CISPA – Big Brother Never Sleeps

It’s likely you’ve never heard of the Cyber Intelligence Sharing and Protection Act, also known as CISPA.  It is the latest round in the never-ending litany of SOPA-like bills designed to clamp down on the scourge that is the Internet.  And it just cleared the House last week by a pretty comfortable margin.  Comfortable, that is, unless you’re a user of the Internet.

Much like the Protecting Children From Internet Pornographers Act of 2011, CISPA cloaks itself with a title that’s hard to be opposed to.  Cyber-terrorism is a very real threat, and who in their right mind would be against a measure to protect us from a cyber-attack?  Ahhh… if only it actually achieved that goal.

What CISPA actually does is provide immunity to ISPs and online service providers for responding to government requests for information about the cyber-activities of anyone related to cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security.  Note that the bill does not compel companies to turn over such information, and because it’s a voluntary request, it requires no court approval or any other sort of burden of reasonable cause.  But keep in mind that during the post-9/11 illegal wiretapping scandals, AT&T, Verizon, and other companies were only too willing to hand over your data.  So much so that there were efforts to prosecute the telecom companies for violating citizens’ rights, which ultimately required that the telcos be granted immunity.  Under CISPA, they will have permanent immunity, as CISPA explicitly states that companies may provide requested information “notwithstanding any other provision of law.”  In other words, CISPA trumps all other laws.

CISPA would “waive every single privacy law ever enacted in the name of cybersecurity,” Rep. Jared Polis, a Colorado Democrat and onetime Web entrepreneur, said during the House debate. “Allowing the military and NSA to spy on Americans on American soil goes against every principle this country was founded on.”

Yet all this begs the question, will it make us safer?  After all, in the last decade Americans have repeatedly shown that they are willing to sacrifice considerable freedoms in the interest of domestic security.

The fundamental issue would seem to be that this is a bill about cyber-security. Yet the allowances to deploy the law for purposes such as protecting children from exploitation seem pretty hard to defend as essential to preventing cyber-terrorism.  Still, it’s hard to argue that protecting children is a bad thing.

Moreover, the issue would seem to be the relative ease by which potential cyber-terrorists could thwart the efforts enabled by CISPA.  VPN tunnels and anonymous proxy services are well known technologies, and would make it impossible for anyone monitoring network traffic to even determine who was talking to whom, much less eavesdrop on the conversation.  You could certainly argue that the average citizen might not have the geeky skills to set up such a secure Internet connection.  But certainly anyone with the mad tech skills to conduct cyber-terrorism is going to be able to handle an encrypted network tunnel.  Don’tcha think?

So who are we catching here?  One possibility is that this is all just more security theater.  We’ll spend a lot of money and politicians will use CISPA as a campaign slogan, but it will have very little net impact on security.  Another possibility is that CISPA will be exploited for less noble purposes, unrelated to cyber-terrorism.  Instead of hunting down Chinese hackers, it will be used to hunt down your spouse streaming an illegally broadcast Celtics game on her laptop.

The bottom line is that this bill will not accomplish what it purports to.  The bill is highly focused on domestic surveillance, and there is no evidence that we are at risk of a domestic cyber-attack from citizens with poor tech skills.  Further, there are ample laws on the books now that allow the government a pretty wide berth to eavesdrop on citizens when they can show cause.  And those laws have already been routinely circumvented in the name of national security.  If anything, we need to be shoring up the Fourth Amendment, not tearing it to shreds.

Just because technology provides the means to unobtrusively invade our personal privacy does not mean we should be surrendering those rights.

Fortunately, while CISPA started out with bipartisan support, it has become a partisan issue.  It may have been passed by the House, but its chances of getting through the Senate are slim, and Obama has already threatened a veto.  Yet this is no time for complacency.  These sorts of bills just keep on coming, and sooner or later, one of them will slip through.

Be vigilant.

Big Brother Likes to Watch

SOPA and PIPA may be dead, but the battle is far from over.  The dust had barely settled from the online community’s successful revolt against Hollywood’s attempt to toss out due process in an effort to protect its Luddite-like business model when Rep. Lamar Smith, SOPA’s author, introduced the Protecting Children From Internet Pornographers Act of 2011.

That doesn’t even sound related, does it?  Further, it’s obviously about protecting children, and who could be against that? Well, that’s kind of the point. The problem is, this bill doesn’t really introduce any additional protections for children or make any bold new strides to stamp out child porn.  At least not directly.

What the bill does require is that your ISP maintain a record of what IP addresses are assigned to you for 18 months.  It is required to keep those records sealed, unless the government, and only the government, requests them.

Some sites are reporting the bill requires ISPs to keep a record of every site you visit.  That’s not true, unless you live in Hawaii, where a separate and unrelated state bill has been proposed requiring your ISP to keep tabs on your every YouTube view and Facebook stalking venture.  The federal bill makes no such requirement.

This means the Fed won’t have the ability under this bill to demand your Internet history as part of an investigation.  But, if it is monitoring network traffic or if it seizes a web server and the logs on that server, they can trace your activity back to your house.

So in theory, FBI agents bust a child porn provider, find out that someone at the address has been a heavy user, and grab the ISP records to find out that on the day in question, that address was assigned to your house.  Then you hear a knock on the door.  Okay, if you’re into child porn, then someone should knock at your door and haul your ass away.  But what if it wasn’t you?  What if your neighbor jacked your WiFi, and he’s the real pervert?  What if you own a coffee shop and provide free WiFi to your customers?  Are you now suspect because of their actions?

And you’d have to be completely naive to think this tactic only applies to child porn.  Gee, have you been to Megaupload or Pirate Bay lately?  And there’s the SOPA/PIPA tie in.  Once this data is being collected and is at the government’s disposal, it will be used for all manner of things.  This isn’t about protecting the children. That’s just the ruse to get the law passed.

And before someone argues that if you’ve got nothing to hide you shouldn’t be worried… that’s not the point.  The Fourth Amendment guarantees a right to privacy.  The Supreme Court recently ruled that your car can’t be GPS tagged without a warrant.  This means the police can’t decide to electronically track and log wherever you go in the real world so that just in case they uncover a crime, they can go back and see who was near the scene when it was committed.  The virtual world should not be different.

As ill-conceived as they were, SOPA and PIPA were at least upfront about their intentions and motivations.  Hiding behind the specter of child porn to erode constitutional rights is despicable.  The children deserve better.

A Second look at the Fourth Amendment

Airport Security (Photo by redjar on Flickr)

The TSA has been taking an enormous beating this past week over the new enhanced security measures.  Whether you believe all the sordid tales of naked pictures, groped breasts, and fondled genitalia are the unfortunate exceptional case we endure for our safety, or the overreaching rule of a government agency overstepping its authority, let’s at least take a moment to feel pity for the TSA agents themselves.

These hard working front-line employees not only need to deal with the irate and discourteous among us, but they are condemned to spend eight hours a day staring at bad pictures of naked fat people, and running their hands up and down our cottage cheese laden thighs.  It’s a small wonder the suicide rate for TSA employees hasn’t gone through the roof.  If there’s blame to lay here, it’s on the Homeland Security policy that created this mess.  Not the poor people who are stuck implementing it.

There are a lot of valid questions about the safety of the backscatter and millimeter wave scanners, and many more about the efficacy of the scanning technology at preventing terror attacks.  Yet the major unanswered question is, does this sort of scanning technology violate our Fourth Amendment rights?  The Fourth Amendment assures us a right to a reasonable expectation of privacy.  As I’ve written about before (here and here), the laws defining how new technology can and cannot be used in the context of the Fourth Amendment are decades behind the engineering work.

The current TSA situation makes it clear the so-called naked scanners are the equivalent of searching your clothes, pockets, and body.  Something courts have historically ruled cannot be done without probable cause.  That technology enables the search to be conducted at a distance doesn’t make it less an invasion of privacy.

If you were walking down the street minding your own business and a cop pulled up and told you to empty your pockets and submit to a full pat down, you’d have a lawyer and a lawsuit filed before he got on his latex gloves.  It shouldn’t be a different case if he had a portable scanner that accomplished the same purpose without actually touching you or even stopping you.  The time to decide the legality of these issues is now, before the handheld scanners are developed and deployed.

Although, even with the existing scanners, we are copping to probable cause based solely on the evidence that we purchased a ticket for Toledo.  Would such scanners be as easily accepted in bus stations, movie theaters, or shopping malls?  Probably not.  Clearly airports are different.  We willingly give up rights in airports we would not allow to be infringed anywhere else.

The reason being that collectively we have an irrational fear of terrorists.  It’s not that terrorists don’t warrant our vigilance and attention, but the size of the fear is irrational.  The 9/11 attacks have forever bound airplanes and terrorism together, and it is often argued that we simply have to give up some of our rights at airports in order to be safe.  But we don’t actually live like we believe that.

Over the last decade, terrorists have killed about 3000 Americans on or with airplanes—almost all of them on one day.  Meanwhile, according to the CDC, there are over 30,000 deaths each year caused by firearms.  That’s 300,000 people over that same decade.  For scale, that’s about the same as a medium size city or half the population of the entire state of Alaska.  While outlawing guns would clearly not have saved all those people, if there were no guns many tens of thousands of them would undoubtedly be alive today.  Yet we would never remotely consider a gun ban.  This clearly isn’t a rational decision based on preserving our actual safety and well being.

The point is, we accept some level of risk every day.  It’s not completely safe to drive to the supermarket, and it’s certainly not safe to be around Dick Cheney when he’s got a loaded gun.  But we take those risks anyway.  Sure, we drive cars with airbags and buckle our seatbelts.  We try not to wander into urban gang territory at night wearing spandex and singing show tunes.  We lock our doors, but we don’t bar them and hire perimeter guards to walk the yard at night.  We take reasonable, but not oppressive, precautions.  There’s no reason airports can’t be handled the same way.

Yes, I’d just as soon the guy sitting next to me on the plane wasn’t packing heat.  But I can live with him having nail clippers, a pocket knife, and 5oz of shampoo.  And yes, that leaves open the possibility that he has a rectum full of C4 and the cool disposition to detonate it.  Although the TSA scanners wouldn’t have picked that up anyway, so at least I’d have gotten to spend more time at home before the flight rather than waiting in line for a security inspection.