The United States Cyber Intelligence Sharing and Protection Act (CISPA) has passed in the US House of Representatives despite vocal online opposition, and the surprising threat of veto from the White House. H.R. 3523 drew criticism because it is purported to be a threat to privacy as it encourages Internet services to share user information with government agencies (full final text here).

While online groups were very vocal against CISPA, they failed to reach the same level of opposition as they did with SOPA and PIPA. It is possible that privacy is just not as sexy a subject as copyright infringement. It is possible that CISPA’s proponents were much more aware of the way in which the Internet defeated the previous two bills, and how it is on the verge of giving ACTA the killing blow. But perhaps the reason why the bill passed is because nowadays users assume that they have no online privacy anyway. It does feel like Big Brother is constantly watching us, so what damage could one more piece of legislation do?

In previous articles related to US legislative efforts, we have commented that laws passed in the United States have a lot of relevance for the rest of the world because of that country’s importance in the Web’s architecture. This assessment is also proved historically; consider the DMCA’s notice and take-down regime, which has become a de facto international standard, but there is also the fact that it has had considerable extra-territorial effects knocking down content in countries where the law was not supposed to have effect.

So, is CISPA a threat abroad as well? Does the pontiff subscribe to the Roman Catholic theology? Do members of the ursine species perform bodily functions in heavily-wooded areas?

From the start the Bill was advertised with an unhealthy dose of jingoism; its proponents sold it as a way to defend against foreign cyber-threats. While not mentioned specifically, the Act talks mostly about US intelligence agencies sharing information with private parties (with adequate security clearance) and vice versa. Checks and balances are supposedly placed on the use of that information and how it is to be stored and handled by the US government. The heavy implication here is that these threats come from abroad, or that is how the proponents sold it to the tech industry and to the media. The reality is that the final Act is horrendously vague, and seems to create a private intelligence apparatus. My greatest concern about CISPA is that it will create surveillance sub-departments in technology companies, just like there are DMCA compliance offices everywhere.

CISPA becomes truly worrying in Sec. 1104.(b)(1), which cites the private entities that will be subject to the law. These are “cybersecurity providers” and “self-protected entities”. The definitions for these are too vague, to say the least. A cybersecurity provider is “a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.” In other words, this covers anyone who manufactures anything which can be used to secure information online, including certificate authorities and other similar security intermediaries. The clear threat here is that these intermediaries will have to snoop on their users and report back to the US federal government. Interestingly, I think that the definition clearly covers VPN and proxy providers! Similarly, a self-protected entity is “an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.” In other words, any company with antivirus software and a firewall is subject to the law. Nice piece of legislative jiggery. So, what are the responsibilities of these service providers? The Act states:

“(1) IN GENERAL-
(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes–
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.
(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes–
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
(ii) share such cyber threat information with any other entity, including the Federal Government.”

This is truly terrifying. The vagueness in the definition of terms seems to be on purpose to cover all internet intermediaries, from the big to the small. Another worrying aspect is that CISPA spends more time reassuring businesses that all proprietary information is to be maintained as such, and that the data shared will not be used by another private entity to gain a competitive commercial advantage, than it does ensuring user privacy. Furthermore, CISPA creates a blanket exemption from liability for privacy breaches sanctioned by the Act. It reads:

“(4) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith–
(A) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or
(B) for decisions made based on cyber threat information identified, obtained, or shared under this section.”

For the above, read “If you spy for us, we won’t sue you”.

If you think that CISPA won’t affect us in the rest of the world, you better think again. As stated above, the US has such a prominent central role in the Web’s architecture that chances are you are already covered by the legislation. Think of the purposeful vagueness in the cited sections. The obvious implication is that if you use an American certificate authority, you will be subject to the law. Similarly, if you use a US-based or US-hosted antivirus, firewall, VPN, or proxy service, you should consider all of your traffic insecure. In my opinion, CISPA is clearly intended to bring into the fold the anonymising industry based in the US. But what worries me is that the law, as drafted, includes every other service provider, from search engines to social networks, from World of Warcraft to Instagram. If the law passes through the entire legislative process, we are all subject to it.

The solution is simple. The rest of the world needs to continue moving away from the incredible push towards the application of US supra-national jurisdiction that we have experienced in the last few years. Just vote with our feet and start using services that are not subject to such controls. That is, at least, until our governments buckle under the pressure and adopt similar compliance legislation and treaties.

But every cloud has a silver lining… at least your firearm sales records are exempt from scrutiny!


3 Comments

Rwolf · May 2, 2012 at 6:27 am

Government Asset Forfeiture To Escalate If U.S. Senate Passes CISPA Legislation.

CISPA the Cyber Intelligence Sharing and Protection Act if signed into law will allow the military and NSA warrant-less spying on Americans’ confidential electronic Communications; any transmitted private information circumventing the fourth amendment. CISPA will allow any self-protected cyber entity to share with the Feds any person’s private information that might allegedly relate to a cyber threat or crime. Considering the U.S. Government’s current business relationship with telephone and Internet companies, it should be expected the feds would use CISPA to gain unprecedented access to lawful Americans’ private electronic communications. Almost every week news media reports corrupt police arrested for selling drugs, taking bribes and perjury. It is foreseeable that broad provisions in CISPA that call for private businesses / cyber entities to share among themselves and with Spy Agencies confidential information will open the door for corrupt government and police to sell a corporation’s confidential information to its competitors, foreign government and others. CISPA provides insufficient safeguards to control disposition of (shared) confidential corporate / cyber entity information, including confidential information shared by spy agencies with private entities derived from spying on Americans.

The recent House Passed Cyber Security Bill overrides the Fourth Amendment. Government may use against Americans in Criminal, Civil and Administrative courts (any information) derived from CISPA warrant-less Internet spying.

CISPA will open the door for U.S. Government spy agencies such as NSA; the FBI; government asset forfeiture contractors, any private entity (to take out of context) any innocent—hastily written email, fax or phone call to allege a crime or violation was committed to cause a person’s arrest, assess fines and or civilly forfeit a business or property. There are more than 350 laws and violations that can subject property to government asset forfeiture. Government civil asset forfeiture requires only a civil preponderance of evidence for police to forfeit property, little more than hearsay.

CISPA (warrant-less electronic surveillance) will enable the U.S. Justice Department to bypass the Fourth Amendment, use information extracted from CISPA electronic surveillance of Americans’ Web Server Records, Internet Activity, transmitted emails, faxes, and phone calls to issue subpoenas in hopes of finding evidence or to prosecute Citizens for any alleged crime or violation. If the current CISPA is signed into law it is problematic federal, state and local law enforcement agencies and private government contractors will want access to prior Bush II NSA and other government illegally obtained electronic records to secure evidence to arrest Americans; civilly forfeit their homes, businesses and other assets under Title 18USC and other laws. Of obvious concern, what happens to fair justice in America if police become dependent on “Asset Forfeiture” to help pay their salaries and budget operating costs?

Note: the passed “Civil Asset Forfeiture Reform Act of 2000” (effectively eliminated) the “five year statute of limitations” for Government Civil Asset Forfeiture of property: the statute now runs five years (from the date) police allege they “learned” an asset became subject to forfeiture. If CISPA takes effect, allows (no warrant) electronic government surveillance of Americans, it is expected CISPA will be used by government not only to thwart cyber threats, but to aggressively prosecute Americans and businesses for any alleged crime: U.S. Government spy and police agencies; quasi government contractors for profit, will relentlessly sift through Citizen and businesses’ (government retained Internet data), emails and phone communications to discover possible crimes or civil violations.

A corrupt U.S. Government Administration could too easily use CISPA no-warrant-seized emails, faxes, Internet data and phone call information to target, blackmail and extort its political opposition; target any Citizen, corporation and others in the manner Hitler used his Nazi passed legislation that permitted no-warrant Nazi police searches and seizure of Citizens and businesses or to extort support for the Nazi fascist government. Hitler Nazi Laws made it possible for the Nazis to strong-arm German parliament to pass Hitler’s 1933 Discriminatory Decrees that suspended the Constitutional Freedoms of German Citizens. History shows how that turned out.

CISPA (warrant-less electronic surveillance) has the potential of turning America into a Fascist Police State.
