One of the things that civil liberties activists like to lament about is that the general public seems to care more about Google and Facebook using their personal data to target advertising than the government using it to target drone strikes.
The reality is that both types of abuse are dangerous, and they work hand in hand.
It’s hard to find a more perfect example of this collusion than in a bill that’s headed for a vote soon in the U.S. Senate: the Cybersecurity Information Sharing Act, or CISA.
CISA is an out and out surveillance bill masquerading as a cybersecurity bill. It won’t stop hackers. Instead, it essentially legalizes all forms of government and corporate spying.
Here’s how it works. Companies would be given new authority to monitor their users — on their own systems as well as those of any other entity — and then, in order to get immunity from virtually all existing surveillance laws, they would be encouraged to share vaguely defined “cyber threat indicators” with the government. This could be anything from email content, to passwords, IP addresses, or personal information associated with an account. The language of the bill is written to encourage companies to share liberally and include as many personal details as possible.
That information could then be used to further exploit a loophole in surveillance laws that gives the government legal authority for their holy grail — “upstream” collection of domestic data directly from the cables and switches that make up the Internet.
Thanks to Edwards Snowden, we know that the NSA, FBI, and CIA have already been conducting this type of upstream surveillance on suspected hackers. CISA would give the government tons of new domestic cyber threat indicators to use for their upstream collection of information that passes over the Internet. This means they will be gathering not just data on the alleged threat, but also all of the sensitive data that may have been hacked as part of the threat. So if someone hacks all of Gmail, the hacker doesn’t just get those emails, so does the U.S. government.
The information they gather, including all the hacked data and any incidental information that happens to get swept up in the process, would be added to massive databases on people in the U.S. and all over the world that the FBI, CIA, and NSA are free to query at their leisure. This is how CISA would create a huge expansion of the “backdoor” search capabilities that the government uses to skirt the 4th Amendment and spy on Internet users without warrants and with virtually no oversight.
All of this information can be passed around the government and handed down to local law enforcement to be used in investigations that have nothing to do with cyber crime, without requiring them to ever pull a warrant. So CISA would give law enforcement a ton of new data with which to prosecute you for virtually any crime while simultaneously protecting the corporations that share the data from prosecution for any crimes possibly related to it.
There’s little hope for ever challenging this system in court because you’ll never know if your private information has been shared under CISA or hoovered up under a related upstream collection. In a particularly stunning display of shadyness, the bill specifically exempts all of this information from disclosure under the Freedom of Information Act or any state, local, or tribal law.
The members of Congress who are pushing hardest for the bill, unsurprisingly, have taken more than twice as much money from the defense industry than those who are opposing it. These politicians claim that CISA is intended to beef up U.S. cybersecurity and stop foreign hackers from ruining everything, but, as their funders in the defense industry know well, it will really just give the government more data and create new opportunities for contractors to sell their data analysis services.
The world’s cybersecurity experts say that CISA won’t stop cyber attacks, but it will create a gaping loophole for law enforcement agencies from the NSA right down to your local police department to access people’s private information without a warrant. Systems like this have chilling effects on our willingness to be ourselves and speak openly on the Internet, which threatens our most basic rights.
The Internet makes a lot of good things possible, but it also makes it possible for corporations and governments to exploit us in ways they never could before. The debate over CISA is not about hackers, or China, or cybersecurity — it’s about whether we want to further normalize ubiquitous monitoring, warrantless surveillance, and unfettered manipulation of our vulnerabilities, or if we want to protect the Internet as a promising platform for freedom and self expression.