EFF works tirelessly to protect programmers and developers engaged in cutting-edge tech exploration through our Coders' Rights Project.
To help get the word out, today we're introducing the new Coders' Rights List with a short video, which could just be the coolest video about hackers, cats and robots you will see all day.
Share the video. Do it for the kittens.
Sign up today to get the latest news on computer security law, upcoming events with EFF lawyers, discounts on infosec conferences like BlackHat, SOURCE, HOPE, and open source software events, and even get a jump on EFF's third annual D(EFF)CONtest coming in May! Your information is never sold, swapped, or shared.
Hours ago, the House of Representatives voted to approve the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that would allow companies to bypass all existing privacy law to spy on communications and pass sensitive user data to the government. EFF condemns the vote in the House and vows to continue the fight in the Senate.
"As the Senate takes up the issue of cybersecurity in the coming weeks, civil liberties will be a central issue. We must do everything within our power to safeguard the privacy rights of individual Internet users and ensure that Congress does not sacrifice those rights in a rush to pass vaguely-worded cybersecurity bills," said Lee Tien, EFF Senior Staff Attorney.
"Hundreds of thousands of Internet users spoke out against this bill, and their numbers will only grow as we move this debate to the Senate. We will not stand idly by as the basic freedoms to read and speak online without the shadow of government surveillance are endangered by such overbroad legislative proposals," said Rainey Reitman, EFF Activism Director.
EFF extends its deep gratitude to the dozens of organizations that have worked with us on this campaign and the tens of thousands of EFF members who helped us by contacting Congress to oppose CISPA. We look forward to continuing to fight by your side in defense of civil liberties as CISPA moves to the Senate.
Use EFF's action center to send an email to Congress telling them not to trample on civil liberties in any "cybersecurity" legislation.
At this point, EFF readers are doubtless well-familiar with the rise of -- and battles against -- copyright trolls. Techdirt is reporting today about a relatively new copyright troll tactic -- suing only Does that are unfortunate enough to be subscribers of ISPs that don't resist mass subpoenas. So we thought it was time to take note again of the ISPs that are challenging these outrageous lawsuits -- and, often, winning.
As it happens, there is an important hearing in one of these cases tomorrow, in Washington D.C., and EFF Senior Staff Technologist Seth Schoen will be a witness. In this case, porn producer AF Holdings, represented by the Prenda Law Firm, has sued more than 1000 Does in a single lawsuit, based on their purported IP addresses, and obtained an order allowing it to issue subpoenas to various ISPs demanding the Does' identifying information.
Several of the ISPs that were subpoenaed -- including Cox, AT&T, and Verizon -- moved to quash. EFF, along with the American Civil Liberties Union Foundation and the ACLU of the Nation's Capital, filed an amicus brief in support. As these briefs explain, there's no reason to suppose these Does have any relationship to each other, nor that they are actually located within the jurisdiction where they are being sued. AF Holdings argues that it is allowed to obtain the identities of the ISPs' customers in D.C. anyway because they might reside in the District or the alleged infringement may have occurred there. But the ISPs told the court that it was easy to discover that only 20 of the IP addresses were likely associated with Washington, D.C.
This is not the only such motion ISPs have filed, but it stands out for two reasons. First, the case is before Judge Beryl Howell, whose 2011 decision authorizing discovery in an earlier mass copyright case has been widely cited by copyright trolls around the country. Since that ruling, however, the due process flaws in these cases, and the burden they are placing on the Does and the courts, not to mention ISPs, have become more and more clear. This motion provides Judge Howell with an opportunity to consider these developments, taking into account evidence and testimony provided by the ISPs and amici.
Second, if Judge Howell denies the motion, the ISPs have asked Judge Howell to allow them to file an immediate appeal. If so, it will be the first time since this wave of troll litigation began that an appellate court has had an opportunity to weigh in on the due process problems inherent in these cases. Given the seriousness of those problems, and the massive burden these cases are putting on the judicial system, individual Does, and ISPs, it is long past time for a higher court to get involved and help end this shakedown scheme for good.
This week, a flurry of amendments were introduced to try to salvage the Cyber Information Sharing and Protection Act (CISPA), a “cybersecurity” bill moving through the House that’s been criticized as giving companies free rein to spy on personal communications and pass unredacted content (like emails) to the government. Though numerous amendments were suggested, a package of five amendments was put together by the bill’s primary author Mike Rogers (R-MI) and is likely to get accepted without much debate. Below is an overview of what’s in the Rogers package and how it fails to address the grave civil liberties concerns inherent in CISPA.
Before we dive into our analysis, it’s worth noting that this bill has faced a storm of controversy since EFF and other civil liberties advocates launched a week of action 11 days ago. This week, a group of security experts voiced concerns about the civil liberties problems in the bill. The Free Market Coalition criticized the bill as “unduly expanding federal power, undermining freedom of contract, and harming U.S. competitiveness in the technology sector.” Presidential candidate Ron Paul was equally critical, calling CISPA “Big Brother writ large.” And President Obama has sided with the civil liberties groups. In a statement issued yesterday, the Administration stated that “Without clear legal protections and independent oversight, information sharing legislation will undermine the public's trust in the Government as well as in the Internet.” It also warned that if CISPA were to arrive at the President’s desk in its current state, “his senior advisers would recommend that he veto the bill.”
Rogers’ Amendment Package: Not Nearly Enough to Assuage Civil Liberties Concerns
Minimization Retention and Notification Amendment: This amendment has a somewhat misleading title because it does little to actually “minimize” the retention of sensitive user data. In short, the amendment states that if a department or agency receives information that actually isn’t related to cyber security threats, they shall “notify” the entity that gave them the information. This amendment also says that data won’t be kept for purposes other than what has been outlined in the bill—but doesn’t actually narrow the expansive reasons that data can be kept.
The bill also states that the government “may” choose to “undertake reasonable efforts to limit the impact on privacy and civil liberties.” There’s no mandate to do so and no explanation of what constitutes “reasonable efforts.”
Definitions Amendment: We’ve been highly critical of the overbroad ways in which “cyber security” is defined in the bill. We’re concerned that typical privacy-protective measures like using Tor or pseudonyms might be deemed “cyber threat information” under the vague definitions of CISPA. The good news is that this amendment excludes intelligence pertaining to efforts to gain unauthorized access that “solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.” This is a step in the right direction because at least signing up for Facebook with a pseudonym is unlikely to get you reported to the FBI for attempting to gain “unauthorized access.”
Unfortunately, this amendment doesn’t address the serious problems with the vague definitions. Even after amendments, “Cybersecurity system” defines the system that “cybersecurity providers” or self-protected entities use to monitor and defend against cyber threats. This is a “system” intended to safeguard “a system or network.” The definition could mean anything—a Local Area Network, a Wide Area Network, a microchip, a website, online service, or a DVD. It might easily be stretched to be a catch-all term with no meaning. For example, it is unclear whether DRM on a DVD constitutes a “cybersecurity system.” And such a “cybersecurity system” is defined to protect a system or network from “efforts to degrade, disrupt or destroy”—language that is similarly too broad. Degrading a network could be construed to mean using a privacy-enhancing technology like Tor, or a p2p protocol, or simply downloading too many files.
Liability Amendment: Liability exemption is one of the biggest problems with this bill. As we wrote in a post published yesterday:
the bill creates expansive legal immunity that makes companies and the government largely unaccountable to users. The bill provides “good faith” immunity for using “cybersecurity systems” to obtain information, for not acting on information that a company learns, and for making any decisions based on the information they learn. If a company learns about a security flaw, fails to fix it, and users' information is misused or stolen, companies cannot be held liable as long as the company acted “in good faith” according to CISPA. Companies “acting in good faith” are also excused from all liability for engaging in potential countermeasures, even if they hurt innocent parties.
So what did Rogers do to address these egregious issues? He changed the phrase “for using cybersecurity systems or sharing information in accordance with this section” to “for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information.”
Basically, he didn’t fix it at all.
Limitation Amendment: Frankly, this amendment doesn’t address any of the civil liberties concerns. It states: “Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, any entity to use a cybersecurity system owned or controlled by the Federal Government on a private-sector system or network to protect such private-sector system or network.” We suspect that this amendment is attempting to address the issue of black-box style network intrusion detection systems like Einstein being placed on private networks. However, this amendment doesn’t actually prohibit privately owned versions of Einstein being placed inside of networks – it just says that there’s “no additional authority” to do so.
Use Amendment: The final amendment has to deal with the usage of data collected under cybersecurity programs. Under the current version of CISPA, although data collected by companies may only be shared for “cybersecurity” purposes, the government can use it for unrelated purposes because the bill allows the government to use it for “national security purposes.” Provided “at least one significant purpose” is a cybersecurity or national security purpose, it may be used for other unrelated purposes. The only other restriction on the data is that it not be used for “regulatory” purposes—a term the bill leaves undefined.
The amendment narrows this usage—but not nearly enough. It still allows data collected under cyber security programs to be used for cybersecurity purposes, for the investigation and prosecution of cybersecurity crimes, to protect individuals from death or serious bodily harm, for protecting minors from child pornography or other sexual exploitation or serious threats to their physical safety, and for national security.
“National security” is at best a nebulous term—and, at worst, a catch-all excuse for government snooping. As we’ve explained in our recent post on the topic, “the amorphous phrase 'national security' has invaded many arenas of government action, and has been used to justify much activity that did not involve legitimate terrorist threats. The most obvious (and odious) example is the unfortunately named USA-PATRIOT Act, a law that was sold to the American public as essential to combating terrorism, but which has overwhelmingly been applied to ordinary American citizens never even suspected of terrorism.”
There are several other amendments that are going to be considered, but it’s unclear whether those will be successful and EFF doesn't believe those amendments can ameliorate the core civil liberties concerns with this legislation—namely, the overriding of all existing privacy law to allow companies to share sensitive user data with the government. For now, we’re calling on the Internet to continue to call, email, and tweet at their Representatives urging them to support privacy-protective amendments and oppose CISPA as a whole.
The House of Representatives kicked off their “cybersecurity week” yesterday with a hearing titled "America Is Under Cyber Attack: Why Urgent Action is Needed." Needless to say, the rhetoric of fear was in full force. A lot of topics were raised by members of Congress and panelists, but perhaps the most troublesome theme came from panelist and Former Executive Assistant Director of the FBI Shawn Henry, who repeatedly urged that good cybersecurity means going on the offensive:
“the problem with existing [...] tactics is that they are too focused on adversary tools (malware and exploits) and not on who the adversary is and how they operate. Ultimately, until we focus on the enemy and take the fight to them […], we will fail.”
This offensively-minded approach has major pitfalls, as it could lead to more government monitoring and control over our communications. While we think an increased focus on catching criminals using existing tools is a fine tactic that could be used by law enforcement, we fear the temptation for law enforcement to increase their surveillance capabilities in order to successfully go on the offensive in the context of computer crimes. This could mean things like breaking into people's computers without warrants, or disrupting privacy-enhancing tools like Tor. Needless to say, we think it would be a very bad idea to link our safety to the ability for law enforcement to effectively monitor people, and that is a danger of focusing solely on an offensive strategy. Instead, we would like to offer an alternative, defensively-oriented point of view regarding security, an important view that we think was not adequately represented in yesterday's panel.
Securing U.S. critical infrastructure networks, corporate networks, and the Internet at large depends upon securing our computers and networked devices. Fundamentally, it's very simple: fewer software vulnerabilities means more security. Once a vulnerability is patched and an upgraded version of software is available and in use, that increases safety for all of us. Ensuring that the right mechanisms are in place to maximize this baseline security should be a major focus area of any organized effort to secure our critical and other Internet infrastructure. This means encouraging the disclosure of vulnerabilities when they are found so that they can be fixed, and no longer exploited. This is what we mean when we talk about security for everyone. This defensive strategy also takes a view of vulnerabilities that includes engineering with security in mind: if software doesn't force good security on administrators and other humans who have a role to play to keep things secure, then that should be considered a security vulnerability in that software.
In order to understand why vulnerabilities are the foundation of insecurity and ought to be the focus of defensive efforts, let's take a bit of time for those new to the computer security world to define bugs, vulnerabilities, exploits, and a particularly nasty class of exploits called “zero-day” exploits.
What are bugs, vulnerabilities, exploits and “zero-day” exploits?
A software bug is a general term referring to an unintentional problem with a piece of software that causes the software to work in an unexpected or unintended way. Bugs can refer to low-level issues (“we started counting from 0 over here, but from 1 over there, and now this array is messed up”), or to high-level issues (“we didn't implement a feature allowing people to see their open orders on this website”).
Security vulnerabilities are a class of bugs in software; these are the bugs that allow an attacker to gain unauthorized access to do something that she couldn't before. This could mean gaining access to a remote computer, or to a private network, or to other private information. Once again, these range from low-level vulnerabilities (“We weren't expecting the user to give a name that was 4 gigabytes long; our oversight allowed the user to crash the program and execute her malicious code on the victim's system”) to high-level (“Since we didn't force a user to use a strong passphrase, his account could be compromised”).
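The two low-level illustrations above (counting from 0 in one place and from 1 in another, and a name far longer than the program expected), shown as an added C example that is not part of the original post. The account structure, the sizes and every function name are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for illustration: sizes and field names are assumptions. */
#define NAME_CAP   32
#define SLOT_COUNT 4

struct account {
    char name[NAME_CAP];
    int  is_admin;          /* stored right after name[] in memory */
};

static struct account slots[SLOT_COUNT];

/* Bug: callers number accounts 1..SLOT_COUNT, but the array is indexed
 * 0..SLOT_COUNT-1. Using the id directly never reaches slot 0, and
 * id == SLOT_COUNT points one element past the end of the array.
 * Kept for contrast only; nothing in this file calls it. */
struct account *slot_for_id_buggy(size_t id)
{
    return &slots[id];
}

/* Fix: validate the 1-based id, then convert it to a 0-based index. */
struct account *slot_for_id(size_t id)
{
    if (id < 1 || id > SLOT_COUNT)
        return NULL;
    return &slots[id - 1];
}

/* Vulnerability: the length comes from the caller and is never compared
 * with the buffer size, so an oversized name is written past name[] into
 * is_admin and whatever follows. This is the "we weren't expecting a name
 * that long" oversight. Kept for contrast only; nothing calls it. */
void set_name_unchecked(struct account *a, const char *name, size_t len)
{
    memcpy(a->name, name, len);
    a->name[len] = '\0';
}

/* Fix: reject any name that does not fit together with its terminating
 * NUL byte, and leave the record untouched when rejecting.
 * Returns 0 on success, -1 on rejection. */
int set_name_checked(struct account *a, const char *name, size_t len)
{
    if (a == NULL || name == NULL)
        return -1;
    if (len >= sizeof a->name)
        return -1;
    memcpy(a->name, name, len);
    a->name[len] = '\0';
    return 0;
}

int main(void)
{
    char long_name[4096];               /* constructed oversized input */
    struct account *a = slot_for_id(1); /* first account, 1-based id */

    memset(long_name, 'A', sizeof long_name);
    printf("short name accepted: %d\n", set_name_checked(a, "alice", 5));
    printf("long name accepted:  %d\n",
           set_name_checked(a, long_name, sizeof long_name));
    printf("is_admin afterwards: %d\n", a->is_admin);
    printf("id 0 is valid:       %s\n", slot_for_id(0) ? "yes" : "no");
    return 0;
}
```

The first pair is a bug in the general sense; the second pair is a bug that crosses into a security vulnerability, because the unchecked write lets input reach memory the program never meant to expose to it.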
Exploits are pieces of software that actually take advantage of the security vulnerability and give the user running the software unauthorized access. A security vulnerability could lead to an exploit, although not all vulnerabilities lead to exploits.
Zero-day exploits are exploits that take advantage of an undisclosed vulnerability. Suppose there is a publicly known vulnerability in the browser Internet Explorer 6. Then any exploit based on that vulnerability is NOT considered a zero-day, and you can (often, theoretically) protect yourself from such a vulnerability. In this case, for example, you could do so by downloading Internet Explorer 9. However, if there is a “zero-day” in Internet Explorer 9, there's nothing you can knowingly do as a user to protect yourself. This makes this type of vulnerability especially scary, since it could be used not just against unwitting users who haven't upgraded their software, but against anyone.
Ok, got it. To make us safer, we need to patch vulnerabilities and prevent exploits, especially zero-day exploits. Does CISPA encourage this?
Unfortunately, the “cybersecurity” bill CISPA and other legislation under debate does NOT focus on this baseline security. Instead of encouraging the patching of vulnerabilities as quickly as possible, or offering solutions to improve the general security of networked computers, the bill encourages broad surveillance of personal data by companies and the government. This type of information sharing is largely unrelated to the core issue of vulnerabilities that need to be patched at the software level. It's certainly possible that by mining that data one could come across an exploit or an unknown vulnerability and share it with the vendor, but the bill is NOT about sharing vulnerabilities so that they can be patched – it's about sharing raw data in a way that could legitimize a public-private surveillance partnership. And this data sharing between companies and the government in no way encourages security vulnerabilities themselves to be shared with the relevant software vendors and developers so that they can be patched. In other words, it just doesn't attack the root of the problem.
Why is fixing vulnerabilities at odds with taking an offensive approach to security?
If we take an offensive approach as Mr. Henry suggests, a “security for the 1%” situation seems likely to arise, in which vulnerabilities are sometimes kept secret, and mitigations or fixes for these vulnerabilities are selectively doled out by the government or other private security firms only to critical infrastructure or paying clients (the “1%” deemed worthy of protection). The government might even deploy black box systems to companies and infrastructure designed to mitigate exploits based on secret vulnerabilities while giving as little information as possible about those underlying vulnerabilities, even to the companies they are protecting. Either way, the vendor would not be told about the vulnerability and so anyone who wasn't a recipient of the “privileged” information would be hung out to dry.
What is a better approach to security?
Changing the incentives and culture to encourage the right sort of information sharing concerning vulnerabilities is a complex problem, and we do not purport to have a complete solution. There are many pieces to the puzzle: what should be done about vendors who don't care about security? What about users who don't upgrade software, or go out of their way to be vulnerable? What about security researchers who discover vulnerabilities, and choose to sell this knowledge to the highest bidder, instead of ensuring that the vendor knows about the vulnerability and it gets fixed?
There are some common sense tactics that the government can take to help solve these problems. For starters, the government can itself commit to disclosing any known vulnerabilities to vendors so that they are promptly patched. Next, incentives could be put in place to encourage research that has broad beneficial effects for everyone's security. For example, suppose a researcher invents a new testing technique that reduces how many exploitable vulnerabilities there are in software in general. This is a win for everyone, and we think the government should strongly encourage such research.[1]
But beyond these common sense suggestions, the main point we want to raise in this post is not to offer a solution to these problems, but rather suggest that anyone interested in security at the national and international level should be thinking hard about them. Taking an offensive approach has the potential to put our civil liberties in danger, and could create a situation in which our safety ebbs and flows with how well the intelligence community can spy on us. This precarious and undesirable situation can be avoided if instead we take a defensive approach to stop the problem at its core, working to ensure that everyone is maximally protected. Mr. Henry suggests that "offense outpaces the defense." That seems like an oversimplification, but even if one accepts it to be true, we should not take this to be an immutable property of the world. Instead, we should work to change it by increasing our defensive efforts. Unfortunately, the “cybersecurity” debate does not seem to be addressing this point of view, but we hope that somebody brings it up during “cybersecurity week”.
[1] At EFF, we think of ourselves as tackling a small piece of this puzzle by encouraging the adoption of HTTPS. We strongly believe that this increases the general security of the web, and we are working towards a future in which HTTPS (and other encrypted protocols) become the standard way to access resources and communicate on the web.
EFF, along with the ACLU of Northern California, is a sponsor of the California Location Privacy Act of 2012 ("SB 1434"), a bill that would require California law enforcement officers and agencies to seek a search warrant before obtaining electronic location information. Yesterday, the bill passed through the California Senate Committee on Public Safety and is now on its way to the full Senate for consideration. But when it gets there, it will be missing a major, important piece of its text: its reporting requirement.
It's certainly no surprise that there's opposition whenever a bill proposes making it harder for law enforcement to get information. But in the case of SB 1434, the opposition came from a surprising place: the wireless industry. And their opposition wasn't with SB 1434's search warrant requirement. In fact, imposing a search warrant would actually be beneficial to the wireless industry. As the ACLU demonstrated with its nationwide FOIA request on law enforcement access to cell phone tracking information, police throughout the country are using different legal standards and judicial process in order to obtain this sensitive information. SB 1434 would create a uniform, easy-to-apply standard for the disclosure of location information in California: a search warrant or nothing. AT&T is even part of the Digital Due Process coalition, which has lobbied Congress to impose a search warrant requirement for law enforcement access to location data.
Instead, the wireless industry's opposition was with SB 1434's reporting requirements, which would force communication providers to report the number of times location information has been disclosed or not, the number of times a provider contested a demand, and the number of users whose location information was disclosed. Providers would be required to publish this information on their websites annually. These lax reporting requirements are a far cry from the Wiretap Act's far more rigorous reporting requirements. But according to the Wireless Association ("CTIA"), a wireless trade association that includes AT&T, Verizon and Sprint, the proposed reporting requirements "unduly burden wireless providers and their employees, who are working day and night to assist law enforcement to ensure the public's safety and to save lives."
So, faced with pressure from these giant wireless companies, it's unsurprising that SB 1434 passed out of committee but without its reporting requirements. And while getting SB 1434 to the full California Senate is a great first step towards bringing the protection of a search warrant to millions of Californians, it's still disheartening to see the wireless industry continuing to fight against attempts at transparency. It's no surprise that both AT&T and Verizon got no stars for being transparent with their customers about government requests in our "Who Has Your Back" campaign.
It doesn't have to be this way. Whether it's Google's Transparency Report, or Twitter's policy of informing users of law enforcement requests for their information, it's possible for companies to comply with law enforcement requests, and yet be transparent about it. In fact, the OpenNet Initiative is trying to create a uniform format for company disclosure of data to law enforcement in order to make it easier for companies to be transparent. Apparently the wireless industry wants no part of this openness. Its opposition to SB 1434 just continues its trend of selling you out--and profiting from it--in secret.
This week the House of Representatives is debating CISPA, the dangerous ‘cybersecurity’ bill that threatens to decimate Internet users’ privacy in the name of security. EFF and a wide variety of other groups have been protesting the law’s provisions giving companies the power to read users’ emails and other communications and hand them to the government without any judicial oversight whatsoever—essentially a giant ‘cybersecurity’ exception to all existing privacy laws.
We’ve already shown how the bill’s definition of ‘cyber threat information’ can lead the companies and government to surveil citizens for a host of reasons beyond critical cybersecurity threats. But we want to focus on one vital portion of the bill that is not getting enough attention: what the government can do with your private information once companies hand it over.
Even though CISPA is styled as a ‘cybersecurity’ bill, it explicitly allows the Department of Homeland Security and other government agencies like the National Security Agency (NSA) to use your information for ‘national security’ purposes—expanding the bill far beyond its purported goal. Bill sponsor Mike Rogers introduced a package of amendments yesterday, but did not remove “national security” as one of the purposes for which information can be used.
The Erosion of Civil Liberties
In the past decade, the amorphous phrase “national security” has invaded many arenas of government action, and has been used to justify much activity that did not involve legitimate terrorist threats. The most obvious (and odious) example is the unfortunately named USA-PATRIOT Act, a law that was sold to the American public as essential to combating terrorism, but which has overwhelmingly been applied to ordinary American citizens never even suspected of terrorism.
In just one of many examples, from 2003-2006, the FBI issued more than 192,000 National Security Letters to get Americans’ business, phone or Internet records without a warrant. These invasive letters—which come with a gag order on the recipient so they can’t even admit they received one—have been used to gather information about an untold number of ordinary citizens, including journalists. Exactly one of those cases ended in a terrorism conviction—and he would have been convicted without the NSL evidence. The ACLU has catalogued how many other PATRIOT Act provisions have been similarly abused. EFF is suing for information about one provision, known as Section 215, which Senators have warned is being secretly interpreted to invade privacy in a way that "most Americans would be stunned" to learn about.
“Information sharing”— CISPA’s mantra—has also created privacy nightmares for everyday Americans in the name of national security. The federal government routinely shares its massive national security databases with local law enforcement agencies with predictable results. An investigation by PBS Frontline and the Washington Post’s Dana Priest showed that “many states have yet to use their vast and growing anti-terror apparatus to capture any terrorists; instead the government has built a massive database that collects, stores and analyzes information on thousands of U.S. citizens and residents, many of whom have not been accused of any wrongdoing.”
Despite the ample evidence of these expansive “national security” powers being used on ordinary citizens, the government has only continued down the same path. Just last month, the National Counterterrorism Center drastically changed its rules so it can now copy entire databases from other federal government agencies and keep information on citizens for up to five years—even if they’re completely innocent.
Wrongdoing and Abuse Go Unchecked
Of course, with such unchecked power, abuse is inevitable. In 2010, EFF learned through Freedom of Information Act requests indications that the FBI—one of the many agencies that might receive private communications via CISPA—may have committed upwards of 40,000 possible intelligence violations in the nine years since 9/11—many of which were done under the PATRIOT Act. In addition, we’ve found evidence of the FBI "lying in declarations to courts, using improper evidence to obtain grand jury subpoenas, and accessing password-protected files without a warrant."
Incredibly, it recently emerged the FBI may have not only condoned this type of behavior, but encouraged it. Wired recently published an FBI memo on agent training that said, “Under certain circumstances, the FBI has the ability to bend or suspend the law and impinge on freedoms of others” and cited various wiretapping laws in national security investigations. (emphasis ours)
Increased powers of the National Security Agency
CISPA’s author Rep. Mike Rogers has tried to stave off criticism that CISPA would lead to government abuse by insisting that the bill allows citizens to sue the government if it misuses their information. But this provides very little comfort. Any such lawsuit will be difficult, if not impossible, to bring. The government can attempt to use the same “national security” exception in CISPA that allows them to use the information for other purposes to escape liability.
First, the statute of limitations for such a lawsuit is two years from the date of the actual violation. It’s not at all clear how an individual would know of such misuse if it were kept inside the government. Given that the National Security Agency is notoriously secretive—its employees even used to refer to it as “No Such Agency”—they may attempt to prevent users from finding out exactly how this information was ever used. And a provision in CISPA that provides an exemption to the Freedom of Information Act for all private information handed over by companies for anything cybersecurity related will just make it harder.
But even if a user knew the government was misusing his or her information, litigation would be difficult, expensive, and time consuming, given that if classified information or national security is involved, the government may invoke the “state secrets privilege.”
EFF has been involved for years in a lawsuit over Fourth Amendment and statutory violations stemming from another abuse of the government’s claimed ‘national security’ powers—the NSA’s warrantless wiretapping program. Given the NSA may be a recipient of “cyber threat information” in CISPA, they stand to gain more power to spy on Americans despite laws that would otherwise prevent them from doing so.
Despite six years of litigation, the government continues to maintain that the “state secrets” privilege prevents lawsuits over the warrantless wiretapping program from being heard, arguing that even if the allegations are true, the suit should be dismissed because of—you guessed it—national security concerns. The same state secrets privilege has been invoked in other cases involving the CIA’s extraordinary rendition program and their authority to target Americans in drone strikes overseas with no judicial safeguards.
CISPA will create yet another tool for the government to expand its already massive national security apparatus, and in turn, erode ordinary citizens’ rights, while giving them virtually no recourse if their civil liberties are violated. The House of Representatives is beginning debates on CISPA tomorrow, with a vote coming no later than Friday. Join EFF in opposing CISPA by calling, emailing, and tweeting at your Representatives.
The House of Representatives is now poised to vote on the Cyber Intelligence Sharing and Protection Act (CISPA), which would allow companies to monitor our online communications and share private information about users with the government.
CISPA would let companies bypass all existing privacy law as long as they claim a "good faith" belief that they are doing so for cybersecurity purposes. These exemptions would allow a huge trove of data to end up in the government's hands with no judicial oversight.
House leadership is pushing for a vote on CISPA this week. Please call your Representative now and urge them not to sacrifice the civil liberties of Internet users in the name of cybersecurity legislation.
Click here to find your Representative's phone number and a short script of suggested talking points.
Once you've made the call, please share this on your social networking sites and ask your friends to join you. We need to get as many calls as possible today, before the legislation can be rushed through, so please help spread the word.