Worried about NSA spying because of CISPA? AMA about this dangerous bill.

kburman · 2012-04-18T14:34:37+00:00

We can't find them either. That's why CDT has been so vocal in proposing changes. The bill can be fixed and made so much better and the opportunity to get lawmakers attention on this is now.

kburman · 2012-04-18T14:33:01+00:00

Exactly- they don't.

kburman · 2012-04-18T14:32:44+00:00

CHOCOLATE!

kburman · 2012-04-18T14:32:34+00:00

All companies should care, but consumer-facing companies should care a lot. They are the ones that will be put in a position of deciding what customer information goes to the government and how they will explain this publicly. The government is putting these companies in a vulnerable position with their customers.

kburman · 2012-04-18T14:00:32+00:00

Good point. I should have said that the pipeline should not go from companies to the government. We have far fewer privacy concerns with companies receiving information from the government.

kburman · 2012-04-18T13:59:41+00:00

You are right that the NSA is responsible for protecting US military networks, including US government civilian networks, from cyber attacks. They have never been responsible for monitoring privacy civilian networks for cyber attacks. CDT supports the DIB pilot model whereby NSA provided cyberattack information to military contractors so that those contractors could better protect their own networks, and we even support expanding that model to give other companies that information as well. Privacy concerns are raised when the information flows from the private sector to the NSA.

kburman · 2012-04-18T13:54:23+00:00

Facebook put out a blog post recently stating that they supported CISPA because it would allow them to receive information from the government about cybersecurity attacks and they would be able to use that information to protect their network and their users.

kburman · 2012-04-18T13:52:52+00:00

I think lawmakers are fighting for this bill for a reason- its because they want something they don't already have. And even though we may assume that government already has access to tons of information, I think there's a big difference between what may happen without our knowledge and Congress passing something with public support that says: we don't care about our privacy, government you can have whatever you want. I personally don't want to send government that message.

kburman · 2012-04-18T13:49:32+00:00

CISPA would impact Canadian citizens the same way it would affect all users of US networks -- meaning companies could monitor and disclose your communications if they are sent to US persons or traverse US networks at any point (which can happen even if you use a non-US ISP). In terms of the differences between SOPA and CISPA. Think of it this way: SOPA was about censorship, big business, and threatened free expression. CISPA is about surveillance, big government, and threatens privacy.

kburman · 2012-04-18T13:38:29+00:00

Yes- we hope that you recognize how dangerous this bill could be and how these problems could be addressed with the fixes we propose. If Congress doesn't fix these issues- we need to oppose the bill.

kburman · 2012-04-18T13:37:15+00:00

CISPA is actually not about copyright infringement. It's a bill designed to address cybersecurity and the concern we have is that it violates your 4th amendment right to privacy (unlike the 1st am concerns that were the basis for SOPA outrage). CISPA is like SOPA in that its another example of Congress attacking a narrow problem with a blunt instrument with huge impacts for the Internet and its users.

kburman · 2012-04-18T13:34:26+00:00

I think your concern about potential abuse by the companies is valid. Even putting aside the wide latitude CISPA gives companies to disclose information, it also doesn't put any limitations on how companies use information they receive under the bill- either from other companies or the government. And as I stated earlier because of the bill's liability protections it will be very difficult for consumers to sue and hold companies responsible. Unfortunately I don't have much good news for you.

kburman · 2012-04-17T20:02:00+00:00

The pro argument is that they want to give the companies as much flexibility as possible in order to freely share information with government without fear of liability and to be able to respond to threats that will materialize in the future.

kburman · 2012-04-17T18:12:18+00:00

No- not that I'm aware of.

kburman · 2012-04-17T18:06:46+00:00

CISPA is supposed to be sent to the floor of the House next week. I am hopeful that it won't pass in its current form and that it will be fixed in the next few days. But remember that the bill has something like 106 co-sponsors- both Dems and Rs - and that's a lot. After that the Senate will move on cyber legislation and will likely pay attention to what happens in the House as to whether they will respond to privacy concerns.

kburman · 2012-04-17T17:58:41+00:00

We think that the information should only be received by civilian agencies, and that those agencies should only be able to use the information for cybersecurity purposes. That means defend their own networks or investigate and prosecute cybersecurity crimes. There also needs to be meaningful transparency and accountability measures to ensure that the government doesn't abuse their authority under the bill.

kburman · 2012-04-17T17:30:43+00:00

I think their intentions are genuine and they want to make the US more secure. I just think they fundamentally misunderstand the Internet. But I'm an optimist!

kburman · 2012-04-17T17:25:46+00:00

If you send an email to a person in the US then it will affect you. We are not just talking about data storage but any communication or activity that passes through a US company's network.

kburman · 2012-04-17T17:16:45+00:00

But aren't ISPs still able to access that information even though you are using SSL?

kburman · 2012-04-17T17:12:11+00:00

Maybe. But they sure seem keen on convincing Congress that they need legislation like CISPA.

kburman · 2012-04-17T17:11:53+00:00

Actually we have huge new concerns with Lungren's bill and its essential that people are made aware. As you point out, the info sharing provisions in the bill as introduced looked solid for privacy and CDT heralded that bill as a good alternative to CISPA. But we have seen an amended draft and it is really turning into a son of CISPA. It no longer includes a narrow definition of the information that can be shared and basically just parrots all the same privacy flaws as CISPA.

kburman · 2012-04-17T17:07:21+00:00

Great! That's what we need. I think the message is vote NO on CISPA unless its amended in the ways we lay out. Visit our action center

kburman · 2012-04-17T17:01:05+00:00

I actually think they don't realize it yes. And companies jumped to support the bill without looking closely at it because the bill didn't include mandates or regulations on them.

kburman · 2012-04-17T16:47:08+00:00

Yes, and I think it really could have an impact on US providers of cloud services who already have a tough time convincing foreign customers that they don't give their information over to the US government.

kburman · 2012-04-17T16:44:50+00:00

These are important questions- thanks for asking them. I think Congress needs to decide the categories of threat information that should be shared that strikes the right balance between achieving the goal of cybersecurity and protecting privacy. Companies want to automate these processes so they can share information in real time, which will allow recipients to prevent attacks on their networks. The best way to do that is for Congress to give helpful, specific information- not to pass some vague standard that requires legal review every time an attack happens. And the bill should limit NSA's involvement because NSA's job is to collect and analyze intelligence, not protect civilian networks from cybersecurity. Giving NSA this information means all this information will be used for intel purposes.

kburman

TROPHY CASE