Why The New CISA Is So Bad For Privacy

The proposed Cybersecurity Act of 2015, basically wipes out any ability by the FCC or the FTC to make service providers respect user privacy, and instead, is designed to encourage more monitoring of user behavior.

onDecember 18, 2015 at 10:02 AMDecember 20, 2015 at 10:15 AM

We warned earlier this week that Congress was going to make the cybersecurity bill CISA much worse on privacy, and then shove it into the “must pass” omnibus spending bill, and that’s exactly what happened. The 2000+ page bill was only released early yesterday morning and the vote on it is tomorrow, meaning people have been scrambling to figure out what exactly is actually in there. The intelligence community has been using that confusion to push the bill, highlighting a couple of the predictions that didn’t make it into the bill to argue that people against CISA are overstating the problems of the bill. That’s pretty low, even for the intelligence community.

Stanford’s Jennifer Granick has gone through this new zombie CISA, which has technically been renamed “the Cybersecurity Act of 2015,” but which she’s calling OmniCISA and discovered that it’s a complete disaster on the privacy front, basically wiping out any ability by the FCC or the FTC to make service providers respect user privacy, and instead, is designed to encourage more monitoring of user behavior, weakening their privacy. As she notes, after the FCC’s net neutrality rules, there was some concern about a turf war between the FCC and the FTC on who protects consumer privacy rights with regards to internet access providers. To stop people from freaking out over this, the two agencies told people to calm down, because they’re happy to work together to protect privacy, with the FCC handling issues related to privacy as a common carrier, and the FTC handling everything else.

But, as Granick points out, under CISA, so long as ISPs claim that they’re spying on your internet activity for “cybersecurity” purposes (which is defined ridiculously broadly in the bill), then the FCC and FTC are completely blocked from doing anything:

Sponsored

Early Adopters Of Legal AI Gaining Competitive Edge In Marketplace

How to best leverage generative AI as an early adopter with ethical use.

From LexisNexis

This language means that, regardless of what rules the FCC or FTC have now or will have in the future, private companies including ISPs can monitor their systems and access information that flows over those systems for “cybersecurity purposes.”

[….]

It appears that OmniCISA is trying to stake out a category of ISP monitoring that the FCC and FTC can’t touch, regardless of its privacy impact on Americans.

This section of OmniCISA would not only interfere with future privacy regulations, it limits the few privacy rules we currently have.

The Wiretap Act is a provision of law that conditions the ability of telephone companies and Internet Service Providers to monitor the private messages that flow over their networks. The Wiretap Act says that these wire and electronic communications service providers can “intercept, disclose, or use that communication in the normal course of … employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service” (emphasis added). Similarly, ECPA allows providers to access stored information, and then to voluntarily share it for the same reasons. This language allows providers to conduct some monitoring of their systems for security purposes — to keep the system up and running and to protect the provider.

But it appears OmniCISA would waive these provisions of the Wiretap Act and ECPA. Why do that except to expand that ability to monitor for broader “cybersecurity purposes” beyond the legal ability providers already have to intercept communications in order to protect service, rights, or property?

So this bill isn’t just about threat information sharing, it’s about enabling ISP monitoring in ways beyond current law that have not been clearly defined or explained.

And, of course, if you don’t think this will be abused both by the internet access providers and the law enforcement/intelligence communities, you haven’t been paying attention for the past decade or more.

Why The New CISA Is So Bad For Privacy

More Law-Related Stories From Techdirt: