For immediate release: July 28, 2015



This bill must be rejected by the Senate and President Obama should threaten to veto! Take action here to #StopCISA

Cross-posted from Congressional Dish:

The National Security Agency is sitting on a new surveillance
apparatus, awaiting congressional action to help them begin collecting a
massive amount of new data on people in the U.S. that they can view and
share without a warrant.

According to documents
made available to the press by Edward Snowden, in 2012 the Department
of Justice secretly approved the NSA to begin using cyber threat
indicators as selector terms for conducting “upstream” surveillance, a
technique that involves the use of interception equipment to pull
information directly from the switches and cables that make up the
Internet. It’s likely, however, that the NSA hasn’t had a lot of cyber
threat information to work with up to this point; most of that
information is held by private companies.

Now it appears that Congress may be ready to help the NSA get the
information they need to finally crank up their cybersecurity
surveillance system. The Senate this week is expected to take up a bill,
the Cyber Information Sharing Act
(CISA, formerly known as CISPA), that would incentivize companies to liberally share “cyber
threat indicators” with the Department of Homeland Security by granting
them legal immunity from any surveillance laws when they do so.

The companies would be allowed to leave their users’ personal details
in the information they give to the government unless they
affirmatively know that it is not directly related to a threat, and the
DHS would be required to share all of the information with the NSA and
other federal agencies.

But that’s just the beginning of how CISA would massively violate privacy.

Any information shared with the government under CISA could be used to turn on the NSA’s latent cybersecurity surveillance powers.
As revealed by the Snowden documents, cyber threat indicators can be
used by the NSA as selectors to target the warrantless interception and
collection of information from the Internet backbone. These selectors —
things like email address, IP addresses, ranges of IP addresses, phone
numbers, or strings of computer code — are used as filters to select and
extract data from Internet traffic.

Importantly, any “incidental” data that is picked up along the way
that is not directly related to the threat, including any and all
personal data that is hacked or targeted as part of the cyber threat,
can be indefinitely retained by the NSA. This could be a massive amount
of data if a threat involves a company like Google, Bank of America, or

Section 702
of the FISA Amendments Act, which the government uses to authorize its
upstream collection programs, allows the NSA to retain, share, and use
information about U.S. persons related to criminal investigations,
including (but not limited to) those involving cybersecurity crimes.

The NSA, FBI, and other law enforcement entities are allowed to query
the databases that are assembled under Section 702 at will using U.S.
persons identifiers (e.g. email addresses and phone numbers of people
who live in the U.S.) to access communications that can be used in
criminal investigations. This is the warrantless process that has become
known as the “backdoor search loophole.” All of this can be done
without a warrant under Section 702 because that law  was supposed to
only be used to investigate foreign suspects.

There’s no way to know exactly how much CISA will expand the NSA’s
ability to collect and query data on Americans’ communications, but the
leaked documents suggest that the cyber threats shared under CISA will
help them add a major new plank to their activities that they have
lobbying for for years. The broad legal immunity provisions in CISA
should help the NSA get a huge amount information to input into the
system from a wide range of data-rich industries, including insurers,
banks, casinos, telecoms, hospitals, airlines, and more that have
already announced their support for the bill.