This part encompasses a retrospective review of US laws and acts as well as pros and cons of current legislative proposals on the surveillance of cyberspace.
So, let’s talk about US legislature in this area, or what I subtitled as “a history of failure” (see right-hand image). In the 1980s – several laws that proposed to weaponize cryptography; imagine how different the Internet would be today if we had no cryptography: you wouldn’t have SSL, you wouldn’t have e-banking, you wouldn’t have e-anything. Thankfully these efforts did not pass. However, cryptography is still affected by import/export laws in almost all nations. And so, I’m sure everyone in the room has heard about SOPA and PIPA (see left-hand image), and that was in 2011, amid massive protests. Essentially all this was – was a draconian approach to filter DNS systems, to basically censor them and blacklist unapproved websites for the purposes of stopping piracy. Piracy was poorly defined in legislature, and thus could be manipulated. It would have established the power for political and corporate censorship of the Internet. Luckily, this did not pass.
In that section of that subtitle I’m just talking about related things that I think are perhaps more interesting, unless it’s just a bad idea, because it doesn’t stop you from typing in an IP address of where you want to go. It really is not a solution. It did way more bad than it did any good. It actually didn’t do anything to solve the problem. It completely didn’t solve the problem, just created more problems. That’s why I consider it a massive failure.
So, this is a bill being considered (see right-hand image), I don’t think it’s been signed into law yet; I’m not familiar with the history of the decisions or rulings of it. But effectively it grants the executive branch the power to shut down parts of the Internet essentially for the purposes of national security and defense. So that’s worth considering. But more importantly, the Cybersecurity Act of 2012 (see left-hand image), last year it was proposed. It did not pass. Its stated goal is to set cybersecurity standards for critical infrastructure operators, and would have encouraged companies and the government to share information with each other about cyber threats to basically establish that level of cooperation, because currently there is no level of that cooperation. We’re trying to meet that treaty, that treaty is a good idea. Honestly, this is my opinion: I believe that treaty is a good idea, if you can get everyone to do it. So even if you’ve ratified it, you have to work towards that.
So, the main purpose of this was to raise situational awareness by sharing information on critical infrastructure, and that’s where we can be hit the hardest. Opposing groups cited privacy concerns, most understandably, very similar to CISPA, which we’ll talk about next. But the bill explicitly prohibited sharing citizen data with military and intelligence community groups. So, I think having this privilege in your legislature makes sense and it’s a good idea.
So, let’s talk about CISPA – Cyber Intelligence Sharing and Protection Act (see right-hand image). Many people I know are big fans of this and bills like this. As it’s written, it has other problems. Its stated goal is to provide for the sharing of certain cyber threat intelligence and cyber threat information between intelligence communities and cyber security entities, and for other purposes.
The end “for other purposes” is really what kills it, because the way it’s written is so open-ended that, to quote the EFF: “It carves a loophole in all known privacy laws and grants legal immunity for companies to share your private information”. It passed the House in 2012, but did not pass in the Senate; I think it was filibustered down.
It’s been reintroduced this year (see left-hand image), this February it was reintroduced. In effect, it required ISPs and websites to track a vast amount of information on their users for the purposes of sharing with the government, for cybersecurity purposes and for other purposes.
This costs ISP companies money, because disk space plus time equals money. Basically, as a trade back, the act allows them to resell the info to anyone for cybersecurity and other purposes. What do you mean by cybersecurity purposes? It doesn’t define that precisely. The language is so vague it can be everything.
So, my information could be resold for cybersecurity purposes, and then I can get Viagra spam, and that, clearly, should not be enabled by law. The bill directly circumvents the Cable Communications Policy Act, the Wiretap Act, the Video Privacy Protection Act, the Electronic Communications Privacy Act as well (see right-hand image). So these laws expressly allow for lawsuits against companies that go too far in divulging your private information.
However, the CISPA terminology goes so far as to directly state that companies are not required to notify their customers if that data is mishandled in compliance with CISPA. And that goes for the government as well. So remember this has not yet passed but it’s being voted on now.
So, what this means is if all these people are tracking you, it’s like you’re sharing information with the government. If I want to spy on you, I don’t have to limit options to just hacking you or hacking government, or hacking your favorite site. I can just hack these other sites as well. I have X number of ways, X number of more ways to get at you now. So this creates many problems.