It’s a Threat!

It’s been a bad week for anyone who pays attention to security.

Remember CISPA, the bill that would have allowed companies to share pretty much any customer information with the government and each other in the name of “cybersecurity”? CISPA passed in the House, but never made it out of the Senate. Of course, no bad bill ever really dies, and this year’s zombie version zipped through the House with little opposition. In late October, the Senate passed their own version, known as CISA (Cybersecurity Information Sharing Act).

Late last week, Infoworld reported that assorted Congress critters have been meeting to reconcile the House’s CISPA and the Senate’s CISA, and potentially merge them with two other related bills, PCNA (Protecting Cyber Networks Act) and NCPAA (National Cybersecurity Protection Advancement Act).

Is anyone surprised that the changes being discussed relate to removing what few privacy protection measures the bills included? Or that the combined bill would potentially make the NSA–yes, the same NSA whose charter is to spy on potential threats outside the United States–into the lead agency to manage the sharing of information?

Well, this week it got even better. “Better” for anyone who wants to give the NSA more authority to monitor Americans inside the U.S., that is. Worse for anyone who honestly believes they have a right to privacy. The new and “improved” version of CISA, stripped of those weak privacy protections, was–according to Engadget–included in the budget bill introduced Tuesday.

Yes, the budget bill that has to be passed in order to avoid another government shutdown like the one we had in October of 2013. The one that must be passed so quickly nobody’s going to have time to read all 2,000 pages, much less understand their implications.


Meanwhile, the Federal Aviation Administration has released its regulations regarding drone registrations. All drones, even those purchased before the rules go into effect on Monday, must be registered. Failure to do so leaves the owner liable for civil fines of $27,500 and criminal penalties as high as $250,000.

Registering a drone will cost you. There’s a charge of $5, and you’ll need to re-register every three years. And yes, the FAA will be taking your credit card information in order to charge you. So, not only will they have your name, address, and other personal information, they’ll have your card information. Shall we start a pool on how long it’ll take for someone to hack the database and start selling the information?

For the record, a “drone” is defined as an unmanned aircraft weighing more than 0.55 pounds but less than 55 pounds, controlled remotely (which exempts paper airplanes* and Frisbees), and operated outdoors. So, if you’re planning to smuggle a remote-controlled airplane into the next basketball game you attend, you don’t need to register it, but you will if you’re going to a football game (no roof on most football stadiums, so they’d be “outdoors” by definition).

* The PowerUp gadget that lets you remote-control a paper airplane with your smartphone is, fortunately, well under the 250 gram lower weight limit. A typical paper airplane with a PowerUp attached will weigh less than 15 grams.

And then there’s the latest example of what security guru Bruce Schneier calls “CYA security”: doing something in the face of a threat so nobody can accuse you of taking any risks.

Tuesday, every school–more than 900–in Los Angeles was closed. Why? Because of a bomb threat. According to an anonymous e-mail, a coordinated attack would be made against every school in the city with bombs, assault rifles, and nerve gas.

Never mind the fact that such an attack would take far more than the thirty-two people the message claimed would be involved. Forget that the letter failed to capitalize “Allah”–a mistake no Islamic extremist would ever make. Disregard the recent episodes of the TV show Homeland which involved an extremely similar threat.

Far better to cancel school for 600,000 students and spend thousands of dollars searching every single school for explosive devices than to allow any perception that the school district is taking chances with the lives of children. Remember, there are elections coming up. (There are always elections coming up.)

At least administrators in New York, who received an identical e-mail, recognized it as a hoax. Maybe the LA school district was swayed by their proximity to Hollywood, where any threat is a credible one.


This is just tacky. Inevitable, but tacky nonetheless.

Mike McCaul, a Republican congressman from Texas, is using the Boston Marathon bombing as an argument for passing the CISPA bill currently pending in Congress. Said McCaul: “I think if anything, the recent events in Boston demonstrate, that we have to come together to get this done in name. In the case of Boston, they were real bombs. In this case they’re digital bombs. These bombs are on their way. That’s why this legislation is so urgent. For if we don’t and those digital bombs land and attack the United States, and Congress failed to act, then Congress has that on his hands.”

The CISPA legislation would allow companies to share any information – including customers’ personal details and private emails – with “any other entity” if there is some relationship to “cybersecurity”. I’m not a lawyer, but as I read the proposed wording, this would allow any company that provides cybersecurity to itself to send customer data not only to the government but to any other company that provides cybersecurity to itself.

Again, as I read it, it’s so broadly written that encrypting customers’ passwords on their website could be construed as providing cybersecurity, and mistyping a password could be interpreted as a hacking attempt (a “cyberthreat”). So under this legislation, I could see, say, Microsoft sending a list of customers who had failed logins (including all known information – names, addresses, income, SSN, and so on) to a marketing affiliate with a cover along the lines of “The following individuals may have been the subject of a cyberthreat. Please be on the alert for further attempts to access their information.”

Think I’m being alarmist? Note that the bill includes language (“Notwithstanding any other provision of law”) which many advocacy groups believe would protect companies from any violation of laws protecting privacy rights or even their own privacy policies. Note also that the Computer Fraud and Abuse Act (intended to be used against malicious hackers) was used to prosecute a woman last year for setting up a fake MySpace profile as part of an online harassment campaign. Even better, according to the ACLU, amendments supposedly made to improve privacy actually decrease it by adding library and tax information to the category of information that can be collected and shared.

Even more delightful: if the company sends your information to anyone, you’ll never know – the company is under no obligation to tell you that your information is being shared, and even in the case where the information is sent to a government agency, that agency will notify the company about the validity of the alleged threat, but not you.

Note that CISPA was passed by the House last year and died in the Senate. A package of amendments to add some protections (including limitations on police ability to request information without a warrant and confirmation that privacy policies can be legally enforced) was rejected by the House Rules committee Tuesday.

So, coming back to McCaul’s tactic. He’s saying that you have no right to privacy because you might be a bomber, a hacker, or a liar and that it’s not only the government’s responsibility to monitor everything you say or do online in case you decide to tell a lie, but it’s also the responsibility of every company you do business with to do the same.

The really depressing thing is that tacky or overblown, it appears that McCaul’s tactic worked. Today’s vote on CISPA in the House passed by a larger margin than it did last year.

President Obama threatened to veto the bill if it gets to him, but a promise isn’t worth much in the face of appearing soft on terrorism. The bill goes on to the Senate now. Contact your senators now and let them know that you oppose CISPA’s sharing of your personal information.