ellipsix informatics
 
2013 Apr 22

A close look at the new CISPA

Justice League of the Internet, unite! So went the call from the Elders of the Internet to make a last stand against the long-feared reawakening of the... uh, legislative process. (No, there are no Elders of the Internet. I just couldn't resist linking to that clip.)

Internet privacy advocates are up in arms these days over the Cyber Intelligence Sharing and Protection Act, a bill which modifies the rules by which information, including personal and/or private information, may be shared among technology companies and the federal government. CISPA was first introduced last year as H.R. 3523 (a House bill, not a "House Resolution" as it is often called) and passed by the House of Representatives, but it stalled and died in the Senate, perhaps partially in response to strong public opposition.

Now, CISPA is back, in the form of H.R. 624. This was passed by the House last week and is headed to the Senate for discussion. The text of the bill is quite similar to last year's version, so most of what I wrote about it last year still applies, but there are a few things I want to update in light of new information, plus some new provisions in the bill to look at. So what I'm going to do is repost more or less the same thing I wrote last year, with additions and updates to cover the new material.

Since this is a really long post, though, I'll jump straight to the punch line. I don't think CISPA is as bad as some people will say it is. Here is the short version of what I would like to see changed before the bill passes:

  • Require judicial intervention to allow the sharing of personal information without the express approval of the subject, except when necessary to prevent an imminent threat
  • Require that the subject of any shared personal information be notified immediately of what information was shared, except when necessary to protect national security
  • Allow shared information to be subject to the Freedom of Information Act
  • Allow the entity sharing information to specify which department(s) of the government it may be shared with (maybe this is already in there)
  • Allow legal action to proceed against an entity believed to be sharing information improperly, even if the entity asserts they were acting in good faith
  • Create a more flexible process for maintaining a list of classes of information that cannot be used by the government (and perhaps also by private entities)
  • Give an independent or semi-independent watchdog the authority to implement (not just recommend) policies to protect privacy and civil liberties when personal information is shared

As usual, this post comes with the standard disclaimer that I am not a lawyer and this is not legal advice. I make no guarantees about the correctness of this information. If you're concerned about specific effects that CISPA could have on you personally, check with a lawyer.

Amendments to National Security Act

The main body of CISPA consists of an addition to title 50 of the United States Code, which deals with national security. The proposed addition starts out as follows:

Sharing information with private entities

Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector and Utilities-

(1) IN GENERAL- The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities and to encourage the sharing of such intelligence.

This basically sums up a large part of what people consider to be the problem with CISPA. It allows the government, or more precisely the national intelligence community (FBI, CIA, NSA, and other such organizations) to share information they have collected with private-sector entities, like businesses. Now, I don't know exactly what information our intelligence agencies collect on U.S. residents, but it stands to reason that if they wanted it, they could have access to phone records and the content of phone calls, emails, personal information like your address history and phone number history, your employment history and credit history, all your financial information, most of your shopping preferences, large parts of your web browsing history, and assorted other information. Obviously, government agencies can get far more information on your life and habits than private businesses or random people can. If a channel is opened up by which businesses can get a share of that information, they'd have a field day — and who knows what kinds of nefarious tricks they could pull with it?

But let's hold on a minute. The capacity for information sharing that CISPA introduces comes with restrictions, which are spelled out by the next paragraph of the bill.

(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE- The procedures established under paragraph (1) shall provide that classified cyber threat intelligence may only be--

(A) shared by an element of the intelligence community with--

(i) certified entities; or

(ii) a person with an appropriate security clearance to receive such cyber threat intelligence;

(B) shared consistent with the need to protect the national security of the United States; and

(C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure; and

(D) used, retained, or further disclosed by a certified entity for cybersecurity purposes.

A "certified entity" is defined in subsection (g) of the bill as follows:

(1) CERTIFIED ENTITY- The term `certified entity' means a protected entity, self-protected entity, or cybersecurity provider that--

(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and

(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.

and in turn, "protected entity," "self-protected entity," and "cybersecurity provider," and the related term "cybersecurity purpose," are defined as

(4) CYBERSECURITY PROVIDER- The term `cybersecurity provider' means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.

(5) CYBERSECURITY PURPOSE- The term `cybersecurity purpose' means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

(7) PROTECTED ENTITY- The term `protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.

(8) SELF-PROTECTED ENTITY- The term `self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.

OK, so if I'm reading this right, certified entities are basically businesses or organizations that produce or use (or both) computer security technology, that either have or are eligible for a security clearance, and that can show the Director of National Intelligence they are capable of protecting whatever classified information they receive. However, merely being eligible for a clearance and capable of protecting information isn't saying much. That's where subparagraphs (C) and (D) come in: they actually require certified entities to protect the information they're given and to use it only for cybersecurity purposes.

In essence, the apparent intent of the bill is to set up a framework to ensure that, once privileged information leaves the intelligence community, it doesn't go any further and isn't used for any purpose other than the one it was explicitly shared for. But the relevant definitions don't seem specific enough to make that happen. "Cybersecurity purposes" encompasses any activity intended to prevent theft or misuse of various types of information, as well as any sort of technological attack. Consider this situation: let's say you wind up on some low-level CIA watchlist for a perfectly innocent reason, such as making multiple business trips to China over the course of a few months. Ordinarily, they would probably watch you for a little while longer, see nothing of interest, and file the whole matter away. But under CISPA, the CIA could share their interest in you with your email provider, who could then start keeping a very close eye on your emails. And, of greater concern, anything suspicious-looking (even if it's actually innocent, these things can be misinterpreted) that your email provider finds, they can then share back with the CIA. Yes, CISPA doesn't require this information to be shared, but how well do you trust your email provider to stick up for your right to privacy?

Here's another issue: how much information is the intelligence community allowed to share, anyway? That is only loosely addressed by subparagraph (B), which says that information may be shared "consistent with the need to protect the national security of the United States." I have a couple of problems with this. First of all, it's really vague about what exactly is consistent with, or necessary for, protecting national security. I understand that intelligence services need flexible tools to deal with problems they haven't anticipated, and it would hinder their work to spell out a complete list of circumstances under which information could be shared outside the government, but I really feel that some restrictions could be put in place here. For example, sharing information might only be allowed

  1. when necessary to get access to additional information for which the private entity is the only source, or
  2. when necessary to facilitate the cooperation of the private entity in an ongoing investigation; and
  3. in the face of an imminent threat to national security such that the delay required to go through legal proceedings in a court (i.e. getting a warrant) could lead to property damage or loss of life.

It might be necessary to create some additional procedure by which a court could approve a request to share information with the private sector, since warrants are usually used to take things, not to give them out (as far as I know), but certainly that could be part of the bill as well. Honestly, I'm not sure exactly what sorts of situations prompted this bill to be written, and so I'm not sure what sorts of restrictions would be appropriate. But if history is any indication, intelligence agencies will try pretty hard to pass all sorts of things off as being required in the name of national security, and the current wording gives them free rein to do just that. And as with any organization, there are almost certainly going to be a few people in the intelligence community who would abuse that power.

The other thing that bothers me about this is that there is not much accountability for what information gets shared and why it had to be shared. There is a provision in an earlier part of the bill (section 2, which I'll discuss in more detail later) specifying that the use of information shared with the federal government under this act must be reviewed in an annual report to Congress. But it says nothing explicit about information shared by the federal government with the private sector, and it also leaves a lot of leeway for the details of the shared information to be kept in the dark, since the reports may carry a classified annex.

(c) Reports on Information Sharing-

(1) INSPECTOR GENERAL OF THE DEPARTMENT OF HOMELAND SECURITY REPORT- The Inspector General of the Department of Homeland Security, in consultation with the Inspector General of the Department of Justice, the Inspector General of the Intelligence Community, the Inspector General of the Department of Defense, and the Privacy and Civil Liberties Oversight Board, shall annually submit to the appropriate congressional committees a report containing a review of the use of information shared with the Federal Government under subsection (b) of section 1104 of the National Security Act of 1947, as added by section 3(a) of this Act, including--

(A) a review of the use by the Federal Government of such information for a purpose other than a cybersecurity purpose;

(B) a review of the type of information shared with the Federal Government under such subsection;

(C) a review of the actions taken by the Federal Government based on such information;

(D) appropriate metrics to determine the impact of the sharing of such information with the Federal Government on privacy and civil liberties, if any;

(E) a list of the departments or agencies receiving such information;

(F) a review of the sharing of such information within the Federal Government to identify inappropriate [stovepiping](http://en.wikipedia.org/wiki/Stovepiping) of shared information; and

(G) any recommendations of the Inspector General for improvements or modifications to the authorities under such section.

...

(3) FORM- Each report required under paragraph (1) or (2) shall be submitted in unclassified form, but may include a classified annex.

A new paragraph has been added since last year's version of CISPA, describing a report to be prepared jointly by the DHS civil liberties officer and the privacy and civil liberties officers of every agency that receives shared information, assessing the privacy implications of the government's actions under CISPA.

(2) PRIVACY AND CIVIL LIBERTIES OFFICERS REPORT- The Officer for Civil Rights and Civil Liberties of the Department of Homeland Security, in consultation with the Privacy and Civil Liberties Oversight Board, the Inspector General of the Intelligence Community, and the senior privacy and civil liberties officer of each department or agency of the Federal Government that receives cyber threat information shared with the Federal Government under such subsection (b), shall annually and jointly submit to Congress a report assessing the privacy and civil liberties impact of the activities conducted by the Federal Government under such section 1104. Such report shall include any recommendations the Civil Liberties Protection Officer and Chief Privacy and Civil Liberties Officer consider appropriate to minimize or mitigate the privacy and civil liberties impact of the sharing of cyber threat information under such section 1104.

This does partially address the concerns I had about last year's version of this section, in that there is now some sort of oversight of the information sharing process. But it seems rather weakly defined. All that this paragraph requires is the submission of a report and recommendations, which could very well be ignored. I'd much rather have some assurance built into the bill that the recommendations will actually be followed, when doing so doesn't directly hinder national security (and even then, there should be a requirement for an explanation).

Sharing information with the government

Whew. OK. Let's move on to the next part of the bill, subsections (b) and (c), which deal with the reverse process, namely when private-sector entities share information with federal intelligence services.

(b) Use of Cybersecurity Systems and Sharing of Cyber Threat Information-

(1) IN GENERAL-

(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and

(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the entities of the Department of Homeland Security and the Department of Justice designated under paragraphs (1) and (2) of section 2(b) of the Cyber Intelligence Sharing and Protection Act.

(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and

(ii) share such cyber threat information with any other entity, including the entities of the Department of Homeland Security and the Department of Justice designated under paragraphs (1) and (2) of section 2(b) of the Cyber Intelligence Sharing and Protection Act.

This part seems straightforward enough. It says that a security company can monitor its client's systems for threat information and share that information with the government (or anyone else the client designates), as long as it has the client's explicit permission and is doing so "for cybersecurity purposes." An organization that handles its own security (a "self-protected entity") can do the same on its own systems, and may share with any other entity. Note that the sharing only has to be for a cybersecurity purpose, which is a broader condition than being strictly necessary to protect the client.

(2) USE AND PROTECTION OF INFORMATION- Cyber threat information shared in accordance with paragraph (1)--

(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information and excluding limiting a department or agency of the Federal Government from sharing such information with another department or agency of the Federal Government in accordance with this section;

(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and

(C) may only be used by a non-Federal recipient of such information for a cybersecurity purpose;

This part, somewhat expanded since last year's CISPA, specifies conditions on when and how that information can be passed along: basically that it has to be handled in accordance with whatever restrictions the entity authorizing the sharing places on it (such as anonymization or minimization), that those restrictions can't prevent one federal agency from passing it to another, and that it can't be used for inappropriate purposes (though I doubt that "unfair competitive advantage" covers all the inappropriate purposes one could come up with).

(D) if shared with the Federal Government--

(i) shall be exempt from disclosure under section 552 of title 5, United States Code (commonly known as the "Freedom of Information Act");

(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information;

This says that information shared with the government is exempt from Freedom of Information Act requests. Now, I used to think this was a good thing, because the type of information shared will often be personally identifying information like names, addresses, phone numbers, email addresses, perhaps credit card numbers, accounts with various services, and so on. But the Freedom of Information Act, 5 USC § 552, already includes provisions to omit personally identifying information:

To the extent required to prevent a clearly unwarranted invasion of personal privacy, an agency may delete identifying details when it makes available or publishes an opinion, statement of policy, interpretation, staff manual, instruction, or copies of records referred to in subparagraph (D). However, in each case the justification for the deletion shall be explained fully in writing, and the extent of such deletion shall be indicated on the portion of the record which is made available or published, unless including that indication would harm an interest protected by the exemption in subsection (b) under which the deletion is made. If technically feasible, the extent of the deletion shall be indicated at the place in the record where the deletion was made.

With that in place, there seems to be little justification for exempting this information from FOIA entirely. It seems only fair that, if your information is being shared between private entities and the government, you should be able to know what is being shared, when there isn't a pressing need to keep it secret. I would like to see the FOIA exemption removed from the bill.

But anyway, back to CISPA:

(iii) shall not be used by the Federal Government for regulatory purposes; and

OK, so information shared under CISPA can't be used to create or enforce regulations. That's good, I guess, though I'm not sure exactly how it would come into play. Presumably the point is to reassure companies that what they share about their own security problems won't be turned against them by their regulators.

(iv) shall not be provided to another department or agency of the Federal Government under paragraph (2)(A) if--

(I) the entity providing such information determines that the provision of such information will undermine the purpose for which such information is shared; or

(II) unless otherwise directed by the President, the head of the department or agency of the Federal Government receiving such cyber threat information determines that the provision of such information will undermine the purpose for which such information is shared; and

(v) shall be handled by the Federal Government consistent with the need to protect sources and methods and the national security of the United States; and

Honestly, I can't quite tell what is being said here. Paragraph (2)(A) (scroll up a bit) says that restrictions placed by the sharing entity can't stop one federal agency from passing the information to another, but this clause lets either the entity providing the information or the head of the receiving agency block that intragovernmental sharing by determining that it would undermine the purpose for which the information was shared. Again, I really can't imagine what sort of situation this would be relevant in. But I think it would just be better to limit the sharing of information between government agencies. Let the company sharing the information specify where it's going, and that's it.

(3) EXEMPTION FROM LIABILITY-

(A) EXEMPTION- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--

(i) for using cybersecurity systems or sharing information in accordance with this section; or

(ii) for not acting on information obtained or shared in accordance with this section.

(B) LACK OF GOOD FAITH- For purposes of the exemption from liability under subparagraph (A), a lack of good faith includes any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility.

This paragraph is an interesting inclusion in part because of (3)(A)(ii), which provides immunity from civil and criminal liability for declining to act on any of this cybersecurity information. I like this clause because it means that, if you're ever not sure about the legal status of some information shared pursuant to this act, the safe "default" course of action is to just leave it alone, with no legal consequences. This is much better than the alternative of only providing immunity for people who went ahead and used the information, under the belief that they were doing so legally, but who actually weren't.

However, the condition of "acting in good faith" is worrying because, as subparagraph (3)(B) indicates, it turns on intent, and intent is very difficult to prove in court. This means that even if you think a company is improperly sharing your personal information with the government, all they have to do is assert that they were acting in good faith, and the burden falls on you to show otherwise before any legal action can proceed. That goes too far. If you suspect a company of improper information sharing, there really should be some process by which you can satisfy yourself that they're not doing it, and a proper court proceeding (that at least goes far enough for the shared information to be revealed) should be one such method.

(5) RULE OF CONSTRUCTION- Nothing in this subsection shall be construed to provide new authority to--

(A) a cybersecurity provider to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes; or

(B) a self-protected entity to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by such self-protected entity.

There's actually one more thing I don't get about this entire subsection. Why is it even necessary? After all, most companies already have privacy policies, and most of those already say that they may share information with the government in accordance with a court order or when necessary to protect their business, in some cases even without explicit approval by the client. Now, granted, this is coming from the perspective of an individual, and subsection (b) does not apply to individuals (it talks about "protected entities," which are organizations, not people). But I would imagine that businesses have similar agreements in place when they deal with each other. So everything that this piece of CISPA allows was already perfectly legal? The phrase "Notwithstanding any other provision of law" at the start of each paragraph is presumably the answer: it would override any existing statute that restricts such sharing, which a privacy policy cannot do. Maybe it just needed to be explicit, but I still don't see what situation it is meant to fix.

Let's continue on to subsection (c), which governs how the federal government (in particular, the intelligence community) may use any information it receives from private-sector entities.

(c) Federal Government Use of Information-

(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)--

(A) for cybersecurity purposes;

(B) for the investigation and prosecution of cybersecurity crimes;

(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or

(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States Code.

(2) AFFIRMATIVE SEARCH RESTRICTION- The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1)(B).

...

(6) RETENTION AND USE OF CYBER THREAT INFORMATION- No department or agency of the Federal Government shall retain or use information shared pursuant to subsection (b)(1) for any use other than a use permitted under subsection (c)(1).

This piece, considerably reworked from the original bill, allows the government to use information collected under CISPA for cybersecurity purposes and for certain kinds of serious crime prevention, which seem like acceptable additions, but not to search through it for any other purpose. This is probably an improvement over last year's CISPA, but it still suffers from the same vagueness in the definition of "cybersecurity purposes" that I brought up earlier.

(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--

(A) require a private-sector entity to share information with the Federal Government; or

(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.

This bit says that the bill does not give the government the authority to demand information from a private company, or to make its own sharing of intelligence conditional on getting information in return. Compelled disclosure still has to go through whatever process existing law already provides (namely, a search warrant or similar order). It's definitely a good thing to make clear that intelligence agencies are still not allowed to bypass the judicial process: what CISPA permits is voluntary sharing by companies, not warrantless wiretapping. A lot of people get this point wrong.

(4) PROTECTION OF SENSITIVE PERSONAL DOCUMENTS- The Federal Government may not use the following information, containing information that identifies a person, shared with the Federal Government in accordance with subsection (b):

(A) Library circulation records.

(B) Library patron lists.

(C) Book sales records.

(D) Book customer lists.

(E) Firearms sales records.

(F) Tax return records.

(G) Educational records.

(H) Medical records.

This identifies selected pieces of personally identifying information that the government can't use, even if they are shared. The point of this is presumably that, if it gets back to the government that you checked out a couple of books on nuclear engineering, for example, that shouldn't mark you as a terrorist. Good for that, I guess, but I have to wonder where this list came from. I think there should be a more flexible process for marking certain classes of information as protected from government use, probably resulting in a somewhat longer list.

At this point I want to point out one section that existed in the earlier version of CISPA but was removed:

(7) PROTECTION OF INDIVIDUAL INFORMATION- The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.

I think this is meant to be replaced by the section on privacy and civil liberties in section 2 of the act (discussed below under "Federal Government Coordination"), so maybe it isn't a big deal that it was removed, but it's something to be aware of.

One final piece of the U.S.C. amendment that I'm going to talk about, new in this year's CISPA:

(d) Federal Government Liability for Violations of Restrictions on the Disclosure, Use, and Protection of Voluntarily Shared Information-

(1) IN GENERAL- If a department or agency of the Federal Government intentionally or willfully violates subsection (b)(3)(D) or subsection (c) with respect to the disclosure, use, or protection of voluntarily shared cyber threat information shared under this section, the United States shall be liable to a person adversely affected by such violation in an amount equal to the sum of--

(A) the actual damages sustained by the person as a result of the violation or $1,000, whichever is greater; and

(B) the costs of the action together with reasonable attorney fees as determined by the court.

This provides for penalties that the government must bear if it violates the restrictions on how shared information can be used or reshared. In principle, this is a pretty useful section of the bill, but it's hampered by two issues:

  • The restrictions that the bill does include still allow for a wide variety of uses of shared information, and it's not even clear in many cases which uses are allowed and which ones aren't
  • More importantly, there's practically no way for a "person adversely affected by such violation" to find out about it! Remember, information shared under CISPA is exempt from FOIA requests, and there's no requirement to notify the subjects of the shared information.

Federal Government Coordination

This year's version of CISPA includes an entirely new section describing how information is to be shared among the different departments and agencies of the federal government. I just want to go over one paragraph here, the one relating to privacy and civil liberties:

(b) Coordinated Information Sharing-

(5) PRIVACY AND CIVIL LIBERTIES-

(A) POLICIES AND PROCEDURES- The Secretary of Homeland Security, the Attorney General, the Director of National Intelligence, and the Secretary of Defense shall jointly establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government in accordance with section 1104(b) of the National Security Act of 1947, as added by section 3(a) of this Act. Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner--

(i) minimize the impact on privacy and civil liberties;

(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner;

(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;

(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and

(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.

(B) SUBMISSION TO CONGRESS- The Secretary of Homeland Security, the Attorney General, the Director of National Intelligence, and the Secretary of Defense shall, consistent with the need to protect sources and methods, jointly submit to Congress the policies and procedures required under subparagraph (A) and any updates to such policies and procedures.

(C) IMPLEMENTATION- The head of each department or agency of the Federal Government receiving cyber threat information shared with the Federal Government under such section 1104(b) shall--

(i) implement the policies and procedures established under subparagraph (A); and

(ii) promptly notify the Secretary of Homeland Security, the Attorney General, the Director of National Intelligence, the Secretary of Defense, and the appropriate congressional committees of any significant violations of such policies and procedures.

(D) OVERSIGHT- The Secretary of Homeland Security, the Attorney General, the Director of National Intelligence, and the Secretary of Defense shall jointly establish a program to monitor and oversee compliance with the policies and procedures established under subparagraph (A).

Pretty wordy, but the gist is that high-level officials in the Department of Homeland Security, the Department of Justice, the Office of the Director of National Intelligence, and the Department of Defense are tasked with limiting privacy violations and infringements of civil liberties as much as possible. It's definitely a good thing that the law includes some provision for this, but I wonder if it couldn't be a little more specific about what these policies should entail. Besides, the heads of DHS, DOJ, and DOD are not exactly the people I want watching their own organizations for privacy violations. That's understandable, since their job is to prevent crime and maintain security, but I'd like to see more of this responsibility delegated to an independent or semi-independent watchdog, like the Inspectors General.

Conclusion

Bottom line, I think this bill is somewhat improved over last year's version of CISPA, and I definitely think it's not as bad as some hardcore privacy activists would have you believe (or maybe they're just people dead set against anything bearing the name CISPA). Honestly, I can't really get that worked up about the bill in its current form. Sure, there are some changes I'd like to see in it — to repeat myself from the introduction:

  • Require judicial intervention to allow the sharing of personal information without the express approval of the subject, except when necessary to prevent an imminent threat
  • Require that the subject of any shared personal information be notified immediately of what information was shared, except when necessary to protect national security
  • Allow shared information to be subject to the Freedom of Information Act
  • Allow the entity sharing information to specify which department(s) of the government it may be shared with (maybe this is already in there)
  • Allow legal action to proceed against an entity believed to be sharing information improperly, even if the entity asserts they were acting in good faith
  • Create a more flexible process for maintaining a list of classes of information that cannot be used by the government (and perhaps also by private entities)
  • Give an independent or semi-independent watchdog the authority to implement (not just recommend) policies to protect privacy and civil liberties when personal information is shared

I wouldn't go so far as to say I support the bill as is, but it's not the kind of egregious violation of civil liberties that, say, PIPA was. This bill really just doesn't seem to do a whole lot.

If you'd like to weigh in on the legislative process, contact your Senator to voice your opinion! With CISPA having just passed the House, Senators will be particularly receptive to feedback on the bill in the upcoming days and weeks. I'd also suggest reading the bill itself, of course (in its entirety, not just the sections I've quoted here), and other resources, such as the EFF CISPA FAQ and any number of threads on Reddit, if you're into that sort of thing. Just be wary — there's a lot of misinformation out there, so use your judgment!

2012
Nov
21

Our scientific community is in TROUBLE

I was all set to write a lovely blog post about something sciency and then I saw this. It's truly disturbing just how misguided some of the representatives who seek to control science funding and regulation in this country are.

Slashdot pulled out this quote from Rep. Rohrabacher:

My analysis is that in the global warming debate, we won. There were a lot of scientists who were just going along with the flow on the idea that mankind was causing a change in the world's climate. I think that after 10 years of debate, we can show that there are hundreds if not thousands of scientists who have come over to being skeptics, and I don't know anyone [who was a skeptic] who became a believer in global warming.

wtf I don't even

Yes, I did intentionally run off the end of a sentence there.

OK, here's my problem with this: not only does Rep. Rohrabacher not understand the science he's talking about, but he's making up false facts to support his opinion. If he can present valid sources to back up his story, then sure, I'll listen, but I'm fairly positive that "we can show that there are hundreds if not thousands of scientists who have come over to being skeptics" is an outright lie. That sort of thing should be a cardinal sin for a politician in a democratic society.

2012
Nov
06

The win-more effect of indirect elections

It's Election Day (in the US), and I have a relevant post I've been meaning to do for a while.

Suppose you have a binary experiment, one which has two possible outcomes with probabilities p and q = 1-p. For example, voting. (Pretend there are only 2 parties) Overall, let's say people vote Democrat with probability p and Republican with probability q. Now suppose a large number N of people all go out to vote; what can you say about the results?

In a statistical experiment like this, the possible results are drawn from a binomial distribution, in which the probability of getting n Democratic votes (and N - n Republican) is

P(n) = \binom{N}{n}p^n q^{N-n}

The probability that the Democrats will come out ahead is just the sum of all the probabilities for all the outcomes where n is more than half of the total vote: we start at n = \floor*{\frac{N}{2} + 1}, which is the first integer greater than \frac{N}{2}, and add up probabilities all the way to n = N.

P_D(N,p) = \sum_{n=\floor*{N/2 + 1}}^{N}\binom{N}{n}p^n q^{N-n} = 1 - q^N (pq)^{\floor*{\frac{N}{2} + 1}}\binom{N}{\floor*{\frac{N}{2}+1}} \, {}_2F_1\left(1,\ \floor*{1 + \frac{N}{2}}-N;\ 2+\floor*{\frac{N}{2}};\ -\frac{p}{q}\right)

Here {}_2F_1 is the ordinary hypergeometric function.

Well, huh. That's kind of an ugly-looking expression. So let's look at some pictures. Say you have N=9 people voting — an absurdly small country, for sure, but it'll be a good example to see how the probabilities work out.

Probabilities for a 9-person election

This graph shows the probability that the Democrat will win the election as a function of the probability that each of the 9 people will vote for him. For example, suppose you estimate, perhaps based on polling, that each person has a 40% chance of voting for the Democrat. (This is not quite the same as estimating that 40% of people will vote for the Democrat, but for much larger numbers of people, it'll be close.) Look for 0.4 on the bottom axis of the graph, follow it up until you hit the red-blue boundary, and you find that you're at about 27% on the vertical axis. So in this situation, the Democrat has a 27% chance of winning the election.

Let's try another one. Same setup, but now with 99 people voting, not just 9.

Probabilities for a 99-person election

You can immediately tell that this graph stays closer to 0 on the left and closer to 1 on the right, and is a lot steeper in the middle. When the graph does that, it means that the candidate who is favored to win, whichever one it is, is even more likely to win. In other words, a graph that stays close to 0 and 1 at the ends and has a steep slope in the middle indicates that the probability of an upset is very low.

For example, if you suppose each person has a 40% probability of voting for the Democrat, in this case that gives him only a 2% chance of winning — much less than the 27% in the 9-person election! This is what I call the "win-more effect": even if a candidate has a tiny advantage in each individual person's vote, when you put together a large number of people, that candidate will be overwhelmingly likely to win.

Take a look at one more fairly extreme case: N=3000, which is roughly the sample size used by some public opinion polls. (Don't quote me on that, I'm not positive.)

Probabilities for a 3000-person election

Here the slope in the middle is almost vertical. A candidate who has a 40% chance of winning any individual vote has essentially zero chance of winning the overall election. But it's not perfectly vertical; if the race is close, like 49% to 51%, the losing candidate still has a 13% chance to pull off an upset! The win-more effect "ramps up" very quickly for small numbers of people, but very slowly for larger numbers, so that if a race is very close in the popular vote, it can still be competitive even for a huge voting population.

Indirect elections

Of course, in the United States, our presidential election is more complicated than that. We don't vote directly for the president; instead we choose electors who will go on to cast the actual votes. This is called an indirect election, and it modifies the effectiveness of the win-more effect — but perhaps not in the way you'd think!

Let me go back to that first example with 9 people in the election. But this time, suppose the 9 people are just the population of one of several states in a larger country. To make the numbers work out, I'll say there are 11 states, each with 9 residents, for a total of 99 people.

Hopefully it's clear that if these 99 people in 11 states are choosing a president using an indirect election (like the US electoral college), the graph I made above for the 99-person election doesn't necessarily apply anymore. What we need to do this time is think of the election in two stages:

  1. First, there are 11 individual elections with 9 voters each. I've already crunched the numbers and shown the graph for an election of 9 voters, and for any given probability p that an individual voter will choose the Democrat, we can calculate the probability P_D(9,p) that any one state of 9 people will go to the Democratic candidate. (P_D is the ugly function I derived at the top of this post, the same one plotted in the graphs above.)
  2. The second level is effectively another election where the states are the voters. In this second-level election, there are 11 participants, and for each one the probability of casting a Democratic vote is P_D(9,p), just the output probability from the first step. So the overall probability of a Democratic candidate winning is P_D(11,P_D(9,p)).

Naturally, I can also do the analogous calculation for the probability of a Republican winning, and I'd get P_R(11,P_R(9,p)). These had better add up to 1 if the calculation is to make sense. And they do:

Probabilities for an 11x9 indirect election

Now this is an interesting result! Let's look at how the graph for the indirect election, the red-blue boundary, compares to the graph for the 99-person direct election, which I've added in as a dashed black line. The curve for the indirect election is less steeply sloped near the center, which means the win-more effect is less prevalent in this indirect election: having an upset is actually more likely! For example, if people have a 40% chance to vote for the Democratic candidate, that gives him a 2.2% chance of winning in a direct election but a 4.6% chance of winning an indirect election, more than twice as likely.
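As an added example (this is not code from the original post), here is a short Python script that evaluates P_D(N,p) directly from the binomial sum given at the top of the post and then composes it for the two-stage election exactly as described in steps 1 and 2 above. It reproduces the figures quoted in the text: about 27% for 9 voters at p = 0.4, about 2% for 99 voters, 4.6% for the 11-states-of-9 indirect election, and roughly 13% for a 49/51 race with 3000 voters. The threshold floor(N/2 + 1) and the parameters are the post's; the function names, the log-space summation (so that N = 3000 does not overflow a float), and the constructed comparison table are mine.

```python
from math import exp, floor, lgamma, log


def majority_threshold(n_voters: int) -> int:
    """First vote count that is strictly more than half of N: floor(N/2 + 1).

    For odd N this is (N+1)/2; for even N a tie is not counted as a win.
    """
    return floor(n_voters / 2 + 1)


def p_win(n_voters: int, p: float) -> float:
    """P_D(N, p): probability that a candidate who wins each of N independent
    votes with probability p ends up with a strict majority.

    Sums C(N,k) p^k q^(N-k) for k from floor(N/2 + 1) to N. Each term is
    evaluated in log space via lgamma so that large N (e.g. 3000) does not
    overflow; for small N this agrees with the plain binomial sum.
    """
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    q = 1.0 - p
    log_n_fact = lgamma(n_voters + 1)
    total = 0.0
    for k in range(majority_threshold(n_voters), n_voters + 1):
        log_term = (log_n_fact - lgamma(k + 1) - lgamma(n_voters - k + 1)
                    + k * log(p) + (n_voters - k) * log(q))
        total += exp(log_term)
    return min(total, 1.0)  # guard against tiny floating-point excess


def p_win_indirect(n_states: int, voters_per_state: int, p: float) -> float:
    """Two-stage (electoral-college style) election with equal-sized states.

    Stage 1: each state of `voters_per_state` people goes to the candidate
    with probability p_win(voters_per_state, p).
    Stage 2: the states themselves vote, so the result is
    p_win(n_states, p_win(voters_per_state, p)).
    """
    state_prob = p_win(voters_per_state, p)
    return p_win(n_states, state_prob)


def compare_direct_indirect(n_states: int, voters_per_state: int, p: float) -> dict:
    """Direct popular vote over all voters versus the indirect election,
    for the same per-voter probability p. Returns both numbers and the ratio
    of the indirect to the direct win probability (the "upset" factor)."""
    direct = p_win(n_states * voters_per_state, p)
    indirect = p_win_indirect(n_states, voters_per_state, p)
    ratio = indirect / direct if direct > 0.0 else float("inf")
    return {"direct": direct, "indirect": indirect, "ratio": ratio}


if __name__ == "__main__":
    # Constructed sample inputs matching the cases discussed in the post.
    print(f"9 voters,  p=0.40 -> {p_win(9, 0.40):.4f}")
    print(f"99 voters, p=0.40 -> {p_win(99, 0.40):.4f}")
    print(f"3000 voters, p=0.49 -> {p_win(3000, 0.49):.4f}")
    for p in (0.35, 0.40, 0.45, 0.49):
        r = compare_direct_indirect(11, 9, p)
        print(f"p={p:.2f}: direct {r['direct']:.4f}, "
              f"indirect (11 states x 9) {r['indirect']:.4f}, ratio {r['ratio']:.2f}")
```

Because the per-state and per-bloc sizes are both odd, there are no ties at either stage, so p_win_indirect(11, 9, p) and p_win_indirect(11, 9, 1 - p) add to 1, which is the consistency check the post mentions. With even-sized blocs, majority_threshold treats a tie as a loss for the candidate, so the two would no longer sum to 1 and a tie-breaking rule would have to be modeled explicitly.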

Honestly, that's not what I expected to find.

I know it's not really well justified to extend this conclusion to real elections, because there are so many differences and complications in a real election that I haven't accounted for: the states are different sizes, different people have different probabilities of voting one way or another, and in fact you can't even measure those probabilities in many cases. Still, I feel like the general conclusion, that indirect elections temper the win-more effect, should be relevant. If it is, we'd expect to see that the results of the electoral college vote are statistically closer than the results of the popular vote, in some sense. I'm not quite sure how you would do the analysis to figure out whether that's correct, but maybe that's best left for next year.

Right now, it's time for me to head off to the polls. FOR SCIENCE!

2012
Oct
09

A call to remove Paul Broun from the House Science Committee

I haven't written about the Paul Broun controversy before, since it's been widely covered on other blogs, but now that something (even if trivial) is being done about it, I thought it would be important to spread the word. This is one of the most important things I've posted about in a long time, so I do hope you'll read to the end and seriously consider signing the petition to remove him from his current position.

Just a few weeks ago, Representative Broun (R-GA) said this in a speech to his constituents:

All that stuff I was taught about evolution and embryology and the Big Bang Theory, all that is lies straight from the pit of Hell. And it’s lies to try to keep me and all the folks who were taught that from understanding that they need a savior. You see, there are a lot of scientific data that I’ve found out as a scientist that actually show that this is really a young Earth. I don’t believe that the Earth’s but about 9,000 years old. I believe it was created in six days as we know them. That’s what the Bible says.

(requoted from the Bad Astronomer)

Now, I'm not going to argue that this statement violates the separation of church and state encoded in the First Amendment. The whole point of that amendment is that everyone has a right to practice their choice of religion, and so there's nothing wrong with a person holding Christian beliefs. But what Representative Broun says here goes beyond that, for two critically unforgivable reasons:

  1. He specifically calls out scientific results as "lies straight from the pit of Hell." Not cool, dude. See, being a good Christian doesn't mean that you have to doubt science, because science is not a competitor to religion. Science is nothing more or less than the process of learning about nature by studying nature itself. Or if you're religious, it's the process of learning about God's creation by studying God's creation itself. Either way, the kind of mindset that would cause a man to put so much faith in a book that he would deny reality has no place in government. Ignoring what's happening in the world around you does not lead to responsible decision-making.
  2. Representative Broun is on the House Science Committee! These are the people who are supposed to be advocating for the needs of scientists in government, and overseeing the US government's relationship with the scientific community. It's downright irresponsible for any of them to be so vehemently opposed to the very community they are supposed to represent. Analogy time: how would you feel if Osama bin Laden had become the President of the United States? (I know he's dead, it's a hypothetical situation... okay, fine, Zombie Osama bin Laden.)

But wait, there's more!

And what I’ve come to learn is that it’s the manufacturer’s handbook, is what I call it. It teaches us how to run our lives individually, how to run our families, how to run our churches. But it teaches us how to run all of public policy and everything in society. And that’s the reason as your congressman I hold the Holy Bible as being the major directions to me of how I vote in Washington, D.C., and I’ll continue to do that.

I am going to argue that this statement violates the separation of church and state. Because it does. The entire point of the First Amendment is to prevent our government from instituting laws based on any one religion.

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Simply by making these statements, Representative Broun has come dangerously close to violating one of our most important laws. This is the kind of behavior that potentially deserves impeachment proceedings. When a government official doesn't uphold the laws that regulate the performance of his official duties, he needs to be removed from office. The American people shouldn't tolerate such blatant powermongering.

At this point I'm running out of coherent things to write, simply because seeing this sort of bullshit from a political official makes me that mad. So I'll wrap it up here, and while I'm not going to tell anyone what to think, I really hope you'll agree that something needs to be done about Representative Broun's status. If you do, please go sign the online petition to remove him from the Science Committee. It doesn't carry any legal weight or anything like that, but with enough endorsements it will make the point that a lot of people see something seriously wrong going on, and that's sure to inspire some more substantive action.

2012
Apr
23

A close look at CISPA

You may remember that about three months ago, the internet erupted in an uproar over two copyright protection bills, SOPA and PIPA, which were working their way through the House of Representatives and the Senate, respectively. Now there is another bill, the Cyber Intelligence Sharing and Protection Act (CISPA), which has many of the same people concerned. Indeed, a lot of privacy advocates are warning that CISPA is even worse than SOPA and PIPA. But other people are saying that it's nowhere near as bad. One way or another, there seems to be a lot of misinformation floating around about this bill, so just as I did with PIPA, I thought it would be useful to go straight to the source and see what CISPA is really about.

As usual, this post comes with the standard disclaimer that I am not a lawyer and this is not legal advice. I make no guarantees about the correctness of this information. If you're concerned about specific effects that CISPA could have on you personally, check with a lawyer.

Now then, to the source. The text of the bill itself can be found on the Library of Congress website as House Resolution 3523. It consists of an addition to title 50 of the United States Code, which deals with national security. The proposed addition starts out as follows:

Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector--

(1) IN GENERAL- The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.

This basically sums up a large part of what people consider to be the problem with CISPA. It allows the government, or more precisely the national intelligence community (FBI, CIA, NSA, and other such organizations) to share information they have collected with private-sector entities, like businesses. Now, I don't know exactly what information our intelligence agencies collect on U.S. residents, but it stands to reason that if they wanted it, they could have access to phone records and the content of phone calls, emails, personal information like your address history and phone number history, your employment history and credit history, all your financial information, most of your shopping preferences, large parts of your web browsing history, and assorted other information. Obviously, government agencies can get far more information on your life and habits than private businesses or random people can. If a channel is opened up by which businesses can get a share of that information, they'd have a field day — and who knows what kinds of nefarious tricks they could pull with it?

But let's hold on a minute. The capacity for information sharing that CISPA introduces comes with restrictions, which are spelled out by the next paragraph of the bill.

(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE- The procedures established under paragraph (1) shall provide that classified cyber threat intelligence may only be--

(A) shared by an element of the intelligence community with--

(i) certified entities; or

(ii) a person with an appropriate security clearance to receive such cyber threat intelligence;

(B) shared consistent with the need to protect the national security of the United States; and

(C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure.

A "certified entity" is defined in subsection (g) of the bill as follows:

(1) CERTIFIED ENTITY- The term `certified entity' means a protected entity, self-protected entity, or cybersecurity provider that--

(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and

(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.

and in turn, "protected entity," "self-protected entity," and "cybersecurity provider," and the related term "cybersecurity purpose," are defined as

(4) CYBERSECURITY PROVIDER- The term `cybersecurity provider' means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.

(5) CYBERSECURITY PURPOSE- The term `cybersecurity purpose' means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

(7) PROTECTED ENTITY- The term `protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.

(8) SELF-PROTECTED ENTITY- The term `self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.'

OK, soo... if I'm getting this right, certified entities are basically businesses or organizations that either produce or use (or both) computer security technology, and either have or are eligible for a certain level of security clearance, and which confirm that they are capable of protecting whatever information they receive from unauthorized use. Sure, simply being capable of obtaining a security clearance, and being capable of protecting information, is not saying much. That's where subparagraph (C) comes in; it actually requires these certified entities to protect the information they're given. In essence, the bill is setting up the framework to ensure that, once privileged information leaves the intelligence community, it doesn't go any further.

Now, what sort of information gets out in the first place? That is loosely addressed by subparagraph (B), which says that the government can only share information as necessary to protect national security. There are a couple of problems I have with this statement, though. First of all, it's really vague on what exactly is necessary to protect national security. I understand that intelligence services need to have flexible tools to deal with problems that they haven't anticipated, and it would hinder their work to specify a complete list of circumstances under which information could be shared outside the government, but I really feel like some restrictions could be put in place here — for example, sharing information might only be allowed

  1. when necessary to get access to additional information for which the private entity is the only source, or
  2. when necessary to facilitate the cooperation of the private entity in an ongoing investigation; and
  3. in the face of an imminent threat to national security such that the delay required to go through legal proceedings in a court (i.e. getting a warrant) could lead to property damage or loss of life.

It might be necessary to create some additional procedure by which a court could approve a request to share information with the private sector, since warrants are usually used to take things, not to give them out (as far as I know), but certainly that could be part of the bill as well. Honestly, I'm not sure exactly what sorts of situations prompted this bill to be written, and so I'm not sure what sorts of restrictions would be appropriate. But if history is any indication, intelligence agencies will try pretty hard to pass all sorts of things off as being required in the name of national security, and the current wording gives them free rein to do just that. And as with any organization, there are almost certainly going to be a few people in the intelligence community who would abuse that power.

The other thing that bothers me about this is that there is no accountability for what information gets shared and why it had to be shared. Later on in the bill, subsection (d) specifically, there is a provision that specifies that any sharing of information with the federal government under this act must be described in an annual report to Congress. But it says nothing about information shared by the federal government.

(d) Report on Information Sharing--

(1) REPORT- The Inspector General of the Intelligence Community shall annually submit to the congressional intelligence committees a report containing a review of the use of information shared with the Federal Government under this section, including--

(A) a review of the use by the Federal Government of such information for a purpose other than a cybersecurity purpose;

(B) a review of the type of information shared with the Federal Government under this section;

(C) a review of the actions taken by the Federal Government based on such information;

(D) appropriate metrics to determine the impact of the sharing of such information with the Federal Government on privacy and civil liberties, if any; and

(E) any recommendations of the Inspector General for improvements or modifications to the authorities under this section.

(2) FORM- Each report required under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

I for one would feel much better knowing that if somebody is abusing the ability to share classified information, there is at least a framework set up for that to be reported to a higher authority. (Not that I really trust Congress, but like it or not, it is their job to oversee intelligence activities.)

Whew. OK. Let's move on to the next part of the bill, subsections (b) and (c), which deal with the reverse process, namely when private-sector entities share information with federal intelligence services.

(b) Private Sector Use of Cybersecurity Systems and Sharing of Cyber Threat Information-

(1) IN GENERAL-

(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and

(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and

(ii) share such cyber threat information with any other entity, including the Federal Government.

This part seems straightforward enough; it's basically saying that a technology security company can share with the government (or anyone else) information about threats to its systems or its clients' resources, with the explicit permission of the client, when doing so is necessary for the company to do its job of protecting the client.

(2) USE AND PROTECTION OF INFORMATION- Cyber threat information shared in accordance with paragraph (1)--

(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information;

(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and

(C) if shared with the Federal Government--

(i) shall be exempt from disclosure under section 552 of title 5, United States Code;

(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; and

(iii) shall not be used by the Federal Government for regulatory purposes.

And this part specifies conditions on when and how that information can be shared: basically that it has to be done in accordance with the company's own privacy policy, and that it can't be used for inappropriate purposes (though I'm not positive that "can't be used for competitive advantage" really covers all the inappropriate purposes one could come up with). It also says that information shared with the government is exempt from Freedom of Information Act requests, which is a pretty necessary stipulation, so it's good to see that that was included.

(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--

(A) for using cybersecurity systems or sharing information in accordance with this section; or

(B) for not acting on information obtained or shared in accordance with this section.

This paragraph is an interesting inclusion mostly because of the second item, which provides immunity from prosecution for declining to use any of this cybersecurity information. I like this clause because it means that, if you're ever not sure about the legal status of some information shared pursuant to this act, the safe "default" course of action is to just leave it alone, and that way there will be no legal consequences. This is much better than the alternative of providing immunity from prosecution for people who believed they were acting in compliance with CISPA but who actually weren't.

There is one thing I don't get about this subsection, though. Why is it even necessary? After all, most companies already have privacy policies, and most of those already say that they may share information with the government in accordance with a court order or when necessary to protect their business, in some cases even without explicit approval by the client. Now, granted, this is coming from the perspective of an individual, and subsection (b) does not apply to individuals (it talks about "protected entities," which are organizations, not people). But I would imagine that businesses have similar agreements in place when they deal with each other. So everything that this piece of CISPA allows was already perfectly legal? Maybe it just needed to be explicit, but I just don't see the point.

There's one more piece of the bill that I want to look at, and that is subsection (c), which governs how the federal government (in particular, the intelligence community) may use any information it receives from private-sector entities.

(c) Federal Government Use of Information-

(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if--

(A) the use of such information is not for a regulatory purpose; and

(B) at least one significant purpose of the use of such information is--

(i) a cybersecurity purpose; or

(ii) the protection of the national security of the United States.

OK, so they can't use it to influence policymaking, or at least that's what I assume "not for a regulatory purpose" is supposed to mean. But would it be so hard to just prohibit using this information for any purpose other than protecting national security? I feel like that would be a lot cleaner, and it closes the loophole of someone thinking up a wacky way to use shared information that is not regulatory but not intelligence-related either.

(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--

(A) require a private-sector entity to share information with the Federal Government; or

(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.

This final piece (that I'm going to talk about) says that the bill does not give the government the authority to demand information from a private company, at least not in any way that isn't already permitted by existing laws (namely, with a search warrant). It's definitely a good thing to make clear that intelligence agencies are still not allowed to bypass the judicial process; CISPA does not enable warrantless wiretapping and the like.

So where does that leave us? Well, there are a lot of people saying CISPA is worse than SOPA and PIPA. I do not agree. The thing that particularly bothered me about the PROTECT-IP Act was that it allowed the government to take highly restrictive actions against website operators without going through the judicial process to determine whether those website operators had actually done anything wrong. It tinkered with the "innocent until proven guilty" mantra that our justice system is (supposed to be) based on. CISPA does not. In fact, as I pointed out above, there are a couple of clauses inserted which effectively prevent the intelligence community from escaping judicial oversight (any more than they already do).

On the other hand, CISPA does enable some channels for information sharing which, in my opinion, are not sufficiently regulated and monitored. If Wikipedia is to be believed, the bill's sponsors are considering another round of changes that may help close some of the loopholes I've identified, but that's still tentative; besides, if you're the type of person who is a little more concerned about privacy than I am, then the idea of this information sharing in any form probably seems pretty bad. I'll probably be contacting my representatives about this, and whatever your opinion about it, I encourage you to do the same!

2012
Jan
19

Senator Ron Wyden gets it

Ron Wyden, senator from Oregon, released a very insightful letter yesterday in support of the SOPA blackout.

Protect IP (PIPA) and the Stop Online Piracy Act (SOPA) are a step towards a different kind of Internet. They are a step towards an Internet in which those with money and lawyers and access to power have a greater voice than those who don’t. They are a step towards an Internet in which online innovators need lawyers as much or more than they need good ideas. And they are a step towards a world in which Americans have less of a voice to argue for a free and open Internet around the world.

See the full letter on Sen. Wyden's site.

2012
Jan
18

PROTECT-IP: the source

Yesterday, I made a post about the PROTECT-IP Act, explaining in some detail why it's such a dangerous proposition. But if you're like me, maybe you're tired of hearing second-hand arguments. You're not scared of a little legalese, and you want to check out the original source, Senate resolution 968 itself. Well, great! That's what this blog is really (or at least tries to be) about, and that's what I'm going to do in this post.

I have two goals here. For one thing, I'm trying to correct some of the misinformation that may be floating around on the web about PIPA. But I also want to make the point that laws aren't as scary as you might think. When you take a good, close look at them, it's not that hard to understand what is being said — sure, not well enough to argue them in court (unless you're a lawyer), but you can get a pretty decent sense of what is and isn't allowed.

This comes with two standard disclaimers:

  1. I am strongly opposed to PIPA (and SOPA). This post is an attempt to convince others to share that view. But it's more of a justification of my opinion than a rant about it. I've tried to include enough direct quotes to make it clear why I oppose this bill, and to hopefully allow you to come to the same conclusion; I'm not saying you should agree with me just because I say so. The point: keep an open mind, and whatever opinion you have, make sure you know why you have it.
  2. I am not a lawyer and this is not legal advice. I make no guarantees about the correctness of this information. If you're concerned about specific effects that PIPA or SOPA could have on you personally, check with a lawyer.

Definition of Copyright Infringement

PIPA, for all the fuss people have been making about it, really just builds on existing copyright laws. So it makes sense to start by examining those laws, which are contained in title 17 of the United States Code.

Title 17 is a very long document, but there are three short parts that are especially relevant for interpreting PIPA. First, section 106 (or in the standard notation, 17 U.S.C. §106) defines six rights that are reserved to the holder of a copyright:

Subject to sections 107 through 122, the owner of copyright under this title has the exclusive rights to do and to authorize any of the following:

(1) to reproduce the copyrighted work in copies or phonorecords;

(2) to prepare derivative works based upon the copyrighted work;

(3) to distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending;

(4) in the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works, to perform the copyrighted work publicly;

(5) in the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work, to display the copyrighted work publicly; and

(6) in the case of sound recordings, to perform the copyrighted work publicly by means of a digital audio transmission.

In short: copying, modification, distribution, public performance or display, and broadcasting all require the copyright holder's consent. If you do any of these things without having permission from the copyright holder, this is defined by section 501 as copyright infringement.

(a) Anyone who violates any of the exclusive rights of the copyright owner as provided by sections 106 through 122 or of the author as provided in section 106A (a), or who imports copies or phonorecords into the United States in violation of section 602, is an infringer of the copyright or right of the author, as the case may be.

In addition to the six actions mentioned above, it's also illegal to provide specific information that allows someone else to bypass technological measures which prevent them from infringing copyright. For example, the contents of DVDs are encrypted, and distributing the software that allows people to break the encryption and use the DVD is illegal — unless you have permission from whoever owns the copyright on the DVD contents. Section 1201 has the details. It's kind of long, but here are some of the important parts:

(a) Violations Regarding Circumvention of Technological Measures.

(1)

(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title....

....

(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—

(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

(C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

and so on. (If you're about to complain that I'm taking this out of context, great! Go read it yourself.)

The laws I've listed above, sections 501 and 1201, are referenced by the PROTECT-IP Act in its definition of "internet site dedicated to infringing activities." The following text occurs in section 2 of the bill:

(7) the term 'Internet site dedicated to infringing activities' means an Internet site that--

(A) has no significant use other than engaging in, enabling, or facilitating the--

(i) reproduction, distribution, or public performance of copyrighted works, in complete or substantially complete form, in a manner that constitutes copyright infringement under section 501 of title 17, United States Code;

(ii) violation of section 1201 of title 17, United States Code; or

(iii) sale, distribution, or promotion of goods, services, or materials bearing a counterfeit mark, as that term is defined in section 34(d) of the Lanham Act; or

(B) is designed, operated, or marketed by its operator or persons operating in concert with the operator, and facts or circumstances suggest is used, primarily as a means for engaging in, enabling, or facilitating the activities described under clauses (i), (ii), or (iii) of subparagraph (A);

This definition winds up being the legal basis for the enforcement procedures in later sections of the bill. In other words, if you get sued or prosecuted under PIPA, it will be because you allegedly violated one of these existing laws, 17 U.S.C. §501 or §1201. This is why, in my previous post, I wrote that PIPA doesn't add anything new to copyright infringement — for ordinary citizens, it doesn't make anything illegal that wasn't already illegal. It does require certain behaviors from ISPs, DNS providers, payment gateways, and advertisers, but we'll get to that later.

Legal Responses to Infringing Content

What PIPA does do is drastically increase the allowable penalties for having copyrighted material hosted on your site. This is one of the parts that many people find particularly objectionable about it (and SOPA).

DMCA Safe Harbor Provision

At issue is the fact that a lot of websites these days get much of their content from contributions by their users. And it's possible that some of those contributions are infringing material. Under the direct interpretation of 17 U.S.C. §501, the website hosting the content is legally liable for this, because by hosting the content and allowing others to download it, they are either distributing it or publicly displaying it, perhaps depending on how technically-minded you are.

Currently, the law that governs the consequences of online copyright infringement is the Digital Millennium Copyright Act. It's gotten its fair share of complaints, but it's nowhere near as restrictive as SOPA and PIPA. One of the main reasons the DMCA has been considered tolerable is codified in 17 U.S.C. §512, of which an excerpt follows:

(c) Information Residing on Systems or Networks At Direction of Users.—

(1) In general.— A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider, if the service provider—

(A)

(i) does not have actual knowledge that the material or an activity using the material on the system or network is infringing;

(ii) in the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent; or

(iii) upon obtaining such knowledge or awareness, acts expeditiously to remove, or disable access to, the material;

(B) does not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity; and

(C) upon notification of claimed infringement as described in paragraph (3), responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity.

This snippet is part of what is known as the Online Copyright Infringement Liability Limitation Act, at least according to Wikipedia. Most people just call it the safe harbor provision. Essentially, it means that if you're operating an online service on which somebody has uploaded material that infringes copyright, you're not legally liable for the infringement, as long as you take the material offline upon receiving a proper notice. This puts the primary responsibility for avoiding copyright infringement on the users who upload it, not on the host. It allows sites like Facebook, Wikipedia, and Reddit (and millions of others) to exist without having to actively monitor the material uploaded by their users for copyright violations.

PROTECT-IP

Under PIPA, it's a whole different story. This bill doesn't contain anything analogous to the DMCA safe harbor provision. What it does contain is the following piece, in section 3, which allows the U.S. Attorney General to obtain a court order calling for legal action against a foreign site (more on this later) suspected of copyright infringement.

(1) IN GENERAL- On application of the Attorney General following the commencement of an action under this section, the court may issue a temporary restraining order, a preliminary injunction, or an injunction, in accordance with rule 65 of the Federal Rules of Civil Procedure, against the nondomestic domain name used by an Internet site dedicated to infringing activities, or against a registrant of such domain name, or the owner or operator of such Internet site dedicated to infringing activities, to cease and desist from undertaking any further activity as an Internet site dedicated to infringing activities, if--

(A) the domain name is used within the United States to access such Internet site; and

(B) the Internet site--

(i) conducts business directed to residents of the United States; and

(ii) harms holders of United States intellectual property rights.

Note that all of the following measures can be imposed based on only a court order. Not a full trial. All that is needed is for a judge to sign off on it.

Later on in the section, PIPA specifies the actions that can be taken against alleged copyright infringers:

(d) Required Actions Based on Court Orders-

(2) REASONABLE MEASURES- After being served with a copy of an order pursuant to this subsection:

(A) OPERATORS-

(i) IN GENERAL- An operator of a nonauthoritative domain name system server shall take the least burdensome technically feasible and reasonable measures designed to prevent the domain name described in the order from resolving to that domain name's Internet protocol address....

This requires operators of DNS nameservers to remove all DNS records of the infringing domain, so the site can't be accessed by name. For example, if the DNS records for this site were removed, www.ellipsix.net would no longer resolve to my server's IP address, 69.164.216.133, and you would have to know those numbers in order to access this site. If the nameservers that hold these records are not under U.S. jurisdiction, ISPs would be required to present "fake" DNS records which lead you to the wrong website when you type the domain name into your browser. This would be a Bad Thing because the way DNS works, servers all over the world have to sync up with each other, and trust that they are in sync. PIPA's DNS provisions would break that, and instead require that U.S.-based DNS servers provide different information from foreign servers, which could potentially wreak havoc on the system. Besides, in practice, it's pretty easy to register another domain name for any given site, which makes this particular countermeasure fairly ineffective.

(B) FINANCIAL TRANSACTION PROVIDERS- A financial transaction provider shall take reasonable measures, as expeditiously as reasonable, designed to prevent, prohibit, or suspend its service from completing payment transactions involving customers located within the United States and the Internet site associated with the domain name set forth in the order.

This prohibits banks and other financial institutions (like PayPal) from brokering transactions between anyone in the United States and the infringing site. If this provision were invoked on an online business, it would completely shut down their ability to operate within the U.S. Or, applied to a nonprofit foundation, it cuts off their ability to receive donations from Americans.

(C) INTERNET ADVERTISING SERVICES- An Internet advertising service that contracts with the Internet site associated with the domain name set forth in the order to provide advertising to or for that site, or which knowingly serves advertising to or for such site, shall take technically feasible and reasonable measures, as expeditiously as reasonable, designed to--

(i) prevent its service from providing advertisements to the Internet site associated with such domain name; or

(ii) cease making available advertisements for that site, or paid or sponsored search results, links or other placements that provide access to the domain name.

This subparagraph prohibits online advertising agencies from displaying ads on the infringing site, and from displaying ads for the infringing site. Like the previous item, this would drastically limit an online business's ability to reach out to potential customers, and it also prevents sites of all sorts from gaining revenue by displaying ads. This is a reasonable tactic to take against websites that truly are devoted to infringing activities, because advertisements are often how they make their money. But without the proper procedures to ensure that it doesn't get misused, it's a dangerous provision.

(D) INFORMATION LOCATION TOOLS- A service provider of an information location tool shall take technically feasible and reasonable measures, as expeditiously as possible, to--

(i) remove or disable access to the Internet site associated with the domain name set forth in the order; or

(ii) not serve a hypertext link to such Internet site.

This last subparagraph requires search engines and similar sites, potentially including anything that links to other sites (i.e. any website in existence), to remove from their listings any results for the infringing site. Outside of China, most (useful) content on the web is found through U.S.-based search engines, specifically Google, Bing, and Yahoo. Forcibly removing a site from all their results will flat-out kill it.

Of course, as with the advertising clause, if a true copyright infringement site gets hit with this, then good, the law is working. But in a case of mistaken identity, overzealous prosecution, or judicial corruption (rare, but it happens), if a non-infringing site like Wikipedia is removed from search engine results, the consequences will be pretty disastrous. Just think, what would it be like if today's Wikipedia blackout were permanent, and you couldn't get around it by hitting Esc at the right time?

There are similar provisions in section 4 which allow the copyright holder (in addition to the Attorney General) to take similar actions. But there are a couple of key differences:

  • Section 4 applies to domestic sites, or rather domestic domain names, whereas section 3 applies to foreign domain names.
  • Section 4 only compels financial institutions and advertising networks to cut ties with the site. It doesn't say anything about DNS or search engines.

Still, that's a pretty heavy hammer to hit a site with. It may not take them entirely offline, at least not directly, but it does cut off the site's financial support, and any website that's reasonably popular needs that financial support to survive.

Proactive Takedowns

In sections 3 and 4, PIPA specifies that the U.S. Attorney General or a copyright holder can initiate legal action against a website they allege to be infringing copyright. But that's not the end of it. Section 5(a) goes beyond that and actually encourages financial institutions and advertising services to proactively cut off websites for suspected copyright violations by providing them with legal immunity for doing so.

(a) In General- No financial transaction provider or Internet advertising service shall be liable for damages to any person for voluntarily taking any action described in section 3(d) or 4(d) with regard to an Internet site if the entity acting in good faith and based on credible evidence has a reasonable belief that the Internet site is an Internet site dedicated to infringing activities.

In other words, as long as they act with a "reasonable belief" that the website is "dedicated to infringing activities", the financial institution or ad provider suffers no legal consequences for terminating their relationship with the site, regardless of whether the alleged copyright infringement turns out to be valid or not. There are a couple of problems with this: first of all, it encourages what is effectively virtual vigilante justice, in which websites are subject to disciplinary action, with legal force, but without going through the full process of the American justice system. But perhaps more worrying is the fact that "reasonable belief" can be twisted to mean all sorts of things. Admittedly I can understand Congress's motivation to give companies some flexibility to stamp out online copyright infringement — but when you have the ability to completely "bury" a website, that ability needs to be strictly controlled.

Applicability

PIPA uses the phrase "nondomestic domain name" in several places, especially in section 3, which (if you remember) specifies the actions that the Attorney General can bring against foreign sites with a court order. Some supporters of the bill argue that this provision prevents it from being used against, for lack of a better term, "good" websites — the ones that are obviously not copyright infringers, and are just trying to make the internet a better place.

But there's a problem with that. Look at the definition in section 2:

(9) the term 'nondomestic domain name' means a domain name for which the domain name registry that issued the domain name and operates the relevant top level domain, and the domain name registrar for the domain name, are not located in the United States;

The internet is a global network, where boundaries between different countries often get blurred. It's not at all uncommon that a website uses a domain name from one country, a registrar in a different country, and a hosting service in yet another country. For example, a lot of major websites operate URL shorteners whose domain names, like bit.ly, are registered with foreign registrars to take advantage of various two-letter country codes. All of those qualify as nondomestic for purposes of PIPA. On the other hand, a website registered with a U.S. domain name won't necessarily operate in the U.S. In particular, the major top-level domains like .com and .net are operated by American registrars. Many sites thus qualify as domestic under PIPA even though the U.S. government ostensibly has no jurisdiction over them.

Besides all that, the fact is that many internet companies have multinational operations. Domain name registrars can have servers in many different countries, and can distribute their operations among these servers in various ways, which potentially allows the domains they host to be considered either domestic or nondomestic depending on when a court order is issued against them. Many larger websites themselves have operations in multiple countries — they may host files on content delivery networks which have servers around the world, and they may hold multiple domain names registered in different countries. Example: Google holds google.com, google.ca, google.co.uk, and a whole bunch of others. All of this makes it pretty murky to determine whether any given website is actually considered domestic or nondomestic, and there's no guarantee that the answer you get will really make sense.

Conclusions

So what are we going to do about all this? If you agree that these bills would be dangerous for the internet, contact your senators and representatives and ask them to vote against SOPA (H.R. 3261) and PROTECT-IP (S. 968)! Information on how to do that is all over the web, especially on several of the major websites which are blacked out today:

  • Wikipedia will show you contact information for your representatives based on your ZIP code
  • Google lets you add your name to a petition that will demonstrate the level of nationwide opposition to the bills
  • Reddit is a continuing source of information (decidedly in opposition) on both bills
  • American Censorship maintains a contact form for your representatives in Congress
  • The full text of each bill can always be accessed through the Library of Congress:
  • You can also have a look at some other posts I've written about these bills
  • Finally, get out and spread the word among your friends!

2012
Jan
17

Why is PROTECT-IP so bad?

As I recently posted, SOPA and PIPA, the bills that represent the next step in the media industries' war on piracy (or, to be fair, what they call piracy), have been getting increasing amounts of attention. And it's bringing results: just yesterday, the Stop Online Piracy Act (SOPA) was pulled from consideration in the House of Representatives.

While this is a big win for the internet, it's only part of the battle, because the PROTECT-IP Act (PIPA), a nearly identical bill, is still scheduled for a vote in the Senate on January 24, a week from today. So it's still not too late to contact your senators and ask them to oppose the bill! Wikipedia has also joined the cause, pledging to black out its site tomorrow to raise awareness.

The Problem with PIPA

A friend of mine recently made a post about SOPA on the FreshySites blog which I think shows how some of the information about what these bills do has been distorted as it's traveled around the web. With the blackouts of Wikipedia, Reddit, and other sites poised to draw a lot of public attention to the bills, I thought this would be an opportune time to clarify exactly why PIPA is so bad.

Contrary to what some people are saying, PIPA does not actually change the definition of copyright infringement. It doesn't make anything illegal that wasn't illegal before (except for certain companies, but more on that later). What it does do is drastically increase the penalties you face if you are infringing copyright. Currently, under the DMCA, if someone asserts that copyrighted material is available on your site, you can take the material off the site. As long as you do this promptly upon receiving the proper sort of request, you're not responsible for the copyright infringement. If the person who originally posted it doesn't believe that the copyright violation is really a violation at all, they can file a counter-notice to say so; then it goes to court, and the copyright holder has to prove that the copyright violation is real.

Under PIPA, that whole procedure changes. If someone asserts that copyrighted material is available on your site, according to subsections 3(d) and 4(d) of PIPA, they can get a court order requiring the following:

  • Payment services, like PayPal and credit card companies, are forbidden from doing business with you.
  • Advertising agencies are forbidden from placing ads on your site.

Additionally, if your site is “foreign” (you’re using a web host or DNS registrar in another country):

  • Your domain name gets removed from American DNS resolvers.
  • American search engines are no longer allowed to list your site.

Even though the restrictions only apply to companies that operate in the US, that still cuts you off from Google, Bing, Yahoo, PayPal, Visa, MasterCard, and most banks, not to mention your whole site is inaccessible from anywhere in America — all based on the accusation that you were hosting copyright material. Even if it wasn’t under your control (say, one of your site's users uploaded it), you still suffer the consequences.

The other thing to complain about is that in section 5, PIPA encourages websites, ISPs, DNS resolvers, search engines, etc. to proactively blacklist sites that they suspect might be in violation of the act. So, for example, Google can remove your website from their search listings, or PayPal can arbitrarily close your account, or so on, and as long as they claim a reasonable belief (whatever that means) that your site was infringing copyrights, you have no recourse against them. To some extent, this is already possible, since most of these sites’ terms of service include a provision that they may terminate your account for any or no reason. But those provisions don't have the legal force of the US Justice Department behind them. Right now, Google isn't required to remove a site from their search index just because the government says the site is violating copyright. PIPA would change that. Hopefully, you can see how this opens up a huge potential for abuse.

2012 Jan 15

Update on the fight against SOPA and PIPA

I've written a couple of posts about SOPA and PIPA, the copyright legislation currently making its way through Congress, and the widespread efforts to stop it. There's some good news on that front: these pieces of legislation have been attracting increasing amounts of media attention lately, and Congress is beginning to respond. The DNS blocking provisions of the bill have been pulled (for now, at least), removing a threat to one of the foundations of the internet, and over in the Senate, influential senators are asking for a vote on PIPA (the PROTECT-IP Act) to be postponed so the bill can be further reviewed and possibly amended. Additionally, the White House has issued an official response to two petitions calling for President Obama to veto any of this legislation that does pass through Congress, and while he hasn't promised to do so, it does show that the administration is at least thinking about the implications this legislation would have for free expression online.

But the war against SOPA and PIPA is not over yet, in part because a lot of people just don't know all this is happening. To raise awareness, Reddit will be proceeding with a planned "blackout" of the site this Wednesday, in which the normal content will be replaced by an educational message about PIPA/SOPA. Several other sites will be following suit, including Minecraft, ICanHazCheezburger (the whole network of meme sites), BoingBoing and Raspberry Pi. Wikipedia is soliciting contributor input on whether to join as well. If you're a website owner, consider "blacking out" your own site on January 18 to join in the protest.

If you believe, like I do, that these bills are too open-ended and should not be passed, there's still time and reason to contact your senators and representatives. PIPA is scheduled to come up for a vote on January 24, which is just over a week away, and the more calls and letters the senators get, the more likely they are to vote against it. And even though the vote on SOPA has been indefinitely postponed, it still constitutes a looming threat to internet freedom. Don't hesitate to let Congress know who they are supposed to be representing!

2011 Nov 28

Mozilla's Call the Senate day

The Mozilla Foundation, the group behind Firefox, is organizing another campaign against the PROTECT-IP Act. This time, they're asking voters to call the Senate next Tuesday (they don't give a date, but I'm guessing this is tomorrow) to register their opposition to the act.

As I've previously written, PROTECT-IP is a bill designed to discourage distribution of copyrighted material online. It would greatly expand the actions that the government is allowed to take with respect to websites or online services that are suspected of being involved in this distribution. There is a widespread concern that the powers granted by this bill are too easily abused, and that they will be ineffective. If you believe, as I do, that this is going too far, please consider contacting your representatives in Congress to let them know.