CISPA Destroys Privacy and Shares Data with Government

Remember SOPA and PIPA, the two legislative Bills out of Washington aimed at combating online piracy, both of which failed passage? Both were highly criticized by online giants such as Wikipedia and Google, so much so that Wikipedia shut down its website for a day out of protest. Well, the government is at it again, except this time they have sweetened the pot, and hundreds of companies are now on-board. Why? Because if CISPA passes, any company will be legally allowed to share your private data for profit and have complete immunity from prosecution. It gets even worse as you’ll see below.

The name of the bill is Cyber Intelligence and Sharing Protection Act (CISPA). The title alone should speak volumes about its intent; Cyber Intelligence (think government) Sharing (your information) Protection (protect those who share it) Act. There is a big difference between SOPA and CISPA. The SOPA bill dealt with online software piracy and the governmental power to shut those sites down. CISPA on the other hand deals with the sharing of proprietary and private data with the Federal Government. In my opinion, this is far worse.

So once again, let’s break down the bill into smaller pieces to better understand what they are trying to pass. As I always do, I’ll provide a direct link to the CISPA Bill so you can read it in its entirety. It can be found on the House of Representatives website, and fortunately, it’s only 18 pages.

Here’s the first excerpt from the Bill that sets the stage for what we are dealing with. It looks as if the government wants to combat cybersecurity risks pertaining to your security, and national security by collecting data:

IN GENERAL.—

(A) CYBERSECURITY PROVIDERS.— Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes—

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and

(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

In short, any private company can share its data with other private or public companies, or specifically the Federal Government. Why does this bill specifically state the Federal Government? Because they don’t want any ambiguity on who the data can be exchanged with. At the same time, they are ambiguous when they say “Federal Government”. The reason being, they want it to be readily available to all federal agencies including, but not limited to, the NSA, FBI, CIA and Department of Homeland Security, Department of Agriculture, and many more. There’s proof of this below. Here’s where the flood gates open and all the information goes viral within the Federal Government:

(B) REQUEST TO SHARE WITH ANOTHER DEPARTMENT OR AGENCY OF THE FEDERAL GOVERNMENT.—An entity sharing cyber threat information that is provided to the National Cybersecurity and Communications Integration Center of the Department of Homeland Security under subparagraph (A) or paragraph (1) may request the head of such Center to, and the head of such Center may, provide such information to another department or agency of the Federal Government.

They can share this information with any and all other federal agencies. Nowhere in the bill does it state what the Federal Government can and cannot do with the information. I presume those agencies are going to store it in a massive database for data mining purposes. Furthermore, nowhere does it state how long the information can be kept. So it’s safe to presume they will keep it forever.

In the opening paragraph, I mentioned how CISPA sweetened the pot for the private companies. This is the paragraph that grants anyone sharing information exemption from liability, meaning, they cannot be prosecuted for sharing your private information.

EXEMPTION FROM LIABILITY.— No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith—

(A) for using cybersecurity systems or sharing information in accordance with this section; or

(B) for decisions made based on cyber threat information identified, obtained, or shared under this section.

That’s what you call “Diplomatic Immunity”! No involved parties can be prosecuted for sharing information provided it’s in “good faith”. Strangely, the term “good faith” is found nowhere else in the bill, not even at the end of the bill under the Definitions section. So, it would appear we have our first loophole or deliberately ambiguous wording in the bill.

Here’s the bullshit clause, as I call it. It makes you think they are limited in what they can use the information for, but it’s completely subjective and distracts you from the bigger picture:

LIMITATION.— The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if—

(A) the use of such information is not for a regulatory purpose; and

(B) at least one significant purpose of the use of such information is
(i) a cybersecurity purpose; or
(ii) the protection of the national security of the United States.

All they need is one bit of the entire chunk of information to be deemed a threat to national security or related to cybersecurity, and they can use that information. I presume the term “use” implies in a court of law.

Here’s the unnerving part; where does it say the government can’t keep the information if it’s not a cybersecurity threat, or if it wasn’t shared in “good faith”? It doesn’t. It just says the government can’t use it. But again, what does “use” mean in this context? If they can’t use it in a court of law, can they use it for other things? Can they use the information to see what people are buying? To see where people are going? To see how people are voting? To see what people are eating? To see what people are listening to? It appears so, and they aren’t even trying to hide it in the bill with ambiguous language.

This next section should really sound the alarm bells. As the CISPA bill states, the Federal Government cannot force any company to provide this information. You might think, what’s wrong with that? I don’t want any company forced to share potentially private information.

ANTI-TASKING RESTRICTION.— Nothing in this section shall be construed to permit the Federal Government to—

(A) require a private-sector entity to share information with the Federal Government; or

(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.

This is the 4th Amendment circumvention. The government is not illegally seizing information directly from you. They are not retrieving data from your home computer or off any system that belongs to you. It’s being given to them by a service you use. Remember, companies sharing this information cannot be prosecuted under CISPA.

Let me ask you this: How do you think the Federal Government is going to persuade these private companies into sharing their information? After all, why would any company spend millions of their own dollars to hire personnel to buy and set up the servers, infrastructure, code, and network links to push the data from their data centers to the Federal Government? They aren’t going to do it for free, that’s for sure. And I seriously doubt they are going to burn millions of CDs and DVDs and snail mail them to the government (or maybe this is the new plan to save the Postal Service?). I suspect the Federal government will pay them. Could you imagine the revenue stream and profits that would be generated if these companies were to sell your information to the Federal Government? Could this be why over 800+ companies support this bill? Look at the names on this list. How is Campbell Soup Company a cyber threat? What about DirecTV? Wal-mart? Dolby? Current TV? Gospel Music Channel? Seriously?

And that brings up an interesting thought. Why would a company endorse this bill, let alone 800+ companies? Are they trying to persuade public opinion into thinking this bill is good for us? Do you really think these companies are looking out for your safety and want to protect you from cybersecurity threats? Trust me, they are not looking out for your best interests. They want something in return. They want money, and if the government gives them immunity from the law, what more could they ask for?

Here’s the section of the bill that speaks about punishment for wrongful use of the information:

IN GENERAL.— If a department or agency of the Federal Government intentionally or willfully violates subsection (b)(3)(C) or subsection (c) with respect to the disclosure, use, or protection of voluntarily shared cyber threat information shared under this section, the United States shall be liable to a person adversely affected by such violation in an amount equal to the sum of—

(A) the actual damages sustained by the person as a result of the violation or $1,000, whichever is greater;

That $1,000 dollar fine is a distraction and is nothing more than chump change to the Federal Government. It has no bite. Had they made it a million dollars, then maybe they’d be more concerned over the misuse of this information. But the fact of the matter is, they don’t want to punish themselves too harshly for misusing this information.

Concerns

My concerns are as follows. No company is going to design, build and man the infrastructure required to transmit data from their data centers to the Federal Government for free. This costs a lot of money, time and resources. The only way that’s going to happen is if the companies sell their data to the Federal Government for profit. The CISPA bill creates a revenue stream for the big companies, who will be eager to sell the data, especially when they have complete unambiguous immunity from the law.

Why else would Google, Microsoft (Bing), Symantec, Verizon, AT&T, Aetna, Campbell Soup Company, Chevron, Comcast, Grainger, Hertz, Mastercard, Visa, QVC and a ton of other companies be on-board with supporting this bill? Selling data they already have would be a huge revenue stream and make them some big money, especially when the Federal Government is their customer. Why would all those companies be against SOPA and PIPA, but flip a complete 180 and support CISPA? It would appear they sold out their principles to the Federal Government for money. Here’s the list of supporters again … 800+ and growing.

Nowhere does the CISPA bill define what “data” is, but rather they use the far more generic term cybersecurity (I didn’t think you could get more generic than “data” but this bill has convinced me otherwise). It could be emails, text messages, search engine queries, downloaded data, VoIP traffic, any and all TCP/UDP traffic (geeky network talk), cell phone conversations (yes, that is considered “data” because it is digital and traverses networks), Facebook, MySpace, online purchases, and lots more. It’s basically anything and everything that is stored on a computer or transmitted over a network device.

This bill is aimed at gathering private and personal data. Period. There is no question the bill provides legal immunity for all companies that share the information with each other and the Federal Government. In effect, the Federal Government will have annexed all private sector proprietary data and in large part have bypassed the 4th Amendment if CISPA passes. The entire technological world (all 800+ companies and growing) is now an extension of the Federal Government, and will most likely be paid with taxpayer money to relinquish all there is to know about you to the Federal Government.

Do we really need to give up our privacy in the name of cybersecurity? I think not.

Real World Example

Let’s examine what kind of information they are talking about …

Your computer, router or smart-phone is assigned an IP address by your internet service or data plan provider (Qwest, Comcast, AT&T … all on the list). That IP address is tied to a MAC address of your router or computer (a MAC address is unique for all network devices on the planet). Your internet provider knows your home or work mailing address because that MAC address is tied to a port on one of their thousands of routers and switches which has wires or fiber optic cabling directly connected to your home.

… your ISP sells that IP/MAC address data to the Federal Government …

While on your computer, you search Google, Bing or YouTube (all on the list) for the term “Occupy Wall Street”, “buy hand gun”, “airplane crash”, “tea party”, or any other term. Google, Bing and YouTube can track what IP address was used for that query.

… Google and Bing sell that search engine data to the Federal Government …

You log into Facebook or MySpace (both on the list) and post your dislike of the Tea Party or Occupy Wall Street Movement. You talk about how upset you are with the president, or how much you dislike President Bush. How depressed you are. How much you hate your schoolmates for picking on you. So much so, that you could just kill them. Not only is your name attached to that post, but so is your IP address.

… Facebook and MySpace sell that data to the Federal Government …

You send private email using Gmail, Yahoo mail, CenturyLink, Qwest, MSN, or any email service provider. That email is stored on servers. Maybe you’re talking about the medical procedure you’re about to have and how your insurance company is going to cover it (Aetna, Tenet Healthcare Corp, Cardinal Health, Kindred Healthcare, UnitedHealth Group, Universal Health Services and a lot more are all on the list of 800+ companies who support CISPA).

… those healthcare providers and email service companies sell that information to the Federal Government …

You talk on your AT&T, Sprint or Verizon cell phone (all are on the list), or send text messages back and forth about what you’re up to. Maybe you’re heading to the local mall, the gun store, or you’re on your way to protest the CISPA bill, the Occupy Wall Street movement, or the Tea Party, or anything at all. Maybe you’re chatting about what time you are going to school to confront that person you dislike. How you are about to go to your job, which you hate. How you’re heading to a mosque for prayer. Or that you’re on your way to church.

… AT&T and Verizon sell that information to the Federal Government …

As you hop into your car, you realize you need gas. You pull over and use your American Express, Visa, Mastercard or Discover Card to fill up your tank (all are on the list). Maybe you run some other errands at the same time, buy some fertilizer at Home Depot for your lawn, maybe you go to the local gun store and buy some ammunition. Maybe you buy some extra food at the grocery store.

… all those financial institutions sell that information to the Federal Government …

As you are driving around town, there are traffic and commercial security cameras pointing everywhere, taking video of you, who you’re with, what car you are driving and when … 24 hours a day, 7 days a week.

… any of those private companies can sell that data to the Federal Government …

And that’s only scratching the surface. Look at the companies who support this bill! Do you buy or interact with them in any way shape or form for any reason!?

You might say, they aren’t allowed to use that information because it doesn’t pose a cybersecurity threat or endanger national security. You are right. But the CISPA bill doesn’t say they can’t keep it, even if it was not transmitted in “good faith”. Remember, there is diplomatic immunity for all those who share the data.

The Federal government can build an immense database on your behaviors, who you talk to, what you are saying, what you are texting, what you buy, what you eat, your political affiliations, your behaviors, your spending habits, your health status, your financial status. They can profile you into any demographic they want for any reason. If they wrongfully use that data, no one will know. If someone does blow the whistle, they may get a $1,000 fine. Big deal.

Where will this data be stored? Look what the NSA is building in the Utah desert.

Conclusion

Ben Franklin was right: Those who trade liberty for security have neither. Nothing good can come of this Bill. It’s downright scary. Worse than SOPA or PIPA, because this Bill collects and archives your personal health, financial and consumption trends.

UPDATE: Now that the cat is out of the bag, major companies are rescinding their support of this bill. They haven’t outright said they don’t support it, but they are scared. The backlash is being felt. Don’t be fooled, though. They may try a slow back-pedal by stating they have no intention of sending the information to the Federal Government. But there is a huge difference between an “intention” now, and what happens in the future. We need an outright non-support statement like we got with SOPA and PIPA.
