New Draft Modifies CISPA’s Holes But Doesn’t Exactly Patch Them
CISPA has now passed in the House and has gotten a few more amendments. You can read about that here. The information below is still accurate.
When you’re dealing with a contentious bill, there’s always the hope that it might get better, and the fear that it might get worse. Or, what seems to be the case with the new draft of CISPA, where it just gets different. This new draft, which incorporates two previous amendments along with some other modifications, changes a significant amount of language in the bill, and adds a lot more as well. Whether or not that really changes anything in a particularly meaningful way, however, is a bit of a different question. CISPA had its problems before, and the new draft definitely shuffles things around a little, but it looks like we’re still dealing with a similar amount of similar issues.
Of course, there are a whole lot of little things that changed, and you can look at them all here, if you’re into that sort of thing. If you aren’t — and who could blame you — I’m going to try and cover some of the broad strokes.
The new CISPA draft expands the number of entities allowed to share and receive information under it, adding “utilities.”
Previously, CISPA dealt with “Protected Entities” and “Self-Protected Entities,” which are non-individuals (corporations, organizations, etc.) that are at all worried about cybersecurity. Protected entities are ones that basically hire some sort of cybersecurity firm to be their bodyguard of sorts, while self-protected entities, for example, install an antivirus and keep an eye on things themselves. That’s already pretty broad. This new draft brings “utilities” into the equation, which are:
[Entities] providing essential services (other than law enforcement or regulatory services), including electricity, natural gas, propane, telecommunications, transportation, water, or wastewater services
Now, pretty much anyone who has digital records and tries to keep them private (read: everyone) can already be considered a protected or self-protected entity anyway, so this isn’t a huge shift. It does, however, lengthen the list of who’s explicitly allowed to share and receive information under CISPA from “practically everyone” to “really though, pretty much literally everyone.”
The new CISPA has a modified definition of a “cybersecurity purpose” that removes the phrase “intellectual property.”
This particular change is a marked improvement. Under the definition of a “cybersecurity purpose” — which is the only reason information can be shared under CISPA — a weird reference to intellectual property has been removed. Where it used to read:
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
It now reads:
(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information
The improvement here is that while the old language with the intellectual property bit could have been construed to cover piracy and copyright infringement, the new language can’t be, considering that copyright-protected works, while being intellectual property, are definitely not “private information.”
“Unauthorized access” is still a bit vague, considering there have been arguments made that breaching a Terms of Service agreement makes your access unauthorized, but a recent ruling has said that breaches of ToS, while technically still illegal, are not to be prosecuted under the Computer Fraud and Abuse Act. One would assume the same logic would carry over to CISPA. It is, however, worth noting that it took an overturned conviction and an appeals court ruling to get that all straightened out.
The new CISPA draft allows for entities who share or receive information to be held liable for misuse under a set of pretty specific circumstances.
One of the issues with the earlier version of CISPA was that everyone involved in the sharing was pretty much exempt from any kind of suit regarding what they did or didn’t do with any data they shared or received. This new version changes that, but only slightly. The changes apply only to entities involved that aren’t the government, and state that said entities can face liability if and only if somebody can prove “willful misconduct.” Willful misconduct, as far as CISPA is concerned, covers acts or omissions that were intentional and for a wrongful purpose. Literally, the bill says that willful misconduct involves using data:
(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.
It’s worth noting, as Techdirt points out, that the third clause is required in addition to the first two, meaning that an entity can apparently use data to achieve a wrongful purpose so long as the benefit outweighs the cost to the party harmed, or so long as the entity involved didn’t completely understand the risk. This is pretty ridiculous, but it does fall right in line with CISPA’s previous — and continuing — stance that no one can get in trouble for mistakes. Ever.
The new CISPA draft increases restrictions on data usage and requires more disclosure about what data was shared and what it was used for, but it’s all after the fact.
There are a few changes here, but only a few of them are particularly noteworthy. For one, CISPA now explicitly states that the government cannot require entities to give up information, and also that the government cannot coerce entities into sharing data by refusing to share unless they do. From the bill, the government may not:
(A) require a private-sector entity to share information with the Federal Government; or
(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government
Basically, no taking of “data hostages.”
Also, the part of the bill that deals with the annual report the federal government is required to give to Congress has been fleshed out a bit. The bill now states that this report is explicitly for the purpose of making sure that all the information shares have been legal, appropriate, necessary and, moreover, that they haven’t been encroaching on civil liberties. This, of course, is a good thing, but it doesn’t fix — and actually calls more attention to — the huge, glaring problem that CISPA has: nobody bothers to check whether or not the sharing is kosher until after it’s already happened.
Sure, CISPA is sort of making strides to make sure that if a bad share happens, it’s clear exactly what went down and who’s at fault, but the bill does nothing to try and prevent bad shares other than make it likely the parties involved will be caught. There’s no attempt at prevention whatsoever. That’s the real issue with the bill that persists, and it isn’t likely to change. It’s the same issue that we saw with the DNS blocking provisions of SOPA and the same kind of monster we’re seeing the DMCA turn into. You never want to get caught up in a cycle of indecision where nothing can get done until it’s too late, but considering the total lack of cybersecurity disasters so far, it would probably pay to have even just a slight check, the briefest of considerations, before sharing private information all over the place. After all, you can’t take it back.