TechnoLlama, with a view from abroad:
From the start the Bill was advertised with an unhealthy dose of jingoism, its proponents sold it as a way to defend against foreign cyber-threats. While not mentioned specifically, the Act talks mostly about US intelligence agencies sharing information with private parties (with adequate security clearance) and viceversa. Checks and balances are supposedly placed on the use of that information and how it is to be stored and handled by the US government. The heavy implication here is that these threats come from abroad, or that is how the proponents sold it to the tech industry and to the media. The reality is that the final ACT is horrendously vague, and seems to create a private intelligence apparatus. My greatest concern about CISPA is that it will create surveillance sub-departments in technology companies, just like there are DMCA compliance offices everywhere.
CISPA becomes truly worrying in Sec. 1104.(b)(1), which cites the private entities that will be subject to the law. These are “cybersecurity providers” and “self-protected entities”. The definitions for these are too vague, to say the least. A cybersecurity provider is “a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.” In other words, this covers anyone who manufactures anything which can be used to secure information online, including certificate authorities and other similar security intermediaries. The clear threat here is that these intermediaries will have to snoop on their users and report back to the US federal government. Interestingly, I think that the definition clearly covers VPN and proxy providers! Similarly, a self-protected entity is “an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.” In other words, any company with antivirus software and a firewall is subject to the law. Nice piece of legislative jiggery.
Back in January, the major tech companies joined the internet hordes to stop SOPA. This time around those same companies are sitting on their hands. What gives?
Well, for starters, the two laws are very different: among other things, SOPA would have turned them into copyright cops, while CISPA simply gives them the option to pass on data if they choose.
Secondly, cyber-attacks are serious stuff for such companies. For just one example, read Stephen Levy’s In the Plex description of how the Chinese government broke into Google’s computers and stole not only code, but the Gmail messages of political dissidents. China is plundering US tech secrets on a regular basis and it’s understandable that the firms would welcome new tools to help them fight back.
Whether CISPA is the right tool is another question, of course. But the point, for now, is that CISPA doesn’t harm the self-interest of Silicon Valley companies so they have little incentive to kick up dust. (Facebook offered initial support for the goals of the bill but has since gone silent).
Finally, CISPA is not going anywhere fast. It passed the House with Republican support but is unlikely to make quick headway in a Democrat-controlled Senate, especially after the Obama administration threatened to veto it. This means the tech companies may be simply keeping their powder dry, betting that no law is going to pass until after the November election. Or maybe they just don’t care.
Either way, CISPA opponents looking for their SOPA allies to ride to the escape may have a long wait.