A cyber surveillance bill is currently pending in Congress, the Cyber Information Sharing Act, S.754 (CISA), and President Obama must keep his promise to veto this bill. CISA is inconsistent with the Administrations substantive concerns and then some. CISA: (1) fails to carefully safeguard privacy and civil liberties; (2) fails to preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provides broad scope of liability limitations for companies.
If President Obama fails to keep his word, he actually abandons all Americans, leaving us all and our personal information vulnerable to government abuse. CISA: 1) allows and enables the police to access Americans data without due process; and 2) allows and enables the government to misuse our private data. This bill is bad for all Internet and wifi users – all Americans.
Congress attempts to paint CISA as the savior – the answer to the breach of the Office of Personal Management (OPM) – and other recent government breaches of Americans confidential and personal information. However, mandating companies create backdoors – government hackable encryption – increases the risk of breaches of Americans private and confidential information and makes it vulnerable to other hackers. It’s like leaving the window of your home open, and expecting a criminal to break into your home from the front door and not the window. Basically, you cannot intentionally create a weaker encryption, and expect for hackers not to be able to exploit that weakness to their own benefit. The privacy and civil liberties of all Internet users are in danger.
CISA prescribes broad immunity for companies, vague definitions, and aggressive spying powers. CISA will further encourage discriminatory surveillance practices, because CISA grants the government broad discretion in how to use the information for non-cybersecurity purposes. CISA also contains exemptions from the Freedom of Information Act, which will keep the public in the dark about what information is being collected, shared, or used.
Data collected by national surveillance programs has been used to harass the Arab American community across a wide scope of issues, including immigration and other non-terror and non-national security related incidents. Legal challenges to this data’s admission into evidence have shown to be difficult. CISA is no different, it is cyber surveillance. Law enforcement use of information obtained is not limited to cyber-crimes, but goes far beyond this, and permits use for crimes involving any level of physical force including those that do not involve any threat of death or significant bodily injury.
What is most alarmingly, is that CISA creates another one stop shop for monitoring of all American’s data. The government through CISA authorizes companies to police their consumers personal information, texts, and calls, and share this information instantly with the government. This is real time sharing of “cyber threat indicators” to military and intelligence agencies. The cyber threat indicators shared with any agency would be automatically shared with the NSA—all without requiring companies to strip out personally identifying information. While some may suggest they are only monitoring threats, but that is not accurate. Threats are broadly defined, equating to monitoring of all information.
CISA also authorizes companies to launch vigilante countermeasures against perceived attackers, without any safeguards. Countermeasures include companies being able to hack systems of perceived attackers and potentially shutting down their operating systems or extracting confidential information. As you can imagine this can have an profound affect on an individual or company, who incurs monetary loss from loss of business or consumer trust, or physically cannot operate. This does not help cyber security but actually encourages abuse and may open the door to more breaches of private and confidential information. While on paper CISA prohibits measures that cause “substantial harm,” it is still unclear exactly what constitutes substantial, leaving it up for companies to decide where the line is drawn. Any company that merely does significant (but not “substantial”) harm to innocent people or systems (machines) will not be liable in court.