Defining Stingray Emergencies … or Not
A couple of weeks ago, ACLU NoCal released more documents on the use of Stingray. While much of the attention focused on the admission that innocent people get sucked up in Stingray usage, I was at least as interested in the definition of an emergency during which a Stingray could be used with retroactive authorization:
I was interested both in the invocation of organized crime (which would implicate drug dealing), but also the suggestion the government would get a Stingray to pursue a hacker under the CFAA. Equally curiously, the definition here leaves out part of the definition of “protected computer” under CFAA, one used in interstate communication.
(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
Does the existing definition of an emergency describe how DOJ has most often used Stingrays to pursue CFAA violations (which of course, as far as we know, have never been noticed to defendants).
Now compare the definition Jason Chaffetz used in his Stingray Privacy Act, a worthwhile bill limiting the use of Stingrays, though this emergency section is the one I and others have most concerns about. Chaffetz doesn’t have anything that explicitly invokes the CFAA definition, and collapses the “threat to national security” and, potentially, the CFAA one into “conspiratorial activities threatening the national security interest.”
(A) such governmental entity reasonably determines an emergency exists that—
(i) involves—
(I) immediate danger of death or serious physical injury to any person;
(II) conspiratorial activities threatening the national security interest; or
(III) conspiratorial activities characteristic of organized crime;
Presumably, requiring conspiratorial activities threatening the national security interest might raise the bar — but would still permit — the use of Stingrays against low level terrorism wannabes. Likewise, while it would likely permit the use of Stingrays against hackers (who are generally treated as counterinteligence threats among NatSec investigators), it might require some conspiracy between hackers.
All that said, there’s a whole lot of flux in what even someone who is often decent on civil liberties like Chaffetz considers a national security threat.
And, of course, in the FISA context, the notion of what might be regarded as an immediate danger of physical injury continues to grow.
These definitions are both far too broad, and far too vague.
“When bad things potentially are afoot”.
There, fixed that for everybody. That’s how it will be interpreted, so saving printing costs might as well be a salutary achievement of the settled text.
I’m not sure I want the government protecting financial institutions (or other businesses) from problems they bring on themselves by ignoring computer security. That’ s poor decision making, and the businesses should own the consequences.
How will the the sheaf of new trade agreements affect how the government can go after just about anyone whose actions could be remotely considered to adversely affect Big Bidness, Big Finance, etc., etc.
WIll the agreements give government and its corporate partners just about carte blanche?
It will probably expand it, but it gets much worse when you couple it with CISA which lets corporations share evidence of IP theft with the govt.