Did CISPA Actually Get Better Before Passing? Not Really

from the depends-on-how-you-define-"better" dept

Yesterday, after I asserted that CISPA had gotten much worse before it was passed in a rushed vote, I heard from several people (even those in the anti-CISPA camp) who took the opposite position. They feel that, while CISPA is still a highly problematic bill, the Quayle amendment which I roundly criticized actually represented a significant last-minute improvement to the text. I still don’t see it that way, for reasons I explain below, but they did make an important point that is worth calling attention to.

Basically, under their reading of the previous text, it allowed the government to use the data for any non-regulatory purpose as long as it has one cybersecurity or national security purpose. I hadn’t initially read it that way but I completely agree, and that is indeed a troublesome wild card to hand to the government. The amendment removed the broad “any lawful purpose” language, replacing it with the list of five specific uses (cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security), thus closing that gaping hole in the bill. In that sense, it’s a good amendment.

But, does it really improve CISPA? That depends on how you look at it. CISPA is supposed to be a “cybersecurity” bill, and both its supporters and its opponents in Congress have repeatedly stated that cybersecurity means protecting networks and systems from disruption, hacking and malicious code—primarily coming from overseas. Even during yesterday’s debate, virtually every representative who spoke opened with a speech on this topic, and Ruppersberger himself insisted that CISPA’s sole purpose was allowing companies and the government to share “formulas, Xs and Os, the virus code”. (I’m pretty sure he meant “1s and 0s”, but what do you expect from someone who doesn’t understand the thing he’s trying to legislate?)

Now, critics of the bill have of course been saying all along that it could be used for things way beyond this stated cybersecurity purpose. But the response from supporters has been consistent: no, it can’t, and even if it can, it won’t be. [Insert another impassioned speech about the cyber-threat from China.] Then, suddenly, only a few minutes before the final vote, the representatives near-unanimously amend CISPA to include these brand new targets of bodily harm and child exploitation, which have nothing to do with cybersecurity and which have rarely if ever been mentioned in relation to the bill.

Basically, the amendment closes a loophole but opens a door. It takes away some of the language that allows overreach of the bill, but then explicitly endorses the exact things people were worried the government would do with that language—as in, start using the data to investigate and build cases against American citizens without regard for the laws that would normally protect their privacy.

Is that an improvement? CISPA would now grant the government less vague power, which is good, but would also grant it brand new specific powers, which is bad and frankly pretty insulting. Because, if this is indeed an improvement and a narrowing of the government’s power, how are we to take that if not as a confession that virtually every representative has been baldly lying this whole time? They have said over and over again that they don’t want or plan to use the bill for anything except shoring up network security, but we’re supposed to see the addition of these brand new applications as limiting CISPA’s target? To me, that sounds like they’re saying: “Okay, you got us—we really wanted to secretly do all this other stuff. As long as you still let us do that, we’ll change the bill.”

So the way I see it, there are two ways to look at the Quayle amendment: either it made the bill worse, by massively expanding its stated purpose to whole new areas of the law such that it can no longer accurately be called a “cybersecurity” bill at all, or else it made the bill better by codifying the ways it can be abused for non-cybersecurity purposes.

Of course, it’s not as though everyone trusted what supporters were saying about the bill’s purpose before. We all knew it would be used for these other things. But simply getting them to admit that is not really progress. It’s accurate to say that the amendment has limited the government’s power under CISPA by changing the language, but it’s also ludicrous to say that turning a cybersecurity/national-security bill into a cybersecurity/cybercrime/violent-crime/child-exploitation/national-security bill at the last minute represents narrowing or improving it. In fact, the only way that’s an improvement is if the representatives are admitting that they were planning on it being used for even more unstated purposes all along, but are now content with choosing only a few of the things they have repeatedly denied they wanted. I see how that can be framed as progress, but it’s not exactly something that the House deserves any praise for.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Did CISPA Actually Get Better Before Passing? Not Really”

Subscribe: RSS Leave a comment
32 Comments
Capt ICE Enforcer says:

Protecting from harm

Attention All:

Subject: Typing may cause Carpal Tunnel, & Arthritis.

Good news my fellow Americans. Science has found that typing can cause Carpal Tunnel & Arthritis. These have been known to harm people of all ages. So in order to keep you safe. The US Government will use CISPA and monitor all use of your electronic devices. To include but not limited to what keys you type, and where the information get sent to. Using this information will not help you in any way. But is the perfect excuse for us to monitor you.

Best intentions can result in the Worst outcome.

Capt ICE Enforcer Out.

Anonymous Coward says:

CISPA, the Child/Infant Safety and Protection Act

I’m surprised they’re still calling it a cybersecurity bill. Why not call it a child protection bill? Then they could brand everyone who opposes it a pedophile.

And did you know there are children in other countries? It’s true! Clearly there need to be more extradition treaties like the UK’s, so children all over the world can be protected by CISPA.

Michael Long (profile) says:

A couple of things are better…

2) …and ensure that those who negligently cause injury through the use of cybersecurity systems or the sharing of information are not exempt from potential civil liability.

This helps remove one of the major carrots for companies to voluntarily share data.

4) Would make clear that regulatory information already required to be provided remains FOIAable under current law.

15) Would sunset the provisions of the bill five years after the date of enactment.

Rich Kulawiec (profile) says:

There's a political angle to this as well

Consider:

House passes bill.
Senate passes bill.
President vetos bill.
Something bad happens.
GOP seizes opportunity for gotcha! moment in election year.

Of course, “something bad” happens just about every day — read the “Dataloss” mailing list. So it’s not like anything particularly bad would need to turn up, and it’s not like it would even have to be something covered by the bill. “Credit card company loses hard drive with 28 million customer accounts” would do just fine, because the computer-illiterate public will have no clue whether this had anything to do with CISPA.

Here’s the thing: the worse the bill is, the better it works for this, because the more pressure the President will be under not to sign it. So there is substantial motivation to load the bill up with as many due process violations, as many civil rights issues, and as much wildly unconstitutional language as possible: the idea isn’t to get it signed, the idea is to get it vetoed, because then it can serve its purpose.

Oh. One more thing. This is also why the House has studiously avoided asking anyone who has even half a clue about security to testify, and has instead focused on the OMG!OMG!CYBERWAR cheerleaders. There is no way that sanity and expertise can be allowed anywhere near this process because that might accidentally result in a better bill.

Rich Kulawiec (profile) says:

[…] and Ruppersberger himself insisted that CISPA’s sole purpose was allowing companies and the government to share “formulas, Xs and Os, the virus code”. (I’m pretty sure he meant “1s and 0s”, but what do you expect from someone who doesn’t understand the thing he’s trying to legislate?)

Do you have a source for this quote from Ruppersberger?

Cowardly Anonymous says:

Re:

1s and 0s are purely symbolic representations, and don’t even map to the same voltages across all devices. True, they have become a standard in the industry and it is highly unlikely that a politician understands these basic principles, but understanding the binary nature of computer data is a far cry better than calling the internet a series of tubes.

Now, technically, they should be looking to share the disassembled code, rather than the bit by bit representation. Still, this is at least evidence that they can learn, if it is screamed at them loud enough.

Erik says:

Just to clarify, when that congressman was talking about Xs and Os he wasn’t talking about coding. He was talking about sharing anti-cyber security strategies. Its a term often found in the sport of American Football because players are indicated by Xs and Os in playbooks.

I wouldn’t expect a bunch of nerds to understand that. 😛 I kid, I kid.

Frank Bennett (profile) says:

Sunsetting

A sunset provision in legislation with effects this deep isn’t really aimed at decommissioning — no one has suggested that the issues addressed by this bill will have faded in five years. Rather, expiration of the legislation will trigger campaign contributions from private firms and industry groups that by then will have integrated its provisions into their business practices. It’s all pretty ugly.

Anonymous Coward says:

Re:

i just love that Mac thornberry, after one minute in the video
talks about cyber security and that it’s monitored and destroyed and what-not…does he realize that the very bill is
exactly the same?
That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he’s whatching the (possibly) non-exsisting hacker that is watching us.
This is a freaky hack-seption, and i don’t know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country…i’m seriously disturbed by this (I’m just a 16, year old from Sweden, and even I can feel a wind of change comming)

sry for the long post, but i’m happy you took up this issue (would be glad if i could get a response)

Anonymous Coward says:

Re:

i just love that Mac thornberry, after one minute in the video
talks about cyber security and that it’s monitored and destroyed and what-not…does he realize that the very bill is
exactly the same?
That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he’s whatching the (possibly) non-exsisting hacker that is watching us.
This is a freaky hack-seption, and i don’t know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country…i’m seriously disturbed by this (I’m just a 16, year old from Sweden, and even I can feel a wind of change comming)

sry for the long post, but i’m happy you took up this issue (would be glad if i could get a response)

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...