Another day, another attack on privacy rights.
In the coming weeks, the U.S. Senate is expected to vote on new legislation, styled as a cybersecurity bill, which civil libertarians say is nothing more than the latest incarnation of legalized government surveillance.
"CISA is fundamentally flawed because of its aggressive spying powers, broad immunity clauses for companies, and vague definitions of key terms. Combined, they make CISA a surveillance bill in disguise."
—Stop Cyber Surveillance coalition
A massive coalition of rights groups have launched a campaign against the bill, which is known as the Cybersecurity Information Sharing Act (CISA). Under the banner Stop Cyber Surveillance, the coalition—which includes the ACLU, the Brennan Center for Justice, the Electronic Frontier Foundation, the Sunlight Foundation, and others—is urging Congress to oppose "CISA, and any cybersurveillance bill that would violate your basic rights in the name of cybersecurity."
How does CISA threaten privacy rights? As Evan Greer, campaign director at privacy rights group Fight for the Future, explained on Wednesday:
Here’s how it works. Companies would be given new authority to monitor their users—on their own systems as well as those of any other entity—and then, in order to get immunity from virtually all existing surveillance laws, they would be encouraged to share vaguely defined “cyber threat indicators” with the government. This could be anything from email content, to passwords, IP addresses, or personal information associated with an account. The language of the bill is written to encourage companies to share liberally and include as many personal details as possible.
That information could then be used to further exploit a loophole in surveillance laws that gives the government legal authority for their holy grail— "upstream" collection of domestic data directly from the cables and switches that make up the Internet.
The coalition sums it up like this: "CISA is fundamentally flawed because of its aggressive spying powers, broad immunity clauses for companies, and vague definitions of key terms. Combined, they make CISA a surveillance bill in disguise. The bill may even make things worse for internet users."
CISA advanced on Capitol Hill in March after passing the Senate Intelligence Committee, which voted 14-1 in favor of the bill. Its proponents claim the bill "would help prevent cyber-crimes by improving information sharing between the government and the private sector," writes ACLU legislative assistant Nathaniel J. Turner. "But in reality, CISA only succeeds in expanding government surveillance and weakening privacy while making Americans less secure online."
Turner adds, "The bill as drafted would have done nothing to stop the high-profile breaches at Sony, Anthem, and, most recently, the Office of Personnel Management."
Moreover, as Greer says, "There's little hope for ever challenging this system in court because you’ll never know if your private information has been shared under CISA or hoovered up under a related upstream collection. In a particularly stunning display of shadyness, the bill specifically exempts all of this information from disclosure under the Freedom of Information Act or any state, local, or tribal law."
Critics note that many of CISA's more outspoken supporters in Congress have received generous donations from the defense industry. That is part of why a grassroots movement against the bill is so important, says the Electronic Frontier Foundation, which is in the midst of a surging week of action against the legislation.
Writes EFF activist Nadia Kayyali, "We keep hearing that CISA and the other 'cybersecurity' bills moving through Congress are 'must-pass' legislation. But just like the original version of CISA, the Cyber Intelligence Sharing and Protection Act (CISPA), we think grassroots activism can stop this legislation in its tracks."