Tech group representing Google, Yahoo backs CISPA (thehill.com)
CISPA would give a safe harbor from other privacy rules to companies that share information with the government as long as that information is about "cyber threats". Now, let's say someone breaks into your database server and you're at a company with not-too-skilled IT people. The government shows up and says "hey, what can you tell us about the attack you experienced? PS - we'd be happy to analyze your data for you."
What do your IT people do? They say "screw it, we'll just send in all the logs we have and let the feds figure it out." And so they do that.
What if the law protects the information in those logs? What if the information is sensitive (like health or financial information) and is protected under a special privacy regime like HIPAA? Or what if the information is protected from disclosure by contract (like in a TOS/TOU document)? CISPA says that the disclosure is exempt from whatever sanctions/punishments would happen under those protection regimes because Cyber Threats Are Important (tm).
Disclosure: I am not a lawyer. Even after it's passed into law, only a court can decide exactly what the safe harbor in CISPA means.
I don't so much care whether CISPA passes. What I do care about is people trying to fundraise by convincing willfully ignorant nerds that CISPA is a backdoor SOPA bill; why, just look, GoDaddy supports it, it must be bad!
But I disagree with his "Michigan Militia" analogy, which is a bit silly. Another way to look at it is that starting with Clipper, CDA, CALEA, crypto export controls (plus mandatory domestic key escrow approved by a House committee), we've lived through 20 years of ill-advised regulation. So unless the merits of a new proposed law clearly outweigh the downsides, which is not the case in CISPA, a measure of skepticism is reasonable.
Tech companies trust themselves to only share the critical info needed for better security, so they do not see a risk in CISPA.
Citizen groups do not trust tech companies or the government, so they see risk in any legislation that seems to reduce oversight of info sharing between them.
From our point of view it's disgusting but for upper management it's a no-brainer.
For example the Patriot Act was sold as a thing that would only be used to catch terrorists. Its total terrorist-catching prosecutions to date is trivial, zero to a few. But it's still getting used quite a bit.
http://www.nytimes.com/2003/09/28/us/us-uses-terror-law-to-p...
http://www.cbsnews.com/2100-201_162-573155.html
I'm not saying that the people who got caught in many of those cases didn't do something wrong, nor am I saying that they should get away with no consequences. But I don't see how you can charge people with "terrorism" for doing decidedly non-terrorist things.
My fear is that, like the PATRIOT act, CISPA will grant overly-broad powers to intelligence agencies that will be employed for general surveillance. My view is that any law that curtails liberty should do so minimally. I don't oppose fighting cybersecurity threats, but the bill needs work still.
For anyone curious, the ACLU has several blog posts breaking down the problems with CISPA: http://www.aclu.org/search/cispa?show_aff=1
The entity handling this stuff seems to be DHS or FBI, not NSA, but they are all part of IC so the info should, in theory, be shared around.
My wild speculation is they are trying to gather logs to make a sort of national IDS to be more proactive in detecting APT.
http://www.technet.org/leaders/member-companies/
A headline "Tech group representing AT&T, Palantir backs CISPA" isn't good copy. But that could have been the headline. The "Executive Council" (which seems to be the part of the organization that draws the focus on Google and Yahoo) also contains people from Oracle, Microsoft, and VeriSign. And one thing that council doesn't do is sign off on every letter the group sends out (or, probably, every point in the policy platform it espouses).
I doubt without knowing exactly that Google's official position is anti-CISPA and that this group doesn't speak for them because they don't actually control what it says. But I've been surprised in the past.
Perhaps, though, people should read this and think "hey, Google ought to put some pressure on the lobbying groups they participate in not to be stupid/evil/whatever." And perhaps if a few Google executives express that they're upset that their names were used in conjunction with something they don't support, they can rein in groups that want to claim the mantle of "the tech industry".
Sure, sure, you can't keep track of the political positions of every group you're a member of. But if a group holds opinions that are evil, that might just be a good reason to not maintain membership. I could easily Godwin this thread by mentioning certain groups I am not a member of for exactly that reason. The company you keep and all that.
Trade associations tend to remain silent when a good portion of their members oppose legislation. But Google/Facebook/Microsoft aren't opposing CISPA, last I checked. It's more like they're just remaining neutral.
The problem with CISPA is we don't need it. I'm not a libertarian (I want single payer universal health care, for example), but I am fully against the PATRIOT Act, FISA abuse and the numerous other things done in the name of security since 9/11.
The reason 9/11 happened was not a lack of security or intelligence; we had those. It was failure to act on the information we had.
We shouldn't be putting more power in the hands of intelligence agencies which have no public oversight. I understand the need for those agencies, but I think they should be as small as possible. Things like CISPA seem to be based on an opposite view; giving them as much power as possible.
EDIT:
Also the notion that you can learn everything you need to know about these bills by reading the bill itself is so myopic as to be comical.
Edit: They did [1].
[1] http://www.bloomberg.com/news/2013-04-04/google-fights-u-s-n...
But other companies, including AT&T, are far more likely to exploit this loophole (in fact they persuaded Congress to immunize them for illegal activity, post-facto): http://news.cnet.com/8301-13578_3-9986716-38.html
Your claim that a company could "not find authority" to share emails under CISPA is close to the mark but not quite there. First, the House Intelligence committee rejected an amendment by a 4-16 vote that would have required companies to "make reasonable efforts" to delete "information that can be used to identify" individual Americans.
Second, data that can be freely shared with FedGov including NSA encompasses broad categories of information relating to security vulnerabilities, network uptime, intrusion attempts, and denial-of-service attacks, with no limit on sharing emails or personal data. See: http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...
If you think the real meaning of the bill has nothing to do with the text of the bill, that the text of the bill doesn't matter, just give up. CISPA is tiny compared to ECPA; if you think CISPA has holes a truck could drive through, give a close read to SCA. If you believe the government is going to use milk safety regulations to prosecute movie pirates, just let them pass whatever, and skip the arguments.
No, I couldn't. There are unfortunately a lot of bills I could have said that about (and I mentioned some of them), but not literally any bill ever.
In fact, most bills are not about granting more power to intelligence agencies at the cost of privacy protections.
But thanks for sticking to your role as mindless CISPA defender. You play it well.
EDIT:
> If you think the real meaning of the bill has nothing to do with the text of the bill, that the text of the bill doesn't matter, just give up.
I didn't say that and obviously didn't mean that.
I also couldn't give a shit about movie pirates. I buy my entertainment. That's the bonus of being a full grown adult with a career.
But I do care about the erosion of privacy law for no benefit whatsoever, and in fact, what I see as a detriment; continuing to grow the intelligence industry which has no public oversight. That's a Bad Idea(tm).
So is asking about unintended consequences of legislation that's touted as accomplishing one thing but will be far broader. CISPA's sponsors say it's necessary to respond to the real threat of Chinese military hackers, but of course the legislation isn't limited to that.
If there are a series of related and bad bills, offering the same general criticisms of them is reasonable. If you're pro-choice and are upset by state efforts to ban abortion, then you can use similar language ("fully against..." "we shouldn't be putting more power in the hands...") to talk about bills in Arkansas, Colorado, Mississippi, North Dakota, Kansas, etc.
Of course a more detailed discussion involves going into more depth and talking about the differences between each state's anti-abortion proposals.
You generally need to read it side-by-side with the law it's amending. You need to read any amendments, and the rejected amendments. You need to read caselaw on point so you're aware of how courts have interpreted certain terms. You need to read existing laws in the same area. To the extent that courts will consider it, you need to read the legislative history, floor debate, and committee reports. Ideally you'd want to talk to a lawyer specializing in this area. Obviously the shorter the law, the less all this is necessary, but the text of the law tends to be merely a starting point.
Why not just have the Feds or whoever call up Google and say "Look, this is really important information, as I'm sure you agree, so let's solve the problem, and if any technicalities were violated along the way, we'll get them excused by the overwhelming benefit of your actions"?
Regarding PII in threat data, we're talking about orthogonal concerns. The amendment you're talking about would require all threat data to use (presumably commercially reasonable methods) to scrub PII. The concern there is accidental inclusion of PII; it's that disclosure of, say, IP addresses in NetFlow information might uniquely identify customers. But providers today aren't required to fully anonymize NetFlow when they cooperate with investigations. The amendment was a sensible measure and I wish it had passed, but its failure does not break new ground for privacy nor does it change the original scope of the bill. When we last discussed CISPA on HN, that amendment didn't exist, and I still didn't think the bill was scary.
The PII concerns I'm referring to involve the idea that CISPA could be used to frame individual citizens as cyber threat protected entities so that raw information about them could be shared by AT&T incident to some supposed attack. That is an interpretation of CISPA that was explicitly rejected by the bill's sponsors; they cite specific language they added to the bill to counter that interpretation.
(I didn't downvote you and don't understand why anyone would downvote you, but I could get downvoted here for saying "water is wet", so oh well.)
That sounds like a security risk waiting to happen at your cell phone carrier and email service provider.
The bill as written, even before the narrowing amendments, acknowledges the risk this subthread discusses. It does that by trying to define "cyber threat information", as information directly implicated in an attack. In the sponsor's notes on the bill on the House site, they explain that the definition of "protected entity" was changed specifically to prevent individual people from being considered as entities, so that person-specific data couldn't be handed over under CISPA authority.
The basic problem the bill addresses is this: large companies are under continuous attack. Let's stipulate that attacks come in two flavors: DDOS and targeted malware.
In both cases, there is clear utility in allowing companies to collaborate with other companies and with the government.
In the DDOS case, you want to share NetFlow information with your upstream ISPs and with DDOS trackers, because those are the organizations that generate black-hole and IP filtering rules, and they all work better if they have lots of different vantage points to work from. At the very least, you want to push sources back up to your immediate upstream providers so they can soak them up on their infrastructure rather than saturating your uplinks.
In the malware case, you want to share forensic information that would help identify (a) the vulnerability the malware exploits, (b) the C&C system the malware is using, (c) any evidence of the source of the malware, and (d) forensic information that would help investigators discern the intent of the malware.
In both cases, your company's general counsel is apt to inform you that the legal risk of sharing just that information is potentially unbounded, because nobody can predict exactly what claims could be made under ECPA, SCA, DPPA, HIPAA, FERPA, &c; nobody even knows what traces of information, overt or statistical, might be lurking in NetFlow.
So the situation we have today is that there is information sharing when attacks happen, but much of it is sub rosa, and you have to be in the right clubs to get access to the right sharing networks.
It does not make intuitive sense to me that electronic privacy should mean that basic low-level systems information incident to a real attack should incur unbounded legal risk when shared with other companies directly involved in mitigating those attacks.
You might disagree, and that's fine. But the notion that CISPA is actually intended to allow NSA to read your email is just not supported by the language of the bill, by any advocacy for the bill, or by any of the bill's amendments, and the problem the bill is addressing is a real problem (I have some limited professional exposure to it).
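The DDoS-sharing scenario above (pushing NetFlow to upstream providers) and the earlier point about scrubbing PII from threat data, as an added example that is not from this thread: constructed flow records, with 203.0.113.0/24 assumed to be the provider's own customer space, where customer addresses are replaced by keyed pseudonyms while the external attack sources stay usable for filtering rules.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample NetFlow-style records: (src_ip, dst_ip, dst_port, packets).
# 203.0.113.0/24 plays the role of our customer-facing address space and the
# 198.51.100.x / 192.0.2.x hosts play the flood sources; all are documentation ranges.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 443, 120000),
    ("198.51.100.7", "203.0.113.11", 443, 98000),
    ("192.0.2.44", "203.0.113.10", 443, 76000),
    ("203.0.113.10", "198.51.100.7", 443, 900),   # reply traffic from our side
    ("192.0.2.99", "203.0.113.12", 80, 15),        # ordinary low-volume client
]

# Assumption: the ranges whose hosts could identify individual customers.
CUSTOMER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def is_customer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)


def pseudonymize(ip: str, key: bytes) -> str:
    """Keyed HMAC: the same customer host gets the same token in every shared
    record (so the recipient can still correlate), but the token cannot be
    reversed to the address without the key, which is never shared."""
    tag = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "cust-" + tag[:12]


def scrub_flow(flow, key: bytes) -> dict:
    """Replace customer-side addresses, leave external sources untouched."""
    src, dst, port, pkts = flow
    return {
        "src": pseudonymize(src, key) if is_customer(src) else src,
        "dst": pseudonymize(dst, key) if is_customer(dst) else dst,
        "dst_port": port,
        "packets": pkts,
    }


def build_share_set(flows, key: bytes, min_packets: int = 50000):
    """Return (scrubbed records, external sources whose inbound packet totals
    reach min_packets). Only external sources are counted, so the source list
    handed to an upstream for black-holing carries nothing about customers."""
    scrubbed = [scrub_flow(f, key) for f in flows]
    totals = Counter()
    for src, dst, _port, pkts in flows:
        if not is_customer(src) and is_customer(dst):
            totals[src] += pkts
    sources = {ip: n for ip, n in totals.items() if n >= min_packets}
    return scrubbed, sources


if __name__ == "__main__":
    key = b"constructed-per-incident-key"  # keep out of the shared data
    records, sources = build_share_set(SAMPLE_FLOWS, key)
    for r in records:
        print(r)
    print("sources for upstream filtering:", sources)
```

Rotating the key per incident limits how far a recipient could link one customer's pseudonyms across separate disclosures.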
May I assume that you'll publicly oppose CISPA if it continues to advance without that amendment? :)
Also, regarding your claims that person-specific data can't be handed over, a separate amendment requiring that failed by a 4-16 vote. So it will be able to be shared with the NSA.
BTW, I'm not arguing that there are not real problems arising from attacks that large companies, and even smaller companies, face. The question is what to do about it, and whether CISPA remains the best vehicle.
I can imagine FBI director Louis Freeh saying the same thing when he was defending bans on non-escrowed encryption in the late 1990s: "Nothing wrong with mandatory key escrow! Silly ACLU EFF EPIC etc. are just trying to fundraise off of fear and emotion."
You yourself have conceded on HN that advocacy groups have directly misstated details about CISPA. Now you're writing comments suggesting that I'm being misleading by pointing that track record out. That is not honest debate, Declan.
Second, I'm not aware that anything ACLU EFF EPIC said that's intentionally false re: CISPA. As you correctly say, other groups may not be as careful (although even then, you could have unintentional falsehoods, and I rarely like to speculate about motives).
"...voting to derail lawsuits against telecommunications companies that unlawfully opened their networks to the National Security Agency. Senators voted 69 to 28 for the bill, which would rewrite federal wiretap laws by granting retroactive immunity to telecommunications companies..."
You're right that nobody should be making inaccurate claims about the bill (though I try to be charitable and say inaccurate claims in either direction are misunderstandings, not intentional distortions). I'm making a slightly different point, which is an argument for lower threshold to trigger scrutiny, and a higher threshold to legislate in the first place.
Also, is there any subject for which everyone can agree that Congress is good at proposing legislation? The whole point of the legislative process is to adjudicate between competing opinions; so whether any piece of legislation is "good" or "bad" will vary, to some extent, according to the observer.
Edit to add conclusion: Each bill should be judged on its merits, not on the fact that it comes out of Congress (since that is where they all come from).
‘(B) EXCLUSION.— Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.'
Mind you, I'm not saying the previous poster's claim is the best argument against CISPA, but that your claim of "directly contradicted" is false.
I called him "mindless CISPA defender" because based on his comments on the subject, that seems like an accurate description.
And in my specific case he seemed to pay no attention whatsoever to what I brought up and replied with a handful of boilerplate responses that didn't really apply to what I was saying. So, that seemed pretty much like a mindless automaton to me.
The amendments are public too. You can actually read them.
As you can see, I'm not very charitable about this. Nerds are to online regulation what the Michigan Militia is to gun control. I respect and defer to fact-based objections to CISPA, but I have no patience for the (large set of) people who simply make things up about it to try to win arguments.
I do not have a problem with people who generally oppose Internet regulation of all sorts (I don't agree, but I don't make fun of them either).
I do have a problem with "Internet Hate Machines" of all sorts. You are not entitled to invoke principles to deploy bad facts.
Have you read the 2013 House CISPA amendments? I have. They're public. I'm guessing, no, right? Are you a gambling man? Would you like to bet me how agreeable they are relative to the text of the bill itself? The 2012 CISPA amendments tightened and restricted the act. What do you think the new 2013 amendments do?
(I have complained, and they said they should be there the next day, but then I pointed out about 25 cases where it wasn't, and they kinda stopped talking :P)
The only amendments I've read about in 2013 are PII removal and removing the "national security" terms, both of which are civil liberties enhancements. (although I don't know where to find the actual text of the amendments). The 2012 amendments were improvements to baseline CISPA (especially the ToS vs. CTI clarification, which was my only real objection to CISPA originally). I do not think I'd take your bet; the probability of something bad being attached is low, but if something bad is attached, it's high severity, so moderate risk. You'd give odds based on probability and I'd want based on expected-harm.
Re: IHM. Reasonable people don't really win at politics. Look at how AARP/etc. essentially eviscerate anyone who thinks of touching Medicare or SS. Thus, horrible public policy (wealth transfers from the poor and young to the old and wealthy!) persists in the face of all logic. That it does shows how effective their lobbying/rabble-rousing strategy is.
Civil libertarians tend to err on the other side, for "what would be best for society", and end up with all kinds of bad stuff happening to them.
I'm ok with "ends justify means" in this case -- if "means" is "make everyone in Congress terrified of any cyber-laws which aren't explicitly and transparently improvements to individual privacy and freedom."
This¹ site lists the amendments and has a PDF for each. I'm not sure if it's all of them or contains the ones you mention. The PDFs are dated and some are Feb-April 2013. This PDF² seems to be the current bill with the amendments accounted for in the text ("H.R. 624 as Amended").
edit: I just noticed that ² has a date of Feb. 2013 while some of the amendments have April 2013 dates, so I don't think it's the most current version.
¹ http://intelligence.house.gov/hr-624-bill-and-amendments
² http://intelligence.house.gov/sites/intelligence.house.gov/f...
I'd be interested to hear defenders of the legislation explain why CISPA remains such a lovely bill after the House Intelligence committee rejected these four amendments that were aimed at protecting privacy:
* Limiting the sharing of private sector data to civilian agencies, and specifically excluding the NSA and the Defense Department. (Failed by a 4-14 vote.)
* Directing the president to create a high-level privacy post that would oversee "the retention, use, and disclosure of communications, records, system traffic, or other information" acquired by the federal government. It would also include "requirements to safeguard communications" with personal information about Americans. (Failed by a 3-16 vote.)
* Eliminating vague language that grants complete civil and criminal liability to companies that "obtain" information about vulnerabilities or security flaws and make "decisions" based on that information. (Failed by a 4-16 vote.)
* Requiring that companies sharing confidential data "make reasonable efforts" to delete "information that can be used to identify" individual Americans. (Failed by a 4-16 vote.)
1) NSA and USAF are specifically the only parts of the USG I want to have access to this data. I trust NSA and DOD way more than I trust FBI, DEA, etc. to not fuck me personally if my data is somehow included in a dump given to them for anti-terrorism purposes.
2) Useless bureaucrat. I don't believe in oversight of government by government; mandatory reporting requirements to the public, with independent watchdogs like EFF/ACLU, are the only thing which would really work for me.
3) Vague thing is vague.
4) I don't really want companies to have to do PII filtering; I'd rather they be able to dump bulk data if under attack, since J. Random big dumb company or non-security startup is in no position to do forensics, filter, etc.
Ryan, your head seems to be screwed on properly, so what are the things you would like to see done to CISPA to make it commercially feasible to share bulk data when banks or ISPs come under sustained attack?
I don't know if it's possible to limit CISPA, while keeping it useful, enough to keep civil libertarians happy. The best solution is probably to take a page from my much more seriously followed personal legislative issue: gun rights.
I'm actually in favor of universal licensing/background checks and such for firearms, if implemented correctly (not building a registry, using a technical solution to make it possible to trace ownership of a gun without enumerating all guns owned by a person, etc.)
But, the gun lobby/gun owners rightly fear any new regulations are just there to kick them down the slippery slope, so they dig in their heels and oppose everything.
The way around it, I think, is to have a good background check bill proposed which ALSO eliminates a bunch of ineffective existing regulations (allow import of 1968+ MGs, non-sporting-use weapons, no 922(r) parts count, sale of transferable new post 1986 MG under existing NFA rules, removal of SBS/SBR/suppressors from NFA, potentially CCW reciprocity). There's enough pro gun stuff in that to make up for the risk/fear of the new licensing regulation.
Maybe do the same thing with CISPA -- information sharing, but at the same time address the NSL issue, fix anti-circumvention in DMCA, potentially limit CALEA (I hate that it applies to anything but POTS telephony), etc. I'm not sure what specific concessions should be made, but the idea of trading some relaxing ineffective or bad existing law for new law seems like the best way forward.