Techdirt has a new story up about how the recent CISPA amendments are thought by many to have “fixed” the bill, when that’s far from being the case.
Government networks are protected by a network security system called Einstein, which is being steadily expanded to do things like analyze the content of communications.
Such software meets all the criteria of a “cybersecurity system” under CISPA, and there is serious concern that the bill would permit the government to offer Einstein or a similar system to private cybersecurity companies.
By CISPA’s definitions, everything collected by such a system would qualify as “cyber threat information” and thus be open game for sharing with the government—and nothing in the bill would prevent these private systems from being connected live to government databases, effectively uniting them with the government’s own security network.
I’d also note that there’s nothing preventing private companies from developing and using their own software to monitor networks and network traffic, and offering to share that information with the government.
Who, as explained earlier, can then use that information in any way deemed necessary to the “national security” of the US.
Under CISPA, a company could read your email (network traffic) on the grounds that they’re scanning for viruses and other threats to security. They can then share that “data” with the government. After that it’s fair game.
The national security loophole has already been used, for example, to feed “terrorist” data collected under the Patriot Act to the DEA in order to curtail drug smuggling. Is drug smuggling illegal? Yes. Is it a “national security” issue? Apparently.
All of this is completely legal under CISPA. As long as there’s a “cyber security” purpose, of course.
In fact, CISPA exists primarily to give sharing private information with the government a legal basis, to block disclosure of such sharing under the FOIA, and to provide a legal “get out of jail” card to companies that cooperate “voluntarily”.
And once such monitoring systems are in place, we’re probably just one terrorist attack — or even just the threat of an attack — away from the government passing an emergency measure requiring companies to hand over their collected data.
One such emergency is how we ended up with the “Patriot Act”, after all.
Paranoid? Perhaps. But one should note that many of these potential loopholes could be closed with some relatively simple language changes, or by simply setting clear and unambiguous limits on use…
Which they are not doing.