When Security and Privacy Wrestle, Who Is the Winner?

Monday, April 30, 2012

Theresa Payton


Does CISPA win the security battle but lose the privacy war?

There is a fight going on between security and privacy, and it is your personal data and communications that are at stake. Many of you might remember hearing about SOPA, PIPA, and ACTA.

You might vaguely remember that on January 18th of this year websites such as Google and Wikipedia looked strange as the web protested these pieces of legislation.

When I talk with companies and individuals, they are not sure why SOPA, PIPA, and ACTA are considered “good or bad,” and most are not sure what CISPA is all about. Only a handful knew that CISPA hit the news this week because it is about to be voted on.

A quick overview is essential to understanding why you need to make sure your voice is heard. Regardless of whether you love the idea or do not like it at all, you need to weigh in. It is an important part of the process, and it gives us the best chance at striking a balance between security and privacy.

SOPA stands for the Stop Online Piracy Act and is a US bill introduced by U.S. Representative Lamar S. Smith (R-TX) to help fight counterfeit goods and the theft of intellectual property. PIPA is an acronym of an acronym; consider it the nickname for the PROTECT IP Act.

PROTECT IP stands for Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act. This was another law designed to help copyright holders fight back against counterfeiting. It was introduced by Senator Patrick Leahy (D-VT). Support for these bills was mixed.

Companies such as Google, Wikipedia, and over 7,000 other websites either changed their site or went offline all day on January 18th to protest SOPA and PIPA. They felt the enforcement of SOPA and PIPA would be too ominous for the internet community. Both pieces of legislation were put on “hold” after the January 18th web protests.

ACTA is an international agreement. It stands for the Anti-Counterfeiting Trade Agreement, and its goal was to establish international standards for copyrights and intellectual property rights. ACTA was signed in late 2011 by the U.S. and 7 other countries, and the European Union signed it in January.

ACTA has not been fully approved or ratified. The general public across the globe is unhappy because they feel that ACTA was negotiated in secret, and much of the agreement, including how it will be enforced, is not fully known. In just the last few months, over 200 cities across Europe have protested ACTA.

On the surface, the bills make sense. Doesn't everyone want to protect against counterfeit goods and fight cybercrime? The answer is yes; everyone wants the ability to fight crime better. However, what a lot of companies did not like about the laws was that they held the website accountable when users posted content they should not have, meaning a website could be taken offline if its users violated copyright laws. This would make it very challenging for companies like Hulu or YouTube, whose content is user-provided, to manage that content.

Now enters CISPA, which stands for the Cyber Intelligence Sharing and Protection Act and was introduced in November 2011 in the House. The bill’s co-sponsors are Rep. Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.).

According to Mike Rogers’ website, “H.R. 3523, the Cyber Intelligence Sharing and Protection Act, safeguards U.S. jobs by making it easier to identify and combat cyber threats, which steal over $200 billion in American intellectual property every year.” The core goal of CISPA is to encourage better and more frequent information sharing. As most people in law enforcement and the security industry will tell you, the key to fighting cybercrime is to share the details.

Think of your neighborhood watch program. Learning about other crimes in the neighborhood, how the criminals got away with their misdeeds, and other important details about the cases makes you more aware and gives you guidance on how to better protect your own residence. CISPA creates that same neighborhood-watch element.

Information sharing about cybercrimes by the victimized businesses has been an ongoing challenge in today’s environment. Many businesses are reluctant to be public about being a victim. Some businesses believe it could spook their customers and cost them future business.

Others think that showing public weakness makes them a target for other attackers. CISPA hopes to allay these concerns by providing businesses a level of anonymity in reporting. It also has the backing of industry giants such as Microsoft, AT&T, Time Warner Cable, and Facebook. The Guardian reported last week that 112 members of Congress are supporting the bill.

The bill begins with, “To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.” So far so good; so where is the battle with privacy? Privacy advocates and security experts both want better information sharing.

The bill goes on to say, “IN GENERAL.—The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.” Read further and the language gets a little vague, creating discomfort about how privacy will be protected.

“CYBER THREAT INTELLIGENCE.—The term ‘cyber threat intelligence’ means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from—(A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”

Privacy advocates are concerned with the vagueness found in this part and in subsequent parts of the bill. It appears that, in order to track down the “bad guys,” all traffic might be monitored. That means the innocent would be monitored in order to trace the path of the alleged and the guilty.

As organizations and individuals speak up about the monitoring and tracking, Rogers and Ruppersberger have made adjustments to the bill. It’s not too late to have your voice heard. Read the bill for yourself; it is brief compared to other bills. Then decide your point of view. We would love to hear all opinions on this bill.

You can find the bill at the House of Representatives page under:

Theresa is also the co-author of the new book “Protecting Your Internet Identity: Are You Naked Online?” available in bookstores, libraries, and online at Amazon, Barnes and Noble, Books A Million and Google Play.

Cross-posted from Fortalice

John Simmons

The biggest issue I see is in the definitions here... when we look at the way everything is set up, it essentially one-sides the whole situation, effectively slamming whistleblowers and effectively telling the American people that they cannot question the actions of "the government". What is interesting about the definition of "government" in the United States is that it has been eminently defined as "of the people, by the people and for the people". However, those who often use these laws to their advantage are not always doing so in the interests of the general population and are often doing so in direct opposition to them. We're really seeing a problem of ethics in our society which is being played out on the World Wide Web.

We are to the point where the hallmark of innovation is a new gadget for a cell phone, the landmark of musical creativity is a sample of a previously recorded song, and the definition of progress in our society is "growth" and "job creation", as opposed to "innovation" and "efficiency" (both in production and consumption of resources, and in workforce development). Our politicians push these laws out not for public benefit, but for the benefit of a few companies which make money off of recycled knowledge.

In terms of security, it really boils down to the fact that we are not really living in a much different world than the one that existed in the time of our parents. They played out the duck-and-cover drills when they were younger, fearing imminent attack from some faceless enemy. Like them, we always want new toys to play with to make our jobs easier, but unlike them, our ability to understand the ramifications of having these toys at our disposal is greatly hindered by the scope of what we are dealing with as a society. Instead of simplifying our laws, we make them more complex, with vagaries which are only understood by corporate legal teams... Sometimes it's better to work a little harder in order to get the job done right instead of cheating and suffering the consequences...