CISPA: Experts agree, private info not needed for sharing cyber threats with gov’t

If you were given a cloak of absolute immunity and then tasked to share cybersecurity threat information, would you take the extra time to strip out all personally identifiable information (PII) before passing it on to the government? Although no judge will look over your shoulder, no warrant will be required, and no one will smack your hand for sharing sensitive user data that is not required, would you still pass it along? If ‘yes,’ then would your answer change if a cybersecurity expert testified that in 20 years, he had “never seen a package of threat intelligence that’s actionable that also includes PII?”

President Obama’s Executive Order showed that defending critical infrastructure does not require invading our online privacy and passing along our private communications and Internet records to agencies like the NSA or DoD. Yet the Cyber Intelligence Sharing and Protection Act (CISPA) [PDF] is back, reintroduced still in a dangerously privacy decimating form.

“What a difference a year didn’t make,” wrote the Center for Democracy & Technology (CDT), before explaining that CISPA is still fundamentally flawed.

First, the bill creates a sweeping cybersecurity exception to all of our hard-won privacy protections and then encourages (through grants of immunity) companies to share private Internet communications and information directly with the NSA, a military intelligence agency that operates secretly with little public accountability. Second, it allows that private information, once it is in the hands of the military, to be used for purposes completely unrelated to cybersecurity.

Both the EFF and the ACLU wrote about how, at the House Intelligence Committee meeting, “industry experts” testified that the government does not need that private info; it could be removed without causing “too much of a burden” on companies before reporting cybersecurity threats. Yet the same Congress that did not invite a single privacy and civil liberty representative to the meeting still wants your private data dumped into yet another database…just waiting for mission creep to set in.

It’s like a bad blast from the past; as if netizens had not already made their opposition clear and defeated the “privacy killing” legislation. The answers seem so simple—remove “immunity” from liability for companies “sharing private information like internet records, communications content, and identifying information.” No one is saying to forget about cybersecurity; simply remove PII first before passing along cyber threats. Yes, we need to harden our cybersecurity as a nation, but not at the expense of We the People losing even more civil liberties. And it was those for civil liberties who were against CISPA, while those for CISPA included giants like Microsoft, Facebook, IBM, Oracle, Symantec, AT&T and Verizon.

Since this is the Microsoft Subnet, let’s look at Microsoft’s stance on CISPA.

Last year regarding CISPA, Microsoft told CNET‘s Declan McCullagh, “Microsoft believes that any proposed legislation should facilitate the voluntary sharing of cyber threat information in a manner that allows us to honor the privacy and security promises we make to our customers.” That sentence stayed the same in Microsoft’s new statement to The Next Web, but Microsoft Trustworthy Computing VP Scott Charney added:

Legislation introduced in mid-February reflects important changes resulting from an active, constructive dialogue about a prior version of the bill, and that dialogue must continue.  We look forward to continuing to work with policymakers and others to improve cyber security while protecting consumer privacy.

Regarding “an active, constructive dialogue” about CISPA, the EFF wants us to get active again.

Last year, tens of thousands of concerned individuals used the EFF action center to speak out against overbroad and ineffective cybersecurity proposals. Together, we substantially changed the debate around cybersecurity in the U.S., moving forward a range of privacy-protective amendments and ultimately helping to defeat the Senate bill. Now we need your help again.

Like this? Here’s more posts:

• Interview with Microsoft’s Director of Trustworthy Computing Jacqueline Beaucher
• All-seeing Big Bro Domain Awareness System coming to all 34,000 NYPD cops
• DARPA’s unblinking, all-seeing 1.8-gigapixel camera stare on PBS Rise of the Drones
• Security firm report details APT attacks by Chinese Army hackers
• Preserving American Privacy Act would limit domestic drone spying, ban killer drones
• Microsoft admits to being hacked too
• Red-hot love gone bad: Burned by that steamy pic, sext, or shared password
• Chinese hackers use compromised USA university computers to attack us
• Flickr privacy bug changes some private photos to public, then public to private
• Insect assassin drones? Armed drones choosing targets? What could possibly go wrong?
• Unpatched TRENDnet IP cameras still provide a real-time Peeping Tom paradise

Follow me on Twitter @PrivacyFanatic