CISA and the War on Privacy


On October 27, the Senate voted in favor of the Cybersecurity Information Sharing Act of 2015 (CISA), a controversial bill that proponents advertise as an essential tool for preventing a cyber attack but opponents decry as a government-approved mass surveillance.

On the surface, CISA encourages the sharing of information related to cybersecurity threats between companies and the government. Government agencies and corporations would be required to share information with one another that could help identify cybercriminals or potential cybersecurity threats for the purpose of everything from defense to prosecution.

The bill also gives companies legal immunity for sharing data with the federal government, and a number of lawmakers and consumer rights advocates have expressed very real concerns that the legislation does not protect Americans’ privacy — particularly considering the blanket Freedom of Information Act exemption that the bill entails. That means that in the event a company oversteps and shares irrelevant or incorrect information, the public not only won’t know, there would be no legal recourse if they found out. CISA virtually guarantees that the public will have no ability to see what information is being shared between companies and the government.

CISA was passed by a vote of 74-21, over the pleas of privacy advocates, with the most critical protection amendments being shot down, highlighting how detached lawmakers in the United States are from matters related to not only technology but also our own Constitution. One dissenter previously stated that CISA is merely “a surveillance bill by another name,” and his concern is shared by many.

“Any information-sharing legislation that lacks adequate privacy protections is not simply a cybersecurity bill, but a surveillance bill by another name,” U.S. Senator Ron Wyden (D-OR) said previously in a dissenting view on the bill. “I opposed this bill because I believe its insufficient privacy protections will lead to large amounts of personal information being shared with the government even when that information is not needed for cybersecurity.”

One of the amendments that was rejected came from Wyden and sought to reform the bill’s privacy protections by requiring that companies remove personal data before sharing information, unless that information is necessary to identify a threat. It lost by a vote of 41 to 60.

CISA, as it was passed, offers a vaguely-defined criteria, stating that “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.” The vagueness of the term “threat” is immediately apparent when reading the bill, and risks allowing companies, and by extension the government, the ability to monitor the private activities of users without a warrant, effectively circumventing the Fourth Amendment rights of Americans.

The Fourth Amendment reads: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

“But the Fourth Amendment does not protect information given to a third party, Liz. Haven’t you heard of the Third Party Doctrine? People who give information to third parties have no reasonable expectation of privacy!”

The Constitution only protects against government actions, not private ones, so it is true that information given to third parties is not protected under the Fourth Amendment — unless that third party is acting as an agent of the government. Let’s compare this to a more direct example. The police are not permitted to break into a person’s house in order to gather evidence without a warrant, lest they be acting against the Fourth Amendment. A vigilante breaking into a person’s home, while still committing a crime, is not acting against the Fourth Amendment.

However, if that vigilante is Batman, and Batman is responding to the police calling him via Bat Signal, he is acting as an agent of the government, thus creating a Fourth Amendment violation. With CISA, the government is Bat Signaling companies in order to obtain evidence they cannot lawfully gather themselves. As this would arguably be a violation of the Fourth Amendment, a new law is needed in order to do this without fear of repercussion.

And that’s how CISA is born.

Fourth Amendment aside, CISA allows for the sharing of such information in real time. I don’t think I need to tell you what a cyberattack on such information could look like — not that you’d ever see it, anyway. The blanket FOIA exemption ensures that citizens would never be informed of such a security breach. What a time to be alive.

In short, we are telling American businesses that they should share private consumer information with the government, while granting them immunity from liability for a violation of said consumer’s privacy, in order to combat threats of an undefined nature. We are also telling the government that they can avoid obtaining warrants in order to search, gather, and seize our information from non-government entities for the purposes of surveillance. How can this possibly end badly for anyone?

Before the bill can make its way to the president’s desk in order to become law, it will return to the House of Representatives for conference, in order to consolidate the Senate and House version, which was passed earlier this year.

Are you afraid yet?