Hacker News
by tzs 4010 days ago
> By granting legal immunity for service providers to share so-called "threat" data—potentially containing unminimized private customer data—law enforcement agencies are opening a huge backdoor for uncontrolled warrantless mass surveillance

Section 4(d)(2) requires removal of personal information before sharing unless that personal information is directly related to a cybersecurity threat.

A cybersecurity threat is defined as "an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system" and "does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement".

There is no mass surveillance implied in this.

> Because this surveillance would be done in secret, people would have no legal basis to challenge what amounts to an end-run around the U.S. Constitution.

The Constitution restricts government from forcing companies to give up information against their will. Nothing in the Constitution prohibits companies from voluntarily giving up information, and so nothing you have cited is in any way an end-run around the Constitution.


> Section 4(d)(2) requires removal of personal information

Section 4(d)(2) of _what?_ These minimization requirements have been removed or weakened in the various iterations of CIS(P)A that have appeared and been defeated year after year. There is currently no bill in front of Congress, so your citing of a specific provision is questionable. Congress is expected to take a new version of CISA up in the next few weeks.

> The Constitution restricts government from forcing companies to give up information against their will.

Except under Section 702, companies are compelled to hand over the information via secret orders with gag provisions. Fighting these orders is expensive, and the gag orders prevent the companies from openly opposing them.

It _is_ an end-run around the Constitution if the data a company provides belongs to an individual and is disclosed without a proper warrant, unless you agree with the statement that "people have no right to privacy in any data held by third party service providers." Such an attitude ignores the reality that cloud services have become integrated into people's lives, and ubiquitous enough that the end-customer should have a legal interest and Constitutional protection in data held by third parties.

> Section 4(d)(2) of _what?_

Section 4(d)(2) of the bill that the article you are commenting on is writing about, S.754, the "Cybersecurity Information Sharing Act of 2015".

Section 4(d)(2) requires removal of information that a company "knows at the time of sharing" to be private personal information. That's complete weak sauce. There is tons of leeway here for the government to demand threat indicators that could "accidentally" vacuum up private info without anyone "knowing" about it. And the bill hasn't even gone through committee. If the past is any indication, the GOP will try to strike it completely.

Anyway, I would appreciate if you could address the other point I raised because I'm very curious to hear your philosophical thoughts on this subject.

I don't see anything in (this version of, anyway) CISA that would let the government demand threat indicators. If the government wants to come demanding companies give them information, they have to turn to other laws for that.

On the Constitutional issue:

> It _is_ an end-run around the Constitution if the data a company provides belongs to an individual and is disclosed without a proper warrant, unless you agree with the statement that "people have no right to privacy in any data held by third party service providers."

People have multiple rights to privacy related to such data. Some come from state law. Some come from federal agencies. Some come from federal legislation. Some come from the Constitution.

The ones from the Constitution protect against government compelling release of the data. They don't protect against the providers deciding on their own to disclose the information to the government (or to the public, or to private parties). If, for instance, PG&E decided to publish a list of its customers along with contact information and energy use records, it would not be violating a Constitutional right to privacy. If the government demanded that PG&E make and turn over such a list, then we've got a Constitutional issue to talk about.

In that hypothetical, PG&E would be violating some of those other rights to privacy that come from state legislation, federal legislation, and agency rules, and would run into a ton of trouble.