Re: letter opposing cybersecurity legislation: looking for signers

2012-04-18 Thread Dan Auerbach
Thanks to everyone who has responded so far, and apologies for the
terrible formatting of the actual letter. Just a reminder to let me know
by tomorrow morning if you would be interested in signing -- if you've
replied to me already, no need to do so again, I will respond to you
tomorrow.

Also, if anyone has good leads about large mailing lists that might be a
good place to solicit professionals, academics, or security experts,
please let me know as soon as possible. And feel free to circulate this
request yourself to colleagues, and tell them to email me. We are aiming
to get the letter together by Thursday or Friday, but have yet to
determine the exact timeline for publication.

On 04/17/2012 06:02 PM, Dan Auerbach wrote:
letter opposing cybersecurity legislation: looking for signers

2012-04-17 Thread Dan Auerbach
Dear NANOGers,

EFF is looking for sign-ons to a letter expressing concern about some of the 
proposed cybersecurity legislation currently being debated in the US 
Congress. This legislation has a number of alarming provisions, including 
incentives for recording massive amounts of network traffic and sharing it with 
federal agencies; nullification of existing wiretapping and privacy laws; in 
some cases, new kinds of bureaucracy for backbone and other ISPs who are 
designated as critical infrastructure, and provisions that establish 
intellectual property enforcement as a cybersecurity objective.

We realize this is potentially a complicated topic in the NANOG community, and 
we'd prefer not to start a giant OT flamewar, so: if you agree with our 
concerns and would like to sign on to our letter, let us know by private email 
by Thursday morning 9am Pacific US time. If you think we have the wrong 
perspective, you can let us know off-list, or write your own letters, or work 
with your various policy departments on this.

Because there are many cybersecurity bills currently being debated in the US 
House and Senate, the letter is generally framed in opposition to bad aspects 
of the bills, though it calls out two current proposals that are particularly 
bad and close to passing: CISPA (H.R. 3523) in the House, and Secure IT Act 
(S. 2151) in the Senate. The letter also is intended to be simple and focused 
on the civil liberties issues that stem from the broadness of the bills. It 
does not talk about technical problems with deploying IDS/IPS in the private 
sector (for a discussion of this, see, e.g. 
http://harvardnsj.org/wp-content/uploads/2012/01/Vol.-3_Bellovin_Bradner_Diffie_Landau_Rexford1.pdf)
 or other legitimate technical concerns about effectiveness. We certainly 
encourage people to raise these concerns separately. The text of the letter is 
below in triple quotes:



Dear Lawmakers,


We are writing you today as professionals, academics, and experts who
have researched, analyzed, and defended against security threats to the
Internet and its infrastructure. We have devoted our careers to building
security technologies, and to protecting networks, computers, and
critical infrastructure against attacks of many stripes.

We take security very seriously, but we fervently believe that strong
computer and network security does not require Internet users to
sacrifice their privacy and civil liberties. The opposite, in fact, is true.

The bills currently under consideration, including Rep. Rogers' Cyber
Intelligence Sharing and Protection Act of 2011 (H.R. 3523) and Sen.
McCain's SECURE IT Act (S. 2151), are drafted to allow entities who
participate in relaying or receiving Internet traffic to freely monitor
and redistribute those network communications. The bills nullify current
legal protections against wiretapping and similar civil liberties
violations for that kind of broad data sharing. By encouraging the
transfer of users' private communications to US Federal agencies, and
lacking any form of public accountability or transparency, these
cybersecurity bills falsely trade our civil liberties for the promise
of improved network security. As experts in the field, we reject this
false trade-off and urge you to oppose any cybersecurity initiative that
does not explicitly include appropriate methods to ensure the protection
of users' civil liberties.

In summary, we urge you to reject legislation that:

  * Uses vague language to describe network security attacks, threat
    indicators, and countermeasures, allowing for the possibility that
    innocuous online activities could be construed as cybersecurity
    threats.

  * Exempts cybersecurity activities from existing laws that protect
    individuals' privacy and devices, such as the Wiretap Act, the
    Stored Communications Act, and the Computer Fraud and Abuse Act.

  * Gives sweeping immunity from liability to companies even if they
    violate individuals' privacy without good reason.

  * Allows data originally collected through cybersecurity programs to
    be used to prosecute unrelated crimes.

  * Includes provisions suggesting a back door for intellectual property
    enforcement. Computer security is too important an issue to let it
    be hijacked for the sectional interests of unrelated industries.

We appreciate your interest in making our networks more secure, but
passing legislation that suffers from the problems above would be a
grave mistake for privacy and civil liberties, and will not be a step
forward in making us safer.

Sincerely,

signers



For a more detailed discussion of some of the civil liberties implications and 
other analyses, please see the following articles:

https://www.eff.org/deeplinks/2012/03/dangerously-vague-cybersecurity-legislation

https://www.eff.org/deeplinks/2012/03/rogers-cybersecurity-bill-broad-enough-use-against-wikileaks-and-pirate-bay