August 10, 2020 / by 


Two Intended Consequences CISA Supporters Will Be Responsible For

Tomorrow, the Senate will vote on CISA. It is expected to pass by large margins.

Given that a majority in the Senate is preparing to vote for CISA, I wanted to lay out two intended consequences of CISA, so supporters will know what we will hold them responsible for when these intended consequences prove out:

The government will lose power to crack down on providers who don’t take care of customers’ data. 

As I have laid out, if a company voluntarily shares a cyber indicator with the government, the government cannot use that data to initiate any regulatory action against the company. In the future, then, any Wyndham Hotels or Chrysler that have long ignored known vulnerabilities will be able to avoid FTC lawsuits or NHTSA recalls simply by telling the government about the vulnerability — and continuing to do nothing to protect customers. The bill will even make it less likely customers will otherwise learn about such things (partly through FOIA exemptions, partly by increasing the difficulties of doing security research independent of a company), which would provide them another route — a lawsuit — for holding a company accountable for leaving their data exposed.

So the Senators who vote for CISA tomorrow will be responsible for giving you fewer protections against negligent companies, making it more likely your data will be exposed.

CISA will provide a way around the warrant requirement for domestic collection of content

In 1972, the Supreme Court unanimously held that the government needed a warrant before conducting electronic surveillance for “domestic security” purposes. After some years, Congress set up the FISA court and process, through which the government can obtain warrants — and under FISA Amendments Act, mere certificates — permitting them to spy on US persons, while maintaining some modicum of review both at the warrant stage and (though it never worked in practice) the prosecution stage.

CISA will set up an alternative system for a very broadly defined cyber use, whereby Congress permits corporations to share the fruits of spying on their own customers with the government. Virtually all the protections built into the FISA system — a review by a judge, judicially approved minimization procedures, the requirement to protect US person identities as much as possible, and notice provisions if used for prosecution — will be eliminated here. Corporations will be able to spy on customers and hand over that data under permissive guidelines, giving the government all the benefits of domestic surveillance (again, just for a broadly defined cyber purpose). [See this post for more details on this.]

And make no mistake: the government will be obtaining content, not just metadata. If they didn’t plan on obtaining content, they would not include permission to use CISA-acquired data to prosecute kiddie porn, which after all is always about content (the same is true of IP theft).

Worse, it’s not clear how this abuse of constitutional precedent will be overturned. Without notice to criminal defendants, no one will ever be able to get standing. So SCOTUS will never review the constitutionality of this. By deputizing corporations to spy, the government will have found a way around the Fourth Amendment.

So Senators who vote for CISA tomorrow will be voting to begin to dismantle an imperfect, but nevertheless vastly superior, system designed to uphold the Fourth Amendment.

And note: what Senators will be voting for in exchange for these two intended consequences will be meager. Bill sponsor Richard Burr admitted last week that his earlier claims, that this bill would prevent hacks, was overstated. Now, he only promises this will limit the damage of hacks — though there’s little evidence that’s true either.  So if Senators vote for this bill, they’ll be trading away a lot for very little in terms of security in exchange.

Again, this blog post won’t change the outcome tomorrow. But it should put every Senator preparing to vote for this bad bill on notice that we will hold you responsible for these things.

Post updated with paragraph about how little this bill does to improve cybersecurity.

Copyright © 2018 emptywheel. All rights reserved.
Originally Posted @