Skip Links

It's privacy versus cybersecurity as CISPA bill arrives in Senate

What's more important, your online privacy or law enforcement's endless thirst for data? Congress must decide.

By Melissa Riofrio, PC World
April 25, 2013 12:05 PM ET

PC World - Cybersecurity and online privacy are two critical interests that seem destined never to get along. Sure, you want malicious hackers, spammers, and other Internet lowlifes brought to justice--but you also want to protect your online data.

A big part of cybercrime-fighting, however, demands gathering a haystack's worth of aggregated online data and scanning it for an elusive needle of suspicious activity.A Your online data could be swept into one of these piles and scanned. What happens to it along the way is anyone's guess.

[ IN THE NEWS: Anonymous calls for Internet blackout to protest CISPA ]

That's why you'll want to keep an eye on the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the U.S. House of Representatives last week and is now being considered by the Senate, where it's currently in committee. CISPA aims to loosen restrictions that currently govern the sharing of data among cybersecurity investigators. That may sound reasonable enough, but the controversy arises over how the data is handled--specifically, how it's shared, and howA personally identifiable information (PII) is minimized.

In addition, the bill creates a high level of immunity from lawsuits for the government and private companies that share data. This isn't exactly comforting when they're sharing your data.

When, not if, your data is scanned and shared

The first step in understanding how cybersecurity works is to accept that your online data is already being scanned. Government, law enforcement, and private companies are all on the lookout for suspicious-looking Internet activity. Spammers, botnets, and malicious hacks into sites like Twitter fall into one broad category of cybercrime. Of even greater concern are attempts to attack "critical infrastructure" (such as power and water utilities, and communication networks), or civilians.

CISPA would let private companies share data with law enforcement officials and government agencies if the data qualifies as what the bill calls "cyber threat information" that could help solve a crime. That term's vagueness is a big part of the privacy problem, says Jeramie Scott, national security fellow at the Electronic Privacy Information Center. "It uses terms like 'vulnerability to a network' and 'threat to the integrity of a network' in its definition that are left to the private sector to interpret," Scott says.

Definitions covering data are vague enough to invite oversharing

CISPA's vagueness gives private companies a lot of wiggle room to overshare information. "Say a social networking site suffers a denial-of-service attack," Scott says. "The site could just offer the more relevant diagnostic details to the government, but it could also provide the personal information on all the profiles affected--including, for example, who you're connected with, and profile bio details--as long as the social network deemed the information part of the 'cyber threat information.'"

According to legislative counsel Michelle Richardson of the American Civil Liberties Union, every stupid spam you receive from Nigeria could make your data fair game for further investigation. "These are everyday occurrences that are cybersecurity events under the bill," says Richardson. Rainey Reitman, activism director at the Electronic Frontier Foundation, says that a service could share any data that it deemed "cyber threat information" and could do so "without legal process, so long as it was in 'good faith' and for a 'cybersecurity purpose.'", "

Originally published on www.pcworld.com. Click here to read the original story.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News