How the Newest Cybersecurity Bill Makes It Easier for the NSA to Spy On Your Online Activities

As the Internet helpfully reminds us, there are very few times when it is permissible to use the prefix “cyber.” If you are William Gibson, it’s fine. If you’re typing a dirty IM, we’ll let it pass. Notably absent from the list of exceptions? If you’re a member of Congress trying to make it easier for government intelligence agencies to work with big tech corporations to spy on Americans’ online activity. But that’s exactly what a majority of House Republicans and 42 House Democrats did last week when they voted 248 to 168 to pass the Cyber Intelligence Sharing and Protection Act (CISPA), which would make it easier for Internet companies to provide information about their users and their networks to government intelligence agencies. And they passed it with minimal recognition of the very real privacy concerns critics have about the law.

The problem with CISPA, as with so many tech-sector laws, is that the legislative language is vague enough that it creates a big potential loophole — in this case for domestic spies to track individual activity. As CNet’s Declan McCullagh explains, the law “wouldn’t formally grant the NSA or Homeland security any additional surveillance authority,” but it “would usher in a new era of information sharing between companies and government agencies — with limited oversight and privacy safeguards.”

The idea behind CISPA is to facilitate corporate information sharing between government tech spies and the corporations who run online communications networks — which includes everything from web portals and social networking sites like Google and Facebook to Internet Service Providers like Comcast and Verizon.

The rationale for the law, as Cato Institute tech policy expert (and Reason contributing editor) Julian Sanchez points out, is that those companies have the best access to usage data that could be used to detect patterns that might represent potential threats. Currently, however, those companies are prohibited from sharing such information on an informal basis, in part to protect these highly regulated businesses from federal "nudges" intended to get them to “voluntarily” share information about network traffic or users. Under CISPA, tech companies could more easily share “cyber threat information” with other other tech companies as well as with the government. They wouldn’t be forced to do so, but CISPA would override existing legal barriers to information sharing and collection.

If it’s all voluntary, is there really any reason to worry? Unfortunately, yes. One problem is that “threat information” is defined far too broadly. The language basically covers anything that anyone deems potentially a threat to any “system or network of a government or private entity,” including information “information directly pertaining to a vulnerability” in such a network. Information on attack patterns would be covered, but as Sanchez notes, depending on how you read the legislative language, “it might also include Julian Assange’s personal IM conversations (assuming he ever had an unencrypted one), or e-mails between security researchers.” Label any information a potential network threat, and it can be shared without the usual legal protections.

It's the potential to override those existing protections that's most worrying. As CNet's McCullagh writes:

What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so.

By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.")

"Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."

If CISPA were enacted, "part of the problem is we don't know exactly what's going to happen," says Lee Tien, an attorney at the Electronic Frontier Foundation, which sued AT&T over the Bush administration's warrantless wiretapping program. "I worry that you can get a version of cybersecurity warrantless wiretapping out of this."

Numerous civil liberties organizations, libertarian policy shops, and tech activist groups have come out against the bill: The American Civil Liberties Union warns that the bill “would create a loophole in all existing privacy laws, allowing companies to share Internet users' data with the National Security Agency, part of the Department of Defense, and the biggest spy agency in the world — without any legal oversight.” Tech Freedom’s Berin Szoka has posted a number of strong criticisms of the bill, including worries that it would allow for the sort of coercion of corporations that the existing information gathering rules were designed to help prevent.

But as of now, most Internet businesses aren’t speaking out about the bill. Unlike the last major tech proposals to hit Congress — the Internet-breaking anti-piracy bills SOPA and PIPA — CISPA is not widely opposed by major forces in the tech industry. Indeed, many are quietly supporting it. Which isn’t entirely surprising: the law facilitates sharing between tech industry players, who would presumably like to be able to more easily access information from their peers and competitors, as it does between tech companies and government authorities. But as of yesterday, at least one notable tech has come out in explicit opposition to the bill: Mozilla, maker of the browser Firefox, told Forbes that CISPA “infringes on our privacy, includes vague definitions of cybersecurity, and grants immunities to companies and government that are too broad around information misuse. We hope the Senate takes the time to fully and openly consider these issues with stakeholder input before moving forward with this legislation.” Sorry, Congress. It's still not OK to say cyber. 

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Pound. Head. On. Desk.||

    Well, if they had used the word "Web," that would have made it the "Web Intelligence Sharing and Protection Act" (WISPA), which would make it sound like a bad thing.

  • ||

    Seeing as the idea is to pay for user data from third-parties, hey should've called it The Generating Oversight and Defense of Web-Entity Security Utilizing Commoditized Knowledge Act, or GODWESUCK for short.

  • R C Dean||

    Cyber? I hardly know her!

  • Soc Indv Sparky||

    infringes on our privacy, includes vague definitions of cybersecurity, and grants immunities to companies and government that are too broad around information misuse.

    Duh, that's the whole point.

    We hope the Senate takes the time to fully and openly consider these issues with stakeholder input before moving forward with this legislation.

    The Senate sees your objection and is not amused. A SWAT team is on its way to put a stop to your terrorist business.

  • Heroic Mulatto||

    But...but...Terrorists...Internet drug deals....child pornography....THE CHINESE!!!!

    We must do something! Something I tell you!

  • Fist of Etiquette||

    Crafted by and voted on by idiots.

  • Soc Indv Sparky||

    Idiots that were voted into office by idiots. Apparently it's idiots all the way down.

  • ||

    Idiots all the way down.....good one sparky, I like that.

  • ||

    Idiots, yes. But I'm sure the vagueness was on purpose. They may be idiots, but they know how to expand their own power. They're not idiots about that.

  • BakedPenguin||

    And they're giving power to faceless bureaucrats, not directly to themselves. If they were power hungry for greed, lust, or other desires, it would at least be understandable. The most they'll get out of this is to sit in on some secret report where the spooks let them in on some hidden, stolen info.

    This is what our freedom is being destroyed for.

  • ||

    Oh, they gain power. Just think of what they can do to a company or person that pisses them off: they point their faceless bureaucrats at them and go "get 'em, boy!"

    Empowering the bureaucracy empowers those who control the bureaucracy.

  • Pip||

    CRUCIFY THEM!

  • ||

    They dont want the power directly because that might entail some accountability. This way they have a curtain of faceless bureaucrats to hide behind. They arent so much interested in having control over minutia as they are being in an insulated position of vast wealth where they only have to make the occasional decree.

  • BakedPenguin||

    Epi / Suth - it still seems odd to me. It's not like they're lacking in pointless regulations to use against the recalcitrant already.

  • ||

    The power hungry can never have too much, or even "enough" power, BP.

  • sarcasmic||

    The purpose of power is to keep and extend it.

  • ||

    Hey, once you get your fix, you need more junk to get your next fix.

  • Scruffy Nerfherder||

    More laws makes it more likely they can find one to use in a pinch.

    Fascists advocate a state-directed, regulated economy that is dedicated to the nation; the use and primacy of regulated private property and private enterprise contingent upon service to the nation

  • Paul.||

    And they're giving power to faceless bureaucrats, not directly to themselves. If they were power hungry for greed, lust, or other desires, it would at least be understandable.

    It gives them plausible deniability.

  • Jerryskids||

    Oy vey! Mr. Hitler, G-d forbid I should kvetch, but some schlemiel has gone and put the shower-room locks on the outside! I'm thinking a mensch will be along to fix this mishegas. Nu?

  • ||

    It's also OK to use "cyber-" when talking about orphanariums.

  • BakedPenguin||

    "It's not easy being an orphan. Not if I have anything to do with it."

  • ||

    "You know, seeing that strange robot force 12 children to do his bidding makes me think about kids of our own."

  • tarran||

    "Not now, kids; Dad's trying to score with some cheap floozie."

  • tarran||

    "Not now, kids; Dad's trying to score with some cheap floozie."

  • ||

    "You're under arrest for child endangerment, depriving children of food, selling children as food, and misrepresenting the weight of livestock!"

  • AlmightyJB||

    We pass the bill to see what it does. Seems to me this is much worse then what was done in the Bush wietapping situation, but I'm guessing nothing but crickets chirping from the msm and the left. Hell the rights not gonna care either, they'll just be pissed they did'nt think of it first.

  • sarcasmic||

    Olivia Wilde makes my tongue hard.

  • Tim||

    That chick from Iron Man looks better in leather.

  • sarcasmic||

    Gwyneth Paltrow? That's a tough call.

  • Tim||

    No the other one, pouty face.

  • sarcasmic||

    Don't tell my wife, but the only reason I started watching House with her was because of Olivia Wilde. The only reason I keep watching it with her now that Olivia has moved on is because it's the last season.

  • Tim||

    Yeah, I told my wife it's because the crabby Doctor is so dramatically compelling.

  • ||

    The fact that neither of you said "because of Odette Annable" makes me wonder about things.

  • sarcasmic||

    There was the personality factor as well that the prison prude doesn't have.

  • ||

    Personality? On a fucking fictional character? Oh, you are deep in there, sarcasmic.

  • sarcasmic||

    Body language, clothing, things like that.
    Olivia's character dripped "fuck me", while Odette's does not.

  • ||

    HAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

    Keep going, dude. This is priceless.

  • JW||

    Admit it, you want to hump Park.

    Knowing that Wilde was raised a silver-spoon brat in Georgetown by a couple of DC limousine liberals, reduces her attractiveness to me a bit, but only a bit.

    And Annable is way hotter than Wilde.

  • Tim||

    She played a bitch in Beverly Hills Chihuaha 2.

  • sarcasmic||

    She played a bitch in Beverly Hills Chihuaha 2.

    I'll take your word for it.

  • Tim||

    The Taco Bell dog mounts her in an alley.

  • Scruffy Nerfherder||

    (Googles Odette..... Sets TIVO to Hot!)

  • Pip||

    Just Google imaged "Odette Annable"

    Wow!

  • Paul.||

    because the crabby Doctor is so dramatically compelling.

    And unrealistic. Usually, the crabbier the doctor, the higher the level of incompetence. Based on my brief 25 years of working with doctors, House would spend less time practicing medicine and more time trying to build his own network in his office using beta versions of Apple products, then bitching at the I.S. people when it predictably failed.

  • Tim||

    "It's like taking your daughter to go food shopping," she told NBC 4 New York at her Nutley, N.J. home on Tuesday after being released on $25,000 bail. "There's tons of moms that bring their children in."

    http://usnews.msnbc.msn.com/_n.....rment?lite

  • Pip||

    tan =/= burned off face

  • Heroic Mulatto||

    The fuck? That woman tans darker than me!

  • R||

    You know when a character in a movie starts turning into an animal? She look's like she's at stage 1 of the transformation, just as the fur starts growing in.

  • ||

    Mac: (to the tan clerk about the baby) We just wanna put him in there for a couple of minutes.

    Dee: Just to get a base.

    Mac: Just to get a base.

  • TingoZing||

    SOunds like a deal to me dude.

    www.Privacy-Guys.tk

  • Kai||

    Foster Gamble posted a poignant video blog talking about the NSA and its plans in building a new spy center in Utah, and what it means for American citizens. Corroborates well with this push in legislation. Check it out here:

    http://www.thrivemovement.com/.....state.blog

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online

  • Video Game Nation: How gaming is making America freer – and more fun.
  • Matt Welch: How the left turned against free speech.
  • Nothing Left to Cut? Congress can’t live within their means.
  • And much more.

SUBSCRIBE

advertisement