How Big Business Is Helping Expand NSA Surveillance, Snowden Be Damned

la-fg-russia-edward-snowden-20150304-001

Since November 11, 2011, with the introduction of the Cyber Intelligence Sharing and Protection Act, American spy agencies have been pushing laws to encourage corporations to share more customer information. They repeatedly failed, thanks in part to NSA contractor Edward Snowden’s revelations of mass government surveillance. Then came Republican victories in last year’s midterm Congressional elections and a major push by corporate interests in favor of the legislation.

Today, the bill is back, largely unchanged, and if congressional insiders and the bill’s sponsors are to believed, the legislation could end up on President Obama’s desk as soon as this month. In another boon to the legislation, Obama is expected to reverse his past opposition and sign it, albeit in an amended and renamed form (CISPA is now CISA, the “Cybersecurity Information Sharing Act”). The reversal comes in the wake of high-profile hacks on JPMorgan Chase and Sony Pictures Entertainment. The bill has also benefitted greatly from lobbying by big business, which sees it as a way to cut costs and to shift some anti-hacking defenses onto the government.

For all its appeal to corporations, CISA represents a major new privacy threat to individual citizens. It lays the groundwork for corporations to feed massive amounts of communications to  private consortiums and the federal government, a scale of cooperation even greater than that revealed by Snowden. The law also breaks new ground in suppressing pushback against privacy invasions; in exchange for channeling data to the government, businesses are granted broad legal immunity from privacy lawsuits — potentially leaving consumers without protection if companies break privacy promises that would otherwise keep information out of the hands of authorities.

Ostensibly, CISA is supposed to help businesses guard against cyber attacks by sharing information on threats with one another and with the government. Attempts must be made to filter personal information out of the pool of data that is shared. But the legislation — at least as marked up by the Senate Intelligence Committee — provides an expansive definition of what can be construed as a cyber security threat, including any information for responding to or mitigating “an imminent threat of death, serious bodily harm, or serious economic harm,” or that is potentially related to threats relating to weapons of mass destruction, threats to minors, identity theft, espionage, protection of trade secrets, and other possible offenses. Asked at a hearing in February how quickly such information could be shared with the FBI, CIA, or NSA, Deputy Undersecretary for Cybersecurity Phyllis Schneck replied, “fractions of a second.”

Questions persist on how to more narrowly define a cyber security threat, what type of personal data is shared, and which government agencies would retain and store this data. Sen. Ron Wyden, D-Ore., who cast the lone dissenting vote against CISA on the Senate Intelligence Committee, declared the legislation “a surveillance bill by another name.” Privacy advocates agree. “The lack of use limitations creates yet another loophole for law enforcement to conduct..

Read more