Sunday, April 21, 2013

CISPA passes U.S. House: Death of the Fourth Amendment?

Summary: The controversial cybersecurity Bill has passed the U.S. House and is now on its way to the Senate chamber. Privacy groups believe this tramples on the Fourth Amendment.
The controversial Cyber Intelligence Sharing and Protection Act (CISPA) just passed the U.S. House, and will now head to the upper Senate chamber for further deliberation.
Rinse and repeat. This isn't the first time that this has happened, but it still poses a major threat to Fourth Amendment rights, according to civil liberties campaigners.
capdometwi7610x430-620x366-620x366
CISPA's passing will lead to a second round of debate and amendments in the U.S. Senate, which a year ago the same Bill stalled in favor of the upper house's own draft cybersecurity legislation. (Image: CNET)
The Bill was passed 288-127 in favor of the Bill after two days of debate and discussion on the House floor. Only 18 members of the House abstained from the vote.
CISPA will allow private sector firms to search personal and sensitive user data of ordinary U.S. residents to identify "threat information," which can then be shared with other opt-in firms and the U.S. government — without the need for a court-ordered warrant.
This means a company like Facebook, Twitter, Google, or any other technology or telecoms company, including your cell service provider, would be legally able to hand over vast amounts of data to the U.S. government and its law enforcement — for whatever purpose it deems necessary — and face no legal reprisals.
And despite numerous amendments and changes, there are no requirements that personal data, such as health records or banking information, should be anonymized before sharing it with the government.
It's hoped that the data can be used in real time to stop cyberattacks in their tracks, or even trace back to the source of the attack. Because cyberattacks nowadays as weapons in the virtual battlefield could lead to all-out war.
The Bill will also amend the National Security Act to allow U.S. intelligence services to hand over classified information to entities and people that do not have security clearance. The idea is that this will be used in order to help companies fight back against and prevent cyberattacks on their systems in the future.
A great deal of controversy has stirred around this Bill. Having amendments passed in a veil of secrecy did not help matters, either.
To make things even more complicated, a new amendment, voted down by lawmakers on Wednesday in the U.S. House, would have allowed U.S. companies to keep their privacy policies intact and their promises valid, including terms of service, legally enforceable in the future.
It means that the many who signed up to such services under terms that promised their data would not be shared with anyone — unless a subpoena or court order was served — would no longer have such rights going forward.
Though it would have weakened CISPA's overall weight, now it gives additional legal immunity to companies sharing their customer data. Rep. Jared Polis (D-CO), in speaking to ZDNet's sister site CNET, said that such firms are "completely exonerated from any risk of liability."

Hello Fourth Amendment, goodbye Fourth Amendment

The key provision of CISPA is that it allows government entities to acquire your data without a warrant, should a private company holding your data hand it over.
The Fourth Amendment of the U.S. Constitution states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
"Upon probable cause." That means the U.S. government has to seek out data based on evidence and intelligence. But while the U.S. government and its law enforcement agencies, intelligence services, and more than 600 agencies that can use your data cannot force a company to hand over data, it doesn't mean your data is safe.
The Fourth Amendment does not protect private companies from accessing and data mining your information for its own gain. It only protects against the U.S. government unlawfully accessing your data without a search warrant.
CISPA bridges a gap between the private firms that can access your data for nefarious purposes — they would likely never do this — to the U.S. government.
U.S. firms voluntarily handing data along the one-way street to the U.S. government effectively means the Fourth Amendment doesn't have to apply; it's not snooping if it was handed to the government under "cybersecurity" grounds.
By this point, the U.S. government can do just about anything it likes with your data once it's in its hands, in spite of the Fourth Amendment and notwithstanding lacking a search warrant. The kicker is that this is allowed as long as it's lawful and pertains to "cybersecurity purposes," rather than "national security" purposes. But because the language in CISPA is so ill defined, it could be used for many more reasons than were initially considered.
According to privacy and civil liberties group the Electronic Frontier Foundation (EFF), even though the data was passed to the government for reasons pertaining only to "cybersecurity," it can then be used to investigate other crime, not limited to cybersecurity crime, such as the "criminal exploitation of minor, protecting individuals from death or serious physical injury, or protecting the national security of the United States."
But it all flows through the U.S. Department of Justice, first and foremost, which can then be disseminated throughout government and its agencies, onto the FBI, the National Security Agency (NSA), Immigration and Customs, and so on. Even the U.S. Department of Agriculture can take on your data and use it against you, should you be fishing without a license.
And because this is done behind the scenes and private companies do not have to tell you that they've handed your data to the government, you may never know about it. And private firms are exempt from Freedom of Information (FOI) requests, with such provisions disallowed under CISPA.
The EFF said on its site:
As it stands, CISPA is dangerously vague, and should not allow for any expansion of government powers through a series of poorly worded definitions. If the drafters intend to give new powers to the government's already extensive capacity to examine your private information, they should propose clear and specific language so we can have a real debate.
The American Civil Liberties Union (ACLU) has called CISPA "fatally flawed."
"The core problem is that CISPA allows too much sensitive information to be shared with too many people in the first place, including the National Security Agency," the privacy group said. In a statement today, it went further, calling the Bill "extreme."
CISPA is an extreme proposal that allows companies that hold our very sensitive information to share it with any company or government entity they choose, even directly with military agencies like the NSA, without first stripping out personally identifiable information.

What next?

Exactly how this goes forward in the Senate remains unclear.
Many civil liberties campaigners are hoping for similar action based on last year's events, when the upper house chamber shelved the Bill as it sought to develop its own cybersecurity legislation.
CISPA will likely face yet another roadblock when it reaches President Obama's desk. This week, the White House threw its weight behind a threat that would see CISPA vetoed by President Obama should it pass through Congress unimpeded.
It repeats a similar sentiment by the Obama administration last year, when CISPA reached as far as passing the House but failed in the upper Senate chamber.
In a letter, the White House said: "The administration still seeks additional improvements, and if the Bill, as currently crafted, were presented to the president, his senior advisors would recommend that he veto the Bill."
Topics: Security, Privacy

No comments:

Post a Comment