CISPA and Warrant Requirements

Decius
Topic: Miscellaneous 3:05 pm EDT, Apr 20, 2013

I had an interesting conversation with Prof. Orin Kerr on Twitter yesterday. An op-ed at ZDNet proclaimed the passage of CISPA to be the death of the Fourth Amendment. Kerr tweeted that CISPA has nothing to do with the Fourth Amendment, and I countered that laypersons don't understand the difference between Fourth Amendment warrant requirements and statutory warrant requirements. (As a corollary, I also think that laypersons don't understand the difference between Fourth Amendment warrant requirements and statutory requirements for court orders, such as §2703(d) orders.)

Kerr asked what statutory warrant requirements CISPA eliminates. This is a complicated question, and although I attempted to answer via Twitter, I think a blog post would detail the various issues more clearly. I've performed this analysis to the best of my abilities given my knowledge of CISPA and the law. I am not an authoritative source, and in fact I hope that the concerns that I am raising here are completely unwarranted, but I think that they are worth raising.

The primary concern with CISPA is that it allows service providers to disclose cyber threat information to the government notwithstanding any other law. Is this a good idea or not? Because this provision is so broad it is difficult to be sure that one has considered every law that could possibly prohibit such an information disclosure and determined whether or not one agrees that exceptions to each are acceptable.

Statutory warrant requirements (and court order requirements)

One category of statutory requirements for either warrants or court orders that I think CISPA implicates are requirements for compelled access to certain kinds of data that may not be well protected by the Fourth Amendment, such as the requirements created by the Stored Communications Act. There are a variety of similar privacy laws that raise the same concerns, but for the sake of simplicity I'm going to focus this analysis on the SCA.

The SCA's warrant and court order requirements have to do with compelled information disclosure. CISPA does not create a process for the government to compel service providers to disclose information to them. CISPA does allow these service providers to voluntarily disclose any information they find that directly pertains to efforts to commit a computer crime, but the Stored Communications Act already allows service providers to disclose any information pertaining to the commission of any crime, so CISPA does not appear at first blush to create any new voluntary information disclosure power beyond what the SCA already affords.

However, one open question regarding the SCA has to do with the line between voluntary and compelled information disclosure. CISPA potentially leads to a tight coupling between the sharing of threat intelligence by the government, searches performed by service providers based on that information, and subsequent disclosure of search results back to the government. This coupling is tight enough that the service providers could be seen as acting as agents of the government.

The agency standard

The government cannot avoid Fourth Amendment warrant requirements by relying on private entities as agents in this fashion (See, e.g., United States v. Lambert, 771 F.2d 83, 89 (6th Cir. 1985)). It seems logical to me that if the government cannot rely on private agents to avoid a Fourth Amendment warrant requirement, that they cannot rely on private agents to avoid a statutory warrant requirement or a statutory requirement for a court order. However, opinions apparently differ on this question. Prof. Kerr presented this problem as mostly unresolved in a paper titled "A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It." However, in that paper he did provide an example of one court that referred to a government request for voluntary information disclosure from a service provider as "disingenuous" and contravening the intent of Congress.

If one accepts that the agency standard applies to statutory warrant and court order requirements as well as Fourth Amendment warrant requirements, then CISPA would create an exception to it. Under current law, the government is unlikely to create relationships in which they hand pieces of information to service providers and ask them to voluntarily search their networks for those pieces of information and return the search results back. The fruits of this sort of relationship would not be admissible in court, and so it would be unlikely for such a relationship to exist in the first place. In fact, one could argue that Congress has created statutory warrant and court order requirements with the specific intent of discouraging these kinds of relationships. (Freedman v. Am. Online, Inc., 303 F. Supp. 2d 121 (D. Conn. 2004), at 126.)

CISPA is a big move in the opposite direction. It encourages the creation of these relationships in which government intel prompts service provider searches. Presumably the fruits of these transactions could be used in court, because CISPA allows information sharing notwithstanding any other law. Any concern that the SCA's warrant & court order requirements were being bypassed would be eliminated by CISPA's notwithstanding clause. The result is a significant change in terms of the susceptibility of private information to government-prompted warrantless searches.

To many laypersons, the elimination of these warrant and court order requirements constitutes the loss of privacy rights that they associate with the Fourth Amendment, even though they are really the product of Acts of Congress.

The Foreign Intelligence Surveillance Act

In addition to privacy laws like the Stored Communications Act, the other kind of statutory warrant requirement that CISPA implicates is the requirement that warrants be obtained when searches are performed for national security reasons, such as under the Foreign Intelligence Surveillance Act. This is a particularly sensitive area, because where CISPA creates exceptions to FISA, there may not be any underlying Fourth Amendment warrant requirement.

Clearly, attacks on American computer networks by foreign intelligence agencies are activity that would be considered a national security issue, and searches targeting that activity would probably fall within the scope of FISA. However, the tight coupling between government and service providers that CISPA creates would allow the government to use the service providers to search the content of private communications without going through the FISA court. Any argument that the government was using the service providers as agents in order to bypass FISA's warrant requirements would be eliminated by CISPA's notwithstanding clause. The relationship created by CISPA supersedes the requirements created by FISA.

Under CISPA, the NSA would therefore have the ability to spy on the content of Americans' private telecommunications, without a warrant, at least in the context of cybersecurity investigations, as long as the service providers agreed to facilitate that surveillance.

Liability Limitations

Another potential threat to Fourth Amendment rights represented by CISPA is the broad liability protections offered to service providers under the law. CISPA exempts service providers from any criminal liability stemming from decisions made for cyber security purposes stemming from information that the government has shared with them. If not for the "good faith" limitation this would be equivalent to a general warrant. As it stands, it seems unclear exactly what the scope of this limitation is.

Presumably the "good faith" limitation against any act taken with intent to "injure" an individual would prohibit recipients of government threat intelligence from trespassing on other people's property or breaking into other people's computer systems in their zealous efforts to protect their own networks, but that doesn't seem to be clear. Numerous privacy groups have raised the concern that this liability limitation would allow victims of cyber crime to "hack back" in retaliation. Unless those concerns are completely unreasonable, then one must consider a wide array of criminal acts that victims of cyber crime might also engage in under the scope of this liability limitation that would threaten people's personal privacy.

Conclusion

For the past 10 years I've been employed in the design and development of network intrusion prevention systems. I am intimately familiar with how they operate. I am also intimately familiar with the nature of the threats our computer networks face today. I think that, in general, CISPA is well intentioned. The government needs to be sharing more threat intelligence with private industry than it currently is. Private industry should also be able to share information about criminal activity back to the government. However, in doing so it is not clear that it is necessary to create blanket exceptions to privacy laws, and it is not clear that we have a full understanding of all the potential problems that those exceptions could create.



 
 