NSA’s PRISM Program Doesn’t Mean the CISPA Fight Was in Vain

Image via Madison Guy/Flickr

Given this whole the NSA-is-looking-at-basically-everything-on-the-Internet-news, it’s easy to look at the whole fight you guys waged over CISPA as a giant waste of time. But, according to privacy experts, knocking CISPA out (at least for now) might have been well worth it.

Here’s a quick recap if you’re getting caught up: PRISM is a newly-discovered FBI / NSA program that, according to the Washington Post, allows the government to “directly tap into the servers” of nine Internet companies, grabbing photos, e-mails, chats, and more from Google, Yahoo, Facebook, Microsoft, Apple, and a few others. It operates based on authority granted through the Foreign Intelligence Surveillance Act (FISA), a 1978 law that allows the government to wiretap basically whatever it wants as long as at least one of those people is a “foreign power” or an “agent of foreign power.” A set of amendment rushed through Congress in 2008 greatly expanded its powers. Theoretically, federal agents are only allowed to grab data under PRISM if they are “51 percent sure” of a target’s “foreignness.” 

If that sounds broad and flimsy, that’s because it is, but at least it’s something. That lack of authority to grab things if a target is an American is built into FISA, but it’s not built into CISPA, which would allow Internet companies to pass personal information to the government in exchange for classified “cyber threat information.” 

We still don’t know much about the inner workings of PRISM, and Rainey Reitman, activism director for the Electronic Frontier Foundation said it’s too early to say whether the NSA has been taking data Mike Rogers wants from CISPA or not.

“We’re still learning about these programs and right now there’s just not enough information to say” what types of data PRISM is harvesting, Reitman told me. 

While the two pieces of legislation are different, the powers granted in FISA should serve as a warning to lawmakers—who by most accounts passed the 2008 amendments without understanding them—not to pass cybersecurity legislation without narrowly-worded limitations.

“With both [CISPA and FISA], it’s the government monitoring the Internet. These programs are looking at expanding government powers,” said Amie Stepanovich, director of the Electronic Privacy Information Center’s Domestic Surveillance Project. “The parallel is there was a kind of non-debate when we had FISA amendments passed, Congress rushed it out the door. This underscores the need to look at the provisions we’re building into CISPA. If anything akin to CISPA goes through we’re not going to want to look up seven years down the road and find similar abuses.”

That means it’s probably a good thing CISPA didn’t fly through Congress and appears dead for the time being. Lawmakers on both sides of the aisle still want to do something to help companies out with cybersecurity, and West Virginia Sen. Jay Rockefeller, who heads the Senate Committee on Commerce, Science, and Transportation has indicated that they may try to pass cybersecurity legislation through piecemeal. 

Even if these recent reports make it sound like the NSA is taking all they want (and they very well might be), FISA at least suggests they probably shouldn’t be monitoring the e-mails you send to your grandma. 

The way CISPA was worded when it passed the House of Representatives earlier this year, ACLU legislative counsel Michelle Richardson says, likely could have been interpreted to mean your inane e-mails are fair game.

“It’s not clear what the authority is. In the FISA context, they believed all of these phone records were  relevant to terrorism. I think it’s a certainty that all Internet records are relevant in a cybersecurity investigation, and the way CISPA was drafted, it was very broad,” she said. “It had generic categories about things considered a cyber threat and asked companies to turn over information that pertains to those threats.”

So basically, keep fighting the good fight, even if these recent reports are pretty discouraging.