Late last Friday [18.12.], the US Congress and President Obama signed into law the CISA Surveillance Law using very underhanded methods.
Jan 3, 2016
With it came the loss of numerous protections extremely important to internet privacy. To understand why the CISA surveillance law is bad for email privacy, we will go over some of the main points of the law and how it managed to be passed. Then, we will discuss some of the things we can do about CISA. Despite being law now, there are in fact some ways the CISA surveillance law can be circumvented and online privacy protected.
What is CISA?
CISA stands for Cybersecurity Information Sharing Act, which is a deceptive title used by the sponsors of the law to hide its real purpose. From the name, one would assume that CISA is a cybersecurity law, but in reality, it is a surveillance law. In the past week, Congress has dropped all pretense that this is a cybersecurity law by quietly stripping away the privacy protections that used to be in the law, and expanding how the collected information can be used and shared.
CISA creates a massive legal loophole that allows the NSA to circumvent privacy laws. This means US companies can now share ANY information with the US government, bypassing privacy laws without legal consequences. Furthermore, all of this information is automatically shared with the NSA and there are no restrictions on how the NSA can use this data.
How did CISA get passed?
The CISA surveillance law has been hotly debated for over a year in the US. Privacy groups, some corporations, and hundreds of thousands of private citizens have strongly fought against the law. It was deemed by Congress to be too controversial to pass. In order to get CISA approved, the law’s sponsors turned to very underhanded methods.
First, they attached the law to a completely unrelated budget bill, which is a critical bill that must be passed immediately for the US government to continue to function. Then, they waited until Monday, December 14th, 2015 to release the full text of the budget bill, which contains over 2000 pages, and they buried CISA in near the end on page 1728. Finally, they set the vote to happen on Friday, December 18th, 2015.
This ensured that congressional representatives would have less than a week to read the entire bill and there would not be sufficient time for public debate. Furthermore, by sticking it into a critical budget bill, the law’s sponsors virtually guaranteed that it would be passed. Lastly, to minimize the fallout, the vote was scheduled for the last Friday before Christmas, so that by the time president Obama signed it into law, it would be too late to make it into that day’s news. Just like that, a second Patriot Act has become law without any public outcry. This is how democracy is undermined, and we should be outraged.
CISA doesn’t just impact Americans
CISA is an American law, but unfortunately, it doesn’t only impact Americans. If you use Facebook, Dropbox, Google, or WhatsApp, CISA impacts you. With CISA, US corporations can now hand your data over to the NSA without having to worry about the privacy laws which currently protect your data. This doesn’t matter whether you are a US citizen or a EU citizen, if a US corporation has your data, it can be handed over, under the guise of “cybersecurity”. As a Swiss company, ProtonMail is safe from CISA, your data continues to be protected by Switzerland’s very strong privacy laws. However, on a whole, CISA is very bad news for online privacy.
What we can do about CISA
CISA has now been signed into law by President Obama, which means that practically, there is no way to reverse the law. However, the tricks used by the NSA can also work for us. If we can’t change the law, we can still do our best to circumvent it, and fortunately, there are some ways around CISA.
First, because CISA is an American law, it only applies to American companies. Swiss and EU companies are still protected by stronger European privacy laws which cannot be circumvented by CISA. Thus, one way to work around CISA is to avoid the products of US companies. For example, if we all ditch WhatsApp (owned by Facebook) and instead switch to community software such as Signal, Facebook may think twice before publicly opposing CISA but privately supporting it. Switching your email from Gmail to ProtonMail’s private email service based in Switzerland would be another way. If American companies feel the pressure, they will apply pressure to the US government, which is the only way CISA can be repealed.
Secondly, we can take our business to services which deliver end-to-end encryption. For example, end-to-end encrypted email providers such as ProtonMail cannot actually read your messages, so even if we were a US company, we cannot hand over private emails under the CISA surveillance law, or any other law. CISA teaches us that technology, specifically end-to-end encryption, is the best possible defense for privacy. Encryption algorithms offer protection through mathematical law which always holds true, no matter how many laws the US Congress passes using underhanded methods.
Most importantly, we must remember that as the consumer, the choice is ours, and by making the right choices, we can still beat CISA, even when the politicians let us down (again).