The unnoticed expansion of domestic surveillance
An advancing cybersecurity bill may further compromise citizens’ privacy
Earlier this week, John Oliver of HBO’s Last Week Tonight presented a compelling piece on the upcoming deadline for the reauthorization of the Patriot Act — the law passed in the wake of the 9/11 attacks which greatly enhanced the government’s powers of surveillance. At the time, the public asked few questions, demanding action for greater security and disregarding the potential cost. Twelve years later, Edward Snowden leaked classified documents from the National Security Agency about the breadth and depth of the NSA’s surveillance programs from that point forward, sparking national and international debate.
Programs such as PRISM for foreign surveillance and domestic wiretapping drew huge outcry. At the time, Brazilian President Dilma Rousseff accused the U.S. on the floor of the United Nations of “a breach of international law and an affront” to national sovereignty. Similar claims were made about domestic programs, especially since their capabilities, let alone their use, were unknown to the vast majority of Americans.
In the two years since the furor, the public has largely forgotten the debate on domestic surveillance. Oliver interviewed Snowden on these matters, trying to draw attention to the impending expiration, and likely subsequent reauthorization, of the Patriot Act on June 1, but June 1 is not the most imminent deadline. We are poised to repeat our mistakes with a bill that critics have already dubbed the “Patriot Act 2.0”: the Cyber Information Sharing Act (CISA) that may be signed into law by May.
In the wake of high-profile security breaches — of Sony Pictures, Anthem, JP Morgan, Home Depot, and Target to name a few — which exposed corporate data, credit card data, and social security numbers, Congress has taken action. In a bill aimed at improving cybersecurity and preventing further data breaches, the Senate Intelligence Committee passed CISA, which will likely be voted on later this month. The bill incentivizes companies to share threat information and offers liability protection to those that do.
The bill is not merely a knee-jerk reaction to a few rare and prominent leaks. According to Netherlands-based security firm Gemalto, in 2014, there were more than 1400 data breaches of companies and government agencies, resulting in over 974 million data records being lost or stolen — an increase of almost 50 percent from 2013. Only 4 percent of the breaches were considered “secure,” in which the records exposed were rendered useless by encryption.
However, when CISA passed the Senate Intelligence Committee on March 13 by a 14-1 vote, only Sen. Ron Wyden, D-Ore., voted against it. In a public statement, he wrote, “If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill — it’s a surveillance bill by another name … It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”
Many individuals and groups echoed his warning. In a letter to Chairman Richard Burr, R-N.C., and Vice Chairman Dianne Feinstein, D-Calif., a coalition of civil liberties groups, security experts, and academics warned that “CISA disregards the fact that information sharing can — and to be truly effective, must — offer both security and robust privacy protections.” Signatories include the ACLU, the Electronic Frontier Foundation, the Brennan Center for Justice, and MIT’s own Prof. Ronald L. Rivest.
The biggest criticisms stem from the bill’s broad definitions and uses of the shared data. Under the bill, the government may retain and use any shared information resulting from cybersecurity threats related to “an imminent threat of death, serious bodily harm, or serious economic harm.” The use of shared data is not limited to any specific agency. Under the Homeland Security Act of 2002, the data would be shared with “all appropriate government agencies,” including the FBI and NSA. The data may be used not only in combating broad threats but also in criminal proceedings. Since companies share all data under the act voluntarily, the data would be accessible without a warrant and without a judge to determine relevance. Lastly, given the liability protections extended to companies that share data, consumer privacy protections from corporations are potentially undermined.
We live in a constantly accelerating world of sensors and networks, where the Internet of Things is becoming more real every day. Not knowing what information about you is being shared and analyzed is disconcerting at best and terrifying at worst. Yet instead of engaging with these pressing issues, the news is inundated with predictions of a presidential contest 19 months away.
Proponents of the legislation note that any data accepted must be stripped of personal information. They also state that only data directly pertinent to cyberattacks can be shared. Regardless of interpretation, the bill has a much better chance of being signed into law than its predecessor last year, the Cyber Intelligence Sharing and Protection Act (CISPA) that was prevented from passage by civil rights organizations. According to ACLU media strategist Rachel Nusbaum, CISA is potentially worse than its forebear; she stated in a blog post that it “fails to limit what the government can do with the vast amount of data to be shared with it under this proposal.”
However, the bipartisan support for CISA in the Senate and the presence of and support for similar House bills — the Protect Cyber Networks Act and the National Cybersecurity Protection Advancement Act — mean that the measure will likely pass Congress. Both House bills are scheduled for the week of April 20, and CISA will likely hit the Senate floor at the same time. Reports this week about a breach of the White House and State Department networks last year are adding even more pressure for cybersecurity and information-sharing legislation. The final version of this bill may well be law by May.
The debate over privacy and security is incredibly complex, especially since those professionals and officials who have the most knowledge to weigh the costs and benefits cannot share that knowledge in the service of national interests. Victories are not announced, while failures are public and quite possibly fatal. The Patriot Act was passed in the shadow cast by 9/11, with the motto “never again” on everyone’s lips for good reason. Yet avoiding this debate due to its complexity or its inherent murkiness is incredibly shortsighted.
Civil rights activists often quote Benjamin Franklin: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” The quote, while accurate in wording, is often taken out of context. Rather than Franklin favoring liberty over safety, he was denouncing a choice presented to him by the colonial governor of Pennsylvania. Franklin sought both liberty and safety, unwilling to trade either.
Security and privacy interests need not be at odds with one another. So rather than waiting a decade until the next Edward Snowden reveals the scale and scope of government surveillance, before the final version of CISA becomes law, we should have this public debate. We should never have stopped.
Keertan Kini is a member of the Class of 2016.