I've had a few conversations recently with people on Twitter who claim that CISA
is "not a surveillance bill," claiming that they've read the bill and there's nothing about surveillance in it. It's true that the bill positions itself as nothing more than a "cybersecurity" bill that clarifies a few things and then provides some immunity for companies who "voluntarily" share information. However, as I've said in response, in order to understand why it's a surveillance bill, you have to look more closely at how CISA interacts with other laws and
what the intelligence community is currently doing. Unfortunately, this isn't always easy, because part of what the intelligence community is doing and how they've interpreted other laws remains secret. But, as you've probably heard, some of that has been leaking out over the past few years.
Back in June, we wrote about Jonathan Mayer's analysis
of another leak story done by Pro Publica and the NY Times, showing that the FBI and the NSA blurred the lines
between "terrorism" and "cybercrime" in order to do more warrantless surveillance of people they deemed to be "hackers." As Mayer noted at the time, this revealed that beyond the kinds of selectors most people believed the FBI and NSA were allowed to search the "upstream" corpus of data on, it could also use "cybersignatures." And thus, it seemed clear that CISA was about expanding the ability of the FBI and the NSA to get access to more such signatures, in order to more widely do warrantless surveillance on Americans' communications.
You have to dig a bit deeper into the muck to understand why this
is true, and it has to do with another recently revealed tidbit, which is that the NSA and FBI (and CIA, for that matter), frequently make use of backdoor searches
of the upstream data -- a capability that was approved in 2011. Basically, the rules changed so that the intelligence community could sniff through data that was deemed collected "incidentally." And that includes basically anything that is picked up in the "upstream" collection of data (tapping internet backbone lines) under Section 702 of the FISA Amendments Act.
Now, Marcy Wheeler has taken this a step further, noting that it looks like Mayer's analysis may actually have underplayed things. Wheeler's post is long and detailed, and delves deeply into more partially secret things, and tries to read the tea leaves from some previously declassified and leaked documents and programs, but comes to the conclusion that CISA is likely to be the key piece for letting the NSA and FBI warrantless spy on Americans'
after the FISA Court limited that ability a few years ago.
Without going into all
the details of Wheeler's post, the short version is that it's well established that the NSA used to
have a program very similar to the phone dragnet program, but for internet communications. Eventually that was determined to go too far and was shut down. But Wheeler is suggesting that a more narrow version was likely re-authorized later, and CISA is the way to expand it. It appears that the intelligence community was allowed to collect online info, but only to protect its own network. But, with the immunity granted under CISA, the NSA and FBI could effectively hand that power over to AT&T and Verizon, and freely "share" information back and forth with no liability for the telcos (both of which have a long history of proactively helping the NSA).
That is, CISA affirmatively permits private companies to scan, identify, and possess cybersecurity threat information transiting or stored on their systems. It permits private companies to conduct precisely the same kinds of scans the government currently obligates telecoms to do under upstream 702, including data both transiting their systems (which for the telecoms would be transiting their backbone) or stored in its systems (so cloud storage).
Thus, CISA permits the telecoms to do the kinds of scans they currently do for foreign intelligence purposes for cybersecurity purposes in ways that (unlike the upstream 702 usage we know about) would not be required to have a foreign nexus. CISA permits the people currently scanning the backbone to continue to do so, only without consideration of whether the signature has a foreign tie or not. Unlike FISA, CISA permits the government to collect entirely domestic data.
Of course, there’s no requirement that the telecoms scan for every signature the government shares with it and share the results with the government. Though both Verizon and AT&T have a significant chunk of federal business — which just got put out for rebid on a contract that will amount to $50 billion — and they surely would be asked to scan the networks supporting federal traffic for those signatures. But they can do so if they want to. And the telecoms are outspoken supporters of CISA, so we should presume they plan to share promiscuously under this bill.
As Wheeler notes, if this is true, then it actually makes CISA a super powerful surveillance tool for the government for a variety of reasons. First, it's all "voluntary" between the telcos and the NSA/FBI, so no FISA Court to get in the way. Next, she points out that, while the language of the bill says that Homeland Security will "scrub" private info before sharing it with other agencies, it actually notes that the FBI can "veto" that scrub
. And working together, the NSA and FBI can do a lot of damage this way:
CISA, as written, would let FBI and NSA veto any scrub (including of content) at DHS. And incoming data (again, probably including content) would be shared immediately not only with FBI (which has been the vehicle for sharing NSA data broadly) but also Treasury and ODNI, which are both veritable black holes from a due process perspective. And what few protections for US persons are tied to a relevance standard that would be accomplished by virtue of a tie to that selector. Thus, CISA would permit the immediate sharing, with virtually no minimization, of US person content across the government (and from there to private sector and local governments).
As she notes, this makes CISA -- as Senator Ron Wyden has been saying for months -- not a cybersecurity bill at all, but a vast domestic internet surveillance bill.