One thing that has become crystal clear since the Edward Snowden revelations, is that much of Congress has no problem at all with unconstitutional spying. Rather, they are primarily upset it was exposed and are dead set on making sure no other whistleblower can ever do the same. Enter CISA, or The Cybersecurity Information Sharing Act.
I’ve spent much of today reading about the bill, and have compiled what I think are the most astute observations. First, from the ACLU:
A new cybersecurity bill poses serious threats to our privacy, gives the government extraordinary powers to silence potential whistleblowers, and exempts these dangerous new powers from transparency laws.
“The bill would create a massive loophole in our existing privacy laws by allowing the government to ask companies for ‘voluntary’ cooperation in sharing information, including the content of our communications, for cybersecurity purposes. But the definition they are using for the so-called ‘cybersecurity information’ is so broad it could sweep up huge amounts of innocent Americans’ personal data.
“The Fourth Amendment protects Americans’ personal data and communications from undue government access and monitoring without suspicion of criminal activity. The point of a warrant is to guard that protection. CISA would circumvent the warrant requirement by allowing the government to approach companies directly to collect personal information, including telephonic or internet communications, based on the new broadly drawn definition of ‘cybersecurity information.’”
In addition to the threats to every American’s privacy, the bill clearly targets potential government whistleblowers. Instead of limiting the use of data collection to protect against actual cybersecurity threats, the bill allows the government to use the data in the investigation and prosecution of people for economic espionage and trade secret violations, and under various provisions of the Espionage Act.
The always excellent Electronic Frontier Foundation (EFF) has also chimed in:
CISPA purports to allow companies and the federal government to “share” threat information for a “cybersecurity” purpose—to protect and defend against attacks against computer systems and networks. But the bill is written broadly enough to permit your communications service providers to identify, obtain, and share your emails and text messages with the government. While business leaders have conceded that they do not need to share personally identifying information to combat computer threats, the bill provides an exception to existing law designed to protect your personal information.
The newly granted powers are intended to thwart computer security threats against a company’s rights and property. But the definitions are broad and vague. The terms allow purposes such as guarding against “improper” information modification and ensuring “timely” access to information, functions that are not necessarily tied to attacks.
Once handed over, the government is able to use this information for investigating crimes that are unrelated to the underlying security threat and, more broadly, for “national security” purposes, which is a poorly defined term that includes “threats to the United States, its people, property, or interests” and “any other matter bearing on United States national or homeland security.”
Companies would also be immune from both civil and criminal liability for any action, including but not limited to violating a user’s privacy, as long as the company used the powers granted by CISPA in “good faith.” The immunity even extends to “decisions made based on” any information “directly pertaining” to a security threat. The consequences of such a clause are far-reaching.
Meanwhile, Trevor Timm, executive of the Freedom of the Press Foundation, noted in the Guardian that:
One of the most underrated benefits of Edward Snowden’s leaks was how they forced the US Congress to shelve the dangerous, privacy-destroying legislation– then known as Cispa – that so many politicians had been so eager to pass under the guise of “cybersecurity”. Now a version of the bill is back, and apparently its authors want to keep you in the dark about it for as long as possible.
Now it’s called the Cybersecurity Information Sharing Act (Cisa), and it is a nightmare for civil liberties. Indeed, it’s unclear how this kind of law would even improve cybersecurity. The bill was marked up and modified by the Senate intelligence committee in complete secrecy this week, and only afterward was the public allowed to see many of the provisions passed under its name.
Cisa is what Senator Dianne Feinstein, the bill’s chief backer and the chair of the committee, calls an “information-sharing” law that’s supposed to help the government and tech and telecom companies better hand information back and forth to the government about “cyberthreat” data, such as malware. But in reality, it is written so broadly it would allow companies to hand over huge swaths of your data – including emails and other communications records – to the government with no legal process whatsoever. It would hand intelligence agencies another legal authority to potentially secretly re-interpret and exploit in private to carry out even more surveillance on the American public and citizens around the world.
Under the new provisions, your data can get handed over by the tech companies and others to the Department of Homeland Security (not exactly a civil liberties haven itself), but then it can be passed along to the nation’s intelligence agencies … including the NSA. And even if you find out a company violated your privacy by handing over personal information it shouldn’t have, it would have immunity from lawsuits – as long as it acted in “good faith”. It could amount to what many are calling a “backdoor wiretap”, where your personal information could end up being used for all sorts of purposes that have nothing to do with cybersecurity.But it’s not just privacy advocates who should be worried: transparency also takes a huge hit under this bill. Cisa would create a brand-new exception to the Freedom of Information Act (which is already riddled with holes), all the better to ensure everything in this particular process remains secret.
In typical intel-committee fashion, the Foia amendment wasn’t even made public until after it was passed by committee.The fact of the matter is the Snowden leaks have done more for cybersecurity than any info-sharing bill ever could. The major tech companies have leapt forward and are now competing on who is more secure because of worries that the NSA, and other intelligence agencies for that matter, are snooping wherever they can. Certainly there is more to do, but eviscerating privacy rights in the process is not the solution.
Unsurprisingly, the financial services industry seems to be particularly excited about this piece of legislation. This shouldn’t come as any surprise in light of my recent post: Wall Street Teams Up with U.S. Intelligence Cronies in Bid to Form Fascist “Cyber War Council.”
The new Senate bill has won support from financial trade groups, among others, who say the legislation is critical to making sure hackers can’t wreak havoc on bank records.
Kenneth Bentsen, chief executive at the Securities Industry and Financial Markets Association, said in a statement that leaders of the Senate Intelligence panel who wrote the bill have “taken a balanced and considered approach which will help the financial services industry to better protect our customers from cyber terrorists and criminals, as well as their privacy.”
Ah, the Securities Industry and Financial Markets Association (SIFMA). This is the same Wall Street lobby that former NSA chief Keith Alexander recently signed on as a client for $600,000 per month for “cyber-security” advice.
It seems fairly obvious what CISA is intended to do. The NSA and other intelligence agencies are well aware that all Americans essentially sign away their privacy rights to large technology companies via terms of service agreements (a topic I highlighted recently). Now that government access to tech companies’ data has been exposed by Edward Snowden, they are looking for another way to obtain “legal” access. This seems to be what CISA is all about.
If you recall, the most meaningful victory achieved by Aaron Swartz prior to his untimely and tragic death at the hands of a vindictive and hateful U.S. government, was leading the charge to stop Internet censorship bills SOPA/PIPA. It would be wise for all of us to take heed of his words:
We won this fight because everyone made themselves the hero of their own story. Everyone took it as their job to save this crucial freedom. They threw themselves into it. They did whatever they could think of to do. They didn’t stop to ask anyone for permission. You remember how Hacker News readers spontaneously organized this boycott of GoDaddy over their support of SOPA? Nobody told them they could do that. A few people even thought it was a bad idea. It didn’t matter. The senators were right: The Internet really is out of control. But if we forget that, if we let Hollywood rewrite the story so it was just big company Google who stopped the bill, if we let them persuade us we didn’t actually make a difference, if we start seeing it as someone else’s responsibility to do this work and it’s our job just to go home and pop some popcorn and curl up on the couch to watch Transformers, well, then next time they might just win. Let’s not let that happen.
Read more Michael Krieger. Hat tip: Zero Hedge.