It’s been a year of one step forward, one step backward for Internet freedom and privacy advocates.
The tug of war over the Internet’s cherished anonymity and chaotic democracy has government on one side and the public on the other holding tight. But at one point in the not-so-distant future, the gamers and the hackers and the libertarian haters of government regulation will prove no match for reality.
Every day, the Internet becomes less safe. This isn’t just the view from Washington; it is also the view from Moscow and Paris cyber security officials in government and in the private sector.
“Cyberspace is crucial for social and economic development and we are getting to a point where attacks can destroy the Internet infrastructure,” said Alexander Ntoko of the International Telecommunication Union, a United Nations agency.
The orks – a rainbow blend of common hackers to rich cyber gangs and nation-states – are busting through the web’s door. They are armed with botnets. Their best and brightest write code in their sleep. The privacy rights of those inside the gates are casualties in a multi-billion dollar war that is fast becoming a top defense priority for Washington. Falling face first in the mud, however, might not be the end of the world when this tug of war is finished – providing legislators can assure individual rights to privacy if snared in a dragnet of online criminal investigations.
“If enough amendments can be made to protect civil liberties, then a lot of the opposition will be removed,” said Rainey Reitman, activism director at the Electronic Frontier Foundation (EFF). “We are working with Congress to make those amendments.”
More than the people vs. Hollywood
In the public fight to preserve Internet freedom, the biggest victory was the defeat of the Stop Online Piracy Act (SOPA) in January. Thousands of individuals and activist groups like the recently defunct Media Access Project convinced legislators to shelve the bill, biting the hands of many Hollywood lobby groups that feed them. It’s a rare day when grassroots activism works to defeat a bill sponsored by a major industry. But industry’s support for SOPA’s industry was actually relatively weak. The bill was also a one-trick pony focusing solely on copyright infringement, an issue everyone knew was in the interest of big media.
The latest Internet bills have nothing to do with copyright issues, and everything to do with security threats. The House of Representative’s Cyber Intelligence Sharing and Protection Act, or CISPA, and its deeper bill in the Senate, the 205-page Cyber Security Act of 2012, are different. In the tug of cyber war, these Acts are the sumo wrestler at the end of the rope, heels dug firmly into the sand. Cyber security is supported by the nation’s most powerful lobby groups, like The American Petroleum Institute and the American Bankers Association, plus a diverse group of corporations like Facebook, Boeing and Microsoft, all of whom have experienced attacks from cyber criminals that are not interested in privacy rights. On the contrary, they are out to steal private information, whether it’s credit-card account data or radar technology secrets of the F‑16.
In this fight, it’s not the people versus Hollywood; it’s the people versus a lot of big guys from a lot of different companies that have nothing to do with each other.
CISPA easily passed the house on April 26. Senate bill S. 2105 will be voted on in June at the earliest, according to the U.S. Senate Committee on Homeland Security and Governmental Affairs. It already has some deterrents on the Democratic side, like Minnesota Senator Al Franken, who argue that the omnibus bill erases decades of privacy laws allowing companies to share consumer information with law enforcement and spy agencies without facing legal repercussions. It’s the bill’s biggest downfall.
Hal Halpin, president of the Connecticut-based Entertainment Consumers Association, a group mostly representing the rights of gamers, wrote a letter to the Senate opposing the Cyber Security Act on May 10, together with like-minded associations.
“These bills were clearly written to transfer rights and responsibilities to the government and private corporations, leaving consumers rights hobbled,” Halpin said. “Right now, my browsing or searching history is private. With the passage of this bill, it is not. Politicians are supposed to be vigilant about protecting our rights, not creating legislation that erodes much of our privacy rights that stem from the Forth Amendment,” he said, referring to citizens’ right to be free of unreasonable searches and seizures.
Erik Martin, general manager at Reddit, a social media site that opposed SOPA, weighed in on the same side of the argument. “We lose credibility with our customers if they can’t trust us to protect their information.”
Yet like a TransUnion credit report, our private data is being searched all the time without us knowing. Unless individuals are involved in criminal online activity causing millions of dollars of damage, what are the chances of their private information being used by law enforcement to cause harm?
Hands off my Internet
From a Microsoft spokesman’s point of view, CISPA’s passing was the first step in the coordinated fight against cyber crime. Since November, there has been active dialogue with groups like EFF to address concerns about the House bill, and several important changes were incorporated.
As passed by the House, cyber threat and vulnerability information shared with the federal government can only be used specifically in cases related to cybercrime, national security, to protect individuals from death or bodily harm, or in child pornography cases. On the right, some legal scholars like Paul Rosenzweig of the conservative Heritage Foundation wonder what would happen if the FBI uncovered serious economic espionage or drug dealing. Would those matters fall under national security? Or would they be passed over altogether? Progressive groups like EFF wonder what would happen if a company was discovered to be hiring illegal immigrants; could that be interpreted as a national security issue by a court?
Here’s where the CISPA bill sponsors are right. In cyber space, there is indeed an advanced persistent threat. Cyber security is going military. It is now a question of whether a law passes before foreign state-sponsored hackers shut down a natural gas pipeline in the dead of winter, or after.
Eugene Kaspersky, CEO of Kaspersky Lab in Moscow, one of the largest Internet and software security firms in the market, said the Internet has become so insecure that it is only a matter of time before cyber crime or cyber warfare takes down a company or an important piece of infrastructure in the United States. (Kaspersky Lab was one of the companies that helped uncover Stuxnet, a worm believed to have been created by U.S. and Israeli defense forces to sabotage uranium enrichment in Iran.)
“If we fail to patch these holes in the Internet from these threats, then the Internet as we know it is gone,” Kaspersky said at a Cancun conference I attended in February.
While it may sound alarmist, intrusions into corporate networks, personal computers, and government systems are occurring every day by the thousands. The FBI is already sharing information with the private sector and has prevented cyber attacks before they’ve occurred, said FBI Executive Assistant Director Shawn Henry at a cyber security conference in Baltimore on Oct. 20.
There are users for whom maintaining their privacy is worth the risk of intrusions into their computers or networks. But for certain critical uses of the Internet, where intrusions are entirely unacceptable because the risk of compromise is too great, something has to be done, Henry said. President Obama wants to sign a cyber security bill, but he doesn’t want to do so at the risk of harming consumer privacy rights. In that regard, groups like EFF may get a more palatable bill.
This reporting is supported by The Media Consortium.