In the last few days, I have laid out how CISA will permit the intelligence community to bypass the rules currently imposing reasonable limits on the sharing of domestic cyberattack information implicating Americans. Currently, any upstream collection comes in through NSA; unlike PRISM data, NSA cannot share raw upstream collection. Thus, any US person data collected via upstream collection must be treated according to minimization procedures that are especially strict for this purpose.
But under CISA, data comes in through DHS and — assuming NSA and FBI veto its data scrub, as they are sure to do — gets circulated immediately to NSA, FBI, Treasury, ODNI, and several other agencies. Unlike under the current regime, FBI and other agencies that can imprison or sanction Americans will get raw data, without US person identifiers “relevant to” the threat indicator (as they will be, by virtue of being collected with them) minimized. Once FBI gets it, the data will be shared promiscuously, because that’s FBI’s job.
Not everyone buys this. But CNN just quoted an anonymous senior intel official confirming my fears.
There’s yet another issue. Jonathan Mayer, a computer scientist and lawyer with expertise on national security, is worried that if a hacker steals a database of Americans’ private information from a company, the NSA gets to keep that.
But a former senior U.S. official told CNNMoney that NSA already grabs stolen data in its mission to protect the United States from hackers. And it has rules in place to minimize the effect on peoples’ privacy.
“Would it give our spy agencies greater visibility? Definitely. That’s the point,” the official said.
Yes. That’s the point. Not only does this confirm that NSA, FBI, Treasury, ODNI, and others will get databases full of content, but given that NSA’s rules will not be applied here (FBI will get the data at the same time as NSA) the rules to protect people’s privacy that are currently in place won’t be in effect.