In One of His First Major Legislative Acts, Paul Ryan Trying to Deputize Comcast to Narc You Out to the Feds

As the Hill reports, Speaker Paul Ryan is preparing to add a worsened version of the Cybersecurity Information Sharing Act to the omnibus budget bill, bypassing the jurisdictional interests of Homeland Security Chair Mike McCaul in order to push through the most privacy-invasive version of the bill.

But several people tracking the negotiations believe McCaul is under significant pressure from House Speaker Paul Ryan (R-Wis.) and other congressional leaders to not oppose the compromise text.

They said lawmakers are aiming to vote on the final cyber bill as part of an omnibus budget deal that is expected before the end of the year.

As I laid out in October, it appears CISA — even in the form that got voted out of the Senate — would serve as a domestic “upstream” spying authority, providing the government a way to spy domestically without a warrant.

CISA permits the telecoms to do, for cybersecurity purposes, the kinds of scans they currently do for foreign intelligence purposes, in ways that (unlike the upstream 702 usage we know about) would not be required to have a foreign nexus. CISA permits the people currently scanning the backbone to continue to do so, only now what they find can be turned over to and used by the government without consideration of whether the signature has a foreign tie or not. Unlike FISA, CISA permits the government to collect entirely domestic data.

We recently got an idea of how this might work. Comcast is basically hacking its own users to find out if they’re downloading copyrighted material.

[Comcast] has been accused of tapping into unencrypted browser sessions and displaying warnings that accuse the user of infringing copyrighted material — such as sharing movies or downloading from a file-sharing site.

That could put users at risk, says the developer who discovered it.

Jarred Sumner, a San Francisco, Calif.-based developer who published the alert banner’s code on his GitHub page, told ZDNet in an email that this could cause major privacy problems.

Sumner explained that Comcast injects the code into a user’s browser as they are browsing the web, performing a so-called “man-in-the-middle” attack. (Comcast has been known to alert users when they have surpassed their data caps.) This means Comcast intercepts the traffic between a user’s computer and their servers, instead of installing software on the user’s computer.

[snip]

“This probably means that Comcast is using [deep packet inspection] on subscriber’s internet and/or proxying subscriber internet when they want to send messages to subscribers,” he said. “That would let Comcast modify unencrypted traffic in both directions.”

In other words, Comcast is already doing the same kind of deep packet inspection of its users’ unencrypted activity as the telecoms use in upstream collection for the NSA. Under CISA, they’d be permitted — and Comcast sure seems willing — to do such searches for the Feds.
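The mechanism Sumner describes, a proxy rewriting unencrypted HTML on its way to the subscriber, leaves a trace a subscriber can check for: the page that arrives over plain HTTP contains active content the origin server never sent. The script below is an added example for this post; it is not code from the post, from ZDNet, or from Sumner's repository. It assumes a trusted reference copy of the same page is available (for instance the same URL fetched over HTTPS, or a snapshot published by the site operator), fingerprints every script, iframe and stylesheet link in both copies, and reports what exists only in the HTTP copy. Both HTML documents are constructed samples and "injected.invalid" is a placeholder host, not anything observed on a real network.

```python
"""Detecting in-transit content injection on a plain-HTTP page.

Added example (not code from the post, ZDNet, or Jarred Sumner's repository).
An on-path party that proxies unencrypted traffic can add its own <script> or
<iframe> to any HTML it relays. Given a trusted reference copy of the page
(an assumption: e.g. the same URL fetched over HTTPS), the two copies can be
diffed for active content that exists only in the HTTP copy. Both documents
below are constructed samples; "injected.invalid" is a placeholder host.
"""
import hashlib
from html.parser import HTMLParser


class _ActiveContentCollector(HTMLParser):
    """Collect a fingerprint of every script, iframe and stylesheet link."""

    def __init__(self):
        super().__init__()
        self.elements = []          # (tag, identifier) in document order
        self._in_inline_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.elements.append(("script", "src=" + attrs["src"]))
            else:
                # Inline script: fingerprint its body once the end tag arrives.
                self._in_inline_script = True
                self._script_buf = []
        elif tag == "iframe":
            self.elements.append(("iframe", "src=" + attrs.get("src", "")))
        elif tag == "link":
            self.elements.append(("link", "href=" + attrs.get("href", "")))

    def handle_data(self, data):
        if self._in_inline_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._script_buf).strip().encode("utf-8")
            digest = hashlib.sha256(body).hexdigest()[:16]
            self.elements.append(("script", "inline:sha256=" + digest))


def collect_active_content(html_text):
    """Return the (tag, identifier) fingerprints found in an HTML document."""
    parser = _ActiveContentCollector()
    parser.feed(html_text)
    parser.close()
    return parser.elements


def find_injected_elements(http_body, reference_body):
    """Active content present in the plain-HTTP copy but absent from the reference.

    Anything returned was added somewhere between the origin server and the
    client, or the reference copy is stale; either way it deserves a look.
    """
    reference = set(collect_active_content(reference_body))
    return [e for e in collect_active_content(http_body) if e not in reference]


# Constructed sample: what the site actually serves.
REFERENCE_PAGE = """<html><head><title>Example site</title>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
</head><body><p>Hello, subscriber.</p>
<script>console.log("site code");</script>
</body></html>"""

# Constructed sample: the same page after an on-path proxy appended a banner
# loader from a placeholder host and an inline script that alters the page.
INJECTED_SNIPPET = (
    '<script src="http://injected.invalid/notice.js"></script>\n'
    '<script>document.body.appendChild(document.createElement("div"));</script>\n'
)
HTTP_PAGE = REFERENCE_PAGE.replace("</body>", INJECTED_SNIPPET + "</body>")


if __name__ == "__main__":
    for tag, ident in find_injected_elements(HTTP_PAGE, REFERENCE_PAGE):
        print(f"injected <{tag}> {ident}")
```

The check only works for pages served without TLS, which is also the only case in which the described injection can happen at all: a page delivered over HTTPS cannot be rewritten by an intermediary without the browser raising a certificate error, so the comparison doubles as an argument for why the reference copy should come from the HTTPS version of the site.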

Some methods of downloading copyrighted content might already be considered a cyberthreat indicator that Comcast could report directly to the Federal government (and possibly, under this latest version, directly to the FBI). And there are reports that the new version will adopt an expanded list of crimes, to include the Computer Fraud and Abuse Act.

In other words, it’s really easy to see how under this version of CISA, the government would ask Comcast to hack you to find out if you’re doing one of the long list of things considered hacking — a CFAA violation — by the Feds.

How’s that for Paul Ryan’s idea of conservatism, putting the government right inside your Internet router as one of his first major legislative acts?

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

11 replies
  1. Rayne says:

    Ah. It’s this stuff, going back about two years. It’s the stupid MPAA’s attempt to stop piracy of copyrighted materials, via the Center for Copyright Information (see FAQs about this vague program).

    MPAA members wanted this program to sniff content on peer-to-peer networks. MPAA members are:
    20th Century Fox
    Paramount Pictures
    Sony Pictures Entertainment
    Universal Studios
    Walt Disney Studios
    Warner Bros. Entertainment

    EMI is also part of the consortium contributing to this CCI sniffing program.

    But where’s Comcast, you ask? Universal Studios is a Comcast company, which means Comcast is part of the MPAA.

    This is one of the key reasons why ISPs should NOT be content producers, and vice versa — they have a fundamental conflict of interest in serving digital pipe versus offering content. Truly effective net neutrality would have insisted that ISPs are carriers and must act independently of content providers.

    Given Sony Pictures’ MPAA membership, I wonder if buried somewhere in those emails allegedly hacked by North Korea there’s more about this sniffing program? Does make one wonder about the MPAA’s role in relation to U.S. foreign policy, given the White House response to Sony’s hacking.

    • arbusto says:

      Rayne, is there any way to block an ISP (Comcast in my case) from acting as our warden? I get all foggy when figuring out how to encrypt searches and viewing. If they’re upstream, does using Tor and HTTPS Everywhere even affect the ISP’s ability to snoop, along with all our other friendly government spies? Doddering minds need to know.

      • jerryy says:

        It comes down to how much time and effort (time being the critical component) you want to put into the project. They have, on the other hand, essentially infinite resources to use against you, should they choose to — but not infinite skill or wisdom.

        It is beyond the scope of this short reply, but there are some simple things you can do, such as change your DNS servers from your ISP’s default to any of the freely available DNS servers. This stops the ISP from automatically tracking your web travels. (The ISP has to go to extra effort to figure out where and what you visit.) You then have to trust the other DNS server folks.

        Use search engines that are encrypted AND do not send your requests back to their server by way of the “site address” you see in your URL field.

        Make certain you keep up with the security updates for all of your software. Trojan horses turn up in unexpected places.

    • haarmeyer says:

      Sony Pictures is a content provider, but not a carrier, so fears resulting from the mixing of the two should be ameliorated. Sony is forbidden from being a carrier because it’s a foreign company. But they do end up being a mix between content providers and consumer electronics devices. Your fears of Sony should probably not be that they would be involved in some nefarious league with government surveillance, but rather that they are wholesale believers in addictive technology.

      • Rayne says:

        Sony isn’t an ISP, but it does have an entertainment network called PSN. It may/may not be directly sniffing on PSN using CCI’s tech, but it paid for CCI’s tech as part of MPAA.

        Let me clarify this, since it apparently wasn’t clear to you: I mentioned Sony because, of all the MPAA members, only it has had its emails disclosed. In them may be content between MPAA members, including Universal (Comcast), about the CCI technology.

        The White House’s defense of Sony as a foreign-owned firm was odd, which I said at the time — but if the White House is really supporting MPAA members as a tool for tracking info/content deployed across networks, that’s an entirely different kettle of fish, and it’d be foolish not to take a deeper look at Sony as a proxy for the other MPAA members.

        • jerryy says:

          Especially considering that it was Sony that released the “Root Kit of All Evil,” as one group reported it.

          I wonder if the Tea Partiers will respond to Paul Ryan joining with Chris Dodd and Joe Biden in this legislation… The tea parties supposedly got rid of Speaker John Boehner because he kept working with the Democratic Party, against their wishes, and as Ms. Emptywheel has shown here, Speaker Ryan starts off his term by joining with the Hollywood branch of the Democratic Party.

          • Rayne says:

            I don’t think Hollywood is really aligned with a party per se. It picks the entity most favorable to its business practices (hello, fascists). What’s clear to me — having written here previously about Hollywood’s gross sexism and racism — is that Hollywood is NOT liberal. Having extremely few women and persons of color across its major studio management means Hollywood resembles US manufacturing management and Congress in its makeup, and Hollywood resembles these same entities in its practices.

  2. Giles Byles says:

    Your tech search returned 43 meanings.

    It was way too difficult to figure out what the acronym CCI stands for. Turns out it’s a control correlation identifier. (Somebody had to say it.)

    Try googling the following:
    define “control correlation identifier”
    & it’s not very helpful.

    One would think by its title that the following article would have the answer, but it too is confusing:
    https://www.itdojo.com/what-are-ccis-and-why-should-i-care-about-them/

    The quest for answers would continue but I got bored with it. Carry on.

Comments are closed.