The Common Commercial Services OLC Memo and Zombie CISPA

Some time last summer, Ron Wyden wrote Attorney General Holder, asking him (for the second time) to declassify and revoke an OLC opinion pertaining to common commercial service agreements. He said at the time the opinion “ha[d] direct relevance to ongoing congressional debates regarding cybersecurity legislation.”

That request would presumably have been made after President Obama’s April 25, 2012 veto threat of CISPA, but at a time when several proposed Cybersecurity bills, with different information sharing structures, were floating around Congress.

Wyden asked for the declassification and withdrawal of the memo again this January as part of his laundry list of requests in advance of John Brennan’s confirmation. Then, after having been silent about this request for 8 months (at least in public), Wyden asked again on September 26.

It appears that Wyden had intended to ask the question of one of the witnesses at an open Senate Intelligence Committee hearing (perhaps Deputy Attorney General James Cole), but — having had warning of his questions (because he sent them to the witnesses in advance) — Dianne Feinstein and Susan Collins ensured there would not be a second round of questions.

As it happens, Wyden made the request for the memo two days after DiFi told The Hill she was preparing to advance her version of CISPA, and the day after Keith Alexander started calling for cybersecurity legislation again.

In a brief interview with The Hill in the U.S. Capitol on Tuesday, Feinstein said she has prepared a draft bill and plans to move it forward.

The legislation would be the Senate’s counterpart to the Cyber Intelligence Sharing and Protection Act, known as CISPA, which cleared the House in April.

CISPA would remove legal barriers that prevent companies from sharing information with each other and the government about cyber attacks. It would also allow the government to share more information with the private sector.

Since then, Alexander has pitched new cybersecurity legislation in an “interview” with the NYT, admitting he needs to be more open about his places for cybersecurity.

Now, the Executive Branch’s unwillingness to actually share the law as it interprets it with us mere citizens prevents us from understanding precisely what relationship this OLC memo has with proposed cybersecurity legislation — but Wyden made it clear in January that it does have one. But here are some things we might surmise about the memo:

  • The Administration is currently relying on this memo. If it weren’t using it, after all, it wouldn’t need to be revoked. That means that since at least January 14, 2011 (before which date Wyden and Russ Feingold first asked it be revoked), the Administration has had a secret interpretation of law relating in some way to cybersecurity.
  • The interpretation would surprise us. As Wyden notes, “this opinion is inconsistent with the public’s understanding of the law” (he doesn’t say what that law is, but I’ll hazard a guess and say it pertains to information sharing). It’s likely, then, that some form of online provider has been sharing cyber-intelligence with the federal government under some strained interpretation of our privacy protections (and, probably, some kind of Attorney General assurances everything’s cool).

Let’s use the lesson we learned during the FISA Amendments Act where the telecoms were clambering for the legislation and the retroactive immunity, but the Internet companies were grateful for “clarity,” but explicitly opposed to retroactive immunity. When we learned the telecoms had been turning over the Internet companies metadata and content, this all made more sense. The Internet Companies wanted the telecoms to be punished for stealing their data.

In this case, in the first round of CISPA (which had broad immunity protections), Facebook and Microsoft were supporters. But in this go-around (which has still generous but somewhat more limited immunity), the big supporters consist of:

  • Telecoms (AT&T, Verizon; interestingly, Sprint did not sign a letter of support)
  • Broadband and other backbone providers (Boeing, Cisco, Comcast, TimeWarner, USTelecom)
  • Banks and financial transfer
  • Power grid operators and other utilities

Now, who knows with which of these entities the government is already relying on this common commercial services memo, which of our providers we believe have made some assurances to us but in fact they’ve made entirely different ones.

But I will say the presence of the telecoms, again, angling for immunity for information sharing, along with their analogues the broadband providers does raise questions. Especially considering Verizon Exec’s trash talking about consumer-centric Internet companies that don’t prioritize national security.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

After all, the telecoms have a history of willingly cooperating with the government, even if it bypassed the protections offered by Internet companies, even if it violated the law. Have they been joined by big broadband?

Well, DOJ could clear all this up by revoking and releasing the memo. Until they do, though, my wildarsed guess is that those operating the Toobz in the country — the telecom and broadband companies — have already started sharing consumers’ data that a plain reading of the law seemingly wouldn’t permit them to do.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

12 replies
  1. Snoopdido says:

    @joanneleon: If it has SSCI Chair Diane Feinstein’s and HPSCI Chair Mike Roger’s fingerprints on it, you can be sure of the fact that it is not in the best interest of the American public.

    That duo are only interested in the dominance of the National Security State over us peons.

  2. Snoopdido says:

    This is off topic, but I left a comment Emptywheel in your Bandar post. There is apparently much more to the rift between Bandar and the US. The Saudis are cutting off their funding to Yemen as another slap to the US.

    I expect we’ll be seeing more from this spat in the near future. I even wonder whether Bandar will do a Putin on the US. That’s where the Saudis used their “carrot and stick” control of terrorist groups as a threat to Putin’s Sochi Olympic games unless Putin got in line with the Saudi plans to get rid of Assad in Syria.

    Think along those same lines with regard to Yemen and the US.

  3. Frank33 says:

    “This is a matter of national security.”

    Then the authorities must be obeyed. They are God-like and have uttered the sacred words, “National Security”. All you disrespectful peasants, bow before the awesomeness of our secret priests who will smite all enemies. Foreign and domestic, especially domestic enemies.

  4. Snoopdido says:

    @emptywheel: I wasn’t aware of making that assumption, but perhaps I had. LOL!

    Some further thoughts on the Bandar snit:

    I suspect that Bandar is not long for this world. It is one thing to threaten and blackmail the US. It is another to threaten and blackmail the former KGB officer, Vladimir Putin. Doing both is liable to get you killed.

    I suggest that Bandar may want to be real careful what food he eats, the liquids he drinks, the vehicles he travels in, and so on.

  5. orionATL says:

    ah, at last,

    the cable companies can be proud they have been allowed to begin pulling their weight with the rest of corporate america’s communications sector in sanctioning spying on their customers – for a small recompense in the form of less competition and price regulation, i’d guess.

  6. Snoopdido says:

    @emptywheel: No, I’m not making that assumption at all. Rather I’m making the point that Bandar this time may have really gone too far with his public threats against both the US and Russia.

    Particularly with Putin. The idea that Bandar would threaten Putin’s Sochi Olympics with terrorists (that was the implication when he offered to keep them in line if Putin would agree to pushing Assad out in Syria), was way too public and way too blatant a threat.

    Particularly because Putin’s approach to dealing with terrorism is far more ironfisted and intolerant than even the US approach. I can’t see Putin responding to Bandar and the Saudis with anything other that retaliation.

  7. emptywheel says:

    @Snoopdido: It was only public because the parties engaged in mutual leaking of it. But those threats are made all the time in private. We just never hear about it bc we get told myths about who was behind a terrorist attack and why.

    Bandar partly funded the 9/11 attack and may have done worse, and wasn’t even ousted from the country for years afterward. You think these pickyune threats — particularly tied as they are to Syrian rebels we’ve been funding — are gonna get him killed?

    Besides, there are already not-crazy rumors that Putin was trying to off Bandar back in April. This is a nasty world. These men are both survivors.

  8. Nigel says:

    The non legislative NIST cybersecurity framework*:
    http://www.federalnewsradio.com/364/3489337/NISTs-cyber-framework-moves-toward-implementation-stage-
    is also worthy of consideration, particularly the attention is has been getting from guys like this:
    http://www.skatingonstilts.com/skating-on-stilts/2013/10/whos-afraid-of-the-nist-cybersecurity-framework.html
    Now that NIST has released a discussion draft of its preliminary framework, business’s worries are looking a bit overblown. And they’re distracting from a much more serious threat buried in the NIST draft – the stealth imposition of a European-style privacy regime on the U.S. private sector…

    (* required by this executive order:
    http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

  9. Clark Hilldale says:

    According to some accounts, Bandar is reluctant to wipe his ass without first clearing it with the CIA.

    Putin definitely knows this.

    That’s what adds a sinister dimension to the threat that Bandar is rumored to have delivered to Putin over Sochi. Because if Bandar actually made this threat, Putin would have immediately connected it to Bandar’s 30-plus year partnership with the CIA and figured that the US is down with the plan.

    Thus explaining Putin’s hard line on Syria.

    Not to mention the related ramifications of the idea of US/Saudi dealings in Chechnya…

Comments are closed.