Why CISPA could kill the cloud

CISPA doesn't just pose a threat to individual users' privacy -- any company using an Internet or cloud service could see its data passed along

Opponents of CISPA such as the ACLU have focused almost exclusively on the bill's potential impact on individual users' privacy, and understandably so. But a close read of CISPA's broad language reveals that Joe Internet's privacy isn't all that would be in jeopardy if the bill makes it through the Senate and past President Obama's veto pen. CISPA poses a threat to the privacy of entire organizations, from nonprofits and small business on up to the enterprise -- and even to the very future of cloud computing.

Drawing from the bill's exact language, CISPA would permit "certified entities" and "cyber security providers" to "voluntarily" share any customer data with other certified entities, so long as the data constitutes "cyber threat intelligence" for "cyber security purposes" -- as well as for the sake of "national security."

In a nutshell, the federal government and "certified entities" could freely pass around customer data in the name of security, without due process and without any fear of reprisal if their purported security fears turn out to be completely unwarranted. "Certified entities" can mean federal agencies, other public agencies, utilities, and private organizations. That's a potentially long, long list of whistleblowers.

"Cyber security providers" are prime candidates to play the role of data providers under CISPA. By the bill's definition, it means any private entity that provides goods or services intended to be used for cyber security purposes. That, too, is a remarkably vague term. Any kind of Internet- or cloud-service provider offers some form of cyber security service, beyond the standard antivirus, antispam, and firewall protection.

For example, Google and Microsoft offer hosted productivity apps for email, word processing, spreadsheets, and so forth -- and part of those service includes securing customer's documents and messages. An ISP such as Verizon or AT&T protects your data as it travels in and out of your network. A SaaS company such as Salesforce.com protects customer's business information. Similarly, providers of IaaS and PaaS offerings secure the data and application processes of their customers. The list goes on and on, from financial institutions to online retailers to social networking sites.

Importantly, CISPA doesn't just specify individuals when it talks about customers of cyber security providers. That means if a cyber security provider notices one of its customers is engaging in business practices that could constitute some kind of general security threat, that provider can pass that suspect data on to whomever. That data could include email messages, financial transactions, Web history, customer information. That list, like the list of potential data sharers, stretches on and on.

Proponents of the bill might point to the part that specifies an entity can't share its customer's data unless it constitutes a cyber threat or a threat to national security. Unfortunately, that is pretty darn subjective. Depending on one's political leanings, certain nonprofits -- such as  religious or political groups -- pose a "national security threat." Health care organizations that provide controversial services such as abortions or stem-cell treatment could be deemed a threat. Media companies -- whether the New York Times or Fox News or CNN -- might pose security threats in their critics' minds. Private companies with clients who are potentially involved in suspect activities -- say, a company that does business in countries that aren't U.S. allies -- could be construed as a security threat.

Yet again, the possibilities stretch on because the bill's language is vague. Participants have the luxury of picking and choosing what information to share, so long as they can frame it as a security threat. If it turns out the shared data doesn't represent a threat at all, the entity that volunteers it faces no consequences.

So how might the passage of CISPA affect the future of the cloud? Well, CISPA could deter any privacy-conscious organization from using cloud- and Internet-based services altogether. Why risk letting Microsoft or Google monitor and protect your business's email, or Amazon or Rackspace protect your data, or Salesforce.com protect your customer data, knowing that on any given day someone might pass your sensitive data to the feds and other entities -- some of whom might even be your competitors -- in the name of security?  Even if 95 percent of the admins exercise discretion, there's always a chance someone with a bad case of paranoia or an itchy trigger finger or some odd vendetta could decide your organization's data poses a security threat and should be passed along.

Is your organization willing to risk it?

This story, "Why CISPA could kill the cloud," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Join the discussion
Be the first to comment on this article. Our Commenting Policies