CISA: Spying By Any Other Name
A new cybersecurity bill making its way through Congress could allow government agencies from the NSA to your local police to get and use your private data without due process. The Cybersecurity Information Sharing Act (CISA) provides sweeping protections against liability to companies that collect large amounts of user data—including telecommunications, banking, and major retail companies—if they share that data with the government. While the stated intention of the bill is to bolster US cyberdefenses, civil rights groups say CISA is actually a surveillance bill in disguise that will endanger the privacy and civil liberties of Internet users. It also contains exemptions to the Freedom of Information Act, which will keep the public in the dark about what information is being collected, shared, or used. The government would be permitted to use that data in a broad range of investigations and prosecutions, including Espionage Act investigations that could silence whistleblowers and threaten press freedom.
PEN has seen the impact this kind of sweeping surveillance has on writers around the world: growing self-censorship and lasting damage to the U.S.’ reputation as a haven for free expression. That’s why PEN and over a dozen other groups are asking you to join us in a Week of Action to Stop CISA. Back in April, PEN American Center signed on to a coalition letter of 55 civil society organizations and security experts opposing CISA on privacy and civil liberties grounds. Months later, CISA is still fundamentally flawed. The Senate is trying to vote on the bill in the coming weeks, and only you can help us stop it.
CISA will allow companies like Facebook or Comcast to monitor their systems for broadly-defined “threats” and to launch countermeasures or “hack-backs” against perceived attackers. Given a blank check to respond to threats, these companies could escalate the situation in ways that damage networks belonging to innocent bystanders. While the bill prohibits measures that cause “substantial harm,” it’s unclear exactly what substantial means; companies could still have a pass to wreak significant amounts of damage. In fact, broad definitions like this in the bill could end up granting companies even more discretion to decide when to go on the offense against perceived threats. For example, the bill’s language of “cybersecurity purpose” is so poorly defined that it means almost anything related to protecting—including physically protecting—a computer or software.
Through the bill, companies could disclose so-called “cyber threat indicators”— just about anything from your email contents to the type of phone you use, geolocation, or your IP’s login history—to the government without a warrant. It also requires that data shared with any agency be automatically shared with the NSA and other military and intelligence agencies. The bill affords few privacy protections for Internet users and does not effectively require source companies to remove personal identifying information before sharing with the government.
The theft of 22 million government employees’ personal information at the Office of Personnel Management is confirmation that the federal government does not effectively protect its own systems from cyberthreats. Companies sharing our personal information with the government only makes the risk of data theft greater. By moving more data from the private sector to the federal government, this bill would expose American citizens to even more risk of privacy breaches.
In exchange for gathering and sharing information gleaned from cyber threat indicators, the bill protects companies that store user information against being held liable for engaging in activities – such as monitoring and sharing information– authorized by the bill. The bill also contains language that prevents citizens from using the Freedom of Information Act (FOIA) to find out what’s been shared with the government. This lack of transparency invites abuse, hindering journalists and citizens from bringing to light government missteps and overreach.
Jennifer Granick, director of Civil Liberties at Stanford Law’s Center for Internet and Society, provides a simple example of how the government could infringe on your privacy rights under the provision of CISA outlined above:
“Imagine … someone sends you an email attachment containing malware. Your email service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It’s the Department of Homeland Security (DHS), and they’re curious. The malware appears to be from Turkey. Why, DHS wants to know, might someone in Turkey be interested in attacking you? To investigate, would your email company please share all your emails with the government? Knowing more about you, investigators might better understand the attack.”
Sound pretty bad to you? Here’s what you can do to help:
1. Learn more. For detailed analysis you can check out this blog post and this chart.
2. Visit the Stop Cyber Spying coalition website where you can email and fax your Senators, using a new tool developed by Fight for the Future, and tell them to vote no on CISA.
3. Join EFF, Access, Fight for the Future, and the ACLU for an “Ask Me Anything” on Reddit on Wednesday, July 29 at 10am ET/7am PT. Ask away, and invite your friends!
4. Help us spread the word. After you’ve learned more and contacted your government representatives, tweet, Facebook, or blog about why CISA must be stopped. Join us by publishing a blog post this week about why you oppose CISA and include the action tools at https://stopcyberspying.com/.
- CISA sacrifices liberty without improving security. We deserve both. https://stopcyberspying.com/ #StopCISA
- Don’t trade away my privacy for a surveillance bill in disguise. https://stopcyberspying.com/ #StopCISA
With your help, we’ll make sure Congress gets the message: now more than ever, we don’t need more cyber surveillance. We need better security. CISA must be defeated.