The CISPA Government Access Loophole

May Day (5/1/2012) (Photo credit: bogieharmond)

Written by Kurt Opsahl – Re-Published from (Creative Commons)

The Cyber Intelligence Sharing and Protection Act—CISPA, the so-called “cybersecurity” bill—is back in Congress. As we’ve written before, the bill is plagued with privacy problems and we’re urging concerned users to email their Representatives to oppose it.

Many of the bill’s problems stem from its vague language.  One particularly dangerous provision, designed to enable corporations to obtain and share information, is drafted broadly enough to go beyond just companies, creating a government access loophole.

What is the Government Access Loophole?

The bill grants new powers to “cybersecurity providers” and “self-protected entities” and it specifically excludes the government from being considered a “cybersecurity provider.” But due to a drafting discrepancy, the government could fall within the definition of a “self-protected entity” and obtain many of the additional powers granted by CISPA.

This is because a “cybersecurity provider” must be a “non-governmental entity,” but the definitions of “self-protected entity” or a “protected entity” do not have this limitation.  These definitions are critical, as they specify who gets to wield CISPA authority to obtain and transfer your information.

What Does the Loophole Mean?

While the intent of CISPA is to give companies this additional authority, under these definitions, EFF is concerned that the government could also assert some of the new powers granted by CISPA: to “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the government, so long as it is for “cybersecurity purposes.”

In practical terms, it’s unclear what is exactly covered by such a “cybersecurity system.” Under the vague definition, such a “system” could range from basic defensive software tools, like port-scanning, to more aggressive offensive countermeasures. For more details on the term, please see our FAQ.

If “cybersecurity systems” include tools for aggressive countermeasures, the clause is particularly dangerous because the government could use it to further expand its domestic cybersecurity arsenal. In one instance, the government already uses EINSTEIN, which is software that identifies threats on federal government networks and forwards the information to technicians. If considered a self-protected entity, the government could claim CISPA provided the authority to change EINSTEIN to not only identify and obtain threat information, but to launch aggressive attacks that could cripple innocent users’ computers. Some details about EINSTEIN 3, the latest version we know of, are classified, but security researchers have attempted to assess its security value.

Narrow Limits on the Loophole

The bill does limit this potential government power: it doesn’t allow a government-controlled “cybersecurity system” to be used “on a private-sector system or network to protect such private-sector system or network.” However, it only protects against one type of government abuse, and leaves holes for other types—what about using a “cybersecurity system” to protect a different private sector system or network? Or to protect a public-sector system or network? What about a “cybersecurity system” owned by a State government?

The Fourth Amendment limits the government’s ability to use CISPA powers, but there would still be constitutionally dangerous implications: the government would also be granted broad legal immunity for any “decisions based on” cyber threat information, and CISPA’s “notwithstanding” clause could override government privacy laws like the Privacy Act (which protects personal information in government records) and the Computer Matching and Privacy Protection Act (which limits the use of automated matching of government records).

As it stands, CISPA is dangerously vague, and should not allow for any expansion of government powers through a series of poorly worded definitions.  If the drafters intend to give new powers to the government’s already extensive capacity to examine your private information, they should propose clear and specific language so we can have a real debate.

In the meantime, we urge Internet users to join us in opposing this bill.
