CISPA's Immunity Provision Might Unleash Corporate Hacking
The Cyber Intelligence Sharing and Protection Act (CISPA) passed the House last Thursday on a 288-127 vote. The bill now heads to the Senate, where it is expected to face stiff resistance. President Obama is on record as opposing CISPA, threatening to veto the bill if it doesn't address civil liberties concerns.
So, that's certainly something worth cheering about. On the tech side of things, Reddit co-founder Alexis Ohanian continues his campaign to kill CISPA. The masses, meanwhile, are too transfixed by the Boston Marathon spectacle to care much about internet privacy. Not to devalue that horrible tragedy, but Americans might also want to watch their government's debate on a bill that will have vast repercussions far into the future.
Under CISPA, corporations would be allowed to aggressively combat loosely-defined “cybersecurity threats.” Rep. Jim Langevin wisely attached an anti-hack-back amendment to CISPA limiting corporations to cybersecurity measures only on their own networks. Language found in the exemptions section, however, effectively nullifies this amendment. Companies would be able to act with immunity outside their networks. Translation: it's illegal to hack as an act of civil disobedience (see: Anonymous), but perfectly legal if you are a corporation.
Another implication is that neither companies nor the government would have to prove beyond a reasonable doubt who committed the cyber-crime before acting on a perceived threat. Immunity could lead to the internet's very own version of an endlessly escalating Lincoln County War.
I put the question to the Electronic Frontier Foundation's Mark Jaycox: could CISPA create a type of legalized, extra-judicial vigilantism?
“'Vigilantism' is a pretty specific term,” said Jaycox. “The amendment passed limits companies from acting beyond their own computer networks to gather threat information; however, it ignores another section of the bill that allows wide ranging acts in response to the perceived threat.”
Therein lies the rub. A perceived threat could be anything—whatever act a business finds threatening.
As Jaycox notes, CISPA's immunity section covers any “decision made” based on information a company learns, as long as the business acts in “good faith.” Rather innocuous language, to be sure, but troubling given the nebulous legal definition of good faith. Jaycox says the immunity and good faith language creates a significant loophole.
“A company could still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection,” Jaycox told me. “This section could have been fixed by limiting the broad legal immunity given to companies. But, it wasn't. So the amendment still leaves the door open to abuse. A user's only recourse is to prove a company didn't act in 'good faith,' which is notoriously hard.”
Read the rest over at VICE’s Motherboard.