Why The New CISA Is So Bad For Privacy

from the it's-a-mess dept

We warned earlier this week that Congress was going to make the cybersecurity bill CISA much worse on privacy, and then shove it into the "must pass" omnibus spending bill, and that's exactly what happened. The 2000+ page bill was only released early yesterday morning and the vote on it is tomorrow, meaning people have been scrambling to figure out what exactly is actually in there. The intelligence community has been using that confusion to push the bill, highlighting a couple of the predictions that didn't make it into the bill to argue that people against CISA are overstating the problems of the bill. That's pretty low, even for the intelligence community.

Stanford's Jennifer Granick has gone through this new zombie CISA, which has technically been renamed "the Cybersecurity Act of 2015" but which she's calling OmniCISA, and found that it's a complete disaster on the privacy front: it basically wipes out any ability of the FCC or the FTC to make service providers respect user privacy, and is instead designed to encourage more monitoring of user behavior, weakening their privacy. As she notes, after the FCC's net neutrality rules, there was some concern about a turf war between the FCC and the FTC over who protects consumer privacy rights with regard to internet access providers. To stop people from freaking out over this, the two agencies told people to calm down, because they were happy to work together to protect privacy, with the FCC handling privacy issues related to common carriers and the FTC handling everything else.

But, as Granick points out, under CISA, so long as ISPs claim that they're spying on your internet activity for "cybersecurity" purposes (which is defined ridiculously broadly in the bill), then the FCC and FTC are completely blocked from doing anything:

This language means that, regardless of what rules the FCC or FTC have now or will have in the future, private companies including ISPs can monitor their systems and access information that flows over those systems for “cybersecurity purposes.”

It appears that OmniCISA is trying to stake out a category of ISP monitoring that the FCC and FTC can’t touch, regardless of its privacy impact on Americans.

This section of OmniCISA would not only interfere with future privacy regulations, it limits the few privacy rules we currently have.

The Wiretap Act is a provision of law that conditions the ability of telephone companies and Internet Service Providers to monitor the private messages that flow over their networks. The Wiretap Act says that these wire and electronic communications service providers can “intercept, disclose, or use that communication in the normal course of … employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service” (emphasis added). Similarly, ECPA allows providers to access stored information, and then to voluntarily share it for the same reasons. This language allows providers to conduct some monitoring of their systems for security purposes — to keep the system up and running and to protect the provider.

But it appears OmniCISA would waive these provisions of the Wiretap Act and ECPA. Why do that except to expand that ability to monitor for broader “cybersecurity purposes” beyond the legal ability providers already have to intercept communications in order to protect service, rights, or property?

So this bill isn’t just about threat information sharing, it’s about enabling ISP monitoring in ways beyond current law that have not been clearly defined or explained.

And, of course, if you don't think this will be abused both by the internet access providers and the law enforcement/intelligence communities, you haven't been paying attention for the past decade or more.

Filed Under: cisa, cybersecurity, fcc, ftc, jennifer granick, privacy, surveillance

Reader Comments


  1. icon (profile), 19 Dec 2015 @ 1:19pm

    The solution ...

    It appears that OmniCISA has cast a net over the internet to catch fish swimming down the tubes from chip to chip.

    It passed without the hype of a regular Bill and the real bill will be borne by the 99% whose privacy is surrendered in order, apparently, to enable 3 letter agencies to, once and for all, prove, beyond a shadow of a doubt, that all "cyber-attacks" are planned using snail mail, post office boxes, and invisible ink.

    SO, the next step is to shut down all mail, courier, carrier and package services -- and to hell with the consequences and/or the cost to the economy.

    The final step is to shut down the internet, because then there can be no cybercrime.

    Yeah, that should do it!

    Mind you, if all electricity generation were to be shut down, then no-one could pump fuel to power their cars with 12 volt power supplies, that could be used to charge their laptops and smartphones.

    Yeah, as a result, the USA staggers to a halt and the terrorists and cybercriminals will have won and the cyberwar will be finally over.
