CISA: A Surveillance Bill by Any Other Name Smells Just As Foul
An impressive coalition has formed to oppose a new surveillance bill masquerading as cybersecurity legislation.
Privacy and civil liberties organizations, free market groups, and others from across the political spectrum are joining this week in a common chorus call: Stop CISA.
Proponents of CISA — the Cybersecurity Information Sharing Act — claim the Senate bill would help prevent cyber-crimes by improving information sharing between the government and the private sector. But in reality, CISA only succeeds in expanding government surveillance and weakening privacy while making Americans less secure online. The bill as drafted would have done nothing to stop the high-profile breaches at Sony, Anthem, and, most recently, the Office of Personnel Management, which holds terabytes of sensitive information about millions of government employees.
For several years, certain elements of the business community and national security hawks in Congress have pressed for legislation like CISA. In April, the House passed a package of similar cybersecurity information sharing bills, which were opposed by the ACLU and bevy of other privacy and civil liberties groups, but were in some ways dramatically better than the bill now pending in the Senate.
CISA’s vague language and expansive definitions will give the government new ways to collect and use the personal information and communications of innocent Americans, all without a warrant or any review by an independent court or overseer. CISA would allow companies to share information with the government relating to a “cybersecurity threat,” a term defined so broadly in the bill that it could include huge swaths of emails and text messages. The handover of user information under CISA would be permitted even if otherwise prohibited by existing data privacy laws, like the Electronic Communications Privacy Act. The law would also give companies broad legal protections even if they improperly share consumer data.
And, perhaps unsurprisingly, the information shared by companies would automatically be forwarded to numerous intelligence, military, and law enforcement agencies, including the NSA and FBI.
Once in the government’s hands, CISA allows for the shared information to be used in garden-variety law enforcement cases that have nothing to do with cybersecurity. For example, the government could use private emails and messages received from communications providers like Comcast, Facebook, Google, or Verizon to investigate and prosecute whistleblowers who report serious misconduct to the press. That’s a serious concern given that the Obama administration has already prosecuted more national security whistleblowers than all other administrations combined.
As an added bonus for government snoopers, CISA also includes a new exemption to the Freedom of Information Act, which will make it harder for groups like the ACLU to obtain documents from the government to determine how it is using — or misusing — the shared information. That means, for example, that it could be nearly impossible for us to find out how much private information is flowing from companies to the government or how the government is using it.
And despite CISA’s promise to open the floodgates for private information to flow to the government without any privacy protections, it fails at actually delivering better cybersecurity. As we learned with the hack at the OPM, the government is not a reliable guarantor of data security. Hackers were able to access the personal information of millions of Americans — including Social Security numbers, birthdates, and records about citizens’ finances, health, associations, and even sexual orientation—that applicants for security clearances must disclose to the government. All that additional information would make the government an even more desirable target for cybersnoops and cybercrooks.
CISA is more than just a bad solution to a serious problem. It would actually make cybersecurity worse while compromising basic democratic protections for personal privacy. The Senate must reject this surveillance bill. But if it decides to send this travesty to the president, he should veto the bill, consistent with his past threats against similarly atrocious bills.