We just noted how Rep. Mike Rogers, the sponsor of the CISPA cybersecurity bill that wipes out a variety of privacy protections for companies handing private info to the government, had told the House Rules Committee that the only real opposition was 14-year-olds in their basement. It seems that many opponents of CISPA think Rogers is ignorant. A campaign quickly went viral on Twitter in which people are tweeting at Rep. Rogers' account about how they're not 14, not in their basement, but still very much opposed to CISPA. In just an hour or so, there have been well over 1,500 tweets, and the number keeps growing rapidly. By the time this post is edited and live, it will almost certainly be well over 2,000 and growing.
Those are just two quick screenshots showing some of the top complaints. That's not me pulling out a few; those were just the most recent ones, and new ones keep piling up.
Perhaps Congressman Mike Rogers might want to rethink his assessment of the opposition and recognize that maybe there are legitimate privacy concerns that he has chosen to not properly address in his bill.
The House Committee on Rules has been debating CISPA and what will be covered in the official floor debate and what amendments will be presented tomorrow or the next day (whenever it hits the floor). Much of it was routine stuff, but there was some typical bogus grandstanding about the giant threat of a cyberattack that's going to kill us all (be afraid!) if we don't do something (no worry about if that something will actually help). Representative Mike Rogers, the sponsor of CISPA and its main backer, decided that he was going to take the lowest road possible in talking about the concerns of privacy advocates by saying that the only opposition is "14-year-olds in their basement." That statement followed the claim that "Silicon Valley CEOs support CISPA."
This is insulting on a whole variety of levels. First of all, it suggests that privacy advocates are nothing more than children. That's ridiculous. The White House, who have raised privacy concerns about the bill, are 14-year-olds in their basement? Rogers honestly thinks insulting the President is the way to get CISPA passed? The ACLU are 14-year-olds in their basement? Really? The tens of thousands of people who have contacted Congress in the past few weeks about this are all 14-year-olds in their basement? Rogers owes the public he represents a massive apology.
Second, the comment about Silicon Valley CEOs is not true. Yes, there are some tech companies who are in favor of CISPA, mainly because of the liability protections they would get. But it is hardly an across the board belief. Many, many tech companies are all quite concerned about CISPA and what it will mean for the privacy of their users. Both Mozilla and Reddit have strongly spoken out against CISPA. Do they not count?
Third, there is the idea that because some Silicon Valley CEOs support CISPA, there couldn't possibly be any concern. This is an outgrowth of the myth that SOPA was only stopped because tech companies spoke out. As such, politicians like Rogers think all they need to do is appease tech CEOs, and not the public, whom they're supposed to represent. That Rogers would so outwardly admit that as long as a small group of tech CEOs favor the bill (which is already a highly questionable statement), he can ignore the public and insult them, is really stunning.
Of course, what this really shows is Rep. Mike Rogers' absolute disdain for privacy. He doesn't take the concerns of the public, of privacy advocates, and even of the White House seriously. Instead, he sees privacy as something that should be mocked and those who support it insulted. Why should such a person be in charge of wiping out privacy laws on the internet?
While it had hinted at a veto threat earlier, the White House has now put out a statement on CISPA saying that, if privacy protections are not added to the bill, it will likely veto the bill. I know some cynical folks will note the possibility of an out, and the chance that he'll sign the bill anyway, but hopefully the meaningful threat of a veto will convince Congress to think twice about passing a bad bill that wipes out privacy protections.
Both government and private companies need cyber threat information to allow them to identify, prevent, and respond to malicious activity that can disrupt networks and could potentially damage critical infrastructure. The Administration believes that carefully updating laws to facilitate cybersecurity information sharing is one of several legislative changes essential to protect individuals' privacy and improve the Nation's cybersecurity. While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.
The Administration recognizes and appreciates that the House Permanent Select Committee on Intelligence (HPSCI) adopted several amendments to H.R. 624 in an effort to incorporate the Administration's important substantive concerns. However, the Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill. The Administration seeks to build upon the continuing dialogue with the HPSCI and stands ready to work with members of Congress to incorporate our core priorities to produce cybersecurity information sharing legislation that addresses these critical issues.
There are some good amendments proposed, which would help protect privacy, but it's unclear how likely they are to pass.
Furthermore, it's still quite troubling that no one seems willing to explain why this is needed, and what existing laws are somehow getting in the way of important information being shared. We keep asking that question, and it seems odd that no one replies other than "but... but... but... cyberattacks from China!!"
We've talked about various tech companies supporting CISPA, which is really shameful and short-sighted. Yes, it protects them from liability if they trample all over your privacy and provide your private info to the government -- which is why they support it. But if they were truly customer-focused companies, they would know that violating your privacy is no way to build a loyal customer base. And, apparently, the right to violate your privacy and hand that info to the government is so important to IBM that it has sent 200 executives to Capitol Hill today to lobby in favor of passing CISPA. CISPA is expected to go to a floor vote in the House either this Wednesday or Thursday.
Nearly 200 senior IBM executives are flying into Washington to press for the passage of a controversial cybersecurity bill that will come up for a vote in the House this week.
The IBM executives will pound the pavement on Capitol Hill Monday and Tuesday, holding nearly 300 meetings with lawmakers and staff. Over the course of those two days, their mission is to convince lawmakers to back a bill that’s intended to make it easier for industry and government to share information about cyber threats with each other in real time.
What they still can't explain is what laws currently get in the way of this information sharing. We've been asking for years and no one has answered. Everyone agrees that information sharing around an attack can be useful in stopping it, but no one has explained why that information sharing (a) requires a new law or (b) can't be done without wiping out all basic privacy protections for personal info currently provided under existing law.
Even more ridiculous is that IBM flat out admits that they want to be able to send your info to the NSA. We've pointed out for a while that one of the major concerns with CISPA is that the NSA -- a military agency -- would get access to your info, despite the general prohibition on spying on Americans. Of course, the NSA has twisted that mandate ridiculously, such that it believes it can now spy on anything so long as they claim it may help them in finding a foreign threat. Technically, the law is about the "target" of the information, and the NSA (and potentially the secret ruling from the FISA Court) has interpreted this to mean that as long as the target of the investigation is a foreign threat, then the NSA can snoop through anything in pursuit of that target.
Of course, most folks have been trying to play down the fact that the NSA would get the info. But not IBM. Nope, they're thrilled to send your private info right to the NSA:
[IBM VP of government affairs Chris] Padilla, however, says companies need to be able to share threat data directly with the NSA “because that’s where the expertise is.”
“It really is a simple matter. The expertise in the U.S. government on cybersecurity largely rests in one place, and that's the National Security Agency,” he said. “They tend to know the most, the soonest about cyber threats and I think, frankly, there is a certain amount of feeling in the business community that you should be able to work directly and share information directly with the agency that has the most expertise.”
While the NSA does have some knowledge on cybersecurity, it's an exaggeration to suggest that they have "the expertise" on the subject. It also does nothing to explain why your private info should be included.
We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections. The Administration seeks to build upon the productive dialogue with Chairman Rogers and Ranking Member Ruppersberger over the last several months, and the Administration looks forward to continuing to work with them to ensure that any cybersecurity legislation reflects these principles. Further, we believe the adopted committee amendments reflect a good faith-effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities.
Though it doesn't raise the possibility of a veto, and even avoids explicitly taking a position of support or opposition, it serves as a fairly clear indication that the administration will not be supporting CISPA. Nevertheless, it's a little disappointing in its meekness.
Whenever someone spends that many words acknowledging the "good faith" of their opponent and boasting about "productive dialogue", it's a good sign that neither of those things are true. As we noted earlier, the amendments that were adopted during markup do not just fail to address the issues, they raise serious questions about just how much "good faith" has really been involved in this debate on the side of those who are pushing for the legislation. The dialogue, much like the one with CISPA last year, tends to go a lot like this:
Opponents: We are concerned that the bill will be abused in the following ways...
Supporters: No, we're not going to do those things.
Opponents: Good, but the language still makes it a possibility. You should re-write it to be more clear.
Supporters: Okay, we've rewritten it with a more detailed list of restrictions and exceptions.
Opponents: But these exceptions are all for exactly the things we were worried about in the first place.
Supporters: Sure, but we're not going to do those things.
The truth is, there's little evidence of any real effort to address the concerns of privacy and civil liberties advocates, the administration, or the general public. The markup session in which the final changes were adopted was closed to the public, and the responses from the bill's supporters when pressed on these issues have been somewhat less than comforting. Moreover, we shouldn't even be in the final stages of drafting legislation to solve a problem that nobody has clearly described in the first place. It's good that the White House is not giving CISPA any support, but here's hoping they go a step further and make their opposition to this whole broken approach to cybersecurity legislation explicit.
As expected, CISPA passed the House Intelligence Committee today after a closed markup session. The vote was 18-2, and according to Tony Romm at Politico, all of the amendments that were backed by the original authors of the bill were adopted. If that's the case, we're talking about a bunch of changes that sound nice but don't accomplish much, such as dropping the "national security" provisions while broadening the definition of cybersecurity to encompass almost anything, requiring the government to remove personal information from shared data (once it's already in the hands of the government), and explicitly preventing companies from using data they receive for marketing purposes (which seems to go against previous insistence that the information shared would only be highly technical threat data).
CISPA is expected to go to the full House for a vote next week. As we get a closer look at the bill in its latest state, we'll do a more detailed analysis — but as it stands there's little reason to believe that any of the core problems have been fixed (and we're still waiting for someone to explain in clear, specific terms why this bill is needed at all).
Since the beginning of the cybersecurity FUDgasm from Congress, we've been asking for proof of the actual problem. All we get are stories about how airplanes might fall from the sky, but not a single, actual example of any serious problem. Recently, some of the rhetoric shifted to how it wasn't necessarily planes falling from the sky but Chinese hackers eating away at our livelihoods by hacking into computers to get our secrets and destroy our economy. Today, Congress is debating CISPA (in secret) based on this assumption. There's just one problem: it's still not true.
The 27 largest U.S. companies reporting cyber attacks say they sustained no major financial losses, exposing a disconnect with federal officials who say billions of dollars in corporate secrets are being stolen.
MetLife Inc., Coca-Cola Co. (KO), and Honeywell International Inc. were among the 100 largest U.S. companies by revenue to disclose online attacks in recent filings with the Securities and Exchange Commission, according to data compiled by Bloomberg. Citigroup Inc. (C) reported “limited losses” while the others said there was no material impact.
So what's this all really about? It goes back to what we said from the very, very beginning. This is all FUD, engineered by defense contractors looking for a new way to charge the government tons of money, combined with a willing government who sees this as an opportunity to further take away the public's privacy by claiming that it needs to see into corporate networks to prevent these attacks.
If this was a real problem, wouldn't we see at least some evidence?
As we mentioned last week, CISPA is scheduled for markup tomorrow, and the markup will be done behind closed doors without any public scrutiny allowed. This makes no sense. They are not debating the reason for the law, but rather the text of the law itself. The law will be public, and any debate about the language and amendments included should be public as well. As Julian Sanchez points out, it makes perfect sense for intelligence briefings to be held in secret, but it never makes sense to hold debates about what the law should be in secret. So why is Congress doing so?
In the meantime, it appears that the main backers of the bill will be supporting some amendments (and may release a manager's amendment), which marginally limit how the information the government gets from companies can be used. However, this does little to deal with the real problems of the bill: the immunity companies get for sharing pretty much any private info with any government agency. At the very least, there's no reason that CISPA shouldn't require that companies strip personally identifiable information from any data they share with the government.
But, really, this deserves to go much further. At no point -- in the many years that cybersecurity legislation has been discussed -- has anyone in Congress explained why we need this. Yes, they've given FUD-like horror stories about planes falling from the sky, or they've pointed to Chinese hackers. But what they have not done is show how (a) current law gets in the way of the necessary information sharing to help combat any threats or (b) how CISPA will help stop such attacks. You'd think that both of these points would be at the top of the list of the things that Congress would be explaining to get support for this bill. Instead, we hear scare stories about evil hackers out to destroy us, and an awful lot of "trust us." It's tough to trust the government, though, when they won't even let you know what they're debating.
Back when this hype about "cybersecurity" and "cyberwar" first started to hit the mainstream (early on, "cyberwar" was more common, but lately people focus on "cybersecurity"), we had an article which suggested that much of this really seemed to be about scaring up a panic for the sake of throwing money at defense contractors who wanted to charge crazy huge sums for "helping" with cybersecurity. And, as we noted, that push was leading to hundreds of millions of dollars in government contracts. It appears that, with cybersecurity FUD only getting bigger and bigger, the folks who are making out like bandits are all those defense contractors who are jumping in to fan the flames of FUD... and then taking our taxpayer money to "fix" the problem.
In that link above, they talk about Lockheed and Raytheon signing agreements with Homeland Security in which they get to "help" the government out by scanning email and other info collected by the NSA.
Under the program, critical infrastructure companies will pay the providers, which will use the classified information to block attacks before they reach the customers. The classified information involves suspect Web addresses, strings of characters, email sender names and the like.
None of this necessarily means that online attacks aren't a real threat... but I'd feel a lot more comfortable about where things were heading if there weren't a whole bunch of defense contractors gleefully rubbing their hands together as they scoop up more and more contracts while the FUD keeps spreading.
from the does-the-council-of-economic-advisors-need-your-emails? dept
One of the key complaints about CISPA is the fact that it does absolutely nothing to make sure any data of yours that is shared with the government by third parties is sent narrowly to folks working to protect us from cybersecurity threats. Instead, the information can be shared with any agency of the government, so long as they can claim, vaguely, that it's being used for "cybersecurity purposes." But, as the EFF points out, without any limitations on who in the government can see your data, every government agency can see your data. They've even put together a helpful "list."
One question we sometimes get is: Under CISPA, which government agencies can receive this data? For example, could the FBI, NSA, or Immigration and Customs Enforcement receive data if CISPA were to pass?
The answer is yes. Any government agency could receive data from companies if this were to pass, meaning identifiable data could be flowing to the Bureau of Alcohol, Tobacco, Firearms and Explosives, the National Security Agency, or even the Food and Drug Administration.
We've reposted the list below as well, just so you can get an idea of which government agencies could get access to your data on CISPA (and which ones thought that, perhaps, that's not such a good idea).