Cyber Bill Gives Companies Perfect Cover to Gut Your Privacy

Some tech companies are eager to share more of our personal data with the government so long as they don’t have to worry about violating any privacy safeguards. CISA gives companies exactly what they want: ironclad liability protection to share information about any perceived cyber threats with federal agencies. (Photo: Mr. Thinktank/flickr/cc)

By Sandra Fulton

Following several high-profile data breaches — such as those at Sony and the U.S. Office of Personnel Management — Congress is once again feeling the pressure to push “cybersecurity” legislation.

The problem is, the bill they’re laser-focused on is misguided, wouldn’t protect us — and is a huge gift to companies wanting legal cover if and when they choose to violate Americans’ privacy rights.

In March, the Senate Intelligence Committee voted 14–1 in favor of the Cybersecurity Information Sharing Act of 2015 (CISA). The bill, like its infamous predecessor CISPA, would allow companies to share vast amounts of users’ private and personally identifiable data with the government. That information would go straight to the Department of Homeland Security and then on to the NSA.

If CISA passes, companies would be permitted to monitor and then report to the government on vaguely defined “cyber-threat indicators” — a term so broad that it covers actual threats hackers pose to computer systems but also sweeps in information on crimes like carjacking and burglaries. Those are serious offenses to be sure, but they have nothing to do with cybersecurity.

While current law allows companies to monitor their own systems for cyber threats, CISA would take this to the next level. The bill would allow companies that hold huge swaths of our personal data — like health insurers and credit-card companies — to monitor and report online activity “notwithstanding any other provision of law.”

This means that CISA would undermine the strong protections embedded in laws like the Electronic Communications Privacy Act of 1986 and the Privacy Act of 1964 — laws designed to keep the government from spying on our communications.

While posing a serious threat to our privacy online, CISA wouldn’t even guard well against cyber attacks. The bill offers a bad trade-off, to put it mildly.

In April, leading Internet-security technologists wrote to the Senate Intelligence Committee, arguing that Congress didn’t need to create new legal authority to let companies share information designed to help protect their systems from future attacks. As their letter explains:

Waiving privacy rights will not make security sharing better. The more narrowly security practitioners can define these IoCs [indicators of compromise] and the less personal information that is in them, the better… Any bill that allows for and results in significant sharing of personal information could decrease the signal to noise ratio and make IoCs less actionable.

In June 2015, further revelations from whistleblower Edward Snowden showed that much of the activity CISA would authorize has been going on for quite some time. Leaked government slides show that the NSA and the FBI secretly joined forces in 2012 to spy on Internet traffic in pursuit of cybersecurity suspects.

Despite these efforts, cyber attacks have continued to escalate. Yet this bill to immunize companies from liability for sharing our personal data sailed through the Senate Intelligence Committee.

The lone dissenter on that committee, Sen. Ron Wyden, noted that cyber attacks are a “serious problem.” However, Wyden said, “if information-sharing legislation does not include adequate privacy protections, then that’s not a cybersecurity bill — it’s a surveillance bill by another name.”

So who’s behind the massive push to pass CISA? Insurers, credit-card companies, banks, gas and oil giants, and telecom companies have all lined up behind the bill. Keepers of some of our most private and sensitive data — banks like JPMorgan Chase, and health insurers like Anthem and Blue Cross Blue Shield, to name just a few — are lobbying hard for CISA’s passage.

In fact, according to lobby-disclosure reports for the first quarter of 2015, the number of companies lobbying for CISA has just about tripled over the last year. Recent attacks have cost companies billions, not to mention embarrassment.

Stronger cyber “hygiene” would best protect these companies from intrusions and breaches, but that would be costly. Implementing invasive monitoring programs and handing the information off to the government is far preferable if that approach can be sold as a solution to the problem.

In short, these companies are eager to share more of our personal data with the government so long as they don’t have to worry about violating any privacy safeguards. CISA gives companies exactly what they want: ironclad liability protection to share information about any perceived cyber threats with federal agencies.

So while CISA would do little or nothing to improve cybersecurity, it would strengthen the surveillance regime and make our personal information even more vulnerable to government abuse.

Leaders in the Senate, who want to pass CISA before Congress breaks for its August recess, have announced that the bill will be up on their agenda as soon as this week. The Free Press Action Fund is working with our allies to fight back. Please click here to urge your senators to oppose this dangerous bill.

————–

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.

Sandra Fulton is a Legislative Assistant at the ACLU’s Washington Legislative Office working on First Amendment and privacy issues.

Judge: CIA, Pentagon May Still Neither Confirm Nor Deny Records Exist on US Citizens Killed by Drones

A federal judge has ruled the CIA and Defense Department (DOD) do not have to confirm or deny whether they have records on the “factual basis for the killing” of either Samir Khan or Abdulrahman al-Awlaki, who were killed in two separate drone strikes in September and October of 2011.

In the same decision, which contained top secret information and was heavily redacted, Judge Colleen McMahon of the Southern District of New York also ordered the CIA, DOD and Office of Legal Counsel (OLC) to disclose portions of documents with facts about US drone operations already “officially acknowledged.”

These facts include:

(1) US government uses drones for “targeted killings” overseas;

(2) DOD and CIA have an “intelligence interest in the use of drones to carry out targeted killings”;

(3) DOD and CIA have an “operational role in conducting targeted killings”;

(4) information about the legal basis (constitutional, statutory, common law, international law, and treaty law) for engaging in the targeted killings abroad, including specifically the targeted killing of a US national;

(5) US government carried out the “targeted killing” of Anwar al-Awlaki;

(6) FBI was investigating Samir Khan’s involvement in jihad.

The development was the latest in a Freedom of Information Act (FOIA) lawsuit filed by the American Civil Liberties Union in October 2011, which sought documents on the “targeted killings” of Anwar Al-Awlaki, his 16-year-old son, Abdulrahman, and Samir Khan.

Anwar al-Awlaki and Samir Khan were killed in a drone strike in Yemen on September 30, 2011. Weeks later, Abdulrahman was killed in a drone strike in Yemen on October 14.

In April 2014, the Second Circuit Court of Appeals reversed a January 2013 decision by the district court. The government was ordered to release a memo related to the targeted killing of Anwar Al-Awlaki. The memo was released in June. The same appeals court ruling additionally ordered the government to list documents and make a case for why each document should remain secret.

McMahon examined over 100 documents and determined the CIA had to release parts of three documents. The OLC had to release parts of three documents and one full document. None of the documents the DOD was required to submit for review had to be disclosed.

McMahon allowed the government agencies to invoke attorney-client privilege and the deliberative process privilege for a number of the documents, which advocates for reform of FOIA have referred to as the “withhold it because you want to” exemption.

The CIA and Defense Department were permitted to continue to “stand on its Glomar” with respect to information on the drone strikes, which killed Khan and Abdulrahman. This means neither agency has to acknowledge to the ACLU that it has documents related to any decision to target and kill these individuals.

Documents Raise Concerns About Extent of CIA Spying Inside the United States

The American Civil Liberties Union published a batch of documents obtained from the CIA on how it complies with and understands Executive Order 12333, an executive order issued by President Ronald Reagan which mandates the powers and responsibilities of US intelligence agencies. The documents strongly suggest that the agency engages in extensive domestic spying operations that are largely kept secret from the American people.

Many of the 49 documents released are policy briefings on what the CIA can and cannot collect on US persons when conducting spying operations. They largely have to do with the rules that the agency is expected to follow and how the agency goes about complying with them. However, many of the documents are highly censored.

The CIA claims much of the information in the documents involves “classified secret matters or national defense or foreign policy.” It also believes that the National Security Act partly exempts the agency from the Freedom of Information Act, which is why many of the documents have huge chunks of information missing.

What can be gleaned from the documents is that the agency has a secret definition of “monitoring” as it relates to surveillance of US persons that the public is not allowed to know:

[Image: Secret definition of monitoring - CIA]

The definition of “electronic surveillance” with regard to US persons is partially censored too. However, the CIA will let the public know that “electronic surveillance” involves the “acquisition of a non-public communication by electronic means without the consent of any party to the communication or, in the case of a non-electronic communication, without the consent of a person who is visibly present at the place of communication.”

Part of the definition for “unconsented physical searches,” which requires Attorney General approval, is censored.

Details from a “memorandum of understanding” [PDF] between the FBI and CIA provide a glimpse at how the two agencies coordinate spying activities:

[Image: FBI-CIA Coordination]

Another document, “CIA and EO 12333: Overview for the ICIG Boston Review Forum” [PDF], dated June 2013, outlines detailed talking points, which include some details on the loopholes the agency might be able to use to obtain information on US citizens.

The CIA is allowed to “provide specialized equipment and technical knowledge to assist another department or agency in the conduct by that department or agency of lawful and authorized electronic surveillance in the United States.”

Spy Planes: FBI Flew Over 100 Secret Missions Over 30 Cities in Recent Months

The Associated Press reported new details on secret surveillance flights being conducted by the FBI, including how the agency registers aircraft with fake companies to conceal its role.

A recent review conducted by the AP found that over a “recent 30-day period” the FBI flew over 100 flights over 30 cities in 11 states and the District of Columbia.

Most of the missions were with Cessna 182T Skylane aircraft. They were flown over Boston, Chicago, Houston, Phoenix, Seattle and parts of Southern California.

The planes carried video surveillance equipment as well as Stingray surveillance equipment or cell-site simulator gear, which creates a dragnet and enables the FBI to trick cellphones in a given area into providing identification information to agents.

Unlike the agency’s drone fleet, piloted aircraft are not subject to the Justice Department’s policy barring drones from being used to monitor “First Amendment activities,” which may partly explain why the secret flights have been spotted over cities where communities have protested killings by police.

Sam Richards, an independent journalist, first reported that the FBI was flying secret missions over cities with aircraft registered to fake companies.

“The aircraft have been registered to corporations that do not exist, and the purpose of the aerial operations is not known at this time. The flight patterns of the aircraft indicate they are most likely conducting surveillance, much like the controversial aircraft caught flying circles over the city of Baltimore which has seen many protests recently,” Richards reported on May 25.

Richards searched “aircraft registration” in Bristow, Virginia, and found many “three-letter acronym companies.” A few of the aircraft listed were “registered explicitly to the Department of Justice.” He decided the companies had to be fake when his searches for information on the Internet were “fruitless.” He also noticed that the flight patterns—repeated circles around a city—indicated these planes were likely involved in surveillance missions.

Government Seeks ‘Emergency Stay’ of Decision Ordering Release of Thousands of Torture Photos

The United States government requested an “emergency stay” of a federal court decision, which ordered thousands of photographs of detainee abuse and torture in Iraq and Afghanistan to be released.

In March, Judge Alvin Hellerstein of the US District Court of the Southern District of New York was no longer willing to tolerate the government’s secrecy arguments or the government’s refusal to individually review each photo and explain why each photo would pose a national security risk if made public.

The judge immediately issued a temporary stay and gave the government 60 days to file an appeal.

With that 60-day period about to elapse, the government abruptly announced it would appeal on May 15 and filed a motion requesting a stay.

The American Civil Liberties Union, which has pursued the release of records related to detainee treatment and “the death of prisoners in United States custody and abroad after September 11, 2001,” since October 2003, objected in a letter to the Second Circuit Court of Appeals [PDF].

“The government simply does not explain why it could not have made its decision long before the eve of the expiration of the stay granted by the district court,” the ACLU declares. “Its last minute decision to do so is abusive of both the court and counsel and should not be rewarded by the routine grant of this kind of motion which the government expressly seeks.”

Back in August, when Hellerstein ruled that the Secretary of Defense’s certification for keeping the photos secret was “inadequate,” the government was instructed to individually review the photographs and inform the court of why each photograph could not be released. Government attorneys rebuffed his request.

In October and February, the court reminded the government that the Secretary of Defense had to certify each picture “in terms of its likelihood or not to endanger American lives.” It explained again afterward that the government could not certify a mass of photographs as a risk to national security. The government never complied, which led to the judge’s decision in March.

The Protected National Security Documents Act (PNSDA) was passed in October 2009 to amend the Freedom of Information Act. It was the prime measure supported by President Barack Obama to ensure torture photographs remained secret.

The law established that “photographs could be made exempt from disclosure for a three-year certification by the Secretary of Defense to the effect that publication would endanger American lives.” Prime Minister Nouri al-Maliki asked President Barack Obama not to release photographs of detainee abuse, for “fear of the consequences.” Secretary of Defense Robert Gates filed a certification to prevent the release of photographs and the court upheld that certification.

Three years later, Secretary of Defense Leon Panetta renewed the certification, even though US troops had withdrawn and the war in Iraq had been declared over. (Military operations against ISIS were not ongoing at the time.)

The ACLU points out in the letter to the judge, “PNSDA did not strip courts of the power to review the basis for the secretary’s suppression of otherwise public documents.” The Secretary of Defense “must provided some basis to believe that he reviewed each photograph and evaluated its individual risk in advance of certification.”

Only a “sample of photographs” were ever reviewed by the government for this lawsuit, and the ACLU argues an “emergency stay” should not be granted because the government is not likely to succeed in its appeal.

The government maintains in its motion that an “emergency stay” will cause minimal harm to the ACLU. On the other hand, no stay will mean the photographs are released and the “status quo” is destroyed. It will harm the ability of the government to appeal.

“The absence of a stay will cause the disclosure of records that the Secretary of Defense has certified to be exempt from disclosure under the PNSDA, a statute that was enacted by Congress in order to protect U.S. citizens, members of the US Armed Services, and US government employees from harm while overseas,” the government argues.