Stop the Secrecy

EFF: New Cybersecurity Proposal Patches Serious Privacy Vulnerabilities

Sat, 07/21/2012

The last time we checked in with the controversial CISPA Bill, it had been rushed through a vote in the US House of Representatives and passed. The implications of CISPA included a broad definition of the data that could be shared with government, liberal authority to use personal information, and warrantless invasions of privacy. Just a few days ago, our coalition partners at @EFF shared new revisions to CISPA that heed our calls for greater Internet openness and address these privacy vulnerabilities.

From the Electronic Frontier Foundation:

For months, we’ve been raising the alarm about the serious civil liberties implications of the cybersecurity bills making their way through the Senate. Hours ago, we received some good news. A new bill called the Cybersecurity Act of 2012 (S 3414) is replacing the prior Lieberman-Collins Cybersecurity Act (S 2150). This new bill drastically improves upon the previous bill by addressing the most glaring privacy concerns. This is huge, and it’s thanks to the outcry of Internet users like you worried about their online privacy. Check out the new bill (PDF).

Make no mistake—we remain unpersuaded that any of the proposed cybersecurity measures are necessary and we still have concerns about certain sections of the bill, especially the sections on monitoring and countermeasures. But this was a big step in the direction of protecting online rights, and we wouldn’t be here without the support of Internet users contacting Congress in droves.

Here’s what you need to know about the new privacy-protective package. Major new privacy protections added to the bill:

  • Ensuring that only civilian agencies—not the National Security Agency—are in charge of our nation’s cybersecurity systems. Let’s face it, we don’t want the agency that’s been spearheading the illegal warrantless wiretapping program for over 11 years to be charged with protecting citizens’ privacy interests in the realm of cybersecurity.

  • Ensuring data isn’t shared with law enforcement except in very specific, limited circumstances. Language in the first Lieberman-Collins Cybersecurity Act would have allowed data collected under cybersecurity purposes to be passed to law enforcement if there was evidence of criminal activity. This raised major concerns about our online service providers snooping through our communications for potentially incriminating data and passing it to the government without a warrant—a digital Big Brother. The new language of the bill limits data flowing to the government to information which appears to pertain to 1. A cybersecurity crime investigation; 2. An imminent threat of death or serious bodily harm; and 3. A serious threat to minors, like sexual exploitation and threats to physical safety.

  • Ensuring that data collected through cybersecurity programs can’t be used to prosecute other, unrelated crimes. The early version of the bill would have allowed data collected through cybersecurity programs to prosecute any crime—like copyright infringement or immigration status or drug usage. Now, the only crimes that can be prosecuted using data collected through S 3414 are violations of state or federal laws relating to computer crimes.

  • Carve-outs for free speech and terms of service violations. The new privacy package makes it clear that Constitutionally-protected free speech and terms of service violations won’t constitute a “cybersecurity threat.”

There is also some language about net neutrality intended to ensure that nothing in the bill can be construed as granting new authority to engage in non-neutral behavior.

Of course, the bill has its shortcomings. The most significant problem remaining has to do with the language around monitoring and countermeasures. Currently, the bill specifically authorizes companies to use cybersecurity as an excuse for engaging in nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets). We’ve argued that this language is overly broad and could be interpreted by an overzealous ISP to let them block privacy-protective technologies like Tor. When the bill goes to the floor next week, we’re going to be throwing our weight behind amendments to address these ongoing flaws.

Let's ensure that when parliament resumes in Canada, they in turn listen to their own concerned constituents and help Stop Online Spying.