]></description>
<slash:department>cybersecurity,-the-sequel</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130426/04120622845</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 22 Apr 2013 07:31:00 PDT</pubDate>
<title>Somewhere Everywhere, Big Brother Is Smiling: Congress Sells Your Privacy For A Cool $84 Million</title>
<dc:creator>Tim Cushing</dc:creator>
<link>http://www.techdirt.com/articles/20130419/17153622773/everywhere-big-brother-is-smiling-congress-sells-your-privacy-cool-84-million.shtml</link>
<guid>http://www.techdirt.com/articles/20130419/17153622773/everywhere-big-brother-is-smiling-congress-sells-your-privacy-cool-84-million.shtml</guid>
<description><![CDATA[ In case you were wondering why so many Democrats switched sides during the <a href="http://www.techdirt.com/articles/20130418/10170622751/cispa-passes-house-as-288-representatives-dont-want-to-protect-your-privacy.shtml" target="_blank">most recent CISPA vote</a>, the answer is exactly what you think it is: $$$. And lots of it. Last year's CISPA vote only managed to secure 40 Democrat supporters. <a href="http://www.dailytech.com/After+84M+USD+Payout+Congress+Passes+Big+Brother+Writ+CISPA/article30389.htm" target="_blank">This time around, the number leapt to 92</a>.
<blockquote>
<i>[A] new coalition of special interests, which include America's two largest cellular service providers AT&#038;T, Inc. and Verizon Wireless -- jointly owned by Verizon Communications Inc. and Vodafone Group Plc. -- as well as two of the nation's largest software firms Microsoft Corp. and Intel Corp., came together to create a similar data grab bill (Microsoft has since renounced its support). Security firms like Symantec Corp. also backed the bill.</i>
<br /><br />
<i>Pushing the bill through was <a href="http://maplight.org/us-congress/bill/112-hr-3523/1061747/total-contributions" target="_blank">$84M USD in funding from special interest backers</a>.</i></blockquote>
$84 million is change-of-heart money, although one imagines those contributing checked and double-checked their "sponsored" representatives to make sure they were all on the same page. As DailyTech points out, <a href="http://maplight.org/us-congress/bill/112-s-978/954321/total-contributions" target="_blank">nearly $86 million went into the SOPA push</a> and most of that turned out to be wasted money.
<br /><br />
Last Monday, two hundred IBM executives visited the White House to make a last minute push for CISPA. Whatever they said or did must have been very persuasive. By the end of the day, 36 new sponsors had signed on to the bill, up from a very lonely two previous to IBM's visit. Unsurprisingly, financial motivation was involved, <a href="http://maplight.org/content/73226" target="_blank">according to numbers gathered by Maplight</a>.
<blockquote>
<i>New co-sponsors have received <b>38 times</b> as much money ($7,626,081) from interests supporting CISPA than from interests opposing ($200,362).</i>
<br /><br />
<i>Members of the House in total have received <b>16 times</b> as much money ($67,665,694) from interests supporting CISPA than from interests opposing ($4,164,596).</i></blockquote>
Now, it's up to the Senate to come up with some sort of cyber-security bill that has a chance to get passed <i>and</i> dodge a Presidential veto. Fortunately, there's no clear favorite at the moment (although <a href="http://www.techdirt.com/articles/20120214/15002817761/cybersecurity-bill-backers-insist-this-isnt-sopa-is-it-needed.shtml" target="_blank">Lieberman's bill</a> seems to have the President's blessing) and with the limited number of voters, the Senate is much more prone to be gridlocked by partisan politics. Of course, a daylong visit by a few lobbyists could win over just enough hearts and minds to be dangerous. In the meantime, it would probably do these senators a world of good to hear from their constituents, if only to remind them that there are plenty of actual people out there who have to live with the consequences of bad legislation.
 ]]></description>
<slash:department>$84M-isn't-money;-it's-a-motive-with-a-universal-adapter</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130419/17153622773</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 18 Apr 2013 10:21:23 PDT</pubDate>
<title>CISPA Passes The House, As 288 Representatives Don't Want To Protect Your Privacy</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130418/10170622751/cispa-passes-house-as-288-representatives-dont-want-to-protect-your-privacy.shtml</link>
<guid>http://www.techdirt.com/articles/20130418/10170622751/cispa-passes-house-as-288-representatives-dont-want-to-protect-your-privacy.shtml</guid>
<description><![CDATA[ This is not wholly surprising, but after some debate and some half-hearted attempts at <a href="http://www.techdirt.com/articles/20130417/13393422747/latest-cispa-privacy-amendment-is-more-same-minor-changes-dressed-up-as-real-solutions.shtml">pretending</a> they care about the public's privacy rights, the House has <a href="https://twitter.com/BrendanSasso/status/324931015103614976" target="_blank">passed CISPA, 288 votes against 127</a>.  The vote breakdown did not go fully along party lines, though it was clearly Republican driven.  196 Republicans voted for it, while just 29 voted against it (despite numerous conservative groups <a href="http://www.redstate.com/2013/04/16/cispa-shouldnt-infringe-on-freedom-of-contract/" target="_blank">coming out against</a> the bill).  The Democrats split down the middle.  92 Dems voted for it and 98 against.  If you compare this to last year, it looks like a lot more Democrats went from opposing to being in favor of trampling your privacy rights.  Last year, 140 Dems voted against CISPA and only 42 for it.  Either way, this seems like a pretty bi-partisan decision to shaft the American public on their privacy rights.  That said, there is still the threat of a Presidential veto (though, with the vote today, the House is close to being able to override a veto).  The bigger question is now the Senate, which couldn't agree on a cybersecurity bill last year, and has shown no signs of improvement this year.  
If you want to protect your privacy, it's time to focus on the Senate, and make sure they know not to pass a privacy-destroying bill like CISPA.
 ]]></description>
<slash:department>all-the-others-are-just-14-year-olds-in-their-basement</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130418/10170622751</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 18 Apr 2013 05:38:54 PDT</pubDate>
<title>Oh Look, Rep. Mike Rogers Wife Stands To Benefit Greatly From CISPA Passing...</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130417/16253022748/oh-look-rep-mike-rogers-wife-stands-to-benefit-greatly-cispa-passing.shtml</link>
<guid>http://www.techdirt.com/articles/20130417/16253022748/oh-look-rep-mike-rogers-wife-stands-to-benefit-greatly-cispa-passing.shtml</guid>
<description><![CDATA[ It would appear that Rep. Mike Rogers, the main person in Congress pushing for CISPA, has kept rather quiet about a very direct conflict of interest that calls into serious question the entire bill.  It would appear that Rogers' <i>wife</i> stands to benefit quite a lot from the passage of CISPA, and has helped in the push to get the bill passed.  It's somewhat amazing that no one has really covered this part of the story, but it highlights, yet again, the kind of activities by folks in Congress that make the public trust Congress less and less.
<br /><br />
It has seemed quite strange to see how strongly Rogers has been fighting for CISPA, <a href="http://www.techdirt.com/articles/20130417/09330122741/cispa-renders-online-privacy-agreements-meaningless-sponsor-sees-no-reason-to-fix-that.shtml">refusing</a> to even acknowledge the seriousness of the privacy concerns.  At other times, he can't even <a href="http://www.techdirt.com/articles/20130410/11570822664/cispas-sponsor-cant-even-keep-his-story-straight-about-nsa-having-access-to-your-data.shtml">keep his own story straight</a> about whether or not CISPA is about giving information to the NSA (hint: it is).  And then there was the recent ridiculousness with him insisting that the only opposition to CISPA came from <a href="http://www.techdirt.com/articles/20130416/13354422728/cispa-sponsor-claims-opposition-is-14-year-olds-their-basement.shtml">14-year-old kids in their basement</a>.  Wrong <i>and</i> insulting.
<br /><br />
Of course, as we've noted all along, all attempts at cybersecurity legislation have always been about <a href="http://www.techdirt.com/articles/20100302/1024048361.shtml">money</a>.  Mainly, money to big <a href="http://www.techdirt.com/articles/20100517/1141179445.shtml">defense contractors</a> aiming to provide the government with lots of very expensive "solutions" to the cybersecurity "problem" -- a problem that still has not been adequately defined beyond fake scare stories.  Just last month, Rogers accidentally tweeted (and then deleted) a story about how CISPA supporters, like himself, had received 15 times more money from pro-CISPA groups than the opposition had received from anti-CISPA groups.
<br /><br />
So it seems rather interesting to note that Rogers' <i>wife</i>, Kristi Clemens Rogers, was, until recently, the president and CEO of Aegis LLC, a "security" defense contractor company, which she helped to secure a $10 billion (with a b) contract with the State Department.  The company describes itself as "a leading private security company, provides government and corporate clients with a full spectrum of intelligence-led, culturally-sensitive security solutions to operational and development challenges around the world."
<br /><br />
Hmm.  Sounds like a company like that would benefit greatly from seeing a big ramp up in cybersecurity FUD around the globe, and, with it, big budgets by various government agencies to spend on such things.  Indeed, just a few months ago, Kristi Rogers penned an article for Washington Life Magazine all about <a href="http://www.c5i.com/index.php/latest-industry-news/halting-hackers-with-good-cyber-hygiene" target="_blank">evil hackers trying to "steal information."</a>  In it, there's a line that might sound a wee bit familiar, referring to the impression of hackers as being "the teenager in his or her parent's basement with bunny slippers and a Mountain Dew."  Apparently, both of the Rogers really have a thing about teens in basements.  The article is typical FUD, making statements with no proof, including repeating the NSA's ridiculous allegation that hackers have led to the "greatest transfer of wealth in American history."  It's such a good line, except that it's completely untrue. The top US companies have recently admitted to <a href="http://www.techdirt.com/articles/20130409/15372222650/as-congress-debates-cispa-companies-admit-no-real-damage-cyberattacks.shtml">absolutely no damage</a> from such attacks.  The article also lumps in "hacktivists" like Anonymous, as if they're a part of this grand conspiracy that needs new laws.
<br /><br />
Tellingly, in the print version of Washington Life that this article appeared in, which you can see embedded below, you'll note that there's a sidebar right next to her article about the importance of passing cybersecurity legislation in Congress.  Guess what's not mentioned anywhere at all?  The fact that Kristi Rogers, author of the fear-mongering article, happens to be married to Rep. Mike Rogers, the guy in charge of pushing through cybersecurity legislation.  That sure seems like a rather key point, and a major conflict of interest that neither seemed interested in disclosing.  Oh, and Kristi Rogers recently changed jobs as well, such that she's now the "managing director of federal government affairs and public policies" <a href="http://www.manatt.com/KristiRogers.aspx" target="_blank">at Manatt</a>, a big lobbying firm, where (surprise, surprise) she's apparently focused on "executive-level problem solving in the defense and homeland security sectors."  I'm sure having CISPA in place will suddenly create plenty of demand for such problem solving.
<br /><br />
A few months ago, in one of his FUD-filled talks about why we need cybersecurity, Rogers claimed that it was all so scary that he literally <a href="http://www.techdirt.com/articles/20121004/14540520597/cispa-author-ramps-up-fud-claims-he-cant-sleep-night-due-to-unusual-source-threatening-us.shtml">couldn't sleep at night</a> until CISPA was passed due to an "unusual source" threatening us.  The whole statement seemed odd, until you realize that his statement came out at basically the same time as his wife's fear-mongering article about cybersecurity.  I guess when your pillow talk is made-up boogeyman stories about threats that don't actually exist, it might make it difficult to fall asleep.
<br /><br />
Either way, <i>even if</i> we assume that everything here was done aboveboard -- and we're not suggesting it wasn't -- this is <i>exactly</i> the kind of situation that Larry Lessig has referred to as <a href="http://www.techdirt.com/articles/20110113/14141312658/what-corruption-looks-like-87-congressional-reps-supporting-comcastnbc-merger-got-money-comcast.shtml">soft corruption</a>.  It's not bags of money shifting hands, but it <b>appears highly questionable to the public</b>, leading the public to <i>trust Congress a lot less</i>.  At the very least, in discussing all of this stuff, when Mrs. Rogers is writing articles that help the push for CISPA, it seems only fair to disclose that she's married to the guy pushing for the bill.  And when Mr. Rogers is pushing for the bill, it seems only right to disclose that his wife almost certainly would benefit from the bill passing.  And yet, that doesn't seem to have happened... anywhere.
 ]]></description>
<slash:department>no-conflict,-no-interest</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130417/16253022748</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 18 Apr 2013 03:31:54 PDT</pubDate>
<title>Latest CISPA 'Privacy' Amendment Is More Of The Same: Minor Changes Dressed Up As Real Solutions</title>
<dc:creator>Leigh Beadon</dc:creator>
<link>http://www.techdirt.com/articles/20130417/13393422747/latest-cispa-privacy-amendment-is-more-same-minor-changes-dressed-up-as-real-solutions.shtml</link>
<guid>http://www.techdirt.com/articles/20130417/13393422747/latest-cispa-privacy-amendment-is-more-same-minor-changes-dressed-up-as-real-solutions.shtml</guid>
<description><![CDATA[ <p>
<em><strong>Update:</strong> It has become a little unclear what the status of this amendment is now. Yesterday we heard that it had passed, but now it seems to have been changed, and it's back up for debate on the floor. We'll get you more updates on whether or not it goes through, and the latest changes, as soon as we can.</em>
</p>
<p>
In the latest round of changes to CISPA, the House passed a new amendment that supposedly (according to CISPA supporters) addresses the privacy and civil liberty concerns about the bill. The <a href="https://s3.amazonaws.com/s3.documentcloud.org/documents/686647/mccaul-civilian-control.pdf" target="_blank">amendment</a> (pdf and embedded below) ostensibly establishes civilian agency control (through Homeland Security) over information shared under CISPA, since many people are reasonably worried about all this data ending up in the hands of the NSA. Unfortunately, as the EFF determined in their initial analysis, <a href="https://www.eff.org/deeplinks/2013/04/amendment-wont-stop-data-going-nationa-security-agency">it doesn't really change anything&mdash;it just lets the DHS go along for the ride</a>:
</p>
<blockquote><em>The amendment in question does not strike or amend the part of CISPA that actually deals with data flowing from companies to other entities, including the federal government. The bill still says that: &#8220;Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes...share such cyber threat information with any other entity, including the Federal Government.&#8221; The liability immunity provisions also remain.
<br /><br />
While this amendment does change a few things about how that information is treated within the government, it does not amend the primary sharing section of the bill and thus would not prevent companies from sharing data directly with military intelligence agencies like the National Security Agency if they so choose.</em></blockquote>
<p>
Indeed, the text of the amendment appears to create a significant <em>role</em> for the DHS in information sharing procedures, but gives it little power in terms of actually protecting privacy or filtering information&mdash;the amendment mandates that information still be shared with other agencies in real time, and it still appears to allow companies and organizations to bypass the DHS entirely.
</p>
<p>
A portion of the amendment outlines certain privacy guidelines, but they are the same as those we <a href="http://www.techdirt.com/articles/20130410/15550522671/cispa-amendment-proves-everyones-fears-were-justified-while-failing-to-assuage-them.shtml">discussed before</a>: filled with enough release valves and escape routes to render them virtually meaningless, closer to a list of "best practices" than actual rules. The fact is that, despite what the bill's supporters and some of the media reporting on it would <a href="http://thehill.com/blogs/hillicon-valley/technology/294509-cispa-privacy-amendment-circulating#ixzz2Qk42EkF6" target="_blank">have you believe</a>, the core problems with CISPA have not been addressed, nor have any of the "efforts" in that direction amounted to much more than a smokescreen. With a final CISPA vote looming at any time, it's never been more important to voice your opposition to the bill.
</p>
 ]]></description>
<slash:department>same-old-thing-with-a-new-coat-of-paint</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130417/13393422747</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 17 Apr 2013 13:02:00 PDT</pubDate>
<title>Government Has Already Fooled Us More Than Once On Privacy; History Belies How CISPA Will Be Used</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130417/10212122743/government-has-already-fooled-us-more-than-once-privacy-history-belies-how-cispa-will-be-used.shtml</link>
<guid>http://www.techdirt.com/articles/20130417/10212122743/government-has-already-fooled-us-more-than-once-privacy-history-belies-how-cispa-will-be-used.shtml</guid>
<description><![CDATA[ One of the key things we've seen in the pushback on CISPA is that its backers insist that people arguing against it don't really understand how the bill works, and that it does protect privacy.  CISPA sponsor Rep. Mike Rogers himself took to Twitter this morning to <a href="https://twitter.com/RepMikeRogers/status/324531421257535489" target="_blank">tell the EFF</a> that it's misreading his bill.  But, of course, as we've seen, it seems that Rogers himself is the one <a href="http://www.techdirt.com/articles/20130417/09330122741/cispa-sponsor-doesnt-want-to-bar-privacy-promises-cispa-does-anyway.shtml">being misleading</a> when it comes to privacy.  If he truly believed in privacy protections, he would have supported a variety of <a href="http://www.techdirt.com/articles/20130416/14424022729/house-rules-committee-basically-rejects-any-cispa-amendments-that-would-protect-privacy.shtml">straightforward amendments</a> that made it clear how privacy could be protected.  But he didn't.  Instead, he clearly left it open for abuse.
<br /><br />
One of the key points that Rogers keeps saying over and over again is that this bill is not a "surveillance" bill.  Why?  Because it doesn't allow the NSA or others to go in and automatically get info.  But Rogers is choosing his words very carefully, such that he absolutely misrepresents how the bill <i>can</i> and almost certainly <i>will</i> be used.  And while he and other CISPA supporters will (and have) argued that the <i>possible</i> abuses of CISPA are crazy conspiracy theories that wouldn't happen in practice, we have too many examples of how the US government's intelligence infrastructure very quickly expands to make use of <i>every single loophole</i> provided to them within the law -- sometimes going so far as to interpret laws in ways clearly contrary to Congressional intent, just because they can.  Let's just highlight two examples:
<ol>
<li> The FISA Amendments Act, which was passed in association with the Patriot Act, supposedly to give the NSA more powers to scoop up communications of folks involved in terrorist activity.  Now, the NSA is -- by mandate -- not allowed to spy on Americans.  And yet, multiple <a href="http://www.techdirt.com/articles/20120827/12503920170/nsa-whistleblower-explains-how-nsa-is-collecting-data-all-you-hes-sorry-about-it.shtml">whistleblowers</a> and hints from <a href="http://www.techdirt.com/articles/20110922/03520616050/senators-wyden-udall-to-doj-stop-saying-patriot-act-isnt-secret-law-when-you-know-it-is.shtml">folks who know</a> in Congress have made it quite clear that the NSA has interpreted the FISA Amendments Act to allow exactly that -- even as many in Congress clearly <a href="http://www.techdirt.com/articles/20120913/23182420380/house-approves-bill-to-spy-americans-misrepresenting-lying-about-whats-bill.shtml">don't understand</a> how the bill is being used.
<br /><br />
While it's still not official, enough information <a href="http://www.cato-at-liberty.org/what-the-manual-by-dojs-top-intelligence-lawyer-says-about-the-fisa-amendments-act/" target="_blank">has been revealed</a> to show that the NSA interprets the requirement that its surveillance target foreign persons to mean that as long as it's <i>looking for</i> foreign terrorist activity, it can spy on everyone.  Get that?  It's a sneaky trick that many have not realized.  The NSA argues -- likely with agreement from a secret court ruling -- that so long as it can claim that it is investigating a foreign threat somewhere, somehow, the prohibition on spying on Americans does not apply.  There is increasing evidence that this now means that the NSA is scooping up pretty much <a href="http://www.techdirt.com/articles/20120317/00381118147/terrifying-look-into-nsas-ability-to-capture-analyze-pretty-much-every-communication.shtml">all data</a> it can get its hands on.  While it may not be going through it in real time, it appears to believe that, as long as it can make the argument that it's searching for a foreign threat, it can delve into that treasure chest of, well, everything.
<br /><br />
</li><li>Next: the "national security letters" (NSL) issue.  While a court recently ruled these <a href="http://www.techdirt.com/articles/20130315/14254522342/shocker-court-says-national-security-letters-are-unconstitutional-bans-them.shtml">unconstitutional</a>, this process has been widely abused by the FBI for years to get private information on people without a warrant <i>and</i> with a gag order on recipients.  Every time it's been investigated, it's been shown that the FBI has widely <a href="http://www.techdirt.com/articles/20070309/145914.shtml">abused</a> its NSL powers.  However, since there's almost no oversight, the FBI still feels free to make widespread use of the tool, which was only supposed to be used in extreme circumstances.
<br /><br />
Along those lines, the FBI has gotten so comfortable with asking companies for data without a warrant or <i>any</i> formal oversight process, that it was revealed a few years ago that, rather than going through the drudgery of actually processing paperwork to get private info from AT&#038;T, some agents simply <a href="http://www.techdirt.com/articles/20100121/1418107862.shtml">used Post-It Notes</a> to make their requests, which AT&#038;T readily coughed up without question.
</li></ol>
The point, hopefully, is clear.  We've never seen law enforcement show any hint of <i>not</i> making use of any and all powers it has at its disposal to twist and interpret laws to allow it to get private information on people without a warrant or any real oversight.  While the latest version of CISPA pays some tiny lip service to privacy, the simple fact is that, by definition, it wipes out <i>all privacy laws</i> in protecting companies entirely from liability for coughing up your information.
<br /><br />
CISPA supporters also like to claim that since CISPA is "voluntary," companies will have no reason to give up your private info.  That's nice in theory.  And, sure, perhaps some principled companies will resist, but we've already seen the AT&#038;T example above.  And, even more importantly, we've seen how <a href="http://www.techdirt.com/articles/20101201/12255912081/amazon-bows-to-us-censorship-pressure-refuses-to-host-wikileaks.shtml">pressure</a> from the US government, or even <a href="http://www.techdirt.com/articles/20100610/1334239771.shtml">threats</a> of the government shaming them publicly for not "helping" have been incredibly effective in making "voluntary" action suddenly seem obligated.
<br /><br />
The saying goes "fool me once, shame on you. Fool me twice, shame on me."   We've been fooled many times by the US government insisting that certain laws won't be used to violate our privacy, when it later comes out that they were used in exactly that way.  So forgive us for calling bullshit on Mike Rogers' claims that CISPA doesn't "allow" the government to spy on Americans.  It absolutely does.  It opens up a clear path for law enforcement and intelligence agencies (and others!) to hide behind the liability protections within the law to pressure companies to reveal whatever they want with absolutely no repercussions.
<br /><br />
That seems like a pretty serious issue, and one that Congress and supporters of CISPA don't seem to want to admit.
 ]]></description>
<slash:department>let's-get-real</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130417/10212122743</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 17 Apr 2013 09:55:28 PDT</pubDate>
<title>CISPA Renders Online Privacy Agreements Meaningless, But Sponsor Sees No Reason To Fix That</title>
<dc:creator>Berin Szoka</dc:creator>
<link>http://www.techdirt.com/articles/20130417/09330122741/cispa-renders-online-privacy-agreements-meaningless-sponsor-sees-no-reason-to-fix-that.shtml</link>
<guid>http://www.techdirt.com/articles/20130417/09330122741/cispa-renders-online-privacy-agreements-meaningless-sponsor-sees-no-reason-to-fix-that.shtml</guid>
<description><![CDATA[ CISPA's sponsors insist the law is 100% voluntary&#8212;it doesn't compel companies to do anything. But as we've been warning <a href="http://cei.org/news-releases/free-market-coalition-amend-cispa-preserve-freedom-prevent-govt-overreach" target="_blank">for a year</a> and warned again <a href="http://www.redstate.com/2013/04/16/cispa-shouldnt-infringe-on-freedom-of-contract/" target="_blank">yesterday</a>, the bill's blanket immunity provision doesn't merely clear a "legislative thicket" of laws restricting information-sharing about cyber threats. It also bars companies from making enforceable promises to their users about how they might share users' information with the government or other companies in the name of protecting cybersecurity. Yesterday the House Rules Committee <a href="http://news.cnet.com/8301-13578_3-57579958-38/cispa-vote-means-companies-cant-promise-to-protect-privacy/" target="_blank">refused to allow</a> a <a href="http://www.rules.house.gov/amendments/AMASH_008_xml416130939483948.pdf" target="_blank">bipartisan amendment</a>, sponsored by Rep. Justin Amash to fix this problem, to be brought to the floor for a vote.
<br /><br />
At that <a href="http://house.granicus.com/MediaPlayer.php?view_id=2&clip_id=469" target="_blank">Committee meeting</a> (1:01:45), the bill's chief sponsor Chairman Rogers emphatically repeated his earlier assertions that CISPA wouldn't breach private contracts in response to questions from Jared Polis:
<blockquote>
<b>Polis</b>: Why wouldn't it work to leave it up, getting back to the contract part, and I think again there may be a series of amendments to do this, if a company feels, if it's voluntary for companies, why not allow them the discretion to enter into agreements with their customers that would allow them to share the information? ...
<br /><br />
<b>Rogers</b>: I think those companies should make those choices on their own. They develop their own contracts. I think they should develop their own contracts. They should enforce their own contracts in the way they do now in civil law. I don't know why we want to get in that business.
</blockquote>
And yet... CISPA will go to the House floor as written, providing an absolute immunity from "any provision of law," including private contracts and terms of service.
<br /><br />
Only in Congress can you swear up and down that your bill doesn't do X, then refuse to amend it so that it really doesn't do X&#8212;and then lecture those who note the disconnect, like Polis, with patronizing comments like "once you understand the mechanics of the bill..." (1:02:50).
<br /><br />
It brings to mind what Galileo said after he was forced to sign a confession recanting belief in Copernicus's heretical idea that the Earth revolves around the sun: "And yet, it moves."
<br /><br />
And yet... for all Rogers' bluster, CISPA moots private contracts&#8212;and House Republican leadership won't fix the problem, even when five of their GOP colleagues offer a <a href="http://www.rules.house.gov/amendments/AMASH_008_xml416130939483948.pdf" target="_blank">simple, elegant fix.</a>
<br /><br />
This is the same stubborn refusal to accept criticism and absorb new information that brought us SOPA, PIPA and a host of other ill-conceived attempts to regulate the Internet. It's the very opposite of what should be the cardinal virtue of Internet policy: <a href="http://declarationofinternetfreedom.org/" target="_blank">humility</a>. Tinkering with the always-changing Internet is hard work. But it's even harder when you stuff your fingers in your ears and chant "Lalalala, I can't hear you."
<br /><br />
The good news is that, as with SOPA, this fight transcended partisan lines, uniting a Democrat like Jared Polis (an openly gay progressive from Boulder) with a strict constitutionalist like Justin Amash (the "Ron Paul Republican" from Grand Rapids, Michigan)&#8212;and four more traditional Republicans. This is precisely the realignment predicted 15 years ago by Virginia Postrel in <i><a href="http://www.dynamist.com/tfaie/index.html" target="_blank">The Future and Its Enemies</a></i>. On one side are those profoundly uncomfortable with change, desperate to control and plan the future, and so insecure about their own understanding of technology that they inevitably perceive criticism as a personal attack. On the other are those far more humble and more willing to let the future play out in all its messy unpredictability. The first camp is always pushing for the one, right piece of legislation that will avert a crisis. The second camp admits they don't know the one, best way to deal with a problem like encouraging sharing of cyberthreat information while protecting user privacy, so they reject static rules that can only be changed by Congress. They want simple rules for a complex world. At a minimum, they want what law Professor Richard Epstein argues in his book <i>Simple Rules for a Complex World</i>--the perfect slogan for this camp--"the most ubiquitous legal safety hatch adds three words to the formal statement of any rule: unless otherwise agreed."
<br /><br />
It's not a battle between Left and Right, or conservatives and progressives. It's a battle between attitudes towards the future: the <i>stasis mentality</i> of Congressmen like Mike Rogers and Lamar Smith (of SOPA infamy) and the <i>dynamism</i> of Justin Amash and Jared Polis, and SOPA foes like Republicans Darrell Issa and Jason Chaffetz and Democrats Ron Wyden and Zoe Lofgren.
<br /><br />
The dynamists may have lost this battle. But, like Galileo, we'll eventually win the war. The only questions are: How many more poorly crafted, one-size-fits-all laws will the stasists put on the books in the meantime? How long will it take to clear the <i>real</i> "legislative thicket"--all the complex laws that attempt to provide a single answer for a complex and unknowable future? And when will it finally become unacceptable for Congressmen like Mike Rogers to ram through legislation that doesn't even do what they claim?
<br /><br />
<i>Berin Szoka (<a href="https://twitter.com/berinszoka" target="_blank">@BerinSzoka</a>) is President of <a href="http://techfreedom.org/" target="_blank">TechFreedom</a> (<a href="https://twitter.com/techfreedom" target="_blank">@TechFreedom</a>), a dynamist tech policy think tank.</i>
 ]]></description>
<slash:department>all-talk</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130417/09330122741</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 17 Apr 2013 05:40:58 PDT</pubDate>
<title>The Greatest Trick The Government Ever Pulled Was Convincing The Public The 'Hacker Threat' Exists</title>
<dc:creator>Tim Cushing</dc:creator>
<link>http://www.techdirt.com/articles/20130408/17093022626/greatest-trick-government-ever-pulled-was-convincing-public-hacker-threat-exists.shtml</link>
<guid>http://www.techdirt.com/articles/20130408/17093022626/greatest-trick-government-ever-pulled-was-convincing-public-hacker-threat-exists.shtml</guid>
<description><![CDATA[ <p>
The US government is already fighting wars on several fronts, including the perpetual War on Terror. "War is the health of the state," as Randolph Bourne stated, and the <a href="http://archive.mises.org/7992/higgs-war-is-the-health-of-the-state-sickness-of-the-economy/" target="_blank">state has never been healthier</a>, using this variety of opponents as excuses to increase surveillance, curtail rights and expand power.
<br /><br />
<a href="http://www.cato.org/blog/war-health-state-redux" target="_blank">Bruce Schneier highlights a piece written by Molly Sauter for the Atlantic</a> which poses the question, "<a href="http://www.theatlantic.com/technology/archive/12/07/if-hackers-didnt-exist-governments-would-have-to-invent-them/259463/" target="_blank">If hackers didn't exist, would the government have to invent them?</a>" The government certainly seems to <i>need</i> some sort of existential hacker threat in order to justify <i>more</i> broadly/badly written laws (on <i>top</i> of the outdated and overbroad CFAA). But the government's portrayal of hackers as "malicious, adolescent techno-wizards, willing and able to do great harm to innocent civilians and society at large," is largely false. If teen techno-wizards aren't taking down site after site, how is all this personal information ending up in hackers' hands? Plain old human carelessness.
<blockquote>
<i>According to the <a href="https://www.privacyrights.org/data-breach/new" target="_blank">Privacy Rights Clearinghouse</a>, the loss or improper disposal of paper records, portable devices like laptops or memory sticks, and desktop computers have accounted for more than 1,400 data-breach incidents since 2005 -- almost half of all the incidents reported. More than 180,000,000 individual records were compromised in these breaches...</i></blockquote>
By comparison, only 631 breaches were attributed to <i>actual</i> hacking, or at least hacking as it's portrayed by the government. Private entities aren't very worried about being hacked either, at least not from the outside. Their main concern, according to the Privacy Rights Clearinghouse, is "inside jobs" by disgruntled employees.
<br /><br />
Nonetheless, the narrative advanced by the government (and passed along by the largely credulous mainstream media) of unstoppable hackers and their omnipresent threat to major companies, the government itself, average Americans and underlying infrastructure, continues nearly unimpeded. This narrative is essential to those in the government who wish to justify large-scale surveillance of anything and anyone connected to the internet. The scarier the image, the more it can get away with.
<blockquote>
<i>It is the hacker -- a sort of modern folk devil who personifies our anxieties about technology -- who gets all the attention. The result is a set of increasingly paranoid and restrictive laws and regulations affecting our abilities to communicate freely and privately online, to use and control our own technology, and which puts users at risk for overzealous prosecutions and invasive electronic search and seizure practices. The Computer Fraud and Abuse Act, the cornerstone of domestic computer-crime legislation, is overly broad and poorly defined. Since its passage in 1986, it has created a pile of confused caselaw and overzealous prosecutions.</i></blockquote>
We've seen the <a href="http://www.techdirt.com/articles/20130306/13444122220/holder-doj-used-discretion-bullying-swartz-press-lacked-discretion-quoting-facts.shtml" target="_blank">overzealous prosecution</a> and expressed disbelief and amazement at <a href="http://www.techdirt.com/articles/20130406/22004022615/which-ny-times-reporter-jenna-wortham-accidentally-reveals-how-she-violated-both-cfaa-dmca.shtml" target="_blank">some of the interpretations</a> of this outdated law. (Amazingly, Sauter's post was written <i>before</i> the most recent cases of overzealous prosecution.) And instead of fixing the CFAA, legislators are actively working to make it worse, even as overly-broad cybersecurity legislation is being negotiated in secret.
<br /><br />
The "modern folk devil" image has become part of the mass consciousness. Anonymous and its various offshoots roam the internet, at turns wreaking havoc and helping the oppressed, like an electronic manifestation of <a href="http://en.wikipedia.org/wiki/Loki" target="_blank">Loki, the Distributed</a>. These activities are duly reported by the media in ominous tones, further driving home the image of the hacker as Millennial Public Enemy No. 1. The acts and the perception of the damage caused by this hacking are miles apart, <a href="http://xkcd.com/932/" target="_blank">as is perfectly illustrated by xkcd</a>.
</p>
<center> <a href="http://xkcd.com/932/" target="_blank"><img alt="" src="http://i.imgur.com/qHfJ0h0.png" style="width: 501px; height: 228px;" /></a></center>
<p>
<br /> Many members of the American public are already convinced something should be done about hackers. Many of our representatives feel the same way. A lack of knowledge of the underlying technology, much less the methods or culture, hasn't deterred legislators from crafting an overbroad response with the CISPA bill. Examining the issues more closely or reconsidering the legislation doesn't seem to be an option. After all, a "<a href="http://www.techdirt.com/articles/20121017/19152520740/defense-secretary-leon-panetta-recycles-his-cyber-pearl-harbor-fud-third-times-charm.shtml" target="_blank">cyber Pearl Harbor</a>" is all but inevitable, a conclusion confirmed by shouting "HACKER!" in the halls of Congress and hearing it echoed back by like-minded representatives, sympathetic government agencies, the media and a subset of the American public.
<blockquote>
<i>In the effort to protect society and the state from the ravages of this imagined hacker, the US government has adopted overbroad, vaguely worded laws and regulations which severely undermine internet freedom and threaten the Internet's role as a place of political and creative expression.</i></blockquote>
The endgame is <a href="http://www.techdirt.com/articles/20111023/02413916479/non-existent-cyber-war-is-nothing-more-than-push-more-government-control.shtml" target="_blank">more control</a>, and the "hacker" provides an ominous, omnipresent threat that, because of the hacker's naturally secretive nature, can neither be confirmed nor denied with any veracity. Much like the War on Terror, this War on Hacking takes rights from the American public, carves out huge chunks and sends the gutted remains back to citizens in a package marked "Safety."
<br /><br />
</p><br /><br /><a href="http://www.techdirt.com/articles/20130408/17093022626/greatest-trick-government-ever-pulled-was-convincing-public-hacker-threat-exists.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20130408/17093022626/greatest-trick-government-ever-pulled-was-convincing-public-hacker-threat-exists.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20130408/17093022626/greatest-trick-government-ever-pulled-was-convincing-public-hacker-threat-exists.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>the-2nd-was-continuing-taxation-long-after-representation-ceased-to-exist</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130408/17093022626</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 16 Apr 2013 16:14:00 PDT</pubDate>
<title>Thousands Of People Tweet To Rep. Mike Rogers That They're Not 14, Not In Their Basement, And They Still Oppose CISPA</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130416/14525322730/thousands-people-tweet-to-rep-mike-rogers-that-theyre-not-14-not-their-basement-they-still-oppose-cispa.shtml</link>
<guid>http://www.techdirt.com/articles/20130416/14525322730/thousands-people-tweet-to-rep-mike-rogers-that-theyre-not-14-not-their-basement-they-still-oppose-cispa.shtml</guid>
<description><![CDATA[ We just noted how Rep. Mike Rogers, the sponsor for the CISPA cybersecurity bill that wipes out a variety of privacy protections for companies handing private info to the government had told the House Rules Committee that the only real opposition was <a href="http://www.techdirt.com/articles/20130416/13354422728/cispa-sponsor-claims-opposition-is-14-year-olds-their-basement.shtml">14-year-olds in their basement</a>.  It seems that many opponents to CISPA think Rogers is ignorant.  A campaign quickly went viral on Twitter in which people are <a href="https://twitter.com/search/realtime?q=%40repmikerogers&#038;src=typd" target="_blank">tweeting at Rep. Rogers' account</a> about how they're not 14, not in their basement, but still very much opposed to CISPA.  In just an hour or so, there have been well over 1,500 tweets, and the number keeps growing rapidly.  By the time this post is edited and live, it will almost certainly be well over 2,000 and growing.
<center>
<a href="http://imgur.com/mlmzuae"><img src="http://i.imgur.com/mlmzuae.png" title="Hosted by imgur.com" alt="" /></a><br />
<a href="http://imgur.com/ndWI3Zh"><img src="http://i.imgur.com/ndWI3Zh.png" title="Hosted by imgur.com" alt="" /></a>

</center>
Those are just two quick screenshots showing some of the top complaints.  That's not me pulling out a few, those were just the most recent ones and new ones keep piling up.
<br /><br />
Perhaps Congressman Mike Rogers might want to rethink his assessment of the opposition and recognize that maybe there are legitimate privacy concerns that he has chosen to not properly address in his bill.<br /><br /><a href="http://www.techdirt.com/articles/20130416/14525322730/thousands-people-tweet-to-rep-mike-rogers-that-theyre-not-14-not-their-basement-they-still-oppose-cispa.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20130416/14525322730/thousands-people-tweet-to-rep-mike-rogers-that-theyre-not-14-not-their-basement-they-still-oppose-cispa.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20130416/14525322730/thousands-people-tweet-to-rep-mike-rogers-that-theyre-not-14-not-their-basement-they-still-oppose-cispa.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>speak-up</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130416/14525322730</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 16 Apr 2013 13:47:53 PDT</pubDate>
<title>CISPA Sponsor Claims Opposition Is '14 Year Olds In Their Basement'</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130416/13354422728/cispa-sponsor-claims-opposition-is-14-year-olds-their-basement.shtml</link>
<guid>http://www.techdirt.com/articles/20130416/13354422728/cispa-sponsor-claims-opposition-is-14-year-olds-their-basement.shtml</guid>
<description><![CDATA[ The House Committee on Rules has been debating CISPA and what will be covered in the official floor debate and what amendments will be presented tomorrow or the next day (whenever it hits the floor).  Much of it was routine stuff, but there was some typical bogus grandstanding about the giant threat of a cyberattack that's going to kill us all (be afraid!) if we don't do something (no worry about if that something will actually help).  Representative Mike Rogers, the sponsor of CISPA and its main backer, decided that he was going to take the lowest road possible in talking about the concerns of privacy advocates by saying that the only opposition is <a href="https://twitter.com/BrendanSasso/status/324254637731483650" target="_blank">"14-year-olds in their basement."</a>  That statement followed the claim that "Silicon Valley CEOs support CISPA."
<br /><br />
<b>Update</b>: Sina Khanifer has <a href="http://www.youtube.com/watch?v=3htEqpr99lk&feature=youtu.be" target="_blank">uploaded a video</a> of Rogers making these comments.
<center>
<iframe width="420" height="315" src="http://www.youtube.com/embed/3htEqpr99lk" frameborder="0" allowfullscreen></iframe>
</center>

This is insulting on a whole variety of levels.  First of all, it suggests that privacy advocates are nothing more than children.  That's ridiculous.  The White House, who have raised privacy concerns about the bill, are 14-year-olds in their basement?  Rogers honestly thinks insulting the President is the way to get CISPA passed? The ACLU are 14-year-olds in their basement?  Really?  The tens of thousands of people who have contacted Congress in the past few weeks about this are all 14-year-olds in their basement?  Rogers owes the <i>public</i> he represents a massive apology.
<br /><br />
Second, the comment about Silicon Valley CEOs is not true.  Yes, there are <i>some</i> tech companies who are in favor of CISPA, mainly because of the liability protections they would get.  But it is hardly an across the board belief.  Many, many tech companies are all quite concerned about CISPA and what it will mean for the privacy of their users.  Both Mozilla and Reddit have strongly spoken out against CISPA.  Do they not count?
<br /><br />
Third, the idea that because some Silicon Valley CEOs support CISPA, it means that there couldn't possibly be any concern.  This is an outgrowth of the <i>myth</i> that SOPA was only stopped because tech companies spoke out.  As such, politicians like Rogers think all they need to do is appease tech CEOs, and not the public, whom they're supposed to represent.  That Rogers would so outwardly <i>admit</i> that as long as a small group of tech CEOs favor the bill (which is already a highly questionable statement), that he can ignore the public and insult them, is really stunning.
<br /><br />
Of course, what this really shows is Rep. Mike Rogers' absolute <i>disdain</i> for privacy.  He doesn't take the concerns of the public, of privacy advocates, and even of the White House seriously.  Instead, he sees privacy as something that should be mocked and those who support it insulted.  Why should such a person be in charge of wiping out privacy laws on the internet?<br /><br /><a href="http://www.techdirt.com/articles/20130416/13354422728/cispa-sponsor-claims-opposition-is-14-year-olds-their-basement.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20130416/13354422728/cispa-sponsor-claims-opposition-is-14-year-olds-their-basement.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20130416/13354422728/cispa-sponsor-claims-opposition-is-14-year-olds-their-basement.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>taking-the-high-road?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130416/13354422728</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 16 Apr 2013 13:18:02 PDT</pubDate>
<title>White House Threatens To Veto CISPA If Privacy Is Not Protected</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130416/13132722727/white-house-threatens-to-veto-cispa-if-privacy-is-not-protected.shtml</link>
<guid>http://www.techdirt.com/articles/20130416/13132722727/white-house-threatens-to-veto-cispa-if-privacy-is-not-protected.shtml</guid>
<description><![CDATA[ While it had hinted at a veto threat earlier, the White House has now put out a statement on CISPA saying that, if privacy protections are not added to the bill, <a href="http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/113/saphr624r_20130416.pdf" target="_blank">it will likely veto the bill</a>.  I know some cynical folks will note the possibility of an out, and the chance that he'll sign the bill anyway, but hopefully the meaningful threat of a veto will convince Congress to think twice about passing a bad bill that wipes out privacy protections.
<blockquote><i>
Both government and private companies need cyber threat information to allow them to identify, prevent, and respond to malicious activity that can disrupt networks and could potentially damage critical infrastructure. The Administration believes that carefully updating laws to facilitate cybersecurity information sharing is one of several legislative changes essential to protect individuals' privacy and improve the Nation's cybersecurity. While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.
<br /><br />
The Administration recognizes and appreciates that the House Permanent Select Committee on Intelligence (HPSCI) adopted several amendments to H.R. 624 in an effort to incorporate the Administration's important substantive concerns. <u>However, the Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill</u>. The Administration seeks to build upon the continuing dialogue with the HPSCI and stands ready to work with members of Congress to incorporate our core priorities to produce cybersecurity information sharing legislation that addresses these critical issues.
</i></blockquote>
There are some <a href="http://www.rules.house.gov/Legislation/legislationDetails.aspx?NewsID=1069" target="_blank">good amendments proposed</a>, which would help protect privacy, but it's unclear how likely they are to pass.
<br /><br />
Furthermore, it's still quite troubling that no one seems willing to explain why this is needed, and what existing laws are somehow getting in the way of important information being shared.  We keep asking that question, and it seems odd that no one replies other than "but... but... but... cyberattacks from China!!"<br /><br /><a href="http://www.techdirt.com/articles/20130416/13132722727/white-house-threatens-to-veto-cispa-if-privacy-is-not-protected.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20130416/13132722727/white-house-threatens-to-veto-cispa-if-privacy-is-not-protected.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20130416/13132722727/white-house-threatens-to-veto-cispa-if-privacy-is-not-protected.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>now-carry-through</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130416/13132722727</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 15 Apr 2013 11:59:22 PDT</pubDate>
<title>IBM Sends 200 Execs To Capitol Hill To Demand The Right To Send Your Private Info To The NSA</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130415/11401222711/ibm-sends-200-execs-to-swarm-capital-hill-demand-right-to-send-your-private-info-to-nsa.shtml</link>
<guid>http://www.techdirt.com/articles/20130415/11401222711/ibm-sends-200-execs-to-swarm-capital-hill-demand-right-to-send-your-private-info-to-nsa.shtml</guid>
<description><![CDATA[ We've talked about various tech companies <a href="https://www.techdirt.com/articles/20130411/15571022683/shameful-tech-companies-fighting-against-necessary-cfaa-reform-cispa-fixes.shtml">supporting CISPA</a>, which is really shameful and short-sighted.  Yes, it protects them from liability if they trample all over your privacy and provide your private info to the government -- which is why they support it.  But if they were truly customer focused companies, they would know that violating your privacy is no way to build a loyal customer base.  And, apparently, the right to violate your privacy and hand that info to the government is so important to IBM that it has <a href="http://thehill.com/blogs/hillicon-valley/technology/293715-ibm-launching-cispa-advocacy-tour" target="_blank">sent 200 executives to Capitol Hill today to lobby in favor of passing CISPA</a>.  CISPA is expected to go to a floor vote in the House either this Wednesday or Thursday.
<blockquote><i>
Nearly 200 senior IBM executives are flying into Washington to press for the passage of a controversial cybersecurity bill that will come up for a vote in the House this week.
<br /><br />
The IBM executives will pound the pavement on Capitol Hill Monday and Tuesday, holding nearly 300 meetings with lawmakers and staff. Over the course of those two days, their mission is to convince lawmakers to back a bill that&#8217;s intended to make it easier for industry and government to share information about cyber threats with each other in real time.
</i></blockquote>
What they still can't explain is what laws <i>currently</i> get in the way of this information sharing?  We've been asking for years and <b>no one</b> has answered.  Everyone agrees that information sharing around an attack can be useful in stopping it, but no one has explained why that information sharing (a) requires a new law or (b) can't be done without wiping out <b>all</b> basic privacy protections for personal info currently provided under existing law.
<br /><br />
Even more ridiculous is that IBM <b>flat out admits</b> that they want to be able to send your info to the NSA.  We've pointed out for a while that one of the major concerns with CISPA is that the NSA -- a military agency -- would get access to your info, despite the general prohibition on spying on Americans.  Of course, the NSA has <a href="http://www.techdirt.com/articles/20120821/16141120116/how-random-lawsuit-about-telco-policy-probably-resulted-broad-secret-law-enabling-nsa-to-spy-you.shtml">twisted</a> that mandate ridiculously, such that it believes it can now spy on <a href="http://www.techdirt.com/articles/20120827/12503920170/nsa-whistleblower-explains-how-nsa-is-collecting-data-all-you-hes-sorry-about-it.shtml"><i>anything</i></a> so long as they claim it may <a href="http://www.techdirt.com/articles/20120913/23182420380/house-approves-bill-to-spy-americans-misrepresenting-lying-about-whats-bill.shtml">help</a> them in finding a foreign threat.  Technically, the law is about the "target" of the information, and the NSA (and potentially the secret ruling from the FISA Court) has interpreted this to mean that as long as the target of the <i>investigation</i> is a foreign threat, then the NSA can snoop through anything in pursuit of that target.
<br /><br />
Of course, most folks have been trying to <i>play down</i> the fact that the NSA would get the info.  But not IBM.  Nope, they're thrilled to send your private info right to the NSA:
<blockquote><i>
[IBM VP of government affairs Chris] Padilla, however, says companies need to be able to share threat data directly with the NSA &#8220;because that&#8217;s where the expertise is.&#8221;
<br /><br />
&#8220;It really is a simple matter. The expertise in the U.S. government on cybersecurity largely rests in one place, and that's the National Security Agency,&#8221; he said. &#8220;They tend to know the most, the soonest about cyber threats and I think, frankly, there is a certain amount of feeling in the business community that you should be able to work directly and share information directly with the agency that has the most expertise.&#8221;
</i></blockquote>
While the NSA does have <i>some</i> knowledge on cybersecurity, it's an exaggeration to suggest that they have "the expertise" on the subject.  It also does nothing to explain why your private info should be included.<br /><br /><a href="http://www.techdirt.com/articles/20130415/11401222711/ibm-sends-200-execs-to-swarm-capital-hill-demand-right-to-send-your-private-info-to-nsa.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20130415/11401222711/ibm-sends-200-execs-to-swarm-capital-hill-demand-right-to-send-your-private-info-to-nsa.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20130415/11401222711/ibm-sends-200-execs-to-swarm-capital-hill-demand-right-to-send-your-private-info-to-nsa.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>nice-one,-guys</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130415/11401222711</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 11 Apr 2013 13:35:17 PDT</pubDate>
<title>White House Says It's Still Unhappy With CISPA, But Stops Short Of Veto Threat</title>
<dc:creator>Leigh Beadon</dc:creator>
<link>http://www.techdirt.com/articles/20130411/13190422681/white-house-says-its-still-unhappy-with-cispa-stops-short-veto-threat.shtml</link>
<guid>http://www.techdirt.com/articles/20130411/13190422681/white-house-says-its-still-unhappy-with-cispa-stops-short-veto-threat.shtml</guid>
<description><![CDATA[ <p>
Ever since CISPA <a href="http://www.techdirt.com/articles/20130410/14493622670/cispa-passes-markup-phase-it-doesnt-look-like-much-was-fixed.shtml">passed the markup phase</a>, people have been waiting to see how the administration would respond to the changes. Today, we got <a href="http://www.latimes.com/business/technology/la-fi-tn-obama-administration-cispa-bill-must-do-more-to-protect-privacy-20130411,0,6238701.story">the official statement from the White House</a>:
</p>
<blockquote><em>We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections. The Administration seeks to build upon the productive dialogue with Chairman Rogers and Ranking Member Ruppersberger over the last several months, and the Administration looks forward to continuing to work with them to ensure that any cybersecurity legislation reflects these principles. Further, we believe the adopted committee amendments reflect a good faith-effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities.</em></blockquote>
<p>
Though it doesn't raise the possibility of a veto, and even avoids explicitly taking a position of support or opposition, it serves as a fairly clear indication that the administration will not be supporting CISPA. Nevertheless, it's a little disappointing in its meekness.
</p>
<p>
Whenever someone spends that many words acknowledging the "good faith" of their opponent and boasting about "productive dialogue", it's a good sign that neither of those things are true. As we <a href="http://www.techdirt.com/articles/20130410/15550522671/cispa-amendment-proves-everyones-fears-were-justified-while-failing-to-assuage-them.shtml">noted</a> earlier, the amendments that were adopted during markup do not just fail to address the issues, they raise serious questions about just how much "good faith" has really been involved in this debate on the side of those who are pushing for the legislation. The dialogue, much like the one with CISPA last year, tends to go a lot like this:
</p>
<blockquote><strong>Opponents:</strong> We are concerned that the bill will be abused in the following ways...<br />
<strong>Supporters:</strong> No, we're not going to do those things.<br />
<strong>Opponents:</strong> Good, but the language still makes it a possibility. You should re-write it to be more clear.<br />
<strong>Supporters:</strong> Okay, we've rewritten it with a more detailed list of restrictions and exceptions.<br />
<strong>Opponents:</strong> But these exceptions are all for exactly the things we were worried about in the first place.<br />
<strong>Supporters:</strong> Sure, but we're not going to do those things.</blockquote>
<p>
The truth is, there's little evidence of any real effort to address the concerns of privacy and civil liberties advocates, the administration, or the general public. The markup session in which the final changes were adopted was closed to the public, and the <a href="http://www.techdirt.com/articles/20130410/11570822664/cispas-sponsor-cant-even-keep-his-story-straight-about-nsa-having-access-to-your-data.shtml">responses</a> from the bill's supporters when pressed on these issues have been somewhat less than comforting. Moreover, we shouldn't even <em>be</em> in the final stages of drafting legislation to solve a problem that nobody has clearly described in the first place. It's good that the White House is not giving CISPA any support, but here's hoping they go a step further and make their opposition to this whole broken approach to cybersecurity legislation explicit.
</p><br /><br /><a href="http://www.techdirt.com/articles/20130411/13190422681/white-house-says-its-still-unhappy-with-cispa-stops-short-veto-threat.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20130411/13190422681/white-house-says-its-still-unhappy-with-cispa-stops-short-veto-threat.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20130411/13190422681/white-house-says-its-still-unhappy-with-cispa-stops-short-veto-threat.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>better-than-nothing</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130411/13190422681</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 10 Apr 2013 15:06:10 PDT</pubDate>
<title>CISPA Passes Markup Phase, But It Doesn't Look Like Much Was Fixed</title>
<dc:creator>Leigh Beadon</dc:creator>
<link>http://www.techdirt.com/articles/20130410/14493622670/cispa-passes-markup-phase-it-doesnt-look-like-much-was-fixed.shtml</link>
<guid>http://www.techdirt.com/articles/20130410/14493622670/cispa-passes-markup-phase-it-doesnt-look-like-much-was-fixed.shtml</guid>
<description><![CDATA[ <p>
As expected, CISPA <a href="https://twitter.com/RepMikeRogers/status/322093511157641218" target="_blank">passed</a> the House Intelligence Committee today after a closed markup session. The vote was 18-2, and according to <a href="https://twitter.com/TonyRomm">Tony Romm</a> at Politico, all of the amendments that were backed by the original authors of the bill were <a href="https://twitter.com/TonyRomm/status/322092414863044608" target="_blank">adopted</a>. If that's the case, we're talking about a bunch of changes that <a href="http://fcw.com/articles/2013/04/09/cispa-revisions.aspx" target="_blank">sound nice but don't accomplish much</a>, such as dropping the "national security" provisions while broadening the definition of cybersecurity to encompass almost anything, requiring the <em>government</em> to remove personal information from shared data (once it's already in the hands of the government), and explicitly preventing companies from using data they receive for marketing purposes (which seems to go against previous insistence that the information shared would only be highly technical threat data).
</p>
<p>
CISPA is expected to go to the full house for a vote next week. As we get a closer look at the bill in its latest state, we'll do a more detailed analysis &mdash; but as it stands there's little reason to believe that any of the core problems have been fixed (and we're <em>still</em> waiting for someone to explain in clear, specific terms why this bill is needed at all).
</p><br /><br /><a href="http://www.techdirt.com/articles/20130410/14493622670/cispa-passes-markup-phase-it-doesnt-look-like-much-was-fixed.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20130410/14493622670/cispa-passes-markup-phase-it-doesnt-look-like-much-was-fixed.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20130410/14493622670/cispa-passes-markup-phase-it-doesnt-look-like-much-was-fixed.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>still-a-bad-bill</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130410/14493622670</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 10 Apr 2013 07:46:56 PDT</pubDate>
<title>As Congress Debates CISPA, Companies Admit No Real Damage From Cyberattacks</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130409/15372222650/as-congress-debates-cispa-companies-admit-no-real-damage-cyberattacks.shtml</link>
<guid>http://www.techdirt.com/articles/20130409/15372222650/as-congress-debates-cispa-companies-admit-no-real-damage-cyberattacks.shtml</guid>
<description><![CDATA[ Since the beginning of the cybersecurity FUDgasm from Congress, we've been asking for proof of the actual problem.  All we get are <a href="http://www.techdirt.com/articles/20120216/17430217786/senators-ramp-up-fear-mongering-to-try-to-rush-through-cybersecurity-bill.shtml">stories</a> about how airplanes might fall from the sky, but not a single, actual example of any serious problem.  Recently, some of the rhetoric shifted to how it wasn't necessarily planes falling from the sky but <a href="http://www.techdirt.com/articles/20120405/16421518396/former-cybersecurity-czar-thinks-dhs-should-spy-all-internet-traffic-crossing-our-borders-because-chinese-pirates.shtml">Chinese hackers</a> eating away at our livelihoods by hacking into computers to get our secrets and destroy our economy.  Today, Congress is debating CISPA (in secret) based on this assumption.  There's just one problem: it's still not true.
<br /><br />
The 27 largest companies have now admitted to the SEC that <a href="http://www.bloomberg.com/news/2013-04-04/cyberattacks-abound-yet-companies-tell-sec-losses-are-few.html" target="_blank">cyberattacks are basically meaningless</a> and have done little to no damage.
<blockquote><i>
The 27 largest U.S. companies reporting cyber attacks say they sustained no major financial losses, exposing a disconnect with federal officials who say billions of dollars in corporate secrets are being stolen.
<br /><br />
MetLife Inc., Coca-Cola Co. (KO), and Honeywell International Inc. were among the 100 largest U.S. companies by revenue to disclose online attacks in recent filings with the Securities and Exchange Commission, according to data compiled by Bloomberg. Citigroup Inc. (C) reported &#8220;limited losses&#8221; while the others said there was no material impact. 
</i></blockquote>
So what's this all really about?  It goes back to what we said from the very, very beginning.  This is all FUD, <a href="http://www.techdirt.com/articles/20100302/1024048361.shtml">engineered by defense contractors</a> looking for a new way to <a href="http://www.techdirt.com/articles/20100517/1141179445.shtml">charge the government</a> tons of money, combined with a willing government who sees this as an <a href="http://www.techdirt.com/articles/20120221/23433317835/nsa-anonymous-might-one-day-hack-power-grids-anonymous-huh.shtml">opportunity</a> to further take away the public's privacy by claiming that it needs to see into corporate networks to prevent these attacks.
<br /><br />
If this was a real problem, wouldn't we see at least some evidence?
 ]]></description>
<slash:department>the-truth-is-so-inconvenient</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130409/15372222650</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 9 Apr 2013 22:55:00 PDT</pubDate>
<title>The Law Should Never Be Secret, So Why Will CISPA Debate Be Secret?</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130409/14053622647/law-should-never-be-secret-so-why-will-cispa-debate-be-secret.shtml</link>
<guid>http://www.techdirt.com/articles/20130409/14053622647/law-should-never-be-secret-so-why-will-cispa-debate-be-secret.shtml</guid>
<description><![CDATA[ As we <a href="http://www.techdirt.com/articles/20130402/02291422544/congress-planning-to-debate-cispa-behind-closed-doors-no-public-scrutiny-allowed.shtml">mentioned</a> last week, CISPA is scheduled for markup tomorrow, and the markup will <a href="http://tech.fortune.cnn.com/2013/04/05/interest-groups-protest-cispa-secrecy/" target="_blank">be done behind closed doors</a> without any public scrutiny allowed.  This makes no sense.  They are not debating the reason for the law, but rather the text of the law itself.  The law will be public, and any debate about the language and amendments included should be public as well.  As Julian Sanchez <a href="https://twitter.com/normative/status/321610900022915072" target="_blank">points out</a>, it makes perfect sense for intelligence <b><i>briefings</i></b> to be held in secret, but it <i>never</i> makes sense to hold debates about what the law should be in secret.  So why is Congress doing so?
<br /><br />
In the meantime, it appears that the main backers of the bill will be <a href="http://thehill.com/blogs/hillicon-valley/technology/292467-house-intelligence-committee-leaders-outline-amendments-to-cyber-intelligence-sharing-bill" target="_blank">supporting some amendments</a> (and may release a manager's amendment), which marginally limits how the information it gets from companies can be used.  However, this does little to deal with the real problems of the bill: the immunity companies get for sharing pretty much any private info with any government agency.  At the very least, there's no reason that CISPA shouldn't require that companies strip personally identifiable information from any data they share with the government.
<br /><br />
But, really, this deserves to go much further.  At no point -- in the many years that cybersecurity legislation has been discussed -- has anyone in Congress explained why we need this.  Yes, they've given FUD-like horror stories about planes falling from the sky, or they've pointed to Chinese hackers.  But what they have not done is show (a) how current law gets in the way of the necessary information sharing to help combat any threats or (b) how CISPA will help stop such attacks.  You'd think that both of these points would be at the top of the list of the things that Congress would be explaining to get support for this bill.  Instead, we hear scare stories about evil hackers out to destroy us, and an awful lot of "trust us."  It's tough to trust the government, though, when they won't even let you know what they're debating.
 ]]></description>
<slash:department>ridiculous</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130409/14053622647</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 27 Mar 2013 13:25:08 PDT</pubDate>
<title>Shockingly Unshocking: 'Cybersecurity' FUD Has Been Big Big Business For Contractors</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130325/03144322452/shockingly-unshocking-cybersecurity-fud-has-been-big-big-business-contractors.shtml</link>
<guid>http://www.techdirt.com/articles/20130325/03144322452/shockingly-unshocking-cybersecurity-fud-has-been-big-big-business-contractors.shtml</guid>
<description><![CDATA[ Back when this hype about "cybersecurity" and "cyberwar" first started to hit the mainstream (early on, "cyberwar" was more common, but lately people focus on "cybersecurity"), we had an article which suggested that much of this really seemed to be about scaring up a panic for the sake of <a href="http://www.techdirt.com/articles/20100302/1024048361.shtml">throwing money</a> at defense contractors who wanted to charge crazy huge sums for "helping" with cybersecurity.  And, as we noted, that push was leading to <a href="http://www.techdirt.com/articles/20100517/1141179445.shtml">hundreds of millions of dollars</a> in government contracts.  It appears that, with cybersecurity FUD only getting bigger and bigger, the folks who are making out like bandits <a href="https://www.commondreams.org/headline/2013/03/13-9" target="_blank">are all those defense contractors who are jumping in</a> to fan the flames of FUD... and then taking our taxpayer money to "fix" the problem.
<br /><br />
In that link above, they talk about Lockheed and Raytheon signing agreements with Homeland Security in which they get to "help" the government out by <a href="http://www.nbcnews.com/technology/technolog/us-plan-calls-more-scanning-private-web-traffic-email-1C9001922" target="_blank">scanning email and other info</a> collected by the NSA.
<blockquote><i>
Under the program, critical infrastructure companies will pay the providers, which will use the classified information to block attacks before they reach the customers. The classified information involves suspect Web addresses, strings of characters, email sender names and the like.
</i></blockquote>
None of this necessarily means that online attacks aren't a real threat... but I'd feel a lot more comfortable about where things were heading if there weren't a whole bunch of defense contractors gleefully rubbing their hands together as they scoop up more and more contracts while the FUD keeps spreading.
 ]]></description>
<slash:department>well,-look-at-that</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130325/03144322452</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 25 Mar 2013 15:02:05 PDT</pubDate>
<title>The List Of Government Agencies That Can Get Your Data Under CISPA</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130323/02151222427/if-cispa-is-just-about-cybersecurity-how-come-any-government-agency-can-get-your-data.shtml</link>
<guid>http://www.techdirt.com/articles/20130323/02151222427/if-cispa-is-just-about-cybersecurity-how-come-any-government-agency-can-get-your-data.shtml</guid>
<description><![CDATA[ One of the key complaints about CISPA is the fact that it does absolutely nothing to make sure any data of yours that is shared with the government by third parties is sent narrowly to folks working to protect us from cybersecurity threats.  Instead, the information can be shared with <i>any agency</i> of the government, so long as they can claim, vaguely, that it's being used for "cybersecurity purposes."  But, as the EFF points out, without any limitations on <i>who</i> in the government can see your data, <a href="https://www.eff.org/deeplinks/2013/03/under-cispa-who-can-get-your-data" target="_blank">every government agency can see your data</a>.  They've even put together a helpful "list."
<blockquote><i>
One question we sometimes get is: Under CISPA, which government agencies can receive this data? For example, could the FBI, NSA, or Immigration and Customs Enforcement receive data if CISPA were to pass?
<br /><br />
The answer is yes. Any government agency could receive data from companies if this were to pass, meaning identifiable data could be flowing to the Bureau of Alcohol, Tobacco, Firearms and Explosives, the National Security Agency, or even the Food and Drug Administration.
</i></blockquote>
We've reposted the list below as well, just so you can get an idea of which government agencies could get access to your data under CISPA (and which ones thought that, perhaps, that's not such a good idea).
 ]]></description>
<slash:department>does-the-council-of-economic-advisors-need-your-emails?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130323/02151222427</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 25 Mar 2013 05:43:55 PDT</pubDate>
<title>Rather Than Fix The CFAA, House Judiciary Committee Planning To Make It Worse... Way Worse</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130324/14342822435/rather-than-fix-cfaa-house-judiciary-committee-planning-to-make-it-worse-way-worse.shtml</link>
<guid>http://www.techdirt.com/articles/20130324/14342822435/rather-than-fix-cfaa-house-judiciary-committee-planning-to-make-it-worse-way-worse.shtml</guid>
<description><![CDATA[ So, you know all that talk about things like <a href="http://www.techdirt.com/articles/20130201/15410021859/rep-zoe-lofgren-continues-to-improve-aarons-law-via-reddit.shtml">Aaron's Law</a> and how Congress needs to <a href="http://www.techdirt.com/articles/20130319/02580722374/if-congress-wont-fix-cfaa-president-obama-should-order-doj-to-stand-down.shtml">fix</a> the CFAA?   Apparently, the House Judiciary Committee has decided to raise a giant middle finger to folks who are concerned about abuses of the CFAA.  Over the weekend, they began circulating a "draft" of a "cyber-security" bill that is so bad that it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA.  Rather than fix the CFAA, it expands it.  Rather than rein in the worst parts of the bill, it makes them worse.  And, from what we've heard, the goal is to try to push this through quickly, with a big effort underway for a "cyberweek" in the middle of April that will force through a bunch of related bills.  You can <a href="https://www.documentcloud.org/documents/627265-sr-005-xml.html" target="_blank">see the draft of the bill here</a> (or embedded below).  Let's go through some of the pieces.
<br /><br />
<b>Adds computer crimes as a form of racketeering</b>
<br /><br />
The bill adds to the current <a href="http://www.law.cornell.edu/uscode/text/18/1961" target="_blank">definition of "racketeering activity"</a> so that it would now link back to the CFAA, such that if you are found to violate the CFAA as part of an activity that involves a variety of other crimes, you can now <i>also</i> be charged with racketeering.  More specifically, if you look at that long list of related statutes in the definition to 18 USC 1961 (1), it will also include: "section 1030 (relating to fraud and related activity in connection with computers)."  Basically, this just gives the DOJ yet another tool to use against "computer criminals" when they want to bring the hammer down on someone they don't like.  Not only could you be charged with computer fraud, but now racketeering as well.  Because, you know, all you hackers are just like the Mob.
<br /><br />
<b>Expanding the ways in which you could be guilty of the CFAA -- including making you just as guilty if you plan to "violate" the CFAA as if you actually did so</b>
<br /><br />
Section 103 of the proposed bill makes a bunch of "changes" to the CFAA, almost all of which <i>expand</i> the CFAA, rather than limit it.  For example, they make a small change to subsection (b) in <a href="http://www.law.cornell.edu/uscode/text/18/1030" target="_blank">18 USC 1030</a> (the CFAA) such that it will now read:
<blockquote><i>
 Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.
</i></blockquote>
All they did was add the phrase "for the completed offense" to that sentence.  That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA <i>shall</i> now be punished the same as if they had "completed" the offense.  And, considering just how broad the CFAA is, think about how ridiculous that might become.  Now if you talk with others about the possibility of violating a terms of service -- say, talking to your 12-year-old child about helping them sign up for Facebook even though the site requires you to be 13 -- you may have <i>already</i> committed a felony that can get you years in jail.  That seems fair, right?
<br /><br />
<b>Ratchets up many of the punishments</b>
<br /><br />
They change around a bunch of the "penalties" that you can get for various CFAA infractions, shaking up a variety of things and basically raising the maximum sentences available for certain infractions.
<br /><br />
<b>A very, very minor adjustment to limit "exceeding authorized access."</b>
<br /><br />
<strike>This one is a very, very tiny step in the right direction, but just barely.  Under the old CFAA, "accessing a computer without authorization" and "exceeding authorized access" were lumped together as a form of breaking the law.  The new bill keeps the basic terms of accessing a computer without authorization the same and just ever so slightly trims back the "crime" of exceeding authorized access.  Now, to violate the law by "exceeding" authorized access, you'd have to get access to "information from any protected computer" (or financial institution or US gov't agency) <b>and</b> the "value" of that info would need to be over $5,000 (who determines that?) <b>and</b> the access had to have been "committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information" <b>and</b> was committed "in furtherance of any criminal act."
<br /><br />
While it's good to see them ever so slightly roll back the issue of "exceeding authorized access," it still seems broad enough that all sorts of activities that shouldn't be seen as criminal would easily get lumped in here by aggressive prosecutors.</strike>  Rather than "streamlining" the bill and getting rid of the ridiculous "exceeds authorized access" trigger -- as folks like <a href="http://www.volokh.com/2013/01/20/proposed-amendments-to-18-u-s-c-1030/" target="_blank">Orin Kerr have suggested</a> -- this tends to just muddle matters even more.
<br /><br />
<i><b>Update</b>: On second look, it turns out that this initial analysis was wrong.  This part is worse too!  More <a href="http://www.techdirt.com/articles/20130325/16505322459/turns-out-one-good-change-cfaa-reform-may-actually-be-bad-too.shtml">details here</a>, but basically all those "and" statements are actually "or" which actually push back on how the courts have interpreted the CFAA... and make it worse.</i>
<br /><br />
And... at the same time, they do something else to make "exceeding authorized access" worse.  Which brings us to:
<br /><br />
<b><i>Expanding</i> the definition of "exceeding authorized access" in a very dangerous way</b>
<br /><br />
That's because the new bill says that you can exceed authorized access: "even if the accesser may be entitled to obtain or alter the same information in the computer for other purposes."  Yes, read that again.  Even if you are <i>allowed</i> to obtain info via your authorization on your computer, they're now saying that if you use that information in a way that runs afoul of the info above, you can be found to have exceeded authorized access.
<br /><br />
<b>Make it easier for the federal government to seize and forfeit anything</b>
<br /><br />
We've seen how federal seizure and forfeiture laws are frequently abused to seize goods, which the government claims are used in the commission of a crime (even if they never charge anyone for the crime).  And we've seen, with cases like the <a href="http://www.techdirt.com/articles/20111208/08225217010/breaking-news-feds-falsely-censor-popular-blog-over-year-deny-all-due-process-hide-all-details.shtml">Dajaz1 case</a>, how the government will use such tools to take and censor websites on no actual basis.  And now the CFAA will make it even easier for the government to do such things.  It amends the existing sections to basically expand what can be forfeited, because it's not like the government hasn't abused that one before...
<br /><br />
The rest of the bill deals with two other things: first a section on "cybersecurity" which includes punishment for those damaging "critical infrastructure" computers, another section that tells the courts to figure out how secure their computers are, and finally a part that creates a "National Cyber Investigative Joint Task Force," to be led by the FBI, because they're an unbiased party.
<br /><br />
The final part of the bill relates to "breach notifications."  A number of states already have various laws in place that require companies and websites that have data breaches to inform impacted users.  This creates a federal law that supersedes those state laws.  You can read the details, but basically companies will have to let people (and other companies) know of such breaches within a short period of time -- unless there are law enforcement or national security reasons to delay such notification.  It also requires companies to tell the FBI or Secret Service of certain kinds of breaches.  If companies <i>don't</i> do this, they can be fined between $500,000 and $1 million -- but only by the DOJ (i.e., individuals or companies can't go after organizations for screwing this up).
<br /><br />
Those last two sections are really somewhat unrelated to the rest of the CFAA parts.  But the CFAA parts are troubling.  Rather than fixing the law, they're expanding it so that computer "crimes" can be hit with racketeering charges, and expanding the general language and punishments for part of the bill.  This is not a good thing.  The fact that this is being passed around by the House Judiciary Committee suggests that it's likely to be backed by HJC chair Bob Goodlatte, which is unfortunate.  You would have hoped that Goodlatte and others on the HJC would recognize that now is the time to fix the CFAA, not to make it worse.
 ]]></description>
<slash:department>are-they-just-fucking-with-us?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130324/14342822435</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 19 Mar 2013 14:10:00 PDT</pubDate>
<title>Time To Speak Up About CISPA: We Shouldn't Be Scared Into Giving Up Our Privacy</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130319/12592222379/time-to-speak-up-about-cispa-we-shouldnt-be-scared-into-giving-up-our-privacy.shtml</link>
<guid>http://www.techdirt.com/articles/20130319/12592222379/time-to-speak-up-about-cispa-we-shouldnt-be-scared-into-giving-up-our-privacy.shtml</guid>
<description><![CDATA[ A bunch of groups are teaming up this week to <a href="https://www.eff.org/deeplinks/2013/03/week-action-opposing-cispa" target="_blank">call for a week of action against CISPA</a> just as Congress is gearing up, yet again, to push through this cybersecurity bill based on a lot of FUD, with little to back it up.  To be clear, there are a lot of challenges around online (can we dump the stupid "cyber" prefix?) security out there, and it's clear that there is plenty of malicious and government-sponsored hacking and attacks.  But we need to put this all in perspective.  First off, there is already tremendous incentive to combat these attacks, and there are existing methods to do so.  Second, no one has given a reasonable response to explain how something like CISPA will do <i>anything</i> at all to help prevent such attacks in the future.  Third, while these attacks may be economically damaging, there is little evidence of them creating real physical harm to date.  That's not to say it's not possible in the future, but stories of airplanes falling from the sky are quite exaggerated.  Fourth, and most importantly, no one has explained why we all need to sacrifice our own privacy for these vague and undefined benefits.
<br /><br />
A bunch of groups are fighting this, and now is the time to take part.  EFF and Fight for the Future have put together <a href="https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=9048" target="_blank">a simple page to help you take action</a>.  As they point out, there are three key objectionable parts to CISPA:
<ul>
<li>Eviscerating existing privacy laws by giving overly broad legal immunity to companies who share users' private information, including the content of communications, with the government.
</li><li>Authorizing companies to disclose users' data directly to the NSA, a military agency that operates secretly and without public accountability.
</li><li>Broad definitions that allow users' sensitive personal information to be used for a range of purposes, including for "national security," not just computer and network security.
</li></ul>
None of these are even remotely necessary to allow for effectively combating online attacks, but all certainly would be quite handy in helping the government snoop on the activities of citizens (and non-citizens) without much oversight.  Considering how often we've seen other laws passed in a flurry of FUD around other "threats" later turn out to be abused by government officials for the sake of snooping, rather than any legitimate reason, we should be very concerned about these efforts here.
 ]]></description>
<slash:department>speak-out-now</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130319/12592222379</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 13 Mar 2013 14:01:22 PDT</pubDate>
<title>Why CISPA Could Actually Lead To More Hacking Attacks</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20130312/08093422297/why-cispa-could-actually-lead-to-more-hacking-attacks.shtml</link>
<guid>http://www.techdirt.com/articles/20130312/08093422297/why-cispa-could-actually-lead-to-more-hacking-attacks.shtml</guid>
<description><![CDATA[ One thing we've talked about for years is that lawmakers are notoriously bad at thinking through the unintended consequences of legislation they put forth.  They seem to think that whatever they set the law to be will work perfectly, and that there won't be any other consequences.  This is one reason why we're so wary of simple "fixes" even when the idea or purpose sounds good up front.  "Protecting artists" sounds good... unless it destroys the kinds of services artists need.  Cybersecurity <i>sounds</i> good, unless it actually makes it easier to violate your privacy.  And, now, people are realizing that not only may cybersecurity rules like CISPA be awful for privacy, but they could potentially <a href="http://dyn.politico.com/printstory.cfm?uuid=80C79EFF-0198-4063-8F05-42A224EC54E1" target="_blank">lead to <i>more "cyber" attacks</i></a>, as companies look to "hack back" against those who attack them.  As Politico describes:
<blockquote><i>
The idea is known as "active defense" to some, "strike-back" capability to others and "counter measures" to still more experts in the burgeoning cybersecurity field. Whatever the name, the idea is this: Don't just erect walls to prevent cyberattacks, make it more difficult for hackers to climb into your systems &#8212; and pursue aggressively those who do.
</i></blockquote>
So, how would cybersecurity rules create more hacking?  Well, possibly by encouraging this kind of behavior by providing some amount of cover for it.  The Cybersecurity bill in the Senate last year included an undefined allowance for "counter measures."  CISPA doesn't explicitly mention that, but some in the security field are interpreting the bill to provide some amount of cover for such "counter measures" in which they could "perform hacks against threats."  But, if you're trying to discourage online attacks, that seems like a problem.  The likelihood of someone attacking the wrong target is quite high, and it could create quite a mess.
<br /><br />
Thankfully, the folks behind CISPA suggest that they're willing to change the bill to make it more explicit that such countermeasures are not allowed, but until that's in place, it's a serious concern:
<blockquote><i>
Some of those fears have reached Rep. Mike Rogers (R-Mich.), chairman of the chamber's Intelligence Committee and one of CISPA's lead authors. In fact, panel aides told POLITICO they're open to revising the relevant definitions in the bill. And Rogers himself this year has railed on the idea of an aggressive active defense, describing it as a "disaster for us" at a time when the country's digital defenses remain subpar.
</i></blockquote>
Even if they fix this particular hole, it's these kinds of things that should worry all of us about broad laws that provide things like <i>blanket immunity</i> over ill-defined concepts like "cybersecurity" and "cyberattacks."  The likelihood of it being abused is quite high, especially in an ever-changing technology world.  Just look at computer laws like the CFAA and ECPA, which cover various computer crimes and privacy today.  Both are ridiculously outdated, with concepts that are laughable by any rational view today.  And thus, there are massive unintended consequences associated with both laws.  Before we rush into creating <i>new</i> laws with big broad vague terms, perhaps we should focus on fixing the old laws and proceeding with caution on any new ones.
 ]]></description>
<slash:department>unintended-consequences</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130312/08093422297</wfw:commentRss>
</item>
</channel>
</rss>