Granick on CISPA’s Deficiencies (With Some of My Own Comments)

By guest-blogger Jennifer Granick (with comments from Eric)

[Eric’s introduction: Some guest visitors to the blog need no introduction, and that surely describes Jennifer Granick (her Wikipedia page). She’s cast huge shadows over cyberlaw in her various stints, including being a leading criminal defense attorney for technology crimes, an EFF attorney and director of Stanford’s Cyberlaw Clinic. I’m so glad Jennifer was willing to share her unique perspective on CISPA. I have some remarks after hers. Jennifer has also posted a supplemental line-by-line commentary of CISPA.]

The Cyber Intelligence Sharing and Protection Act (“CISPA”) is the latest example of a depressingly common situation in Washington DC — well-meaning legislators unfamiliar with technology try to rush through a statute about a high-profile Internet issue (here, cybersecurity). Proponents of the bill say they want to faciliate information sharing between the federal government and the private sector. What they don’t seem to understand is that existing laws already permit most kinds of cybersecurity information sharing. In their eagerness, the supporters of CISPA would undermine our existing system of accountability for sharing of private data and, by doing so, cause a number of unintended consequences that would harm both state and federal efforts to protect consumer privacy.

CISPA’s Unintended Consequences: I firmly believe sharing cybersecurity information is a public good, which is why I have made a career of representing security professionals and hacker hobbyists who want to investigate and report on vulnerabilities. But CISPA (1) fails to comprehend the ways in which existing laws allow sharing, but with accountability; (2) runs roughshod over federal and state laws protecting privacy; (3) could inadvertently immunize retaliatory hack-back security techniques; and (4) creates an “inner circle” of private entities willing to share and share alike with the government, but leaves disfavored service providers in the cybersecurity dark.

(1) Current Law Does Not Interfere With Sharing for Security Purposes: The vast majority of what security professionals consider cybersecurity information is not personally identifing or protected from sharing by any law. Attack signatures, vulnerabilities, exploits and other classic computer security data are freely shareable. For the subset of data that may identify a particular individual, existing laws allow sharing. The most relevant laws, the Wiretap Act and the Electronic Communications Privacy Act, allow a provider to collect and share data for protection of the providers’ rights or property. It is true that such sharing is subject to minor but long-standing privacy-enhancing conditions* which CISPA would simply dispose of.

[*FN: My line by line analysis of CISPA (link) highlights where in the text safeguards and dangers would be codified. I strongly oppose this legislation, but can envision a much better, streamlined, privacy respecting, bill that accomplishes the purported cybersecurity purpose.]

As for information protected by HIPAA, VPPA or FERPA, one would not ordinarily think such data is subject to CISPA disclosure and use, except that CISPA specifically calls out sensitive health, educational, firearms, library and bookstore records as the kind of information that private entities can be expected to disclose. Otherwise private information, including video rental records, book rentals, newspaper subscriptions, online reading or data protected by state consumer protection laws (like utility usage records) may freely be shared under CISPA, despite existing privacy rules and sharing safeguards.

(2) State Governments Should Oppose CISPA: States, especially California and New York, protect consumers and consumer privacy with statutes regulating the collection, use and disclosure of sensitive information. Such California laws include electronic surveillance statutes, Shine the Light notifications, Smart Meter utility data protection, the Financial Information Privacy Act, the Reader Privacy Act, Security of Personal Information Law and more. While a comprehensive review of state consumer protection rules that could be preempted by CISPA is beyond the scope of this blog post, it isn’t hard to see how California, New York and other states might have serious, perhaps fatal, reservations about CISPA as it currently stands.

(3) CISPA Could Categorically Immunize Even Reckless, Privacy Invasive or Damaging Cybersecurity “Active Defense” Techniques. The definition of cybersecurity system is broad enough to include common “active defense” techniques like remote exploit of an attacking system in order to collect data about the attack, or denial of service attacks to take the offending system offline. For more discussion of those kinds of defenses, see this article in The Atlantic. The statute then categorically immunizes good faith use of such cybersecurity systems. So entities that recklessly use active defense or “hack back” technologies to exploit, disable or destroy attacking machines, even when those machines are innocent zombies controlled and misused by the actual attacker, have no incentive to behave responsibly.

(4) The Cybersecurity One Percent: CISPA sets up a heirarchy of network and service providers. At the bottom are those owned and operated by individuals, who get nothing out of the statute. Next are those entites the government doesn’t feel like sharing with, for whatever reason–including the retaliatory motivation that the company hasn’t been forthcoming with its own cybersecurity (and customer) data. At the top are the golden firms that get preferrential treatment in the form of state-of-the-art security information. The big businesses that support CISPA probably think they are going to be in the room and get the shiny apple. But CISPA instantiates inequities that the computer security community has been managing for over twenty years, problems which inevitably arise from secretive and selective distribution of important security information. See e.g. Schneier, “Full Disclosure of Security Vulnerabilities a ‘Damned Good Idea” (Jan 2007); Microsoft Security Response Center: Announcing Coordinated Vulnerability Disclosure (July 22, 2010); National Infrastructure Advisory Counsel, Vulnerability Disclosure Framework (January 13, 2004); Andy Greenberg, Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees), Forbes, March 21, 2012. CISPA proponents neither understand nor address the complexities of acheiving the worthy goal of cybersecurity information sharing.


Comments from Eric

Many commentators have drawn parallels between CISPA and SOPA, even though they putatively address very different issues (cybersecurity and IP infringement, respectively). I’d like to unpack some of the parallels. The most obvious parallel between the two laws: who thinks up crazy shit like this? As a prize for their creative thinking, the architects of CISPA and SOPA should get a one-way ticket away from Washington DC. Two other parallels between CISPA and SOPA:

1) No use case. I never understood SOPA’s use case. Only one target was named: The Pirate Bay. However, the way it was drafted, SOPA wouldn’t have applied to The Pirate Bay. So if SOPA was intended to shut down The Pirate Bay but the statutory drafting didn’t reach that far, then the statute lacked any clear justification–and especially no payoff that would justify its multitudinous adverse collateral consequences.

Similarly, I’m not clear what problem CISPA is designed to solve. Indeed, some have said CISPA is a solution in search of a problem. If we can’t define the problem clearly and succinctly, it’s a good sign that either there’s no justification for the law, or (more likely) someone is gaming the legislative system for their own benefit.

CISPA and SOPA have another parallel on this front: we don’t understand the use case because the proponents never thought they had to justify the statute. In SOPA’s case, the copyright owners expected members of Congress to pass the law without serious questions, which almost happened. When the copyright owners have so many financially supported friends in the corridors of power, they don’t need to provide specific rationales for their requests; it’s simply enough that the copyright owners wanted it, and their patrons are expected to deliver the quid-pro-quo on demand.

CISPA may not been such a blatant case of rent-seeking, but it too was designed to proceed without opposition because it was part of an anti-cyberwar effort. For reasons that remain entirely unclear to me, many DC insiders apparently have convinced themselves that we are waging a surreptitious cyberwar that the bad guys are winning. Perhaps there really is a cyberwar raging behind the scenes, but evidence of a cyberwar sure hasn’t leaked outside the DC insider community. This makes me wonder if maybe there’s a little too much paranoia running around in DC. Or, maybe there’s rent-seeking behind the efforts to hype the cyberwar threat?

Worse, to the extent CISPA is an anti-cyberwar effort, it is poorly designed for that effort. At minimum, its definitions are way too broad to address just cyberwar concerns. One of my biggest objections to CISPA is that it defines cybersecurity issues to include ordinary Internet activities such as competitive scraping and sharing of copyrighted materials. The broad sweep of the bill only reinforces the lack of a clear use case about the problem it’s trying to solve.

2) Hack of the Internet’s infrastructure. SOPA attacked the Internet’s basic infrastructure. Putting aside the poorly conceived domain name cutoff provisions that would have undermined the DNS’s stability, SOPA was designed to deputize intermediaries to resolve problems they had little financial incentive to handle carefully. The result would be a massive circumscribing of socially legitimate behavior by intermediaries asked to intervene in problems they didn’t care about.

In a different way, CISPA also hacks up the Internet’s infrastructure. Over the decades, we have developed a delicate system of checks and balances on the government’s ability to monitor its citizens’ behavior. CISPA would completely gut that system, giving the government virtually any online information it wanted whenever it wanted it without meaningful restrictions on the government’s ability to misuse the information. Thus, CISPA engages in the worst kind of Internet exceptionalism by turning the Internet into an all-you-can-eat smorgasbord buffet of information for ever-curious government officials, while presumably a more robust checks-and-balance system would still be in place offline. Making the Internet worse is not what we as Internet users want!

The resulting public outcry against SOPA and CISPA demonstrates that. The public at large does not want technologically clueless members of Congress messing up the Internet’s infrastructure for uncertain/unclear payoffs. We give a lot of deference to Congress to screw things up, but when it comes to wrecking the Internet, THAT’S worth fighting against.