Risk
4/17/2012
10:23 AM
Connect Directly
RSS
E-Mail
50%
50%

CISPA Bill: 5 Main Privacy Worries

Privacy rights groups have launched a week of protests against the House bill, warning that CISPA will weaken current wiretapping and electronic communication laws.

Does the Cyber Intelligence Sharing and Protection Act (CISPA) threaten people's privacy in unacceptable ways?

That's one criticism being leveled at CISPA, the House cybersecurity bill introduced by Rep. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) in November, 2011. Many privacy watchers, notably, have said that the 11-page bill, which focuses on government monitoring, suffers a similar problem to the Stop Online Piracy Act (SOPA), which was defeated earlier this year after a wave of mass protests. Namely, the language of CISPA is so broad, that while it attempts to tackle a real issue--in this case, government monitoring--it may spur unintended and detrimental side effects.

As a result, numerous civil rights groups--including the American Civil Liberties Union, the Center for Democracy & Technology (CDT), the Electronic Frontier Foundation (EFF), and Reporters Without Borders--announced Monday that they were launching a "Stop Cyber Spying" week of protests against CISPA, before a scheduled House of Representatives vote on the bill next week.

What are the privacy-related worries with CISPA? Civil liberties groups have detailed 5 main concerns:

1. Widespread Employee Monitoring. The CISPA bill states that any business can "use cybersecurity systems to identify and obtain cyber threat information to protect [its] rights and property"--which privacy watchers said will include email or Facebook message contents--while having immunity from prosecution or lawsuits under any other law. According to the EFF, that provision would subvert privacy protections offered by existing wiretapping laws and electronic privacy communications laws, allowing companies to "bypass all existing laws, as long as they claim a vague 'cybersecurity' purpose," without threat of reprisal.

[ What can enterprises learn from a recent security fight against Anonymous? See Anonymous Vs. DNS System: Lessons For Enterprise IT. ]

2. No Information-Sharing Restrictions. Another criticism of CISPA is that, as worded, it doesn't restrict the reasons for which information may be gathered. "It lacks meaningful use restrictions--it should be made clear that information shared for cybersecurity should be used for cybersecurity purposes, not unrelated national security purposes or criminal investigations," said CDT senior counsel Greg Nojeim in a statement.

3. Information May Be Shared With NSA. Under CISPA, companies could voluntarily share any communications they like with the Department of Homeland Security (DHS). "After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever as long is the communications have what the companies interpret to be 'cyber threat information' in them," said the EFF. DHS would also then be free to share the information with other government agencies, including the National Security Agency, over which there's little oversight, according to civil rights groups.

4. Bill May Encourage Broad Surveillance. As with SOPA and PIPA, many privacy watchers aren't lobbying for no legislation. Rather, privacy groups say that they want more carefully constructed bills, which take into account existing civil liberties, and which monitor government access to people's personal communications. "We need cybersecurity legislation, not surveillance legislation," said CDT President Leslie Harris, in a statement criticizing CISPA.

5. CISPA Alternatives Do Exist. Better alternatives to CISPA may already exist, according to privacy groups. For example, the CDT is backing a different cybersecurity bill, known as the PRECISE Act, which was written by Rep. Dan Lungren (R-Calif.). According to the CDT, that bill "has information-sharing language that offers a better alternative to CISPA, balancing cybersecurity, industry, and civil liberties concerns." Might CISPA succeed where SOPA and PIPA failed? Last week, members of the hacktivist group Anonymous launched a series of distributed denial-of-service (DDoS) attacks against Boeing, as well as the trade associations TechAmerica and USTelecom, all of which have publicly backed CISPA.

In other words, before CISPA might pass into law, you can expect to see the fight to scuttle CISPA intensify.

At a time when cybercrime has never been more prolific and sophisticated, budgets are being cut. In response, IT is taking a hard look using third-party services--outsourcing--to meet security challenges. Our Making The Security Outsourcing Decision report outlines the various security outsourcing options available. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/20/2012 | 2:37:52 AM
re: CISPA Bill: 5 Main Privacy Worries
On point 1 - every organization that I've been involved with has made it very clear that any information accessed or input on their systems is their property. Data that travels across their circuits (which were procured under the guise of empowering employees to do work) also becomes their property - whether they choose to examine it or not. Having built a sniffer system in the past for a previous employer, it is not only possible for them to examine that data, but also look at it in near real time. When you are using an employer's computing facilities to do personal tasks (e-mail, Facebook, eBay, etc.) you may be in violation of the terms of usage agreement that you may have signed prior to being granted access on the network. Point blank - don't use company resources for personal tasks.

On point 2 - who makes the determination as to what information should be passed along as being threat-related and who redacts that information to protect the civil liberties of the users? Then, who watches these watchers? Could turn into a downward logical spiral.

On point 3 - this really isn't a new item. Anyone, anywhere, at any time, can share any information they want with the National Security Agency. It's when the NSA or any of the other alphabet-soup organizations come looking for your information that the "rules of engagement" change.

On point 4 - it sounds to me like we either need to a) elect officials who actually know the difference between cybersecurity threats and fried green tomatoes or b) have the lobbyist groups draft the legislation and put it before a group of legislators that still don't know the difference between cybersecurity threats and fried green tomatoes. Passing legislation on things that you know little to nothing about is a recipe for disaster.

On point 5 - see point 4 and look for the fried green tomatoes. Passing legislation on things that you know little to nothing about is a recipe for disaster. I'm quite convinced that no piece of legislation in this arena is going to satisfy all parties and stakeholders. It's generally accepted that something needs to be done, but how it gets done is a point of contention that brings out the best in some people, even Anonymous, apparently.

Andrew Hornback
InformationWeek Contributor
Bprince
50%
50%
Bprince,
User Rank: Ninja
4/18/2012 | 3:56:57 PM
re: CISPA Bill: 5 Main Privacy Worries
@readers - numbers 2 and 3 touch on the issue of information sharing, which some in the critical infrastructure companies and intelligence community say there isn't enough of, while critics here say it could be dangerous. How should the balance be struck here between the need to share information and the need to protect civil liberties?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.