Alrighty... analysis time. Now this analysis is about the bill as it passed the House. There are a number of limitations that were added to the bill, including the restriction on "affirmative search", which definitely protects our privacy.
http://www.govtrack.us/congress/bills/112/hr3523/text
The above is the bill as it passed the House. Frankly, I'm surprised this isn't happening already. I've personally been operating as if this bill has always existed: actions you do online are tracked by various companies. Even if this bill weren't passed, companies have been collaborating with the Feds for years.
Don't y'all remember? The NSA was brought into the Google hacks as well as the Nasdaq hacks. And when Anonymous was doing their thing two years back, 35 arrest warrants were issued by the FBI.
How do you think the FBI got that information? They asked companies to give them IP logs and other such information... BEFORE they got warrants, obviously.
What the bill does is grease the wheels a bit so that companies are encouraged to share such data with the government. But ultimately, I'm of the opinion that this is already happening. Companies still have the right to refuse to give information out.
‘(5) NO LIABILITY FOR NON-PARTICIPATION- Nothing in this section shall be construed to subject a protected entity, self-protected entity, cyber security provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, to liability for choosing not to engage in the voluntary activities authorized under this section.
I'm not sure if we got better privacy from this, but there are now clearer limitations on these "powers". For example:
‘(c) Federal Government Use of Information-
‘(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)--
‘(A) for cybersecurity purposes;
‘(B) for the investigation and prosecution of cybersecurity crimes;
‘(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
‘(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or
‘(E) to protect the national security of the United States.
‘(2) AFFIRMATIVE SEARCH RESTRICTION- The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1)(B).
I should note: the Affirmative Search Restriction is one of the privacy protections that were pushed onto this bill right before it passed the House. I don't fully understand what it means, however.
‘(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--
‘(A) require a private-sector entity to share information with the Federal Government; or
‘(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.
‘(4) PROTECTION OF SENSITIVE PERSONAL DOCUMENTS- The Federal Government may not use the following information, containing information that identifies a person, shared with the Federal Government in accordance with subsection (b):
‘(A) Library circulation records.
‘(B) Library patron lists.
‘(C) Book sales records.
‘(D) Book customer lists.
‘(E) Firearms sales records.
‘(F) Tax return records.
‘(G) Educational records.
‘(H) Medical records.
‘(5) NOTIFICATION OF NON-CYBER THREAT INFORMATION- If a department or agency of the Federal Government receiving information pursuant to subsection (b)(1) determines that such information is not cyber threat information, such department or agency shall notify the entity or provider sharing such information pursuant to subsection (b)(1).
‘(6) RETENTION AND USE OF CYBER THREAT INFORMATION- No department or agency of the Federal Government shall retain or use information shared pursuant to subsection (b)(1) for any use other than a use permitted under subsection (c)(1).
‘(7) PROTECTION OF INDIVIDUAL INFORMATION- The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.
More important than what's listed here is what is NOT listed here. The Government cannot use the powers in the bill to look for petty theft (unless the theft happened online). Outside of child pornography, potential death / serious bodily harm, "cybersecurity", and "national security", the powers contained in this bill cannot be used.
I admit, this is vague here. It's important for the "limits" to be well defined. IMO, I think I'd be fine with the bill if "cybersecurity" were defined better, and if "national security" were removed. But if shady people walked up to Google and said "give me information because of NATIONAL SECURITY", I can practically guarantee you that Google will give up the information freely. It's the culture of our society: we trust the higher-ups with information.
I'm not necessarily saying it's right, but it's how this country works. And the fact that we've got a law that reflects reality is a good thing IMO. (Even if reality isn't something that you necessarily agree with.)
Anyway, I'd like to know what everyone's thoughts are on the limitations above. Where do you think they go wrong? IMO, I'd rather have a bill like this pass that formalizes the relationship between the Government and Companies. I honestly think this stuff is already going on, and it's better to know what the limits are.
ATM, I don't see what's so bad about this bill actually... (Actually, I can see where companies can hide behind a veil of anonymity if they gave up information like this. IE: If this bill passes... I don't think the FBI has to say "Google has given us this information". The FBI probably can say "A Large Internet Company has given us this information, and the identity of this company is protected by CISPA". True, it reduces liability and encourages companies to share information with the Government. But in the majority of cases, I don't think this would make a difference.)
EDIT: Actually, I found the definition for Cybersecurity thingies.
‘(4) CYBER THREAT INFORMATION-
‘(A) IN GENERAL- The term ‘cyber threat information’ means information directly pertaining to--
‘(i) a vulnerability of a system or network of a government or private entity;
‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or
‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.
‘(B) EXCLUSION- Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
So Cybersecurity threats actually seem reasonably defined to me. I agree with the definition, there seem to be some good restraints (see limitations section), and the entire bill is voluntary. (no one is forcing anyone to do anything).
Is it really that bad? Like SOPA, I'm sure the devil is in the details. But upon my initial analysis, I really don't see the major privacy concerns that everyone is talking about. (At least... when compared to the status quo. IE: what's already being done without this bill.)
First Strike +1/+1 and Indestructible.