The world’s cyber security experts say that CISA won’t stop cyber attacks, but it will create a gaping loophole for law enforcement agencies from the NSA right down to your local police departmentto access people’s private information without a warrant. Systems like this have chilling effects on our willingness to be ourselves and speak openly on the Internet, which threatens our most basic rights.
Here’s how it works. Companies would be given new authority to monitor their users -- on their own systems as well as those of any other entity -- and then, in order to get immunity from virtually all existing surveillance laws, they would be encouraged to share vaguely defined “cyber threat indicators” with the government. This could be anything from email content, to passwords, IP addresses, or personal information associated with an account. The language of the bill is written to encourage companies to share liberally and include as many personal details as possible.
That information could then be used to further exploit a loophole in surveillance laws that gives the government legal authority for their holy grail -- “upstream” collection of domestic data directly from the cables and switches that make up the Internet.
Thanks to Edwards Snowden, we know that the NSA, FBI, and CIA have already been conducting this type of upstream surveillance on suspected hackers. CISA would give the government tons of new domestic cyber threat indicators to use for their upstream collection of information that passes over the Internet. This means they will be gathering not just data on the alleged threat, but also all of the sensitive data that may have been hacked as part of the threat. So if someone hacks all of Gmail, the hacker doesn’t just get those emails, so does the U.S. government.