CISPA: Congress wants to create unlimited Internet spying powers - KILL THIS BILL! KILL IT WITH FIRE!

CISPA is the latest Congressional proposal to do something unbelievably horrible with the Internet -- this time, it's letting US law enforcement and intelligence services raid all of your data, all the time, without letting you know, regardless of your service provider's privacy policy, in the name of preventing "cyberattacks," whatever they are.

It's about as horrible as it can be: the House Rules Committee won't even allow privacy-protecting amendments on the agenda; the bill's sponsor Rep. Mike Rogers dismisses people who oppose CISPA as 14-year-olds in their parents' basements; and a bunch of tech companies are lobbying in favor of CISPA because the bill cannily immunizes them from liability for firehosing your personal, sensitive information all over the place.

The sole bright light is this: the Obama White House has taken an uncharacteristically progressive stance on privacy this time around, and has threatened to veto the bill.

The Electronic Frontier Foundation is, as always, the best place to go to find things you can (and should, and MUST) do to kill this insane proposal.


    1.  Not mine.  I didn’t vote for anyone currently in office (and yes, I voted) at the Federal level.

  1. “the Obama White House has taken an uncharacteristically progressive stance on privacy this time around, and has threatened to veto the bill.”
    Obama has threatened to veto bills before, and then when push comes to shove he backs down and signs it into a bill. This got me wondering: has Obama ever vetoed a bill?
    Thus far he has vetoed 2 bills. He has vetoed far fewer bills than Bush, who was regularly lambasted for not vetoing bills.
    Obama will sign this if it gets to him, guarantee it. And if people go thinking it’s a done deal and dead in the water because the president said he would veto it, it definitely WILL get to him.

    1. Obama likes to chicken out.  He is nothing if not a moral coward, who telegraphs all the positions that he plans to abandon in advance, so why should his opponents even bother negotiating with him if they know he’ll cave?  

    1. IBM, the company that made the WWII genocide adding machines for logging who had been gassed, burned or shot for Hitler?

  2. You can always count on one of the supporters of such insane bills to produce a ridiculous soundbite, providing meme fodder to the online efforts to defeat them.

  3. I wish someone who cared was in a position to ask these people why the internet in America should be more like it is in China, Iran or under the Assad regime on live TV.

    1. Why is this guy selling flags that have “been flown over the capital”?

      Because there’s no market for plenary indulgences anymore.

  4. Copied from HN, but this makes me feel like people are blowing stuff out of proportion here:

    “What did you think happened when law enforcement investigated serious computer crimes? If a financial institution has a key database popped and the Secret Service is called in to investigate, was it your expectation that the victim was required to carefully anonymize and blind all the data in that database? How could any criminal investigation work if that was the requirement? (Cliff’s Notes: That’s not the requirement).
    The bill as written, even before the narrowing amendments, acknowledges the risk this subthread discusses. It does that by trying to define “cyber threat information”, as information directly implicated in an attack. In the sponsor’s notes on the bill on the House site, they explain that the definition of “protected entity” was changed specifically to prevent individual people from being considered as entities, so that person-specific data couldn’t be handed over under CISPA authority.
    The basic problem the bill addresses is this: large companies are under continuous attack. Let’s stipulate that attacks come in two flavors: DDOS and targeted malware.
    In both cases, there is clear utility in allowing companies to collaborate with other companies and with the government.
    In the DDOS case, you want to share NetFlow information with your upstream ISPs and with DDOS trackers, because those are the organizations that generate black-hole and IP filtering rules, and they all work better if they have lots of different vantage points to work from. At the very least, you want to push sources back up to your immediate upstream providers so they can soak them up on their infrastructure rather than saturating your uplinks.
    In the malware case, you want to share forensic information that would help identify (a) the vulnerability the malware exploits, (b) the C&C system the malware is using, (c) any evidence of the source of the malware, and (d) forensic information that would help investigators discern the intent of the malware.
    In both cases, your company’s general counsel is apt to inform you that the legal risk of sharing just that information is potentially unbounded, because nobody can predict exactly what claims could be made under ECPA, SCA, DPPA, HIPAA, FERPA, &c; nobody even knows what traces of information, overt or statistical, might be lurking in NetFlow.
    So the situation we have today is that there is information sharing when attacks happen, but much of it is sub rosa, and you have to be in the right clubs to get access to the right sharing networks.
    It does not make intuitive sense to me that electronic privacy should mean that basic low-level systems information incident to a real attack should incur unbounded legal risk when shared with other companies directly involved in mitigating those attacks.
    You might disagree, and that’s fine. But the notion that CISPA is actually intended to allow NSA to read your email is just not supported by the language of the bill, by any advocacy for the bill, or by any of the bill’s amendments, and the problem the bill is addressing is a real problem (I have some limited professional exposure to it).”