TechStuff Looks at CISPA

May 30, 2012 · 36 min

Episode description

What is CISPA? Is it the same thing as SOPA and PIPA? Why are privacy advocacy groups alarmed by CISPA? Tune in as Chris and Jonathan delve into the world of internet legislation and the controversies surrounding these bills.

Transcript

Speaker 1

Brought to you by the reinvented two thousand twelve Camry. It's ready. Are you? Get in touch with technology with Tech Stuff from how stuff works dot com. Hello, everybody, welcome to Tech Stuff. My name is Chris Pollette, and I am an editor at how stuff works dot com. Sitting across from me as usual is senior writer Jonathan Strickland. Hey there. Oh my gosh, I know I've I've changed

things up. I got tired of pulling out quotes, and so I have decided spontaneously and without precedent, to drop it and uh and just just say Holly or whatever. You know. I wonder how many listeners we have from that early period when you used to do that all the time. Yeah, the hey there, and then I after Hey there. I think I went to various greetings from around the world, and then I started doing random quotes of I think it was for movies, and then music,

and then I went to novels. Yeah, you know, you've got to change things up every now and then. We've we've done more than four episodes now. So but let's let's talk about Let's talk about what our topic is going to be today, because it's it's a heavy topic and this was something that was requested by several of our listeners. Well, it's not much of a surprise that

people would be interested in hearing about it. It's been, uh, spending a lot of time in the news right around the time that we're recording this, which is very early. May I just technically we're recording this on Star Wars Day. May the fourth be with you, that's right. And uh, it is all about the Cyber Intelligence Sharing and Protection Act of eleven, also known as CISPA, and CISPA is one of those things that a lot of people have probably heard about. I mean, it's one of those you know,

like I've seen the acronym pop up on Twitter a lot. Yeah, which makes sense. I mean, it's you know, it's it does involve traffic on the Internet and uh, and so clearly anyone who uses the Internet is interested in this sort of thing, at least from a tangential perspective, even

if they don't know what all the deal is. Now there's a lot of confusion out there too, because I see a lot of people who assume that CISPA is just a reworded approach to doing SOPA or PIPA, which are the piracy acts that were proposed in Yeah, and those were acts against piracy, not for so I don't want to give the wrong impression, but yeah, but those those were all um about, uh, you know, finding ways to allow the government to to pursue people who pirated

intellectual property. Yeah, and we're talking about the United States government. Of course, we do have a lot of foreign won't foreign to us, foreign to US, their domestic to themselves. But yeah, we have are more domestic than others. That's true. That's true. Well, we we do have a lot of listeners from around the world, many many countries around the world.

So nonetheless, since the Internet is uh a worldwide entity and a lot of the content we're talking about is born in the United States, it would have an effect on traffic worldwide. And and SOPA and PIPA were both actually directed by the United States to to target sites that were outside the jurisdiction of the United States in order to find a way to combat piracy. Because as Chris just pointed out, you know, the Internet is a global entity. It does not belong to the United States.

It is not housed in the United States. It is truly all over the world. Which causes some issues when you're talking about legislation, because clearly one country cannot claim to be able to legislate over other countries in the

world that are our sovereign nations. So SOPA and PIPA were both approaches to try and head off piracy that was hosted in in UH in countries other than the United States, Like, how do you protect the interests of companies within the United States when the attacks themselves or the theft or however you want to frame it is occurring outside the border. Well, CISPA is not about that,

at least not on its surface. CISPA was truly it's it's the the actual purpose of it, according to the act itself is and I quote, to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities and for other purposes and for other purposes. I hate that phrase. That's

like the job description as a sign. Yes, that is the worst thing to see on a job description because you're you're like, I'm the senior vice president of finance at such and such, like go make me some coffee. What do you mean, Well, it's other duties and I just assigned them to you exactly. Yeah. Anyway, So although that rarely happens to senior executives, true from what I understand, could it happens to senior writers any a? So the uh, that's not that's not true. I'm making a joke. I

love you. How stuff words dot com and Discovery Communications and sparing company. Uh, the some restrictions apply. Your knowledge

may vary. The so, yeah, this this is really to protect The idea anyway, is that it would help protect the United States from cyber attacks by allowing the government to share information that's normally of classified or secret levels with other entities, which could include cyber security firms, so companies that are specifically formed around the idea of protecting data and making secure systems and detecting intrusions that kind of thing, as well as other companies so Internet service

providers could be an example, or even other types of private companies. It's also meant to allow these companies, these private entities that have no connection to the government other than the fact that they happen to be within the realm of the United States. UH, allows them to share information with the government. And the key word there's it allows because the fear among people who oppose this act

is that it would compel these companies to share information. So, in other words, one of the main concerns around this act, and it's it's a legitimate concern, is that the government might come up to say a company like Facebook and say, hey, Facebook, we suspect that there are eight or nine people that we have on this list who are involved in some

sort of terrorism group cyber terrorism. You know, they're playing a big hacking attack and they have, uh, they have accounts on Facebook, and we're able to access some of that information, but we really want all the information you

have on them. So could you please give us all the data you have on these people, including all the messages they send to each other, messages they send to other people that are not connected to the eight names on this list, uh, their their contact information, everything you have on them we want And then Facebook would say sure,

here you go. And that's the big fear is that this would allow the government to get access to private information that most of the time we would say the government has no business knowing um, and they would do it under the the umbrella of trying to protect national security from cyber threats. Now, if you actually read the the full proposed legislation, which I have, you see that you can kind of see where where the the representatives who introduced this. In the United States, we have the

House of Representatives and we have the Senate. These are two bodies that propose legislation, and once it passes through one body, it has to go to the other and pass through that one as well before it goes to the President of the United States, who can then either sign the the the bill into law, or veto it, or just let it sit there. That's really those are the three options. Really. Yeah, by the way, the President of United States currently has said he would veto CISPA

vetoes can be overridden. But that's you know, that's kind of beyond the scope of this discussion. Anyway, it's it's gone through the House of Representatives. It will next go to the Senate. It was passed, Yes, it was passed. Uh the vote, that's right, And it was not straight down party lines, but in general, more Republicans voted in favor of it and more Democrats voted against it. But but there was bipartisan support and bipartisan opposition. So it's

not it's not cut and clear. It's not like this is a Republican issue. Now, this is this is broader than that. Yeah. And as a matter of fact, you can you can see different lists of the organizations and companies that are for and against it and the same thing you'll see. Uh, you'll see there. Um, some of the companies that you might expect to be for it are against it and vice versa, and some of the other lobbying groups and grassroots support organizations that you know, try

to get people involved in the issues like this. Um, it's very interesting to see the people who are working together for or against the bill. Yeah. I mean, this is another example of how CISPA is different from SOPA and PIPA because SOPA and PIPA, there were quite a few major companies, technology companies that opposed that legislation, right the SOPA and PIPA like companies like Google and Facebook opposed those but in fact, sorry to interrupt ahead, some

of them were very outspoken. They they had the Internet blackout days where they would take their sites, uh you know, make the first page sort of uh uh, Well, this is what you would see if this legislation passes, and it would be a very drab you know, uh stark contrast to what you would see on the you know,

everyday site. Either the site would be taken down or there was like a censored bar over the logo and you could proceed from there into the site, but you know, would be shut down and when you first got there, just with an explanation. Yeah, yeah, so that it would inform people what was going on. Well, some of those companies are actually in support of CISPA, now, not Google. Google has yet to come out one way or the

other on the issue. A lot of them are are mute on the topic, right, But Facebook said that they supported or they the company representatives in Facebook spoke out in support of CISPA, and Microsoft did as well and then sort of backed off. But um, there are several companies that have spoken out in favor of it. And

uh again that that illustrates that there's a difference here. Now, there were points during the debate of CISPA while it was going through the House about adding in language or or modifying language that would also have it applied to intellectual property theft. Yeah, the Center for Democracy and Technology used to support the bill but dropped off after the

bill was modified and then that language subsequently was dropped again. UH. Problem pretty much at the last minute, so that it didn't it didn't expressly include intellectual property theft as one of the reasons for the bill itself. UH. And like I said, the bill really what what its purposes is to allow intelligence agencies like the FBI, the CIA, the NSA. UH. These are all intelligence agencies within the United States and law enforcement in the case of FBI.

But these are agencies that are all about collecting information and using that to try and protect the interests of the United States. And the issue is a lot of the information is very sensitive and the government is not allowed to share that information with with non government, non UH certified entities. Yeah, don't talk badly about this information. It will start to cry well at any rate. Like they are not allowed to actually share that information by law.

And this this legislation would allow them to then share information with parties that could actually affect whatever is going on. So, for example, if the CIA has has created some dossier about a domestic group of folks who are trying to get together and cause problems on the internet. Let's say that it's an anonymous group of people Let's say the CIA has gathered up this information to SEGA. The CIA may want to pass on this information about these anonymous

individuals two to private companies. They might be cyber security companies, they might be Internet service providers, and the purpose of sending the information might be to help head off an attack or to uh to just be on the alert for potential attacks, or maybe even to track down these people so that whatever intelligence agency is interested in them can actually go and say, hey, you know, we need to talk remember that thing or you were going to

do about that, We need to chat about this. So the you know, the idea of it being all about sharing information on the surface seems like it's a wise thing, and that the more people know about what's going on, the more likely they can head off disaster. Because that's one of the big issues about cybersecurity is that, you know,

the systems, the systems can only be so secure. What can help us is knowing more about what's going on so that we can anticipate things and uh either head them off or reduce the effectiveness of an attack upon any given system. The problem is that this is giving the government and these entities a little bit more freedom to share information than a lot of people are comfortable with UM and that there are things built into the

bill itself that make it pretty worrisome. For example, one of the amendments or or not an amendment, I'm sorry, one of the passages within this bill gives all the entities involved exemption from legal recourse if they cooperate with the federal government. So, in other words, let's say that your ISP sends the federal government a list of information about all the sites you visit, all the packets of data that you send through that Internet service provider.

They send that information to the government in its efforts to prosecute you for something. Well, you would not be able to turn around and sue the Internet service provider for violating your privacy because they would have exemption underneath this legislation. So in other words, it's like a get out of jail free card for any company that is part of this. That's that's you know, sharing information in this way as covered by this bill, which is scary.

It's probably also why a lot of companies are like, yeah, I'm behind this, because this means if the government comes to me and says I need this information and I give that information, I don't have to worry about a multimillion dollar lawsuit hitting hitting me, and then I'm gonna take a hit and my shareholders are going to be really upset because my company just had to spend all this money to settle out of court with this other

person because we sent their information to the government. This this passage would say, uh, yeah, you can sue us, but you have no grounds to stand on because the law says we can do this and you can't sue us. I wonder if there is a feeling among some of the companies that going along with this legislation would make the federal government more inclined to look favorably on them

and other business matters as well. I can't read their minds, of course, and I don't know that anybody has come out and said, well, you know, we really love the government because hey, guys, you're awesome. Within within the bill itself, there's language that that is meant to protect against that, but whether or not that holds any real authority remains to be seen. Like there's there's a passage in there that says that the the uh, the articles within CISPA

could not be used for regulatory purposes. So the government would not be able to regulate the Internet or Internet traffic using CISPA as its foundation. Also, no entity can use the information that they're sharing two uh to gain a competitive advantage over some other entity. So in other words, if you get you know, this information from the federal government, you could not somehow leverage that to give yourself a better business stance, because that's not what it's meant for. Now,

how that ends up being enforceable or detective? You got me? I mean, I just don't. I don't understand, especially when you're talk about classified information. This information remains classified, right, So if the government has this classified information and they have authorized a particular entity to have the information, that entity can't share the information with other other you know people, they if they're within that umbrella with the federal government.

There can be sharing between entities and the government, but you can't release it to the general public. So, you know, how would the government the government would have to acknowledge what the information is if a company were to try and use it to gain leverage in the competitive market space. Thus, the information that was private becomes public. This is problematic, right, How where where do you draw the line between, all right, this intelligence is all about national security, and we need

to make sure it's secret. We cannot acknowledge it, we cannot reveal it, and we need to make sure the market remains fair and that companies don't take advantage of this new avenue of information. Uh, you know, if they if they do take action, then you've got a compromise between those two silos. And and that's a problem. It's not a big problem as far as the average consumers concern.

The average consumers more concerned about the fact that, hey, this is kind of like wire tapping without a warrant. The government essentially can ask a company to give it information, and the company can give that information, no warrants, nothing, no no legal uh loopholes that you have to leap through. It's just request. Now, with that in mind, like I said, with the way the information is worded in the bill,

the company is not compelled to share information. So the federal government comes to Facebook and asks for that information about those eight individuals, Facebook can tell the government, we're not going to share that unless you have a warrant. And in that case, whichever intelligence agency it is that's in question would theoretically have to go through the whole process of securing a warrant, serving it to Facebook, and

then waiting to get the information. Uh now, how likely is it that companies are going that that support this are going to do that. That depends on each individual company. For some companies, it makes perfect sense for them to say no, because if they said yes, they risk alienating

their user base. I know that if I if I had an ISP and I found out that ISP was sharing information about users to the government without the use of a warrant, I would not want that ISP as my ISP. And it's not that I'm doing anything clandestine or illegal. It's just I don't like the idea of companies just freely handing over private information to the government without there being a legal reason to do so, you know, I

mean that just that just doesn't seem right. It's almost the same as imagine having a government official show up at your door one day, and that government officials job is to follow you around and watch everything you do and write a report every single day about everything you do, and it doesn't matter if you're doing something right or wrong. That's just what they do. Wait, you mean they don't do that to you? Well, you know, not that I'm guilty.

I feel guilty for putting you on that list. That was a great April Fools' joke, but it's had implications that went beyond what I had originally intended in five years. Yeah, well you know, um April Fools. Well yeah, I think the the I think the language in the bill is what gives people uh so much trouble is that it it's it started off broader, admittedly, but it's still broad enough where it gives a lot of power that um. You know, people feel that the government shouldn't have um.

But you know, that's that's the nature of a lot of these these bills that have gone through. I was one of the main criticisms of SOPA UM, so you know that that's what's given so much pause to a lot of these organizations that have come out against it. Well, there's also there's a specific phrase within the bill itself which says notwithstanding any other provision of law. So what that means is that CISPA overrides all other laws when it comes to sharing information. So any privacy law that

would protect your privacy is negated by CISPA. Exactly. So if even if you had a state law or there was some other law in the books that would protect your rights as a citizen to specific private information, CISPA overrides it and says doesn't count. As long as it falls under this category, it does not count. And there's nothing there's no burden of evidence on the part of any any entity, whether it's the government or the private company, to show that this is a justifiable approach for any

given case. It's not like there's a burden of proof that you must meet in order to count as this whole sharing of information to head off cyber crime. There's nothing there in the bill that says in order for this to apply, you must meet these criteria. So, in other words, you might as well just say privacy laws don't exist, because CISPA means that it's not. It's they

don't they don't apply. Well, Mozilla, UH, the organization that creates and maintains the Firefox web browser, made a statement against it that says, while we wholeheartedly support a more secure internet, CISPA has a broad and alarming reach that goes far beyond internet security. The bill infringes on our privacy, includes vague definitions of cybersecurity, and grants immunities to companies and government that are too broad around information misuse. Um.

And then you know, end quote. And then they go on to say that they hope the Senate takes a a careful consideration of the issues before promoting, before passing this legislation. And and we should also point out there are at least two other bills within the Senate itself

that that also are cybersecurity bills. And so that's a complicated matter in the Senate because it's you know, it's this bill would also address the same issues that other bills that are on in consideration are already you know, they're already there. So so it may be that the Senate just as you know, this doesn't even make sense because we have these other bills here that address the same problem but don't have the same issues. Or cybersecurity is sort of difficult to to capture anyway, um, far

more than than you know, physical security. There there are just so many loopholes and ways to get into electronic systems compared to a physical system. Yes, and uh, you know they're they're it's difficult to do. And I think that's one of the reasons that the legislation is so broad. Um. Also, it is much easier to um prosecute cybersecurity cases when you have the help of other agencies working together, which is what the idea is, is, you know, giving people

the authority to share information like that. Yeah, no, the yeah, the purpose for the challenge, Yeah, it's it's I completely understand the government's approach and and uh and when I say the government, I really should say that that. You know, we're talking about people like Representative Mike Rogers, who was the guy who wrote this the original. Yes, he's the

one who who wrote the original CISPA language. And um, I can totally understand where he's coming from because one of the if you ever have read any information about criminal procedures, about investigative procedures that that ended up being for cases that spanned either multiple jurisdictions or you had both federal and state enforcement agencies involved. One of the things that always struck me whenever I read those reports was how much easier things could have gone had these

different agencies shared their resources more freely. And in many cases, it's not that the agency is trying to hog all the credit, which is often how it's portrayed. Right. Often it's like the law enforcement official who wants to have the collar and he doesn't want anyone else taking credit for it. That's how popularly we perceive the TV shows and books novels as well. But but in reality that

the cases that handling information is very delicate. You know, the way you handle information is of paramount and importance than any kind of investigative effort, whether it's law enforcement or journalism whatever, right the way you into information is

as important as as anything else. And so whenever you get into a situation where you're talking about sharing information, you automatically have to worry about that because how strong is the link between the two entities, you know, how how secure is that is the other entity reliable if you share information with that entity, is it going to actually affect your investigation in a negative way? And these

are a lot of considerations you have to make. And so while it's easy in hindsight to say, ah, if only the FBI had talked to this one local police station, they would have caught this guy, you know, years before hand, very easy to say that in in hindsight, same sort of thing here is that you know, you're thinking, well, if only all these different groups, whether they are in federal government agencies or private companies, if only they could

actually talk to each other, then perhaps they could head off attacks from uh, say, hackers in China. You know, they might be able to You might have one agency that knows about it, but because of their policies, they don't share the information and so the attack goes on as planned and people are hurt by it. The idea here is that by sharing all this information we would be better off for it. The problem is that kind of ignores the impact it can make on the actual

US citizen. So while it's while it's laudable that that representatives are looking for ways to protect our cyber infrastructure, which is, as you pointed out, a very difficult thing to do. There's so many loopholes both technical and personal

in those systems that's hard to protect. It's laudable that they're trying to do this, but unfortunately the fact that it sort of throws out privacy rights for U.S. citizens means that it could potentially do far more harm than good, and it also could mean another step toward a very big brother kind of government, and I often

I mean I love that kind of science fiction. I mean, I love the dystopian science fiction, this so brave new world, that kind of stuff where you've got this uh this government agency that is really oppressive and intrusive in our lives. I honestly don't think we are anywhere close to that kind of level. But when you see stuff like this going through government and getting passed, you think maybe that's not entirely unrealistic, because these are sort of paving the

way to that sort of environment. And I think most of us would agree that that's not a desirable outcome. Like I don't want the thought police chasing me down all the time, you know, but I don't again, not to say that that's where we're we're definitely headed. But when you see this kind of stuff, you can say, all right, this it feels like it's a little just it's stepped just a little further away from the fiction side of of the bookstore, right like that. It's just

edging a little closer to nonfiction. It's not there yet, but if we aren't careful, then that could happen. So it is completely understandable why people are uh up in arms about this and um again, just as understandable as it is that this kind of legislation is being debated in the first place. It's not an easy issue to solve. I wish it were, because then we wouldn't you know, we would have had a podcast about video games. Well

it's about Star Wars. It is kind of funny though, because after the the reaction to public reaction to SOPA and PIPA, with so many people being aware of the bills, especially SOPA. Um um, it's it's kind of funny to see how CISPA has sort of snuck in under the radar so far if you fewer people are talking about it. I see more information on it in the the tech uh press than I do in uh you

know that the general media. Um. So it's it is kind of funny that it's being Um it's out there and people are interested in and curious about it, but it's far on on a far lesser scale now. Um, if you are interested in it, UM, I would recommend a an interesting site that you might go to, open

Congress dot org. Um. There there's a lot of information there, especially uh you know, on on all kinds of things, not just SIS but this is um, this is basically all kinds of legislation that's going through and uh, if you're a member of the site, you can vote yea or nay on it whether you're interested. Um. It's sort of a a straw poll, if you will, on how

people feel about it. Of course, it's it's completely unscientific and if you're uh, you know, somebody who lives in the United States, you can um use tools on the site to write for or against legislation UH to your representatives and senators, which is a pretty cool tool. UM. So I would totally recommend that site to anybody who's interested in it. But it also gives you an opportunity to read the uh the text of legislation CISPA and others,

UM and see where it is. Sure it is. We should also mention whenever you read this legislation for the layman, it can be a little dense. I was gonna say, try not to doze off, because uh, you know, we gotta remember our the United States is is governed by lawyers. I mean, this is this is about creating law. So it's written like a law. It's it's legal language doesn't

tend to be so dense that it's indecipherable. And also I shouldn't mention CISPA itself is one of the more succinct eleven pages eleven pages of document that I had the one I've got eighteen. So yeah, so of course I did not include the amendments that were added, and I had those, I had to read those separate. But I was disappointed that there weren't any pictures. Yeah, well, what after all the pictures of various kinds of pirates

in the SOPA and PIPA stuff. You know, some of them will let you connect some dots, and some of them you could color in the peg leg. Yeah, the buckled swashes were awesome. We're obviously being a little silly right now, but no, yeah, I think it's I think it's really good. And other nations also have similar tools, depending upon where you are and and the kind of

government your nation has. Uh So it's always good to take into account that sort of thing, to do some research, see see what impact you as a citizen can have. And in some cases it may be that you want to uh to contact a representative, a senator or whatever, and mentioned that you are in favor of something you know not everything has to be Oh, this is bad,

it's going to destroy the world. It's also good for you to show support for things that you think are really UM applicable and important and uh, I think taking an active role as a citizen is a really important thing to do. I've done it on on multiple occasions. I probably still don't do it as much

as I should, but um, I'm getting there. And beyond just you know, going to the polls and voting, it's that should not be the beginning and end of your role as a citizen, if possible, especially if these things are really important to you. So anyway that, do you have anything else you wanted to add about CISPA in particular and not in particular, but I I do think it's interesting that you know, this is not a black

and white situation. You know, I personally have sort of a gray view of of CISPA, where I see some merit in and I see some problems with it. So UM, I think it's especially important to become as informed. You know, don't don't take accounts that you read uh online or or you know, stories you hear in the news. Don't take those uh too hard, too much without doing some research yourself and and deciding for yourself how you feel about these issues. Um, at least that's my advice. Yeah, no,

I I agree entirely. So I'm going to go and have some kind of meal tyn to settle my nerves so that we can record our second podcast of our podcast recording marathon. Yeah. I'm surprised Jonathan that you, uh you, we didn't have the lad I told you. I told you. It's it's because it's because things are not always It's not evil empire versus the rebellion. May the fourth be

with you. Um, It's it's not that, it's it's one group of legislators who are trying to tackle a legitimately difficult problem and perhaps going about the wrong way, maybe in ways that you know, they just don't anticipate the kind of problems that would exist, whereas those of us who it could affect anticipate it a lot. So, I mean, it's I understand it's a complex issue, which is probably why don't get so angry. Um, But if you want, we can pick another topic and I'll get really ticked

off about it all. Right, then, how about how about the progression of obi Wan Kenobi as a character through the original trilogies and then the prequels of Star Wars. That really gets me mad. And our producer Tyler can let you know because I went on about a ten minute rant about it before we started recording. Alright, then I'm excited. Okay, so we'll we'll we'll chat about that offline,

because I mean, that's not really tech stuff. But you guys, if you have any requests for topics that we should cover, like why is Jonathan mad at Obi wan Kenobi, let us know. Send us a message in Facebook or on Twitter. Our handle there is tech Stuff h s W or you can fire off a quick email. Our address is tech Stuff at Discovery dot com and Chris and I will talk to you again really soon for more on

this and thousands of other topics. Visit how stuff works dot com. Brought to you by the reinvented two thousand and twelve Camry. It's ready. Are you?

Transcript source: Provided by creator in RSS feed