Why Your Data Is Safer With Facebook Than Washington

We all know the internet is a terrifying place. Careers hang in the balance based on unsavory Tweets. People film themselves playing covers of "Call me Maybe". Rock-a-fire Explosion exists. But aside from individual pratfalls, and mind-blowing acts of goofballism, the Internet also provides yet another front for defense and security experts to worry about. That concern is wrapped into Obama’s and Romney’s respective stands on the Internet itself: Yes, it should be free and open because this is America, but we also need to make sure no bad stuff happens because of it.

What the U.S. government will actually do to address those concerns — as well as appease the copyright and tech lobbies — is yet to be seen, but we’ve got a good idea how legislation will shake out. Last year, Congress laid down its (controversial) vision by drafting the Cyber Internet Security and Protection Act (CISPA), which passed in the House, and still awaits a vote in the Senate. CISPA allegedly would allow the federal government to receive private information via internet service providers, regarding potentially unlawful or threatening activity If you've heard anything about the proposed legislation, you have probably had fears of government agents sifting through your private information, taking notes on your cache of porn, or spying on whose Facebook profile you stalk the most.

While the idea of the government monitoring Internet use is unnerving, legislation often gets misinterpreted by amateurs. Thus, I set out to speak with an expert on internet security and intellectual property issues to figure out what exactly would happen if CISPA or a clone gets passed. Henry Cittone is the managing partner of Cittone & Chinta LLP, a firm that has worked in intellectual property for the past 10 years. The firm handles copyright, trademark, and patent litigation, and is regularly called upon to opine on DMCA compliance and data privacy issues. He was nice enough to chat with me about CISPA hype and what's likely to happen when Washington decides to regulate the web.

Of Congress’ attempts to pass a cybersecurity bill, CISPA probably came the closest to becoming law. What is it actually designed to do?

I could start out by saying what it doesn't do. CISPA does not mandate that Google or Twitter or anyone else send data to the government for storage. That's one thing that I think that's not been stated. But there's a huge "however…" The reality is that the Federal Government is proposing to use information from companies that collect this data because it's incredibly useful to them. What it does is allow for sharing; the Federal Government collects cyber threat information, however they collect it, so they have this trove of data of cyber security threats.

So Google, your search providers, Visa, any qualifying entity under the Act, that collects data can share it with the government. And the government can, for its own reasons share data with those entities. So it does enable better cooperation, in terms of if there is an attack. However, the Act is fairly broad when you start to allow companies to give data to the government like this, you don't really know what they're going to do with it.

The main fear people seem to have is that the government will have access to everyone's private information. Are those fears legitimate?

It's going to be if CISPA is approved, but it's only passed the House, it has not passed the Senate, and Obama has threatened to veto it. I'd be surprised if it becomes law, at least in its present form. Because you've got section 1104(A) "the director of national intelligence shall establish procedures to allow elements of the intelligence community to share threatening intelligence with private sector entities." That's fine, I mean nobody should have a problem with that because if the government knows that Visa's going to be targeted by Anonymous, then the director of national intelligence should be able to pick up the phone and call the guys over at the credit card processors and be like, "Hey, we have information that there's going to be a huge ass attack coming out the pipe, you might want to get ready."

So what is the problem?

The problem comes in when you get to B, which is the sharing provision. You've got B(2) here, "sharing with the Federal Government," I think this is really what's ticking people off. It creates a formalized system, so you don't have all these different law enforcement agencies overlapping. They're going to create this one stop shop basically under the national cyber security and communications integration center. So all of the reporting's going to go to that center and all that data's going to get stored and that's what the problem is. The companies are allowed to determine what they perceive to be reportable data, what they think constitutes a threat.

The reality is it's probably going to just all get stored in some sort of gigantic mineable database because the more data you have, the better. Right now all of the stuff you do on the internet is all governed by contract, I mean Google has its Terms of Service, 'we mine data but we swear to god we will remove your name so no one will know what kind of porn you download and other private stuff people are worried about in this country.'

When they send that data, they are removing the identifying information from it?

I would doubt it. To do cyber security, you're going to need IP addresses and you're going to need to trace it back. They do the same thing when they go for child porn rings, they get these people to accept some contraband from the FBI and then they go back and look at the IP addresses that they identify and they go back and subpoena the ISP address and go, "who's at this address, who's account is this?"

Given the need for national security, what is getting people so riled up? Protecting against child pornography and fighting terrorism are good things right?

Yeah, those are. But we have the requirement to get search warrants for this stuff. The issue is that policies are abused. The problem is none of this stuff is ever used for its intended purpose. You saw in the Do Not Fly list, where they put political people on it like senators that they didn't like, that couldn't have been by accident at that time. So who knows what they're really going to do with the data, they're not going to tell you if they're doing something non-permissive with it.

Since the Act doesn't require a search warrant, the question is, is this data private? It probably isn't really, I mean people think it is. If you ever had the chance to administer a small business, I can read everybody's email in my company. I don't want to read everybody's email; I am allowed to.

—

Which means there's no such thing as privacy on the internet. There's things you can do to make yourself more private by entering into agreements with companies like Facebook where only your friends to see things you post. But at the end of the day, that's a private contract, there's no constitutional right to privacy on their end or to a warrant with search, and maybe there should be. Maybe the Fourth Amendment needs to catch up. I think that's what the issue is.

Is there a way for CISPA to be amended, or better worded to clarify what information would be legal to send?

I don't know if it can be. I think it needs to end up being with a search warrant process. And if we need more judges, and we already have a special court for terrorism, if we need a cyber security panel of judges that issues warrants rather quickly on some sort of review, at least there's some sort of independent review of what these people are gathering. A few things that really bother people with this is that you can't find out what they've collected. Why does that need to be there?

The other thing is that a lot of people got what they wanted in this Act but the citizens didn't. Here's one: C(iii): "the information collected shall not be used by the Federal Government for regulatory purposes". So these ISPs or websites are all regulated by the FCC or various other entities, so if there's stuff in there the FCC might want to know about, or somebody else might want to know about, federal trade commission, antitrust stuff, they can't look at it. So the sharer has no risk at all, they're protected because it can't be used.

Then, they have exemptions for lawsuits too; the only way you can sue is if they did it intentionally for bad purposes. But even if you're violated, you can only sue for 1000 bucks and the costs of your attorney's fees, big whoop. Plus, chances are you will never know you're violated unless you're a criminal that's actually been targeted for investigation by the FBI. Realistically the government probably isn't going to use this to go after individuals unless they're actually doing illegal activities.

Also, there is this affirmative search restriction, it says the federal government may not affirmatively search cyber threat information shared with the federal government in subsection (b) for purpose other than a purpose referred to in that big list of child porn, and terrorists, and all kinds of bad people that we don't like and really don't care about. That's probably the big issue here, we are eliminating everyone's civil liberties, criminals and non-criminals – civil liberties apply to everybody or they apply to nobody at the end of the day.

And another thing to point out is some of the weasel language, "may not affirmatively search this collection of information." Who knows how that's going to be interpreted? It didn't say, 'may not search,' it said "may not affirmatively search." So "affirmatively" is probably put in there for a reason, they're probably looking to say, "hey if we find out in the course of our terrorism investigation that there's some bank fraud, we can use that because we weren't 'affirmatively' looking for it." A lot of this is hyperbole on my part, to a certain extent, because I have no idea what they're going to collect under this law.

So the companies have regulatory immunity, but individuals do not. Could they build in an immunity to limit the searches to child porn, crime and national security?

They could if they wanted to, they built it in for the companies. They said "we're not going to do regulatory actions against you based on the stuff we find in here, so don't worry."

But then it's a moral issue too. Child porn is an individual crime, and that's in there big time because it's a hot button social issue right now, but then if this is really for national security, I would, even though people might hate me if they see this in print, say take the child porn thing out of there if you're really worried about threats of denial of service attacks and other security threats.

Because if you look at the lists, it just doesn't make a lot of sense, it's like security purposes, crime, and then they've put in these: protecting individuals from danger of death, and (d) is the porn thing because again that's a moral issue because if we know about it we have to stop it, we can't just keep letting it happen.

But if it's death, or a money launder thing, it's probably not going to be on the radar, but it could be because once you have the data there, it's fairly easy to monitor.

Again they're probably just collecting hacking information, so sort of taking the other side for a minute, if the companies only provide what they're supposed to provide under this act, which is the hacking and denial of service stuff, then how are they looking for direct threats and child porn? They're looking for individual activity then, so I'm sort of torn to take the conservative view on this because if you were really just looking for data about who's connecting to the internet and what they're doing, you aren't really locating a defined "danger," you're going to have to look at forum posts and emails, otherwise you're not going to really get that from data, you'll just have a bunch of data and logins and people going from interfacing computers and what not.

If CISPA were to go through a number of reforms, even in light of reactions to SOPA and PIPA, is this at all likely to go through?

Not under the current administration. The problem is that this is being talked about, and I could only guess that this was done in consultation with government agencies and corporations like Microsoft, so this is something that's on the wish list of homeland security: "We want big brother, we want to be able to get this data because we can make everyone so much more secure as long as they're doing what we want them to do."

There already are systems in place to protect our security, we don't need this. It's not like the companies are so impotent that they can't figure out when they're being hacked, they can do that on their own, they already do that all the time. They're usually the ones that notify law enforcement, "hey we noticed that these people tried to do a DNS on us," you see some massive failures, but some of that is that they're using a really old encryption method, but that being said, the private industry has for the most part been very good at stopping or preventing attacks and the reality is they have the tools to stop attacks. It's not like the NSA is going to launch any criminal weapons to stop it or something.

I don't know what homeland security can do to stop a cyber attack. I doubt they have the same capabilities as Google, Comcast, and Verizon. I mean, they have an office to investigate crimes after the fact, and that's fine. They'll get those reports, that's what the government should be doing. As far as the preventative stuff I really think the front line is more the individual operator of the system. I think its better in this case to have in effect private law enforcement. We allow people in this country to keep guns in their house to protect their home because the cops can't get there in time, so why don't we allow Verizon or Comcast to guard their own computer systems? They're already doing it anyway.

Right. You mentioned that's already happening, they already are able to monitor your ISP.

They know exactly what you're doing.

What exactly is the difference between being monitored by a company, and being monitored by the government?

The difference is what the government knows about them. If Google knows about something or Zuckerberg knows what I'm doing on Facebook, it's a bit different than if the cops down the street know because presumably Zuckerberg or Google care about gathering data but they don't care about the individual user. They care about what a million people do on the internet that are similar to the individual, because now we have a million individuals at least in one particular profile. And they use that data for marketing purposes, that's how Facebook will monetize.

Remember in the McCarthy period when they went after people who checked books out from libraries? This country has a lot of social conservatives. You might not care if Google knows, or if Zuckerberg knows. But there's a difference because the government has guns, Google can't shoot you.

—

The government has the right to use violence, they have the right to imprison people, they have the right to investigate people, they can get you fired. Just an investigation is enough to ruin someone's life, so you don't necessarily want the government looking at everything that you're doing on the Internet versus private entities. There's a big difference when someone has the authority to use force over you.

The worst thing an ISP can do is shut down access to their ISP, whereas the government can keep this data forever whether there's threats in it or not, and they can mine it and do whatever they want with it.

But this real debate is about privacy.

Well, here in section 7, "The Federal Government may," remember that word, "consistent with the need to protect Federal systems and critical information infrastructure from cyber security threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection c." "May." Okay, so I'm running a government agency, and I have a limited budget and you get the statute that says we're implementing this, guys, but by the way section 7 isn't mandatory so you don't have to do it if you don't want to. 'Now we can save a couple million bucks and direct that to something else that were already shorter funds on.'

So section 7 will never be implemented, there's no office created for article C, protection in here, there's no officer in charge to make sure that this stuff complies. I mean even private companies have got compliance officers to ensure there's compliance. I don't see any sort of compliance provision here, and that might be the answer to your question of what could be amended. They could create that office, to look over their shoulders, and if you're doing what you're supposed to be doing, busting terrorists and hackers, awesome. But the minute I see you get a call from some senator that wants to know what some other senator is doing, or vice versa, or wants data…

So you can see that all this data can be misused, the government has misused data in the past. There are numerous examples of the government misusing data in the past. It's not like these guys are clean, you’ve got McCarthy, you’ve got misuse of the wired data for industrial espionage back in the 80's. You can go and research numerous examples of the government misusing the data it collects, either illegally, or under the table or even legally. We shouldn't necessarily give them a free pass to do this, just to sort of trust them that everything's going to be okay, because they've been trusted before and they failed, and human beings don't change. The government is run by people, and there may be ideals here that are very good, but at the end of the day the government's run by people, and ideals get subverted by other interests.