The American Everyman blog has been insisting since 2013 that the Snowden Spectacle would provide cover for passing CISPA, a bill that in its many different unpassed incarnations has been the bête noire of privacy advocates for some time. While I don’t agree with everything the AE blogger, Scott Creighton wrote, he is rare in making this connection and not wrong to. There is no question that the spirit and intended effects of CISPA reside in certain parts of the Freedom Act. It also creates conditions conducive to passing the real thing.
You may recall that CISPA is a bill which, in the ostensible interest of preventing and fending off cyberattacks, creates broad legal exemptions that allow the government to share “cyber threat intelligence” with private companies, and companies to share “cyber threat information” with the government. The ACLU listed these as the main reasons for its opposition to the bill:
- Creates an exception to all privacy laws to allow companies to share our personal information, including internet records and the content of emails, with the government and other companies, for cybersecurity purposes;
- Permits our private information to be shared with any government agency, like the NSA or the Department of Defense ’s Cyber Command;
- Fails to require the protection of Americans’ personally identifiable information (PII), despite repeated statements by the private sector that it doesn’t want or need to share PII;
- Once shared with the government, allows our information to be used for non-cybersecurity “national security” purposes – an overbroad “catch-all” phrase that can mean almost anything;
- Immunizes companies from criminal or civil liability, even after an egregious breach of privacy;
- Fails to implement adequate transparency and oversight mechanisms
Since the Freedom Act says nothing about cybersecurity, it’s not obvious at first glance what could connect it to CISPA. But the overarching objection to CISPA was that cybersecurity was simply a pretext for streamlining collusion on mass surveillance between the government and the private sector generally. This is the concern encapsulated in item 4, that CISPA makes data gathered in the interest of cybersecurity available for precisely the kind of investigations covered by The Patriot Act and its successor, The Freedom Act.
The Freedom Act’s signature feature, the thing we’re all supposed to be thrilled about, mandates the collusion of phone companies at the very least, by making them the retainers of bulk data the NSA will theoretically, in half a years’ time, no longer be allowed to capture and store under its own auspices. The operation will also require collusion of a “Booz-type contractor” that will supplant the NSA as the compiler of all the data from the disparate sources.
It’s fair to see the Freedom Act’s “target” for these searches as analogous to CISPA’s “cybersecurity threat” in terms of how it rationalizes the going-through of private user data, and the amount of user data that can be made available without a warrant, via the nebulously defined “selector” that determines what records a query returns. If there is some constraint that selectors impose on records retrieval that CISPA’s focus on a particular cybersecurity threat doesn’t, it’s not yet obvious.
By the very nature of the investigations covered, and the methods used therein, item 3 in the ACLUs CISPA concerns is also germane to the Freedom Act, which enables government agents to get unredacted records tens of thousands at a time. Personally identifiable information is precisely what this kind of record-searching covered by The Freedom Act is looking for.
Moving on, consider the ACLU’s concerns in item 5 about the immunization of companies against sections 105 and 106 of the Freedom Act, which are the most strikingly CISPA-like elements in the bill. These sections not only immunize “a person” that cooperates in an invasion of privacy in any way from legal consequences, but also compensates them for their assistance, a la PRISM. By compensating entities willing to share private data with the government, The Freedom Act adds an extra incentive for private sector secrecy, cooperation and zeal that CISPA does not.
About similar language in CISPA, the Electronic Frontier Foundation said that the “immunity provisions would override existing privacy laws like the Wiretap Act and the Stored Communications Act.” This certainly makes sense, since immunity from lawsuits and prosecution is clearance to operate above the law. So the ACLU’s objection to CISPA in item 1 above, and EFF’s similar objection, must also apply to The Freedom Act.
The Freedom Act’s language also seems to broaden the scope of immunity beyond CISPA’s limits, by borrowing The Patriot Act’s “any person” which it defines as “any individual, including any officer or employee of the Federal Government, or any group, entity, association, corporation, or foreign power.” Though it’s hard to say for certain, this appears to be broader than CISPA’s “protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider.” Unless I’m misreading, The Freedom Act’s language immunizes any person or entity involved in the unauthorized or illegal use of private records.
CISPA also stipulates that the immunity applies to entities acting “in good faith,” a qualifier that the Patriot Act included also in its much weaker immunization language. It can’t be an accident, then, that The Freedom Act’s immunization language omits any mention of “good faith” entirely, and thereby closes any small openings for lawsuits or prosecution, no matter how recklessly or destructively someone’s privacy has been invaded.
So far, so CISPA-like — and in some respects, actually worse — but the accuracy of the comparison is significantly, though not wholly, contingent on how The Freedom Act stacks up in terms of the “adequate transparency and oversight mechanisms” mentioned in item 5 above. CISPA is entirely separate from FISA. Rather than oversight from a rubber stamping secret court, CISPA requires the Intelligence Community’s Inspector General annually to review and report on the government’s handling and use of information. An amended version of CISPA added in periodic review by the Privacy and Civil Liberties Oversight Board and required senior privacy officials from government agencies to complete annual reviews evaluating effects of CISPA use on privacy.
That the proposed oversight in CISPA consists entirely of Intelligence Community officials filing annual reports and periodic review by a committee that has no authority means there is really no oversight. On paper, The Freedom Act looks much better, by requiring authorization of “selectors” for querying data by the FISA court. However, the FISA court operates in secrecy and has denied only 12 warrants out of 33,943 requests between 1979 and 2012. There is no reason to believe its approval of selectors will be less lenient, and once approved, these selectors can be used repeatedly.
The Freedom Act establishes the involvement of amicus curiae — friends of the court — who can advise the court on certain decisions. However, the use of this option, the person(s) assigned to the role, and the information to which they are privy, are entirely at the court’s discretion. In other words, like the court itself, this measure establishes only the appearance of oversight. The Freedom Act also establishes new reporting requirements, but by most accounts these are so broad as to be meaningless, especially since the bill exempts the FBI from many of them.
In summary, The Freedom Act throws more transparency bones to reformers than CISPA does, but they’re just bones. Hence, the ACLU’s objection to CISPA on this count (item 5) applies to The Freedom Act as well.
So if The Freedom Act is really the love child of The Patriot Act and CISPA, you would expect CISPA advocates to be Freedom Act advocates too. So let’s see, there’s Mike Rogers who wrote CISPA and is among the best friends the NSA has in Congress. Here’s his statement of support. Tech industry titans that supported CISPA, such as Google, Apple, Microsoft, Yahoo and Facebook, strongly endorsed The Freedom Act as well. Emptywheel’s Marcy Wheeler, a Freedom Act critic, noted that, in its communications endorsing the bill, Google uses “modernize” where less candid proponents are using reform. She also noted that the corporate beneficiaries of The Freedom Act’s immunity and payment provisions are keeping rather quiet about their impending benefits.
Unfortunately, the similarity with CISPA breaks down where opposition is concerned. Groups that adamantly opposed CISPA for reasons that, as we have seen, also apply to The Freedom Act, have swallowed the “Important First Step” Kool-Aid, and are now robotically regurgitating it or saying nothing at all. No doubt this owes at least in part to beloved public figures giving a world weary nod to the kind of Orwellian maneuver they built their reputations on excoriating. After two years of insisting that Big Brother is watching us, and vigorously applauding themselves for doing so, they can’t possibly admit that things have actually gotten worse and will continue to do so.
While privacy advocates were savoring the drama of Patriot Act expiration, Rand Paul’s filibuster showboating, and the Freedom Act’s “important first step”, CISPA supporters were maneuvering to resuscitate the real CISPA. This time around it’s called the Cybersecurity Information Sharing Act, CISA (S. 754) and includes all the worst elements of its predecessor. Senate Majority Leader Mitch McConnell announced on June 9 that he would attach this bill to The Defense Authorization bill now on the Senate floor. Fortunately, even supporters of the bill, such as co-author Dianne Feinstein, opposed McConnell’s attempt to short circuit debate today and thwarted it. But CISPA’s supporters aren’t going to stop there, and the Freedom Act’s formalizing and normalizing of private sector collusion in mass surveillance can only help them.