Friday, May 25, 2012

So, What Is All This CISPA That You Have Been Hearing About?


By Charlotte Walden


On April 26, 2012, the U.S. House of Representatives passed an amendment, called the Cyber Intelligence Sharing and Protection Act or CISPA, to the National Security Act of 1947  (Tsukayama, 2012). If passed, CISPA will allow private corporations and the government to share certain types of information with one another  (Tsukayama, 2012). As of this blog, CISPA is now going through the Senate (Tsukayama, 2012).



If CISPA passes the Senate, and after undergoing a process to ensure both houses have passed identical legislation, President Obama has indicated that, at presentment, he will veto the amendment (Knox, 2012). However, Article One, Section Seven of the U.S. Constitution allows both houses to override the president’s veto by a 2/3rds majority vote. So, even with Obama's veto, there is still a possibility that CISPA could become law.

This should be disconcerting to librarians who value the free sharing of uncensored information.  If passed, CISPA could create a disincentive for people who want to share certain types of information over the Internet. For instance, as the reader will learn from these blogs, the information governed by CISPA is exempt from many public disclosure and privacy laws. This means that the public will not know whether or not the information they shared on the Internet has been shared with the federal government. In addition to lack of public disclosure and privacy, vague definitions also offer little guidance as to what kinds of information will trigger CISPA. Likewise, CISPA offers little to no legal remedy if the federal government or a private corporation uses certain types of information in a way that is not authorized by CISPA. Thus, if the public fears that:



1.     they will end up on a government watch list because they are unsure if their information will trigger CISPA,
2.     they will have no way of knowing if their information has ended up on such a watch list, and
3.     they will have little legal recourse for a wrong committed by the government or a private corporation, then
4.     the public will likely become more restrictive on the information they choose to share on the Internet.

If the public is more restrictive on what they choose to share on the Internet, CISPA will likely have a censoring effect on the information that is made available on the Internet.

By using direct language from CISPA as it now appears, this blog will show the reader how CISPA works. Additionally, this blog will show the reader why some groups protest CISPA while others praise it.

Due to the size of the information that has been gathered for this topic, this blog will consist of multiple parts. The first part will show how corporations, like Google or Facebook, could, on a voluntary basis, share your information with the federal government. The second part will inform the reader what kind of information will be governed under CISPA, as well as the limitations CISPA places on the use of that information. Finally, the last blog will show the reader how CISPA allows the federal government to share certain types of information with other federal agencies, as well as show the reader how CISPA offers little legal recourse.


All right, let’s get started and ask:

I. What Part of CISPA Allows Private Corporations and the Federal Government To Share Information?


Under section 1104 (a)(2)(A)(i-ii), CISPA states that only certified entities or persons with appropriate security clearance may share classified cyber threat intelligence.

Great. But do you know who or what a certified entity is? Do you know what cyber threat intelligence means? Thought so.  Let’s break it down.


1. Cyber Threat Intelligence

According to section 1104 (h)(5), cyber threat intelligence “means intelligence in the possession of an element in the intelligence community directly pertaining to:


               (i)        a vulnerability of a system or network of a government or private entity;
            
               (ii)     a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;

               (iii)    efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or

               (iv)    efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.”


2. Certified Entity


A visualization of the certified entity definition.

A certified entity, according to section 1104 (h)(2), means “a protected entity, self-protected entity, or cyber security provider” that:

              A.    gets security clearance from the Director of National Intelligence, AND
              B.    can demonstrate to the Director that they can protect classified cyber threat intelligence.





a.     Cybersecurity Provider


Section 1104 (h)(7) says a “cybersecurity provider means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.”
·      (. . . and as if that wasn’t enough) Cybersecurity purposes “means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from—
                      i.         a vulnerability to a system or network;
                     ii.         a threat to the integrity, confidentiality, or availability of a system or network or any information stored on, processed on, or transiting such a system or network;
                    iii.         efforts to deny access to or degrade, disrupt, or destroy a system or network; OR
                     iv.         efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network.”

                    
b.    Protected Entity

Section 1104 (h)(11) says a protected entity “means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.”

c.     Self-Protected Entity

Section 1104 (h)(12) says “a self-protected entity means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.”

All right, folks, with all those words, do you know who is authorized to share cyber security intelligence (i.e. who a certified entity is) under CISPA?

Need a hint?

Well, as some point out, the definition of a cybersecurity provider (which is also a certified entity) most likely includes corporations like Symantec, Norton Anti-Virus, and the like (Westervelt, 2012). However, as others point out, this definition could include so much more. “For example,” as one blogger wrote, “Google and Microsoft offer [some form of cyber security service with their] productivity apps for email, word processing, spreadsheets, and so forth.” (Samson, 2012). “[Additionally], [a]n ISP such as Verizon or AT&T protects your data as it travels in and out of your network” (Samson, 2012). Thus, by definition, Google, Verizon, Facebook, and others could be certified entities. Yet, a certified entity is also someone who contracts with a cybersecurity provider (a protected entity) or provides cybersecurity purposes to itself (a self-protected entity). Thus, some have argued that, contrary to the quote above, Google and Facebook would fall under the self-protected entity sub-definition (Sottek, 2012).

Regardless of which sub-definition they fall under, it is likely that companies such as Google and Facebook, as long as the Director of National Intelligence grants them the okay, would be considered certified entities under CISPA. As it just so happens, Facebook, which vehemently opposed SOPA and PIPA earlier this year, is one of CISPA’s big supporters (Kaplan, 2012). More on that later…

All right, so now that we have some idea about who these certified entities might be, one must ask who these entities are allowed to share cyber threat information with?

II. The Federal Government, Voluntarily


Section 1104 (b)(1)(A)(ii) of CISPA states that a cybersecurity provider (which is a certified entity, remember) has the discretion to share cyber threat information, with the consent of a protected entity, with the Federal Government for National Security purposes.

Additionally, section 1104(b)(1)(B)(ii) states that self-protected entities may also share cyber threat information with the Federal Government for cyber security purposes.

By the way, for those who noticed the change in terms, the only difference between cyber threat information and cyber threat intelligence is that the former refers directly to the information itself [section 1104(h)(4)], while the latter only refers to the possession of such information [section 1104 (h)(5)].  Otherwise, both definitions are basically word for word.

So, with the language that is going through the Senate right now, CISPA sets up a voluntary sharing of cyber threat information between the Federal Government and certified entities, which could include Facebook, Google, and many others. Since this is a voluntary sharing, CISPA notes that certified entities will not be liable for not participating in CISPA (see section 1104 (g)(5) of CISPA). Additionally, CISPA states that nothing in the bill will be construed as requiring certified entities to share cyber threat information with the government (see section 1104(c)(3)).


All right, that is all for today. Stay tuned for more blogs that will show how CISPA allows your information, if it is deemed to be a cybersecurity threat, to be shared amongst federal agencies. The next blogs will also discuss limitations, liability exemptions, legal recourse, and CISPA’s relation to other privacy laws. Later blogs will also reveal why some groups oppose CISPA, while other groups support it. Until next time, ta ta.

References

Kaplan, J. (2012, April 13). A message about CISPA. (Facebook post). Retrieved from http://www.facebook.com/notes/facebook-washington-dc/a-message-about-cispa/10150723305109455.

Knox, O. (2012, April 6). CISPA cybersecurity bill gets veto threat from Obama. ABC news. Retrieved from http://abcnews.go.com/Politics/OTUS/cispa-cybersecurity-bill-veto-threat-obama/story?id=16214940#.T8A4AL8087A

Samson, T. (2012, April 30). Why CISPA could kill the cloud. (web blog). InfoWorld. Retrieved from http://www.infoworld.com/t/cloud-computing/why-cispa-could-kill-the-cloud-192014

Sottek, T.C. (2012, April 27). The Cyber Intelligence Sharing and Protection Act Explained. Retrieved from http://www.theverge.com/2012/4/27/2976718/cyber-intelligence-sharing-and-protection-act-cispa-hr-3523 

Tsukayama, H. (2012, April 27). Cispa passes the House, privacy battle moves to the Senate. The Washington Post. Retrieved from http://www.washingtonpost.com/blogs/post-tech/post/cispa-passes-the-house-privacy-battle-moves-to-senate/2012/04/27/gIQA7cJBlT_blog.html

Westervelt, R. (2012, April 27). CISPA intelligence information sharing bill passes house, headed to senate. (web blog).  IT Knowledge Exchange. Retrieved from http://itknowledgeexchange.techtarget.com/security-bytes/cispa-intelligence-information-sharing-bill-passes-house-headed-to-senate/

Impacts of decreased budgets in libraries

By: Lindsay Fricke


According to one survey, “Most libraries have still not recovered from the massive cuts inflicted since the financial crisis of 2008, and when this depressed starting point meets with the rapid evaporation of state aid and the inexorable rise of expenses, then the numbers often translate to stressed staffs, fewer materials, and reduced service hours” (Kelley, 2012).


So what happens when the budgets are decreased?


Kelley spoke with a librarian who said, “The worst impact of the budget cuts has been on the overall employee morale of the organization. With continued decreased funding resulting in a reduction in available service hours, the number of staff continues to decline” (Kelley, 2012). In addition to this, each staff member is required to take on more responsibilities and work in order to accommodate the low staff number. As a result, libraries are not able to have enough funds to purchase new materials for their collections.




Who is affected by library budget cuts?

The first places that budget cuts are noticeable in are within the staff and the collections at a library. There are fewer workers staffed at the desks and most of the workers only work part-time. Libraries can reduce costs by not paying benefits and hiring nonprofessional staff, such as library assistants, to help in areas where professional librarians used to work. Additionally, the people who come to the library trying to obtain information are also going to be affected by the budget cuts. They come into the library expecting to be able to fully utilize the services offered. However, they will learn that they may only be able to get assistance through staff members because the materials and resources needed might not be available.


Reduced service hours


As a result of budget cuts, many libraries are reducing the amount of time that they are open. Kelley states, “The overall change in the number of weekly open hours per system was down another 2.2 hours over the last year, to an average of 49” (Kelley, 2012). Many libraries are finding that they cannot afford the costs of staying open from the early morning to the late evening.



How libraries have changed


Here is a look at the percentages of how many libraries are dealing with staffing changes:


What funds are libraries using?


According to Kelley, “State funding is generally not a primary source for public library budgets. Nevertheless, state funding pays for the statewide systems that allow for regional resource sharing, consulting, and professional development.” (Kelley, 2012) Personally, I use MeL for many of the materials that I need for school as well as for my personal use.

How budgets are divided amongst populations

In Kelley’s article, he states, “Budget struggles, whether at the federal, state, or local level, hit larger library systems the hardest” (Kelley, 2010).


Here is the breakdown of budgets according to the population that the library serves:
  •  10,000 to 24,999 reported an increase of 2.5%
  •  500,000 to 999,999 reported a 2.7% reduction
  •  1 million and higher reported a 1.8% reduction
Have you seen changes at your library where staff hours are being reduced? Has the library changed its hours as a result of not being able to afford costs of operating the library? Does your library use non-professionals because librarians take more of the budget due to salaries?

Have you seen any changes within the library that you work at or visit frequently that were discussed in this article? If so, what are some suggestions for libraries to help offset the reductions in budgets?
References:


Kelley, M. (2012, January 1) The new normal: library budgets trend downward, though 52 percent expect an increase. Lack of support at state level adds to strain. Library Journal, 137 (1), 37+. Retrieved from http://lj.libraryjournal.com/2012/01/funding/the-new-normal-annual-library-budgets-survey-2012/

Organization of Information & RDA

What is the goal and how is it to be achieved?

James Nauenburg



After visiting the link from my previous article we now know the goal of RDA practice, but let’s elucidate the facets of that goal:
1.      Convenience of the user – in describing and providing access librarians should allow “user need” to supersede professional preference.
2.      Common usage – the descriptions and access provided should meet the standards of those who are its most frequent users.
3.      Representation – Names and descriptions should be derived from the manner in which the cataloged entity describes itself.
4.      Accuracy – the cataloger should be faithful to the entity she is entering into the catalog.
5.      Sufficiency and necessity – only those data which are required to fulfill user tasks and uniquely identify an entity should be included.
6.      Significance – based on 5; the only data included should be bibliographically significant data.
7.      Economy – an Occam’s razor of sorts; if a number of ways of describing and providing access to an entity exist, then the simplest should be chosen.
8.      Consistency and standardization – descriptions and access should share the broadest possible means of interchangeability among the largest number of potential users.
9.      Integration – material types and controlled name forms for certain entities should be based on a common set of description rules. (We should all agree on a description of what plaster is before we begin cataloging plaster statues).
And now the means of achieving the goal as outlined in the FRBR (Functional Requirements for Bibliographic Records), through the use of attributes and their relationships.

In providing descriptions and access via RDA, a cataloger must identify and properly place attributes for 4 categories of possible entities, all previously described in my post last week. These categories are:
·  Attributes of manifestations and items
·  Attributes of works and expressions
·  Attributes of the authorship, whether a person, group or corporation
·  Attributes of a concept, object, event, or place
Next week we will begin to see how the dynamic of relationships between these categories and attributes provides a robust scheme for cataloging in the digital era.
-Jim Nauenburg

Wednesday, May 23, 2012

Libraries in the digital age

By Aaron Tomak



It’s of no little concern that the traditional view of the library and the contemporary world of information do not necessarily align. More and more people are questioning the validity of both the public and the academic library. In order to maintain their existence, many libraries have had to expand upon their usual services in order to maintain relevancy. The idea of a library as a book depository is no more. Now the library must actively engage its users by becoming educators, content creators, and providers of technological resources. Librarians must realize that the discovery of information will most likely take place independent of the library and expand their role from fact-finder to information guidance. They will need to accept the greater challenge that comes with this role.

In the current economic climate, cities and organizations are looking for ways to cut spending, and the library is a prime target. Luckily, the library holds a soft spot in the hearts of many educated and influential people. The Bill and Melinda Gates Foundation released a study of the benefits of internet access within the public library. The 2010 report states that “149 million Americans visited public libraries in the last year and nearly half of these visitors made use of library computers and wireless networks to access the Internet.” For the past century, libraries have been considered a mandatory public good for an educated and prosperous society. Now the library is in the difficult situation in which it must prove its continued value.

But the good news is that libraries are doing just that. According to the Public Library Funding and Technology Access Study 2010-2011, “virtually all public libraries (99.3 percent) provide public access to computers and the internet” and “87 percent of libraries provide formal or informal technology training”. With less funding and increasing demand libraries are rising to the occasion and continuing to provide excellent service to their communities.

Friday, May 18, 2012

Emerging Standards in LIS

An Introduction to RDA

James Nauenburg

The forthcoming standard for the organization of information in Library and Information Science is Resource Description and Access. The current AACR2 (Anglo-American Cataloging Rules) was first implemented in 1978, and although it has been updated through the years it cannot escape its own past and the limitations associated with that past. Plainly, the AACR2 was intended for use in a card catalog. These limitations have been acknowledged and smoothed since the 1997 Toronto conference on the future development of the AACR. But it was understood then and remains the case now, that a retooling of applications through fundamental changes in code is really necessary to fully exploit the opportunities for “resource description and access” in the digital age.

The Joint Steering Committee for Development of RDA, the driving force behind this initiative, is composed of members from Australia, Great Britain, Canada, and the United States. Located within this committee are groups charged with maintaining the evolving principles of digital demands and the methodology with which these demands will be met by RDA. A primary national contributor for the US is the American Library Association’s Committee on Cataloging: Description and Access. RDA is inclusively built on the policies laid out in Functional Requirements for Bibliographic Records, Functional Requirements for Authority Data and the IFLA Statement of International Cataloging Principles.

In short, what does this mean? These functional requirements take the shape of entities in relationship to one another in the methodology utilized for computer databases and provide a bibliographic framework for concepts pertaining to the organization of information. For instance, a principal will produce an artifact we can refer to as a thus far "uncategorized" bibliographic entity. This entity is distinct to this creator, and it is the realization of an expression in the form of a now categorize-able item (i.e. a book, or perhaps even a PDF). The functional requirements attached to a bibliographic record for this item should present clear relationships to other bibliographic record holders in order to facilitate accurate research and procurement of desired materials. There are authorial relationships, chronological relationships of material, relationships by subject, and so on.

The international statement providing the underlying principles of cataloging standards in RDA and future practice is provided at: http://www.ifla.org/
I’ll be back with more on RDA next week and in the weeks to come.

The Issue Really Isn’t About The Copyright, Is It?


By Charlotte Walden 

Librarians are said to be the guardians of unimpeded access to information (Rubin, 2008, p. 10). Yet, there are legal implications that sometimes present roadblocks to unimpeded access. This roadblock is based on the dichotomy of public (read: unimpeded access) versus private (read: impeded). More specifically, the dichotomy can be understood as “I don’t have to pay” vs. “I have to pay/seek permission.” Or, stated in legal terminology, the fair use doctrine (public) vs. copyright protection (private). The following case is based on this very dichotomy.

A few days ago, a Federal District Court in Georgia ruled largely in favor of unimpeded access to information (Diamond & Rankin, 2012b). The case stems from the actions of Georgia State University (GSU) professors who posted excerpts of copyrighted material online without paying for or asking for the publisher’s permission to do so. Three large publishers—Oxford University Press, Cambridge University Press, and SAGE Publications—filed numerous claims against this practice (out of 74 claims, only 5 prevailed) (Diamond & Rankin, 2012a). The man wants to get paid, so he cries infringement while the university, who wants to educate, is crying fair use.

And just what is fair use? Well, as an article from the Atlanta Journal-Constitution, entitled “Judge Rules Largely for Georgia State in Copyright Case,” states, “the ‘fair use doctrine’ allows someone to use published material without the consent of the copyrighted owner” (Diamond & Rankin, 2012a). Okay, so how does one determine what fair use is? According to 17 U.S.C. § 107 (1-4), the following four factors are listed to determine if a practice is fair use:

·      The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes
·      The nature of the copyrighted work
·      The amount and substantiality of the portion used in relation to the copyrighted work as a whole
·      The effect of the use upon the potential market for, or value of, the copyrighted work

Pretty murky guidelines, eh? Even the judge, Orinda Evans, who ruled in favor of unimpeded access agrees (Diamond & Rankin, 2012a). Yet, Judge Evans said “[a]llowing . . . access to unpaid, small excerpts of copyrighted works promotes the spread of knowledge because it reduces the cost of education” (Diamond & Rankin, 2012a). And so, with those words, librarians are relieved that the access to information is unimpeded by monetary roadblocks and is protected by the fair use doctrine–that is until the case is heard on appeal.


Yet, the issue really isn’t about copyright infringement, is it? What appears to be happening in the GSU case is an example of big publishers showing signs of struggle to stay afloat in the information dissemination department. In other words, the Internet has not only made access to information easier, it has also made information dissemination easier for the common people. And if dissemination of information is how big publishers make money, it is likely that they view the Internet, where anyone can become a publisher, as a threat to their viability. In the age of the Internet, it appears unlikely that the spread of academic knowledge will be diminished if a few publishers do not get paid, as the Atlanta Journal-Constitution contends would happen (Diamond & Rankin, 2012a). Can’t a graduate student who is working on a research project create a website and freely disseminate that information on the website for credit? Isn’t disseminating information through the Internet happening right now on this very blog? Aren’t the authors on this blog self-publishers? The following video provides a counter to the contention that humans need money to create information (Pink, 2010).


Of course some will argue that internet publishing does not necessarily make the old ways of publishing extinct.


Now take a moment and imagine a world without big publishers. Imagine that void being filled by the individual and the individual’s computer. Imagine individual web publishers being paid by the advertisements placed on their websites. That could happen, couldn’t it? In the eighties, Iron Maiden sang about Native Americans running to the hills to save their lives; today, big publishers are running to the courts.

True, some will argue the Internet’s information overload raises questions about credible sources, but could this be where the librarian steps in? Ever hear the words: “ask a librarian?”

So, does this mean that the GSU case is the beginning of the end for big publishers in the age of the Internet? Will the appeals court rule in favor of the publishers thereby ensuring their viability at the cost of unimpeded information access online? If the appellate court rules in favor of the publishers, will the fair use doctrine be refined to narrow chinks in regards to placing copyrighted information on the Internet? What does the GSU case mean for a librarian’s future? You tell me, librarians. You tell me.


References:

Diamond, L. & Rankin, B. (May 14, 2012a). Judge rules largely for Georgia State University in copyright case. The Atlanta journal-constitution. Retrieved from http://www.ajc.com/news/atlanta/judge-rules-largely-for-1437124.html

Diamond, L. & Rankin, B. (May 18, 2012b). Judge rules largely for GSU in copyright case. The Atlanta journal-constitution. Retrieved from http://thebarnewsflash.com/Story.nsp?story_id=172595138

Pink, D. (Producer 2010). Drive: The surprising truth that motivates us. RSAanimate. Video retrieved from http://www.youtube.com/watch?v=u6XAPnuFjJc.

Rubin, R. E. (2008). Stepping back and looking forward: Reflections on the foundations of libraries and librarianship. In Ken Haycock & Brooke E. Sheldon (Eds.), The portable MLIS: Insights from experts, (pp. 3-14). Westport, CT: Libraries Unlimited.