Reading The Tea Leaves To Understand Why CISA Is A Surveillance Bill

from the it's not as easy as you'd think dept

I’ve had a few conversations recently with people on Twitter who claim that CISA is “not a surveillance bill,” claiming that they’ve read the bill and there’s nothing about surveillance in it. It’s true that the bill positions itself as nothing more than a “cybersecurity” bill that clarifies a few things and then provides some immunity for companies who “voluntarily” share information. However, as I’ve said in response, in order to understand why it’s a surveillance bill, you have to look more closely at how CISA interacts with other laws and what the intelligence community is currently doing. Unfortunately, this isn’t always easy, because part of what the intelligence community is doing and how they’ve interpreted other laws remains secret. But, as you’ve probably heard, some of that has been leaking out over the past few years.

Back in June, we wrote about Jonathan Mayer’s analysis of another leak story done by Pro Publica and the NY Times, showing that the FBI and the NSA blurred the lines between “terrorism” and “cybercrime” in order to do more warrantless surveillance of people they deemed to be “hackers.” As Mayer noted at the time, this revealed that beyond the kinds of selectors most people believed the FBI and NSA were allowed to search the “upstream” corpus of data on, it could also use “cybersignatures.” And thus, it seemed clear that CISA was about expanding the ability of the FBI and the NSA to get access to more such signatures, in order to more widely do warrantless surveillance on Americans’ communications.

You have to dig a bit deeper into the muck to understand why this is true, and it has to do with another recently revealed tidbit, which is that the NSA and FBI (and CIA, for that matter), frequently make use of backdoor searches of the upstream data — a capability that was approved in 2011. Basically, the rules changed so that the intelligence community could sniff through data that was deemed collected “incidentally.” And that includes basically anything that is picked up in the “upstream” collection of data (tapping internet backbone lines) under Section 702 of the FISA Amendments Act.

Now, Marcy Wheeler has taken this a step further, noting that it looks like Mayer’s analysis may actually have underplayed things. Wheeler’s post is long and detailed, delves deeply into more partially secret things, and tries to read the tea leaves from some previously declassified and leaked documents and programs, but comes to the conclusion that CISA is likely to be the key piece for letting the NSA and FBI warrantlessly spy on Americans after the FISA Court limited that ability a few years ago.

Without going into all the details of Wheeler’s post, the short version is that it’s well established that the NSA used to have a program very similar to the phone dragnet program, but for internet communications. Eventually that was determined to go too far and was shut down. But Wheeler is suggesting that a more narrow version was likely re-authorized later, and CISA is the way to expand it. It appears that the intelligence community was allowed to collect online info, but only to protect its own network. But, with the immunity granted under CISA, the NSA and FBI could effectively hand that power over to AT&T and Verizon, and freely “share” information back and forth with no liability for the telcos (both of which have a long history of proactively helping the NSA).

That is, CISA affirmatively permits private companies to scan, identify, and possess cybersecurity threat information transiting or stored on their systems. It permits private companies to conduct precisely the same kinds of scans the government currently obligates telecoms to do under upstream 702, including data both transiting their systems (which for the telecoms would be transiting their backbone) or stored in its systems (so cloud storage).

Thus, CISA permits the telecoms to do the kinds of scans they currently do for foreign intelligence purposes for cybersecurity purposes in ways that (unlike the upstream 702 usage we know about) would not be required to have a foreign nexus. CISA permits the people currently scanning the backbone to continue to do so, only without consideration of whether the signature has a foreign tie or not. Unlike FISA, CISA permits the government to collect entirely domestic data.

Of course, there’s no requirement that the telecoms scan for every signature the government shares with it and share the results with the government. Though both Verizon and AT&T have a significant chunk of federal business — which just got put out for rebid on a contract that will amount to $50 billion — and they surely would be asked to scan the networks supporting federal traffic for those signatures. But they can do so if they want to. And the telecoms are outspoken supporters of CISA, so we should presume they plan to share promiscuously under this bill.

As Wheeler notes, if this is true, then it actually makes CISA a super powerful surveillance tool for the government for a variety of reasons. First, it’s all “voluntary” between the telcos and the NSA/FBI, so no FISA Court to get in the way. Next, she points out that, while the language of the bill says that Homeland Security will “scrub” private info before sharing it with other agencies, it actually notes that the FBI can “veto” that scrub. And working together, the NSA and FBI can do a lot of damage this way:
CISA, as written, would let FBI and NSA veto any scrub (including of content) at DHS. And incoming data (again, probably including content) would be shared immediately not only with FBI (which has been the vehicle for sharing NSA data broadly) but also Treasury and ODNI, which are both veritable black holes from a due process perspective. And what few protections for US persons are tied to a relevance standard that would be accomplished by virtue of a tie to that selector. Thus, CISA would permit the immediate sharing, with virtually no minimization, of US person content across the government (and from there to private sector and local governments).

As she notes, this makes CISA — as Senator Ron Wyden has been saying for months — not a cybersecurity bill at all, but a vast domestic internet surveillance bill.


Comments on “Reading The Tea Leaves To Understand Why CISA Is A Surveillance Bill”

Anonymous says:

CISA isn’t itself a surveillance bill, but it will be used as one. The problem is that it cements the government’s practice of warrantless mass surveillance by removing the ability to hold 3rd parties accountable for sharing your information with the government.

As pointed out in the article, “Thus, CISA would permit the immediate sharing, with virtually no minimization, of US person content across the government (and from there to private sector and local governments).”

Sure glad that we are so busy pushing for shit like this when even internal documents state that the results don’t justify the mass human rights violations….

tqk says:

Re: Re: Re: DubbleBubble joke compression.

Some dummy who wanted me to tell you it’s a long distance from Japan.

There’s another instance of the same phenomenon (communication compression). You can fit a barely amusing joke with pics into a dubblebubble gum wrapper!

The one I have under a magnet on my fridge also points out fingernails grow four times faster than toenails. For whatever that’s worth.

Anonymous says:

So CISA is basically a domestic internet backbone tapping program which allows private corporations to warrantlessly search and seize the content and metadata of all American citizens’ communications as it flows through all the backbone networks in the United States, without any judicial oversight over which cybersignatures get deployed on the network and searched for. Such as names, phone numbers, email addresses, network signatures, etc.

Google gets crap about scanning the content of people’s personal emails for advertising purposes, yet we’re about to allow all the telecoms to warrantlessly search through the content of American communications and seize that content if it matches one of the billions of cybersignatures deployed and actively searched for on that network.

Who gets to choose these cybersignatures again? Is there any judicial oversight on the deployment of these signatures? Or is it just an unconstitutional free-for-all?

Anonymous says:

So this is the shadow government making its return from the McCarthy era, then again from the Reagan/Bush era, and this is what Obama wants for his “legacy”?

Why don’t I have confidence that centralized data can be kept secure and private?

Why don’t I have confidence that companies allowed to collect data won’t use it for their own purposes?

Why does the FBI, CIA want to recreate the most restrictive regimes on the net in the USA?

Sigh.

tqk says:

Re: Re:

Why does the FBI, CIA want to recreate the most restrictive regimes on the net in the USA?

Why have almost all North American and British based politicians gone whole-hog totalitarian “we need to violate your rights in order to protect you” ever since ca. 2000? How many real terrorist incidents has NorthAm actually suffered? Yet the Constitution is forgotten as soon as it’s sworn to?
