By Donny Shaw
The National Security Agency is sitting on a new surveillance apparatus, awaiting congressional action to help them begin collecting a massive amount of new data on people in the U.S. that they can view and share without a warrant.
According to documents made available to the press by Edward Snowden, in 2012 the Department of Justice secretly approved the NSA to begin using cyber threat indicators as selector terms for conducting “upstream” surveillance, a technique that involves the use of interception equipment to pull information directly from the switches and cables that make up the Internet. It’s likely, however, that the NSA hasn’t had a lot of cyber threat information to work with up to this point; most of that information is held by private companies.
Now it appears that Congress may be ready to help the NSA get the information they need to finally crank up their cybersecurity surveillance system. The Senate this week is expected to take up a bill, the Cyber Information Sharing Act (CISA), that would incentivize companies to liberally share “cyber threat indicators” with the Department of Homeland Security by granting them legal immunity from any surveillance laws when they do so.
The companies would be allowed to leave their users’ personal details in the information they give to the government unless they affirmatively know that it is not directly related to a threat, and the DHS would be required to share all of the information with the NSA and other federal agencies.
But that’s just the beginning of how CISA would massively violate privacy.
Any information shared with the government under CISA could be used to turn on the NSA’s latent cybersecurity surveillance powers. As revealed by the Snowden documents, cyber threat indicators can be used by the NSA as selectors to target the warrantless interception and collection of information from the Internet backbone. These selectors — things like email address, IP addresses, ranges of IP addresses, phone numbers, or strings of computer code — are used as filters to select and extract data from Internet traffic.
Importantly, any “incidental” data that is picked up along the way that is not directly related to the threat, including any and all personal data that is hacked or targeted as part of the cyber threat, can be indefinitely retained by the NSA. This could be a massive amount of data if a threat involves a company like Google, Bank of America, or AT&T.
Section 702 of the FISA Amendments Act, which the government uses to authorize its upstream collection programs, allows the NSA to retain, share, and use information about U.S. persons related to criminal investigations, including (but not limited to) those involving cybersecurity crimes.
The NSA, FBI, and other law enforcement entities are allowed to query the databases that are assembled under Section 702 at will using U.S. persons identifiers (e.g. email addresses and phone numbers of people who live in the U.S.) to access communications that can be used in criminal investigations. This is the warrantless process that has become known as the “backdoor search loophole.” All of this can be done without a warrant under Section 702 because that law was supposed to only be used to investigate foreign suspects.
There’s no way to know exactly how much CISA will expand the NSA’s ability to collect and query data on Americans’ communications, but the leaked documents suggest that the cyber threats shared under CISA will help them add a major new plank to their activities that they have lobbying for for years. The broad legal immunity provisions in CISA should help the NSA get a huge amount information to input into the system from a wide range of data-rich industries, including insurers, banks, casinos, telecoms, hospitals, airlines, and more that have already announced their support for the bill.