Anonymous Former Intel Official Confirms: CISA Is about Bypassing NSA Minimization on Upstream Collection

In the last few days, I have laid out how CISA will permit the intelligence community to bypass the rules currently imposing reasonable limits on the sharing of domestic cyberattack information implicating Americans. Currently, any upstream collection comes in through NSA; unlike PRISM data, NSA cannot share raw upstream collection. Thus, any US person data collected via upstream collection must be treated according to minimization procedures that are especially strict for this purpose.

But under CISA, data comes in through DHS and — assuming NSA and FBI veto its data scrub, as they are sure to do — gets circulated immediately to NSA, FBI, Treasury, ODNI, and several other agencies. Unlike under the current regime, FBI and other agencies that can imprison or sanction Americans will get raw data, without US person identifiers “relevant to” the threat indicator (as they will be, by virtue of being collected with them) minimized. Once FBI gets it, the data will be shared promiscuously, because that’s FBI’s job.

Not everyone buys this. But CNN just quoted an anonymous senior intel official confirming my fears.

There’s yet another issue. Jonathan Mayer, a computer scientist and lawyer with expertise on national security, is worried that if a hacker steals a database of Americans’ private information from a company, the NSA gets to keep that.

But a former senior U.S. official told CNNMoney that NSA already grabs stolen data in its mission to protect the United States from hackers. And it has rules in place to minimize the effect on peoples’ privacy.

“Would it give our spy agencies greater visibility? Definitely. That’s the point,” the official said.

Yes. That’s the point. Not only does this confirm that NSA, FBI, Treasury, ODNI, and others will get databases full of content, but given that NSA’s rules will not be applied here (FBI will get the data at the same time as NSA) the rules to protect people’s privacy that are currently in place won’t be in effect.

4 replies
  1. orionATL says:


    this was one nearly impenetrable maze. i wonder if some of the nsa cryptologists designed it :)

    maybe the cisa’s real purpose explains why a modestly computer savvy person like me just could never get a feel for exactly how this act would protect a home depot or a target. it all seemed focused on the retroactive, on reporting.

    question for any interested public official:

    just how would the cisa protect any american corporation or institution right now?

    “well, first we would help build a data base of threat signatures.”

    o.k., how long will that take to become effective?

    “dunno for sure, but we can do it.”

    why can’t american corporations and other private institutions do this for themselves?

    “well, they probably could.”

    how did the chamber of commerce get so deeply involved in a national security issue like this?

    “sorry? audio is bad here. next question”