Proposed Info Sharing Legislation Could Worsen NSA Surveillance (cdt.org)
95 points by lemonlyman87 4010 days ago
6 comments

CISA is the government's way of writing into law that people have no right to privacy in any data held by third party service providers. By granting legal immunity for service providers to share so-called "threat" data—potentially containing unminimized private customer data—law enforcement agencies are opening a huge backdoor for uncontrolled warrantless mass surveillance. Because this surveillance would be done in secret, people would have no legal basis to challenge what amounts to an end-run around the U.S. Constitution.

Watch in the coming weeks as lawmakers point to the OPM hacks as justification for spying on everyone's Gmail activity.

> By granting legal immunity for service providers to share so-called "threat" data—potentially containing unminimized private customer data—law enforcement agencies are opening a huge backdoor for uncontrolled warrantless mass surveillance

Section 4(d)(2) requires removal of personal information before sharing unless that personal information is directly related to a cybersecurity threat.

A cybersecurity threat is defined as "an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system" and "does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement".

There is no mass surveillance implied in this.

> Because this surveillance would be done in secret, people would have no legal basis to challenge what amounts to an end-run around the U.S. Constitution.

The Constitution restricts government from forcing companies to give up information against their will. Nothing in the Constitution prohibits companies from voluntarily giving up information, and so nothing you have cited is in any way an end-run around the Constitution.

> Section 4(d)(2) requires removal of personal information

Section 4(d)(2) of _what?_ These minimization requirements have been removed or weakened in the various iterations of CIS(P)A that have appeared and been defeated year after year. There is currently no bill in front of Congress, so your citing of a specific provision is questionable. Congress is expected to take a new version of CISA up in the next few weeks.

> The Constitution restricts government from forcing companies to give up information against their will.

Except under Section 702, companies are compelled to hand over the information via secret orders with gag provisions. Fighting these orders is expensive and the gag orders prevent the companies from openly opposing them.

It _is_ an end-run around the Constitution if the data a company provides belongs to an individual and is disclosed without a proper warrant, unless you agree with the statement that "people have no right to privacy in any data held by third party service providers." Such an attitude ignores the reality that cloud services have become integrated into people's lives, and ubiquitous enough that the end-customer should have legal interest and Constitutional protection in data held by third parties.

> Section 4(d)(2) of _what?_

Section 4(d)(2) of the bill that the article you are commenting on is writing about, S.754, the "Cybersecurity Information Sharing Act of 2015".

Section 4(d)(2) requires removal of information that a company "knows at the time of sharing" to be private personal information. That's complete weak sauce. There is tons of leeway here for the government to demand threat indicators that could "accidentally" vacuum up private info without anyone "knowing" about it. And the bill hasn't even gone through committee. If the past is any indication, the GOP will try to strike it completely.

Anyway, I would appreciate if you could address the other point I raised because I'm very curious to hear your philosophical thoughts on this subject.

I don't see anything in (this version of, anyway) CISA that would let the government demand threat indicators. If the government wants to come demanding companies give them information, they have to turn to other laws for that.

On the Constitutional issue:

> It _is_ an end-run around the Constitution if the data a company provides belongs to an individual and is disclosed without a proper warrant, unless you agree with the statement that "people have no right to privacy in any data held by third party service providers."

People have multiple rights to privacy related to such data. Some come from state law. Some come from federal agencies. Some come from federal legislation. Some come from the Constitution.

The ones from the Constitution protect against government compelling release of the data. They don't protect against the providers deciding on their own to disclose the information to the government (or to the public, or to private parties). If, for instance, PG&E decided to publish a list of its customers along with contact information and energy use records, it would not be violating a Constitutional right to privacy. If the government demanded that PG&E make and turn over such a list, then we've got a Constitutional issue to talk about.

In that hypothetical, PG&E would be violating some of those other rights to privacy that come from state legislation, federal legislation, and agency rules, and would run into a ton of trouble.

This might not be a problem if we did not have a totalitarian legal system that depends on privacy and discretion because without it pretty much everyone is a criminal. I don't look forward to the day when government can pretty much put anyone away using secret evidence and laws that are already on the books.

They have already used so-called terrorism legislation to put away people involved with the drug trade. How long before they start spying on people downloading copyrighted material or, in the UK, people watching unsavory porn?

> Watch in the coming weeks as lawmakers point to the OPM hacks as justification for spying on everyone's Gmail activity.

We can't stop leaking your personal information to the enemy, so we obviously need to collect and store more comprehensive and personal information.

This suggests a market opportunity.

Wow, this is a totally uncredited ripoff of some analysis by Stanford Law's Jonathan Mayer. The image is essentially a remake of one he put together. In favor of changing the link.

http://webpolicy.org/2015/06/04/nsa-cybersecurity/

I'm getting tired of finding out about all these ways in which agencies are allowed to use data which circumvent the Constitution. I have to wonder exactly what needs to happen for people to realize this. Then again, you also have to wonder why our own government is surprised people are using encrypted first communication.

NSA/FBI surveillance is pretty unpopular - I'm pretty sure that Senator and Representative offices got a ton of calls about it, otherwise the PATRIOT Act section 215 wouldn't have sunsetted, it would have gotten a big sloppy wet rubber stamp. SOPA touched off a big campaign a couple of years ago, CISA gets nearly unanimous bad reviews.

So, why does the Senate keep trying to crank up this sort of thing? They need to be a little answerable to their constituency, they need to exhibit a little leadership in terms of not just blindly following party leadership and lobbyists.

Is this whole category of law a place where the DoJ has intercepted enough sketchy conversations that they've got leverage against key Senators and Reps? That's the only thing I can think of, other than the "intelligence community" is flat out lying in the secure sessions. Since the "intelligence community" has a long history of lying, with a lot of recent scandalous reveals, you'd think that oversight committees would be a lot less willing to just believe.

So, I'm torn. Why does this keep popping up?

> So, I'm torn. Why does this keep popping up?

Constituents may vote, but lobbyists pay the bills.

All the big tech companies want CISA because it legalizes data sharing programs like PRISM. To date, they've been forced to do this for years under Section 702 of FISA, but the whole thing has been in breach of their privacy agreements with customers.

Remember when EFF sued AT&T for [letting the NSA wiretap their Internet backbone facilities][1]? Congress killed the lawsuit by retroactively granting immunity under the FISA Amendments Act.

CISA is just the same thing, but for newer programs like PRISM, and tech companies want the immunity because they're otherwise being exposed to major liability.

Personally, I think a better idea would be to reform Section 702 of FISA to ban programs like PRISM. The government should be required to get a warrant when they want to look at private data.

[1]: https://en.wikipedia.org/wiki/Room_641A

For Uncle Sam to get a warrant is just dandy, but that's not going to protect us from organized crime or the intelligence services of other nations.

We need security that my mother can understand. Dad had a top secret clearance, so Mom understands why she needs to shred paper documents.

I've had no such luck explaining to her how to maintain her privacy with her iMac.

Government contractors pay the lobbyists. Consider that the very first Cray was purchased by the NSA.

> Is this whole category of law a place where the DoJ has intercepted enough sketchy conversations that they've got leverage against key Senators and Reps?

That's all I can think of too after reading Daniel Suarez' "Influx." With the resources and information at their disposal I would not put it past them to take this approach.

That raises the question of how we can change the system if we have to assume some sort of blackmail like that might be taking place. Is there a workaround?

Attorney General Alberto Gonzales obtained this sort of leverage against Representative Jane Harman: http://www.salon.com/2009/04/20/harman/

I was amazed that this story had such short legs. It seems like a big deal to me, a really big deal.

Now just think about how something like the recent government hack[1] would play out on a wider scale.

http://www.thedailybeast.com/articles/2015/06/24/hackers-sto...

This is why I use Tor.

Unfortunately many sites do not permit connections from exit nodes. Cloudflare always requires one to solve a CAPTCHA.

DuckDuckGo, by contrast, provides a hidden service.

I'm planning on providing one too; I wouldn't want the FBI to know who is reading my articles about C++ memory management.

Just now I read in The Columbian that Obama has committed not to spy on the Prime Minister of France, after France called for an intelligence code of ethics in which the allies agree not to spy on each other.

There was no mention of spying on their own citizens.

And if someone else spies on the PM of France, and the US happens to get their hands on that data, then I'll bet they'd argue the US did not spy on them.