The first time. And maybe the second time. And maybe even the third time. But after a while we're going to start to get numb to the calls-to-arms. And eventually our sometimes-well-intentioned-but-pulled-in-30-directions representatives are going to stop getting those concerned phone calls and emails from constituents, and they're going to fall prey to the typical "think of the children" argument that often gets put forward on any security bill, and something ugly is going to get passed.
I hate resigning myself to this, but it's the disappointing reality.
What to do?
This isn't about spying on Americans. This isn't SOPA with a new name. This isn't about stopping piracy or spying on your Facebook profile. This bill is about letting government agencies share intelligence on network threats with private companies so those companies can protect their customers' information. None of the agencies or companies involved want to share any private information about their citizens or customers. There are lots of lawyers involved in the process to ensure that doesn't happen.
I wonder if some of that exhaustion is also what leads people to not read the bill or understand the context and just assume it's another anti-piracy bill.
"None of the agencies or companies involved want to share any private information about their citizens or customers." The telcos have monetized their lawful intercept programs and receive bad publicity protection from the government by being legally entitled to keep it a secret. They now have a profit motive and the risk of bad publicity is low. And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.
If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath. So if you want to blame somebody for the confusion start with the people proposing this legislation.
I'm not sure why you think the very smart lawyers and legislative counsel at the ACLU, the ALA, etc. are incapable of reaching their own conclusions about the relative merits of legislation.
I hope you're right that CISPA isn't about spying on Americans. The problem is that, as written, it allows precisely that, with the cooperation of the same companies that have opened their networks to the FedGov in the past. If the wildcard language trumping all state and federal privacy laws were deleted, I think a lot of the (informed) opposition would vanish.
BTW, there were "lots of lawyers involved in the process" of creating SOPA. Look how that turned out. I'd be far more comforted if we had fewer lawyers and more technologists involved. :)
More: http://news.cnet.com/8301-31921_3-57422693-281/ and http://news.cnet.com/8301-13578_3-57574196-38/
In addition, environmental type people are not reflexively opposed to/afraid of the federal government, so they are willing to educate themselves about the process and the issue. They learn to distinguish between issues, and when a threat is real vs. perceived.
In comparison the Internet enthusiast community seems to largely persist in the fantasy that the government should not (or cannot) have a role in the regulation of the Internet. Thus when issues do come up, they are ignorant and reactive. And they are eager for issues to go away so that they can go back to "normal" i.e. ignoring the government.
In fact, I doubt even that will stop these kinds of laws from being introduced. However, it will give a firm and easy foothold to dismissing them. Similarly, it will become that much easier to retroactively have them removed if they violate an amendment.
The exact text of this kind of amendment would be difficult to craft; frankly, I'm not a lawyer, and I have no idea where or how to start crafting this. However, I do fully believe this is the ultimate winning endgame for this kind of legislation.
We need a "legal hacker" a la Richard Stallman to craft something like this.
SOPA was a genuinely invasive bill and a clear power grab by the content industry. It created a new special second-class "tainted" designation for content sites that refused to play ball with rightsholders and gave rightsholders new means to prosecute their rights outside of civil courts. It was understandable and --- even though I'm a supporter of copyright in general --- commendable that organized opposition to SOPA killed that bill outright.
CISPA is nothing like SOPA.
To begin with, CISPA has none of the same objectives of SOPA. It isn't about the content industry at all. In fact, when early opposition to CISPA by organizations like EFF started catching on, its sponsors scrubbed the bill of language that could have been read (in a stretch) as protecting rightsholders. CISPA is about online security attacks, not about piracy.
Next, CISPA isn't invasive. SOPA threatened to create a kangaroo court system of copyright-noncompliant sites that the content industry could starve by banning commercial transactions with them. CISPA is an opt-in bill; the USG cannot compel any organization to cooperate with any USG agency, but instead creates a facility that companies can use if they need to share attack information but don't want to spend $100,000 in ECPA-interpreting legal review each time they do it.
In fact, CISPA in practice probably has more to do with information moving FROM the USG TO private companies. The USG spends hundreds of millions of dollars a year monitoring its networks (which together constitute the largest IT organization in the world). It is true that the largest IT org in the world happens to be a shitty IT shop, but it has nevertheless built up about a decade of experience tracking malware and botnets and DOS attack information; when Blaster broke out, the experience of the Navy Marine Corps Intranet getting overrun by it was some of the first shared among ISPs. All sorts of random rules prevent USG IT shops from running any kind of central clearinghouse of attack information, and still more rules prevent any of that information from being published.
I don't particularly like CISPA. It obviously sounds like I do, but that's because the uninformed paranoia about CISPA is so virulent that any measured take on the bill sounds like cheerleading. I don't care whether CISPA passes or doesn't pass. But it drives me a little bananas to see how easily the ostensibly curious and well-informed people on HN are bamboozled by identity politics on issues like this.
It's a tiny bill, as bills go. Just go read it.
I have yet to hear a good argument for why we need CISPA to override all federal and state privacy laws, including laws restricting what companies can turn over to the government in the absence of legal process. In programmerese, CISPA is a wildcard approach -- an "rm -rf *" -- when you haven't done an "ls" to see what's in the directory first. Perhaps one or two need to be overridden for good reason, but why not specify them instead of using a wildcard?
Here are some details: http://news.cnet.com/8301-31921_3-57422693-281/

> What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so. By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.") "Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."
It doesn't matter what the objectives are, or whether or not the intention is to protect rights holders. It matters what the law actually allows as written. That's what we take issue with.
And yes, I have read the entire thing.
Perhaps I'll be "throwing my vote away". Nonetheless, next time around, I'll be choosing from amongst the other choices.
For the Federal elections, it's early enough in the cycle that if people start doing this en masse, it might have some real influence.
http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...
I'm envisioning a web dashboard that lets federal agents do fuzzy queries on individuals, to see all the sites visited, emails sent, web searches, browsing habits, etc, from all the IP addresses used by the given individual in the past several years. The system would aggregate information gathered from ISPs and web companies. The government can already get anything they want from an ISP or web company, but they have to do it on a case by case basis and it is probably annoying to correlate information across sources. In the future, I imagine that a federal agent can go to his big brother dashboard, type in a name, and have immediate access to all sorts of information gathered from credit card companies, search providers, ISPs, telecoms.
It should automatically advise internet services that a person/account may be trouble, thus granting those private companies the blanket "exemption from liability... for decisions made based on cyber threat information identified, obtained, or shared under this [law]." (That's one of the most concerning vague and elastic provisions in the current proposed bill text.)
There should also be a 'redress number' subsystem, for when people on the watchlist start noticing their accounts being restricted or disabled, and want to make the case they're not the bad guy the agent who pressed the button thought they were.
https://www.techdirt.com/articles/20130311/16221022286/white...
I saw an infographic a little while back that I thought made a pretty good representation of what the bill actually proposes, I wonder if anyone has a link available to it.
Private companies can and do share (heavily scrubbed) electronic signature information, but must go through contortions to do so, and incur huge legal costs to do it. As a result, only the largest companies participate in these efforts.
Because the USG is more or less enjoined from participating in clearinghouses with private companies, information sharing networks are handshake affairs that are often unknown to anyone outside tier-3 network engineering. Other private IT security product companies run de facto clearinghouses, but only for their customers.
As a result, when your startup gets DDoS'd and you call your ISP for help, they generally can't do shit to help you. It may annoy you to know that if your connectivity provider is large, there is a group in there that could offramp your traffic to internal "scrubbing centers" to peel off DDOS traffic. But because high-end DDoS protection at ISPs is done sub rosa, startups have a very hard time finding these people.
There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it. And all it appears to take to fuel that hysteria is statements like "think of the overreach that will happen once a law hits the books".
I think everyone agrees that companies should be able to describe to the cops what the guy who robbed them looked like, and those companies should be able to tell their customers they've been robbed without getting sued by their shareholders because the ensuing PR fallout tanks the stocks.
So why pass CISPA now? To remove the barrier in the other direction, from company to government. Right now there are interpretations of certain federal laws that say that companies cannot share threat data with the government. In addition, public companies fear shareholder lawsuits if they were to disclose publicly that they have been hacked.
In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info to the government, which shares it with every other company--all basically in real time. That would prevent, or at least reduce, the issue now where one exploit works again and again and again at different companies.
Whether it is possible to do this while adequately protecting privacy is the issue. I'm not a lawyer but it seems to me like it should be doable if the language in the bill is done right.
But why does the government need the information at all? Why not have a private consortium of companies who share threat information under NDA (or, for that matter, just allow it to be published), and craft appropriate legislation to allow that?
Did you read the bill? I'm not asking in an accusatory way; I'm wondering where you got your information from, so I can read it too.
Since otherwise reputable sources are running articles suggesting that CISPA is "the worst bill since SOPA" and "a power grab by the content industry" and "a backdoor warrantless wiretap" and "a mechanism by which the feds will read our email", I respectfully disagree with you about the utility of refuting uninformed criticism of the bill. Most of the criticism of the bill is uninformed.
What it does is make the proposal for the future law look like a much larger departure from the status quo, which makes it a harder sell. Furthermore, members of Congress don't like to change their positions for a number of reasons relating to both ego and what it allows election opponents to put in political advertisements, so if you can get them on record supporting your cause then you make them less likely to go against you in the future.
EDIT: Another option is for the courts to decide that freedom was guaranteed in the Constitution all along. But courts are unpredictable so again, good luck!
CISPA is simply not about the interests of rightsholders.
The commenter to which you are replying did not make that assertion. The mention of IP was an attempt to identify the source of the confusion between cybersecurity and IP rights, not about CISPA specifically. Here's what the parent comment actually claimed:
> When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have....

> And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.
Nothing about rightsholders in there.
The trouble is that the effective, worthwhile and highly damaging cyberattacks all involve IP, in some way or another. There's not much value in taking down Coca-Cola's internal network. Stealing their M&A strategies or product roadmaps can be extremely lucrative/damaging (I recall seeing estimates that billions have been lost as a result).
On the one hand, the attacks on power plants that you allude to are possible. Utilities have been networked and electronically controlled since the 1970s. Nobody builds networks on telephony or X.25 anymore; it's all IP. IP connectivity to insanely sensitive systems leaks routinely; moreover, application-level data sharing between Internet-connected systems and supposedly air-gapped backend systems is extremely common.
On the other hand, the "less serious" attacks you allude to are very very bad. Google and Hotmail aren't national utilities. But they are attacked by state actors because dissident organizations use them to communicate. For that matter, the Internet backbone is a collection of computers sharing information using a decades-old routing protocol for which policy is controlled by regular expressions.
Finally, if you run a startup and happen to say something I disagree with, such as "I think CISPA is a power grab by the content industry", I could today very easily push you off the Internet with a trivial DDoS attack. The people who extorted online casinos with DDoS botnets were not rocket surgeons. When I attack you for disagreeing with me online, and you call your ISP, guess what you're going to hear? "You're on your own". It is always very weird for me to see people on Hacker News, a hub for online startup news, downplaying the severity of DOS attacks. I've spent a decent chunk of my career in DOS mitigation and it is not remotely a solved problem.
What does the law as written allow to have happen that you object to?
Specifically: CISPA provides a positive authority for sharing only "cyber threat information", which is defined in the bill: (i) information about a vulnerability, (ii) information about a confidentiality/integrity/availability threat, (iii) information about denial of service or destructive attacks, and (iv) efforts to hack into systems and exfiltrate data.
The bill includes language that explicitly exempts the kind of stuff Aaron Swartz got caught up in: it exempts attacks that "solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access." That exclusion is repeated multiple times in the definitions section of the bill.
The bill explicitly does not cover individuals, in a fashion that the bill's authors say affirmatively prevents it from being used to allow ISPs to share individual customer records.
So: back to you. What specific state or Federal privacy measure is compromised by CISPA, and how?
> There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it.
This sounds an awful lot like, "We must do something. This is something, therefore we must do this."
That you failed to provide any, even though I think my request was fairly clear, provides strong evidence that you're unable to do so and your pro-CISPA argument was hand-waving, not based on facts or the law.
Reading bills is usually a headache because they keep changing. Cue Pelosi's idiotic comment about having to pass the law so we can know what's in it. This one seems to be no exception: The original bill is talking about intellectual property, people complained about it, they removed that in later versions. EFF is complaining about how it doesn't put limits on what the federal government can do with the information, so they added some limits, but they're overly broad. (What does "national security" even mean? Because it's pretty plausible it's going to be read as "whatever the National Security Agency or Department of Homeland Security does with it.") I mean it's good that they're taking criticism into account and making modifications, but it seems like a really weird bill, and I think it's a good thing that it's getting a lot of scrutiny.
If you want me to go through it and complain about it, I can do that…
>CISPA allows exactly that to happen!
Not exactly. First of all, publication seems very much not to be the idea. Half the bill is talking about security clearances and the like, and how if you get "cyber threat information" from the feds (presumably even if they got it from other private sector entities) then it could still be classified and you can't publish it. And I don't see anything in the bill about the information becoming automatically declassified once a patch is available, so that's not going to be good for full disclosure. Plus, if I get this super secret threat information, now how do I e.g. submit a patch to the Linux kernel or OpenSSH to address it without impermissibly letting the cat out of the bag? Have they thought this one through?
But my original point was not that private entities could share information too, the point was, why should we want the federal government to have it? There is a real concern that they would use vulnerability information to advance their stupid "cyberwar" nonsense and then accidentally loose the network equivalent of the black plague, or use vulnerabilities to spy on people and expand their warrantless surveillance of the world population. I can see why they might be able to use the information to patch their own systems, but I would be a lot happier to see a specific restriction that disallows anyone from using any information received under these provisions for offensive or surveillance purposes.
>Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves
I don't think that's the part people have a problem with. It's not the information coming out of the government (assuming it really is technical information and not anything that identifies individuals or impinges on privacy), rather it's the information going back into it to feed proto-Skynet.
But let's talk about some of the other crazy things.
1) It seems like a major part of the legislation is the grant of immunity for entities that share information. Which is a really very strange thing. Why do these entities need to be exempted from all state and federal laws? Can we not identify the specific ones that are problematic and then fix them? Certainly at least identifying them would be useful. I'm not really comfortable with the idea of exempting companies from prosecution for, say, polluting the water supply or murdering bystanders when they're reporting or responding to cybersecurity vulnerabilities. And if we can't even identify the laws we're concerned about, that seems like a problem more in need of our attention than this.
2) Why are individuals explicitly excluded from qualifying as "protected entities" or "self-protected entities" that would otherwise qualify them for the immunity provision? Are Microsoft and its employees for some reason more deserving of immunity than e.g. Moxie Marlinspike, or any random schmuck who finds and wants to report a security vulnerability?
3) There is a whole list of things under "protection of sensitive personal documents" like library circulation records and medical records. First of all, how is any of that sort of thing the sort of thing that should qualify for this in the first place? But never mind that. If those things would otherwise qualify, shouldn't we then be concerned about a lot of other stuff that isn't on the list, like browsing history, search history, financial records, purchasing history, location data, etc.?
4) The section on liability for wrongful disclosure by the federal government is pretty extreme. I'm not happy with it as a taxpayer. So if the federal government screws up (it's been known to happen) and releases a vulnerability e.g. in some financial software that causes a trillion dollars in damages to other countries, the U.S. taxpayer is on the hook for that to any person adversely affected, not because they had any responsibility for the vulnerability but only because the government disclosed it? No thank you. How about instead we put some personal liability on the government employee(s) who actually made the wrongful disclosure.
5) The bill does a lot of talking about the U.S. federal government and not a lot of talking about state governments or foreign governments. It looks like they may qualify as entities however, and if they don't then that's weird (because what if I want to share threat information with my city or state or Canada or something?). But then we're exempting state governments and foreign governments from all state and federal laws for "decisions made based on cyber threat information identified, obtained, or shared under this section"? What???
This is where I reiterate my concern that we're exempting them from laws against things like murder, kidnapping, wiretapping, espionage, terrorism, etc. Granted the exemption requires acting in "good faith" -- but that's putting a lot of work behind two fuzzy words.
The whole immunity thing seems like a huge kludge that doesn't address the underlying problem, which is really the Aaron Swartz problem. Some laws are unnecessarily complicated, overly broad or poorly drafted such that liability under them is arbitrary and unreasonable, but instead of carefully fixing the bad laws individually, we just throw them all away in this one specific case and let anyone else subjected to their continuing insanity fend for themselves.
* Bills start as draft language. The draft is circulated so that organizations like ACLU can point out things like "this bill gives too much deference to content rightsholders". The bill's authors then say, "that's not at all the intent of the bill" and then fix the language. It is very weird to complain about this, since it's the system actually working in the public interest. So, sorry, you're going to have to keep reading the bill. Also: CISPA is tiny. You can read it inside of 5 minutes. It isn't PPACA, the bill Pelosi commented on.
* I don't think software vulnerabilities are the best or most likely example of information that will be shared from the USG to the private sector under CISPA, but to the extent it is, you can simply assume that a (say) OpenSSH bug disclosed under CISPA to (say) Facebook is going to be patched immediately. I am a vulnerability researcher; that's my profession. It is a near-consensus among vulnerability researchers that the sooner vulnerability data is published, the safer we all are. I find it difficult to be concerned that CISPA might get OpenSSL flaws published faster. If that happens, great.
* If organizations don't want to share vulnerability information with the USG, they don't have to. CISPA is entirely opt-in. Moreover: vulnerabilities are a bad example of information CISPA enables sharing for. Companies can already lawfully share vulnerabilities with the USG. There is a whole cottage industry of small companies that sell vulnerabilities to the intelligence services. To the extent that your concerns about CISPA involve trafficking in privacy-harming exploit code (a very legitimate concern in general), you are (respectfully) ill informed about the current state of cybersecurity regulation.
* The reason CISPA preempts existing privacy laws and provides protection from liability is because there are lots of different privacy regulations on the books that make it difficult for companies operating in certain verticals to share any data without expensive legal review. If you deal with classroom data, you've got FERPA. If you have driver records, you have DPPA. CISPA does not repeal DPPA or HIPAA or FERPA; instead, it simply says that as long as companies are dealing in good faith with attack data --- "cyber threat information", a term the bill goes to some lengths to define --- they can reasonably assume they won't get sued for violating HIPAA by sharing that attack data.
* Individuals are exempted as private entities to protect individual privacy. The intent of that definition as stated by the bill's authors was to prevent CISPA from being interpreted as a mechanism for ISPs and the USG to enter into agreements to track individual customers. See "Myths and Facts About CISPA" at the House Intelligence Committee page. So: you have that concern exactly backwards.
* I don't have any response to your concern that the USG should not be liable for negligence in publishing sensitive data. I see it as a good thing that the bill creates accountability for the handling of the data, and wish there was more accountability in the bill, not less.
There are other questions in your comment that I didn't address because I didn't understand them, sorry.
edit: Specifically, this is a precedent that is a big step in the right direction for this kind of thing, IMO: https://news.ycombinator.com/item?id=5382891
You think we got clean air, clean water, etc, legislation passed because Sierra Club and Earth Justice are rolling in money? No, it's because they have a cause that people care about and passionate volunteers that dedicate their lives to fighting for it. It's not the system's fault that people don't understand nor care about stuff like CISPA.
Because there are people who actually care about clean air.
> Contrast this to opposing civil liberties restrictions, which can very easily and effectively be spun by political opponents as leaving America open to terror attacks.
Supporting environmental legislation is very easily spun by political opponents as costing America jobs.
The amount of political opposition to environmental laws is otherworldly. There are a few companies here and there making money off things like Rapiscanners, but the companies whose profits are hurt by environmental regulations account for trillions in US revenue each year. Everything from Exxon Mobil to small chemical plants with $10 million in revenues. And while "think of 9/11" has a certain impact, it's not only fading but even at its peak never compared to the visceral cultural opposition towards environmental laws. Industries impacted by environmental laws are literally ways of life in many parts of the country. People in Pennsylvania, West Virginia, etc, fight to allow coal companies to keep poisoning them as part of their cultural heritage.
To put things into context: adding up U.S. box-office, DVD/Blu-Ray/etc, and music (digital and CD) revenues doesn't break $40 billion a year. Apple by itself made more than that last quarter. Exxon by itself makes 10x as much in a year, and there are 8 other petroleum companies in the Fortune 100. But environmentalists somehow manage to get some wins. While tech people whine incessantly about how "the system" is why they can't make any headway against the RIAA/MPAA.
How is that different from anything else? Pollution controls are painted as "job killing regulation" or "will raise the price of energy" or whatever this year's talking points are.
I kind of get the feeling that the reason things don't get done is only that people think they can't do anything. So they don't write to Congress or protest or donate money to EFF, and then their pessimism becomes self-fulfilling and self-reinforcing.
If you want change then you have to make it happen.
Actually, it is. The "system" (or, more accurately, the emergent collective behaviors of well-moneyed groups acting in their self interest) tells the masses what to care about, and thanks to being brought up by the "system", they eat it up. Thanks to the direction of the "system", we still have political debates about the age of the Earth, evolution, and other emotionally loaded issues that have no actual bearing on matters that have a substantial impact on the future of the planet.
Second, asking what specific privacy law is overruled is a bit odd because -all- of them are. ECPA, SCA, Wiretap Act, FCRA, DPPA, FERPA, PPA, RFPA, TCPA, VPPA are among them, and that's not even counting state privacy laws. Remember, CISPA is a legal wildcard. Asking your question is like asking "what specific file does rm -rf * delete?"
Your second graf begs my question. Obviously we're both aware of the ECPA and SCA. My question was, in what way do the preemptions on those acts materially harm the public interest? Put it this way: if you think that CISPA is in direct conflict with SCA, then clearly you can imagine situations in which e.g. Facebook could collect Netflow data from a DDOS attack and then worry that they'd somehow contravene SCA by sharing the information. Doesn't that "conflict" explain the need for an act like CISPA?
I'd also note that the first three acts you cited --- obviously the three most important, because they cover the integrity of online communications in general and not with respect to any particular application domain --- already contain exemptions similar in spirit to the ones in CISPA:
* ECPA permits providers to collect and in some limited cases share information that is related to the maintenance of their own infrastructure
* SCA permits collection and monitoring of stored communication by the operators of stored communication services
* The Wiretap Act allows operators to intercept and monitor signals causing disruption to networks
CISPA harmonizes collection and sharing of data in cases of direct adversarial attacks. Compared to the exceptions in (for instance) ECPA, CISPA is narrowly tailored and very specific.
Furthermore, when you point out all the laws encumbering sharing of attack information, you start to make the preemption point for me. It may already be possible to share attack information, so long as it doesn't involve raw emails, and the attack information is shared by telecom providers under the ECPA maintenance exemption. UNLESS YOU'RE AN AUTO INSURANCE COMPANY, in which case Congress helpfully (and reasonably!) enacted a specific privacy regime under DPPA, which means now simply to have Progressive push netflow records to Verizon they might have to incur $50,000 in legal review which by the time it's done the attack will be over.
Instead of repeating my original question --- how exactly does CISPA conflict with existing privacy laws in ways that harm the public interest? --- why don't I ask the question in a different framing. If we stipulate that the problem we're talking about here does exist --- that Advocate Health Care in Illinois would incur significant and unnecessary legal risk in pushing netflow DDOS information to a public clearinghouse --- what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?
Incidentally: can you do better than thanking me for a polite response? I'm not actually sure I'm being that polite anyways; I feel like I'm being blunt and direct. But on the other hand, you wrote a comment with a complicated technical question last night at 1:00AM, and when you didn't get a prompt response, you accused me of "handwaving". Can I argue now that it's pretty obvious that neither you nor I is "handwaving", and that we've both done our homework, or at least way more homework than most CISPA commenters have done? Instead of thanking me for polite responses, could you instead just not impugn my motives or intellectual honesty again? We can then just chalk our initial static up to "message boards and politics".
PS: The worst, most crazymaking thing about CISPA debates online is that they invariably put me in the position of "CISPA advocate". I have a position in the CISPA debate: "CISPA is not evil". I think if you believe like I do that CISPA is facially benign, the way organizations like EFF are choosing to message against it starts to get disquieting. But my position does not carry into "CISPA is a great idea". A sane argument against CISPA is that it forestalls a needed reform across all online privacy bills to enable network security to function sanely. CISPA might be a bad idea. I am not a CISPA advocate. I just don't think it's overtly contrary to the public interest.
Last time around, I believe you said CISPA is one giant legislative NOP. I think you have probably revised your position on that. Someone is trying very hard to pass this, and they don't do that for no reason. There is something very important in CISPA to someone.
It sounds like at least part of the reason for it, in your interpretation, is related to legal assurances. Since you have studied both, can you provide an effective 'diff' between CISPA and ECPA, within the scope of 'cyber'?
For what it's worth, after doing some basic searching on who is backing it and what their business objectives are, I feel like it is more probable that there is not evil intent behind CISPA at this time.
The problem, as I said, and as described by EFF, is that it is vague in many key areas (I'm not going to enumerate them, it's too tedious and not relevant enough to go into specifics). Look at the CFAA. The intent there was not to nail a MAC address spoofing wget loop or a fake email submitted to a captive portal to the wall for 35 years. The intent behind the PATRIOT act, at least as far as some supporters were concerned (even though they were probably duped) was actually to fight terrorism. Both have since become wildcards for bad actors to do things that the original supporters didn't intend. We have to expect this when we write laws.
It's the same as auditing C. You know those conversations you have with those "special" clients who respond to your bug report by saying "yeah, but that is only meant to hold a username, no one is REALLY going to try and have a 2GB username"? This is the legal equivalent.
> what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?
This is an unreasonable rebuttal. "It's not perfect, but you don't have anything better" is not how we make laws. Obviously, a journalist or a security consultant discussing something as important as this is not going to just spit out a bill that solves every problem in an HN comment.
My concern is with limiting of my right to civil suit against a corporation, and my fear that the bartering of these rights for information bypasses legal constraints on information collecting by government and law enforcement.
Two responses, briefly:
1. FISMA spells out in positive terms that incident data collected by agencies is to be reported out to LEOs and the national security services unless otherwise designated by the President, and
2. much of the data we're discussing is classified, so, 18 U.S.C. § 798 is a starting point.
Do you dispute that, say, botnet identification data collected by DoD is classified? Do you have a source to suggest otherwise? I did network security product work at the Pentagon with Arbor Networks and they were bananas about classification, operating an entire clone of their enterprise network to account for classification.
I find it interesting that you can publish an article that suggests CISPA is a backdoor attempt at warrantless wiretapping but accuse other people of handwaving.
You're right, of course, that federal agencies have the power to classify data. But I think saying that overclassification happens all the time is not a controversial statement; President Obama in 2010 signed the Reducing Over-Classification Act and the DOD IG announced last November that it is reviewing DOD classification procedures. One of the 9/11 Commission members concluded: "Much more information needs to be declassified. A great deal of information should never be classified at all."
So if the only reason we need CISPA is that DOD is inadvisedly classifying botnet data as SECRET, then a sensible fix is for DOD to declassify it. Or, that failing, Congress could amend 18 USC 798 to allow that to happen. Laws, like computer security, should follow the principle of least privilege, and enacting a broad wildcard law that overrides all federal and state laws to fix a narrow botnet-classification problem violates that principle.
Also: the primary criticism of CISPA is that it overrides all other state and federal laws in allowing the transfer of customer data from private companies to .gov, .mil and other organizations. You're defending .gov->.com data transfer, which is hand-wavingly orthogonal to an explanation of why a wildcard override for .com->.gov data transfer is necessary.
Start here: packet captures and netflow traces from operational military networks are a textbook definition of something that reasonably should default to "classified".
So then the fact that CISPA preempts classification is the mechanism by which it crafts the exception allowing that stuff to be published. The law says "you can keep classifying secops data on military networks, but when you come across material that would be valuable to the public if sent to a clearinghouse, CISPA preempts classification".
How is that not a sensible measure? And in context, isn't it clear that preempting things like classified disclosure laws is just a pragmatic measure, since reforming all of classification is a huge can of worms, and not some sinister attempt to create a backdoor wiretapping mechanism?
Thanks to Declan Mccullagh downthread for making my arguments about CISPA more vivid by citing all the privacy regs CISPA interacts with. :)
Oh: by the way: if I understand you correctly, you're not at all concerned that CISPA is a backdoor attempt to enable copyright enforcement, and by rebutting that idea earlier, I mischaracterized your point. I apologize for doing that. CISPA makes me jumpy.
Not covering other agendas: basically any news agency ever that only covers one side of a story (e.g. anti-gun-control news stations only reporting positive gun news, pro-gun-control stations only reporting negative gun news, no news stations reporting on anything outside the viewer-driving manufactured hot button issues). Another example, though an isolated case: there was a station in Nevada during the 2008 campaign season that only showed the polling numbers of their selected candidates, even though another candidate was polling higher than some of the ones they listed.
I'm not sure I've ever seen one of these in a movie or DVD. I sure as hell saw the "kill SOPA" stuff Wikipedia, Google, etc, put up while I was trying to use their service for something else.
The comparison to CFAA is interesting. Long before the drama with Aaron Swartz (drama you and I are probably on the same page about), CISPA was revised to blunt that concern: TOS violations are explicitly exempted from the sharing provisions of the app. So if you're an online music store and someone starts mass-exploiting a vulnerability to take music without paying for it but doesn't threaten the integrity of your actual computers, you can't share that attack information under CISPA. To me, that is a level of specificity and care that is unique to CISPA. Even the Wiretap Act, which exists almost entirely to suppress monitoring of communications, leaves much larger holes for service operators to monitor traffic.
So my response to you on this --- and I recognize that you want to avoid the nitty-gritty details, and that's fine --- is that CISPA is substantially more detailed than other online regulations. It is written more carefully to cover operational security issues than HIPAA is; it's far more specific than Sarbox was; it actually (IMO) narrows what could already be shared under ECPA, and it does this by spelling out in detail what an actual online security attack is.
I am specifically not making the argument that you have to propose a better bill to justify not passing this one! I agree, that is an infuriating objection. I'm saying, your proposed privacy-protecting language would help clarify the concerns you have with CISPA, so that we could be more sure we're debating each other and not past each other.
Finally, we disagree more than we agree about online policy, across the board. So any time this stuff comes up, any time I ask you to clarify something, you can reasonably expect me to follow up with some kind of rebuttal. I appreciate how that feels like being baited, but I'm not doing it in bad faith. Agreement for the sake of decorum is boring, isn't it? Let's just say what we think.
So my eventual reply is, if I list off my concerns and you point out that it's already possible to do those things, what is CISPA adding? Let's start the conversation there.
I'm not sure if it's a fallacy to appeal to common sense, but I don't buy that someone is pushing this through so hard to narrow what can already be shared. Even though you are certainly more familiar with previous relevant legislation, I feel pretty safe in saying that if that is your interpretation, it has to be incorrect.
Nobody spends money trying to take permissions away from themselves, and nobody versed in this area of law isn't already aware of their capabilities under ECPA.
It is already possible for service providers to do the things CISPA enables them to do. However, under current regulations, it is legally risky for them to do it. Some of what they do incurs legal risk. Some of the legal risks mean that whole companies in some verticals won't entertain any conversation about information sharing because they're encumbered by specific privacy rules which, while important, were never intended to hamstring network security. As a result, there is much less information sharing now than there could be.
If I was going to put my political analyst hat on, which is ugly but at least doesn't smell like cat piss, I would point out the following:
CISPA came into being less an urgent fix to an immediate problem than as a response to another, more interventionist approach to regulating cybersecurity. That other approach would essentially have the USG "pick winners" in the information assurance market and, down the road, would allow the USG to designate certain private companies as "critical infrastructure" that would require the commercial ministrations of those companies. The winners in that scenario would have been Raytheon, Lockheed, and SAIC. Nobody in private industry wanted that, and it was antithetical to the Republican House, so they came up with an industry-friendly counterproposal.
https://www.eff.org/deeplinks/2013/03/consequences-cispas-br...
I don't share their concerns about the "hack back" thing. It's hard to take that seriously.