Proposed Info Sharing Legislation Could Worsen NSA Surveillance - lemonlyman87
https://cdt.org/702-info-sharing/

======
rubbingalcohol
CISA is the government's way of writing into law that people have no right to
privacy in any data held by third party service providers. By granting legal
immunity for service providers to share so-called "threat" data—potentially
containing unminimized private customer data—law enforcement agencies are
opening a huge backdoor for uncontrolled warrantless mass surveillance.
Because this surveillance would be done in secret, people would have no legal
basis to challenge what amounts to an end-run around the U.S. Constitution.

Watch in the coming weeks as lawmakers point to the OPM hacks as justification
for spying on everyone's Gmail activity.

~~~
tzs
> By granting legal immunity for service providers to share so-called "threat"
> data—potentially containing unminimized private customer data—law
> enforcement agencies are opening a huge backdoor for uncontrolled
> warrantless mass surveillance

Section 4(d)(2) requires removal of personal information before sharing unless
that personal information is _directly_ related to a cybersecurity threat.

A cybersecurity threat is defined as "an action, not protected by the First
Amendment to the Constitution of the United States, on or through an
information system that may result in an unauthorized effort to adversely
impact the security, availability, confidentiality, or integrity of an
information system or information that is stored on, processed by, or
transiting an information system" and "does not include any action that solely
involves a violation of a consumer term of service or a consumer licensing
agreement".

There is no mass surveillance implied in this.

> Because this surveillance would be done in secret, people would have no
> legal basis to challenge what amounts to an end-run around the U.S.
> Constitution.

The Constitution restricts government from forcing companies to give up
information against their will. Nothing in the Constitution prohibits
companies from voluntarily giving up information, and so nothing you have
cited is in any way an end-run around the Constitution.

~~~
rubbingalcohol
> Section 4(d)(2) requires removal of personal information

Section 4(d)(2) of _what?_ These minimization requirements have been removed
or weakened in the various iterations of CIS(P)A that have appeared and been
defeated year after year. There is currently no bill in front of Congress, so
your citing of a specific provision is questionable. Congress is expected to
take a new version of CISA up in the next few weeks.

> The Constitution restricts government from forcing companies to give up
> information against their will.

Except under Section 702, companies are compelled to hand the information via
secret orders with gag provisions. Fighting these orders is expensive and the
gag orders prevent the companies from openly opposing them.

It _is_ an end-run around the Constitution if the data a company provides
belongs to an individual and is disclosed without a proper warrant, unless you
agree with the statement that "people have no right to privacy in any data
held by third party service providers." Such an attitude ignores the reality
that cloud services have become integrated into people's lives, and ubiquitous
enough that the end-customer should have legal interest and Constitutional
protection in data held by third parties.

~~~
tzs
> Section 4(d)(2) of _what?_

Section 4(d)(2) of the bill that the article you are commenting on is writing
about, S.754, the "Cybersecurity Information Sharing Act of 2015".

~~~
rubbingalcohol
Section 4(d)(2) requires removal of information that a company "knows at the
time of sharing" to be private personal information. That's complete weak
sauce. There is tons of leeway here for the government to demand threat
indicators that could "accidentally" vacuum up private info without anyone
"knowing" about it. And the bill hasn't even gone through committee. If the
past is any indication, the GOP will try to strike it completely.

Anyway, I would appreciate if you could address the other point I raised
because I'm very curious to hear your philosophical thoughts on this subject.

~~~
tzs
I don't see anything in (this version of, anyway) CISA that would let the
government demand threat indicators. If the government wants to come demanding
companies give them information, they have to turn to other laws for that.

On the Constitutional issue:

> It _is_ an end-run around the Constitution if the data a company provides
> belongs to an individual and is disclosed without a proper warrant, unless
> you agree with the statement that "people have no right to privacy in any
> data held by third party service providers."

People have multiple rights to privacy related to such data. Some come from
state law. Some come from federal agencies. Some come from federal
legislation. Some come from the Constitution.

The ones from the Constitution protect against government compelling release
of the data. They don't protect against the providers deciding on their own to
disclose the information to the government (or to the public, or to private
parties). If, for instance, PG&E decided to publish a list of its customers
along with contact information and energy use records, it would not be
violating a Constitutional right to privacy. If the government demanded that
PG&E make and turn over such a list, then we've got a Constitutional issue to
talk about.

In that hypothetical, PG&E would be violating some of those other rights to
privacy that come from state legislation, federal legislation, and agency
rules, and would run into a ton of trouble.

------
deluxelight
Wow, this is a totally uncredited ripoff of some analysis by Stanford Law's
Jonathan Mayer. The image is essentially a remake of one he put together. In
favor of changing the link.

[http://webpolicy.org/2015/06/04/nsa-cybersecurity/](http://webpolicy.org/2015/06/04/nsa-cybersecurity/)

------
wheaties
I'm getting tired of finding out about all these ways in which agencies are
allowed to use data which circumvent the Constitution. I have to wonder
exactly what needs to happen for people to realize this. Then again, you also
have to wonder why our own government is surprised people are using
encrypted-first communication.

------
bediger4000
NSA/FBI surveillance is pretty unpopular - I'm pretty sure that Senator and
Representative offices got a ton of calls about it, otherwise the PATRIOT Act
section 215 wouldn't have sunsetted, it would have gotten a big sloppy wet
rubber stamp. SOPA touched off a big campaign a couple of years ago, CISA gets
nearly unanimous bad reviews.

So, why does the Senate keep trying to crank up this sort of thing? They need
to be a little answerable to their constituency, they need to exhibit a little
leadership in terms of not just blindly following party leadership and
lobbyists.

Is this whole category of law a place where the DoJ has intercepted enough
sketchy conversations that they've got leverage against key Senators and Reps?
That's the only thing I can think of, other than the "intelligence community"
is flat out lying in the secure sessions. Since the "intelligence community"
has a long history of lying, with a lot of recent scandalous reveals, you'd
think that oversight committees would be a lot less willing to just believe.

So, I'm torn. Why does this keep popping up?

~~~
duaneb
> So, I'm torn. Why does this keep popping up?

Constituents may vote, but lobbyists pay the bills.

~~~
rubbingalcohol
All the big tech companies want CISA because it legalizes data sharing
programs like PRISM. To date, they've been forced to do this for years under
Section 702 of FISA, but the whole thing has been in breach of their privacy
agreements with customers.

Remember when EFF sued AT&T for [letting the NSA wiretap their Internet
backbone facilities][1]? Congress killed the lawsuit by retroactively granting
immunity under the FISA Amendments Act.

CISA is just the same thing, but for newer programs like PRISM, and tech
companies want the immunity because they're otherwise being exposed to major
liability.

Personally, I think a better idea would be to reform Section 702 of FISA to
ban programs like PRISM. The government should be required to get a warrant
when they want to look at private data.

[1]: https://en.wikipedia.org/wiki/Room_641A

~~~
MichaelCrawford
For Uncle Sam to get a warrant is just dandy, but that's not going to protect
us from organized crime or the intelligence services of other nations.

We need security that my mother can understand. Dad had a top secret clearance,
so Mom understands why she needs to shred paper documents.

I've had no such luck explaining to her how to maintain her privacy with her
iMac.

------
MichaelCrawford
This is why I use Tor.

Unfortunately many sites do not permit connections from exit nodes. Cloudflare
always requires one to solve a CAPTCHA.

DuckDuckGo, by contrast, provides a hidden service.

I'm planning on providing one too; I wouldn't want the FBI to know who is
reading my articles about C++ memory management.

------
MichaelCrawford
Just now I read in The Columbian that Obama has committed not to spy on the
prime minister of France, after France called for an intelligence code of
ethics in which the allies agree not to spy on each other.

There was no mention of spying on their own citizens.

~~~
shostack
And if someone else spies on the PM of France, and the US happens to get their
hands on that data, then I'll bet they'd argue the US did not spy on them.

