moving-the-goal-post

Any political victory is only a temporary victory. At some future point the victory you achieved will be undone. The Cybersecurity Information Sharing Act (CISA) is just the latest example of this. If you go through the history of the bill you will see it was introduced and shut down several times:

The Cybersecurity Information Sharing Act was introduced on July 10, 2014 during the 113th Congress, and was able to pass the Senate Intelligence Committee by a vote of 12-3. The bill did not reach a full Senate vote before the end of the congressional session.

The bill was reintroduced for the 114th Congress on March 12, 2015, and the bill passed the Senate Intelligence Committee by a vote of 14-1. Senate Majority Leader Mitch McConnell (R-Ky) attempted to attach the bill as an amendment to the annual National Defense Authorization Act, but was blocked 56-40, not reaching the necessary 60 votes to include the amendment. Mitch McConnell hoped to bring the bill to a Senate-wide vote during the week of August 3–7, but was unable to take up the bill before the summer recess. The Senate tentatively agreed to limit debate to 21 particular amendments and a manager’s amendment, but did not set time limits on debate. In October 2015, the US Senate took the bill back up following legislation concerning sanctuary cities.

If at first you don’t succeed, try, try again. This time the politicians attached CISA to the budget, which as we all know is a must-pass bill:

Congress on Friday adopted a $1.15 trillion spending package that included a controversial cybersecurity measure that only passed because it was slipped into the US government’s budget legislation.

House Speaker Paul Ryan, a Republican of Wisconsin, inserted the Cybersecurity Information Sharing Act (CISA) into the Omnibus Appropriations Bill—which includes some $620 billion in tax breaks for business and low-income wage earners. Ryan’s move was a bid to prevent lawmakers from putting a procedural hold on the CISA bill and block it from a vote. Because CISA was tucked into the government’s overall spending package on Wednesday, it had to pass or the government likely would have had to cease operating next week.

Sen. Ron Wyden, a Democrat of Oregon, said the CISA measure, which backers say is designed to help prevent cyber threats, got even worse after it was slipped into the 2,000-page budget deal (PDF, page 1,728). He voted against the spending plan.

All those hours invested in the political process to fight CISA were instantly rendered meaningless with the passage of this bill. However, the bill can be rendered toothless. CISA removes any potential liability from private companies that share customer data with federal agencies. So long as private companies don’t have actionable information to share, the provisions outlined in CISA are inconsequential. As with most privacy-related issues, effective cryptography is the biggest key. Tools like Off-the-Record (OTR) messaging, OTR’s successor Multi-End Message and Object Encryption (OMEMO), Pretty Good Privacy (PGP), Transport Layer Security (TLS), Tor, and other cryptographic tools designed to keep data private and/or anonymous can go a long way toward preventing private companies from having any usable data to give to federal agencies.

In addition to effective cryptography, it’s also important to encourage businesses not to cooperate with federal agencies. The best way to do this is to buy products and services from companies that have fought attempts by federal agencies to acquire customer information and that utilize cryptographic tools that prevent the companies themselves from viewing customer data. As consumers, we must make it clear that quislings will not be rewarded while those who stand with us will be.

Effective cryptography, unlike politics, offers a permanent solution to the surveillance problem. It’s wiser, in my opinion, to invest the time you’d otherwise waste with politics in learning how to properly utilize tools that protect your privacy. While your political victories may be undone, nobody can take your knowledge from you.

What cryptographic tools are you utilizing in your daily travels?