Yet again, there is now an entirely new bill that threatens our experience on the net.
It's called the Cyber Intelligence Sharing and Protection Act. The SOPA-like bill would give companies the power to collect information on their subscribers and hand it over to the government and all they have to do is request it. And considering that the lobbyists who push for these bills are paid by greedy Hollywood sleazeballs, even uploading a copyrighted song that has entered public domain would be taken out of context and seen as infringement.
Sorry, but we are expecting politicians, who take money from lobbyists and do their bidding because they don't want their allowance taken away, to actually do something that isn't overreaching.
If we beat this back again, it will just come back. At some point, something will give. Either the citizens who state their opposition to this will be labeled as either terrorist, anarchist, thief, or some other derogatory term, or the government will finally, after seeing they can't get it past "WE THE PEOPLE", just enact it without telling anyone and hope no one notices.
The truth of the matter is they're never going to get the picture until a united people stand together in saying "We're not gonna take it". They will simply continue to erode away at our freedom until either it is gone or the people realize that the Constitution is We the People of the United States of America granting authority to a government with constitutional limits to protect its constituents from that very government overstepping its authority. Any government has as much power as their people allow them to take. I'm not saying "take up arms" or "start another civil war". I'm saying people need to wake up and quit voting for old Washington bureaucrats whose priorities are bending over backwards to accommodate business moguls and special interest groups or pushing some sort of personal unconstitutional agenda *cough* ObamaCare *cough*. The change will never come from Washington. It must come from the people. Our government is broken at every level. In my opinion, the change must start locally with each city, township, and county or parish. I realize those people will be persecuted publicly by the government as "AstroTurf" (thank you Nancy Pelosi) or labelled terrorists but this sort of McCarthyism should not be tolerated at all. Anyways, I'm gonna quit rambling now. I think that is enough for one post. :)
Well, I think it's about high time that we start creating solutions for this whole piracy thing. Something that goes after the real pirates and protects the kids who were just using intellectual material for non-profit purposes.
Perhaps a bill that states that every video-sharing website online must have a copyright team that handles issues of potential copyright infringement. It would allow websites to enforce copyright law w/o federal involvement, and protect online users from facing a prison sentence because some copyright company freaked out that a 30 second clip from a movie or video game got uploaded without their permission.
Yeah, but in this case, they would have to debate whether the user has uploaded content for purposes of online piracy, or if they just used a small clip to create original content.
Most websites don't have to enforce the Safe Harbor provision of the DMCA. In this case, this proposed department would have to debate whether the uploaded content and the user should be granted the Safe Harbor provision.
YouTube enforces the Safe Harbor provision, but a lot of other video-sharing sites don't.
OK, I wrote this for elsewhere. I've been following the cybersecurity debate in the Senate for a while, through a few channels, and wanted to write a summary of what's going on without the hysteria and with as many details left in as I possibly could. This is long. I'm splitting posts as much as makes sense.
The House acting on this was largely not expected which is why the administration came out hard and fast with a veto threat here. There has been extensive work and debate in the Senate over cybersecurity legislation, which is likely to be ongoing and shape the eventual bill. What happens next really depends on that Senate debate.
There are two main sections to the cybersecurity proposals. Information sharing and infrastructure regulation.
Information sharing. This is where all the attention is being paid. The problem being addressed is that of companies knowing things that they can't legally tell others but which might be of significant value to law enforcement or others charged with protecting or maintaining critical infrastructure.
The proposal is to provide immunity from other laws for sharing information that falls into a certain set of categories, which then may only be used for a certain set of purposes. All of the problems come from what these categories and purposes should be and how to define them. Ignoring the House bill, because that's already passed, there are two perspectives in the Senate. The Republican view, headed by McCain, and the 'Democratic' proposal, headed by Lieberman.
In this there are three components. What information can be shared. Who it can be shared with. What it can be used for.
A) What information can be shared; Both bills define the categories of information that can be shared by making extensive lists of ways that cyber intrusions could be conducted and then defining any information relating to these as shareable. This is actually a narrow approach to the problem; previous proposals have used far broader terms as ways to catch all possible threats rather than listing the acceptable, actionable ones. It's even arguable that this limits the value of the bill by potentially excluding new threats. On the flip side, both also make information 'indicative of a threat' shareable. That makes things pretty broad again. The Republican bill then has a further broadening factor of 'network activity' indicative of 'malicious activity', which is left undefined. That part is scary.
The Democratic side has an additional provision that any such information must have been (or rather reasonable efforts made) scrubbed of personal information unrelated to the threat prior to sharing, otherwise the immunity doesn't apply. This is missing from the Republican proposal.
As a side note, the House bill passed takes a very broad approach to defining the information to be shared. VERY broad. There were some amendments passed late in the process supposed to add privacy protections and others supposed to both narrow (removing IP theft) and broaden (not clear on this) the types of information to be shared. I haven't read these or solid analysis of them yet so won't comment.
B) Who it can be shared with; This is almost the biggest fight in the Senate.
The Democratic bill gives the DHS authority to authorise a lead "Federal information sharing center". It may also authorise other sharing centres in both the public and private sector. It seems very likely this would lead to the DHS being the lead centre, although it's arguably undermanned and not optimal for this role. Broadly speaking this is the civilian option, keeping the DHS as the primary actor. The exact shape of this option is down to the DHS Secretary, and that's a presidential appointment (right now, Janet Napolitano). A future administration could easily shift control over to another body.
This sharing centre is then a hub for such information. They receive any information and determine what bodies (including other private companies) it should be shared with.
The Republican bill takes a somewhat different approach. It makes a list of many Federal bodies that are then permitted to act as sharing centres in the same manner as the Democratic bill. These include the NSA and other military bodies, as well as the FBI, Commerce and other groups that address a far wider spectrum of criminal activity than the DHS. There is then a requirement that the other federal bodies share their information in turn with the NSA. This is based on the view that the NSA is the best prepared body to confront such threats and that the military should have point on cybersecurity issues.
Both bills also allow for direct company-to-company sharing, bypassing the sharing centres. The Democratic bill only allows information to be shared with companies that directly manage critical infrastructure, or if simultaneously shared with a sharing centre. The Republican bill lacks these restrictions.
The Republican bill has an extra provision that requires any federal contractor to disclose any cyber security information that may relate to that contract.
C) What can the information be used for; When it comes to private companies using the information the Democratic bill is narrower than the Republican.
In the Democratic proposal information shared between private companies may only be used to protect from cyber threats (as defined). They explicitly may not use such information to gain a commercial or competitive advantage. In addition to these two blanket restrictions the organisation sharing the information may add whatever additional restrictions they see fit to how the information may be used.
The Republican bill lacks the first provision, so the only restrictions on use are that it may not be to a competitive advantage and whatever the sharing party decides to add. This makes for potentially broad uses of information shared using the already more lenient private-to-private sharing provisions.
For federal/law enforcement use it's not a fun story.
The Democratic bill allows information held by sharing centres to share any information "that appears to relate to a crime", committed or planned, with any law enforcement agency concerned with that crime. This is extremely broad.
The Republican bill has an apparent limiter on its version of this provision; it only allows information to be shared if the crime being discussed is one where a wiretap order may be sought. Not that such an order needs to be sought, just that such an order could be under the relevant law. In reality this is an extensive list and barely narrower than the Democratic rule. It then has an additional allowance for non-cyber 'national security' purposes.
I'd again note that this is where the House bill is fucking awful. The only restriction I'm aware of on the use of information on the Federal side is 'regulatory purpose'. That's it.
So what needs doing here? I'd say you could scrap this whole section, but enough people in government do believe there is a need and we are likely to see something passed eventually. Personally, if this were to be passed, I'd want the Democratic bill with three major changes.
- Add a liability clause and strong enforcement of restrictions. That is, where information is either shared or used outside the narrow authorised definitions there should be a cause for private action against the sharing entity. In many cases such sharing will be actionable under existing law, but I'd want to toughen that up. I'd also like to see the sharing centres policing such violations actively, informing individuals if their rights are violated in such a manner.
- Remove the law enforcement sharing provision (and certainly the Republican 'national security' one). This is literally warrantless wiretapping, as tacitly admitted in the McCain bill when they restrict the crimes to those that may be wiretapped. Frankly, any communications that are actionable by law enforcement should be intercepted and acted on by existing provisions and laws, not through this system designed for a narrow purpose. I'm mostly OK with this law so long as it's used to cover cybersecurity holes. Once it's used to chase and track individual action it becomes a fourth amendment violation.
- I'd want the sole sharing centre to be defined as within the DHS, with an additional budget to ensure it is brought up to scratch. I'm uncomfortable giving this sort of work to the military or an agency with its primary role in other areas (such as Commerce or the FBI).
On top of these three major changes I'd also want some elements of the language tightened. Remove the 'indicative of a threat' provisions and require only the minimum of information required to describe a threat to be shared. Tighten up the restrictions on sharing private data to ensure no to minimal identifying information can be shared and that that shared can't be acted on. Etc.
I've been narrow here and only addressed the issues of the two Senate bills. There are additional questions that could be addressed, such as international cooperation. I'm not interested in that right now.
Regulation. This is the administration's (and Democratic bill's) priority. Needless to say this half was entirely missing from the House Republicans' bill (the one that passed). The veto threat was based partially on the lack of privacy protections and partially on the lack of regulation.
Similarly, McCain's Republican bill in the Senate originally lacked regulatory provisions. I don't believe this is likely to change. This suggests to me that Senate Republicans are likely to stand strong against regulation and that any regulatory language is unlikely to pass, even if an agreement could be reached on information sharing. That alone could be enough for an Obama veto, especially if civil liberties groups can't be brought on board with the sharing language.
In any case, there are such regulatory provisions in the Democratic bill so I'll give them a quick summary. Or as quick as you can be with such language without entirely missing the purpose.
The bill covers cyber infrastructure that could cause "catastrophic interruption of life-sustaining services", "catastrophic economic damage" or "severe degradation of national security capabilities" if disrupted. The actual designation will be left to the DHS Secretary, first by determining what sectors these might apply to and then determining what would qualify as critical systems within that sector. At this point actual systems could be designated as such. The owners may then sue in federal court to have such a designation removed. This may be over their qualification as critical infrastructure or to determine their status as a "commercial IT product" due to an exception for such in the bill. That exception seems strange to me and I'm not 100% sure I understand it.
In addition any infrastructure already regulated under another federal agency won't be covered by this bill. An additional exemption is made for an organisation that has already taken the necessary voluntary steps to protect its infrastructure. This latter one basically means that if you meet the new standards they don't apply, which is odd.
Any remaining covered infrastructure will be required to meet new federal standards, again to be determined by the DHS Secretary through consultation with the private sector.
This is all incredibly vague, which is probably a good thing. If Congress were writing these rules they would likely be out of date before they could be passed. The DHS might not be the most nimble organisation on the planet, but at least there, there can be an appropriate ongoing process of review and refinement with feedback from private and public bodies.
Actual enforcement of these standards looks reasonable if on the weak side. Annual self-certification is likely to be the standard, although third party certification is an option (not that third party review bodies exist). Penalties and enforcement process are to be determined by the DHS.
One massive problem with all this is that it's slow. Arguably companies could delay any such regulations for up to a decade. Even if the DHS could keep relatively up-to-date standards and have realistic provisions to improve infrastructure security it seems likely that legal and judicial review, combined with other limiting factors, will greatly reduce the efficiency of any such regulations. It's entirely possible that this is simply an area that can't be made more secure by any level of government regulation.
In short, cybersecurity might be simply impossible, and any attempts to improve it through regulation are doomed to failure before they start.
I'm kinda attracted to the idea of minimum standards for important IT infrastructure, even if I'm not entirely sold on the security need side of things or the likelihood of real strides in improved security being made. Unless they are willing to scrap all current Windows systems running critical infrastructure that is...
So I'm almost entirely agnostic on this side of the bill. There isn't anything I think is bad, I'm just not convinced there is a strong enough indication it's either needed or likely enough to work to justify the fight that Republicans will undoubtedly put up.
My summary; The information sharing provisions are worrying even in their best form (Lieberman's Senate Democrat bill), primarily by creating effective warrantless wiretapping by sharing information with law enforcement agencies but with lesser problems in other areas. Most of this could be fixed with further input from civil liberties groups to pose a minimal risk to privacy, potentially, but I'm doubtful it will go as far as I'd like to see. The need for them is (IMO) fairly low, but they are the most likely way that Congress will try to address cybersecurity and so I'd be willing to buy into them with strident protections. I'd also argue that certain areas (again, the law enforcement sharing) would be fourth amendment violations and actionable in federal court, so might not last that long if actually passed and used.
The regulatory provisions are an interesting and attractive idea to me, but unlikely to do all that much and of debatable value. The Republicans aren't going to allow this anyway, either in the Senate or House.
Looking at the politics of this, Obama seems to want the regulations badly enough to play chicken with the whole bill. This could potentially be a negotiating tool to get a minimally damaging (from a civil liberties point of view) version of the information sharing provisions passed. I don't doubt that the administration wants some form of cybersecurity power. Arguably they have some form already, but all previous references I'm aware of are in military authorisation legislation, and Obama wants this to be civilian (as do I).
My view; Either massive improvements to the information sharing language are made or the whole thing should be dumped. Better to have an extended debate on regulation after the elections on the merits than a fist fight over civil liberties during the election season. Although it looks like we are going to get both.
For Americans, we're more afraid that this bill would be a sort of "gateway act", encouraging more legislation that would violate privacy and essential rights as listed under the United States Constitution.
Plus, there's a quote that one of the founding fathers of the United States once said that simplifies our rejection of this sort of legislature:
"...he whom would trade his liberty for security deserves neither..." - Benjamin Franklin
OK, is the guy who doesn't live in the US the only guy who pays attention to how the constitution works?
Legislation like this can't violate constitutional rights. If (and I believe it is possible) a component of the bill violates the fourth amendment then that component can (and likely will) be struck down by the courts.
Further, because of the way the legislature works, it's this Senate debate that people need to pay attention to. Understanding the bills and political positions and debate around them is vital to actually understand both what might happen and how to change that. Political lobbying, even online petitions and emails to your Senators, carry a lot more weight if it actually addresses the real legislation and the real issues as the legislators see it. Firing off what is effectively spam or a narrowly written petition that gets details wrong is utterly ineffective.
My problem with all this is people comparing this bill to SOPA when it is absolutely nothing like it (although IMO few people bothered trying to understand SOPA, which was largely technically infeasible from the start). Only one small component even comes close to mentioning intellectual property, and that was in one version of the four proposals and was eventually removed. A second provision is technically broader and a bigger reason to worry, but people online have laser focus on IP law and piracy and the worry that copyright law might actually start being enforced. It's getting depressing just how uninterested people are in what legislation actually does.
Then what of the programs that would be used if this bill is passed?
Even if this bill is worded in a way that it's not a violation of the constitution, the bill would require computer programs in order to execute what they are purposing. Such software would be an extremely powerful tool in the arsenal of any intelligence agency.
However, as history has shown, no website or system on earth is safe from the malicious intent of online hackers. It's only a matter of time before a hacker (or group) figures out how to access such systems and use it to steal sensitive information. And it wouldn't be just small time hackers planning for a big score. Other governments would love the chance to steal critical information from the US using a program that was designed by the US for its own cybersecurity.
Now, if they're smart, it will probably be several different programs that all monitor different sectors of online activity. But it would only be a matter of time before someone figured out which one to go after, and how to accomplish it.
the bill would require computer programs in order to execute what they are purposing
At the core of what they are proposing, in the information sharing section, is only an exemption from data protection laws for certain shared information.
That is, I'm running a company. I come across information that someone is running a botnet or similar, targeting another company that runs a very important set of servers. I want to share that information to prevent the attack.
The problem is I can't, at least not legally. I could maybe report it to the police, but they might not be equipped or authorised to deal with such attacks, and probably couldn't release the information to the other company before the attack takes place. Such private information is usually held by companies in stewardship for their users, so sharing it is a violation of the laws protecting those users' rights.
These bills are designed, primarily, to make such information sharing exempt from such laws, within circumstances described by the bills themselves. How narrow or broad those circumstances are, how well they protect individual privacy or abide by the Constitution, that depends on which text you are talking about. And that's where losing sight of the nuance loses you the argument.
Read back the first two posts of that dump above. See what exactly the proposals are about and how they are supposed to work. Then try to find the actual problems. I kinda highlighted a few of them, but I'm sure looking at the House bill or the Senate texts and discussions themselves you could find others.