Reading The Tea Leaves To Understand Why CISA Is A Surveillance Bill
from the it's-not-as-easy-as-you'd-think dept
I've had a few conversations recently with people on Twitter who insist that CISA is "not a surveillance bill," saying that they've read the bill and there's nothing about surveillance in it. It's true that the bill positions itself as nothing more than a "cybersecurity" bill that clarifies a few things and then provides some immunity for companies who "voluntarily" share information. However, as I've said in response, in order to understand why it's a surveillance bill, you have to look more closely at how CISA interacts with other laws and at what the intelligence community is currently doing. Unfortunately, this isn't always easy, because part of what the intelligence community is doing, and how it has interpreted other laws, remains secret. But, as you've probably heard, some of that has been leaking out over the past few years.

Back in June, we wrote about Jonathan Mayer's analysis of another leak story done by Pro Publica and the NY Times, showing that the FBI and the NSA blurred the lines between "terrorism" and "cybercrime" in order to do more warrantless surveillance of people they deemed to be "hackers." As Mayer noted at the time, this revealed that beyond the kinds of selectors most people believed the FBI and NSA were allowed to search the "upstream" corpus of data on, they could also use "cybersignatures." And thus, it seemed clear that CISA was about expanding the ability of the FBI and the NSA to get access to more such signatures, in order to more widely do warrantless surveillance on Americans' communications.
You have to dig a bit deeper into the muck to understand why this is true, and it has to do with another recently revealed tidbit, which is that the NSA and FBI (and CIA, for that matter), frequently make use of backdoor searches of the upstream data -- a capability that was approved in 2011. Basically, the rules changed so that the intelligence community could sniff through data that was deemed collected "incidentally." And that includes basically anything that is picked up in the "upstream" collection of data (tapping internet backbone lines) under Section 702 of the FISA Amendments Act.
Now, Marcy Wheeler has taken this a step further, noting that it looks like Mayer's analysis may actually have underplayed things. Wheeler's post is long and detailed, delves deeply into more partially secret programs, and tries to read the tea leaves from previously declassified and leaked documents, but comes to the conclusion that CISA is likely to be the key piece for letting the NSA and FBI spy on Americans without warrants after the FISA Court limited that ability a few years ago.
Without going into all the details of Wheeler's post, the short version is that it's well established that the NSA used to have a program very similar to the phone dragnet program, but for internet communications. Eventually that was determined to go too far and was shut down. But Wheeler is suggesting that a more narrow version was likely re-authorized later, and CISA is the way to expand it. It appears that the intelligence community was allowed to collect online info, but only to protect its own network. But, with the immunity granted under CISA, the NSA and FBI could effectively hand that power over to AT&T and Verizon, and freely "share" information back and forth with no liability for the telcos (both of which have a long history of proactively helping the NSA).
As Wheeler notes, if this is true, then it actually makes CISA a super powerful surveillance tool for the government for a variety of reasons. First, it's all "voluntary" between the telcos and the NSA/FBI, so no FISA Court to get in the way. Next, she points out that, while the language of the bill says that Homeland Security will "scrub" private info before sharing it with other agencies, it actually notes that the FBI can "veto" that scrub. And working together, the NSA and FBI can do a lot of damage this way:

That is, CISA affirmatively permits private companies to scan, identify, and possess cybersecurity threat information transiting or stored on their systems. It permits private companies to conduct precisely the same kinds of scans the government currently obligates telecoms to do under upstream 702, including data both transiting their systems (which for the telecoms would be transiting their backbone) or stored in its systems (so cloud storage).
Thus, CISA permits the telecoms to do the kinds of scans they currently do for foreign intelligence purposes for cybersecurity purposes in ways that (unlike the upstream 702 usage we know about) would not be required to have a foreign nexus. CISA permits the people currently scanning the backbone to continue to do so, only without consideration of whether the signature has a foreign tie or not. Unlike FISA, CISA permits the government to collect entirely domestic data.
Of course, there’s no requirement that the telecoms scan for every signature the government shares with it and share the results with the government. Though both Verizon and AT&T have a significant chunk of federal business — which just got put out for rebid on a contract that will amount to $50 billion — and they surely would be asked to scan the networks supporting federal traffic for those signatures. But they can do so if they want to. And the telecoms are outspoken supporters of CISA, so we should presume they plan to share promiscuously under this bill.
CISA, as written, would let FBI and NSA veto any scrub (including of content) at DHS. And incoming data (again, probably including content) would be shared immediately not only with FBI (which has been the vehicle for sharing NSA data broadly) but also Treasury and ODNI, which are both veritable black holes from a due process perspective. And what few protections for US persons are tied to a relevance standard that would be accomplished by virtue of a tie to that selector. Thus, CISA would permit the immediate sharing, with virtually no minimization, of US person content across the government (and from there to private sector and local governments).

As she notes, this makes CISA -- as Senator Ron Wyden has been saying for months -- not a cybersecurity bill at all, but a vast domestic internet surveillance bill.
Filed Under: cisa, cybersignatures, fbi, marcy wheeler, nsa, section 702, surveillance, upstream
Companies: at&t, verizon
Reader Comments
The First Word
Congressional Acronym Misdirection
The acronym for CISA is intentionally misleading. It is really the Complete Internet Surveillance Act.
As pointed out in the article: "Thus, CISA would permit the immediate sharing, with virtually no minimization, of US person content across the government (and from there to private sector and local governments)."
Sure glad that we are so busy pushing for shit like this when even internal documents state that the results don't justify the mass human rights violations....
...in expressions of 140 characters or less each?
from the tweets-are-for-twits department
Google gets crap about scanning the content of people's personal emails for advertising purposes, yet we're about to allow all the telcos to warrantlessly search through the content of American communications and seize that content if it matches one of the billions of cybersignatures deployed and actively searched for on that network.
Who gets to choose these cybersignatures again? Is there any judicial oversight on the deployment of these signatures? Or is it just an unconstitutional free for all?
If Google was actually against CISA, they would be making some noise about it. They aren't doing that.
Re:
I once overheard my B-in-law answering a phone: "Yup? Uh huh. Uh huh. Four. K, bye." Elapsed time, under thirty sec. Some have the power, it seems.
Re: Re:
Hello?
Yes.
Oh, he already knows that.
*click*
Son, who was that?
Some dummy who wanted me to tell you it's a long distance from Japan.
Why don't I have confidence that centralized data can be kept secure and private?
Why don't I have confidence that companies allowed to collect data won't use it for their own purposes?
Why does the FBI, CIA want to recreate the most restrictive regimes on the net in the USA?
Sigh.
DubbleBubble joke compression.
There's another instance of the same phenomenon (communication compression). You can fit a barely amusing joke with pics into a dubblebubble gum wrapper!
The one I have under a magnet on my fridge also points out fingernails grow four times faster than toenails. For whatever that's worth.
Re:
Why have almost all North American and British based politicians gone whole-hog totalitarian "we need to violate your rights in order to protect you" ever since ca. 2000? How many real terrorist incidents has NorthAm actually suffered? Yet the Constitution is forgotten as soon as it's sworn to?
Re: Re:
I think it's a disease.