
The Tech Industry Worries CISA Will Allow Other Companies to Damage Their Infrastructure

The Computer and Communications Industry Association — a trade organization that represents Internet, social media, and even some telecom companies — came out yesterday against the Cyber Intelligence Sharing Act, an information sharing bill that not only wouldn’t be very useful in protecting against hacking, but might have really dangerous unintended consequences, such as gutting regulatory authority over network security negligence (though the Chamber of Commerce, this bill’s biggest backer, may not consider it an unintended consequence).

Most coverage of this decision emphasizes CCIA’s concern about the bill’s danger to privacy.

CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.

But I’m far more interested in CCIA’s stated concern that the bill, in authorizing defensive measures, would permit actions that would damage the Internet’s infrastructure (to which a number of these companies contribute).

In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.

[snip]

But such a system … must not enable activities that might actively destabilize the infrastructure the bill aims to protect.

At least some of these companies that make up our Internet ecosystem think that some other companies, in aggressively pursuing perceived intruders to their systems, will do real damage to the Internet as a whole.

It seems like a worthy concern. And yet the Senate runs headlong towards passing this bill anyway.

Telecoms Versus the Toobz: The Source of the Legal Troubles

In this important piece on overbroad surveillance programs under Presidents Bush and Obama, the WaPo reveals that the program James Comey almost resigned over in 2004 involved sucking Internet metadata off telecom switches owned by the telecoms.

Telephone metadata was not the issue that sparked a rebellion at the Justice Department, first by Jack Goldsmith of the Office of Legal Counsel and then by Comey, who was acting attorney general because John D. Ashcroft was in intensive care with acute gallstone pancreatitis. It was Internet metadata.

At Bush’s direction, in orders prepared by David Addington, the counsel to Vice President Richard B. Cheney, the NSA had been siphoning e-mail metadata and technical records of Skype calls from data links owned by AT&T, Sprint and MCI, which later merged with Verizon.

For reasons unspecified in the report, Goldsmith and Comey became convinced that Bush had no lawful authority to do that.

This leads me to wonder whether legal leverage from the Internet providers — rather than any squeamishness about the law itself — caused the conflict.

Remember, in the fight over retroactive immunity in 2008, the industry group for the Internet providers — including Microsoft, Yahoo, and Google — argued against retroactive immunity.

The Computer & Communications Industry Association (CCIA) strongly opposes S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on February 12, 2008. CCIA believes that this bill should not provide retroactive immunity to corporations that may have participated in violations of federal law. CCIA represents an industry that is called upon for cooperation and assistance in law enforcement. To act with speed in times of crisis, our industry needs clear rules, not vague promises that the U.S. Government can be relied upon to paper over Constitutional transgressions after the fact.

Given the WaPo’s report, this amounts to a demand that Congress allow the Internet companies to hold the telecoms accountable for helping the government seize their data.

As well they should have been able to. To a degree, these companies compete, and in the name of helping the government, the telecoms were helping themselves to Internet suppliers’ crown jewels.

Microsoft and Google versus AT&T and Verizon. Now that would have been an amusing lawsuit to watch. And probably a lot bigger worry for the people who use all of them to spy on us peons than we peons actually are.

The Government’s Unclear Demands for Emails

Ryan Singel and Mary have pointed to Ken Wainstein’s confirmation of something we’ve been discussing for some time: the problem with FISA’s restrictions on foreign communication has to do with email.

But in response to a question at the meeting by David Kris, a former federal prosecutor and a FISA expert, Wainstein said FISA’s current strictures did not cover strictly foreign wire and radio communications, even if acquired in the United States. The real concern, he said, is primarily e-mail, because "essentially you don’t know where the recipient is going to be" and so you would not know in advance whether the communication is entirely outside the United States. [my emphasis]

Now that the Administration is finally telling us some truths about their program, I think it worthwhile to repeat and expand on an observation I made here about CCIA’s letter opposing telecom immunity. CCIA, after all, represents three big email companies: Microsoft (Hotmail), Google (Gmail), and Yahoo. And in their letter, these email companies directly tie immunity with confusing requests from the government.

To the Members of the U.S. House of Representatives:

The Computer & Communications Industry Association (CCIA) strongly opposes S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on February 12, 2008. CCIA believes that this bill should not provide retroactive immunity to corporations that may have participated in violations of federal law. CCIA represents an industry that is called upon for cooperation and assistance in law enforcement. To act with speed in times of crisis, our industry needs clear rules, not vague promises that the U.S. Government can be relied upon to paper over Constitutional transgressions after the fact.

CCIA dismisses with contempt the manufactured hysteria that industry will not aid the United States Government when the law is clear. As a representative of industry, I find that suggestion insulting. To imply that our industry would refuse assistance under established law is an affront to the civic integrity of businesses that have consistently cooperated unquestioningly with legal requests for information. This also conflates the separate questions of blanket retroactive immunity for violations of law, and prospective immunity, the latter of which we strongly support.
