A point-by-point examination of whether changes to the CISPA legislation successfully address its flaws.
Yesterday I wrote a piece detailing a range of issues with the Cyber Intelligence Sharing and Protection Act that is scheduled to go before Congress for a vote this Friday. By the time that piece would have run, it was already outdated: Last-minute opposition from privacy and civil liberties advocates, including the Electronic Frontier Foundation, the American Civil Liberties Union, and the Center for Democracy and Technology, has convinced the bill's authors to support a set of amendments at the 11th hour intended to address some of the most problematic aspects of the bill. Below is a discussion of some of the issues I (and others) had with the original version and how the new amendments address (or fail to address) these issues.
The goal of CISPA (full text), ostensibly, is "to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence." CISPA is written on the reasonable assumption that cyber threats with national security significance could target a range of privately held networks or infrastructure and that in such an event it would behoove us all to have open lines of communication. Prior to the recent amendments, CISPA went far beyond merely streamlining information sharing, to threaten individual civil liberty, and would have potentially introduced a back-door intellectual-property-enforcement regime. For example, the Electronic Frontier Foundation concluded that the original draft of the bill could be used against WikiLeaks and Pirate Bay.
Basically, CISPA authorizes companies and government agencies to share customer data from ISPs and websites for the purpose of dealing with cybersecurity threats. Specifically, the bill allows companies (or the cybersecurity firms they have contracted with) to "use cybersecurity systems to identify and obtain cyber threat information to protect [their] rights and property" and then share that information with any other private company or the federal government.
Overly Broad Definitions:
One of the major problems with the original language of the bill stemmed from its incredibly broad definition of "cybersecurity." In the old draft of CISPA a cybersecurity purpose was anything done to "ensur[e] the integrity, confidentiality, or availability" of a system or network, as well as safeguarding against "efforts to degrade, disrupt, or destroy such system or network." This first part of the definition fit with common sense: cybersecurity purpose meant, basically, "anything that prevents a network from crashing or being breached and hijacked," right? But the bill went on to include anything done to prevent "theft or misappropriation of private or government information, intellectual property, or personally identifiable information." Critics -- myself included -- feared that this provision could be used as a back-door for SOPA-like intellectual-property enforcement.
The proposed Definitions Amendment (PDF) deals, at least to some extent, with this issue. The clause that included preventing "theft or misappropriation of information, intellectual property" etc. as a cybersecurity purpose was dropped and replaced with a much more precise definition. The new definition lays out four types of threats, the protection against which constitutes a cybersecurity purpose: 1) a vulnerability of a system or network; 2) "a threat to the integrity, confidentiality, or availability" of a network or of the information passing through the network; 3) "efforts to degrade, disrupt, or destroy a system or network" and 4) "efforts to gain unauthorized access," including for the purpose of misappropriating information (presumably including intellectual property).
As far as intellectual property is concerned, the previous definition might have included preventing any file-sharing activity as a "cybersecurity purpose," whereas this definition would only seem to cover things like breaking into a proprietary database to access copyrighted content. This is an appropriately more limited definition.
The amendment goes on to limit this definition so as to exclude unauthorized access that only violates consumer terms of service or licensing agreements and doesn't otherwise constitute unauthorized access. This is also a promising change. It ensures that CISPA sharing is only appropriate for actual crimes, rather than having the U.S. intelligence community function as a de facto enforcement mechanism for the content industry's (often ridiculous) Terms of Service agreements.
Scope-Creep in the Use of Information:
The original version of CISPA allowed the government to use all of the information it has been given for "any lawful purpose" as long as it can be argued that one purpose of that use was cybersecurity-related. This would seem to have left a back-door wide open for SOPA-like intellectual property enforcement. The bill did not include any form of judicial oversight to check increasingly lenient and inclusive interpretations of this provision. In the absence of such oversight, it seemed likely that -- in an environment of extreme pressure from organizations like the RIAA and MPAA -- scope creep would lead to the use of CISPA provisions for much more than protecting critical national security infrastructure.
Here too the recently proposed amendments offer some significantly positive changes. The Use Amendment (PDF) changes the bill from allowing the information to be used for "any lawful purpose" to allowing the information to be used for five distinct purposes. Under these new restrictions the government will be able to use information shared under CISPA 1) for cybersecurity purposes -- limited more meaningfully by the definitions amendment; 2) for the investigation and prosecution of cybersecurity crimes; 3) "for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm"; 4) for protecting minors from child pornography, exploitation, trafficking, etc.; and 5) to protect national security.
Of course, this is still fairly broad; it is likely that action against WikiLeaks could still be justified under these definitions. However, they do seem to help ensure that the use of information does not exceed reasonable cybersecurity bounds by too much. It is still troubling, however, that information shared under CISPA could be used in criminal proceedings against individuals, since it can be collected without any Fourth Amendment considerations.
The Minimization Retention and Notification Amendment (PDF) offers another positive improvement. This amendment requires that if the Federal Government receives any information that is deemed not to be relevant to cyber threats, it must notify the private entities that they have shared non-relevant information. It would be nice to see this provision include a public report exposing private companies for repeated over-sharing so people could make informed decisions about providing their data to entities that are overeager sharers.