The order requires a cumbersome series of reviews by the Attorney General, the Chief Privacy Officer, the Officer for Civil Rights and Civil Liberties, including annual revisions, and limits all new (internal to fedgov) provisions to all existing privacy regulations throughout every agency of the federal government.
But, sure: the 1-day-old EO has not "undergone any public technical rights-based or privacy reviews".
In particular, note that this applies to the category of industry known as critical infrastructure. Examples of this include electric utilities and water utilities.
It's not written to be a general "applies everywhere" memo. It might of course be construed as such at some point, but it's not, on the face of it, written as such.
Not only does it narrowly describe critical infrastructure (one of the few changes between the signed EO and the draft of it that was published last year is a careful definition of what "critical infrastructure" means), but it does not enable the government to do anything involuntary with those critical infrastructure entities.
In other words, if you run a nuclear power plant that is connected to the Internet via an unauthenticated gateway and the government somehow learns of that fact, this EO would not allow the government to take any actions, other than to (a) inform you that you are operating designated critical infrastructure and (b) offer to enroll you in a program to have the government unidirectionally share nonclassified attack information with you.
The idea that someone would read a ZDNet Violet Blue story and immediately create a petition to the White House about it is as good an illustration as any about why White House petitions are stupid. Can you get Obama to confess that he's a Muslim, while you're at it?
"CISPA is accurately described as a setup to wipe out decades of consumer privacy protections, giving the U.S. government unprecedented access to individuals' online data and communications."
Where by "accurate" we mean "conformant with Violet Blue's understanding of the bill", or, in layman's terms, "not at all accurate".
In particular, CISPA contains no provisions that would enable the US Government to request private information from private companies. The information that CISPA allows private companies to share is limited to network attack data.
Can anybody point out which privacy laws are supposedly being wiped out and which portions of CISPA supposedly do this? Because I have never seen these concerns expressed in concrete terms.
Informed people who believe that CISPA is a privacy threat are typically taking a narrow reading of the ECPA's information sharing provision (for instance, reading into it the idea that "information required to maintain one's network" would not include "detailed information about ongoing network attacks"). If you believe that ECPA prevents Facebook or AT&T from sharing information about attacks --- something backbone providers already do --- then CISPA creates a new authorization to share that information.
The idea that CISPA would be a vector for DHS and DOJ to get warrantless access to email and Facebook messages, though, is hyperbolic and more than a little silly, because DHS and DOJ already have a warrantless way to get most of that information --- court orders.
It's ˙totally˙ reasonable to be concerned about the ease with which the government can get access to information via court orders. But that's a concern that's orthogonal to CISPA; if anyone meant CISPA as an an additive to the mechanisms the government already uses to get email, the bill would be written differently.
It is as always worth mentioning that CISPA is an opt-in measure.
I mean no snark by this; I mean exactly what I say with this: if you get your information about new regulations from Violet Blue, I just don't know how to help you.
I flagged this, for what it's worth. I upvoted other stories on the cybersecurity EO (I did a clause-by-clause comparison of the just-signed EO with last year's published EO draft, so it'd've been nice to have some place to discuss it). I flagged some other bad ones. And which one makes it to the front page of HN? This one. Sigh.
Violet Blue is a sex writer who is probably most notorious for getting kicked out of Boing Boing. Under ZDNet's masthead she's probably best known for the series of posts she wrote about a "booth babe" at a conference (and her low-cut shirt) that turned out to be the lead developer of the product she was there to represent.
She has the same engagement with internet privacy that your average HN commenter does, with the added benefit of financial incentive for generating rageviews.
19 comments
[ 0.26 ms ] story [ 73.7 ms ] threadBut, sure: the 1-day-old EO has not "undergone any public technical rights-based or privacy reviews".
It's not written to be a general "applies everywhere" memo. It might of course be construed as such at some point, but it's not, on the face of it, written as such.
In other words, if you run a nuclear power plant that is connected to the Internet via an unauthenticated gateway and the government somehow learns of that fact, this EO would not allow the government to take any actions, other than to (a) inform you that you are operating designated critical infrastructure and (b) offer to enroll you in a program to have the government unidirectionally share nonclassified attack information with you.
In particular, CISPA contains no provisions that would enable the US Government to request private information from private companies. The information that CISPA allows private companies to share is limited to network attack data.
The idea that CISPA would be a vector for DHS and DOJ to get warrantless access to email and Facebook messages, though, is hyperbolic and more than a little silly, because DHS and DOJ already have a warrantless way to get most of that information --- court orders.
It's ˙totally˙ reasonable to be concerned about the ease with which the government can get access to information via court orders. But that's a concern that's orthogonal to CISPA; if anyone meant CISPA as an an additive to the mechanisms the government already uses to get email, the bill would be written differently.
It is as always worth mentioning that CISPA is an opt-in measure.
I flagged this, for what it's worth. I upvoted other stories on the cybersecurity EO (I did a clause-by-clause comparison of the just-signed EO with last year's published EO draft, so it'd've been nice to have some place to discuss it). I flagged some other bad ones. And which one makes it to the front page of HN? This one. Sigh.