Can Last-Minute Amendments Redeem the Troubling Cybersecurity Bill?

A point-by-point examination of whether changes to the CISPA legislation successfully address its flaws.


Yesterday I wrote a piece detailing a range of issues with the Cyber Intelligence Sharing and Protection Act that is scheduled to go before Congress for a vote this Friday. By the time that piece would have run, it was already outdated: Last minute opposition from privacy and civil liberties advocates including the Electronic Frontier Foundation, The American Civil Liberties Union, and the Center for Democracy and Technology have convinced the bill's authors to support a set of amendments at the 11th hour intended to address some of the most problematic aspects of the bill. Below is a discussion of some of the issues I (and others) had with the original version and how the new amendments address (or fail to address) these issues.

The goal of CISPA (full text), ostensibly, is "to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence." CISPA is written on the reasonable assumption that cyber threats with national security significance could target a range of privately held networks or infrastructure and that in such an event it would behoove us all to have open lines of communication. Prior to the recent amendments, CISPA went far beyond merely streamlining information sharing, to threaten individual civil liberty, and would have potentially introduced a back-door intellectual-property-enforcement regime. For example, The Electronic Frontier Foundation concluded that the original draft of the bill could be used against WikiLeaks and Pirate Bay.

Basically CISPA authorizes companies and government agencies to share customer data from ISPs and websites for the purpose of dealing with cybersecurity threats. Specifically, the bill allows companies (or the cybersecurity firms they have contracted with) to "use cybersecurity systems to identify and obtain cyber threat information to protect [their] rights and property" and then share that information with any other private company or the federal government.

Overly Broad Definitions:

One of the major problems with the original language of the bill stemmed from its incredibly broad definition of "cybersecurity." In the old draft of CISPA a cybersecurity purpose was anything done to "ensur[e] the integrity, confidentiality, or availability" of a system or network, as well as safeguarding against "efforts to degrade, disrupt, or destroy such system or network." This first part of the definition fit with common sense: cybersecurity purpose meant, basically, "anything that prevents a network from crashing or being breached and hijacked," right? But the bill went on to include anything done to prevent "theft or misappropriation of private or government information, intellectual property, or personally identifiable information." Critics -- myself included -- feared that this provision could be used as a back-door for SOPA-like intellectual-property enforcement.

The proposed Definitions Amendment (PDF) deals, at least to some extent, with this issue. The clause that included preventing "theft or misappropriation of information, intellectual property" etc. as a cybersecurity purpose was dropped and replaced with a much more precise definition. The new definition lays out four types of threats, the protection against which constitutes a cybersecurity purpose: 1) a vulnerability of a system or network; 2) "a threat to the integrity, confidentiality, or availability" of a network or of the information passing through the network; 3) "efforts to degrade, disrupt, or destroy a system or network" and 4) "efforts to gain unauthorized access," including for the purpose of misappropriating information (presumably including intellectual property).

As far as intellectual property is concerned the previous definition might have included preventing any file-sharing activity as a "cybersecurity purpose," whereas this definition would only seem to cover things like breaking into a proprietary database to access copyrighted content. This is an appropriately more limited definition.

The amendment goes on to limit this definition so as to exclude unauthorized access that only violates consumer terms of service or licensing agreements and don't otherwise constitute unauthorized access. This is also a promising change. It ensures that CISPA sharing is only appropriate for actual crimes, rather than having the U.S. intelligence community function as a de-facto enforcement mechanism for the content industry's (often ridiculous) Terms of Service agreements.

Scope-Creep in the Use of Information:

The original version of CISPA allowed the government to use all of the information they have been given for "any lawful purpose" as long as it can be argued that one purpose of that use was cyber-security related. This would seem to have left a back-door wide open for SOPA-like intellectual property enforcement. The bill did not include any form of judicial oversight to check increasingly lenient and inclusive interpretations of this provision. In the absence of such oversight, it seemed likely that -- in an environment of extreme pressure from organizations like the RIAA and MPAA -- scope creep would lead to the use of CISPA provisions for much more than protecting critical national security infrastructure.

Here too the recently proposed amendments offer some significantly positive changes. The Use Amendment (PDF) changes the bill from allowing the information to be used for "any lawful purpose" to allowing the information to be used for five distinct purposes. Under these new restrictions the government will be able to use information shared under CISPA for 1) cybersecurity purposes -- limited more meaningfully by the definitions amendment; 2) for the investigation and prosecution of cybersecurity crimes; 3) "for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm"; and 4) for protecting minors from childpornography, exploitation, trafficking etc.; 5) to protect national security.

Of course, this is still fairly broad; it is likely that action against WikiLeaks could still be justified under these definitions. However, they do seem to help ensure that the use of information does not exceed reasonable cybersecurity bounds by too much. It is still troubling, however, that information shared under CISPA could be used in criminal proceedings against individuals, since it can be collected without any Fourth Amendment considerations.

The Minimization Retention and Notification Amendment (PDF) offers another positive improvement. This amendment requires that if the Federal Government receives any information that is deemed not to be relevant to cyber threats they must notify the private entities that they have shared non-relevant information. It would be nice to see this provision include a public report exposing private companies for repeated over-sharing so people could make informed decisions about providing their data to entities that are over eager sharers.

More importantly, however, this amendment goes on to explicitly prohibit the government from retaining or using any information shared under CISPA for any purpose other than those explicitly allowed. Finally this amendment states that "The Federal Government may... undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government." This is another positive step. However, this language does not seem to create a duty to limit the impact, but rather allows for it. It would be nice to see it worded as "The Federal Governement shall..." rather than "The Federal Government may...."

What the Amendments Don't Fix:

These amendments go a long way to assuaging my fears that CISPA will be used as a crude anti-piracy bludgeon. However, that doesn't mean that the current, amended iteration of CISPA is a good bill. There remain a significant spate of issues with the bill that threaten individual privacy.

Timothy Lee at Ars Technica noted that there are numerous laws on the books that regulate what kinds of private information a company can disclose about its customers.

For example, the 1986 Electronic Communications Privacy Act regulates when and how network providers can disclose the contents of their customers' electronic communications. [Other laws protect] privacy of consumers' health care records, financial information, educational records, video rentals, and more.

The new amendments don't fix the fact that CISPA completely ignores this existing legislation, instead allowing almost unlimited disclosure as long as it is seen to be serving a cybersecurity purpose. The provisions allowing for companies to collect and disclose "cybersecurity information" are written using a sneaky little bit of legalese that would appear to circumvent all existing statutory limitations. The main provisions are introduced with the phrase "Not-withstanding any other provision of law." This phrase, essentially, renders all existing privacy protections irrelevant as long as it can be claimed that the information being collected and shared is relevant to a cybersecurity purpose.

In fact, this "notwithstanding" trick is well-known to be problematic: the non-partisan Congressional Research Service cautioned (PDF) that its use can lead to "unforeseen consequences for both existing and future laws." Your medical records, private emails or other communication, web-history, Amazon or Ebay purchases, anything you store in the cloud, is all fair game for a company (like your ISP) to collect and hand over to the government. This is limited, of course, to information that they can argue is useful for a "cybersecurity purpose." The original incredibly vague and broad definition of cybersecurity purpose would likely have made this is a very low hurdle to clear. The more specific definitions offered in the amendment are likely to make abuse somewhat harder, but not as hard as it would be if existing privacy protections were respected.

While some form of judicial oversight could act as a bulwark against abuse, a degree of transparency in the process could serve the same purpose. The bill does call for the Inspector General of the Intelligence Community to submit a report to congressional intelligence communities detailing the use of information shared under its provisions. This report is to include a summary of the government use of information shared under CISPA for "purposes other than a cybersecurity purpose," as well as "metrics to determine the impact of the sharing... on privacy and civil liberties." While this is a step in the right direction, there does not seem to be a requirement that this report be made publically available.  Worse still, the bill ensures that all information shared under CISPA is expressly exempt from disclosure under Freedom of Information requests ( section 552 of title 5, United States Code ).

CISPA is like some perverse but-wait-there's-more infomercial of bad policy. And more there is. Any use of a cybersecurity system to gather information as well as any disclosure of that information under CISPA is expressly exempt from liability. This would seem to mean that if you felt Facebook, Google or your Internet Service provider were in breech contract by violated their own privacy policies and disclosing your personal information, there would likely be nothing you could do about it. Of course, you would probably never know they had shared the information in the first place.

CISPA supporters -- a list that surprisingly includes SOPA opponent Congressman Darrell Issa -- are quick to point out that the bill does not obligate disclosure of any kind. Participation is "totally voluntary." They are right, of course, there is no obligation for a private company to participate in CISPA information sharing. However, this misses the point. The cost of this information sharing - in terms of privacy lost and civil liberties violated - is borne by individual customers and Internet users. For them, nothing about CISPA is voluntary and for them there is no recourse. CISPA leaves the protection of peoples' privacy in the hands of companies who don't have a strong incentive to care. Sure, transparency might lead to market pressure on these companies to act in good conscience; but CISPA ensures that no such transparency exists. Without correctly aligned incentives, where control over the data being gathered and shared (or at least knowledge of that sharing) is subject to public accountability and respectful of individual right to privacy, CISPA will inevitably lead to an eco-system that tends towards disclosure and abuse.

UPDATE: As of this evening the Office of the President issued a statement threatening to veto CISPA as it is currently written because the bill does not include appropriate "privacy, confidentiality, and civil liberties safeguards."