Dana Liebelson is a reporter in Mother Jones' Washington bureau. She contributes regularly to The Week. Previously, she worked for the Project On Government Oversight (POGO), covering defense and open government issues. Her work has also appeared on TIME's Battleland, Truthout, OtherWords and Yahoo! News. In her free time, she plays electric violin in an Indie rock band.
When the US government tried to regulate the internet in 2011, through the Stop Online Piracy Act and a corresponding Senate bill, Silicon Valley tech giants and civil libertarians went ballistic. The two groups, often at odds, banded together to fight the controversial bills, which would have given the government enormous power to regulate web content and censor sites that appeared to be violating copyright laws. The protesters organized internet blackouts, and squashed the measures before you could type "Free streaming Walking Dead." But now some of the companies that fought SOPA, including Google, Yahoo, Facebook, Amazon, and eBay, are joining with initial SOPA supporters and the Obama administration to thwart the European Union's attempt to protect the personal information of European citizens—and American privacy advocates are back to fighting the tech behemoths.
In January 2012, the European Union proposed overhauling existing privacy laws in its member states. If passed by the European Parliament, the proposal will turn the EU's privacy recommendations into a legal requirement. This is some of the most powerful legislative action the EU can take, because it overrides all the national laws of members. Unlike SOPA, the laws aren't targeting copyright violations; instead, they would require that companies across Europe do more to protect consumers' privacy. That includes potentially giving hundreds of millions of European citizens the ability to opt out of online web tracking—which is exactly the kind of information companies like Facebook use to target advertising and attract revenues.
In the United States, corporations dominate tech policy and privacy is a consumer issue, but the EU considers privacy a civil and human right, explains Jeffrey Chester, executive director for the Center for Digital Democracy. The new EU laws would affect users outside of Europe (including US websites accessed by Europeans), so it's not surprising that US-based companies are swarming Brussels, where the European Parliament is attempting to finalize the proposals by April (see map).
Peter Fleischer, Google's Global Privacy Counsel, argues that the EU is stifling innovation. "I had always thought it was sensible to apply Europe's privacy laws worldwide, in the interests of maintaining one, consistent worldwide standard," he writes on his personal blog. "I'm changing my mind now…Despite all its good intentions, Europe is giving the world hopelessly vague privacy laws." (Google has seven lobbyists in Brussels and spent at least $780,000 there in 2011, and the EU announced this week it plans to take action against Google for violating Europe's existing privacy laws.)
Marc Rotenberg, president and executive director of the Electronic Privacy Information Center, says large internet firms are opposing the privacy bills because they simply don't want to be regulated: "In the US they oppose copyright rules, but the way that plays out in Europe is that these companies are opposing privacy." The Center for Digital Democracy's Chester says his group supports the European proposals because they give individuals, not corporations, the ability to decide how their personal data can be collected and used. "But to [these companies] it threatens to kill off the digital golden goose they have fattened so well, because they have to ask permission and explain what they do," he says. Both groups, along with 15 US NGOs, sent a letter to the Obama administration and US ambassadors earlier this month encouraging Washington to butt out of the EU decision making.
Companies that initially supported SOPA—such as Dell, Intel, and Microsoft—have lobbyists in Brussels, along with companies that vehemently opposed SOPA, including Google, Facebook, Yahoo, and eBay, according to the EU's Transparency Register. The American Chamber of Commerce to the European Union, which speaks for American business in Europe, also has nine lobbyists there. "These are businesses who most certainly do not want to strengthen consumer privacy," Joe McNamee, the EU advocacy coordinator at European Digital Rights, a coalition of European privacy groups, tells Mother Jones. "Of course, some are seeking minor changes, while some are seeking destruction of the whole legal framework. It is not the case that every company lobbying on the proposal are demanding the same thing."
Tech companies—including Google—are particularly concerned about the "Right to Be Forgotten" provision, which gives users (like say, party-happy college students) the right to erase their digital footprint. Google's Fleischer writes that this would force search engines like Google to remove information and is tantamount to censorship, "more pernicious than book burning." Privacy experts agree that this part of the proposal should be carefully considered for First Amendment issues, but Chester points out that "the industry is using this issue as a political smokescreen to help kill off the [whole] law."
According to a document put online by LobbyPlag, an open source website which aims to track the influence of European lobbying on the privacy proposals, Facebook has submitted comments that oppose giving users the ability to opt out of targeted advertising, claiming that it "impairs companies' ability to innovate and negatively impacts the users experience." A Yahoo document obtained by the Center for Digital Democracy shows that Yahoo is asking for amendments so that users don't have to give "explicit consent" for web companies to take their personal data, because Yahoo maintains that all the data-tracking is anonymous.
Will all this lobbying make a difference? A lobbying firm representing the National Business Coalition on E-Commerce and Privacy has found that the privacy proposal has not been weakened by the efforts, according to Politico. But LobbyPlag maintains that parts of the privacy bill are being amended to match the lobbyists' suggestions word-for-word. "It's too soon to say, but there's a very real possibility they will have a very great effect," says Jay Stanley, senior policy analyst at the American Civil Liberties Union.
The Obama administration has entered the fray on the same side as the tech biggies. The US Commerce Department is opposing the proposals because it "is concerned that sweeping new privacy controls could hurt the United States tech industry in Europe," according to the New York Times. Chester notes that even though Obama issued a progressive Privacy Bill of Rights last year, the administration is "relying too much on [voluntary] self-regulation" and bending to desires of the tech industry.
European privacy advocates, like their stateside comrades, want the United States to stop meddling in this matter: "The US government would never accept lobbying by the EU, if it was seeking to undermine the rights of US citizens," McNamee says. "It is totally inappropriate."
It looks like Charles Darwin can stop turning over in his grave, or at least, slow his roll: Three bills that take aim at widely accepted scientific theories like evolution and climate change died this week, in Indiana, the Oklahoma state Senate, and Arizona, following the earlier demise of similar legislation in Montana and Colorado, the National Center for Science Education reports. But two other anti-evolution bills—one in Missouri and another in Oklahoma's House of Representatives—are still kicking, and they have more explicit pro-creationist language than the bills that have already been scrapped.
As Mother Jones reported last week, the House bill in Oklahoma, introduced by Republican state representative Gus Blackwell in February, forbids teachers from penalizing kids for writing papers attempting to debunk the theory of evolution or global warming. That bill squeaked through the Oklahoma Common Education committee on February 19, and is still alive. So is a House bill in Missouri, introduced by Republican state representative Rick Brattin in January, that would require that teachers and textbooks devote equal space to the teaching of intelligent design, "destiny" and any other theories of origin. Brattin's bill has been referred to the Missouri Elementary and Secondary Education committee, but a hearing still hasn't been scheduled. Even the Discovery Institute, which supports intelligent design research, is opposing the Missouri bill, saying it goes too far in pushing intelligent design in schools.
In contrast, the dead bills in Indiana and Oklahoma don't even mention evolution. Instead the Indiana bill merely says "some subjects, including, but not limited to, science, history, and health, have produced differing conclusions," and both the Indiana and Oklahoma bills say teachers should be allowed to teach the "strengths and weaknesses" of different theories. This is similar to language used in the now-dead Arizona bill—except that Arizona actually names those controversial theories: "biological evolution, the chemical origins of life, global warming and human cloning." Kathy Trundle, president of the Association for Science Teacher Education, tells Mother Jones that "these types of legislation represent a thinly veiled attack on biological evolution.... Theories are not speculation."
In Indiana, a spokesman for Rep. Robert Behning, House Education Committee chairman, told The Indiana Star on February 3 that the bill wasn't going to get a hearing "due to the volume of bills and limited time." But that doesn't mean that the bill's sponsor is giving up. "It might be one of those things that I may file for several years," Republican state Representative Jeff Thompson told the paper. "My thought process hasn't changed."
Trundle says this kind of thinking is exactly the problem: "Legislation that conflates science, religion and politics is confusing and works against efforts to achieve scientific literacy."
On Monday, an American cybersecurity firm called Mandiant released a report accusing the Chinese government of systematically hacking into American computer networks and targeting state secrets, weapons programs, businesses, and even the nation's gas pipelines. The New York Times vetted the story and concluded that a growing body of evidence "leaves little doubt" that these attacks are originating from a secret Chinese army base. Adam Segal, senior fellow for China studies at the Council on Foreign Relations (an organization that, in the past, has also been targeted by hackers that appeared to be China-based), tells Mother Jones that this "raises the pressure on the increasing drum beat on the US to do something."
So just how freaked out do you need to be? Here's everything you need to know:
How do cyberattacks and cyberwarfare work? A cyberattack is what happens when a hacker penetrates computers or networks for the purpose of maliciously exploiting systems and information. This can lead to identity theft, viruses, theft of intellectual property, or full-on system infiltration (i.e., the hacker can watch your every move). Cyberwarfare is what happens when countries are the ones employing those hackers, often with the goal of stealing state secrets and/or causing damage.
The scheme that Chinese hackers employ to gain footholds on victims' computers is known in computer-speak as spear phishing, according to Mandiant, and it's a scam that's been around for years. The sabotage begins when a victim receives an innocuous work-related email about a meeting or a project from what appears to be a colleague's email address. If the target takes the bait, he or she will click on a hyperlink or download an attachment from the message. In some cases, suspicious recipients have responded to phishing emails with questions about the file's authenticity. The Chinese hackers have responded: "It's legit." When the target downloads the files, they'll be unwittingly installing remote-access software (sometimes referred to as a "backdoor") that allows the hacker to assume control of the victim's computer.
With a few lines of code, the hacker can install other backdoors and programs, upload and download files, capture screenshots of the user’s desktop, record keystrokes and passwords, and shut down the system. The sleuthing can last months or even years, and confidential and top-secret files can be easily transported from the network into the hacker's hands. Here's a video showing an attack in progress:
So what is this mysterious Unit 61398? Unit 61398 (or "61398部队" for the Mandarin speakers among you) is believed to be a top-secret unit of the Chinese government that "engages in harmful 'Computer Network Operations,'" according to the Mandiant report. It's located in a 12-story facility in Shanghai, and could have up to thousands of employees, most of whom are required to speak English, demonstrate computer security skills, and exhibit "team spirit." Richard Bejtlich, the chief security officer at Mandiant, tells Mother Jones that the unit built new headquarters in 2007. Mandiant claims to have known about the unit for seven years, but it's unclear exactly how long it has been around. D.B. Grady, a national security journalist and author, makes the case that "concerns over Unit 61398—a perfectly unnerving name—are no more worrisome than Chinese spies recruiting American agents to steal folders from locked filing cabinets." He adds, "If the US government were really alarmed, we would be threatening to go to war. Instead, we're threatening to give a lot of money to government contractors."
Nevertheless, here are some infographics showing just how effective Unit 61398 is at getting on your computer, and staying there:
Who is the Chinese government hacking? The short answer: Your business, your water supply, your defense, your newspapers, and probably more. The longer answer: Since 2006, China's espionage division has stolen data from at least 115 American businesses—and that's only the hacking that Mandiant directly observed. The company believes that number represents only a small fraction of China's overall hacking activity. Not surprisingly, Chinese spies were most interested in hacking national-security-related industries such as aerospace, energy, scientific research and information technology. Here's a chart showing the most-targeted industries (it only includes attacks Mandiant witnessed, and includes some that occurred outside the United States):
But even if you work for an alfalfa farm in Wyoming, hacking could still affect you: According to the New York Times, the hackers are interested in US critical infrastructure—electric grids, oil pipelines and water systems—and are attempting to unlock US military secrets by targeting defense contractors and weapons programs (more on that later). Chinese hackers are also taking on media giants that produce journalism critical of China: the Times' computers were compromised recently after a high-profile investigation revealed that members of Chinese Prime Minister Wen Jiabao’s family had accumulated massive wealth from state contracts, and the Washington Post, Bloomberg News and the Wall Street Journal have also all been targeted. (Mother Jones liability note: China is great! 我们爱中国!)
Why is China hacking the United States? Segal, the Council on Foreign Relations expert, explains:
The Chinese want to move up the value chain. They want to move from "made in" to "innovated in China." So part of it is stealing industrial secrets and helping Chinese companies. There's [also] political and military espionage—having a better sense of what the US government and US opinion leaders and other people think about China and try to influence that, and wanting to steal US military secrets. It's also a kind of deterrent. [It] sends a message to the US that the US homeland is vulnerable and if there was going to be a regional conflict that escalated, the US should know that the Chinese have a way of reaching out and touching us.
Another explanation? Chinese hackers just really wanted to access their social-media accounts, many of which are blocked on the mainland. Mandiant was able to trace some of the hackers' identities because the "easiest way for them to log into Facebook and Twitter [was] directly from their attack infrastructure." And as our colleague Josh Harkinson noted, at least one hacker appears to be "a fan of American and British pop culture"—he used Harry Potter references for his passwords.
So…just how screwed are we? Both private US companies and government infrastructure are pretty bad at stopping hackers from beating down the door. Most private companies "aren't in a position to defend themselves, and if you devote any length of time to break into one of these guys, you're going to find a way in," says Mandiant's Bejtlich.
When it comes to government, the forecast isn't much better: President Obama says that the "cyberthreat is one of the most serious economic and national security challenges we face as a nation." Between 2007 and 2009, the head of the Pentagon's Cyber Crime Center confirmed 102 instances in which hackers had infiltrated the networks of government agencies, military contractors, or other entities connected to the Department of Defense, according to a 2010 Forbes report. In 2007, the 10 largest defense contractors, including Lockheed Martin, Northrop Grumman, Raytheon, and Boeing, all suffered security breaches that traced back to China. CFR's Segal says that even though cyber attacks aren't new, "on the defense side, we haven't had too much success" defending against them.
But experts don't necessarily say that means the United States is screwed. Segal says that US-China relations would have to "already be very, very bad or very, very close to military conflict anyway for the Chinese to consider a cyberattack." He adds that "there is some vulnerability to the power grid and industrial sector, but it's not a major threat right now. The major threat is espionage and stealing secrets."
"The way cybersecurity works is the way security works in the real world," Bejtlich says. "It's based on fast detection and response. It's hard to stop someone from breaking into your house, but you can call the police and kick them out." He adds that "defense contractors also learn from their experiences, and the ones who are making the news more tend to do the best job of protecting information that I've seen."
Grady makes the case that many of the cybersecurity concerns are overblown and are instead simply a good way for the defense industry to squeeze more money out of taxpayers. "This isn't some kind of new horror. Cyberattacks will become worrisome when someone figures out how to use a copy of Linux to blow up something," he tells Mother Jones. "The motives of defense contractors are pretty obvious, aren't they?" he adds. "The war on terror is all but over, but cybersecurity could mean anything and everything. Where there's fear, there's a lot of money to be made."
What is the Obama administration doing? Last week, Obama issued an executive order on cybersecurity with the aim of protecting US critical infrastructure from hackers, despite pushback from conservatives and big business. The order requests that companies participate in a voluntary information-sharing program so the government can help them stop attacks. "It's not clear that the executive order is going to make it better," Segal says. According to Bejtlich, the administration "is doing as much as it can with the order, but now the focus needs to shift to the House and the Senate."
Who else is China attacking? Wait, are we attacking anyone? Check out this amazing chart by Foreign Affairs, showing the number of cyber attacks, and by whom, from 2001 to 2011 (click link for the full chart):
SC Magazine reports that hackers (of unconfirmed origin) are now using phishing emails that claim to include the Mandiant cybersecurity report, in order to gain access to victims. The phishing emails are reportedly targeting Japanese companies and Chinese journalists. Here's a screenshot of one of the fake emails, released by Symantec:
And here's a tweet from Malware Lab claiming that some of the victims may be Chinese journalists:
UPDATE: On February 19, HB1674 passed through the Oklahoma Common Education committee on a 9-8 vote. On March 14, the bill died in the Oklahoma House of Representatives, according to the National Center for Science Education.
In biology class, public school students can't generally argue that dinosaurs and people ran around Earth at the same time, at least not without risking a big fat F. But that could soon change for kids in Oklahoma: On Tuesday, the Oklahoma Common Education committee is expected to consider a House bill that would forbid teachers from penalizing students who turn in papers attempting to debunk almost universally accepted scientific theories such as biological evolution and anthropogenic (human-driven) climate change.
Gus Blackwell, the Republican state representative who introduced the bill, insists that his legislation has nothing to do with religion; it simply encourages scientific exploration. "I proposed this bill because there are teachers and students who may be afraid of going against what they see in their textbooks," says Blackwell, who previously spent 20 years working for the Baptist General Convention of Oklahoma. "A student has the freedom to write a paper that points out that highly complex life may not be explained by chance mutations."
These bills are "a kind of code for people who are opposed to teaching climate change and evolution."
Stated another way, students could make untestable, faith-based claims in science classes without fear of receiving a poor mark.
HB 1674 is the latest in an ongoing series of "academic freedom" bills aimed at watering down the teaching of science on highly charged topics. Instead of requiring that teachers and textbooks include creationism—see the bill proposed by Missouri state Rep. Rick Brattin—HB 1674's crafters say it merely encourages teachers and students to question, as the bill puts it, the "scientific strengths and scientific weaknesses" of topics that "cause controversy," including "biological evolution, the chemical origins of life, global warming, and human cloning."
Largely overlooked among President Obama's State of the Union policy moves was a push to protect US infrastructure from cyberattacks. Earlier on Tuesday, the president signed an executive order that expands information-sharing between the government and private companies to, as he said in Tuesday night's address, develop "standards to protect our national security, our jobs, and our privacy." Conservatives and big business are warning of executive overreach—but in fact, the cybersecurity program gives companies more information than it requires from them, relies heavily on congressional support, and even makes civil liberties advocates happy.
Under the order, companies that provide vital services like electricity and water—many of which are considered highly vulnerable to attacks—will be able to view classified government information on cyberthreats, but they aren't required to share information when they get hacked. The order doesn't require companies to participate, nor does it provide any financial incentives (yet), but that didn't stop House Homeland Security Committee Chairman Rep. John McCaul, R-Texas, from warning that it could "open the door to increased regulations that would stifle innovation [and] burden businesses." The U.S. Chamber of Commerce called the program "unnecessary."
By contrast, civil libertarians such as the ACLU were relieved that the order emphasized privacy and civil liberties safeguards. Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, told Forbes that “We definitely like the executive order better than last year's Cyber Intelligence Sharing and Protection Act... The executive order can’t change any federal rules. It just changes the way the executive branch chooses to do things.”