The Senate passed the Cybersecurity Information Sharing Act on Oct. 27 with a 74 to 21 vote. The way it is written feels like a digital enhancement of the Patriot Act that was drafted in 2001 after the terrorist attacks that took down the World Trade Center.
Among the many things the Patriot Act was designed for, its articles included the ethics of surveillance and determining who it was acceptable to spy on. Anyone who was a potential threat to the United States government, regardless of citizenship, was subject to having their phones tapped and being spied on without a warrant.
The term terrorism is loosely defined in the Patriot Act, extending to activities that threaten the lives of others and break the laws of the United States. CISA is designed to share “cyber threat indicators” and relevant files between government agencies in order to protect the United States from acts of terrorism and forms of digital harm.
At first, CISA seems innocent enough to protect the citizens of this country, but one of the sections really disturbs me. Section 4 allows private entities, such as a person or a company, to share private information of their own with the government if they see it as a threat. The government is obligated to accept the data in real time because the data is seen as a cyber threat until investigated.
This means that if large companies hold valuable confidential client information, they can reveal it to the government on the suspicion of terrorist activity regardless of validity. The exception to this rule is information that could hurt business competitors.
It seems terribly convenient that companies can just willingly divulge information in their data centers, and I certainly hope this does not transcend a company’s terms of service. Furthermore, this bill can be used in more dastardly ways with wireless sniffing.
Say, if some government suits were at a coffee shop with a public Wi-Fi hot spot, it would be totally legal for them to collect wireless information and packets coming from phones barring direct communication. This is because of a 2012 federal ruling that separated wireless data collection from wiretapping. While it is illegal to decrypt the information without approval from the Department of Justice, the data is still there and available for the government’s convenience.
They could submit this as actionable intelligence because of terrorist rumors of a cyber threat, and it could divulge the private data on our phones, including instant messages, cookies and previous network credentials, to see where citizens have been, as if the smartphone GPS trackers in our pockets weren’t enough.
If the government gives a private entity permission, they could reveal other people’s private information. That could mean the government could potentially have third-party companies acting like digital privateers on the hunt for people’s information.
My concern is that I don’t have to be a corporate official if I want to sit around at Bellevue College and collect wireless data in popular areas, and nobody else needs to be one either. When the Departments of Justice and Homeland Security figure out their plan for implementing a real-time cyber threat response scheme, they can legally take wireless information in huge bytes and there won’t be much we can do to stop them.
I understand the goal of this cybersecurity act is important for the U.S. as it tackles the new age of Internet extremists and digital threats other nations might present, but the sacrifice of privacy for security has extended way too far. The point of passwords and protection for cloud-based accounts will become null and void. Google and Facebook will probably divulge our wallets and browsing histories anyway, so the solutions to the problem are getting more and more polarized. One must either admit defeat and lose their privacy or get off the grid.