[Busec] Fwd: letter opposing cybersecurity legislation

Sharon Goldberg goldbe at cs.bu.edu
Wed Apr 18 21:47:45 EDT 2012


Dear Group,

Another day, another disturbing bill affecting privacy on the
Internet.  Details below.  Please take action if you think it's
appropriate.

Sharon

---------- Forwarded message ----------
From: Dan Auerbach <dan at eff.org>
Date: Tue, Apr 17, 2012 at 9:02 PM
Subject: letter opposing cybersecurity legislation: looking for signers
To: nanog at nanog.org


Dear NANOGers,

EFF is looking for sign-ons to a letter expressing concern about some
of the proposed "cybersecurity" legislation currently being debated in
the US Congress. This legislation has a number of alarming provisions,
including incentives for recording massive amounts of network traffic
and sharing it with federal agencies; nullification of existing
wiretapping and privacy laws; in some cases, new kinds of bureaucracy
for backbone and other ISPs who are designated as "critical
infrastructure", and provisions that establish intellectual property
enforcement as a "cybersecurity" objective.

We realize this is potentially a complicated topic in the NANOG
community, and we'd prefer not to start a giant OT flamewar, so: if
you agree with our concerns and would like to sign on to our letter,
let us know by private email by Thursday morning 9am Pacific US time.
If you think we have the wrong perspective, you can let us know
off-list, or write your own letters, or work with your various policy
departments on this.

Because there are many "cybersecurity" bills currently being debated
in the US House and Senate, the letter is generally framed in
opposition to bad aspects of the bills, though it calls out two
current proposals that are particularly bad and close to passing:
CISPA (H.R. 3523) in the House, and "Secure IT Act" (S. 2151) in the
Senate. The letter also is intended to be simple and focused on the
civil liberties issues that stem from the broadness of the bills. It
does not talk about technical problems with deploying IDS/IPS in the
private sector (for a discussion of this, see, e.g.
http://harvardnsj.org/wp-content/uploads/2012/01/Vol.-3_Bellovin_Bradner_Diffie_Landau_Rexford1.pdf)
or other legitimate technical concerns about effectiveness. We
certainly encourage people to raise these concerns separately. The
text of the letter is below in triple quotes:

"""

Dear Lawmakers,


We are writing you today as professionals, academics, and experts who
have researched, analyzed, and defended against security threats to the
Internet and its infrastructure. We have devoted our careers to building
security technologies, and to protecting networks, computers, and
critical infrastructure against attacks of many stripes.

We take security very seriously, but we fervently believe that strong
computer and network security does not require Internet users to
sacrifice their privacy and civil liberties. The opposite, in fact, is true.

The bills currently under consideration, including Rep. Rogers' Cyber
Intelligence Sharing and Protection Act of 2011 (H.R. 3523) and Sen.
McCain's SECURE IT Act (S. 2151), are drafted to allow entities who
participate in relaying or receiving Internet traffic to freely monitor
and redistribute those network communications. The bills nullify current
legal protections against wiretapping and similar civil liberties
violations for that kind of broad data sharing. By encouraging the
transfer of users' private communications to US Federal agencies, and
lacking any form of public accountability or transparency, these
"cybersecurity" bills falsely trade our civil liberties for the promise
of improved network security. As experts in the field, we reject this
false trade-off and urge you to oppose any cybersecurity initiative that
does not explicitly include appropriate methods to ensure the protection
of users' civil liberties.

In summary, we urge you to reject legislation that:

 * Uses vague language to describe network security attacks, threat
   indicators, and countermeasures, allowing for the possibility that
   innocuous online activities could be construed as "cybersecurity"
   threats.

 * Exempts "cybersecurity" activities from existing laws that protect
   individuals' privacy and devices, such as the Wiretap Act, the
   Stored Communications Act, and the Computer Fraud and Abuse Act.

 * Gives sweeping immunity from liability to companies even if they
   violate individuals' privacy without good reason.

 * Allows data originally collected through "cybersecurity" programs to
   be used to prosecute unrelated crimes.

 * Includes provisions suggesting a back door for intellectual property
   enforcement. Computer security is too important an issue to let it
   be hijacked for the sectional interests of unrelated industries.

We appreciate your interest in making our networks more secure, but
passing legislation that suffers from the problems above would be a
grave mistake for privacy and civil liberties, and will not be a step
forward in making us safer.

Sincerely,

<signers>

"""

For a more detailed discussion of some of the civil liberties
implications and other analyses, please see the following articles:

https://www.eff.org/deeplinks/2012/03/dangerously-vague-cybersecurity-legislation

https://www.eff.org/deeplinks/2012/03/rogers-cybersecurity-bill-broad-enough-use-against-wikileaks-and-pirate-bay

https://www.eff.org/deeplinks/2012/03/four-unanswered-questions-about-cybersecurity-bills

For discussions of CISPA in particular, see:

https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it

https://cyberspying.eff.org/


Sincerely,

Dan Auerbach
dan at eff.org
Staff Technologist
Electronic Frontier Foundation

Peter Eckersley
pde at eff.org
Technology Projects Director
Electronic Frontier Foundation



-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe
