An Open Letter From Security Experts, Academics and Engineers to the U.S. Congress: Stop Bad Cybersecurity Bills
Today, a group of prominent academics, experienced engineers, and professionals published an open letter to members of the United States Congress, stating their opposition to CISPA and other overly broad cybersecurity bills.
We are writing you today as professionals, academics, and policy experts who have researched, analyzed, and defended against security threats to the Internet and its infrastructure. We have devoted our careers to building security technologies, and to protecting networks, computers, and critical infrastructure against attacks of many stripes.
We take security very seriously, but we fervently believe that strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties.
The bills currently under consideration, including Rep. Rogers’ Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523) and Sen. McCain’s SECURE IT Act (S. 2151), are drafted to allow entities who participate in relaying or receiving Internet traffic to freely monitor and redistribute those network communications. The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users' private communications to US Federal agencies, and lacking good public accountability or transparency, these “cybersecurity” bills unnecessarily trade our civil liberties for the promise of improved network security. As experts in the field, we reject this false trade-off and urge you to oppose any cybersecurity initiative that does not explicitly include appropriate methods to ensure the protection of users’ civil liberties.
In summary, we urge you to reject legislation that:
- Uses vague language to describe network security attacks, threat indicators, and countermeasures, allowing for the possibility that innocuous online activities could be construed as “cybersecurity” threats.
- Exempts “cybersecurity” activities from existing laws that protect individuals’ privacy and devices, such as the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act.
- Gives sweeping immunity from liability to companies even if they violate individuals’ privacy, and without evidence of wrongdoing.
- Allows data originally collected through “cybersecurity” programs to be used to prosecute unrelated crimes.
We appreciate your interest in making our networks more secure, but passing legislation that suffers from the problems above would be a grave mistake for privacy and civil liberties, and will not be a step forward in making us safer.
- Bruce Schneier. Prominent security researcher and cryptographer, published seminal works on applied cryptography. Active in public policy regarding security issues; runs a weblog and writes a regular column for Wired magazine.
- David J. Farber. Distinguished Career Professor of Computer Science and Public Policy, Carnegie Mellon University. Designer of the first electronic switching system. Was a major contributor to early programming languages and computer networking. EFF board member.
- Donald Eastlake. Original architect of DNS Security, network security expert. Chair of IETF TRILL and IETF PPPEXT working groups.
- Peter Swire. C. William O'Neill Professor of Law, Ohio State University. Former Assistant to President Obama for Economic Policy, and former Chief Counselor for Privacy in the U.S. Office of Management and Budget.
- Eric Burger. Research Professor of Computer Science and Director, Georgetown Center for Secure Communications, Georgetown University. Chair of multiple IETF Working Groups.
- Tobin Maginnis. Professor of Computer and Information Science, University of Mississippi. Operating system researcher, GNU/Linux expert, Web architecture researcher and networking expert.
- Sharon Goldberg. Professor of Computer Science, Boston University. Network security researcher, member of FCC CSRIC working group on BGP security.
- Peter G. Neumann. Principal Engineer, SRI International Computer Science Laboratory; moderator, ACM Risks Forum. Affiliation listed for purposes of identification only.
- Stephen H. Unger. Professor Emeritus, Computer Science and Electrical Engineering, Columbia University. Board of Governors of IEEE Society on Social Implications of Technology (SSIT).
- Geoff Kuenning. Professor of Computer Science and CS Clinic Director. Harvey Mudd College. File system researcher, built the SEER predictive hoarding system to predict what files mobile users will need while disconnected from a network.
- Benjamin C. Pierce. Professor of Computer and Information Science, University of Pennsylvania. Research on differential privacy, which allows formal reasoning about real-world privacy.
- Richard F. Forno. Lecturer of Computer Science focused on cybersecurity, signing as a private citizen.
- Jonathan Weinberg. Professor of Law, Wayne State University. Chair of ICANN working group, and expert on communications policy.
- Joseph “Jay” Moran. Distinguished engineer, AOL technical operations. Experienced executive working in technical operations and engineering for 20+ years.
- Dan Gillmor. Technology writer and columnist. Director of Knight Center for Digital Media Entrepreneurship at Arizona State University, Fellow at the Berkman Center for Internet and Society, Harvard University. EFF Pioneer Award winner.
- Armando P. Stettner. Technologist and senior member of IEEE, spearheaded native VAX version of Unix.
- Gordon Cook. Technologist, writer, editor and publisher of “COOK report on Internet Protocol” since 1992.
- Alexander McMillen. Entrepreneur and CEO, Sliqua Enterprise Hosting.
- Sid Karin. Professor of Computer Science and Engineering, University of California, San Diego. Former founding Director of the San Diego Supercomputer Center (SDSC) and National Partnership for Advanced Computational Infrastructure (NPACI).
- Eric Brunner-Williams. CTO, Wampumpeag. Signing as an individual.
- Lawrence C. Stewart. CTO, Cerissa Research. Built the Etherphone at Xerox, the first telephone system working over a local area network; designed early e-commerce systems for the Internet at Open Market.
- Ben Huh. Entrepreneur, CEO Cheezburger Inc.
- Dave Burstein. Editor, DSL Prime.
- Mikki Barry. Managing partner, Making Sense of Compliance.
- Blake Pfankuch. Network engineer.
- John Peach. Systems Administrator with 20+ years of experience.
- Valdis Kletnieks. IT Professional, Virginia Tech University.
- Darrell Hyde. Director of Architecture, Hosting.com.
- Ryan Rawdon. Network and Security Engineer, was on the technical operations team for one of our country's largest residential ISPs.
- Ken Anderson. VP of Engineering, Pacific Internet.
- Andrew McConachie. Network engineer working on Internet infrastructure.
- Richard Kulawiec. Senior network security architect with over 30 years experience.
- Aaron Wendel. CTO, Wholesale Internet, Inc.
- David Richardson. Center for High Performance Computing, University of Utah.
- David M. Miller. CTO / Executive VP for DNS Made Easy.
- Marshall Eubanks. Entrepreneur and CEO, America Free TV.
- Edward Arthurs. Manager of Network Installations, Legacy Inmate Communications, Legacy Contact Center, Legacy Long Distance Intl. Inc.
- Christopher Liljenstolpe. Chair of the IETF Operations and Management Area Working Group. Chief architect for AS3561 (at the time about 30% of the Internet backbone by traffic) and AS1221 (Australia's main Internet infrastructure).
- Christopher McDonald. Vice President, PCCW Global.
- Joseph Lorenzo Hall. Research Fellow focused on health information technology and electoral transparency, New York University.
- Ronald D. Edge. IT expert.
- David Henkel-Wallace. Vice President of Engineering. Terrajoule Corporation.
- John Pettitt. Internet commerce pioneer, online since 1983, CEO Free Range Content Inc.; founder/CTO CyberSource & Beyond.com; created online fraud protection software that processes over 2 billion transactions a year.
- Ben Kamen. I.T./EE Professional.
- Christopher Soghoian. Graduate Fellow, Center for Applied Cybersecurity Research, Indiana University.
- Jo Young. IT professional.
- Mark Hull-Richter. Senior software engineer.
- Joop Cousteau. VP, Global Network Technology. KLM Airlines USA Ltd.
- Jonathan Mayer. Graduate researcher, Security Lab and the Center for Internet and Society, Stanford University.
- Jeremy Sliwinski. Network engineer with 10+ years of experience.
- Nathan Syfrig. Software Engineer and IT Consultant.
- Brion Swanson. Senior Software Engineer.
- Seth Johnson. Information Quality Specialist. Coordinator, The Internet Distinction.
- Danny Moules. Security Consultant and Professional Member of BCS, The Chartered Institute for IT.
- Geoff Dahl. Entrepreneur and CEO of SC5 Managed Hosting.
- Eric Tenenbown. Network Engineer.
- Mike Dunn. System technician.
- Patrick Loftus. Software engineer with 10+ years of experience.
- Tom Halladay. Senior Software Developer with 10+ years of experience.
- Sebastián García. Security Researcher. UNICEN University, Argentina.
- Roger Nebel. CISO Defense Group, Inc., Georgetown University Adjunct, 30+ years of experience, signing as a private citizen.
- David Baker. IT Consultant.
- Robert Mathews. As a private citizen.
- Leo A. Dregier III. IT security expert with 15+ years of experience.
CISPA is going to the floor this week, but it is just the first among many cybersecurity bills that will be considered. If you are an academic, technologist, or professional in this space and would like to add your name to this letter for CISPA or future bills that suffer from similar problems, please email dan+letter at eff dot org.