Tired of CISA, yet? We’re almost done, I promise. For those who can’t get enough, a recap:
- The Problems CISA Solves: ECPA Reform in Disguise
- CISA in Context: Privacy Protections and the Portal
- CISA in Context: The Voluntary Sharing Model and that “Other” Portal
I’ll conclude on two final elements of CISA that merit attention. First, CISA does, in theory, authorize the voluntary sharing of information that was previously prohibited under federal law. And second, the government use provisions are possibly the most important privacy element of the entire bill and warrant a close look. As with the rest of the bill, the functional constraints of AIS are highly relevant to the analysis but do not necessarily solve all potential problems.
New Information Sharing Authorization
In my last post, I noted that CISA appears to authorize a lot of information sharing that is already taking place. Private entities are authorized to share cyber threat indicators and defensive measures “notwithstanding any other provision of law” with other private entities and the government. In part, this language works to sweep away perceived limitations to sharing. It simply is not always clear what kind of sharing is permitted under a complex web of federal law, anti-trust regulations, and contractual obligations. For a sense of how complicated the law is in this realm, take a look at the Table of Contents of the (excellent) practitioners’ guide Cybersecurity: A Practical Guide to the Law of Cyber Risk. There are, without exaggeration, dozens of rules and regulations to consider prior to sharing or receiving cybersecurity information. CISA replaces all these considerations with two questions: (1) Is the sharing conducted for a cybersecurity purpose? (2) Does the information in question qualify as a cyber threat indicator or defensive measure?
By and large, the sharing authorization – paired with robust liability protection – operates as a gentle nudge to companies to share information that the government has long maintained they could and should. But, as with the authorization to monitor, this provision also eliminates elements of positive federal law, for example, parts of the Stored Communications Act.
Under 18 USC § 2702(a)(3), a provider of a remote computing service or an electronic communications service provider is prohibited from voluntarily divulging “a record or other information pertaining to a subscriber or customer” to any governmental entity. This provision does not extend to the content of communications, and exceptions permit voluntarily providing records to the government with customer consent, to protect rights and property of the provider, or in emergencies involving the risk of death or serious physical injury. CISA carves out an additional set of information that may be voluntarily shared with the government, notwithstanding § 2702: cyber threat indicators and defensive measures.
Of course, remote computing service providers and electronic communication service providers must be certain that the information they share falls within the statutory definitions of cyber threat indicators or defensive measures. Those definitions are intended to be comprehensive; the definition of cyber threat indicators includes parts A – G. However, the catch-all provision intended to capture whatever technical elements Congress inadvertently missed – “any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law” – is less useful where there are actual prohibitions. And here remote computing service providers and electronic communication service providers face an obstacle in § 2702 that no one else does. In this regard, the DHS and AG guidelines on appropriate cyber threat indicators will be important, as will the configuration of the AIS portal. Similarly, the guidelines will be critical to fully fleshing out the scope of privacy protections. Recall that entities are obligated to remove both personal information of and personal information identifying an individual not directly related to the cybersecurity threat. Those guidelines will need to answer what kinds of records, though they might not identify an individual, are nonetheless personal information entitled to protection.
Government Use Provisions
Though actual data is limited by both statutory and AIS technical constraints, CISA does permit the government to receive information it was unable to access without a court order before. Consequently, there is heightened concern with what the government is permitted to actually do with the information it receives. The government use provisions must be understood in light of the fundamental tension underlying CISA’s drafting: the need for additional information sharing versus the fear of inadvertently limiting productive sharing that was already occurring. This same tension emerges in the fight over liability protection for sharing with the FBI, the many codified assurances to the private sector, and even in the portal control structure of the executive branch. But the stakes are likely highest – both for the government and privacy advocates – in the realm of government use.
The debate surrounding the government use of information shared through the portal has been hotly contested since information sharing bills were first introduced. Under CISA, government use is limited solely to those purposes included in the statute. Prior to passage, some proponents argued that the government should be permitted to use lawfully shared information for any lawful purpose. Because plenty of information was already being shared without restriction, there was a genuine concern that any other language would function to prohibit types of use that were already taking place. A particular fear centered on the scenario in which a company shared evidence of a serious crime or non-cybersecurity threat through the portal, and law enforcement was rendered powerless to respond.
On the opposite end of the spectrum – though admittedly this spectrum excludes those who think the government should not have or use any cyber information at all – were privacy-minded members of Congress, the executive, and the private sector who favored strictly limiting government use to cybersecurity purposes and the identification of cybersecurity threats or security vulnerabilities.
You might not know it from the tenor of commentary around CISA’s passage, but the scope of government use provisions does, in fact, adopt a middle ground. CISA permits government use of shared information for cybersecurity purposes and a number of specified offenses, but nothing else. The government can use shared information to respond to, prevent, or mitigate specific threats of death or bodily harm, or serious economic harm – to include terrorism or use of WMDs. The government is further permitted to use the information to respond to, prevent, or prosecute serious threats to minors. While there are certainly dissenters, there is relatively broad consensus that the government should be empowered to act on this type of lawfully obtained information regardless of the manner in which it was received.
The inclusion of enumerated offenses, however, is more controversial. Information shared pursuant to the Act can also be used to prevent, investigate, or prosecute the following offenses: 18 USC 1028 (Document Fraud), 18 USC 1029 (Fraud and Trafficking in Access Devices), 18 USC 1030 (the Computer Fraud and Abuse Act), 18 USC 37 (Violence at International Airports), and 18 USC 90 (Protection of Trade Secrets).
Notably, these offenses are those most closely connected to cyber threat indicators and therefore present the highest risk that CISA’s limitations might create a set of newly untouchable information that government had long been able to use. But these laws encompass a broad range of computer crimes, fraud, and economic espionage – most controversially the Computer Fraud and Abuse Act (CFAA). Here the technical constraints of the AIS system cut both ways. On one hand, the scope of cyber threat indicators shared through the portal significantly undercuts claims CISA is a mass surveillance bill. Bluntly stated, the information at issue is not of all that much use for the purposes certain privacy-minded – and conspiracy-minded, for that matter – critics allege. Still, the government presumably anticipates using this information in at least some investigations and prosecutions. And not only does CISA seek to move more information to the government – a specific and limited type of information, but more nonetheless – but it also authorizes at least some amount of new sharing.
But even within the scope of authorized uses, CISA imposes a number of additional constraints. First, though the CFAA is an included offense, under the statute, a cybersecurity threat “does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.” The practice of using terms of service as the exclusive basis for CFAA charges has come under widespread criticism in recent years. This limitation means that a company is not authorized to share a cyber threat indicator that solely indicates a violation of a term of service – for example, evidence a user was sharing a password. The information would have to otherwise qualify as a cyber threat indicator within the definition. Furthermore, an entity is obligated to remove personal information of or identifying an individual not directly related to a cybersecurity threat. That means an entity is required to remove any personal information of or identifying an individual who is solely violating their terms of service, prior to sharing. Coupled with the limitations of the AIS fields, the risk that information shared pursuant to the Act will serve as the basis of controversial CFAA prosecutions is relatively limited.
The government use of information shared pursuant to CISA is limited not only by the express use provisions but also by all “otherwise applicable provisions of Federal law.” Legally speaking, this provision – the language is a congressional favorite – is obvious enough to go without saying. Yes, the government has to comply with the law. Thanks for pointing that out. But it also foot stomps an important point: Whatever the government could not do before, it cannot do now. The government use provisions operate exclusively as a limitation, and in no way expand the government’s authority. Therefore, whatever genuine civil liberties concerns CISA creates must derive from some new set of information that the government otherwise could not or would not obtain.
That question ultimately resolves to which STIX TAXII fields DHS decides to open or shut in the portal. So as CISA moves towards implementation, the portal fields – and the privacy interests at stake in the actual information being shared – are where civil liberties talk should start.