On Monday, President Obama gave a speech kicking off his big push on cybersecurity, with many of the details being released on Tuesday, and they don't look very good. There are a lot of different pieces, but we'll just highlight the two that concern us the most.
First up: information sharing/"cybersecurity." The key issue here: is it the return of CISPA? CISPA, of course, is the cybersecurity "information sharing" bill that is introduced each year, but which is really about giving the NSA a tool to pressure companies into sharing their information (by granting immunity from liability to those companies). In 2012, President Obama rejected the CISPA approach as not having enough protections for privacy and civil liberties. And, indeed, contrary to what some have said, the official proposal is not "endorsing CISPA." The approach is definitely more limited, and the most major concern is addressed. Rather than giving the information to the NSA (or the FBI), Homeland Security gets it. DHS isn't wonderful, but it's better than the other two alternatives. Companies can still give the info to the NSA or FBI (or others), but won't get full immunity from lawsuits if they do.
But, where the new proposal falls woefully short is in its lack of privacy protections. It basically handwaves its way through the privacy question, saying there will be guidelines, but the guidelines aren't written yet, and they're fairly important here. Instead, there's just a plan to make them:
The Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the Chief Privacy and Civil Liberties Officers at the Department of Homeland Security and Department of Justice, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, the heads of sector-specific agencies and other appropriate agencies, and the Privacy and Civil Liberties Oversight Board, shall develop and periodically review policies and procedures governing the receipt, retention, use, and disclosure of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.
Yes, it promises that those guidelines will limit the "acquisition, interception, retention, use and disclosure" of information, but it's still not entirely clear what the final guidelines will be. The second problem, still not addressed in all of this, is explaining why this is needed. People keep saying that we need "information sharing" because of "cyberthreats," but no one argues why that information sharing can't happen today, or points out what regulations today get in the way. That's because they don't. Companies can share information today, but the focus of this bill is to try to grant them broad immunity in case they share the wrong (private) info and it gets out.
The second concerning proposal is the update to the CFAA (the Computer Fraud and Abuse Act). The CFAA, of course, is the widely misused "anti-hacking" law that has been stretched and twisted by law enforcement and prosecutors over time to argue that merely disobeying terms of service could be seen as "hacking." While some courts have limited that ridiculous interpretation, the changes here seem fairly messy and could bring back that possibility. The language takes a lot of careful picking through to interpret, and it appears that it may fix some small issues with the CFAA, but opens up other massive holes that are seriously problematic. The White House claims this fix would "enhance [the CFAA's] effectiveness against attacks on computers and computer networks."
But that's not the problem with the CFAA. The problem is that it's already seriously overbroad and used in dangerous ways. That's barely addressed. The main "fix" is that if you "intentionally exceed authorized access," there are conditions necessary to meet to trip the CFAA wire -- and a key one is that the value of the information obtained must "exceed $5,000." But, of course, with the way the gov't inflates the value of information... that seems like a pretty small hurdle. The really big problem, though, comes in section (e)(6), which adds a troubling definitional change to "exceeds authorized access." This is the whole bit that's been used as evidence of "terms of service" violations. The key case that rejected this theory is the Nosal case, and that seems to be completely wiped out with this little addition to exceeding authorized access:
for a purpose that the accesser knows is not authorized by the computer owner;
This is likely to be interpreted to mean that if a terms of service bans a certain type of use, users have "knowledge" and thus that kind of use is back to being a problem under the CFAA. As Orin Kerr argues, this could be read to mean that if your employer says you can only use a computer for work reasons, and you surf for personal reasons, you've broken the law. It is also possible to read this section to mean that using someone else's Netflix or HBO GO password... could violate the law. Yikes!
Of course, one hopes that law enforcement wouldn't go after those types of violations, but a more serious concern may be the impact on security research. Finding a hole in a website online, allowing you to access data that was publicly exposed, could be seen as exceeding access, on the basis that whoever finds it "knows [it] is not authorized by the computer owner." Basically, it requires the government to argue that whoever they're going after should have known that the computer owner "wouldn't like" it. That... opens up a big can of worms that the DOJ will abuse like crazy.
The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it's an "organized crime group." It also ups the penalties for things that might be considered "actual hacking" (i.e., getting around technological barriers to access a computer) -- making it automatically a felony with up to 10 years in jail (rather than the existing law, under which it could be a misdemeanor or a felony and the limit is 5 years in jail). And, of course, it expands civil forfeiture procedures so that law enforcement can seize (and likely keep) all your computer equipment if it thinks you're violating the CFAA. Looks like law enforcement can now go "shopping" for computers.
Once again, we seem to be facing a situation where the administration is more focused on what law enforcement wants, while paying lip service to protecting the public from likely law enforcement and intelligence community abuse.
That's really unfortunate. A massive missed opportunity to actually do something productive here.