Does CISA Contain a Surveillance Law XSS Attack?

Skeptical concerns about the proposed Cybersecurity Information Sharing Act have, thus far, tended to fall into two main categories: Doubts about efficacy—most actual practitioners seem to think the law’s impact on network security would be marginal at best—and worries about the nature and volume of private data about users being funneled to the government (and intelligence agencies) by companies who opt to participate in the information sharing scheme contemplated by the law.  Precisely because I’m among the skeptics on the question of CISA’s efficacy, my anxiety about its privacy implications has been relatively tempered: Because I doubt it will yield much in the way of demonstrable benefit, I don’t expect the enactment of a liability shield will induce a huge number of companies to suddenly begin piping terabytes of data to the government, which itself has a less than stellar track record on data breaches.

Recently, though, I’ve been mulling over how CISA might interact with other provisions of electronic privacy law—in particular the Foreign Intelligence Surveillance Act—and gotten somewhat more concerned.  In web application security, a “cross-site scripting” attack is a type of exploit wherein a site trusted by users (and, more importantly, the user’s browser) is tricked into serving attacker-supplied script, which the browser runs with that site’s privileges and which can then deliver data to or from a malicious site controlled by the attacker.  It seems to me that a clever Justice Department lawyer might well be able to carry off a legal equivalent—injecting code from CISA into the operating instructions executed by the Foreign Intelligence Surveillance Court.  Here’s how.

Broadly speaking, FISA requires intelligence agencies to obtain a warrant for any form of digital spying that qualifies as “electronic surveillance” under the notoriously complex set of definitions laid out in 50 U.S.C. §1801(f).  Live interception of “wire communications”—which for the moment includes Internet traffic collected in transit from a user’s ISP—counts as “electronic surveillance” so long as one party to the communication is a non-consenting American.  But that’s contingent on the collection involving data “in motion” on a wire operated by a “common carrier.”  Since the FCC reclassified broadband services under Title II of the Communications Act in order to impose net neutrality regulations, that covers at least consumer-facing ISPs. (I wrote about the intersection of “common carrier” rules with FISA for Wired a few years back.)  If court challenges (or legislative action) were to reverse that reclassification, it seems likely the wire communication definition would no longer apply.  Even if the classification stands, the packet-switched nature of the Internet means a communication will typically traverse several networks on its path between your ISP and its ultimate destination, several of which may not qualify as common carriers.  Moreover, once that data is “at rest” on a server rather than moving on a wire, the “wire communication” definition ceases to apply.

Here’s where CISA potentially comes into play.  When Internet communications data is not covered by the “wire” prong of the FISA “electronic surveillance” definition, it will instead typically fall under the fourth catchall prong of the definition, which covers:

the installation or use of an electronic, mechanical, or other surveillance device in the United States for monitoring to acquire information, other than from a wire or radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes.

Critically, if Internet data—assuming it does not qualify as a “wire communication” at the time and place of collection, for any of these reasons—is either obtainable without a warrant for law enforcement purposes or is not data in which users have a reasonable expectation of privacy, it will fall outside the FISA definition of electronic surveillance.  That would also place such data outside the scope of the statutory stipulation that FISA is the “exclusive means” by which electronic surveillance may be conducted for foreign intelligence purposes.  Moreover, at least for communications with an international component, the ordinary domestic electronic surveillance statute contains a loophole exempting foreign intelligence collection by any means that doesn’t qualify as “electronic surveillance.”

Now what happens to the status of Internet communications data if CISA becomes law and many companies are routinely sharing “cyber threat indicators”—potentially including the contents of communications—with the government?  Well, surely any minimally clever DOJ attorney will want to argue that such data is no longer covered by a reasonable expectation of privacy.  After all, the data can lawfully be shared with the government, without a warrant, by the network operator—and even when specific data isn’t being shared, it could be as far as the average user knows.  From there it’s just a short hop to the conclusion that—again assuming the information is not collected “in motion” from an entity “operating as a common carrier”—it now falls wholly outside FISA’s definitions of electronic surveillance and can be acquired without going through FISA’s procedures.

Of potential relevance here is the recent New York Times report that NSA sought—but apparently did not obtain—authorization for bulk collection of cybersecurity threat information under §702 of the FISA Amendments Act (eliminating the need for particularized approval by the Foreign Intelligence Surveillance Court).  There are presumably other means by which NSA can obtain much of that data, but things become considerably simpler if the government can persuade the FISC that (because it is routinely and legally shared with the government) the entire category of “cybersecurity threat” information falls outside the protection of both FISA and the Fourth Amendment.

Which is where my (possibly strained) analogy to cross-site scripting attacks comes in.  Privacy advocates have been worried primarily about how the communications data and metadata shared directly with the government under CISA might be used.  But if an argument along the lines I’ve just sketched persuades the FISC, the implications could be significantly broader: It would potentially free intelligence agencies to independently and warrantlessly collect all data falling into the category of “cybersecurity threat indicators” whether or not that data is actively being shared pursuant to CISA.  In short, NSA and its brethren might obtain access to such data not as a direct consequence of CISA sharing, but because CISA has “injected” an exception into the legal code parsed by the FISC, conveniently giving NSA the access it wanted regardless of whether particular companies are (wittingly) participating in CISA info sharing.

It’s hard to say whether this kind of argument would be accepted by the FISC without knowing more about their relevant precedents.  But I’d be shocked if the Justice Department didn’t at least attempt it. 

About the Author(s)

Julian Sanchez

Senior Fellow at the Cato Institute, contributing Editor for Reason magazine. Member of the editorial board at Just Security. You can follow him on Twitter (@normative).