CISA is the Cybersecurity Information Sharing Act, sponsored by Senators Dianne Feinstein (D-CA) and Saxby Chambliss (R-GA), the Chair and Co-Chair of the Senate Select Committee on Intelligence. The Committee will hold a secret mark-up of the bill on July 8. Ostensibly designed to protect us from cyberthreats, the bill instead takes aim at whistleblowers and internet activists and facilitates a vast flow of our private communications data to the NSA. Where to begin…
Let’s start with the way the bill defines “cyberthreat.” It can be an action as innocuous as signing onto your friend’s Facebook account (even with your friend’s permission) because that is a violation of the terms of service agreement. We all violate terms of service agreements (the rules you never read, but always agree to) intentionally or not, without presenting a threat to cybersecurity. Moving on to the concept of information sharing at the core of the bill. I know, sharing is good… but there is such a thing as oversharing, and this bill is it. Companies are incentivized to “voluntarily” share “cyberthreat information” with the Department of Homeland Security, which in turn will share that information in real time with the “appropriate” agencies, including the Department of Defense and intelligence agencies like the NSA. Information that personally identifies us may or may not be stripped away during all this sharing.
Let’s note right away that “voluntarily” is just another way of saying “without a warrant.” So a range of alphabet soup agencies from DOE to DOJ to DHS, and the DOD and NSA will all have access to data that can include the content of our communications, and without a warrant. They are then allowed to search through this information and use it to investigate and prosecute not just actual cyber crimes, but any criminal activity. Sounds like an end run around the Fourth Amendment to a lot of us.
What has us particularly worried is that the bill explicitly allows use of our personal communications data for the investigation and prosecution of violations of the Computer Fraud and Abuse Act (CFAA) and the Espionage Act. This is where the bill specifically targets internet activism and whistleblowers. Here’s how: The CFAA makes felonies of actions that cause little or no harm and is being used to crack down on internet civil disobedience. It is the law that was used to persecute Aaron Swartz. The Espionage Act is being used against whistleblowers like Edward Snowden, Chelsea Manning and Thomas Drake to an unprecedented degree by the Obama Administration.
So, we’ve got DHS and the NSA getting data, including communications content, without a warrant, on “threats” that include innocuous activity that most, if not all, of us are guilty of… and they are allowed to search that data to prosecute us for “crimes” unrelated to cybersecurity. And the whole operation will be conducted under a cloak of secrecy because the bill includes exemptions from disclosure under state and local sunshine laws, and under the federal Freedom of Information Act. But we aren’t quite done with the disaster that is this piece of legislation.
Let’s talk immunity. Companies are encouraged to hand our private information over to the government and they are guaranteed immunity from prosecution for wrongfully sharing data if it was done in “good faith.” They are also granted immunity if they take countermeasures against “cyberthreats” that cause harm to people or computers who did no wrong. The bill is so egregious that the advocacy community couldn’t fit all our objections in one letter — so we wrote two (see below).