April 25, 2013, 12:16 PM — Cybersecurity and online privacy are two critical interests that seem destined never to get along. Sure, you want malicious hackers, spammers, and other Internet lowlifes brought to justice--but you also want to protect your online data.
A big part of cybercrime-fighting, however, demands gathering a haystack's worth of aggregated online data and scanning it for an elusive needle of suspicious activity. Your online data could be swept into one of these piles and scanned. What happens to it along the way is anyone's guess.
That's why you'll want to keep an eye on the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the U.S. House of Representatives last week and is now being considered by the Senate, where it's currently in committee. CISPA aims to loosen restrictions that currently govern the sharing of data among cybersecurity investigators. That may sound reasonable enough, but the controversy arises over how the data is handled--specifically, how it's shared, and how personally identifiable information (PII) is minimized.
In addition, the bill creates a high level of immunity from lawsuits for the government and private companies that share data. This isn't exactly comforting when they're sharing your data.
When, not if, your data is scanned and shared
The first step in understanding how cybersecurity works is to accept that your online data is already being scanned. Government, law enforcement, and private companies are all on the lookout for suspicious-looking Internet activity. Spammers, botnets, and malicious hacks into sites like Twitter fall into one broad category of cybercrime. Of even greater concern are attempts to attack "critical infrastructure" (such as power and water utilities, and communication networks), or civilians.
CISPA would let private companies share data with law enforcement officials and government agencies if the data qualifies as what the bill calls "cyber threat information" that could help solve a crime. That term's vagueness is a big part of the privacy problem, says Jeramie Scott, national security fellow at the Electronic Privacy Information Center. "It uses terms like 'vulnerability to a network' and 'threat to the integrity of a network' in its definition that are left to the private sector to interpret," Scott says.
Definitions covering data are vague enough to invite oversharing
CISPA's vagueness gives private companies a lot of wiggle room to overshare information. "Say a social networking site suffers a denial-of-service attack," Scott says. "The site could just offer the more relevant diagnostic details to the government, but it could also provide the personal information on all the profiles affected--including, for example, who you're connected with, and profile bio details--as long as the social network deemed the information part of the 'cyber threat information.'"
According to legislative counsel Michelle Richardson of the American Civil Liberties Union, every stupid spam you receive from Nigeria could make your data fair game for further investigation. "These are everyday occurrences that are cybersecurity events under the bill," says Richardson. Rainey Reitman, activism director at the Electronic Frontier Foundation, says that a service could share any data that it deemed "cyber threat information" and could do so "without legal process, so long as it was in 'good faith' and for a 'cybersecurity purpose.'"
Data sharing will be easier--or automatic
The ACLU's Richardson adds that under CISPA, the data sharing will be smooth--really smooth. Instead of going through a process in which the government specifically requests information, "they are talking about some sort of process that is automatically going to forward stuff to the government," says Richardson.
If data is going to be routed automatically, when and how PII gets stripped from the data becomes a bigger issue. Unfortunately, no one is talking about making user identities completely anonymous. No, the people behind CISPA are satisfied with mere "minimization"--making a reasonable effort to remove PII. Here's where the definition of "cyber threat information" once again comes into play, says EPIC's Scott: "CISPA does not require [a private company] to remove or otherwise narrow the information provided to the government as long as it falls under the broad umbrella of cyber threat information."
Though it would seem to make sense for the providing company to strip PII from the data they share, under CISPA that task falls to the government. David LeDuc is senior director of public policy for the Software & Information Industry Association, a major trade group representing software developers and digital content businesses, which supports CISPA. LeDuc downplays the importance of PII in cybersecurity, saying that it isn't what interests professionals engaged in fighting cybercrime. "Security experts look for trends," he says, "the prevalence of certain behaviors, and propagation patterns for malware--not at personal information."
LeDuc also points out that CISPA was amended from making government-based minimization optional to making it mandatory. "The federal government must minimize information it receives from the private sector to take out information about specific persons not necessary to respond to a cyber threat," he says.
However, this amendment doesn't address the question of what happens to data shared between private companies. Because only the government has the job of minimizing PII under CISPA, private companies may share relatively PII-rich data among themselves without making any effort toward minimization. In speaking before the House vote on CISPA, Representative Adam Schiff (D-California) made clear his disapproval. "Private entities can share information with each other without ever going through the government," he said. "In those circumstances, how can the government minimize what it never possesses? So government-side minimization alone, which is all this bill includes, is not enough."
Congressman Schiff had introduced an amendment to address this loophole, but he complains that CISPA's sponsors never brought it before the House for a vote.
What private companies care about: lawsuits
Beneath all this talk of sharing and minimizing, what CISPA really seems to be about is protecting the companies that provide the data from being sued for doing so. When asked what was the most important thing for consumers to know about CISPA, SIIA's LeDuc said that liability risks were thwarting cybersecurity efforts. "Unfortunately, under the current legal framework, companies, or any private entities, face risk of regulatory or legal action for sharing information that they believe could be valuable for preventing or mitigating a cybersecurity threat or incident," he says.
The prospect of litigation is somewhat quaint. After all, with these huge data-scanning efforts, most of us will have no idea whether our data is being used or misused, unless it comes back to bite us. If that were to happen, however, it would be nice to have a process for legal recourse. Here again, CISPA's vague language makes privacy harder to protect. The ACLU's Richardson says, "It's not just what you can share, but any decisions you make based upon the information shared are also immunized. They actually use that term, 'decisions made,' which is incredibly broad."
'Good faith' covers a lot of well-intentioned damage
But SIIA's LeDuc insists that there is a process. "Individual citizens do not lose their ability to sue or utilize the courts for redress," he says. "Any case where a company has been found to not act in 'good faith,' they would likely be liable for harm to an individual."
Reitman of the EFF says that the cover of "good faith" could easily go too far. Protected from liability, companies could share more data more freely. For example, says Reitman, "Netflix could give to the government a list of the names, credit card numbers, home addresses, and account activity for everyone who watched the movie Hackers during the three weeks leading up to Netflix suffering a mild DDOS attack." CISPA currently provides for civilian oversight of data sharing through the Department of Homeland Security and other entities, but if the data then gets passed along to a military entity, the oversight ends.
"We would never know what they did with that data," says Reitman. "We don't think that would be in good faith, but it would be hard for the customers to discover and later prove."
CISPA may not get far
This is CISPA's second attempt to win Senate approval, and its success is far from certain--especially given the President's clearly stated intention to veto CISPA in its current form. Though no piece of legislation is perfect, opponents point to CISPA's vagueness and loopholes as game-stoppers. ACLU's Richardson says, "People are talking about China breaking in and stealing intellectual property. If they had written a bill about that, we'd have fewer complaints. CISPA's broad and sweeps up a lot of everyday activity."
Senators are also preparing alternative cybersecurity legislation--though that didn't work last year, either. Senator John D. (Jay) Rockefeller (D-West Virginia) is sponsoring the Cybersecurity and American Cyber Competitiveness Act of 2013 (as he did a similar 2012 effort that stalled). In a press release posted after the House vote on CISPA, Senator Rockefeller said, "Today's action in the House is important, even if CISPA's privacy protections are insufficient. We need action on all the elements that will strengthen our cybersecurity, not just one, and that's what the Senate will achieve." Reached earlier this week, Senator Dianne Feinstein (D-California), a co-sponsor of the same bill, said, "We are currently drafting a bipartisan information sharing bill and will proceed as soon as we come to an agreement."
The bill as it stands shows the complicated tug of war between online privacy and cybersecurity efforts. The ACLU's Richardson believes that CISPA will inspire the Senate to find a better solution. "Everyone else in this game is looking at something more targeted and strategic and privacy-protected." The imperfect answer is out there somewhere, hopefully with as much protection for the little guy as there seems to be for big data.