Just a reminder: many (maybe most) of the Dems who voted against CISPA did so because they favor a more intrusive intervention: they want the government to establish standards for "cybersecurity" to apply to private industry systems they consider "critical infrastructure", and then for the government to deputize specific firms (read: Raytheon, SAIC, Lockheed) to conduct mandatory audits of those firms. Privacy is a fig leaf here.
Also remember: under the Electronic Communications Privacy Act of 1986, none of the information disclosure "authorized" by CISPA was already unlawful. 18 USC § 2702 (b) (5): private companies can voluntarily disclose private customer information "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service". Without limitation. With no check on what the government does with that information afterwards. CISPA added restrictions (albeit weak ones) on sharing; it didn't meaningfully broaden what could be shared.
Regardless of what EFF says about this (unfortunately, I personally believe EFF's interest in CISPA is largely about fundraising), you probably should be careful about cheering CISPA's demise.
Remember, tptacek has very little idea what he is talking about when he posts this same comment on every thread. Doesn't have a clue about the politics; doesn't have a clue about the law. To be charitable. Because he has been informed, and keeps posting this, which turns it from clueless to intentionally lying.
Yes, under ECPA, information can be disclosed "as may be necessarily incident to the rendition of the service", which is to say, not very often, since it's not often necessarily incident, and a company which disclosed your information might have to prove in a court of law that it was necessarily incident. Which is a rather big limitation, as opposed to tptacek's lying characterization of it as "without limitation".
I don't really understand tptacek's position here - is he being paid for this? - but this repeated bullshit posting needs to stop. (And the evil-Democrat-vs.-noble-Republican stuff is pure fantasyland. CISPA isn't about cybersecurity as computer professionals think of it. It's about copyright enforcement and general government snooping, not about hacking. Both Democrats and Republicans are fully behind it, despite the political wrangling, assuming that the copyright lobby has made the proper campaign contributions this year.)
Is there a way to make your point without the ad-hominem or the accusations, and with more references? You've accused him of deliberately and repeatedly lying (a pretty serious accusation for one of the top HN contributors); do you have any evidence besides your differing interpretation of his citation?
(And I still do not see how it is at all related to copyright.)
Not commenting about the other issues, but CISPA grants legal immunity if
"theft or misappropriation of private or government information, intellectual property, or personally identifiable information." (exact quote from the text of the bill)
is thought to be occurring and information is shared; it is very much related to copyright.
It is likely you are working from the first draft of the bill without its amendments. In particular, later amendments narrow "cyber threats" to:
‘(3) CYBER THREAT INFORMATION.—
“(A) IN GENERAL.—The term ‘cyber threat information’ means information directly pertaining to—
“(i) a vulnerability of a system or network of a government or private entity;
“(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
“(iii) efforts to degrade, disrupt, or destroy a system or network of a government or private entity; or
“(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity
I'm not seeing BitTorrent in there.
(By the way, I don't think you deserve the downvotes for bringing this up. I found the amendments aggravating to track down, too. I'd been working from an earlier draft of CISPA that struck "intellectual property", which turned out not to be the one the House voted on.)
‘(B) EXCLUSION.—Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
I've seen many posts from tptacek and he often comes across as a shill repeatedly warning people about Democratic intentions.
He makes the usual partisan comments about Democrats but without going into specific detail, and usually follows up with something along the lines of saying he's a Democrat or donates to them. And usually he presents the non-argument that much of what is in this bill was already lawful.
"you probably should be careful about cheering CISPA's demise."
I really don't trust anyone who takes the fear defense of a piece of legislation that seems to have more flaws than benefits, along with 'already lawful' measures.
If he were simply saying don't trust Republicans or Democrats, I don't think most people would disagree. I wouldn't.
Edit: I think the point that all he says is "be warned about Democrats they support this" without any examples or citations repeatedly is an important point, as it's lacking substance and comes across as spammy by HN standards.
Our National Budget is Defense Industry centric. Anyone who thinks that our policy stance is not Defense Industry leaning as a result is not being objective.
Look at it this way: while the majority of humans are pushing to decrease wars and traditional defense spending, the military industrial complex is looking for a way to transition from conventional ordnance revenue streams to digital ordnance revenue streams.
This will be either a long hard transition, or an immediate windfall transition which lets the traditional ordnance stream die over time with a very fast ramp up of digital streams.
This is why we see an uptick in things like Stuxnet, all sorts of hacker claims, wikileaks, Anonymous, etc.
Some are legit, but I withhold judgement on which.
The fact is that there is NO existential physical threat - and it is becoming increasingly difficult to maintain the illusion of that control model.
Thus they need to transition the fear factory to the vector where 30% of the globe is connected.
They have been laying the foundation though for some time with respect to the financial infrastructure. They needed to ensure they had a great number of financial control tools in place prior to 100% online lockdown.
That's a common excuse used to defend bills that erode various constitutional rights. "Everything authorized by this bill was already lawful under other bills. Nothing to worry about, keep moving." This means that you can change things gradually with multiple bills and claim each time that "this bill changes nothing, keep moving".
If this bill changes nothing, then there is no purpose to vote for this bill is there?
In between what the law bans and what the law permits, there's all the "you're allowed to do it because nobody said you can't" stuff. If you happen to be doing that stuff, it's comforting to have it explicitly called out as legal. If you want that stuff to be illegal, you obviously don't want it getting promoted to "more" legal, because it's harder to get your ban passed.
Imagine a new bill is introduced. "Eating apples is legal." The Apple Pickers Union would love to see this bill passed. The Orange Pickers Union would probably oppose it. They'd both spend millions on a blogocampaign to convince you they are right. But passing (or not passing) the bill changes nothing; it's already legal to eat apples.
> If you happen to be doing that stuff, it's comforting to have it explicitly called out as legal.
No it isn't; having the law explicitly call it out as legal shifts the perception of those activities from being ones that the law does not involve itself with at all to ones that are enabled and authorized by the law.
In other words, it makes things subject to the law that were not previously subject to the law, and so ultimately makes those things easier to constrain/regulate in the future.
"enabled and authorized by the law." I think if you're Facebook, that's exactly what you want. They would prefer to avoid lawsuits about sharing information, even if they would win those lawsuits anyway. I think Good Samaritan laws are an appropriate analogy. You don't want people worrying about liability instead of doing the right thing (right thing being highly subjective).
"easier to constrain/regulate in the future." Ironically, that sounds like motivation for the EFF to support the bill.
There are no Constitutional rights at play here. Sorry, there just aren't. The Constitution protects your right to be secure in your personal effects. Information you hand over to third parties is not protected by the Constitution. It wasn't protected in 1789, it's not protected now.
Not true. Personal papers that are, for example, stored in a hotel room enjoy fourth amendment protection (there are sometimes exceptions for people that do not pay, etc., but the main point stands). Why shouldn't you be able to establish a contractual trust relationship with a services provider that protects your privacy, so that you can enjoy third party services and cloud services while also enjoying fourth amendment protections?
The law with regard to privacy in cloud services is not very well established, but if we allow laws like CISPA to pass, this will slowly but surely make it impossible for any service provider to ensure privacy, even if they wanted to. This will mean that we have to give up all the benefits of cloud services if we want privacy.
In your educated opinion on security, what would you say are CISPA's merits and what are its flaws? Is it a threat to the way websites/organizations that have no bearing on national security operate, or to the way people should treat the internet from a freedom of speech perspective? I imagine that many people fear this is similar somehow to SOPA with a fresh coat of paint, so anything you could do to confirm or dispel that would be helpful.
CISPA has nothing to do with the objectives of SOPA. It contains no provisions to allow sites to be shut down. It is, in fact, voluntary: private companies that do not want to share attack data with the government are not required to participate.
For the record: the bill has few merits. It appears to do very little at all, other than (a) to associate its sponsors with being "serious" about "cybersecurity", and (b) to block the adoption of the far more intrusive intervention the Democratic administration wants. (Note before cackling: I'm a Democrat).
> It is, in fact, voluntary: private companies that do not want to share attack data with the government are not required to participate.
A bill that provides incentives (for example, legal immunity without any restrictions) is just as bad as a mandate. So that's a terrible argument, irrespective of the rest of your statements.
Thanks for the summary. I'm curious why the EFF/DemandProgress would be using up the energy of their supporter base trying to tackle an empty suit of a law, if it is one, and why they've expressed glee at the threat of a veto.
And from what I've heard about the attacks on various DoD organizations from people I know there, a sharing infrastructure to spread information about vulnerabilities quickly is probably going to be necessary soon. I really hope they're aggressively compartmentalizing those networks.
Maybe I'm unusual in that I have a limited number of things I'm willing to get outraged about in a given 6 month period before I start to question the people trying to stir me up. I'm under the impression that that's not terribly unusual, but I guess the popularity of Fox News is a pretty solid counterpoint.
I'm not sure I agree with tptacek about the donations, but one reason might be to keep up the pressure. Blocking SOPA was a big success, so having another battle soon after could be a way to both encourage their supporters as well as show their continued relevance. I'm also not going to argue that it's a bad thing: I love the EFF and donate to them, so if it helps them, I don't really have an issue.
I feel bad for wailing on the EFF about this stuff, because I used to be a fan of the EFF, but come on; their posts on CISPA cite PATRIOT, terrorism, National Security Letters, CARNIVORE, the FBI "bending or suspending the law" (begging the question: then HOW does CISPA matter?) and, wait for it, DRONE STRIKES.
It's not enough to be right; you also have to be correct.
Yes, thank you. The CISPA fear totally ignores the fact that all of the stuff in CISPA is already legal. You don't have a privacy interest in all of that information you give to third parties every day. Maybe you should, but that's a matter for a Constitutional amendment, because as it is that information is fair game.
There is not, however, guaranteed immunity from civil/criminal prosecution for sharing data under the auspices of "national security"; that's what's important about CISPA: it is carte blanche for the government to collect whatever data it wants, with zero oversight or accountability.
tptacek seems to be pushing the line that "this bill does nothing, everything it establishes is already legal". But I caution HN users to be aware of his own vested interests in this bill.
You work for a security contracting/consulting firm; it is in your own professional best interests to have cybersecurity information shared as "frictionlessly" as possible.
There are supporters of CISPA who believe we need it because private companies manifestly do not share information about attacks, and so one thing the government can do to resolve that is (a) to encourage them to do so, and (b) create a clearinghouse in the government to provide a default place for information to be shared.
I don't agree with those people; I think CISPA is pretty silly. But that's the argument.
Whether or not it's legal does not inform whether or not it is a positive step as far as privacy advocacy is concerned.
Laws such as this embolden those parties that seek to undermine privacy. It is one thing for someone to be able to say "According to a set of disparate laws, X action is legal" and quite another when "According to CISPA, X action is legal."
You're responding on a thread that provides chapter and verse citation to the statute that already made this kind of sharing lawful. You might just as productively oppose every bill for not fixing the ECPA.
I don't understand how "threats to national security" could possibly be broader than "incident to rendition of service" or "protection of rights or property of the provider".
Do you have a quote from, sic, "Dems" to this effect? One Dem isn't sufficient, you need "many". (Incidentally, "many" is one of my favorite weasel words).
If the Dems are bad on this issue for voting no, what does that make the people who voted yes?
You're aware this vote was in the house, right? So you've provided exactly zero out of "many" dems who voted against this bill because they wanted to do way worse.
What's your opinion of the republicans who voted yes for this bill? It must be worse than voting no, right? Or is this just a partisan issue?
I've no doubt that there have been democrats on the wrong side of these issues at various points. Chris Dodd was a democrat. But don't tell me a "no" vote is actually worse than a "yes" vote on this bill. The only way you can contort yourself into that position is putting partisan loyalty ahead of critical thinking.
I don't understand what you're trying to say here. The Administration has publicly stated that CISPA doesn't go far enough to protect critical information systems. The Administration supported the Rockefeller Senate Cybersecurity bill; the Republicans opposed it.
I have a generally low opinion of this bill, and of the Senate Cybersecurity bill. I think what's needed is liability, not do-nothing "sharing" or top-down Raytheon audits.
You can safely assume that I've actually read the bill (what I believe to be the final version, including the Amendments that survived) before commenting on it.
I'm sure the administration, in between threats to veto CISPA, said that it was also ineffective and you could construe that to mean they really want something way more invasive than this. I wouldn't, but you could.
So if you have a low opinion of this bill, how come the only people you came into this thread cursing are the people who voted against it?
Also, you actually read the bill? How many pages was it? Did you read all of the laws it references and amends as well? You're more versed on this matter than probably 95% of the congressmen who voted on it.
Please don't assume that CISPA is the first time this administration has said something about cybersecurity. If you want background for what tptacek is talking about, you can start with the administration's cybersecurity legislative proposal from about this time last year.
> Organizations that suffer a cyber intrusion often ask the Federal Government for assistance with fixing the damage and for advice on building better defenses. For example, organizations sometimes ask DHS to help review their computer logs to see when a hacker broke in. However the lack of a clear statutory framework describing DHS’s authorities has sometimes slowed the ability of DHS to help the requesting organization. The Administration proposal will enable DHS to quickly help a private-sector company, state, or local government when that organization asks for its help.
Companies can share info including server logs with DHS.
> Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.
Companies can share data with DHS and get immunity. Sound familiar?
> The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans.
This is where tptacek sees (probably rightly) a giant windfall for the Raytheon type companies.
Question 1: I'm not cursing the Democrats. I'm warning you: you will like their vision of how to secure "cyberspace" less than you will like CISPA. Go read the Rockefeller bill. I am not shilling for CISPA; I think CISPA is silly.
Question 2: Yes, I have read CISPA.
Question 3: CISPA is very short.
Question 4: Yes, I read all 4 of the amendments that survived the vote. CISPA doesn't specifically reference any other law, but I happen to be familiar with the ECPA and HIPAA too, for professional reasons.
I agree that I'm better versed on this matter than virtually everyone who voted for or against it, but that is faint praise indeed.
Well, I'll back off and call it a night, it was just supremely irritating, after seeing something like this passed, that the top comment on hacker news is saying the real bad guys are the ones who voted against it. I'll take you at your word that that wasn't your intention.
The truth is that the democrats voted against this and Obama publicly threatened to veto it. But you're wise in your cynicism that "they're all the same" and this is a trick to lull us into something worse.
I don't understand why you're so eager to ignore the policy that the Obama administration supports. I am, for what it's worth, an Obama fanboy. But it does not surprise me that Constitutional scholar or not, single-payer health care supporter or not, our Administration does not know how to "secure cyberspace", and actually has terrible and counterproductive ideas on how to do it.
The White House said, in the message where they signalled the veto (!), that part of their issue with the bill was that it didn't go far enough. Did you read that message? The whole thing? No? Why are you upset at me for reading it?
Because industry self-regulation vs. top-down government intervention is a partisan political issue. There's momentum to pass some bill about cybersecurity so that Congress can say it got something done; there will be no momentum after this bill becomes law.
CISPA is the GOP's response to the Rockefeller Cybersecurity bill from the Senate.