Remember CISPA? The NSA and PRISM disclosures shed new light on that terrible piece of cyber security legislation

One of the best things to come out of the Snowden affair is the media’s rediscovery of journalism, at least when it comes to the national security state. Not all, of course — many are still serving up E!-style coverage of the missing Snowden, his pole-dancing girlfriend, and whether he is a traitor or patriot or something in between. But others are busy trying to unravel the Gordian knot that binds the industrial surveillance complex to the keepers of our data.

In yesterday’s New York Times, for example, reporter Claire Cain Miller serves up an illustration of how big tech companies like Google and Yahoo find themselves in a no-win situation when the NSA comes a-callin’. In 2008, Yahoo challenged a secret FISA court order to hand over all information about certain foreign users, arguing that it violated Fourth Amendment strictures against unreasonable search and seizure.

Of course Yahoo lost. Because organizations attempting to fight the industrial surveillance complex almost always come up empty. It’s like betting against the house in Vegas: Every small pile of chips you manage to rake in is matched by a mountain of losses.

In that case, the anonymous court called Yahoo’s concerns “overblown.” Per the Times:

“Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse,” the court said, adding that the government’s “efforts to protect national security should not be frustrated by the courts.”

It’s like being ordered to hand a can of gas and a lighter to a guy with a history of arson.
When you object, the judge replies, “He hasn’t burned your house down yet, so there’s no harm.” The time to stop these things is before the house is in cinders, which the FISA court apparently fails to understand.

Bigger than Big Brother

But a far bigger and more chilling story comes to us by way of Michael Riley at Bloomberg, who writes of how “thousands” of companies, including big-name firms like Microsoft and Intel, are secretly sharing information with the spooks. These arrangements are often known only to the CEO and a handful of “cleared” employees, and these “trusted partners” are typically granted immunity from lawsuits that might arise from their sharing that data. Riley writes:

Microsoft Corp. … provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes….

Microsoft … and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

There you have it. If you’ve ever wondered why Microsoft seems to take its sweet time fixing security bugs in its software, this provides a plausible explanation: The spooks weren’t done exploiting them yet. As to whose computers were exploited and which side of the Atlantic and Pacific they resided on, your guess is as good as anyone’s.

All of this is completely legal, by the way. Companies are sharing the data voluntarily, and because it doesn’t include personally identifiable information, not even the kangaroo court known as FISA need be involved.

The CISPA connection

But it does bring the push for CISPA into clearer focus. We’ve been told that the Cyber Intelligence Sharing and Protection Act is a desperately needed piece of legislation to allow companies to share information about cyber attacks with law enforcement. What it really sounds like, though, is an attempt to codify and expand intelligence gathering in the opposite direction — to retroactively justify the secret data sharing that’s already going on and expand it to include personal information.

Who’s the big sponsor behind CISPA? Rep. Mike Rogers (R-Mich.), who happens to be chair of the House Intelligence Committee (an oxymoron if ever there was one) and has surely been secretly briefed on all of this and much more.

Here’s what I wrote about CISPA last April, after it cleared the House by a vote of 288 to 127:

The problem with CISPA is that in its current form it’s still vague and ripe for abuse. It absolves corporations of being responsible for what happens to the data they’ve collected. It allows data sharing with the entire federal government, not just the parts responsible for ensuring our safety. It circumvents other laws designed to limit governmental access to private information. And it can be deployed for a wide range of perceived threats that have nothing to do with attacks on our nation’s infrastructure.

In that it is very much like the Patriot Act, which was allegedly written to combat terrorists but ended up being used primarily against run-of-the-mill drug dealers, money launderers, tree-huggers, and vegetarians (yes, really). Is North Korea a threat to our nation’s infrastructure? Possibly. WikiLeaks, not so much. But to the legislators who came up with CISPA there’s little difference.

None of that has changed. But given the revelations we’ve witnessed over the past week — and no doubt more to come — it should give pause to even staunch supporters of CISPA. Whether it has a similar effect on our government is less clear.