On Friday, April 27, the House of Representatives is scheduled to take up House Resolution 3523, the Cyber Intelligence Sharing & Protection Act. If passed, it could severely affect not only the internet, but our First & Fourth Amendment rights and liberties to the point we will be forced to exercise our rights under the 2nd AMENDMENT. The following is a brief outline of the points of contention within CISPA, which many believe is even more dangerous than SOPA could have ever been. You couple this with Department of Homeland Security initiatives already in place and you are looking at a complete and total erosion of speech, privacy and liberty…
- CISPA could allow any private company to share vast amounts of sensitive, private data about its customers with the government.
- CISPA would override all other federal and state privacy laws, and allow a private company to share nearly anything—from the contents of private emails and Internet browsing history to medical, educational and financial records—as long as it “directly pertains to” a “cyber threat,” which is broadly defined.
- CISPA does not require that data shared with the government be stripped of unnecessary personally-identifiable information. A private company may choose to anonymize the data it shares with the government. However, there is no requirement that it does so—even when personally-identifiable information is unnecessary for cybersecurity measures. For example, emails could be shared with the full names of their authors and recipients. A company could decide to leave the names of its customers in the data it shares with the government merely because it does not want to incur the expense of deleting them. This is contrary to the recommendations of the House Republican Cybersecurity Task Force and other bills to authorize information sharing, which require companies to make a reasonable effort to minimize the sharing of personally-identifiable information.
- CISPA would allow the government to use collected private information for reasons other than cybersecurity. The government could use any information it receives for “any lawful purpose” besides “regulatory purposes,” so long as the same use can also be justified by cybersecurity or the protection of national security. This would provide no meaningful limit—a government official could easily create a connection to “national security” to justify nearly any type of investigation.
- CISPA would give Internet Service Providers free rein to monitor the private communications and activities of users on their networks. ISPs would have wide latitude to do anything that can be construed as part of a “cybersecurity system,” regardless of any other privacy or telecommunications law.
- CISPA would empower the military and the National Security Agency (NSA) to collect information about domestic Internet users. Other information sharing bills would direct private information from domestic sources to civilian agencies, such as the Department of Homeland Security. CISPA contains no such limitation. Instead, the Department of Defense and the NSA could solicit and receive information directly from American companies, about users and systems inside the United States.
- CISPA places too much faith in private companies to safeguard their most sensitive customer data from government intrusion. While information sharing would be voluntary under CISPA, the government has a variety of ways to pressure private companies to share large volumes of customer information. With complete legal immunity, private companies have few clear incentives to resist such pressure. There is also no requirement that companies ever tell their customers what they have shared with the government, either before or after the fact. As informed consumers, Americans expect technology companies to have clear privacy policies, telling us exactly how and when the company will use and share our personal data, so that we can make informed choices about which companies have earned our trust and deserve our business.
One of the most frightening portions of this bill is the definitions. As you can plainly see, the definitions outlined in this bill are so vague and broad in scope that nearly anything could be meant or implied by the definitions. These definitions show that the bill seeks to subvert our right to privacy under the guise of protecting our private information from being stolen and/or misused by inspecting that private information to find out if it’s been stolen or misused…
To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.
“Other Purposes” is not defined or addressed in the bill. This is a HUGE hole.
‘(1) IN GENERAL-
‘(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes–
‘(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
‘(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.
‘(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes–
(same as (i) and (ii) above)
If this is signed into law, it empowers any company to “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. “Notwithstanding any other provision of law” is the operative term in this and other subsections of the bill. Essentially, it allows entities to ignore individuals’ right to privacy in everything from email and private online storage to search queries and remotely stored photos, ignoring any relevant privacy protection laws in effect. This means that companies providing cybersecurity services to other companies, or companies utilizing cybersecurity to protect their own systems, can use those cybersecurity systems to mine the data passing through or stored by their system. This means internet providers and/or website operators and hosts monitoring your email, monitoring website or forum posts, even medical records and so on, ad infinitum.
‘(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith–
‘(A) for using cybersecurity systems or sharing information in accordance with this section; or
‘(B) for not acting on information obtained or shared in accordance with this section.
This section is obvious in its intent: to protect those who would inspect and share our data from criminal or civil litigation. It allows the sharing of private information WITHOUT JUDICIAL OVERSIGHT OR WARRANT. It amounts to a violation of the 4th Amendment right to protection from unreasonable search or seizure.
‘(4) RELATIONSHIP TO OTHER LAWS REQUIRING THE DISCLOSURE OF INFORMATION- The submission of information under this subsection to the Federal Government shall not satisfy or affect any requirement under any other provision of law for a person or entity to provide information to the Federal Government.
This section further isolates information from protections under any other provision of law.
‘(c) Federal Government Use of Information-
‘(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if–
‘(A) the use of such information is not for a regulatory purpose; and
‘(B) at least one significant purpose of the use of such information is–
‘(i) a cybersecurity purpose; or
‘(ii) the protection of the national security of the United States.
‘(g) Definitions- In this section:
‘(1) CERTIFIED ENTITY- The term ‘certified entity’ means a protected entity, self-protected entity, or cybersecurity provider that–
‘(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and
‘(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.
‘(2) CYBER THREAT INFORMATION- The term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from–
‘(A) efforts to degrade, disrupt, or destroy such system or network; or
‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
‘(3) CYBER THREAT INTELLIGENCE- The term ‘cyber threat intelligence’ means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from–
(same as (A) and (B) above)
‘(4) CYBERSECURITY PROVIDER- The term ‘cybersecurity provider’ means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.
‘(5) CYBERSECURITY PURPOSE- The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from–
(same as (A) and (B) above)
‘(6) CYBERSECURITY SYSTEM- The term ‘cybersecurity system’ means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguard, a system or network, including protecting a system or network from–
(same as (A) and (B) above)
‘(7) PROTECTED ENTITY- The term ‘protected entity’ means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.
‘(8) SELF-PROTECTED ENTITY- The term ‘self-protected entity’ means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself…’
When coupled with current and ongoing DHS social-media monitoring and information gathering operations, CISPA once again brings to the forefront major government intrusions/violations of privacy/free speech/freedom of assembly that would have occurred with the passage of SOPA. DO NOT allow your Congressmen and Senators to destroy our inherent rights to life, liberty and the pursuit of happiness. CALL TODAY and tell them NO to CISPA!