The controversial Cyber Intelligence Sharing and Protection Act (CISPA) just passed the U.S. House, and will now head to the upper Senate chamber for further deliberation.
Rinse and repeat. This isn’t the first time that this has happened, but it still poses a major threat to Fourth Amendment rights, according to civil liberties campaigners.
The Bill was passed 288-127 in favor of the Bill after two days of debate and discussion on the House floor. Only 18 members of the House abstained from the vote.
CISPA will allow private sector firms to search personal and sensitive user data of ordinary U.S. residents to identify “threat information,” which can then be shared with other opt-in firms and the U.S. government — without the need for a court-ordered warrant.
This means a company like Facebook, Twitter, Google, or any other technology or telecoms company, including your cell service provider, would be legally able to hand over vast amounts of data to the U.S. government and its law enforcement — for whatever purpose it deems necessary — and face no legal reprisals.
And despite numerous amendments and changes, there are no requirements that personal data, such as health records or banking information, should be anonymized before sharing it with the government.
It’s hoped that the data can be used in real time to stop cyberattacks in their tracks, or even trace back to the source of the attack. Because cyberattacks nowadays as weapons in the virtual battlefield could lead to all-out war.
The Bill will also amend the National Security Act to allow U.S. intelligence services to hand over classified information to entities and people that do not have security clearance. The idea is that this will be used in order to help companies fight back against and prevent cyberattacks on their systems in the future.
A great deal of controversy has stirred around this Bill. Having amendments passed in a veil of secrecy did not help matters, either.
To make things even more complicated, a new amendment, voted down by lawmakers on Wednesday in the U.S. House, would have allowed U.S. companies to keep their privacy policies intact and their promises valid, including terms of service, legally enforceable in the future.
It means that the many who signed up to such services under terms that promised their data would not be shared with anyone — unless a subpoena or court order was served — would no longer have such rights going forward.
Though it would have weakened CISPA’s overall weight, now it gives additional legal immunity to companies sharing their customer data. Rep. Jared Polis (D-CO), in speaking to ZDNet’s sister site CNET, said that such firms are “completely exonerated from any risk of liability.”
Hello Fourth Amendment, goodbye Fourth Amendment
The key provision of CISPA is that it allows government entities to acquire your data without a warrant, should a private company holding your data hand it over.
The Fourth Amendment of the U.S. Constitution states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
“Upon probable cause.” That means the U.S. government has to seek out data based on evidence and intelligence. But while the U.S. government and its law enforcement agencies, intelligence services, and more than 600 agencies that can use your data cannot force a company to hand over data, it doesn’t mean your data is safe.
The Fourth Amendment does not protect private companies from accessing and data mining your information for its own gain. It only protects against the U.S. government unlawfully accessing your data without a search warrant.
CISPA bridges a gap between the private firms that can access your data for nefarious purposes — they would likely never do this — to the U.S. government.
U.S. firms voluntarily handing data along the one-way street to the U.S. government effectively means the Fourth Amendment doesn’t have to apply; it’s not snooping if it was handed to the government under “cybersecurity” grounds.
By this point, the U.S. government can do just about anything it likes with your data once it’s in its hands, in spite of the Fourth Amendment and notwithstanding lacking a search warrant. The kicker is that this is allowed as long as it’s lawful and pertains to “cybersecurity purposes,” rather than “national security” purposes. But because the language in CISPA is so ill defined, it could be used for many more reasons than were initially considered.
According to privacy and civil liberties group the Electronic Frontier Foundation (EFF), even though the data was passed to the government for reasons pertaining only to “cybersecurity,” it can then be used to investigate other crime, not limited to cybersecurity crime, such as the “criminal exploitation of minor, protecting individuals from death or serious physical injury, or protecting the national security of the United States.”
But it all flows through the U.S. Department of Justice, first and foremost, which can then be disseminated throughout government and its agencies, onto the FBI, the National Security Agency (NSA), Immigration and Customs, and so on. Even the U.S. Department of Agriculture can take on your data and use it against you, should you be fishing without a license.
And because this is done behind the scenes and private companies do not have to tell you that they’ve handed your data to the government, you may never know about it. And private firms are exempt from Freedom of Information (FOI) requests, with such provisions disallowed under CISPA.