The devilish details of amendments to the House-passed cyber-security bill, CISPA.
LIKE THIS ARTICLE ?
Join our mailing list:
Sign up to stay up to date on the latest headlines via email.
(This analysis first appeared at Balkinization, a noted civil liberties and legal blog).
After a flurry of last minute amendments last week, the House unexpectedly passed CISPA on Thursday evening. A week ago, I described my concerns with the version of the bill that made it out of the House Committee on Intelligence. In the intervening week, there was considerable outcry around the billled in part by theElectronic Frontier Foundation, theAmerican Civil Liberties Union, and the Center for Democracy and Technology.
Learning their lesson from SOPA, the House decided to invite civil liberties constituencies to the table so as to avoid having to witness another implosion of a major legislative goal. As a result, a number of amendments were introduced that began to address some of the most egregious parts of the bill, and, in response, some members of the civil liberties community decided to withhold further, vocal opposition. Then, on Thursday evening, it all fell apart. As Josh Smith at theNational Journal described, the CISPA that was passed by the House on Thursday didn’t reflect this negotiation:
The Center for Democracy and Technology and the Constitution Project never really dropped objections to the Cyber Intelligence Sharing and Protection Act, but after discussions with the bill’s sponsors, the groups said on April 24 they would not actively oppose the bill and focus on amendments instead. But on April 25, the House Rules Committee shot down 22 of 43 submitted amendments to the bill, known as CISPA. All but one Republican amendments were made in order, while four out of 19 Democratic amendments and four with 10 bipartisan support made the cut. Five amendments were withdrawn.
Unhappy with this outcome, the civil liberties groups are doubling down their efforts for the next stage of this battle -- the Senate.
That’s the quick recap of what happened last week.
This bill still poses serious issues. Here is the version of the bill that reflects all the amendments made. For those who want to compare, this is the original billwithout the amendments and these are the eleven amendments that were added on top of it.
I’ll spend the rest of this post providing a summary of the amendments made and provide my thoughts on the problems they create and solve. I’ve ordered them, roughly, by importance.
That’s the quick recap of what happened last week.
This bill still poses serious issues. Here is the version of the bill that reflects all the amendments made. For those who want to compare, this is the original billwithout the amendments and these are the eleven amendments that were added on top of it.
I’ll spend the rest of this post providing a summary of the amendments made and provide my thoughts on the problems they create and solve. I’ve ordered them, roughly, by importance.
1. Goodlatte Amendment: Provides more detail around what “cybersercurity” means under this bill:
This amendment places under the umbrella of cybersecurity:
(i) a vulnerability of a system or network of a government or private entity;
(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
(iii) efforts to degrade, disrupt, or destroy a system or network of a government or private entity; or
(iv) efforts to gain unauthorized access to a system or network of a government
or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity
Cyber threat information, under this amendment, now specifically covers information relating to a threat to the “integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network.”
Confidentiality is defined as “including the means for protecting proprietary information.” This sounds a lot like intellectual property. If that’s correct, than it means that cybersecurity threats now include intellectual property piracy. Accordingly, private companies can send warrantless surveillance information regarding threats of copyright piracy to the government, and the government is authorized to act on them. It’s not exactly the Son of SOPA, but it does elevate the crime of copyright piracy so that it is now on par with distributed denial of service (DDoS) attacks and Stuxnet type viruses.
Availability is defined as “timely and reliable access to and use of information.” This would imply that information about any activity that might slow down a network might be considered cyber threat information. VPN, used by businesses everywhere, slows down the network. End to end encryption, used by programs like Skype, slows down the network. Streaming video, like Netflix, slows down the network. These are all legal, common uses of the Internet, and under this bill, an individual using these applications and services can have her use data passed onto the government as cyber threat information.
And more generally, including as a threat any vulnerability to a system or network is dangerously overbroad. As EFF notes, “CISPA currently defines a ‘cybersecurity system,’ as something that is designed to protect a ‘system or network.’” Rainey Reitman, EFF’s activism director explained that this definition “could mean anything—a Local Area Network, a Wide Area Network, a microchip, a website, online service, or a DVD.”
Very importantly, the bill does make clear that violation of terms of use or licensing agreements “does not constitute unauthorized access” for the purposes of this bill. This is something that Orin Kerr has discussed at length with respect to Computer Fraud and Abuse Act and is a very good addition to this bill.
2a. Quayle Amendment: Extends the authorized government use of cyber threat information to cover:
1. Cybersecurity
2. Investigation and Prosecution of cybersecurity crimes
3. Protection of “individuals from the danger of death or serious bodily harm” and the investigation and prosecution of such crimes
4. Protection of “minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor” and the investigation and prosecution of such crimes
5. National Security
This amendment seriously and dangerously expands the scope of this bill and really shares the number one spot with the Goodlatte Amendment. I made a comment about mission creep in my earlier blog post and this amendment seems to exemplify my point. A week ago, we were talking about a cybersecurity bill. Now, we’ve got a bill about fighting crime and child pornography.
Practically speaking, this means that when Comcast or Google hands warrantless surveillance information over to the government, the government can use it as long it’s about an issue of cybersecurity or national security. Or about someone who might be in danger. Or about the safety of a minor.
Its especially disturbing because fighting crime writ large has long been the responsibility of the government and those responsibilities have long been accompanied by clearly articulated limitations on government power. Those limitations were created to maintain the fine balance between protecting the country and protecting individual liberties. Cybersecurity is a new responsibility the government needs to take on, so one can at least understand how the government might feel that in this Brave New World of wars waged on the Internet, they need new, more expansive authorities. But, to circumvent the protections of the Fourth Amendment for issues that fall squarely into traditional government policing and prosecution seems to be unprecedented and deeply unsettling.
2b. Quayle Amendment: Defines the scope of what constitutes a cybercrime.
Under this amendment, cybercrimes includes crimes under state or federal law that involve:
1. efforts to degrade, disrupt, or destroy a system or a network
2. efforts to gain unauthorized access to a system or a network
3. efforts to exfiltrate information from a system or network without authorization
4. the violation of a provision of Federal law relating to computer crimes including the Computer Fraud and Abuse Act of 1986
This is the second part of the Quayle Amendment. It makes very clear that the government can use information obtained without a warrant to investigate and prosecute existing computer crime laws like CFAA. As I have said before, this seems to be a circumvention of the Constitution.
Additionally, allowing the government to use this surveillance information to investigate instance of network disruption and degradation causes concern because the definition of network disruption and degradation is still vague. And this raises the same type of void for vagueness concerns I discussed in my last post. Legitimate uses of the network, like Skype, YouTube, and Netflix, can now be caught under the purview of cybercrime.
And such an extension of the term is not unfathomable. During the Comcast/Bittorrent battle, Comcast seemed to argue that any application that taxes their network threatens to degrade or disrupt the network.
3. Mulvaney Amendment 1: Attempts to protect civil liberties.
This amendment does three things.
First, it says that the government “may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government.” Importantly, this amendment creates no affirmative duty and simply authorizes the government to protect civil liberties insofar as 1) efforts to do so are reasonable 2) such efforts don’t limit the ability of the government to protect against cybersecurity threats. The language here is surprisingly blithe. It does not view civil liberties concerns as equal to national security concerns and instead actively places civil liberties in the back seat.
Second, this amendment requires agencies that receive non-cyber threat information to let the responsible company know that the information was a non-cyber threat. Notably, the government is not required to stop interacting with companies that regularly over share nor does is government required to clarify the scope of cyber threat information in order to reduce further instances of over sharing.
Third, this amendment requires the government to dispose of information that is given to them unless it conforms to one of the listed purposes for which it can be used. This is a very good thing. However, it should also require that such information be discarded in some reasonably quick time frame. This is a point of concern in part because the government is a major target of cyber attacks. The VA has experienced serious attacks that ended up exposing private information of our veterans. Properly minimizing risk requires such information to be disposed of quickly.
4. Pompeo Amendment 1: Broadens the immunity provision.
This amendment extends the immunity provision to include any claims arising from the identification and obtaining of cyber threat information, in addition to the original immunity for claims arising from the sharing of such information.
As I noted before, the problem with immunity is that it leaves us with no legal recourse. We can’t sue the government because they didn’t actually do anything. We can’t sue the company who violated our privacy because the bill forbids it.
5. Flake Amendment: Requires executive branch to report to Congress a list of which federal agencies receive information under CISPA.
This amendment requires the government to provide a list of all departments and agencies receiving cyber threat information in its annual report to the Inspector General of the Intelligence Community.
The shortcoming of this well-intentioned amendment is, as I mentioned last week, the information in the report can be classified, and thus kept out of the public eye. So, for example, if the NSA is receiving information on American citizens, the mere fact of this might be considered sensitive information and can thus be kept classified.
And I’m not just being a skeptic. Consider the Glomar response to Freedom of Information Act Request (FOIA). The Glomar response allows the government to respond to a FOIA request by saying that they can “neither confirm nor deny” the existence of the information requested and has been traditionally used in national security cases. The Glomar exemption cripples FOIA law, because it prevents transparency in instances when it is often needed most. In this same way, the annual report mandated in CISPA can quickly become an ineffective method of internal review if the behavior most in need of review is classified.
6. Amash Amendment: Forbids the government from using personally identifiable library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax returns, educational records, and medical records that it receives from private entities under CISPA.
This is a good amendment. It prevents the government from using certain, very private information. That said, a private entity under CISPA can still hand over this information without any threat of liability whatsoever.
7. Pompeo Amendment 2: Reiterates that the Federal Government cannot do anything it couldn’t do pre-CISPA when it comes to forcibly deploying cybersecurity tools on private sector networks.
This amendment just clarifies that CISPA doesn’t alter existing authorities or provide new authority to any federal agency to install, employ, or otherwise use cybersecurity systems on private sector networks.
This means that existing law might already authorize the government to require Comcast or Facebook to install certain software on its network and platform, respectively, but CISPA does not – and nor does it affect that existing authority. I don’t know if the government has such an authority under exiting law; maybe under the Communications Assistance for Law Enforcement Act (CALEA), but I’m not sure.
8. Woodall Amendment: Assures private companies that they don’t get punished for choosing not to play ball.
This amendment assures companies that they won’t be subject to new liabilities if they decide not to participate in the surveillance and sharing of private information authorized by CISPA.
9. Rogers Amendment: Clarifies that CISPA doesn’t affect:
i. existing laws that require individuals to provide information to the government
ii. the way FOIA applies to information required to provided to the government
This amendment clarifies that CISPA doesn’t affect information already required to be provided to the government and the way FOIA applies to said information.
10. Mulvaney Amendment 2: Creates a sunset provision for CISPA.
This amendment ensures that the provisions of the bill are terminated five years after the date of enactment.
11. Turner Amendment: Makes language consist across Executive Branch.
This amendment changes the uses of the word “degrade” to “deny access to or” in a multiple places across the bill.
This amendment places under the umbrella of cybersecurity:
(i) a vulnerability of a system or network of a government or private entity;
(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
(iii) efforts to degrade, disrupt, or destroy a system or network of a government or private entity; or
(iv) efforts to gain unauthorized access to a system or network of a government
or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity
Cyber threat information, under this amendment, now specifically covers information relating to a threat to the “integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network.”
Confidentiality is defined as “including the means for protecting proprietary information.” This sounds a lot like intellectual property. If that’s correct, than it means that cybersecurity threats now include intellectual property piracy. Accordingly, private companies can send warrantless surveillance information regarding threats of copyright piracy to the government, and the government is authorized to act on them. It’s not exactly the Son of SOPA, but it does elevate the crime of copyright piracy so that it is now on par with distributed denial of service (DDoS) attacks and Stuxnet type viruses.
Availability is defined as “timely and reliable access to and use of information.” This would imply that information about any activity that might slow down a network might be considered cyber threat information. VPN, used by businesses everywhere, slows down the network. End to end encryption, used by programs like Skype, slows down the network. Streaming video, like Netflix, slows down the network. These are all legal, common uses of the Internet, and under this bill, an individual using these applications and services can have her use data passed onto the government as cyber threat information.
And more generally, including as a threat any vulnerability to a system or network is dangerously overbroad. As EFF notes, “CISPA currently defines a ‘cybersecurity system,’ as something that is designed to protect a ‘system or network.’” Rainey Reitman, EFF’s activism director explained that this definition “could mean anything—a Local Area Network, a Wide Area Network, a microchip, a website, online service, or a DVD.”
Very importantly, the bill does make clear that violation of terms of use or licensing agreements “does not constitute unauthorized access” for the purposes of this bill. This is something that Orin Kerr has discussed at length with respect to Computer Fraud and Abuse Act and is a very good addition to this bill.
2a. Quayle Amendment: Extends the authorized government use of cyber threat information to cover:
1. Cybersecurity
2. Investigation and Prosecution of cybersecurity crimes
3. Protection of “individuals from the danger of death or serious bodily harm” and the investigation and prosecution of such crimes
4. Protection of “minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor” and the investigation and prosecution of such crimes
5. National Security
This amendment seriously and dangerously expands the scope of this bill and really shares the number one spot with the Goodlatte Amendment. I made a comment about mission creep in my earlier blog post and this amendment seems to exemplify my point. A week ago, we were talking about a cybersecurity bill. Now, we’ve got a bill about fighting crime and child pornography.
Practically speaking, this means that when Comcast or Google hands warrantless surveillance information over to the government, the government can use it as long it’s about an issue of cybersecurity or national security. Or about someone who might be in danger. Or about the safety of a minor.
Its especially disturbing because fighting crime writ large has long been the responsibility of the government and those responsibilities have long been accompanied by clearly articulated limitations on government power. Those limitations were created to maintain the fine balance between protecting the country and protecting individual liberties. Cybersecurity is a new responsibility the government needs to take on, so one can at least understand how the government might feel that in this Brave New World of wars waged on the Internet, they need new, more expansive authorities. But, to circumvent the protections of the Fourth Amendment for issues that fall squarely into traditional government policing and prosecution seems to be unprecedented and deeply unsettling.
2b. Quayle Amendment: Defines the scope of what constitutes a cybercrime.
Under this amendment, cybercrimes includes crimes under state or federal law that involve:
1. efforts to degrade, disrupt, or destroy a system or a network
2. efforts to gain unauthorized access to a system or a network
3. efforts to exfiltrate information from a system or network without authorization
4. the violation of a provision of Federal law relating to computer crimes including the Computer Fraud and Abuse Act of 1986
This is the second part of the Quayle Amendment. It makes very clear that the government can use information obtained without a warrant to investigate and prosecute existing computer crime laws like CFAA. As I have said before, this seems to be a circumvention of the Constitution.
Additionally, allowing the government to use this surveillance information to investigate instance of network disruption and degradation causes concern because the definition of network disruption and degradation is still vague. And this raises the same type of void for vagueness concerns I discussed in my last post. Legitimate uses of the network, like Skype, YouTube, and Netflix, can now be caught under the purview of cybercrime.
And such an extension of the term is not unfathomable. During the Comcast/Bittorrent battle, Comcast seemed to argue that any application that taxes their network threatens to degrade or disrupt the network.
3. Mulvaney Amendment 1: Attempts to protect civil liberties.
This amendment does three things.
First, it says that the government “may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government.” Importantly, this amendment creates no affirmative duty and simply authorizes the government to protect civil liberties insofar as 1) efforts to do so are reasonable 2) such efforts don’t limit the ability of the government to protect against cybersecurity threats. The language here is surprisingly blithe. It does not view civil liberties concerns as equal to national security concerns and instead actively places civil liberties in the back seat.
Second, this amendment requires agencies that receive non-cyber threat information to let the responsible company know that the information was a non-cyber threat. Notably, the government is not required to stop interacting with companies that regularly over share nor does is government required to clarify the scope of cyber threat information in order to reduce further instances of over sharing.
Third, this amendment requires the government to dispose of information that is given to them unless it conforms to one of the listed purposes for which it can be used. This is a very good thing. However, it should also require that such information be discarded in some reasonably quick time frame. This is a point of concern in part because the government is a major target of cyber attacks. The VA has experienced serious attacks that ended up exposing private information of our veterans. Properly minimizing risk requires such information to be disposed of quickly.
4. Pompeo Amendment 1: Broadens the immunity provision.
This amendment extends the immunity provision to include any claims arising from the identification and obtaining of cyber threat information, in addition to the original immunity for claims arising from the sharing of such information.
As I noted before, the problem with immunity is that it leaves us with no legal recourse. We can’t sue the government because they didn’t actually do anything. We can’t sue the company who violated our privacy because the bill forbids it.
5. Flake Amendment: Requires executive branch to report to Congress a list of which federal agencies receive information under CISPA.
This amendment requires the government to provide a list of all departments and agencies receiving cyber threat information in its annual report to the Inspector General of the Intelligence Community.
The shortcoming of this well-intentioned amendment is, as I mentioned last week, the information in the report can be classified, and thus kept out of the public eye. So, for example, if the NSA is receiving information on American citizens, the mere fact of this might be considered sensitive information and can thus be kept classified.
And I’m not just being a skeptic. Consider the Glomar response to Freedom of Information Act Request (FOIA). The Glomar response allows the government to respond to a FOIA request by saying that they can “neither confirm nor deny” the existence of the information requested and has been traditionally used in national security cases. The Glomar exemption cripples FOIA law, because it prevents transparency in instances when it is often needed most. In this same way, the annual report mandated in CISPA can quickly become an ineffective method of internal review if the behavior most in need of review is classified.
6. Amash Amendment: Forbids the government from using personally identifiable library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax returns, educational records, and medical records that it receives from private entities under CISPA.
This is a good amendment. It prevents the government from using certain, very private information. That said, a private entity under CISPA can still hand over this information without any threat of liability whatsoever.
7. Pompeo Amendment 2: Reiterates that the Federal Government cannot do anything it couldn’t do pre-CISPA when it comes to forcibly deploying cybersecurity tools on private sector networks.
This amendment just clarifies that CISPA doesn’t alter existing authorities or provide new authority to any federal agency to install, employ, or otherwise use cybersecurity systems on private sector networks.
This means that existing law might already authorize the government to require Comcast or Facebook to install certain software on its network and platform, respectively, but CISPA does not – and nor does it affect that existing authority. I don’t know if the government has such an authority under exiting law; maybe under the Communications Assistance for Law Enforcement Act (CALEA), but I’m not sure.
8. Woodall Amendment: Assures private companies that they don’t get punished for choosing not to play ball.
This amendment assures companies that they won’t be subject to new liabilities if they decide not to participate in the surveillance and sharing of private information authorized by CISPA.
9. Rogers Amendment: Clarifies that CISPA doesn’t affect:
i. existing laws that require individuals to provide information to the government
ii. the way FOIA applies to information required to provided to the government
This amendment clarifies that CISPA doesn’t affect information already required to be provided to the government and the way FOIA applies to said information.
10. Mulvaney Amendment 2: Creates a sunset provision for CISPA.
This amendment ensures that the provisions of the bill are terminated five years after the date of enactment.
11. Turner Amendment: Makes language consist across Executive Branch.
This amendment changes the uses of the word “degrade” to “deny access to or” in a multiple places across the bill.
Anjali Dalal is a resident fellow at the Yale Information Society Project at Yale Law School and a contributing blogger at Balkinization, a civil liberties blog.
