Privacy and Security

Is Your Data Safe from the New Form of Government-Sanctioned Data Collection?

Electronic data can be revealing and intimate. Individuals should be secure and free from unreasonable government searches of their electronic data.

When law enforcement engages in mass surveillance without appropriate judicial oversight, not only does it infringe upon a most sacred civil right, but it also makes citizens distrust the very institutions that are supposed to protect them.

Indiscriminate data collection encroaches upon long-held notions of electronic privacy. Courts have ruled that warrantless bulk data collection programs infringe upon the Fourth Amendment. In the wake of the Snowden disclosures, agencies like the NSA and other government entities claim they are adhering to such decisions and becoming more transparent – that is, “rule bound.”

What this really means is that lawmakers, the NSA and other agencies are renaming existing practices without changing anything.

Rather than discontinue programs violating the Fourth Amendment, legislators rewrite the laws so that government cannot be held liable, while achieving the same outcomes of earlier practices. Once enacted, agencies “codify” these changes and claim transparency. Once codified, these matters will be difficult to litigate in open court. Courts often put faith in the expertise of the statutory controlling agency when terms or provisions are “ambiguous.” As a result, the NSA or other relevant agency will have the final say. Recent legislation, such as the “Cybersecurity Information Sharing Act” (CISA) and the “USA Freedom Act,” shows how the government reworks legislation to achieve its desired objective.

CISA seeks to prevent cybersecurity attacks through the voluntary disclosure of user data by Internet Service Providers, software companies like Microsoft and other entities. Instead of government being in charge of bulk data collection, corporate entities are now encouraged to collect and disclose the information. Upon disclosure, the entities will be immune from Freedom of Information Act (FOIA) requests connected to information sharing.[i] The Patriot Act’s bulk metadata collection program is no longer authorized after November 29.

The USA Freedom Act, passed in June, and CISA are slated to take its place. Similar to past programs, the language of CISA is far-reaching. For example, threat indicators may be “disclosed to, retained by, and used by, any Federal agency or department, component, officer, employee, or agent of the Federal Government consistent with otherwise applicable provisions of Federal law” (emphasis added).[ii] During the Cato Institute’s annual conference on surveillance, Rebecca Richards, the Civil Liberties and Privacy Director for the NSA, revealed a lot about the transition from the Patriot Act to the USA Freedom Act. She said, “[Bulk data collection] is important in the tool belt of the NSA” and the switch to the new program “wasn’t substantial in terms of the administrative hurdles you have to go through.”[iii]

Former NSA Director Hayden has also mocked the recent reforms of electronic surveillance.[iv]

CISA and the USA Freedom Act accomplish the same goal as the Patriot Act but without getting the government’s hands dirty. The legislation merely shifts authority – and the blame – from the government to private entities.

Though participation and disclosure of information are voluntary right now, mandatory disclosure seems inevitable, as with any government program.

In a recent letter to Senators, professors and researchers suggest lawmakers need to use information that helps to identify and prevent cyber-related attacks, as private user data plays no role whatsoever in detecting or preventing cyberattacks. This information includes malware file names, code and hashes, code that communicates with malware, and file path locations.

Rather than protect individuals from cyberattacks, CISA will likely place their privacy at risk and potentially put them in harm’s way. For example, bulk data collection, whether maintained by the government or private companies, can result in false positives. A false positive occurs when an individual is singled out as a potential threat when no such danger exists.

Many individuals are completely unaware their data is being shared. It is one thing for a company to notify an individual that his or her data may be used by the company; it is another for the company voluntarily to share this data with the government or a third-party entity without the individual’s knowledge or consent.

Many providers, technology companies and privacy rights advocates believe CISA is unnecessary. For example, Apple and Dropbox both oppose CISA, with Dropbox stating, “While it’s important for the public and private sector to share relevant data about emerging threats, that type of collaboration should not come at the expense of user’s privacy.”[v] Privacy rights groups like the Electronic Freedom Foundation feel the same way. They call the bill “fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities.”

It is time for the government to engage in true transparency. This is especially important for laws that potentially impact personal privacy. All the American people ask is that the government hold itself accountable to its laws and the people.

Nobody is above the law. Period.

[i] The Cybersecurity Information Sharing Act, S.754, 114th Cong. (2014).

[ii] Ibid. at §105(d)(5)(A).

[iii] Savage, Charlie, Rebecca Richards, and Kurt Opsahl. “Welcome and Introduction and After FREEDOM: A Dialogue on NSA in the Post-Snowden Era.” Lecture, The Second Annual Cato Surveillance Conference, The Cato Institute, Washington D.C., October 21, 2015.

[iv] Froomkin, Daniel. “Hayden Mocks Extent of Post-Snowden Reform: ‘And This Is It After Two Years? Cool!’” June 17, 2015. Accessed November 5, 2015.

[v] Fung, Brian. “Apple and Dropbox Say They Don’t Support a Key Cybersecurity Bill, Days before a Crucial Vote.” Washington Post. October 20, 2015. Accessed October 30, 2015.

In Depth: Privacy and Security

A market environment is essential for future success of the Internet. A consumer and private-sector-driven approach to privacy via self-regulation avoids undue regulatory burden that would threaten a thriving electronic marketplace. The Internet has flourished due in large part to the unregulated environment in which it has developed and grown.
