The United States Cyber Intelligence Sharing and Protection Act (CISPA) has passed in the US House of Representatives despite vocal online opposition, and the surprising threat of veto from the White House. H.R. 3523 drew criticism because it is purported to be a threat to privacy as it encourages Internet services to share user information with government agencies (full final text here).
While online groups were very vocal against CISPA, they failed to reach the same level of opposition as they did with SOPA and PIPA. It is possible that privacy is just not as sexy a subject as copyright infringement. It is possible that CISPA’s proponents were much more aware of the way in which the Internet defeated the previous two bills, and how it is on the verge of giving ACTA the killing blow. But perhaps the reason why the bill passed is because nowadays users assume that they have no online privacy anyway. It does feel like Big Brother is constantly watching us, so what damage could one more piece of legislation do?
In previous articles related to US legislative efforts, we have commented that laws passed in the United States have a lot of relevance for the rest of the world because of that country’s importance in the Web’s architecture. This assessment is also proved historically; consider the DMCA’s notice and take-down regime, which has become a de facto international standard, but there is also the fact that it has had considerable extra-territorial effects knocking down content in countries where the law was not supposed to have effect.
So, is CISPA a threat abroad as well? Does the pontiff subscribe to the Roman Catholic theology? Do members of the ursine species perform bodily functions in heavily-wooded areas?
From the start the Bill was advertised with an unhealthy dose of jingoism, its proponents sold it as a way to defend against foreign cyber-threats. While not mentioned specifically, the Act talks mostly about US intelligence agencies sharing information with private parties (with adequate security clearance) and viceversa. Checks and balances are supposedly placed on the use of that information and how it is to be stored and handled by the US government. The heavy implication here is that these threats come from abroad, or that is how the proponents sold it to the tech industry and to the media. The reality is that the final ACT is horrendously vague, and seems to create a private intelligence apparatus. My greatest concern about CISPA is that it will create surveillance sub-departments in technology companies, just like there are DMCA compliance offices everywhere.
CISPA becomes truly worrying in Sec. 1104.(b)(1), which cites the private entities that will be subject to the law. These are “cybersecurity providers” and “self-protected entities”. The definitions for these are too vague, to say the least. A cybersecurity provider is “a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.” In other words, this covers anyone who manufactures anything which can be used to secure information online, including certificate authorities and other similar security intermediaries. The clear threat here is that these intermediaries will have to snoop on their users and report back to the US federal government. Interestingly, I think that the definition clearly covers VPN and proxy providers! Similarly, a self-protected entity is “an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.” In other words, any company with antivirus software and a firewall is subject to the law. Nice piece of legislative jiggery. So, what are the responsibilities of these service providers? The Act states:
“(1) IN GENERAL-
`(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes–
`(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
`(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.
`(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes–
`(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
`(ii) share such cyber threat information with any other entity, including the Federal Government.”
This is truly terrifying. The vagueness in the definition of terms seems to be on purpose to cover all internet intermediaries, from the big to the small. Another worrying aspect is that CISPA spends more time reassuring businesses that all proprietary information is to be maintained as such, and that the data shared will not be used by another private entity to gain a competitive commercial advantage, than it does ensuring user privacy. Furthermore, CISPA creates a blanket exemption from liability for privacy breaches sanctioned by the Act. It reads:
“`(4) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith–
`(A) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or
`(B) for decisions made based on cyber threat information identified, obtained, or shared under this section.”
For the above, read “If you spy for us, we won’t sue you”.
If you think that CISPA won’t affect us in the rest of the world, you better think again. As stated above, the US has such a prominent central role in the Web’s architecture that chances are you are already covered by the legislation. Think of the purposeful vagueness in the cited sections. The obvious implication is that if you use an American certificate authority, you will be subject to the law. Similarly, if you use a US-based or US-hosted antivirus, firewall, VPN, or proxy service , you should consider all of your traffic insecure. In my opinion, CISPA is clearly intended to bring into the fold the anonymising industry based in the US. But what worries me is that the law, as drafted, includes every other service provider, from search engines to social networks, from World of Warcraft to Instagram. If the law passes through the entire legislative process, we are all subject to it.
The solution is simple. The rest of the world needs to continue moving away from the incredible push towards the application of US supra-national jurisdiction that we have experienced in the last few years. Just vote with our feet and start using services that are not subject to such controls. That is, at least, until our governments buckle under the pressure and adopt similar compliance legislation and treaties.
But every cloud has a silver lining… at least your fire gun sales records are exempt from scrutiny!