If you are not familiar with the CISA Bill, please refer to this article.

CISA has been designed to protect businesses from legal liability in cases when they volunteer to hand over intelligence information to the federal government. It means that CISA supersedes the Privacy Act of 1974 and the Electronic Communications Privacy Act of 1986 (ECPA), which establish a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals.

Let’s first consider what the above Acts protect. The Privacy Act essentially requires a public notice of all requests and prohibits disclosure of such information from a system of records without the written consent of the subject individual. The ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, primarily designed to prevent unauthorized government access to private electronic communication. It extended wiretap restrictions from phone calls to include electronic data transmission as well.

In other words, these Acts protect our right to privacy and prohibit unlawful sharing of personal information with other agencies without a court warrant or our written consent. If a business were to share sensitive user data, the customer could sue the company for violating not only privacy laws, but also its Privacy Policy without sufficient grounds.

Because CISA is written broadly enough to allow tech firms to provide access to information that may include, but is not limited to, your text messages, emails and cloud storage files, any private sector company can now freely share any personal information that it feels is related to “cybercrime” without any notice to its customers and never suffer any legal consequences for doing so. This means US-based businesses can now legally violate their Privacy Policy and Terms of Service and regularly provide sensitive user info to the Department of Homeland Security, which can then share it with the DoD, NSA and other entities. In addition to this, there is virtually no transparency or individual accountability.

It’s important to note, however, that CISA applies to US-based companies only. Private companies based in the UK, Europe and Australia are not subject to CISA and are protected by their own privacy laws.

So how can you protect your information from being freely shared between random businesses and government agencies without your consent?

Encrypt your communication with a non-US-based VPN. A VPN creates a secure tunnel between your computer and the Internet and replaces your real IP address with an IP address that belongs to a particular VPN provider. A VPN therefore secures your internet connection so that all incoming and outgoing data is encrypted and protected from third parties who might be spying on you, including your ISP or government. Please refer to the Most Secure VPN guide to select the best VPN provider.

Change search engine. Consider using the StartPage or DuckDuckGo search engines, which do not collect personal data and hence do not track you. If you must use Google, Bing or any other tracking search engine, do not search while you are logged into Gmail/Outlook email accounts, since all your search activities are not only tied to your IP address, but also stored under those “email profiles”. This means that if you regularly search for sex toys, for instance, while you are logged into johnsmith@gmail.com, Google knows that this particular John Smith likes “experimenting with certain activities”.

Change browser preferences. Set your browsers to “Do Not Track Me” mode and use Private Browsing mode as often as you can to prevent tracking cookies from being stored on your device. You can also use third-party software for this purpose or sign up with a VPN provider like ZenMate that offers tracking protection as a part of its VPN subscription.

Change email providers. Ditch Gmail, Outlook, Yahoo and similar email services that are known to have complete access to your email contents in favor of end-to-end encrypted services such as Tutanota or ProtonMail.

Move sensitive info from online storage. Reconsider using cloud storage for sensitive info. Instead, store it on secure hardware that you keep at home, for instance, a hard drive.

Pay with cash. Instead of credit cards and PayPal, consider paying with cash more often, so that your bank doesn’t have full access to your spending habits.

Separate accounts. Have a main phone number and email address for regular use, and a separate phone number and email address for random purchases that you don’t want to be associated with your name.