The impending cybersecurity power grab - it's not just for the U.S.
EFF and a number of civil society organizations have declared this to be ‘Stop Cyber Spying Week’ in protest of several controversial U.S. cybersecurity legislative proposals, including the bill currently before Congress and the Senate called CISPA, the Cyber Intelligence Sharing & Protection Act of 2011. While ‘Stop Cyber Spying Week’ is focused on U.S. initiatives, Canadians should be concerned as well as the adoption of a privacy-invasive U.S. cybersecurity strategy is likely to have serious implications for Canadian civil liberties. For this reason, OpenMedia.ca, CIPPIC and other Canadian groups have joined the protest. In general, Canadians would do well to remain vigilant.
Using the guise of ‘cybersecurity’, CISPA aims to mobilize Internet intermediaries to institute a sweeping, privacy-invasive, voluntary information-sharing regime with few safeguards. The U.S. cybersecurity strategy, embodied in CISPA and other legislative proposals, also seeks to empower Internet companies to deploy ill-defined ‘countermeasures’ in order to combat these threats. Use of these powers is purportedly limited to situations addressing ‘cybersecurity’ threats, yet this term is so loosely defined that it can encompass almost anything – even, potentially, to investigate potential breaches of intellectual property rights!
The cornerstone of the privacy-invasive CISPA component is the establishment of private-public partnerships for information sharing. This creates a two-tiered regime that, on the one hand, facilitates the collection of personal Internet data by private Internet companies as well as the sharing of that information with the government and, on the other, allows government agencies to share information with private companies.
To enable information flows from Internet companies to government agencies, CISPA will grant Internet companies immunity from civil or criminal liability for any monitoring or sharing of user activity—as long as it is done in ‘good faith.’ Specifically, CISPA authorizes companies to “use cybersecurity systems to identify and obtain cyber threat information.” Aggrieved users who sue Internet companies for wrongfully handing over their data to the government will have to meet the incredibly high bar of proving the decision comprised ‘willful misconduct.’
The U.S. cybersecurity strategy will also permit Internet companies to employ dubiously defined ‘countermeasures,’ provided they are justified with equally vague and undefined ‘defensive intent.’ Internet companies will be permitted to deploy ‘cybersecurity systems’ – products designed to ‘safeguard...a network from efforts to degrade, disrupt, or destroy’. While it is unclear exactly what this would permit an Internet company to do, it could allow blocking of specific websites or individuals or even a much broader range of filtering. Given the potentially all-encompassing and inclusive definition of ‘cybersecurity’, it would not be surprising if these ‘countermeasures’ were ultimately used to block online entities such as Wikileaks or sites accused of copyright infringement. The inclusion of ‘degrade’ in the definition of permissible ‘cybersecurity systems’ could even raise net neutrality concerns, as ISPs have, in the past, claimed ‘network degradation’ as justification for the throttling of downstream services such as peer-to-peer applications. Indeed, U.S. cybersecurity laws have a history of being employed by private Internet companies to stifle downstream competition.
In sum, the U.S. cybersecurity strategy envisions a voluntary cooperative regime where Internet companies are given broad-ranging immunities to surveil Internet users and downstream online services. This amounts to an erosion of personal privacy safeguards currently in place. Under this regime, an online company need only to assert a vague ‘cybersecurity objective’ and it will have carte blanche to bypass domestic laws and protections against privacy invasion.
This legislation is likely to have direct implications for Canadians. Canada and the United States have agreed to a joint ‘Beyond the Borders Initiative’ [pdf] aimed at establishing a ‘secure perimeter’ around the two countries. Somewhat ironically given the borderless nature of the Internet, the Initiative envisions a secure cyber perimeter in addition to the secure physical perimeter it seeks to put in place. While the cybersecurity segment of this Initiative remains vague, it includes a commitment to:
- Develop joint Canadian and U.S. programs, and analytic or communications products, aimed at enhancing the cross-border protection of critical infrastructure;
- Enhance the two countries’ ability to ‘respond jointly and effectively’ to cyber incidents, including joint engagement with private sector entities as well as ‘real-time information sharing’ between cybersecurity operation centres across both countries;
- Harmonize best practices and objectives on cybersecurity between Canada and the U.S., and actively advance these objectives in international Internet governance forums and bi-lateral interactions with third countries; and
- Take steps to generally “make cyberspace safer for all our citizens.”
While lacking in specifics, the emphasis on joint information flows, references to bi-national cooperation with private sector entities, and a commitment to jointly advance cybersecurity and best practices all hint at a consolidation of laws and practices. Moreover, reference to joint cybersecurity ‘products’ is reminiscent of the ‘cybersecurity systems’ invoked by CISPA.
If CISPA passes in the U.S., Canadians could expect great political pressure to adopt similar measures in Canada. As Canada’s Federal and Provincial Privacy Commissioners recently noted in a Joint Resolution, there is currently nothing in the Initiative to guarantee Canadian privacy standards are maintained in this harmonization effort. Suggestions that programs subject to the a ‘shared vision’ [see p. 15] between Canada and the United States on privacy emphasize this.
In fact, two current legislative proposals in Canada, if passed, will remove any legal barriers to the type of public-private information sharing that is at the heart of CISPA. First, there is Bill C-12, which will amend Canada’s federal privacy protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA legally restricts the conditions under which private organizations such as telecommunications companies can disclose personal information about their customers to third parties, such as the government. Bill C-12 will significantly expand the conditions under which companies can share information without having to seek customer consent. It will permit telecommunications companies to hand over customer information to any organization seeking it for the purpose of performing ‘policing services’, a term that is increasingly being applied to public-private cybersecurity partnerships.
More concerning is a provision included in Bill C-30, the Canadian Government’s latest attempt to update its capacity to surveil the online activities of its citizens. Among the numerous privacy-invasive elements found in Bill C-30 is a provision granting organizations – including telecommunications companies – immunity from “any criminal or civil liability” if they voluntarily decide to preserve customers’ information or share it with law enforcement. This is evocative of the civil and criminal immunity CISPA offers U.S. companies for handing over their users’ data to the United States Government. While the scope of monitoring permitted under C-30 may not go as far as that in CISPA, the C-30 immunities for voluntary sharing of customer information to the Government are arguably broader.
Canadians would do well to take note of developments on CISPA in the United States. While the immunities granted in Bill C-30 may not have been included specifically with a cybersecurity purpose in mind, Canada is now tied to United States cybersecurity strategies through commitments in the joint perimeter security Initiative. If the CISPA vision is adopted in the United States, Canadians can expect similar strategies to appear soon after. If Bill C-30 passes, many of the legal tools for this unaccountable sharing regime will already be in place, ready for exploitation.