by Mike Masnick
Thu, Apr 18th 2013 10:21am
by Mike Masnick
Thu, Apr 18th 2013 5:38am
from the no-conflict,-no-interest dept
It has seemed quite strange to see how strongly Rogers has been fighting for CISPA, refusing to even acknowledge the seriousness of the privacy concerns. At other times, he can't even keep his own story straight about whether or not CISPA is about giving information to the NSA (hint: it is). And then there was the recent ridiculousness with him insisting that the only opposition to CISPA came from 14-year-old kids in their basement. Wrong and insulting.
Of course, as we've noted all along, all attempts at cybersecurity legislation have always been about money. Mainly, money to big defense contractors aiming to provide the government with lots of very expensive "solutions" to the cybersecurity "problem" -- a problem that still has not been adequately defined beyond fake scare stories. Just last month, Rogers accidentally tweeted (and then deleted) a story about how CISPA supporters, like himself, had received 15 times more money from pro-CISPA groups than the opposition had received from anti-CISPA groups.
So it seems rather interesting to note that Rogers' wife, Kristi Clemens Rogers, was, until recently, the president and CEO of Aegis LLC, a "security" defense contractor, which she helped to secure a $10 billion (with a b) contract with the State Department. The company describes itself as "a leading private security company, provides government and corporate clients with a full spectrum of intelligence-led, culturally-sensitive security solutions to operational and development challenges around the world."
Hmm. Sounds like a company like that would benefit greatly from seeing a big ramp up in cybersecurity FUD around the globe, and, with it, big budgets by various government agencies to spend on such things. Indeed, just a few months ago, Rogers penned an article for Washington Life Magazine all about evil hackers trying to "steal information." In it, there's a line that might sound a wee bit familiar, referring to the impression of hackers as being "the teenager in his or her parent's basement with bunny slippers and a Mountain Dew." Apparently, both of the Rogers really have a thing about teens in basements. The article is typical FUD, making statements with no proof, including repeating the NSA's ridiculous allegation that hackers have led to the "greatest transfer of wealth in American history." It's such a good line, except that it's completely untrue. The top US companies have recently admitted to absolutely no damage from such attacks. The article also lumps in "hacktivists" like Anonymous, as if they're a part of this grand conspiracy that needs new laws.
Tellingly, in the print version of Washington Life that this article appeared in, which you can see embedded below, you'll note that there's a sidebar right next to her article about the importance of passing cybersecurity legislation in Congress. Guess what's not mentioned anywhere at all? The fact that Kristi Rogers, author of the fear-mongering article, happens to be married to Rep. Mike Rogers, the guy in charge of pushing through cybersecurity legislation. That sure seems like a rather key point, and a major conflict of interest that neither seemed interested in disclosing. Oh, and Kristi Rogers recently changed jobs as well, such that she's now the "managing director of federal government affairs and public policies" at Manatt, a big lobbying firm, where (surprise, surprise) she's apparently focused on "executive-level problem solving in the defense and homeland security sectors." I'm sure having CISPA in place will suddenly create plenty of demand for such problem solving.
A few months ago, in one of his FUD-filled talks about why we need cybersecurity, Rogers claimed that it was all so scary that he literally couldn't sleep at night until CISPA was passed due to an "unusual source" threatening us. The whole statement seemed odd, until you realize that his statement came out at basically the same time as his wife's fear-mongering article about cybersecurity. I guess when your pillow talk is made up of boogeyman stories about threats that don't actually exist, it might make it difficult to fall asleep.
Either way, even if we assume that everything here was done aboveboard -- and we're not suggesting it wasn't -- this is exactly the kind of situation that Larry Lessig has referred to as soft corruption. It's not bags of money shifting hands, but it appears highly questionable to the public, leading the public to trust Congress a lot less. At the very least, in discussing all of this stuff, when Mrs. Rogers is writing articles that help the push for CISPA, it seems only fair to disclose that she's married to the guy pushing for the bill. And when Mr. Rogers is pushing for the bill, it seems only right to disclose that his wife almost certainly would benefit from the bill passing. And yet, that doesn't seem to have happened... anywhere.
by Leigh Beadon
Thu, Apr 18th 2013 3:31am
from the same-old-thing-with-a-new-coat-of-paint dept
Update: It has become a little unclear what the status of this amendment is now. Yesterday we heard that it had passed, but now it seems to have been changed, and it's back up for debate on the floor. We'll get you more updates on whether or not it goes through, and the latest changes, as soon as we can.
In the latest round of changes to CISPA, the House passed a new amendment that supposedly (according to CISPA supporters) addresses the privacy and civil liberty concerns about the bill. The amendment (pdf and embedded below) ostensibly establishes civilian agency control (through Homeland Security) over information shared under CISPA, since many people are reasonably worried about all this data ending up in the hands of the NSA. Unfortunately, as the EFF determined in their initial analysis, it doesn't really change anything—it just lets the DHS go along for the ride:
The amendment in question does not strike or amend the part of CISPA that actually deals with data flowing from companies to other entities, including the federal government. The bill still says that: "Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes...share such cyber threat information with any other entity, including the Federal Government." The liability immunity provisions also remain.
While this amendment does change a few things about how that information is treated within the government, it does not amend the primary sharing section of the bill and thus would not prevent companies from sharing data directly with military intelligence agencies like the National Security Agency if they so choose.
Indeed, the text of the amendment appears to create a significant role for the DHS in information sharing procedures, but gives it little power in terms of actually protecting privacy or filtering information—the amendment mandates that information still be shared with other agencies in realtime, and it still appears to allow companies and organizations to bypass the DHS entirely.
A portion of the amendment outlines certain privacy guidelines, but they are the same as those we discussed before: filled with enough release valves and escape routes to render them virtually meaningless, closer to a list of "best practices" than actual rules. The fact is that, despite what the bill's supporters and some of the media reporting on it would have you believe, the core problems with CISPA have not been addressed, nor have any of the "efforts" in that direction amounted to much more than a smokescreen. With a final CISPA vote looming at any time, it's never been more important to voice your opposition to the bill.
by Mike Masnick
Wed, Apr 17th 2013 1:02pm
from the let's-get-real dept
One of the key points that Rogers keeps saying over and over again is that this bill is not a "surveillance" bill. Why? Because it doesn't allow the NSA or others to go in and automatically get info. But Rogers is choosing his words very carefully, such that he absolutely misrepresents how the bill can and almost certainly will be used. And while he and other CISPA supporters will (and have) argued that the possible abuses of CISPA are crazy conspiracy theories that wouldn't happen in practice, we have too many examples of how the US government's intelligence infrastructure very quickly expands to make use of every single loophole provided to them within the law -- sometimes going so far as to interpret laws in ways clearly contrary to Congressional intent, just because they can. Let's just highlight two examples:
- The FISA Amendments Act, which was passed in association with the Patriot Act, supposedly to give the NSA more powers to scoop up communications of folks involved in terrorist activity. Now, the NSA is -- by mandate -- not allowed to spy on Americans. And yet, multiple whistleblowers and hints from folks who know in Congress have made it quite clear that the NSA has interpreted the FISA Amendments Act to allow exactly that -- even as many in Congress clearly don't understand how the bill is being used.
While it's still not official, enough information has been revealed to show that the NSA interprets the requirement that its surveillance target foreign persons to mean that as long as it's looking for foreign terrorist activity, it can spy on everyone. Get that? It's a sneaky trick that many have not realized. The NSA argues -- likely with agreement from a secret court ruling -- that so long as it can claim that it is investigating a foreign threat somewhere, somehow, the prohibition on spying on Americans does not apply. There is increasing evidence that this now means that the NSA is scooping up pretty much all data it can get its hands on. While it may not be going through it in real time, it appears to believe that as long as it can make the argument that it's searching for a foreign threat, that it can delve into that treasure chest of, well, everything.
- Next: the "national security letters" (NSL) issue. While a court recently ruled these unconstitutional, this process has been widely abused by the FBI for years to get private information on people without a warrant and with a gag order on recipients. Every time it's been investigated, it's been shown that the FBI has widely abused its NSL powers. However, since there's almost no oversight, the FBI still feels free to make widespread use of the tool, which was only supposed to be used in extreme circumstances.
Along those lines, the FBI has gotten so comfortable with asking companies for data without a warrant or any formal oversight process that it was revealed a few years ago that, rather than going through the drudgery of actually processing paperwork to get private info from AT&T, some agents simply used Post-It Notes to make their requests, which AT&T readily coughed up without question.
CISPA supporters also like to claim that since CISPA is "voluntary," companies will have no reason to give up your private info. That's nice in theory. And, sure, perhaps some principled companies will resist, but we've already seen the AT&T example above. And, even more importantly, we've seen how pressure from the US government, or even threats of the government shaming them publicly for not "helping" have been incredibly effective in making "voluntary" action suddenly seem obligated.
The saying goes "fool me once, shame on you. Fool me twice, shame on me." We've been fooled many times by the US government insisting that certain laws won't be used to violate our privacy, when it later comes out that they were used in exactly that way. So forgive us for calling bullshit on Mike Rogers' claims that CISPA doesn't "allow" the government to spy on Americans. It absolutely does. It opens up a clear path for law enforcement and intelligence agencies (and others!) to hide behind the liability protections within the law to pressure companies to reveal whatever they want with absolutely no repercussions.
That seems like a pretty serious issue, and one that Congress and supporters of CISPA don't seem to want to admit.
by Berin Szoka
Wed, Apr 17th 2013 9:55am
from the all-talk dept
At that Committee meeting (1:01:45), the bill's chief sponsor Chairman Rogers emphatically repeated his earlier assertions that CISPA wouldn't breach private contracts in response to questions from Jared Polis:
Polis: Why wouldn't it work to leave it up, getting back to the contract part, and I think again there may be a series of amendments to do this, if a company feels, if it's voluntary for companies, why not allow them the discretion to enter into agreements with their customers that would allow them to share the information?
Rogers: I think those companies should make those choices on their own. They develop their own contracts. I think they should develop their own contracts. They should enforce their own contracts in the way they do now in civil law. I don't know why we want to get in that business.
...And yet... CISPA will go to the House floor as written, providing an absolute immunity from "any provision of law," including private contracts and terms of service.
Only in Congress can you swear up and down that your bill doesn't do X, then refuse to amend it so that it really doesn't do X—and then lecture those who note the disconnect, like Polis, with patronizing comments like "once you understand the mechanics of the bill..." (1:02:50).
It brings to mind what Galileo said after he was forced to sign a confession recanting belief in Copernicus's heretical idea that the Earth revolves around the sun: "And yet, it moves."
And yet... for all Rogers' bluster, CISPA moots private contracts—and House Republican leadership won't fix the problem, even when five of their GOP colleagues offer a simple, elegant fix.
This is the same stubborn refusal to accept criticism and absorb new information that brought us SOPA, PIPA and a host of other ill-conceived attempts to regulate the Internet. It's the very opposite of what should be the cardinal virtue of Internet policy: humility. Tinkering with the always-changing Internet is hard work. But it's even harder when you stuff your fingers in your ears and chant "Lalalala, I can't hear you."
The good news is that, as with SOPA, this fight transcended partisan lines, uniting a Democrat like Jared Polis (an openly gay progressive from Boulder) with a strict constitutionalist like Justin Amash (the "Ron Paul Republican" from Grand Rapids, Michigan)—and four more traditional Republicans. This is precisely the realignment predicted 15 years ago by Virginia Postrel in The Future and Its Enemies. On one side are those profoundly uncomfortable with change, desperate to control and plan the future, and so insecure about their own understanding of technology that they inevitably perceive criticism as a personal attack. On the other are those far more humble and more willing to let the future play out in all its messy unpredictability. The first camp is always pushing for the one, right piece of legislation that will avert a crisis. The second camp admits they don't know the one, best way to deal with a problem like encouraging sharing of cyberthreat information while protecting user privacy, so they reject static rules that can only be changed by Congress. They want simple rules for a complex world. At a minimum, they want what law professor Richard Epstein argues for in his book Simple Rules for a Complex World--the perfect slogan for this camp--"the most ubiquitous legal safety hatch adds three words to the formal statement of any rule: unless otherwise agreed."
It's not a battle between Left and Right, or conservatives and progressives. It's a battle between attitudes towards the future: the stasis mentality of Congressmen like Mike Rogers and Lamar Smith (of SOPA infamy) and the dynamism of Justin Amash and Jared Polis, and SOPA foes like Republicans Darrell Issa and Jason Chaffetz and Democrats Ron Wyden and Zoe Lofgren.
The dynamists may have lost this battle. But, like Galileo, we'll eventually win the war. The only questions are: How many more poorly crafted, one-size-fits-all laws will the stasists put on the books in the meantime? How long will it take to clear the real "legislative thicket"--all the complex laws that attempt to provide a single answer for a complex and unknowable future? And when will it finally become unacceptable for Congressmen like Mike Rogers to ram through legislation that doesn't even do what they claim?
Berin Szoka (@BerinSzoka) is President of TechFreedom (@TechFreedom), a dynamist tech policy think tank.
by Tim Cushing
Wed, Apr 17th 2013 5:40am
from the the-2nd-was-continuing-taxation-long-after-representation-ceased-to-exist dept
The US government is already fighting wars on several fronts, including the perpetual War on Terror. "War is the health of the state," as Randolph Bourne stated, and the state has never been healthier, using this variety of opponents as excuses to increase surveillance, curtail rights and expand power.
Bruce Schneier highlights a piece written by Molly Sauter for the Atlantic which poses the question, "If hackers didn't exist, would the government have to invent them?" The government certainly seems to need some sort of existential hacker threat in order to justify more broadly/badly written laws (on top of the outdated and overbroad CFAA). But the government's portrayal of hackers as "malicious, adolescent techno-wizards, willing and able to do great harm to innocent civilians and society at large," is largely false. If teen techno-wizards aren't taking down site after site, how is all this personal information ending up in hackers' hands? Plain old human carelessness.
According to the Privacy Rights Clearinghouse, the loss or improper disposal of paper records, portable devices like laptops or memory sticks, and desktop computers have accounted for more than 1,400 data-breach incidents since 2005 -- almost half of all the incidents reported. More than 180,000,000 individual records were compromised in these breaches...By comparison, only 631 breaches were attributed to actual hacking, or at least hacking as it's portrayed by the government. Private entities aren't very worried about being hacked either, at least not from the outside. Their main concern, according to the Privacy Rights Clearinghouse, is "inside jobs" by disgruntled employees.
Nonetheless, the narrative advanced by the government (and passed along by the largely credulous mainstream media) of unstoppable hackers and their omnipresent threat to major companies, the government itself, average Americans and underlying infrastructure, continues nearly unimpeded. This narrative is essential to those in the government who wish to justify large-scale surveillance of anything and anyone connected to the internet. The scarier the image, the more it can get away with.
It is the hacker -- a sort of modern folk devil who personifies our anxieties about technology -- who gets all the attention. The result is a set of increasingly paranoid and restrictive laws and regulations affecting our abilities to communicate freely and privately online, to use and control our own technology, and which puts users at risk for overzealous prosecutions and invasive electronic search and seizure practices. The Computer Fraud and Abuse Act, the cornerstone of domestic computer-crime legislation, is overly broad and poorly defined. Since its passage in 1986, it has created a pile of confused caselaw and overzealous prosecutions.
We've seen the overzealous prosecution and expressed disbelief and amazement at some of the interpretations of this outdated law. (Amazingly, Sauter's post was written before the most recent cases of overzealous prosecution.) And instead of fixing the CFAA, legislators are actively working to make it worse, even as overly-broad cybersecurity legislation is being negotiated in secret.
The "modern folk devil" image has become part of the mass consciousness. Anonymous and its various offshoots roam the internet, at turns wreaking havoc and helping the oppressed, like an electronic manifestation of Loki, the Distributed. These activities are duly reported by the media in ominous tones, further driving home the image of the hacker as Millennial Public Enemy No. 1. The acts and the perception of the damage caused by this hacking are miles apart, as is perfectly illustrated by xkcd.
Many members of the American public are already convinced something should be done about hackers. Many of our representatives feel the same way. A lack of knowledge of the underlying technology, much less the methods or culture, hasn't deterred legislators from crafting an overbroad response with the CISPA bill. Examining the issues more closely or reconsidering the legislation doesn't seem to be an option. After all, a "cyber Pearl Harbor" is all but inevitable, a conclusion confirmed by shouting "HACKER!" in the halls of Congress and hearing it echoed back by like-minded representatives, sympathetic government agencies, the media and a subset of the American public.
In the effort to protect society and the state from the ravages of this imagined hacker, the US government has adopted overbroad, vaguely worded laws and regulations which severely undermine internet freedom and threaten the Internet's role as a place of political and creative expression.
The endgame is more control, and the "hacker" provides an ominous, omnipresent threat that, because of the hacker's naturally secretive nature, can neither be confirmed nor denied with any veracity. Much like the War on Terror, this War on Hacking takes rights from the American public, carves out huge chunks and sends the gutted remains back to citizens in a package marked "Safety."
by Mike Masnick
Tue, Apr 16th 2013 4:14pm
Thousands Of People Tweet To Rep. Mike Rogers That They're Not 14, Not In Their Basement, And They Still Oppose CISPA
from the speak-up dept
Perhaps Congressman Mike Rogers might want to rethink his assessment of the opposition and recognize that maybe there are legitimate privacy concerns that he has chosen to not properly address in his bill.
by Mike Masnick
Tue, Apr 16th 2013 3:39pm
from the because,-privacy,-pshah,-who-needs-it? dept
All of these seemed like reasonable responses to the privacy concerns raised by the White House and others. And they were all rejected before they even got to the floor. Yes, this wasn't about them being voted down by the whole House. Rather, the Rules Committee voted not to even let them be voted on by the House. Why? As far as I could tell from the hearing, the answer was "because [reasons]." Also some garbage about how no one intended the law to be misused. Um. If that's the case, why not put it in the law to block it from being abused?
There is one amendment, from Rep. Jackson Lee, that contains a few nods towards privacy, and does make clear that service providers are not required to provide info. It would also seek to protect a very specific class of private data (that stored by a company that also provides info services to the government), but that's got little to do with the key privacy protections proposed elsewhere. There is also an amendment from Rep. Barton that stops companies from using any info they get from each other for marketing purposes, but that's really not a huge issue with the CISPA related data. Neither of these is a serious privacy protection, and neither is certain to get adopted either.
So, now the CISPA fight will go to the floor of the House without any serious meaningful amendments concerning privacy, and (as is typical) the House is likely to pass it. The next fight will be in the Senate to see what sort of awful proposal comes out of there as well, and whether or not it matches up with CISPA.
by Mike Masnick
Tue, Apr 16th 2013 1:47pm
from the taking-the-high-road? dept
Update: Sina Khanifer has uploaded a video of Rogers making these comments.
Second, the comment about Silicon Valley CEOs is not true. Yes, there are some tech companies who are in favor of CISPA, mainly because of the liability protections they would get. But it is hardly an across the board belief. Many, many tech companies are all quite concerned about CISPA and what it will mean for the privacy of their users. Both Mozilla and Reddit have strongly spoken out against CISPA. Do they not count?
Third, there's the idea that because some Silicon Valley CEOs support CISPA, there couldn't possibly be any concern. This is an outgrowth of the myth that SOPA was only stopped because tech companies spoke out. As such, politicians like Rogers think all they need to do is appease tech CEOs, and not the public, whom they're supposed to represent. That Rogers would so outwardly admit that as long as a small group of tech CEOs favor the bill (which is already a highly questionable statement), he can ignore the public and insult them, is really stunning.
Of course, what this really shows is Rep. Mike Rogers' absolute disdain for privacy. He doesn't take the concerns of the public, of privacy advocates, and even of the White House seriously. Instead, he sees privacy as something that should be mocked and those who support it insulted. Why should such a person be in charge of wiping out privacy laws on the internet?
by Mike Masnick
Tue, Apr 16th 2013 1:18pm
from the now-carry-through dept
Both government and private companies need cyber threat information to allow them to identify, prevent, and respond to malicious activity that can disrupt networks and could potentially damage critical infrastructure. The Administration believes that carefully updating laws to facilitate cybersecurity information sharing is one of several legislative changes essential to protect individuals' privacy and improve the Nation's cybersecurity. While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.
There are some good amendments proposed, which would help protect privacy, but it's unclear how likely they are to pass.
The Administration recognizes and appreciates that the House Permanent Select Committee on Intelligence (HPSCI) adopted several amendments to H.R. 624 in an effort to incorporate the Administration's important substantive concerns. However, the Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill. The Administration seeks to build upon the continuing dialogue with the HPSCI and stands ready to work with members of Congress to incorporate our core priorities to produce cybersecurity information sharing legislation that addresses these critical issues.
Furthermore, it's still quite troubling that no one seems willing to explain why this is needed, and what existing laws are somehow getting in the way of important information being shared. We keep asking that question, and it seems odd that no one replies other than "but... but... but... cyberattacks from China!!"