Cybersecurity and online privacy are two critical interests that seem destined never to get along. Sure, you want malicious hackers, spammers, and other Internet lowlifes brought to justice--but you also want to protect your online data.
A big part of cybercrime-fighting, however, demands gathering a haystack's worth of aggregated online data and scanning it for an elusive needle of suspicious activity. Your online data could be swept into one of these piles and scanned. What happens to it along the way is anyone's guess.
That's why you'll want to keep an eye on the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the U.S. House of Representatives last week and is now being considered by the Senate, where it's currently in committee. CISPA aims to loosen restrictions that currently govern the sharing of data among cybersecurity investigators. That may sound reasonable enough, but the controversy arises over how the data is handled--specifically, how it's shared, and how personally identifiable information (PII) is minimized.
In addition, the bill creates a high level of immunity from lawsuits for the government and private companies that share data. This isn't exactly comforting when they're sharing your data.
When, not if, your data is scanned and shared
The first step in understanding how cybersecurity works is to accept that your online data is already being scanned. Government, law enforcement, and private companies are all on the lookout for suspicious-looking Internet activity. Spammers, botnets, and malicious hacks into sites like Twitter fall into one broad category of cybercrime. Of even greater concern are attempts to attack "critical infrastructure" (such as power and water utilities, and communication networks), or civilians.
CISPA would let private companies share data with law enforcement officials and government agencies if the data qualifies as what the bill calls "cyber threat information" that could help solve a crime. That term's vagueness is a big part of the privacy problem, says Jeramie Scott, national security fellow at the Electronic Privacy Information Center. "It uses terms like 'vulnerability to a network' and 'threat to the integrity of a network' in its definition that are left to the private sector to interpret," Scott says.
Definitions covering data are vague enough to invite oversharing
CISPA's vagueness gives private companies a lot of wiggle room to overshare information. "Say a social networking site suffers a denial-of-service attack," Scott says. "The site could just offer the more relevant diagnostic details to the government, but it could also provide the personal information on all the profiles affected--including, for example, who you're connected with, and profile bio details--as long as the social network deemed the information part of the 'cyber threat information.'"