CISPA Amendment Proves Everyone's Fears Were Justified While Failing To Assuage Them

from the the-more-things-change dept

The single biggest criticism of CISPA is that it could be used by the federal government in a way that infringes on people’s privacy, allowing government agencies, including the NSA, to sift through the private data of American citizens with little to no oversight. It’s pretty obvious why that fear exists — just look at the relevant paragraph in what, until the recent and final round of markup, was the text of the bill:

(7) PROTECTION OF INDIVIDUAL INFORMATION—The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.

So, um, the feds may worry about privacy, if they want to and as long as it doesn’t hinder their cybersecurity efforts. It’s disconcerting that this even needed to be spelled out, and it certainly doesn’t count as a safeguard. The response to criticism from the bill’s authors has been the same since last year: they deny that this bill has anything to do with spying on people, and insist it’s just about sharing technical threat data. Just this week, Rep. Rogers flatly stated this is not a surveillance bill. Still, in an attempt to placate the opposition, they backed an amendment (pdf and embedded below) from Rep. Hines replacing that paragraph, which passed in the markup phase. Here’s the new text:


(A) POLICIES AND PROCEDURES.—The Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, shall establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government in accordance with paragraph (1). Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner—

(i) minimize the impact on privacy and civil liberties;
(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner;
(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;
(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and
(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.

It seems to me they are hoping that by making the section longer and more complicated, people will miss the fact that very little has changed. But what’s truly astonishing is that this new text reads like a confession that CISPA does involve all the stuff that they’ve been insisting it has nothing to do with.

The big thing, of course, is that this oversight now involves civilian agencies, which is really the only meaningful change — and its impact has been rather minimized. Rather than putting the DHS or another agency in between the public and military agencies like the NSA, they’ve simply given them some input — and it’s hard to say how meaningful that input will be. The provisions are bookended by escape clauses: first we’re told that they only count when “consistent with the need to protect systems and networks from cyber threats”, and then at the end we’re reminded that they must “not delay or impede the flow of cyber threat information”. That alone renders the rest of the text virtually moot, and it also seems to be acknowledging that the type of information sharing they want to do does threaten privacy.

If that weren’t clear enough, there’s a third out hiding in clause (ii), where we’re reminded that personal information will only be limited if it’s “not necessary to protect systems or networks from cyber threats”. If this bill is really just about getting technical threat data, why would personal information ever be necessary? Once again, it serves as both an escape clause and a tacit admission that they do plan on doing the things that they have denied so vocally, or at least that they want to keep the option open.

But you can bet that the next time Rep. Rogers or Ruppersberger is questioned about it, they’ll insist that CISPA has nothing to do with personal information and couldn’t possibly threaten anyone’s privacy. They’ll insist that they addressed any concerns with this amendment, when in fact all they did was confirm just how warranted those concerns are. Nothing has changed: CISPA is still a dangerous bill, perhaps more explicitly so now than ever.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “CISPA Amendment Proves Everyone's Fears Were Justified While Failing To Assuage Them”

Subscribe: RSS Leave a comment
Ninja (profile) says:

The bill is not needed and we all know it. They know it. The only goal of this bill is to make it much easier to spy on their own citizens and prevent protests, insurrection. When asked they’ll keep yelling “BUT… BUT… CYBERZOMBIEAPOCALYPSE!” in an attempt to bury criticism and discussion under the weight of all the FUD.

It’s clear that if you keep any system updated (good maintenance), have provisions to quickly mitigate any attack ready (system monitoring) and spread the word in case any sensitive info is accessed (efficient communication) then the damage will always be kept to a minimum. It helps when you are not deliberately trying to break the system (SOPA) or hoarding all the data with little to no oversight (CISPA) in systems that may have several holes.

Anonymous Coward says:

If there is even the most remote of possibilities that something in the bill will be abused, it’s a guarantee that it will be abused. No amount of reassuring will change that. That goes for all bills and laws. There is no good faith, only time until abuse. The government and various lawyers have proven that to be 100% true.
Even when the language is clear, there’s still the whole unique interpretation routine, national security claim, loophole or routing around to get what they want. Then when those fail, they often just do it anyway.

So tell me again how something that can be used for abuse won’t be used for abuse? Because I’m not buying what you’re selling.

Anonymous Coward says:

“So, um, the feds may worry about privacy, if they want to and as long as it doesn’t hinder their cybersecurity efforts.”

If only more criminals were like that.

“I MAY worry about what stealing all of your money will do you financially, if I want to, as long as it doesn’t hinder my efforts to get rich quick no matter how many people I have to steal from.”

Anonymous Coward says:

What is incredible is that there is no safeguards, zero ways to watch what is being done and spot abuse, is like lawmakers are out of their depth and don’t know what they are actually voting on.

All investigations should at the very least be fully disclosed after closure or a year so the procedures used can be reviewed, this clearly would mitigate the risk of abuse, furthermore if any case needs more than one year it should get a court order and be reviewed by others to get a fraking special permission to continue without disclosure where, and it should be disclosed to a non-profit organization that they need it.

This BS can’t go on forever there responsible ways of doing things and this is not one of them, not by a long shot.

Anonymous Coward says:

why keep pissing about? just tell it like it is! the USA is now the democratic equivalent of China! if it isn’t happening already, it will very soon be that no one will be able to do anything, go anywhere, say anything via any means without being spied on 100% of the time, even in their own homes, by a government that is supposed to be one of the foremost on freedom, privacy and democracy in general. instead, it has become so paranoid that even it’s own people are being classed and treated as if they are enemies about to commit the most heinous of crimes! what the hell has happened to the USA? when did this drastic change take place? what has happened to make it one of the most despised places under one of the most hated regimes of all? it is now so close to being no better than a Police State, no better than the countries that were fought against for trying to do the exact same things 70 years ago! when a government becomes so afraid of what may happen that it makes enemies out of every one of it’s own citizens, it is in deep trouble!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...