More than a year after the start of the "Arab Spring," large portions of the Middle East remain in upheaval. Even in the most stable of countries, press freedom--and by extension, online freedom--remains up for debate. We've highlighted the ongoing debate in Tunisia over online filtering, and have touched on new threats to bloggers in several countries. This week it is legislative proposals in both Iraq and Lebanon that have us on alert.
Iraq's Harsh Informatics Crime Law
All eyes are currently on Baghdad, where an Arab League Summit is taking place. But, as the Economist notes, "once the dignitaries and television cameras [have departed]," a broadly-worded bill that would severely punish thought crimes is due to come up in front of Iraq's Parliament. According to a translation from the Centre for Law and Democracy, Article 3 of the Act includes mandatory life sentences for using computers or the Internet to:
"compromise" the "unity" of the state;
"subscribe, participate, negotiate, promote, contract or deal with an enemy ... in order to destabilize security and public order or expose the country to danger";
"damage, cause defects, or hinder [systems or networks] belonging to security, military, or intelligence authorities with a deliberate intention to harm [state security]".
Under Articles 4 and 5 of the bill, life imprisonment is also imposed upon those who establish or manage a website with deliberate intent to:
promote "ideas which are disruptive to public order";
"implement terrorist operations under fake names or to facilitate communication with members or leaders of terrorist groups";
"promote terrorist activities and ideologies or to publish information regarding the manufacturing, preparation and implementation of flammable or explosive devices, or any tools or materials used in the planning or execution of terrorist acts";
facilitate or promote human trafficking "in any form";
engage in "trafficking, promoting or facilitating the abuse of drugs".
Other articles of the Act aim to provide legal protection for the "legitimate use of computers and information networks" and to "punish the perpetrators of acts which violate the rights of users whether they may be individuals or legal entities." The more alarming elements of the Act include provisions to punish those who utilize information networks to "create chaos in order to weaken the trust of the electronic system of the state," "provoke or promote armed disobedience," "disturb public order or harm the reputation of the country," or "intrudes, annoys or calls computer and information network users without authorization or hinders their use." The penalties for these proposed crimes range from 3 months to life in prison.
There are also extreme penalties related to copyright--2-3 years imprisonment for publishing or copying "any scientific research work, literary, or intellectual properties which belong to someone else and is protected by international laws and agreements"--and hacking, punishing those who access "a private website of a company or institution with the intent to [change, modify, delete or unduly use it]."
The human rights group Access has issued an extensive report detailing the many troubling facets of the proposed Act, calling it "vague, broad, and overly harsh." We couldn't agree more: Iraq's new bill presents a grave threat to free expression and innovation. While the harsh, disproportionate sentences are most egregious, the overbroad wording of most of the articles would strip away protections for the press, whistleblowers, activists, and even ordinary citizens.
It is worth noting that while Iraq has placed restrictions on the press, there has been no previous evidence of website blocking, although reports have suggested that Iraqi authorities struck a deal in 2009 with a French company to implement a "security system" that would allow both surveillance and blocking of sites.
Part of the reason, perhaps, that Iraq is now cracking down is the low number of Internet users in the country: an estimated 2.5% of the total population, according to the International Telecommunication Union (ITU). The number of people who access the Internet via mobile devices in Iraq is on the rise, however, with an estimated 33% of Iraqis getting news via their mobile device (that same survey states that 28% of Iraqis use the Internet for news).
Regardless of the true number of Internet users in Iraq, two things are certain: Iraqis are increasingly using the Internet and this proposed Act would severely limit their ability to do so. We echo Access in advising the Iraqi Parliament to conduct a proper human rights impact assessment of the Act and engage with civil society actors and technologists to revise the bill.
Lebanon's Internet Regulation Act Hurts Bloggers
Lebanon's press is among the most liberal in the Middle East. Though self-censorship is prevalent and the country's 1963 press law limits the number of press licenses issued for political publication, Lebanon's uncensored Internet has filled that void in many ways, allowing independent websites to offer a broader range of opinions than are available in print.
Now, the Lebanese Internet Regulation Act (LIRA) proposed by Lebanon's Minister of Information, M. Walid Daouk, threatens to disrupt online space. The Act would limit what bloggers and independent media sites (as well as ordinary citizens, and even politicians) can and cannot say online, as well as where they can express themselves.
The proposed law [text in Arabic, rough translation in English available here] would prohibit any publication by electronic means "affecting the morals and ethics" of Lebanon, as well as anything related to gambling. Furthermore, Article 4 of the law would require website owners to register with the Ministry of Information and report identifying information such as their name, address in Lebanon, and contact information. Article 4 would also place conditions on who can own a website, restricting those convicted of a misdemeanor or felony, as well as those who have legal immunity (which includes parliamentarians), and limit site owners to owning only one website.
Article 6 of the Act would bring websites within the purview of the existing Press Law 382/94, which was initially devised to authorize private audiovisual channels to operate in Lebanon. Article 7 would apply to the Internet existing laws that govern published and broadcast advertising. Furthermore, Article 8 would authorize the country's press court to handle all violations and legal disputes arising from electronic media work.
Lebanon's blogger community has been vocal about the proposed law, which would undoubtedly hinder their freedom of expression. One concern that has been raised again and again is what constitutes a website. With ever-increasing participation on social networks, will Lebanese who have pages on both Google Plus and Facebook be held liable for their "ownership" of them?
Using the hashtag #StopLIRA, Lebanese netizens have protested the bill. There is also a video explaining why LIRA is problematic and it calls on the global community to stand in solidarity against it. Additionally, Ontornet--an organization primarily concerned with the implementation of high-speed affordable Internet in Lebanon, but also involved in digital rights activism--conducted an interview with Minister Daouk regarding the Act, but concluded that the government has no plans to listen to the outcry against LIRA.
EFF supports the local opposition to LIRA and calls on the Lebanese Ministry of Information to consult with the country's online community in re-drafting the law.
The proposed legislation mandated compulsory civilian ID cards containing a chip designed to store personal and biometric information, including home address, marital status, eye colour, and fingerprints. Proponents argued that the biometric ID card would be used to stop “honest folk” from becoming the victims of identity fraud. In fact, the law would have enabled the "honest folk" database to be used for criminal and judicial purposes. The Conseil correctly determined that such uses constituted a serious incursion into the right to private life, disproportionate to the law’s stated objective.
Another provision in the law would have allowed for a second, optional chip to be used for online authentication in e-commerce transactions. The Conseil determined that such use would require too broad a range of personal data to be collected without any guarantees of security and confidentiality. Furthermore, it condemned the law's vague conditions for authenticating individuals, especially minors. EFF welcomes the Conseil's decision to strike out substantial parts of the legislation to protect privacy. Nevertheless, the Conseil should explain its reasoning, which it left unstated, for leaving significant anti-privacy portions of the law intact, namely biometric data collection for the purpose of preventing ID fraud.
The argument for biometrics is predicated on the flawed assumption that a national biometric ID scheme will prevent identity fraud. Massive databases already invite security breaches, and a biometrics database of this scale is a honeypot of sensitive data vulnerable to exploitation. Such a data breach is not just costly; it is irreversible: you cannot change your fingerprints or your irises.
This decision of the Council's should not be interpreted as being either in favour of biometrics or against it. Nor is the Council expressing any opinion either in favour of a register of biometric data or against it. What the Council is saying is that the safeguards involved in the creation and deployment of this register are inadequate. In the circumstances, the Council is not in a position to over-ride the wishes of the legislature.
The Conseil's ambivalent statement is politically understandable. Regulators tend to romanticize the security and accuracy of biometric systems. In fact, there is a lack of evidence to demonstrate the reliability and proportionality of this new technology. Jean Marc Manach, a blogger and journalist from Owni.fr, argues that biometrics has proven inaccurate and therefore ineffective in fighting identity fraud or anything else. As long ago as August 2009, The Register suggested that our trust in biometric technology is a delusion.
Last year, a French report revealed that 10% of biometric passports were fraudulently obtained [French]. The introduction of biometrics is exacerbating the problem of identity fraud instead of solving it. The French government already has several powerful surveillance technologies available to track people's movements, including mobile phone logs, web usage logs and credit card usage logs. They must provide evidence first that they can use this technology to enhance security before spending taxpayer money on another National ID biometric scheme.
The proposed collection of this vast amount of biometric information gives governments too much unchecked power and opens the door for government abuse. In their referral to the Conseil, French parliamentarians quoted Martin Niemöller's chilling poem "First they came." They argued that had this kind of database existed during WWII, the Nazis and collaborators in Vichy France could have more easily arrested French Résistance fighters based on their fingerprints or facial scans.
In 2011, EFF, as one of 80 civil liberties organizations, requested that the Council of Europe investigate whether national biometric ID laws in Europe comply with the Council of Europe Privacy Treaty and the European Convention on Human Rights.
In light of the long list of privacy concerns surrounding biometrics, and the guarantee of future security breaches, biometric national ID laws cannot be justified. As more nations continue to adopt and implement biometric ID laws, now is the time for the Council of Europe to comply with its duty to seriously confront all of these issues. Under our watch, we refuse to let states collect massive amounts of biometric data without regard to our privacy rights.
H.O.P.E. stands for Hackers On Planet Earth, one of the most creative and diverse hacker events in the world. HOPE Number Nine will be taking place on July 13, 14, and 15, 2012 at the Hotel Pennsylvania in New York City. If you haven't been before, this is the year to attend. For every ticket purchased in the month of April, conference organizers 2600: The Hacker Quarterly are donating 10% of the proceeds to EFF--so buy your tickets today!
For three full days and nights you can explore hackerspace villages, film festivals, art installations, vintage computers, and electronic workshops, savor the country's biggest supply of Club-Mate, and attend the host of provocative talks that HOPE has become well-known for offering. Join thousands of hackers to hear this year's keynote on hacking corporations by famous troublemakers and EFF clients The Yes Men, as well as these exciting talks from EFF staffers:
Staff Attorney Hanni Fakhoury will talk about the law on location data, and what the Supreme Court's recent U.S. v. Jones ruling means for the future of warrantless surveillance.
Senior Staff Attorney Marcia Hofmann will talk about protecting your data from the cops.
Activist Eva Galperin will talk about the Google+ Nymwars and the struggle to maintain a space for anonymity and pseudonymity on the Internet.
Web Developer Micah Lee will give some privacy tips for web developers building activist websites.
On Monday, a joint Commons and Lords committee published a report urging Google and other sites to take proactive steps to monitor their search results in order to protect the privacy of certain individuals. As a result, a committee of Parliamentary members has begun pushing for legislation to force search engines and social networks to censor themselves. The committee, set up by the prime minister, arose out of increasing controversies and injunctions to protect people’s online image.
Committee chair John Whittingdale stated, "It is clear that media self-regulation under the [Press Complaints Commission] did not work. We therefore wish to see a stronger self-regulatory system that is seen to be effective and commands the confidence of the public." Citing the high cost of legal action, the committee claims that self-regulation by companies would be the optimal way of dealing with claims of privacy violation.
There have been an increasing number of censorship cases in the UK. In February, members of the UK Parliament concluded in a report that the Internet plays a major role in the radicalization of terrorists and called on the government to pressure Internet Service Providers in Britain and abroad to censor online speech. On a more local level, a small district court in Swansea sentenced a university student to jail for 56 days after he admitted to having posted racially offensive comments on Twitter about soccer player Fabrice Muamba, who had collapsed from cardiac arrest during a game in March. The district judge, after calling the comments "vile and abhorrent," told the student, "I have no choice but to impose an immediate custodial sentence to reflect the public outrage at what you have done."
Censorship is most alarming when states use state security or supposed social appropriateness to justify their action. The fact of the matter is that speech is speech. When governments and their courts are left to decide what kind of speech is “good” or “bad” for society, there's an increased threat that those authorities will abuse their power to silence anyone in the name of the public good.
United Arab Emirates
United Arab Emirates authorities briefly detained Islamic scholar and political activist, Mohammed Abdel-Razzaq al-Siddiq, on Sunday for comments he made on Twitter. Mohammed was arrested for criticizing a sheik of one of the emirates (city-states). He was arrested Sunday at dawn and was released by the end of the day.
Earlier this month, blogger and activist Saleh AlDhufair was arrested for criticizing repressive actions by state authorities on his Twitter account and blog. He remains imprisoned and could face up to 5 years in prison under new far-reaching cyber crime laws. Last summer, Emirati authorities imprisoned five activists, who were subsequently pardoned by the president in November.
Pakistani authorities shut down mobile phone networks for a day in Balochistan, one of the state's four provinces. The day was March 23, a national day known as Pakistan Day celebrating the first adoption of the constitution and its status as the first Islamic republic. The southern province was struck with chaos as people began to report blocked communications throughout the region, justified in the name of "national security." As one of the poorest regions in the country, Balochistan has had a long history of conflict with the Pakistani government due to an ongoing separatist movement that began with their refusal to accede to the state.
Such bans are a gross violation of citizens' consumer rights and Telcos should have put some pressure on the authorities to push back on such hegemonic decisions…We demand from the Government to uphold the fundamental rights of its citizens and stop playing the false alarms of "national security" to curb fundamental rights, especially freedom of expression, speech and opinion.
While the state undoubtedly has a responsibility to uphold its citizens' free speech rights, companies providing the services also have a duty to respect their customers' rights. Since the Pakistani Ministry of Information Technology backed out of its plans to subsidize a national filtering and blocking system, there is strong concern about the next steps the government will take to implement other forms of censorship of Internet and mobile communications.
A Bangladeshi court order from last week marks another recent incident of increased censorship efforts in the South Asian country. The court ordered the shutdown of five Facebook pages and a website for content deemed blasphemous against Islam, while demanding that content hosts and creators be brought to justice for "uploading indecent materials." The most chilling aspect of the order is that the court expresses a desire to find ways of facilitating future blocking of websites and pages.
Two university teachers initiated the takedowns when they filed a suit complaining about the pages and their supposed negative effects on "religious sentiments." This latest move follows Bangladeshi authorities' increased monitoring of Facebook for political expression. EFF will be monitoring future efforts in Bangladesh to block content online.
Facebook has been a popular place for Syrian Internet activists to share their opposition to the Assad regime ever since the site was unblocked by the Syrian government in early 2011. While some interpreted the Assad regime's decision to allow access to Facebook as a positive sign, others feared that the government had made Facebook available for the purpose of entrapping Syrian activists.
In the past month, EFF has reported on several instances of pro-Syrian-government hackers targeting Syrian Internet activists using malware spread through chats and emails, as well as updates downloaded from a fake YouTube site. Most recently, we've seen reports from Syrian opposition networking specialists of a phishing attack aimed at Syrian activists, spread primarily on pro-revolution forums on Facebook.
The screenshot below shows the phishing link accompanied by the following text in Arabic: Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this.
The screenshot below displays the link in a comment under a pro-revolution video. The phishing link is accompanied by the following text in Arabic: Urgent. The thug Sharif Shihada was arrested by the Free Army. Captured by Ahrar Al Qlamoun battalion... please spread the video of him denouncing the Syrian Regime... Allahu Akbar, victory to our revolution and Free Army.
The screenshot below shows the fake Facebook login page. Note the non-Facebook URL in the URL bar of the browser.
Facebook users should be especially cautious about clicking on links in the comment sections of pro-Syrian-revolution forums, especially if they are accompanied by this text. Facebook users should beware of fake pages that resemble the Facebook login page. Always check the URL bar at the top of your browser to make sure it reads https://www.facebook.com. When in doubt, type https://www.facebook.com manually to get to Facebook.
This attack steals usernames and passwords and could potentially give an attacker access to all of the private information in your Facebook account. Syrian Facebook users should also be cautious about clicking on links sent over Facebook by their friends, whose accounts may have been compromised.
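The advice above amounts to reading the whole host name in the address bar rather than looking for "facebook" somewhere in the link. As an added example (not part of the EFF post, and not code from Facebook or from the attackers described), the Python below applies that check mechanically, so a forum moderator or a cautious user can triage the links in a comment thread before clicking any of them. The allow-list of genuine login origins and the sample lure links are constructed for this example; the suspicious shapes it flags (a genuine-looking host as a prefix of a longer host, user-info before an "@", plain http, an unusual port, non-ASCII look-alike characters) are the standard ways a fake login page disguises its real address.

```python
from urllib.parse import urlsplit

# Origins at which a user should expect to see a Facebook login page.
# Assumed allow-list for this example, built from the post's advice that the
# address bar should read https://www.facebook.com before credentials are typed.
GENUINE_ORIGINS = {
    ("https", "www.facebook.com"),
    ("https", "facebook.com"),
    ("https", "m.facebook.com"),
}


def check_login_link(url: str) -> tuple:
    """Classify a link that leads to a page asking for Facebook credentials.

    Returns (verdict, reason), where verdict is "genuine", "suspicious" or
    "invalid". The checks mirror what a careful user does by eye: read the
    entire host name, not just whether "facebook" appears somewhere in the link.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # lower-cased; user-info and port already removed
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return "invalid", "malformed URL"

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "invalid", "not a web link (scheme %r)" % scheme
    if not host:
        return "invalid", "no host name"

    # "https://www.facebook.com@other.example/" puts the real host after the '@';
    # everything before it is user-info that browsers ignore for routing.
    if parts.username is not None:
        return "suspicious", "text before '@' is user-info; real host is %s" % host

    # Look-alike characters (e.g. a Cyrillic letter in place of a Latin one)
    # survive lower-casing and would not match the allow-list, so call them out.
    if not host.isascii():
        return "suspicious", "non-ASCII characters in host %r (possible look-alike)" % host

    if (scheme, host) in GENUINE_ORIGINS:
        if port not in (None, 443):
            return "suspicious", "genuine host but unusual port %d" % port
        return "genuine", "host %s over https" % host

    if ("https", host) in GENUINE_ORIGINS:   # right host, wrong scheme
        return "suspicious", "genuine host but plain http, not https"

    if "facebook" in url.lower():
        return "suspicious", "'facebook' appears in the link but the host is %s" % host
    return "suspicious", "host is %s, not facebook.com" % host


# Constructed sample links of the shapes seen in comment-section lures.
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",
    "https://WWW.FACEBOOK.COM/",
    "https://www.facebook.com.video-login.example/",
    "https://www.facebook.com@video-login.example/",
    "http://www.facebook.com/",
    "https://video-login.example/facebook/login",
    "https://www.facebook.com:8443/",
    "https://www.faceb\u043eok.com/",          # Cyrillic 'o' in place of Latin 'o'
    "mailto:someone@example.com",
]


def triage(links):
    """Return {link: verdict} for a batch of links, e.g. all links in a thread."""
    return {link: check_login_link(link)[0] for link in links}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = check_login_link(link)
        print(f"{verdict:10} {link}\n           {reason}")
```

Only the two links whose host is exactly a listed origin, over https and on the default port, come back as "genuine"; everything else is flagged with the reason a reader would want to see. The allow-list is deliberately exact-match: adding wildcard matching on "ends with facebook.com" would reopen the prefix trick the third sample demonstrates.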
EFF is deeply concerned to see targeted attacks on Syrian Internet activists increasing in number and using increasingly diverse methods. We will continue to keep a close eye on developments.
Last week, Forbes’ Andy Greenberg investigated a dangerous but largely underreported problem in Internet security: the sale of zero-day exploits to customers not intending to fix the flaws. Zero-day exploits are hacking techniques that take advantage of software vulnerabilities that haven’t been disclosed to the developer or the public. Some companies have built successful businesses by discovering security flaws in software such as operating systems and popular browsers like Google Chrome and Microsoft Internet Explorer, and then selling zero-day exploits to high-paying customers—which are often governments.
France-based VUPEN is one of the highest-profile firms trafficking in zero-day exploits. Earlier this month at the CanSecWest information security conference, VUPEN declined to participate in the Google-sponsored Pwnium hacking competition, where security researchers were awarded up to $60,000 if they could defeat the Chrome browser’s security and then explain to Google how they did it. Instead, VUPEN—sitting feet away from Google engineers running the competition—successfully compromised Chrome, but then refused to disclose their method to Google to help fix the flaw and make the browser safer for users.
“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.
While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million.
But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful.
Regardless of who the buyers are, any security researcher selling zero-day exploits to those who take advantage of vulnerabilities rather than fixing the software is responsible for making the Internet less secure for users. The existence of a marketplace for such transactions does not legitimize the practice, and security researchers should never turn a blind eye to their ethical responsibility to help improve technology. We should help ensure the Internet promotes freedom and safety, and is not a system to control and oppress.
The governments who buy zero-day exploits also bear responsibility here. The administration has repeatedly warned of a crippling cyber-attack to our infrastructure and Congress is in the midst of debating an expansive new "cybersecurity" bill that, as EFF previously explained, will likely invade users’ privacy in the name of promoting Internet security. Yet the sale and use of exploits that leave ordinary users of popular software vulnerable—a real cybersecurity threat—remains unmentioned in this cybersecurity debate.
The U.S. government has the ability to make us more secure right now with no new legislation. Anyone—including the U.S. government—who has knowledge of security vulnerabilities should notify the affected companies and help fix the problems. Keeping flaws under wraps makes millions of Internet users less safe. If exploits are used to conduct attacks on network infrastructure, either in other countries or the U.S., those who sell exploits could be complicit in such acts.
A good cybersecurity discussion would address this issue head-on. If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal. Unfortunately, if these exploits are being bought by governments for offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from everyone else, leaving technology—and its users—vulnerable to attack.
UPDATE: A prior version of this post stated that in Andy Greenberg's story, a hacker named the Grugq "implies the only reason he doesn't sell to Middle Eastern countries is they don’t pay enough." In fact, the article said the Grugq "limits his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more." We regret the error.
Issa Report Gives Federal Government C-minus on FOIA Processing
The US House Committee on Oversight and Government Reform, chaired by Darrell Issa (R-CA), released a report (pdf) that graded the federal government and its agencies on their ability to manage FOIA requests. We've documented extensively the lack of transparency in the current administration, and, for advocates following the issue, there was no surprise that the Committee's report gave the federal government a C-minus. In addition to the government's C-minus grade overall, the Department of Justice (DOJ), the Department of Defense (DOD), and the Department of Homeland Security (DHS) each individually received D's.
To conduct the report, Rep. Issa sought information about the FOIA tracking systems of 100 federal agencies. In particular, Rep. Issa requested an electronic, sortable copy of the agency’s FOIA processing “logs,” containing various information on requests and the agency’s processing of those requests. Many agencies produced incomplete logs, produced logs that tracked FOIA requests inconsistently, or couldn’t produce logs in a sortable electronic format at all. The report concluded with an ominous warning: "When agencies cannot even produce FOIA logs with basic information to Congress, it raises serious concerns about their ability to meet their legal obligations to FOIA requesters."
Administration Officials Defend Against FOIA Faults
After the release of the above-mentioned report, on March 21 a subcommittee of the US House Committee on Oversight and Government Reform held a hearing titled, "FOIA in the 21st Century: Using Technology to Improve Transparency in Government." The hearing focused on the creation of a central FOIA website for citizens to access unified FOIA instructions, but also saw witnesses defending their FOIA stats. Witnesses included administration officials from the Department of Justice, the National Archives, and the Environmental Protection Agency. Melanie Pustay, the Director of DOJ’s FOIA office, defended the government's transparency record stating that the government released records in part or in full in response to 93.1% of requests where records were located and processed for disclosure. However, releasing records, and releasing meaningful records, are often two distinct things. EFF frequently receives records that disclose virtually nothing about the topic or that have such substantial (and often arbitrary) redactions that the records are meaningless.
While the centralized FOIA website is a step in a more transparent direction, DOJ should start by concentrating on making meaningful responses to FOIA requests.
Push for Transparency in Bradley Manning Court-Martial
On Thursday, Michael Ratner, president of the Center for Constitutional Rights and the lawyer who represents Wikileaks and Julian Assange, called (pdf) on the military court in Bradley Manning's case to release documents relating to Manning's military trial. Ratner pointed to the presumption in military law of public court martials and the public’s compelling interest in access to the trial and court documents.
Ratner's letter follows a March 12 letter, (pdf) spearheaded by the Reporters Committee For Freedom of the Press and signed by more than 40 news organizations, to the General Counsel of the Department of Defense requesting DOD implement measures that will allow media organizations to review documents relating to the Manning case. The organizations asked DOD to immediately post all filings, decisions, and transcripts that don't require full classification online; to post those that do need classification review within 15 days; and to adopt other measures that will enhance the public’s access to Manning’s court-martial.
The U.S. legislature has cybersecurity on the brain. In the coming months, the House and the Senate will consider a confusing variety of cybersecurity bills--including H.R. 3523 (Rogers), H.R. 3674 (Lungren), S. 2105 (Lieberman), and S. 2151 (McCain)--all of which purport to keep U.S. companies and infrastructure safe from "cyberattacks." But as Congress continues to weigh this legislation and negotiate potential amendments, users should ask some serious questions about how these proposals will affect civil liberties, and tell Congress that we won't stand for cybersecurity bills that undermine our civil liberties. Here are four hard questions that Congressmembers should be asking about these bills--the answers to which the bills disagree on or dodge entirely.
Who will be in charge of cybersecurity?
The Rogers bill (H.R. 3523) proposes to put the military-intelligence community in charge of cybersecurity while the Lungren bill (H.R. 3674) keeps it under civilian control by putting it in the hands of the Department of Homeland Security. Given the National Security Agency’s history of secrecy and over-classification, military control of cybersecurity is a potentially disastrous outcome for those who are concerned with counter-balancing hysteria over “cyberwarfare” and “cybercrime” with respect for privacy and civil liberties. Civilian control over cybersecurity is essential if there is to be any degree of openness and transparency in U.S. cybersecurity policy.
Governmental cybersecurity programs must aim to achieve security through openness and the use of transparent, accountable processes. Governments have a special duty to their citizens to guard their privacy and civil liberties, as well as a duty to be accountable for their use of taxpayer dollars. Government programs are, by their very nature, not competing in a marketplace, where there are sometimes strong financial incentives for the clever use of secretive practices. Additionally, the sprawling nature of U.S. infrastructure decreases the likelihood of keeping secrets against adversaries and increases the potential benefits of constructive scrutiny from all corners. Simply put: open is better, and there is no way cybersecurity policy will be open under military control.
What exactly is a “cybersecurity threat?”
At this time, most of the proposed cybersecurity bills grant the government broad powers in the event of a “cybersecurity threat.” Unfortunately, we don’t know what that means. EFF has raised detailed concerns about the potential harm this vague language could do if the existing legislative proposals are passed into law. In brief, broad definitions potentially implicate tools and behaviors that security experts would NOT reasonably consider to be cybersecurity threat indicators. Just using a proxy or anonymizing service such as Tor, encryption to protect your data, or measuring your ISP’s network performance could all be construed as “cybersecurity threats” in some of these legislative proposals. People who take measures to protect their own privacy and security online in ways that EFF regularly recommends and supports could potentially be treated like criminals. And even under a more generous reading of the language, legitimate security research would be targeted and security researchers could find themselves under perpetual scrutiny as potential “cybercriminals.”
What does "information sharing" mean?
All of the proposed cybersecurity bills mandate some kind of “information sharing” or “government assistance” between the U.S. government and the private companies that have access to so much of our personal data, including email, web searches, GPS data, and our social graphs. Companies are encouraged to share information about “cyber threats” or incidents with the government, and to that end the bills grant them immunity when sharing information about threats.
Some of the proposals balance this information-sharing with privacy oversight, to make sure that shared information does not impinge on individual privacy or civil liberties, but proposals such as the Rogers bill contain no such protective language. The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for “cybersecurity purposes.” Just invoking “cybersecurity threats” is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law. Additionally, the Rogers bill places almost no restrictions on what kinds of information can be collected and how it can be used, so long as the companies can claim it was motivated by “cybersecurity purposes.” S. 2105 (Lieberman) and S. 2151 (McCain) contain similarly dangerous provisions.
As if that wasn't bad enough, "information sharing" is often just a euphemism for surveillance and countermeasures, including monitoring email, filtering content, or blocking access to websites.
Will the cybersecurity bills improve our security or not?
Ideally, cybersecurity legislation would benefit U.S. citizens by protecting government systems and infrastructure in a manner that is open, accountable, transparent, and respectful of citizens’ privacy and civil liberties. Unfortunately, there are aspects of the proposed cybersecurity bills that lead us to believe the American people will not be coming out on top.
There is little doubt that the Internet could stand to be a safer place. Major operating systems have security vulnerabilities, as does plenty of other commercial off-the-shelf software. The Internet could use more encryption, more secure protocols, and better authentication schemes. But the cybersecurity bills don't do any of these things. Instead of creating incentives for better defensive Internet security, the proposed bills take an offensive posture: more monitoring, more surveillance, and more disclosure of your private information. Not only will the cybersecurity bills fail to make us safer, they will put users' privacy and security at risk.