Why The New CISA Is So Bad For Privacy

from the it's-a-mess dept

We warned earlier this week that Congress was going to make the cybersecurity bill CISA much worse on privacy, and then shove it into the “must pass” omnibus spending bill, and that’s exactly what happened. The 2000+ page bill was only released early yesterday morning and the vote on it is tomorrow, meaning people have been scrambling to figure out what exactly is actually in there. The intelligence community has been using that confusion to push the bill, highlighting a couple of the predictions that didn’t make it into the bill to argue that people against CISA are overstating the problems of the bill. That’s pretty low, even for the intelligence community.

Stanford’s Jennifer Granick has gone through this new zombie CISA, which has technically been renamed “the Cybersecurity Act of 2015,” but which she’s calling OmniCISA and discovered that it’s a complete disaster on the privacy front, basically wiping out any ability by the FCC or the FTC to make service providers respect user privacy, and instead, is designed to encourage more monitoring of user behavior, weakening their privacy. As she notes, after the FCC’s net neutrality rules, there was some concern about a turf war between the FCC and the FTC on who protects consumer privacy rights with regards to internet access providers. To stop people from freaking out over this, the two agencies told people to calm down, because they’re happy to work together to protect privacy, with the FCC handling issues related to privacy as a common carrier, and the FTC handling everything else.

But, as Granick points out, under CISA, so long as ISPs claim that they’re spying on your internet activity for “cybersecurity” purposes (which is defined ridiculously broadly in the bill), then the FCC and FTC are completely blocked from doing anything:

This language means that, regardless of what rules the FCC or FTC have now or will have in the future, private companies including ISPs can monitor their systems and access information that flows over those systems for ?cybersecurity purposes.?


It appears that OmniCISA is trying to stake out a category of ISP monitoring that the FCC and FTC can?t touch, regardless of its privacy impact on Americans.

This section of OmniCISA would not only interfere with future privacy regulations, it limits the few privacy rules we currently have.

The Wiretap Act is a provision of law that conditions the ability of telephone companies and Internet Service Providers to monitor the private messages that flow over their networks. The Wiretap Act says that these wire and electronic communications service providers can ?intercept, disclose, or use that communication in the normal course of ? employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service? (emphasis added). Similarly, ECPA allows providers to access stored information, and then to voluntarily share it for the same reasons. This language allows providers to conduct some monitoring of their systems for security purposes ? to keep the system up and running and to protect the provider.

But it appears OmniCISA would waive these provisions of the Wiretap Act and ECPA. Why do that except to expand that ability to monitor for broader ?cybersecurity purposes? beyond the legal ability providers already have to intercept communications in order to protect service, rights, or property?

So this bill isn?t just about threat information sharing, it?s about enabling ISP monitoring in ways beyond current law that have not been clearly defined or explained.

And, of course, if you don’t think this will be abused both by the internet access providers and the law enforcement/intelligence communities, you haven’t been paying attention for the past decade or more.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Why The New CISA Is So Bad For Privacy”

Subscribe: RSS Leave a comment
jilocasin (profile) says:

Invest in VPN stock now.

I guess it’s time to invest in VPN stock now.

There’s going to be one heck of a bump in VPN use if/when this goes through.

Just picture it;

A creepy cartoon guy (representing ISPs) peeking up under Little Bo Peep’s dress as she surfs Macy’s with a shady gov guy watching over both of them.

A shady cartoon lady, in the guise of an old fashioned phone operator, between your computer and your doctor’s, passing notes to the government.

Cartoon hands coming out of a monitor, uncomfortably caressing a small child who is on the internet stretching back to a questionable person sporting a large and recognizable (pick one; AT&T, Comcast, Verizon, etc.) corporate logo. A grizzled Uncle Sam like character (recovering from a two week binge) grins slyly behind the unfortunate fondler with one hand on it’s shoulder.

New Tag line: VPNs are not just for pirates anymore..

Anonymous Coward says:

I wonder what kind of impact such a bill will have on the transatlantic information sharing?

This smells like a tantrum that will result in a complete meltdown on that issue and thus taking the big cloud-providers into the meatgrinder of geographical isolationism.

Sounds to me like the next president is getting teed up for failure by congress. Either the majorities there really distrust their presidential candidates ability to get elected or they just love to watch any president cringe. (profile) says:

The solution ...

It appears that OmniCISA has cast a net over the internet to catch fish swimming down the tubes from chip to chip.

It passed without the hype of a regular Bill and the real bill will be borne by the 99% whose privacy is surrendered in order, apparently, to enable 3 letter agencies to, once and for all, prove, beyond a shadow of a doubt, that all “cyber-attacks” are planned using snail mail, post office boxes, and invisible ink.

SO, the next step is to shut down all mail, courier, carrier and package services — and to hell with the consequences and/or the cost to the economy.

The final step is to shut down the internet, because then there can be no cybercrime.

Yeah, that should do it!

Mind you, if all electricity generation were to be shut down, then no-one could pump fuel to power their cars with 12 volt power supplies, that could be used to charge their laptops and smartphones.

Yeah, as a result, the USA staggers to a halt and the terrorists and cybercriminals will have won and the cyberwar will be finally over.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...