WebProNews

Tag: CISPA

  • Rep. Mike Rogers Is Not Giving Up On CISPA

    Back in April, the House once again passed CISPA – a controversial cybersecurity bill that would allow the government to share information with private companies and vice versa. At the time, opponents said it didn’t have enough privacy safeguards to prevent the NSA from nabbing subscriber data, but recent revelations regarding the agency have already shown such actions to be taking place. Since then, CISPA has been all but forgotten, but one of its biggest proponents isn’t going to let it die.

    House Intelligence Chairman and NSA defender Mike Rogers recently spoke at a panel discussion hosted by the Center for Strategic and International Studies. The topic of CISPA and how it’s faring in light of the recent NSA leaks obviously came up. Instead of painting a picture of doom and gloom for his legislation, Rogers simply said that CISPA is “a little ill.” He’s confident, however, that the bill is “not dead yet.”

    That’s certainly one way to put it, but CISPA is pretty much dead. The Senate, despite Senate Intelligence Chairwoman Dianne Feinstein’s best efforts, has pretty much dropped the legislation, and is instead working on its own cybersecurity legislation. The new bill, being drafted by Senate Commerce, Science and Transportation Committee Chairman Jay Rockefeller, wouldn’t allow the government and companies to share data. Instead, it would set up voluntary standards and best practices that power plants and other critical infrastructure would be encouraged to follow.

    Despite this, Rogers is still confident that Feinstein, his counterpart in the Senate, will succeed in crafting a Senate version of CISPA. He’s also working to rewrite some parts of his own bill to address some of the concerns that privacy proponents have brought forward in light of the NSA leaks.

    Of course, any improvements from Rogers or Feinstein should be taken with a grain of salt as both are staunch defenders of the NSA. Feinstein, in particular, has said she would introduce legislation that would make the NSA more transparent, but would otherwise leave the agency’s many controversial surveillance programs, including its bulk collection of Americans’ cellphone metadata, fully intact.

    In short, the same people who say the NSA has done nothing wrong are moving ahead with legislation that would fully legalize the act of private companies handing over your data to the NSA all in the name of cybersecurity. After all, hackers and terrorists are apparently the most dangerous threat facing this country – not an incompetent Congress.

    [h/t: The Hill]

  • Senate Finally Gets Around To Drafting A Cybersecurity Bill

    Earlier this year, the House proved yet again that it doesn’t care about your privacy by passing CISPA. The controversial cybersecurity bill would let the government and private companies easily share information to counter cyber threats. Now the Senate has finally gotten around to drafting its own legislation, but it’s nothing like CISPA. It’s not like it matters though.

    The Hill reports that the Senate Commerce, Science and Transportation Committee has drafted a bill that would address the nation’s lack of cybersecurity standards.

    So, who would be creating these standards? As it stands, the bill tasks the National Institute of Standards and Technology to create “voluntary cybersecurity standards and best practices for critical infrastructure, such as banks and power plants.”

    The bill doesn’t stop there, however, as it would also help improve research and education relating to cybersecurity. The latter is especially important as many people still aren’t aware of just how much malware is on the Web.

    As you can see, the proposed bill contains nothing about information sharing. That doesn’t mean the Senate doesn’t want to pass its own version of CISPA though. Sen. Jay Rockefeller, who just so happens to be the chairman of the Committee for Commerce, Science and Transportation, says he would support legislation that enabled information sharing. That won’t come until later down the road, however, and the Senate bill will probably once again look different from the House’s CISPA.

    It should be noted that bills like CISPA and CSA are actually kind of pointless. We now know that the NSA is collecting information on foreign threats and Americans alike through programs like PRISM. Leaked documents have also shown that the data collected by the agency can be used for cybersecurity purposes. Kind of makes the White House’s response to CISPA seem a little disingenuous in light of recent statements from the administration.

    But I digress, cybersecurity standards are incredibly important, and it’s encouraging to see the Senate only make them voluntary. It’s not like I don’t have faith in the National Institute of Standards and Technology, but mandatory standards are rarely a good thing when it comes to technology. The ever-changing nature of it requires people that actually know what they’re doing to apply new standards as new threats emerge.

  • Google Has Some Thoughts On What You Can Do To Help Stop Bills Like SOPA

    One of the most valuable allies in the fight against SOPA last year was Google. The search giant gave millions of Internet users the tools necessary to contact their representatives to voice their opposition to the bill. Now Google is back giving tips on how developers and users can influence tech policy.

    During Google I/O 2013, Derek Slater, Jen Pahlka and others hosted a session titled “Beyond SOPA: What You Can Do To Influence Tech Policy”:

    From SOPA/PIPA and CISPA, to immigration and patent reform, government is taking a renewed interest in the Internet and the businesses we’re building on it — in some cases, there is even a new focus on the use of technology which can solve government problems.

    As a result, government is looking for input from our community of entrepreneurs and developers about what our needs are as a community, and how they can build better public policy in our interest.

    So, what are the most efficient, easy ways for you to get involved? Join us for a panel of some leaders in the Internet advocacy space to learn how you, as a developer, can get more involved in creating better policies that can affect your business.

  • For What It’s Worth, The House Thinks The Government Shouldn’t Control The Internet

    Does the government want to regulate the Internet? It really depends on who you ask. Internet freedom fighters say legislation like SOPA and CISPA are thinly veiled attempts to regulate the Internet. The government, however, claims that it’s strictly taking a hands-off approach.

    The House reaffirmed its hands-off approach in legislation it passed yesterday evening. The bill, H.R. 1580, is titled “To affirm the policy of the United States regarding Internet governance.” If you couldn’t tell from the title, it’s simply a resolution saying that the United States will continue supporting the multi-stakeholder approach in regards to Internet development.

    It’s encouraging then that the bill was passed unanimously. Of course, no congressman would be caught dead voting against the bill as it would suggest that they were in favor of some rather unpopular suggestions made during a U.N. meeting on Internet governance late last year.

    The bill’s sponsor, Greg Walden, praised the multi-stakeholder approach to the Internet on the House floor last night, and confirmed that the bill is meant to send a message to other governments:

    “Government’s hands-off approach has enabled the Internet’s rapid growth and made it a powerful engine of social and economic freedom. This bipartisan bill is designed to combat recent efforts by some in the international community to regulate the Internet, which can jeopardize not only its vibrancy, but also the benefits that it brings to the entire world.”

    Now, this is a good thing. It’s nice to see that at least the House is all for an Internet free from government control, but it’s unfortunate that the House sees a difference between control and intervention. SOPA, PIPA and CISPA wouldn’t hand over control of the Internet to the government, but they would give the government untold powers to intervene.

    It’s much the same argument that countries like Saudi Arabia and China made during the ITU conference last year. They weren’t arguing that the Internet be placed entirely under their control. Instead, they argued that they should be given power over their corner of the Internet to intervene when things got out of control. Granted, CISPA and SOPA were never advocating something like the Great Firewall of China, but they could spiral into something similar if allowed to take effect.

    In short, the Internet is a precious resource that has flourished thanks to the current multi-stakeholder model. It’s encouraging to see the U.S. government continue to recognize this, but it’s high time the U.S. government also recognizes that its attempts to regulate the Internet would violate the very legislation the House passed last night.

    [h/t: The Hill]

  • White House Finally Responds To CISPA Petition, Says Cybersecurity Legislation Must Respect Privacy

    CISPA is all but dead once again, and the Senate is moving ahead with its own cybersecurity legislation. That doesn’t mean the fight is over though. In fact, the Senate might just propose a bill that’s worse, but the White House says that it won’t let that happen.

    In an official response to the “Stop CISPA” petition on the We The People Web site, the White House says that any new cybersecurity legislation “must not violate Americans’ right to privacy.” The administration says that’s the reason why it issued a veto threat against CISPA earlier this month. That veto threat may have led to CISPA’s death, but the White House says it’s still open to working with everybody to pass cybersecurity legislation.

    To that end, the White House says that cybersecurity legislation is a must to counter the “constant threat of cyber crime, espionage, and attacks.” The administration, unlike the House, does admit there are already tools in place, however, to facilitate cooperation between the government and private companies to share threat information. It just feels that the current tools in place aren’t enough:

    But you might ask, “Isn’t this collaboration already happening?” The simple answer is yes, but inefficiently. When it comes to information sharing, we need clearer rules to promote collaboration and protect privacy. Right now, each company has to work out an individual arrangement with the government and other companies on what information to share about cyberthreats. This ambiguity can lead to harmful delays.

    There is broad consensus on the need for more threat-related information sharing — including among the leading privacy advocates we regularly engage on the issue. The essential question on which people across the spectrum disagree isn’t if we can share cybersecurity information and preserve the principles of privacy and liberty that make the United States a free and open society — but how.

    The White House has admirable goals, but we’ve heard all of this before from the House. We were promised that CISPA would respect privacy and civil liberties, but that obviously wasn’t the case in the end.

    To alleviate the concerns of citizens, the White House says that it will only support cybersecurity legislation that adheres to these three principles:

    It’s important that any information shared under a new cybersecurity law must be limited to what’s relevant and necessary for cybersecurity purposes. That also means minimizing information that can be used to identify specific individuals. For example, if a utility company is looking for government assistance to respond to a cyber attack, it is unlikely that it needs to share the personal information of its customers, like contact information or energy-use history, with the government.

    Cybersecurity legislation needs to preserve the traditional roles for civilian and intelligence agencies that we all understand. Specifically, if legislation authorizes new information sharing between the private sector and the government, then that new information should enter the government through a civilian department rather than an intelligence agency. That doesn’t mean breaking the existing mechanisms that already work. For example, victims of cyber crime ought to continue to report those violations to federal law enforcement agencies and public-private information-sharing relationships that already exist should be preserved.

    Any new legislation ought to provide legal clarity for companies that follow the rules and appropriately share data with the government. But it should not provide broad immunity for businesses and organizations that act in ways likely to cause damage to third parties or result in the unwarranted disclosure of personal information.

    In short, the above takes care of pretty much every complaint privacy advocates had with the original CISPA. The White House says it will continue to apply the above principles in its on-going discussions with those in the Senate currently crafting cybersecurity legislation.

    CISPA may be dead, but the issue of cybersecurity is far from over. We’ll continue to follow the Senate’s efforts as it works on its own cybersecurity legislation.

  • CISPA Add-On Banning Employers from Seeking Facebook Passwords Killed

    As you probably know, on Thursday the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act, better known as CISPA. The bill, which aims to help the government react to cybersecurity threats by making it easier to share information between itself and private companies, saw bipartisan support. Opponents of CISPA have argued that the bill is a massive invasion of privacy, and will be used to justify wholesale spying on the American public by making companies who give up private user info immune from suits or prosecution.

    Although CISPA as a whole saw bipartisan support, one last-minute amendment that looked to curtail a worrisome practice by employers was shot down on party lines.

    Colorado Democrat Ed Perlmutter attempted to tack on a provision to CISPA that would make it illegal for employers to require prospective employees to hand over their social media passwords as a condition of acquiring or keeping a job.

    Has an employer ever demanded one of your social media passwords as a condition of being hired or keeping your job? What was your reaction? Let us know in the comments.

    The proposal was voted down 224-189, with Republicans in the majority.

    “People have an expectation of privacy when using social media like Facebook and Twitter. They have an expectation that their right to free speech and religion will be respected when they use social media outlets. No American should have to provide their confidential personal passwords as a condition of employment. Both users of social media and those who correspond share the expectation of privacy in their personal communications. Employers essentially can act as imposters and assume the identity of an employee and continually access, monitor and even manipulate an employee’s personal social activities and opinions. That’s simply a step too far,” said Perlmutter.

    This isn’t the first time that Perlmutter has introduced this sort of legislation. Last year, the same employee password protection language was rejected in the House.

    Last year, the practice of employers demanding the Facebook passwords of prospective employees became a hot topic. Both state legislatures and the U.S. Congress introduced measures to counteract the rising trend. One particular bill, the Password Protection Act of 2012, was introduced in both the House and the Senate, but went nowhere.

    That bill was introduced by Democratic Senator Richard Blumenthal. Before the bill was presented, back in May of 2012, he, along with Senator Chuck Schumer (D-NY) sent a letter to both the Department of Justice and the U.S. Equal Employment Opportunity Commission asking them to “launch a federal investigation into a disturbing new trend.”

    Soon after that letter was sent, a motion called “Mind Your Own Business on Passwords” failed in Congress. It would have made the employee password issue one monitored by the Federal Communication Commission. They would have had the right to declare the practice illegal.

    So, the Password Protection Act of 2012 moved forward. The language made it a crime that any employer “for the purposes of employing, promoting, or terminating employment, compels or coerces any person to authorize access, such as by providing a password or similar information through which a computer may be accessed.”

    But it died, and has been referred back to committee.

    The Password Protection Act of 2012 isn’t the only federal bill proposed to deal with the issue. Say hello to SNOPA, or the Social Networking Online Protection Act. It aims to do what the PPA tried to do, but with even clearer language:

    To prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website.

    It’s been introduced, and referred to committee. No movement yet.

    On the flip side, some states have had success in passing bans on the practice. First, the state of Maryland enacted a law banning password snooping. And this year, laws in both California and Illinois went into effect.

    “It’s not déjà vu — this is the same amendment I introduced twice last year, so people have had plenty of time to study and discuss it. It has bipartisan support. It wouldn’t kill the underlying cyber-security bill; it wouldn’t send it back to committee. It merely safeguards an individual’s personal privacy as they use their own personal social media accounts,” said Perlmutter of his CISPA add-on.

    It’s important to note that Perlmutter did in fact vote yes on CISPA.

    But despite those claims, the provision was crushed. If the past year is any indication, password protection legislation must be tackled at the state level, as it’s the only place that it’s been able to see any sort of success.

    Do you think that we need a federal law banning the practice of password snooping by employers? Do you think that it’s better left to the states? Or, do you see no reason for any such legislation on any level? Let us know in the comments.

  • CISPA Is Kind Of Dead, But Not Really

    Last week, a cry rang out from privacy advocates everywhere as the House overwhelmingly passed CISPA. Those same advocates soon gathered up their forces for a fight in the Senate, but it looks like the Senate got to killing CISPA before they could.

    US News reports that the Senate has decided not to take up CISPA. In short, CISPA is dead. The bill that would have given companies full legal immunity when sharing your personal information with the government will have its remains scattered on the winds of history yet again.

    It seems that CISPA’s death can be largely attributed to two factors. For one, Sen. Jay Rockefeller, chairman of the Committee on Commerce, Science and Transportation, came out against CISPA saying it lacked privacy protections. Rockefeller holds considerable sway in the Senate, and his committee would have had a lot of say over CISPA. Secondly, President Obama’s veto threat most likely played a major role in the Senate’s rejection of CISPA.

    We can relax now that CISPA is dead, right? Unfortunately, the answer is a little unclear at this point. An unnamed representative on Rockefeller’s committee says that “issues and key provisions” of CISPA will be divvied up and made into separate bills. In other words, CISPA will be broken up into smaller, separate bills in the Senate. The problem with this approach is that some of the less vile, but still damaging, provisions of CISPA can make it through as they won’t be attached to the really bad stuff.

    Of course, there’s always the possibility that the Senate will craft a handful of bills that narrowly target the areas not covered by President Obama’s cybersecurity executive order without sacrificing civil liberties. It would certainly be nice, but the Senate’s past attempts at writing cybersecurity legislation certainly don’t inspire confidence.

    Either way, we won’t be seeing any cybersecurity legislation out of the Senate for a while. The unnamed representative says the Senate currently has its hands full with a number of other bills that take priority over cybersecurity, including the controversial Marketplace Fairness Act.

  • Senate To Take Up Email Privacy Bill Today

    UPDATE: And it passed.

    Last week, Sen. Patrick Leahy said that the Senate Judiciary Committee would be marking up an update to the Electronic Communications Privacy Act. The decades old bill allows law enforcement to obtain emails without a warrant as long as said email is 180 days old.

    The Hill reports that both the Senate and the House will be taking up their respective email privacy bills today. The Senate Judiciary Committee will be taking a look at Leahy’s bill – S. 607 – that simply requires the police to obtain a warrant when accessing any electronic communication, including email.

    In the original announcement of the mark up, Leahy said that ECPA must be updated to counter concerns over the “growing and unwelcome intrusions into our private lives in cyberspace.” Those concerns certainly came to a head earlier this month when documents obtained by the ACLU revealed that the IRS told its agents that they could obtain emails without a warrant. The agency also said that “Internet users do not have a reasonable expectation of privacy.”

    Since then, IRS Commissioner Steven Miller said that his agency always obtains a warrant before searching emails. Miller also said that his agency never snoops through email during civil investigations. It wasn’t exactly reassuring, but an updated ECPA would ensure that the IRS, or any government agency for that matter, would never be able to obtain emails without a warrant.

    It should be noted that the House will be making a mockery of itself this week by discussing an update to the ECPA after passing CISPA. The House Judiciary Committee will be discussing whether or not the ECPA should be updated to require that law enforcement obtain a warrant before accessing geolocation data. The irony here is that CISPA, in its current form, would allow mobile carriers to share geolocation data with the government without a warrant. Even if the carrier was found in violation of an updated ECPA, it would enjoy full legal immunity under CISPA.

    Even so, we’ll continue to follow both discussions and keep you up to date on any changes. The Senate seems to have made an updated ECPA a priority so we may see a final vote as early as next week. That is, of course, if the Senate doesn’t run into any problems with its current controversial bill – the Marketplace Fairness Act.

  • Technology Subreddit Goes Dark In Protest Of CISPA

    Last year, all of Reddit went dark in protest of SOPA. It doesn’t look like the site will be doing it again for CISPA, but one of its more popular subreddits will.

    The popular technology subreddit, which has almost 3 million readers, has gone dark today in protest of CISPA. It’s not like the subreddit has become unavailable, but rather the entire page, except for the ad, is now encased in a darkness that makes reading the links rather uncomfortable on the eyes.

    The link at the top of the subreddit redirects users to a post on the Stand subreddit with information on what CISPA means for everyday Internet users. It also contains links to helpful tools that allow users to encrypt not just their Internet connections, but everything on their computer.

    Out of all the other tech-related subreddits, it seems that /r/technology is the only one to have gone dark today. There are probably some other smaller subreddits that have also gone dark, but few have the amount of subscribers that /r/technology enjoys. Unfortunately, those who frequent /r/technology are probably already well aware of CISPA. It would have been far more effective for Reddit’s front page to go dark while providing a link to Reddit co-founder Alexis Ohanian’s video calling for action against CISPA.

    Still, it’s nice to see at least one mainstream site go dark today in protest of CISPA. Anonymous called for an Internet blackout, but only managed to sign up a little over 400 Web sites. The Web sites that had signed up were not very well known either, thus limiting the spread of the message.

    UPDATE: Since publishing this story, a number of other popular subreddits have also gone dark in protest of CISPA. Most of the subreddits, including /r/pics, /r/funny, /r/politics, and /r/askreddit include the same link to the post on /r/stand at the top.

    One popular subreddit has done something different though. The much loved (or much hated) /r/atheism has a banner protesting CISPA.

  • Anonymous Organizes CISPA Blackout, Not Many Web Sites Show Up

    The SOPA blackout protest was something else. Google, Wikipedia, Reddit and other major online players blacked out part or all of their Web sites in opposition to a proposed bill that would have given the U.S. government unchecked power to regulate the Internet as it saw fit.

    Likewise, CISPA gives the government and corporations the ability to share your private information without a warrant and without much oversight. The bill has been met with some resistance, but not enough. The House passed it with relative ease, and now the fight will go to the Senate. Now everybody’s favorite (or most hated) hacktivist group wants to send the Senate a message with a blackout of its own.

    Last week, Anonymous announced that it was organizing a CISPA blackout similar to the SOPA blackout of early 2012. Anonymous had hoped to coerce a number of Web sites into going dark today, but it only managed to get a little over 400 volunteers.

    Getting over 400 Web sites to go dark for a day is no small feat, but it just doesn’t compare to the thousands that went dark in protest of SOPA.

    Of course, a CISPA blackout could be effectual if Web sites frequently visited by millions of Internet users went dark. Unfortunately, the heavy hitters behind the SOPA blackout (i.e. Google, Reddit, Wikipedia) are refusing to go dark today in protest of CISPA. There are probably a number of reasons for this, but we can only guess at a few of them.

    For starters, CISPA isn’t an immediate threat to companies. SOPA would burden Web sites with the responsibility of policing their own content. CISPA encourages companies to share private customer data with the government while granting them complete immunity from legal recourse. CISPA may not present any immediate threat to Internet companies, but Rep. Jared Polis argued last week that it would cause some pretty serious damage all the same:

    “[CISPA] directly hurts the confidence of Internet users. Internet users – if this were to become law – would be much more hesitant to provide their personal information – even if assured under the terms of use that it will be kept personal because the company would be completely indemnified if they ‘voluntarily’ gave it to the United States government.”

    The other thing standing in the way of an organized CISPA blackout is the organizers themselves. Even among anti-CISPA Web sites like Mozilla, Reddit and others, Anonymous isn’t exactly well-liked. The group’s intentions may be pure this time around, but there’s an argument to be made that CISPA was crafted in response to attacks from Anonymous and other hacking groups.

    Anonymous’ planned blackout isn’t a failure, but it isn’t much of a success either. That being said, it at least shows that large groups of people are in opposition to CISPA. It might not be opposed by the teenagers who use Wikipedia to write term papers, but those in the tech community are rightly concerned about the overly broad legislation. It’s unfortunate then that Congress seems to think that 14-year-olds living in their basements are the only ones opposed to CISPA.

    [h/t: RT]

  • House Passes CISPA, Controversial Cybersecurity Bill Moves To Senate

    During a vote in the House today, a majority of representatives voted in favor of passing CISPA for the second year in a row. Now the bill heads to the Senate where it will either live or die. Free Internet advocates and privacy proponents would much prefer the latter.

    To recap, CISPA is a proposed bill that aims to boost the government’s ability to respond to cyber threats and cyber attacks by sharing private customer information between itself and companies. Its opponents claim the bill is a massive invasion of privacy that serves no use in combatting cyberattacks, but rather will be used to spy on American citizens by granting immunity to those companies that share information.

    With CISPA’s passage in the House, the EFF vows to take its fight to the Senate:

    “This bill undermines the privacy of millions of Internet users,” said Rainey Reitman, EFF Activism Director. “Hundreds of thousands of Internet users opposed this bill, joining the White House and Internet security experts in voicing concerns about the civil liberties ramifications of CISPA. We’re committed to taking this fight to the Senate and fighting to ensure no law which would be so detrimental to online privacy is passed on our watch.”

    If history repeats itself, the EFF won’t have much of a fight in the Senate. CISPA died in the Senate last year as its members argued over its own law – the Cybersecurity Act of 2012. It was a marked improvement over CISPA, but it did have its own issues. The bill died after it failed a Senate floor vote and CISPA was never taken up.

    For this year, the Senate will be debating the Cybersecurity and American Cyber Competitiveness Act of 2013. Like CSA, it’s a bit better than CISPA, but its lack of bipartisan sponsorship doesn’t bode well. It also doesn’t help that the bill still hasn’t even been picked up by its respective committee yet.

    So, what happens if CISPA somehow makes its way through the Senate? It has to get signed into law by the president, and his administration just recently threatened to veto CISPA if it makes it to his desk. The administration suggested a number of common sense additions to CISPA that would make it far more pro-privacy, but the House ignored those suggestions. Now it’s up to the Senate to decide if it will actually listen to the thousands of people who are against CISPA.

  • CISPA Amendment Stripped Of Its Pro-Privacy Provision

    We reported yesterday that CISPA was finally shaping up. Rep. Mike McCaul introduced an amendment late into the game that would have forced companies to share customers’ private information only with the Department of Homeland Security. It sounded too good to be true. Unfortunately, it was.

    The Hill reports that the amendment we saw yesterday is entirely different from the amendment that actually wound up in the bill. The amendment has been stripped of its requirement that companies only share information with the DHS. With that requirement gone, the amendment is worthless. Its only purpose now is to make it seem like CISPA actually respects your privacy.

    Needless to say, pro-privacy groups are not happy. The EFF wrote a scathing review of the amendment last night:

    The amendment in question does not strike or amend the part of CISPA that actually deals with data flowing from companies to other entities, including the federal government. The bill still says that: “Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes…share such cyber threat information with any other entity, including the Federal Government.” The liability immunity provisions also remain.

    While this amendment does change a few things about how that information is treated within the government, it does not amend the primary sharing section of the bill and thus would not prevent companies from sharing data directly with military intelligence agencies like the National Security Agency if they so choose.

    The amendment looks bad, and it will probably remain that way. That being said, there might be some changes made to it and the overall bill today before it heads to the floor for a final vote. A House aide reportedly said that the sponsors of this latest amendment are in discussions to fix the language in it. If that was the case, why did they change the original text of the amendment that actually did some good? Are they just going to change the amendment back to what it was?

    At this point, it’s hard to believe that we’ll actually see any positive changes in CISPA. After all, the bill’s sponsors believe that only 14-year-olds hate CISPA.

  • House Approves Pro-Privacy CISPA Amendment

    UPDATE: The amendment no longer contains pro-privacy language. The language requiring companies to share information only with the DHS was removed before being added to the bill. More on that here.

    Original story continues below:

    It seemed that CISPA couldn’t get any worse, but its sponsors proved that it could during a rules hearing yesterday. All of the pro-privacy amendments being proposed were unceremoniously blocked without much of a debate. Now the bill’s sponsors have backtracked by finally supporting a good amendment.

    The Hill reports that Rep. Mike McCaul offered up an amendment to CISPA today that has the full backing of CISPA sponsors Reps. Mike Rogers and Dutch Ruppersberger. The amendment would ensure that all cyberthreat information being submitted to the government would first go through an entity created by the Departments of Justice and Homeland Security, both of which are civilian agencies. The amendment was approved in a 227-192 vote.

    In the words of Ruppersberger, “This is a huge concession.” Why? The original text of CISPA allowed companies to share cyberthreat information with any governmental agency, including military agencies like the NSA. Privacy advocates demanded that all identifiable information go through a civilian agency first to reduce the chance of abuse.

    So, why did Rogers and Ruppersberger back this amendment when they were adamant about not backing any pro-privacy amendments yesterday? It seems that the veto threat from the White House spooked them into backing more pro-privacy amendments in a bid to get Obama’s signature.

    “Rogers and I are just trying to deal with the issue of the White House concerns, realizing that if we pass a bill here and it doesn’t pass the Senate and the president doesn’t sign it, we have no bill,” Ruppersberger said. “This threat is so severe, the cyber threat, that we have to do something.”

    The amendment is a great first step, but it doesn’t address all the issues that the White House and privacy advocates have with the bill. CISPA in its current state, even with this new amendment, does not address the issue of private information being removed only after it’s already in the government’s hands. The bill also doesn’t remove the provision that grants total immunity to companies that break the law when handing your information over to the government.

    CISPA is on track for a full vote on the House floor tomorrow. We’ll be sure to bring you the final vote at that time.

  • Rep. Mike Rogers Blocks Pro-Privacy Amendments From Being Added To CISPA

    The House will vote on CISPA this week. This vote will decide whether or not the House majority thinks companies should be able to share your private online information with the government while enjoying total legal immunity. The second debate of the bill shows that the bill’s proponents don’t care about your privacy at all.

    The EFF reports that CISPA went up for debate before the rules committee. During the hearing, congressmen were able to question the bill’s author, Rep. Mike Rogers, on the more troubling parts of the bill. The entire report is a little depressing as Rogers argued that CISPA has enough privacy protections already, and that the bill’s opponents are 14-year-olds living in their basement.

    Those who questioned CISPA at the hearing had the same concerns that the White House expressed in its veto threat. The two main concerns were that not enough was being done to protect private information before it’s sent to the government, and that the bill doesn’t require the information to go through a civilian agency first. Two valid concerns, and concerns that Rogers says are moot points.

    In response to the first concern, Rogers says that identifiable information can’t be sent to the government because it’s all “zeroes and ones.” He seems to be under the impression that the government will be so busy scanning binary for cyberthreats that it will never collect any personally identifiable information from the content being shared with it. Rogers’ view displays a level of ignorance that shouldn’t be tolerated in Congress.

    The second concern was framed in the context of how it would hurt the Web economy. Rep. Jared Polis said that allowing companies to share your private information with the government, including military agencies, would decrease the users’ trust in the Internet. He argues that online services would see a decrease in business thanks to decreased trust in their services:

    This directly hurts the confidence of Internet users. Internet users – if this were to become law – would be much more hesitant to provide their personal information – even if assured under the terms of use that it will be kept personal because the company would be completely indemnified if they ‘voluntarily’ gave it to the United States government.

    It appears that Rogers didn’t even provide a proper response to this concern. He just said that it wouldn’t be a problem and moved on.

    Rogers’ response is why CISPA is so dangerous to begin with. Every concern that’s brought up is met with a simple response of “It won’t be a problem.” Such a response does nothing to dissuade fears. In fact, it makes us fear CISPA more if its author can’t even mount a proper response to its critics. In any other debate, arguing that a problem isn’t a problem without the proper evidence to back it up would be laughed off the stage. It’s apparently not only welcome, but encouraged, in the House though.

    After providing non-responses to the concerns brought forward by other representatives, Rogers also blocked a number of pro-privacy amendments from making it into the final CISPA that will go before the House for a floor vote. One such amendment, from Rep. Adam Schiff, would have automated the removal of identifiable information from data before it was shared with the government. In the current CISPA, the bill leaves it up to the government to remove any identifiable information after it’s already in their hands.

    We’re likely to see a vote on CISPA today or tomorrow. The vote isn’t likely to last long, and Rogers will most likely attempt to just ram it through without any more debate. We’ll let you know how the vote went, but don’t expect good news.

  • White House Threatens To Veto CISPA, Recommends Fixes To Bill’s Language

    Last week, the White House said that CISPA still had some problems that weren’t addressed by the amendments added during its markup period. Unfortunately, the administration didn’t issue a veto threat at that time, but now it has.

    In a statement released by the White House today, the Obama administration laid out its beef with CISPA. The first issue it has with the legislation is that it still doesn’t do enough to protect private information:

    The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately. The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information.

    Now this is huge. The administration is saying that companies should not be granted immunity if they use your private information in an inappropriate fashion. Corporate immunity is one of the cornerstones of CISPA and one of the main reasons the tech industry is so in love with it. If the immunity provision is removed, the backing of the tech industry will vanish along with it.

    The other issue is that it doesn’t like how CISPA allows companies to share private information with any agency of their choosing, including the NSA. The White House says that all private information should enter government through a civilian agency:

    The Administration supports the longstanding tradition to treat the Internet and cyberspace as civilian spheres, while recognizing that the Nation’s cybersecurity requires shared responsibility from individual users, private sector network owners and operators, and the appropriate collaboration of civilian, law enforcement, and national security entities in government. H.R. 624 appropriately seeks to make clear that existing public-private relationships – whether voluntary, contractual, or regulatory – should be preserved and uninterrupted by this newly authorized information sharing. However, newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency, the Department of Homeland Security.

    So, what does the White House want to see out of CISPA or any other cybersecurity bill? Pretty much what CISPA is now, but with better privacy protections:

    The Administration believes that carefully updating laws to facilitate cybersecurity information sharing is one of several legislative changes essential to protect individuals’ privacy and improve the Nation’s cybersecurity. While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.

    If Congress can’t agree on a cybersecurity bill that meets the above criteria, the White House says that “senior advisors would recommend that [the president] veto the bill” if it were presented as it is now.

    The threat of a veto might help certain amendments to be added onto CISPA before it goes to the floor for a vote this week, but I wouldn’t hold my breath. The bill’s authors seem pretty adamant on passing CISPA as is, and it will most likely die another ignoble death in the Senate as its members push for their own cybersecurity bill.

    [h/t: TechDirt]

  • Civil Liberty Groups Still Don’t Like CISPA, Issue Open Letter To Congress

    After a closed door markup, CISPA emerged from the House Intelligence Committee with some new amendments. Rep. Mike Rogers, the author of the bill, said the amendments would address concerns from civil liberty groups. Those same groups could not be in more disagreement as they are still saying that CISPA needs to be changed, or just ditched altogether.

    The Electronic Frontier Foundation, alongside 33 other civil liberty groups, including the ACLU and Fight for the Future, has sent an open letter to Congress urging members of the House to reject CISPA during its vote this week.

    Earlier this year, many of our organizations wrote to state our opposition to H.R. 624, the Cyber Intelligence Sharing and Protection Act of 2013 (CISPA). We write today to express our continued opposition to this bill following its markup by the House Permanent Select Committee on Intelligence (HPSCI). Although some amendments were adopted in markup to improve the bill’s privacy safeguards, these amendments were woefully inadequate to cure the civil liberties threats posed by this bill. In particular, we remain gravely concerned that despite the amendments, this bill will allow companies that hold very sensitive and personal information to liberally share it with the government, including with military agencies.

    It’s the idea of sharing information with military agencies that has these groups so concerned. They feel that CISPA would be much more effective if any information sharing was narrowly defined as between companies and civilian agencies:

    CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity. Although a carefully-crafted information sharing program that strictly limits the information to be shared and includes robust privacy safeguards could be an effective approach to cybersecurity, CISPA lacks such protections for individual rights. CISPA’s information sharing regime allows the transfer of vast amounts of data, including sensitive information like Internet records or the content of emails to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command.

    Finally, the letter questions the need for CISPA at all after President Obama’s cybersecurity executive order, and other laws already on the books, do what CISPA does minus the massive privacy infringement:

    Developments over the last year make CISPA’s approach even more questionable than before. First, the President recently signed Executive Order 13636, which will increase information sharing from the government to the private sector. Information sharing in this direction is often cited as a substantial justification for CISPA and will proceed without legislation. Second, the cybersecurity legislation the Senate considered last year, S. 3414, included privacy protections for information sharing that are entirely absent from CISPA, and the Obama administration, including the intelligence community, has confirmed that those protections would not inhibit cybersecurity programs. These included provisions to ensure that private companies send cyber threat information only to civilian agencies, and a requirement that companies make “reasonable efforts” to remove personal information that is unrelated to the cyber threat when sharing data with the government. Finally, witnesses at a hearing before the House Permanent Select Committee on Intelligence confirmed earlier this year that companies can strip out personally identifiable information that is not necessary to address cyber threats, and CISPA omits any requirement that reasonable efforts be undertaken to do so.

    These groups represent a pretty formidable opposition, but they have their work cut out for them. TechDirt reported on Monday that IBM will be sending 200 executives to Washington as part of a lobbying effort to see CISPA passed. Why does IBM want to see CISPA passed so badly? The official line is that it wants information sharing between corporations and government to be easier, but the company’s president has also flat out admitted that he wants to be able to send personal information to the NSA because the agency “know[s] the most” about cyber threats.

    IBM and other companies that are pushing for CISPA could have nothing but admirable intentions, but it’s hard to believe that when they’re all pushing for a law that would give them complete immunity when sharing your private information with the government.

    We’ll continue to follow CISPA as it heads to the House floor for a vote later this week. Don’t get your hopes up though – it passed the House with flying colors last year. We can only assume that the House will do so again this year.

  • Senate Judiciary Committee To Debate ECPA Reform This Week

    ECPA, or the Electronic Communications Privacy Act, has long been in need of an update. The Senate tried last year, but ran out of time. Now it’s a priority and it will hopefully get the time it deserves this week.

    The Hill reports that the Senate Judiciary Committee plans to mark-up Sen. Patrick Leahy’s ECPA amendment on Thursday morning. S.607 would require law enforcement to obtain a warrant when requesting emails as part of an investigation. The current law under ECPA requires a warrant only if the email is less than 180 days old. An older email, or one that’s already been opened, only requires a subpoena under current law.

    Sen. Leahy issued the following statement today in regards to the mark-up:

    “Like many Americans, I am concerned about the growing and unwelcome intrusions into our private lives in cyberspace. I have long believed that our government should obtain a search warrant — issued by a court — before gaining access to our email and other private communications. This week the Senate Judiciary Committee will begin consideration of legislation that I authored with Republican Senator Mike Lee to reform the Electronic Communications Privacy Act to make sure that this occurs, and that the overall privacy protections for our email and other electronic communications are strengthened. Safeguarding Americans’ privacy rights is not a Democratic issue or a Republican issue — it is something that is important to all Americans, regardless of political party or ideology. I hope that all members of Congress share this view and will support this timely and significant legislation that upholds Americans’ privacy rights.”

    Sen. Leahy’s proposed ECPA amendment was introduced in late March, but one event in particular may have forced his hand to push ECPA reform faster than he may have planned. The ACLU obtained a number of documents from the IRS that suggested the agency obtained emails without a warrant, and said that Internet users “do not have a reasonable expectation of privacy.”

    In response, Rep. Charles Boustany sent a letter to the IRS asking the agency to explain its email policy. It’s highly unlikely that the agency would answer all of the questions posed by Rep. Boustany, but it did say that it “treats taxpayers with respect” and “does not use emails to target taxpayers.”

    Sen. Leahy’s bill is a great first step to updating the decades-old ECPA, but a House vote this week could be a different first step in making an updated ECPA a moot point. CISPA, a bill that would let companies share your private information with the government, will go to the House floor for a vote this week. If it somehow makes its way into law, it would allow companies to share your emails and much more with the government while enjoying total immunity in the case the government uses that information for anything illegal. Fortunately, the White House has serious reservations, but it didn’t go so far as to issue a veto threat.

    We’ll keep following both ECPA and CISPA as they make their way through the legislature over the coming months. We can only hope that the former makes its way all the way through, and the latter is treated to the same ignoble death its predecessor was dealt last year.

  • Obama Administration Says CISPA Still Has Some Issues

    On Wednesday, CISPA came closer to reality as it passed the markup phase in the House Intelligence Committee. Now the bill has to make it through the House, then the Senate, and finally the President’s desk. That last one may have just become a little harder, however, as the administration doesn’t necessarily like what it sees in the cybersecurity bill.

    The Obama Administration has finally issued a statement in regards to its stance on the controversial CISPA bill that’s expected to go before the House next week. The statement, written by Caitlin Hayden, a National Security Council spokesperson, says the newly amended CISPA is a good start, but doesn’t go far enough in protecting civil liberties:

    “We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections. The Administration seeks to build upon the productive dialogue with Chairman Rogers and Ranking Member Ruppersberger over the last several months, and the Administration looks forward to continuing to work with them to ensure that any cybersecurity legislation reflects these principles. Further, we believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities.”

    This new statement comes almost a year after the White House issued its first statement in opposition to CISPA. At that time, the statement was much longer, and tore CISPA a new one. The old statement also ended with a veto threat.

    It’s unfortunate then that this new statement contains no such thing. The new one doesn’t even address any of the specific failings in CISPA. It would have been nice to see the administration explicitly state it was against granting companies immunity when they share private information with government, or that it was against the bill allowing companies to share information directly with the NSA. We could assume that the administration, based upon last year’s statement, was against these provisions in CISPA yet again, but its silence doesn’t inspire confidence.

    Regardless, it’s nice to see that the White House still has some issues with CISPA. It would have been even nicer to see the administration issue a veto threat, but this will have to do for now. Now we can only hope that the White House finally addresses the CISPA petition that got over 100,000 signatures last month.

    [LA Times via TechDirt]

  • CISPA Advances: Do You Trust Congress With Your Privacy?

    Well, that didn’t take long. The Hill reports that the House Intelligence Committee met in secret Wednesday to mark up CISPA and approve any last amendments before it made its way to the House floor. CISPA was approved on a vote of 18-2.

    Now CISPA is heading to the House floor, but the question still remains – will CISPA protect your privacy? The amendments approved during the mark up point to a bill that’s well intentioned, but some privacy advocates still aren’t convinced. Those very same privacy advocates are now leading the fight to improve or kill what they feel is an attack on their online freedoms.

    Are you concerned about CISPA? Do you think it will pass the House? Let us know in the comments.

    The big question is whether or not the House Intelligence Committee actually improved CISPA during the mark up. There were six amendments approved, and all six were backed by the bill’s authors – Reps. Mike Rogers and Dutch Ruppersberger. The amendments talk a big game, but do they really take your privacy seriously?

    Speaking to reporters, Rogers claims that this year’s CISPA addresses all the problems privacy advocates had with the bill:

    “What we came up with, we think, is the right approach. It is the one bill out of everything you’ve seen on both sides of this great institution of the United States Congress that protects a free and open Internet and allows people to share cyber threat information to protect their clients, their business, their [personally identifiable information].”

    One of the more publicized amendments would require the government to strike any personally identifiable information from the data it receives. The same would be required of companies receiving information from the government. The problem with these seemingly well intentioned amendments, at least according to TechDirt, is that the information isn’t wiped before it reaches the government. There’s an expectation that the government will wipe any personally identifiable information from the data as soon as they receive it, but it’s hard to say when that data will be wiped. Will the government wipe the data as soon as it receives it, or will it wipe it when it’s most convenient?

    Another amendment would forbid companies from using the information they receive from the government for marketing purposes. This is definitely the most troublesome amendment only because it admits that CISPA would allow this sort of thing if left unchecked. According to the folks in Washington, CISPA is meant to address cybersecurity. Why does the bill have to address something like marketing then? There are bigger problems with a cybersecurity bill when the kind of information it shares can be used for marketing purposes.

    Alongside the amendments, the committee also struck some language from CISPA that said the information the government receives could be used for “national security purposes.” Critics said the language was too broad, and feared that information received under CISPA would be used in criminal investigations that have nothing to do with national security.

    Despite these amendments, two members of the House Intelligence Committee still voted against CISPA. Rep. Adam Schiff threatened to vote against CISPA if his amendment wasn’t taken up, and he stayed true to his word. It’s a shame too as his amendment would have addressed a few major concerns privacy advocates have with the bill.

    Schiff’s amendment would do what Rogers’ amendment does in that it removes personally identifiable information from data the government receives from companies. The only difference is that Schiff’s amendment called for an automated system that would strike the information from data before it reached the government’s hands. It’s not said why the committee didn’t go with Schiff’s amendment, but some lawmakers have already shown that they don’t trust algorithmic software.

    Even if the privacy protections actually protected users’ privacy, opponents of the bill are still sour over CISPA’s willingness to grant legal immunity to companies that share data with the government. In other words, you can’t sue a company that mishandles your information as long as that data was being used for “national security purposes.”

    Opponents are also still unhappy with the bill not explicitly stating which government agency companies must share data with. Privacy advocates think the information should be sent to a civilian agency, like the Department of Homeland Security, but there’s nothing stopping a company from sharing information with the National Security Agency, a secretive organization that has little governmental oversight and is already rumored to be illegally collecting online communications.

    Do you think the amendments approved by the House Intelligence Committee do enough to protect your privacy? Let us know in the comments.

    CISPA may have passed committee, but now the real fight begins. The first obstacle standing in its way is the rest of Washington as both the White House and Senate were opposed to CISPA last year. The Senate’s insistence on passing the doomed CSA ultimately doomed CISPA as well. Schiff is also confident that the White House will come out against the bill again:

    “I do think that the reservations that the White House has stated to the bill are still there and my expectation is that they would be appreciative of the steps that were taken, but also call for additional steps.”

    Another obstacle standing in CISPA’s way is a renewed Internet grassroots movement dedicated to making sure the bill doesn’t pass. Groups like the ACLU and EFF are leading the charge while Reddit co-founder Alexis Ohanian has teamed up with Fight For The Future to launch a petition aimed directly at stopping CISPA.

    Despite all of this, CISPA will probably make it past the House again. It did last year, and the 2012 elections didn’t dramatically alter the House in a way that would make its members more likely to reject the bill.

    It’s going to get really interesting, however, when the Senate reveals its own cybersecurity legislation. Will it be another bill similar to last year’s CSA or will the Senate adopt something similar to CISPA this time around? Another big question is whether or not the White House will reject it again as the Obama administration has remained quiet on the debate so far despite a White House petition calling for the death of CISPA reaching 100,000 signatures.

    Do you think CISPA has any chance of passing the Senate? Will senators better take your privacy into account? Let us know in the comments.

    [Image: EFF]

  • Reddit Co-Founder Alexis Ohanian Calls Up Larry Page To Talk CISPA

    Pro-privacy proponents and Internet activists are obviously concerned about CISPA. The bill would allow corporations to share private user data with the government while enjoying complete legal immunity. What’s more concerning, however, is that major Internet companies that deal in private data aren’t saying anything about CISPA.

    To find out what these companies think, Reddit co-founder Alexis Ohanian attempted to call Google CEO Larry Page, Facebook CEO Mark Zuckerberg and Twitter CEO Dick Costolo to ask them about their stance on CISPA. Humorously enough, the Google representative claims that there’s no Larry Page at Google, but then says that he’s just not in. Similar situations unfolded when he attempted to contact the others:

    Sure, the video is a little humorous, but it ties into an important campaign from Fight For The Future called “Save Your Privacy Policy.” It’s a petition that will be sent to the above CEOs asking them to publicly come out against CISPA, and defend their users’ right to privacy.

    Speaking of petitions, the petition asking the White House to stand against CISPA crossed the 100,000 signature threshold in early March. There has yet to be a response, but the Obama administration stood against CISPA last year. We can only hope that they will do so again.

    [h/t: Reddit]

  • CISPA Is Looking Better, But Privacy Proponents Still Aren’t Satisfied

    Rep. Adam Schiff announced on Friday that he would be introducing a pro-privacy amendment to CISPA that would force companies to remove any identifiable information from data they share with the government. Surprisingly enough, the bill’s authors seem to be taking this amendment, and other pro-privacy amendments, seriously.

    The Hill reports that House Intelligence Committee Chairman Mike Rogers and ranking member Dutch Ruppersberger will be adding a number of amendments to CISPA during its markup this week. Rogers insists that CISPA is “not a surveillance bill” and the proposed amendments will reportedly clear up any misconceptions people have about it.

    So, what kind of misconceptions will these amendments clear up? The first would strictly limit what government agencies could use the collected information for. Opponents suggest the current CISPA would allow government agencies to use collected information for non-national security purposes. The amendment would make it clear that any information collected under CISPA must be used only for national security purposes.

    Another amendment would make sure companies are held to the same standard as government agencies. In other words, it would require companies to use any information they receive from government agencies for cybersecurity purposes only.

    One of the more interesting amendments would forbid companies from launching retaliatory attacks against those who launch attacks against them. It’s not exactly a pro-privacy amendment, but it would help keep trigger happy companies under check while the authorities investigate cyberattacks.

    Privacy proponents are obviously happy to see CISPA being improved, but they still have one major issue with the bill. They feel that any information obtained by the government should be sent to a civilian agency, like the Department of Homeland Security. The current bill isn’t exactly clear on which agency companies would share information with, but one interpretation sees CISPA allowing companies to share information directly with NSA, a spy agency with little governmental oversight.

    The currently proposed amendments don’t address all the problems, but they show that the House Intelligence Committee at least wants to address some of the problems privacy proponents have with CISPA. That’s more than what the committee did last year as it passed CISPA without even allowing arguments for proposed amendments to be heard.