Civil Liberties Groups Speak Out Against CISPA in Lead Up to Hearings (eff.org)
203 points by rbur0425 on March 13, 2013 | hide | past | favorite | 111 comments



One of the biggest (and most frustrating) problems with the legislative process is that the people who really want this to go through KNOW that we - "the masses" - eventually start to suffer from "protest exhaustion". They can propose a bill - we can rally our troops and get on TV and black out Wikipedia and do 100 interviews and maybe - just maybe - we can kill it.

The first time. And maybe the second time. And maybe even the third time. But after a while we're going to start to get numb to the calls-to-arms. And eventually our sometimes-well-intentioned-but-pulled-in-30-directions representatives are going to stop getting those concerned phone calls and emails from constituents, and they're going to fall prey to the typical "think of the children" argument that often gets put forward on any security bill, and something ugly is going to get passed.

I hate resigning myself to this, but it's the disappointing reality.

What to do?


I worry that most of the opposition to this bill is based on FUD that EFF is spreading. Having experience actually working in the security industry and knowing the limitations that this bill is trying to address, the ability of the government and private sector to work together to keep malicious groups out of their networks, I recognize the necessity and intentions of this bill.

This isn't about spying on Americans. This isn't SOPA with a new name. This isn't about stopping piracy or spying on your facebook profile. This bill is about letting government agencies share intelligence on network threats with private companies so those companies can protect their customers information. None of the agencies or companies involved want to share any private information about their citizens or customers. There are lots of lawyers involved in the process to ensure that doesn't happen.

I wonder if some of that exhaustion is also what leads people to not read the bill or understand the context and just assume it's another anti-piracy bill.


I understand what you're saying, but when legislation is proposed I look at what it very easily could enable, not just what it's written to be for. When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have.

"None of the agencies or companies involved want to share any private information about their citizens or customers." The telcos have monetized their lawful intercept programs and receive bad publicity protection from the government by being legally entitled to keep it a secret. They now have a profit motive and the risk of bad publicity is low. And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.

If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath. So if you want to blame somebody for the confusion start with the people proposing this legislation.


You are not allowed to make arguments that are directly rebutted by the facts. There were drafts of CISPA that were published in which the assets protected by the bill (which defines attacks in terms of the familiar C.I.A. triad) included "IP", which would have included things like the source code to operating system drivers. But the bill that got voted on included a series of amendments, all published, that neutered that language because of exactly that concern.

CISPA is simply not about the interests of rightsholders.


CISPA is simply not about the interests of rightsholders.

The commenter to which you are replying did not make that assertion. The mention of IP was an attempt to identify the source of the confusion between cybersecurity and IP rights, not about CISPA specifically. Here's what the parent comment actually claimed:

When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have....

And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.

Nothing about rightsholders in there.


The bill is clearly not about rightsholders, so it is intellectually dishonest to suggest that there is a legitimate concern about power grabs by rightsholders in it. "I watch C-SPAN religiously and they're always talking about IP rights" is not a substitute for reading the bill.


The sentence you quote is referring to the confusion about the bill, not the bill itself. Again, the OP didn't claim that CISPA was about IP.


I disagree, but I don't think this subthread is important enough to litigate. If he wants to chime in and say "I absolutely am not saying CISPA is part of a scheme that will increase the powers of rightsholders", I'll apologize for mischaracterizing him.


I absolutely am not saying CISPA is part of a scheme that will increase the powers of "rightsholders." I don't see that in there. I was referring to the "spying" claim of the parent post of my first response.

My concern is with limiting of my right to civil suit against a corporation, and my fear that the bartering of these rights for information bypasses legal constraints on information collecting by government and law enforcement.


Do you think it is reasonable that an auto insurance company that operates under DPPA, or a classroom management service that operates under FERPA, or credit agency operating under FCRA, or nationwide bank under RFPA, or for that matter any online service managing information that could be considered stored communications --- do you think it is reasonable that these organizations should incur either the risk of a class action lawsuit or the expense of tens of thousands of dollars of legal review simply in order to push a worm signature or botnet identification or DDOS netflow information to a public clearinghouse? In other words, do you think it is in the public interest for you to retain the right to sue these kinds of companies to vindicate your theoretical privacy interest in network security data shared in good faith?

Thanks to Declan McCullagh downthread for making my arguments about CISPA more vivid by citing all the privacy regs CISPA interacts with. :)

Oh: by the way: if I understand you correctly, you're not at all concerned that CISPA is a backdoor attempt to enable copyright enforcement, and by rebutting that idea earlier, I mischaracterized your point. I apologize for doing that. CISPA makes me jumpy.


> If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath.

The trouble is that the effective, worthwhile and highly damaging cyberattacks all involve IP, in some way or another. There's not much value in taking down Coca-Cola's internal network. Stealing their M&A strategies or product roadmaps can be extremely lucrative/damaging (I recall seeing estimates that billions have been lost as a result).


No they don't. I think it is extremely confusing to talk about theft of data at the same time as talking about someone hacking a nuclear power plant to go into meltdown or something. When people say things like "cyber pearl harbor" at that time they could be talking about a DDOS that makes it impossible to do online banking or they could be talking about an attack on SCADA systems at a power plant that takes out power for a city. It really drives me nuts because either everybody in government talking about it is a poor thinker or they are intentionally being vague.


I have no idea what this comment is even trying to articulate. You suggest two kinds of "cyber attacks", one which cause power plants to malfunction and the other that attacks online banking. I am not sure what you think this distinction demonstrates about online security.

On the one hand, the attacks on power plants that you allude to are possible. Utilities have been networked and electronically controlled since the 1970s. Nobody builds networks on telephony or X.25 anymore; it's all IP. IP connectivity to insanely sensitive systems leaks routinely; moreover, application-level data sharing between Internet-connected systems and supposedly air-gapped backend systems is extremely common.

On the other hand, the "less serious" attacks you allude to are very very bad. Google and Hotmail aren't national utilities. But they are attacked by state actors because dissident organizations use them to communicate. For that matter, the Internet backbone is a collection of computers sharing information using a decades-old routing protocol for which policy is controlled by regular expressions.

Finally, if you run a startup and happen to say something I disagree with, such as "I think CISPA is a power grab by the content industry", I could today very easily push you off the Internet with a trivial DDoS attack. The people who extorted online casinos with DDoS botnets were not rocket surgeons. When I attack you for disagreeing with me online, and you call your ISP, guess what you're going to hear? "You're on your own". It is always very weird for me to see people on Hacker News, a hub for online startup news, downplaying the severity of DOS attacks. I've spent a decent chunk of my career in DOS mitigation and it is not remotely a solved problem.


I think the government has a legitimate interest in protecting against computer attacks on public infrastructure that could result in death, and I see a place in there for government involvement. To a lesser degree there is a legitimate interest for government regarding IP theft. But I think how the government is involved and what powers they have, are different for these two scenarios. I understand that they overlap. CISPA is going to give government a much expanded jurisdiction and I don't think the restrictions are fine-grained enough.


You give EFF too much credit. The ACLU, the American Library Association, the Center for Democracy and Technology, the Competitive Enterprise Institute and the Liberty Coalition (both libertarian/conservative groups -- the latter includes Bob Barr and Grover Norquist's Americans for Tax Reform), Reporters Without Borders, etc. sent a letter yesterday to Congress opposing CISPA.

I'm not sure why you think the very smart lawyers and legislative counsel at the ACLU, the ALA, etc. are incapable of reaching their own conclusions about the relative merits of legislation.

I hope you're right that CISPA isn't about spying on Americans. The problem is that, as written, it allows precisely that, with the cooperation of the same companies that have opened their networks to the FedGov in the past. If the wildcard language trumping all state and federal privacy laws were deleted, I think a lot of the (informed) opposition would vanish.

BTW, there were "lots of lawyers involved in the process" of creating SOPA. Look how that turned out. I'd be far more comforted if we had fewer lawyers and more technologists involved. :)

More: http://news.cnet.com/8301-31921_3-57422693-281/ and http://news.cnet.com/8301-13578_3-57574196-38/


What are the current barriers to agencies sharing intelligence with private companies? Can you give an anonymized/abstract example, where the FBI/etc might have actionable info about a 'cyber threat', and under current law can't pick up the phone or send an email warning private companies?


Primarily the barrier from government to company was that much of the valuable info was classified. The Obama executive order on cybersecurity created a mechanism to bypass this barrier that is similar to what was in CISPA.

So why pass CISPA now? To remove the barrier in the other direction, from company to government. Right now there are interpretations of certain federal laws that say that companies cannot share threat data with the government. In addition, public companies fear shareholder lawsuits if they were to disclose publicly that they have been hacked.

In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info to the government, which shares it with every other company--all basically in real time. That would prevent, or at least reduce, the issue now where one exploit works again and again and again at different companies.

Whether it is possible to do this while adequately protecting privacy is the issue. I'm not a lawyer but it seems to me like it should be doable if the language in the bill is done right.
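The sharing loop described in the comment above, and the question of whether attack data can be passed along without customer data riding with it, is easier to reason about with something concrete. The following is an added example, not code from the thread or from any CISPA-related program: it takes constructed netflow/IDS-style records from a hypothetical company, reduces each one to an external attack indicator (attacker address, port, protocol, signature, hour of first sighting), drops account and user identifiers, refuses to export flows where both ends are internal, and runs a final check that no stripped field survived. The internal address ranges, field names and sample records are all assumptions made for the illustration.

```python
"""Added example: minimising flow records into shareable threat indicators.

All addresses, ranges, field names and records below are constructed for the
illustration; nothing here comes from the original discussion or any real feed.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Hypothetical internal ranges of the sharing company (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow records, the kind of thing an IDS or netflow collector
# emits. They deliberately carry customer identifiers that must not be shared.
SAMPLE_FLOWS = [
    {"ts": "2013-03-13T14:22:07Z", "src_ip": "203.0.113.7", "src_port": 51234,
     "dst_ip": "10.20.30.40", "dst_port": 22, "proto": "tcp", "bytes": 48123,
     "customer_id": "acct-88213", "username": "alice", "signature": "ssh-bruteforce"},
    {"ts": "2013-03-13T14:41:55Z", "src_ip": "203.0.113.7", "src_port": 51990,
     "dst_ip": "10.20.30.41", "dst_port": 22, "proto": "tcp", "bytes": 50210,
     "customer_id": "acct-10442", "username": "bob", "signature": "ssh-bruteforce"},
    {"ts": "2013-03-13T15:03:12Z", "src_ip": "10.20.30.55", "src_port": 40211,
     "dst_ip": "198.51.100.9", "dst_port": 443, "proto": "tcp", "bytes": 1287,
     "customer_id": "acct-77301", "username": "carol", "signature": "botnet-c2-beacon"},
    {"ts": "2013-03-13T15:10:00Z", "src_ip": "10.20.30.55", "src_port": 40212,
     "dst_ip": "10.20.30.40", "dst_port": 445, "proto": "tcp", "bytes": 9000,
     "customer_id": "acct-77301", "username": "carol", "signature": "smb-lateral"},
    {"ts": "2013-03-13T15:12:30Z", "src_ip": "192.0.2.44", "src_port": 33002,
     "dst_ip": "10.20.30.40", "dst_port": 80, "proto": "tcp", "bytes": 700,
     "customer_id": "acct-88213", "username": "alice", "signature": None},
]

# Fields that must never appear in what leaves the company.
FORBIDDEN_KEYS = {"customer_id", "username", "src_ip", "dst_ip", "ts", "src_port"}


def _internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def to_indicator(flow: dict):
    """Reduce one flow to an external attack indicator, or None if it must not be shared.

    Rules (assumptions for the example):
    - flows without a signature are ordinary traffic and never leave the company;
    - the external end of the flow is the indicator; if both ends are internal
      (lateral movement) nothing is shared, since either address may identify a customer;
    - account/user identifiers and the internal address are dropped, and the timestamp
      is truncated to the hour to limit how precisely a record ties to one session.
    """
    if not flow.get("signature"):
        return None
    src_int, dst_int = _internal(flow["src_ip"]), _internal(flow["dst_ip"])
    if src_int and dst_int:
        return None
    if src_int:   # outbound, e.g. a C2 beacon: the remote destination is the indicator
        attacker_ip = flow["dst_ip"]
    else:         # inbound attack against one of our hosts
        attacker_ip = flow["src_ip"]
    hour = datetime.strptime(flow["ts"], "%Y-%m-%dT%H:%M:%SZ")
    hour = hour.replace(minute=0, second=0, tzinfo=timezone.utc)
    return {"attacker_ip": attacker_ip, "port": flow["dst_port"], "proto": flow["proto"],
            "signature": flow["signature"], "seen_hour": hour.isoformat()}


def build_share_set(flows):
    """Aggregate indicators so the recipient gets one row per
    (attacker_ip, port, proto, signature) with a hit count, not one row per victim."""
    counts = Counter()
    first_seen = {}
    for flow in flows:
        ind = to_indicator(flow)
        if ind is None:
            continue
        key = (ind["attacker_ip"], ind["port"], ind["proto"], ind["signature"])
        counts[key] += 1
        first_seen[key] = min(first_seen.get(key, ind["seen_hour"]), ind["seen_hour"])
    return [{"attacker_ip": k[0], "port": k[1], "proto": k[2], "signature": k[3],
             "hits": counts[k], "first_seen_hour": first_seen[k]} for k in sorted(counts)]


def leaks_private_fields(share_set) -> bool:
    """Final gate before transmission: True if any record still carries a stripped field."""
    return any(FORBIDDEN_KEYS & set(rec) for rec in share_set)


if __name__ == "__main__":
    out = build_share_set(SAMPLE_FLOWS)
    for rec in out:
        print(rec)
    print("private fields leaked:", leaks_private_fields(out))
```

On the constructed sample this exports two rows (the SSH brute-force source with two hits, and the C2 destination with one) and nothing for the internal-to-internal SMB flow or the unsignatured web request. The point of the `leaks_private_fields` gate is that minimisation is a property you verify on the outbound record, not one you assume from the code path that produced it; the same check belongs at the receiving end if a clearinghouse redistributes what it gets.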


>In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info the government, which shares it with every other company--all basically in real time.

But why does the government need the information at all? Why not have a private consortium of companies who share threat information under NDA (or, for that matter, just allow it to be published), and craft appropriate legislation to allow that?


CISPA allows exactly that to happen! Any "Cyber security provider" can collect and share information (on a voluntary, opt-in basis) under the act. Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves.

Did you read the bill? I'm not asking in an accusatory way; I'm wondering where you got your information from, so I can read it too.


>Did you read the bill?

Reading bills is usually a headache because they keep changing. Cue Pelosi's idiotic comment about having to pass the law so we can know what's in it. This one seems to be no exception: The original bill is talking about intellectual property, people complained about it, they removed that in later versions. EFF is complaining about how it doesn't put limits on what the federal government can do with the information, so they added some limits, but they're overly broad. (What does "national security" even mean? Because it's pretty plausible it's going to be read as "whatever the National Security Agency or Department of Homeland Security does with it.") I mean it's good that they're taking criticism into account and making modifications, but it seems like a really weird bill, and I think it's a good thing that it's getting a lot of scrutiny.

If you want me to go through it and complain about it, I can do that…

>CISPA allows exactly that to happen!

Not exactly. First of all, publication seems very much not to be the idea. Half the bill is talking about security clearances and the like, and how if you get "cyber threat information" from the feds (presumably even if they got it from other private sector entities) then it could still be classified and you can't publish it. And I don't see anything in the bill about the information becoming automatically declassified once a patch is available, so that's not going to be good for full disclosure. Plus, if I get this super secret threat information, now how do I e.g. submit a patch to the Linux kernel or OpenSSH to address it without impermissibly letting the cat out of the bag? Have they thought this one through?

But my original point was not that private entities could share information too, the point was, why should we want the federal government to have it? There is a real concern that they would use vulnerability information to advance their stupid "cyberwar" nonsense and then accidentally loose the network equivalent of the black plague, or use vulnerabilities to spy on people and expand their warrantless surveillance of the world population. I can see why they might be able to use the information to patch their own systems, but I would be a lot happier to see a specific restriction that disallows anyone from using any information received under these provisions for offensive or surveillance purposes.

>Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves

I don't think that's the part people have a problem with. It's not the information coming out of the government (assuming it really is technical information and not anything that identifies individuals or impinges on privacy), rather it's the information going back into it to feed proto-Skynet.

But let's talk about some of the other crazy things.

1) It seems like a major part of the legislation is the grant of immunity for entities that share information. Which is a really very strange thing. Why do these entities need to be exempted from all state and federal laws? Can we not identify the specific ones that are problematic and then fix them? Certainly at least identifying them would be useful. I'm not really comfortable with the idea of exempting companies from prosecution for, say, polluting the water supply or murdering bystanders when they're reporting or responding to cybersecurity vulnerabilities. And if we can't even identify the laws we're concerned about, that seems like a problem more in need of our attention than this.

2) Why are individuals explicitly excluded from qualifying as "protected entities" or "self-protected entities" that would otherwise qualify them for the immunity provision? Are Microsoft and its employees for some reason more deserving of immunity than e.g. Moxie Marlinspike, or any random schmuck who finds and wants to report a security vulnerability?

3) There is a whole list of things under "protection of sensitive personal documents" like library circulation records and medical records. First of all, how is any of that sort of thing the sort of thing that should qualify for this in the first place? But never mind that. If those things would otherwise qualify, shouldn't we then be concerned about a lot of other stuff that isn't on the list, like browsing history, search history, financial records, purchasing history, location data, etc.?

4) The section on liability for wrongful disclosure by the federal government is pretty extreme. I'm not happy with it as a taxpayer. So if the federal government screws up (it's been known to happen) and releases a vulnerability e.g. in some financial software that causes a trillion dollars in damages to other countries, the U.S. taxpayer is on the hook for that to any person adversely affected, not because they had any responsibility for the vulnerability but only because the government disclosed it? No thank you. How about instead we put some personal liability on the government employee(s) who actually made the wrongful disclosure.

5) The bill does a lot of talking about the U.S. federal government and not a lot of talking about state governments or foreign governments. It looks like they may qualify as entities however, and if they don't then that's weird (because what if I want to share threat information with my city or state or Canada or something?). But then we're exempting state governments and foreign governments from all state and federal laws for "decisions made based on cyber threat information identified, obtained, or shared under this section"? What???

This is where I reiterate my concern that we're exempting them from laws against things like murder, kidnapping, wiretapping, espionage, terrorism, etc. Granted the exemption requires acting in "good faith" -- but that's putting a lot of work behind two fuzzy words.

The whole immunity thing seems like a huge kludge that doesn't address the underlying problem, which is really the Aaron Swartz problem. Some laws are unnecessarily complicated, overly broad or poorly drafted such that liability under them is arbitrary and unreasonable, but instead of carefully fixing the bad laws individually, we just throw them all away in this one specific case and let anyone else subjected to their continuing insanity fend for themselves.


Wow. Ok. Let me take a shot at this.

* Bills start as draft language. The draft is circulated so that organizations like ACLU can point out things like "this bill gives too much deference to content rightsholders". The bill's authors then say, "that's not at all the intent of the bill" and then fix the language. It is very weird to complain about this, since it's the system actually working in the public interest. So, sorry, you're going to have to keep reading the bill. Also: CISPA is tiny. You can read it inside of 5 minutes. It isn't PPACA, the bill Pelosi commented on.

* I don't think software vulnerabilities are the best or most likely example of information that will be shared from the USG to the private sector under CISPA, but to the extent it is, you can simply assume that a (say) OpenSSH bug disclosed under CISPA to (say) Facebook is going to be patched immediately. I am a vulnerability researcher; that's my profession. It is a near-consensus among vulnerability researchers that the sooner vulnerability data is published, the safer we all are. I find it difficult to be concerned that CISPA might get OpenSSL flaws published faster. If that happens, great.

* If organizations don't want to share vulnerability information with the USG, they don't have to. CISPA is entirely opt-in. Moreover: vulnerabilities are a bad example of information CISPA enables sharing for. Companies can already lawfully share vulnerabilities with the USG. There is a whole cottage industry of small companies that sell vulnerabilities to the intelligence services. To the extent that your concerns about CISPA involve trafficking in privacy-harming exploit code (a very legitimate concern in general), you are (respectfully) ill informed about the current state of cybersecurity regulation.

* The reason CISPA preempts existing privacy laws and provides protection from liability is because there are lots of different privacy regulations on the books that make it difficult for companies operating in certain verticals to share any data without expensive legal review. If you deal with classroom data, you've got FERPA. If you have driver records, you have DPPA. CISPA does not repeal DPPA or HIPAA or FERPA; instead, it simply says that as long as companies are dealing in good faith with attack data --- "cyber threat information", a term the bill goes to some lengths to define --- they can reasonably assume they won't get sued for violating HIPAA by sharing that attack data.

* Individuals are exempted as private entities to protect individual privacy. The intent of that definition as stated by the bill's authors was to prevent CISPA from being interpreted as a mechanism for ISPs and the USG to enter into agreements to track individual customers. See "Myths and Facts About CISPA" at the House Intelligence Committee page. So: you have that concern exactly backwards.

* I don't have any response to your concern that the USG should not be liable for negligence in publishing sensitive data. I see it as a good thing that the bill creates accountability for the handling of the data, and wish there was more accountability in the bill, not less.

There are other questions in your comment that I didn't address because I didn't understand them, sorry.


Go on the offensive. Instead of just fighting to kill legislation like CISPA, lobby for legislation that will guarantee the freedom of the internet. That will unequivocally protect people's liberties on (and off) the internet.


The special interests behind legislation like CISPA have professional lobbyists and millions of dollars to pay them. If you're a private citizen and want a law passed at the federal level, you need to have a cute and young white child who died due to something your law legislates against. Otherwise you don't stand a chance of being heard.


That's a bullshit excuse. If you can't raise a few million dollars for your cause, it's probably because nobody gives a shit about your cause.

You think we got clean air, clean water, etc, legislation passed because Sierra Club and Earth Justice are rolling in money? No, it's because they have a cause that people care about and passionate volunteers that dedicate their lives to fighting for it. It's not the system's fault that people don't understand nor care about stuff like CISPA.


They've also got politicians who would love to go to their constituents during campaign season and tell them "Look, I supported clean air!" Contrast this to opposing civil liberties restrictions, which can very easily and effectively be spun by political opponents as leaving America open to terror attacks. Even with the PATRIOT Act, something much more substantial than CISPA, political opposition has been limited to some relatively marginal politicians who are extremely popular in their jurisdictions and not likely to be ousted.


> They've also got politicians who would love to go to their constituents during campaign season and tell them "Look, I supported clean air!"

Because there are people who actually care about clean air.

> Contrast this to opposing civil liberties restrictions, which can very easily and effectively be spun by political opponents as leaving America open to terror attacks.

Supporting environmental legislation is very easily spun by political opponents as costing America jobs.

The amount of political opposition to environmental laws is otherworldly. There are a few companies here and there making money off things like Rapiscanners, but the companies whose profits are hurt by environmental regulations account for trillions in US revenue each year. Everything from Exxon Mobil to small chemical plants with $10 million in revenues. And while "think of 9/11" has a certain impact, it's not only fading but even at its peak never compared to the visceral cultural opposition towards environmental laws. Industries impacted by environmental laws are literally ways of life in many parts of the country. People in Pennsylvania, West Virginia, etc, fight to allow coal companies to keep poisoning them as part of their cultural heritage.

To put things into context: adding up U.S. box-office, DVD/Blu-Ray/etc, and music (digital and CD) revenues doesn't break $40 billion a year. Apple by itself made more than that last quarter. Exxon by itself makes 10x as much in a year, and there are 8 other petroleum companies in the Fortune 100. But environmentalists somehow manage to get some wins. While tech people whine incessantly about how "the system" is why they can't make any headway against the RIAA/MPAA.


The RIAA/MPAA/News Corp/Disney/etc. own the means of communication to the masses. This is changing with the Internet, which is why they are so opposed to Internet-friendly legislation.


So? When have you ever seen them actually use that to push their legislative agenda? Tech companies are far more active in using their status to push politics (e.g. SOPA protest).


Pushing their agenda: "You wouldn't download a car"?

Not covering other agendas: basically any news agency ever that only covers one side of a story (e.g. anti-gun-control news stations only reporting positive gun news, pro-gun-control stations only reporting negative gun news, no news stations reporting on anything outside the viewer-driving manufactured hot button issues). Another example, though this is an isolated case, there was a station in Nevada during the 2008 campaign season that only showed the polling numbers of their selected candidates, even though another candidate was polling higher than some of the ones they listed.


> Pushing their agenda: "You wouldn't download a car"?

I'm not sure I've ever seen one of these in a movie or DVD. I sure as hell saw the "kill SOPA" stuff Wikipedia, Google, etc, put up while I was trying to use their service for something else.


Maybe you're using an unlicensed DVD player (like most computer savvy users) that skips the previews and warnings and jumps straight to the movie. They're practically ubiquitous in the forced-viewing sections of DVDs and Blu-rays.


Actually, the MPAA have shoved their legislative agenda down the throats of moviegoers for many, many years now. Why do you think there are still people who make the mistake of calling copyright violations "theft" even after billions of bytes have been wasted on that semantic debate? Because a constant stream of propaganda has been devoted to drawing that connection in all of our minds.


What "constant stream of propaganda?" I've never seen a movie that tells me to think of copyright violation as "theft." Indeed, the standard "FBI copyright warning" at the beginning of movies calls it infringement.


>Contrast this to opposing civil liberties restrictions, which can very easily and effectively be spun by political opponents as leaving America open to terror attacks.

How is that different from anything else? Pollution controls are painted as "job killing regulation" or "will raise the price of energy" or whatever this year's talking points are.

I kind of get the feeling that the reason things don't get done is only that people think they can't do anything. So they don't write to Congress or protest or donate money to EFF, and then their pessimism becomes self-fulfilling and self-reinforcing.

If you want change then you have to make it happen.


It's not the system's fault that people don't understand nor care about stuff like CISPA.

Actually, it is. The "system" (or, more accurately, the emergent collective behaviors of well-moneyed groups acting in their self interest) tells the masses what to care about, and thanks to being brought up by the "system", they eat it up. Thanks to the direction of the "system", we still have political debates about the age of the Earth, evolution, and other emotionally loaded issues that have no actual bearing on matters that have a substantial impact on the future of the planet.


So start soliciting donations and hire your own professional lobbyist. The amount of whining about how the political process is broken because it actually takes work to influence legislation is a little ridiculous.


Better: Start forming a coalition of private individuals and companies, and use that group to hire lobbyists. The game is broken, but you can't win if you refuse to play.


You can certainly enjoy your life a lot more if you take your ball, go home, and play with your computer. Who knows, computers may even turn out to be popular in a decade's time.


I've come to the conclusion that mainstreaming a technology results in the technology conforming to the mainstream, rather than the mainstream adopting the interests of the early adopters of the technology.


Which is precisely how it should be. Technology is for the use and convenience of the masses--it's not a vector for political minorities to spread their ideological viewpoints. My mom doesn't need to listen to Vint Cerf's politics to use TCP/IP to trade pictures of my kid with my wife's mom.


Yes, clearly the capabilities of technology shouldn't inform people's philosophies. They should continue to receive their views via mass media social pressure instead.


The capability of technology should inform people's philosophies, not the personal beliefs of the creators.


However, the personal beliefs of the creators inform the design of the technology. And the resulting technology's capabilities can render this moment's squabbling moot.


Yet somehow the Loud Commercials Lobby lost to the Reasonable Volume Commercials masses. Too bad that couldn't have been something important.


Getting such a law passed does nothing to prevent a future law from saying the opposite.


>Getting such a law passed does nothing to prevent a future law from saying the opposite.

What it does is make the proposal for the future law look like a much larger departure from the status quo, which makes it a harder sell. Furthermore, members of Congress don't like to change their positions for a number of reasons relating to both ego and what it allows election opponents to put in political advertisements, so if you can get them on record supporting your cause then you make them less likely to go against you in the future.


Unless you amend the Constitution. Good luck!

EDIT: Another option is for the courts to decide that freedom was guaranteed in the Constitution all along. But courts are unpredictable so again, good luck!


Amendment 21 (repeal of Prohibition). Nothing is forever.


It's not the reality; lines can be and are held. For example, drilling in ANWR has been proposed for decades and it still isn't happening, because the organizations who fight are smart about when they fire up their troops.

In addition, environmental type people are not reflexively opposed to/afraid of the federal government, so they are willing to educate themselves about the process and the issue. They learn to distinguish between issues, and when a threat is real vs. perceived.

In comparison the Internet enthusiast community seems to largely persist in the fantasy that the government should not (or cannot) have a role in the regulation of the Internet. Thus when issues do come up, they are ignorant and reactive. And they are eager for issues to go away so that they can go back to "normal" i.e. ignoring the government.


I really don't think these kinds of bills will end until there is an amendment passed expressly guaranteeing rights relating to internet (or, perhaps more broadly, network) freedom.

In fact, I doubt even that will stop these kinds of laws from being introduced. However, it will give a firm and easy foothold to dismissing them. Similarly, it will become that much easier to retroactively have them removed if they violate an amendment.

The exact text of this kind of amendment would be difficult to craft; frankly, I'm not a lawyer, and I have no idea where or how to start crafting this. However, I do fully believe this is the ultimate winning endgame for this kind of legislation.

We need a "legal hacker" a la Richard Stallman to craft something like this.


You need a heck of a lot more than a legal hacker to get a Constitutional Amendment passed.


Step one is to get a good, versatile amendment written. For that, you need a "legal hacker". Step 2 is getting support, which probably would not be particularly difficult. Step 3 is actually going through process, and is probably the most difficult step.


You are especially likely to become numb to calls to arms when they are in fact cries of "wolf".

SOPA was a genuinely invasive bill and a clear power grab by the content industry. It created a new special second-class "tainted" designation for content sites that refused to play ball with rightsholders and gave rightsholders new means to prosecute their rights outside of civil courts. It was understandable and --- even though I'm a supporter of copyright in general --- commendable that organized opposition to SOPA killed that bill outright.

CISPA is nothing like SOPA.

To begin with, CISPA has none of the same objectives of SOPA. It isn't about the content industry at all. In fact, when early opposition to CISPA by organizations like EFF started catching on, its sponsors scrubbed the bill of language that could have been read (in a stretch) as protecting rightsholders. CISPA is about online security attacks, not about piracy.

Next, CISPA isn't invasive. SOPA threatened to create a kangaroo court system of copyright-noncompliant sites that the content industry could starve by banning commercial transactions with them. CISPA is an opt-in bill; the USG cannot compel any organization to cooperate with any USG agency, but instead creates a facility that companies can use if they need to share attack information but don't want to spend $100,000 in ECPA-interpreting legal review each time they do it.

In fact, CISPA in practice probably has more to do with information moving FROM the USG TO private companies. The USG spends hundreds of millions of dollars a year monitoring its networks (which together constitute the largest IT organization in the world). It is true that the largest IT org in the world happens to be a shitty IT shop, but it has nevertheless built up about a decade of experience tracking malware and botnets and DOS attack information; when Blaster broke out, the experience of the Navy Marine Corps Intranet getting overrun by it was some of the first shared among ISPs. All sorts of random rules prevent USG IT shops from running any kind of central clearinghouse of attack information, and still more rules prevent any of that information from being published.

I don't particularly like CISPA. It obviously sounds like I do, but that's because the uninformed paranoia about CISPA is so virulent that any measured take on the bill sounds like cheerleading. I don't care whether CISPA passes or doesn't pass. But it drives me a little bananas to see how easily the ostensibly curious and well-informed people on HN are bamboozled by identity politics on issues like this.

It's a tiny bill, as bills go. Just go read it.


It is true that some of the criticism of CISPA is off the mark. So was some of the criticism of SOPA. It does not necessarily follow that _all_ of the criticism of CISPA is uninformed, and in fact much of it is perfectly accurate. Rebutting uninformed criticism may be an entertaining hobby, but it leaves the informed criticism unrebutted.

I have yet to hear a good argument for why we need CISPA to override all federal and state privacy laws, including laws restricting what companies can turn over to the government in the absence of legal process. In programmerese, CISPA is a wildcard approach -- an "rm -rf *" -- when you haven't done an "ls" to see what's in the directory first. Perhaps one or two need to be overridden for good reason, but why not specify them instead of using a wildcard?

Here are some details: http://news.cnet.com/8301-31921_3-57422693-281/

What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so.

By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.")

"Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."


I answered your last paragraph upthread.

Since otherwise reputable sources are running articles suggesting that CISPA is "the worst bill since SOPA" and "a power grab by the content industry" and "a backdoor warrantless wiretap" and "a mechanism by which the feds will read our email", I respectfully disagree with you about the utility of refuting uninformed criticism of the bill. Most of the criticism of the bill is uninformed.


I've already stipulated that some articles are ill-informed or even wrong. Sadly not everyone who writes about legislation reads it first. But some of us do. :)


If you truly don't understand why many are opposed to it, you should read the EFF FAQ page.

It doesn't matter what the objectives are, or whether or not the intention is to protect rights holders. It matters what the law actually allows as written. That's what we take issue with.

And yes, I have read the entire thing.


We've both read the law! We can actually have an interesting discussion! Even if we both know we're not going to convince each other.

What does the law as written allow to have happen that you object to?


Your comment wasn't directed at me, but see the fourth Q&A pair here, and my response above: http://news.cnet.com/8301-31921_3-57422693-281/


The bill supersedes privacy and communication laws, but is (a) opt-in and (b) severely limited in scope.

Specifically: CISPA provides a positive authority for sharing only "cyber threat information", which is defined in the bill: (i) information about a vulnerability, (ii) information about a confidentiality/integrity/availability threat, (iii) information about denial of service or destructive attacks, and (iv) efforts to hack into systems and exfiltrate data.

The bill includes language that explicitly exempts the kind of stuff Aaron Swartz got caught up in: it exempts attacks that "solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access." That exclusion is repeated multiple times in the definitions section of the bill.

The bill explicitly does not cover individuals, in a fashion that the bill's authors say affirmatively prevents it from being used to allow ISPs to share individual customer records.

So: back to you. What specific state or Federal privacy measure is compromised by CISPA, and how?


Thanks for your polite response. Two thoughts: First, I'm not interested in what politicians say in defense of their bill -- I'm interested in what the actual text of the bill says.

Second, asking what specific privacy law is overruled is a bit odd because -all- of them are. ECPA, SCA, Wiretap Act, FCRA, DPPA, FERPA, PPA, RFPA, TCPA, VPPA are among them, and that's not even counting state privacy laws. Remember, CISPA is a legal wildcard. Asking your question is like asking "what specific file does rm -rf * delete?"


I'm not interested in what politicians say either, except to the extent that in a court challenge, when judges look to interpret the intent behind the statute, they have a clear signal by the authors of the bill that the statute was designed to prevent the collection of personal information by ISPs. Which was why I brought that up.

Your second graf begs my question. Obviously we're both aware of the ECPA and SCA. My question was, in what way do the preemptions on those acts materially harm the public interest? Put it this way: if you think that CISPA is in direct conflict with SCA, then clearly you can imagine situations in which e.g. Facebook could collect Netflow data from a DDOS attack and then worry that they'd somehow contravene SCA by sharing the information. Doesn't that "conflict" explain the need for an act like CISPA?

I'd also note that the first three acts you cited --- obviously the three most important, because they cover the integrity of online communications in general and not with respect to any particular application domain --- already contain exemptions similar in spirit to the ones in CISPA:

* ECPA permits providers to collect and in some limited cases share information that is related to the maintenance of their own infrastructure

* SCA permits collection and monitoring of stored communication by the operators of stored communication services

* The Wiretap Act allows operators to intercept and monitor signals causing disruption to networks

CISPA harmonizes collection and sharing of data in cases of direct adversarial attacks. Compared to the exceptions in (for instance) ECPA, CISPA is narrowly tailored and very specific.

Furthermore, when you point out all the laws encumbering sharing of attack information, you start to make the preemption point for me. It may already be possible to share attack information, so long as it doesn't involve raw emails, and the attack information is shared by telecom providers under the ECPA maintenance exemption. UNLESS YOU'RE AN AUTO INSURANCE COMPANY, in which case Congress helpfully (and reasonably!) enacted a specific privacy regime under DPPA, which means now simply to have Progressive push netflow records to Verizon they might have to incur $50,000 in legal review, by the end of which the attack will be over.

Instead of repeating my original question --- how exactly does CISPA conflict with existing privacy laws in ways that harm the public interest? --- why don't I ask the question in a different framing. If we stipulate that the problem we're talking about here does exist --- that Advocate Health Care in Illinois would incur significant and unnecessary legal risk in pushing netflow DDOS information to a public clearinghouse --- what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?

Incidentally: can you do better than thanking me for a polite response? I'm not actually sure I'm being that polite anyways; I feel like I'm being blunt and direct. But on the other hand, you wrote a comment with a complicated technical question last night at 1:00AM, and when you didn't get a prompt response, you accused me of "handwaving". Can I argue now that it's pretty obvious that neither of us is "handwaving", and that we've both done our homework, or at least way more homework than most CISPA commenters have done? Instead of thanking me for polite responses, could you instead just not impugn my motives or intellectual honesty again? We can then just chalk our initial static up to "message boards and politics".

PS: The worst, most crazymaking thing about CISPA debates online is that they invariably put me in the position of "CISPA advocate". I have a position in the CISPA debate: "CISPA is not evil". I think if you believe like I do that CISPA is facially benign, the way organizations like EFF are choosing to message against it starts to get disquieting. But my position does not carry into "CISPA is a great idea". A sane argument against CISPA is that it forestalls a needed reform across all online privacy bills to enable network security to function sanely. CISPA might be a bad idea. I am not a CISPA advocate. I just don't think it's overtly contrary to the public interest.


So, I didn't really answer because I knew you were kind of baiting me with that question. Whatever I wrote, you probably knew that you were going to be able to reply with "they can already do that under ECPA" (HN has had that discussion previously and I was paying attention). So let's just fast forward all of that.

Last time around, I believe you said CISPA is one giant legislative NOP. I think you have probably revised your position on that. Someone is trying very hard to pass this, and they don't do that for no reason. There is something very important in CISPA to someone.

It sounds like at least part of the reason for it, in your interpretation, is related to legal assurances. Since you have studied both, can you provide an effective 'diff' between CISPA and ECPA, within the scope of 'cyber'?

For what it's worth, after doing some basic searching on who is backing it and what their business objectives are, I feel like it is more probable that there is not evil intent behind CISPA at this time.

The problem, as I said, and as described by EFF, is that it is vague in many key areas (I'm not going to enumerate them, it's too tedious and not relevant enough to go into specifics). Look at the CFAA. The intent there was not to nail a MAC address spoofing wget loop or a fake email submitted to a captive portal to the wall for 35 years. The intent behind the PATRIOT act, at least as far as some supporters were concerned (even though they were probably duped) was actually to fight terrorism. Both have since become wildcards for bad actors to do things that the original supporters didn't intend. We have to expect this when we write laws.

It's the same as auditing C. You know those conversations you have with those "special" clients who respond to your bug report by saying "yeah, but that is only meant to hold a username, no one is REALLY going to try and have a 2GB username"? This is the legal equivalent.

> what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?

This is an unreasonable rebuttal. "It's not perfect, but you don't have anything better" is not how we make laws. Obviously, a journalist or a security consultant discussing something as important as this is not going to just spit out a bill that solves every problem in an HN comment.


I still don't think CISPA is vital or that it will make much of a difference in online security. Part of the reason I think that is that I have (from previous companies) some professional familiarity with how attack data is already shared. It's cumbersome and not very effective but I don't think CISPA fixes it.

The comparison to CFAA is interesting. Long before the drama with Aaron Swartz (drama you and I are probably on the same page about), CISPA was revised to blunt that concern: TOS violations are explicitly exempted from the sharing provisions of the act. So if you're an online music store and someone starts mass-exploiting a vulnerability to take music without paying for it but doesn't threaten the integrity of your actual computers, you can't share that attack information under CISPA. To me, that is a level of specificity and care that is unique to CISPA. Even the Wiretap Act, which exists almost entirely to suppress monitoring of communications, leaves much larger holes for service operators to monitor traffic.

So my response to you on this --- and I recognize that you want to avoid the nitty-gritty details, and that's fine --- is that CISPA is substantially more detailed than other online regulations. It is written more carefully to cover operational security issues than HIPAA is; it's far more specific than Sarbox was; it actually (IMO) narrows what could already be shared under ECPA, and it does this by spelling out in detail what an actual online security attack is.

I am specifically not making the argument that you have to propose a better bill to justify not passing this one! I agree, that is an infuriating objection. I'm saying, your proposed privacy-protecting language would help clarify the concerns you have with CISPA, so that we could be more sure we're debating each other and not past each other.

Finally, we disagree more than we agree about online policy, across the board. So any time this stuff comes up, any time I ask you to clarify something, you can reasonably expect me to follow up with some kind of rebuttal. I appreciate how that feels like being baited, but I'm not doing it in bad faith. Agreement for the sake of decorum is boring, isn't it? Let's just say what we think.


To clarify on the baiting comment, I didn't intend to accuse bad faith or mean that was generally applicable to debates. For this particular issue, we have already advanced beyond that point in the conversation last time this was on HN, and I just wanted to expedite that. "Debate fatigue" or something :)

So my eventual reply is, if I list off my concerns and you point out that it's already possible to do those things, what is CISPA adding? Let's start the conversation there.

I'm not sure if it's a fallacy to appeal to common sense, but I don't buy that someone is pushing this through so hard to narrow what can already be shared. Even though you are certainly more familiar with previous relevant legislation, I feel pretty safe in saying that if that is your interpretation, it has to be incorrect.

Nobody spends money trying to take permissions away from themselves, and nobody versed in this area of law isn't already aware of their capabilities under ECPA.


I guess, if I was going to put my CISPA-advocate hat on, which I don't like because it is an ugly hat that I think my cat peed on, I would say this:

It is already possible for service providers to do the things CISPA enables them to do. However, under current regulations, it is legally risky for them to do it. Some of what they do incurs legal risk. Some of the legal risks mean that whole companies in some verticals won't entertain any conversation about information sharing because they're encumbered by specific privacy rules which, while important, were never intended to hamstring network security. As a result, there is much less information sharing now than there could be.

If I was going to put my political analyst hat on, which is ugly but at least doesn't smell like cat piss, I would point out the following:

CISPA came into being less an urgent fix to an immediate problem than as a response to another, more interventionist approach to regulating cybersecurity. That other approach would essentially have the USG "pick winners" in the information assurance market and, down the road, would allow the USG to designate certain private companies as "critical infrastructure" that would require the commercial ministrations of those companies. The winners in that scenario would have been Raytheon, Lockheed, and SAIC. Nobody in private industry wanted that, and it was antithetical to the Republican House, so they came up with an industry-friendly counterproposal.


Do you think that EFF vs AT&T would have been easier to dismiss, post-CISPA?


No. What part of AT&T's defense involved operational network security? For whatever it's worth: AT&T's complicity in NSA monitoring of overseas traffic involving American citizens was despicable.


I'm not sure if you are still watching this thread, but EFF posted a blog article today that covers where I was going with that thought:

https://www.eff.org/deeplinks/2013/03/consequences-cispas-br...

I don't share their concerns about the "hack back" thing. It's hard to take that seriously.


This is part of why I've decided to no longer politically support (vote for, nor contribute to) "the best of a bad lot".

Perhaps I'll be "throwing my vote away". Nonetheless, next time around, I'll be choosing from amongst the other choices.

For the Federal elections, it's early enough in the cycle that if people start doing this en masse, it might have some real influence.


I keep telling people this, because it can't be emphasized enough: The reason your choice in the general election is between a giant douche and a turd sandwich is that those are the people who win the primaries. If you want to change that, vote in the primaries.


Supporters include companies like AT&T, Facebook, IBM, Intel, Oracle Corporation, Symantec, Verizon, and Microsoft.

http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...

I'm envisioning a web dashboard that lets federal agents do fuzzy queries on individuals, to see all the sites visited, emails sent, web searches, browsing habits, etc, from all the IP addresses used by the given individual in the past several years. The system would aggregate information gathered from ISPs and web companies. The government can already get anything they want from an ISP or web company, but they have to do it on a case by case basis and it is probably annoying to correlate information across sources. In the future, I imagine that a federal agent can go to his big brother dashboard, type in a name, and have immediate access to all sorts of information gathered from credit card companies, search providers, ISPs, telecoms.


That would be scary, if CISPA had anything to do with any of that.


I find it a great way to tell if a person is worth engaging on this issue based on whether or not they think CISPA involves the government proactively asking for information.


I would bet, at least for the NSA and probably the FBI, this already exists. It just isn't quite as real-time as they would like it to be. Instead of the instant fuzzy-search, it's a couple of quick letters, but the oversight seems to be about the same.


Don't forget an "add person to cyber threat watchlist" button!

It should automatically advise internet services that a person/account may be trouble, thus granting those private companies the blanket "exemption from liability... for decisions made based on cyber threat information identified, obtained, or shared under this [law]." (That's one of the most concerning vague and elastic provisions in the current proposed bill text.)

There should also be a 'redress number' subsystem, for when people on the watchlist start noticing their accounts being restricted or disabled, and want to make the case they're not the bad guy the agent who pressed the button thought they were.


Are you actually advocating for these, or just trying to point out how extreme the government's powers could be if CISPA were passed?


Just tell the gun lobby that if any of the Gun Shops keep an online database of their customers that's subject to the law. No need to worry about a national gun registry, the GOV gets it for free. Get the NRA involved and ALL OF CONGRESS will run screaming about how this goes against the 2nd Amendment.


This actually would work. I think the general public either (a) doesn't know about this law at all or (b) doesn't think it will interfere with their daily activities. Getting other big organizations who value privacy would help solve both problems. I think that anyone who begins to understand the law will be opposed to it.


The Gun Shop would have to volunteer that information to the government according to CISPA, so that wouldn't work.


Political maneuvering has nothing to do with what CISPA actually says (as many others in this thread have pointed out).


The bill is too short to lie about what's in it. Anyone with about 5 minutes and a 4th grade reading level can at least muddle through.


For anyone wants to read it you can find the full text here: http://www.govtrack.us/congress/bills/112/hr3523/text


As a wise man pointed out on HN the last time around, we haven't won when this law fails to pass. We've only won when a law explicitly stating the opposite passes.


So what you're saying is, the best possible thing to happen would be a law specifically preventing any American company from relaying threat information --- packet captures of exploits, netflow traffic profiles of botnets, &c --- to the US government, and, further, preventing any agency in the USG from providing traffic capture information, packet filter information, or botnet identification information to private companies.


No. In my mind, the best possible thing to happen would be a law specifically preventing any American government agency from requiring any company to hand over such information without due process. Sadly, you would think this was already clear enough from the constitution, but there are already enough loopholes that it happens anyway. Another good thing would be for American internet companies to voluntarily adopt and adhere to privacy policies along the same lines.


CISPA does not require any company to hand over any information to the USG without due process!


I think you're taking the "opposite" in my initial post more literally than I intended. My point was that if the law seeks to violate certain rights to privacy we believe we have, the law being struck down is not the final solution. The final solution is the rights to privacy we believe we have being successfully codified into law, to prevent the bad parts from being practical options in the future. I did not mean to imply that each term in CISPA be logically negated and passed into law.


He isn't saying CISPA should be opposed, but rather, additional specific legislation to protect individuals' data from being retrieved by the government without due process.


But that is already unlawful.


I think the recent thread about how people can be compelled to keep searches and confiscations secret makes my point sufficiently clear. I think by "due process" you mean "according to the law". By "due process", I mean in a very fair, transparent, limited and well-defined way.

edit: Specifically, this is a precedent that is a big step in the right direction for this kind of thing, IMO: https://news.ycombinator.com/item?id=5382891


I was pointing out a misunderstanding of what he was saying.


The White House petition against it passed 100,000 signatures, too:

https://www.techdirt.com/articles/20130311/16221022286/white...


I am never more reminded of how smart people can succumb to groupthink than I am when I read HN posts about CISPA. There are a lot of misconceptions about the law, including what kind of data gets shared (only relevant threat data, this isn't your bank account info, and the RIAA can't sue you if shared data reveals you to be torrenting movies - can elaborate more on this if there's interest), who does the sharing (orgs share to the government voluntarily), who has access to the sharing (government and people the government decide to share the data with), etc.

I saw an infographic a little while back that I thought made a pretty good representation of what the bill actually proposes, I wonder if anyone has a link available to it.


It's not necessarily the letter of the law that people are worried about, it's the overreach that would result once it's on the books.


The USG is actively prevented by current regulations from setting up a clearinghouse that would collect netflow signatures, botnet identification, and traffic captures of exploit code and then sharing that information with companies like Google and Facebook.

Private companies can and do share (heavily scrubbed) electronic signature information, but must go through contortions to do so, and incur huge legal costs to do it. As a result, only the largest companies participate in these efforts.

Because the USG is more or less enjoined from participating in clearinghouses with private companies, information sharing networks are handshake affairs that are often unknown to anyone outside tier-3 network engineering. Other private IT security product companies run de facto clearinghouses, but only for their customers.

As a result, when your startup gets DDoS'd and you call your ISP for help, they generally can't do shit to help you. It may annoy you to know that if your connectivity provider is large, there is a group in there that could offramp your traffic to internal "scrubbing centers" to peel off DDOS traffic. But because high-end DDoS protection at ISPs is done sub rosa, startups have a very hard time finding these people.

There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it. And all it appears to take to fuel that hysteria is statements like "think of the overreach that will happen once a law hits the books".


How do your last two paragraphs follow from the first three? How does having large companies share threat data help your small startup mitigate a DDoS?

There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it.

This sounds an awful lot like, "We must do something. This is something, therefore we must do this."


ISPs propagate flow-based snapshots of attacks to populate filters and redirect traffic to scrubbing centers, but they do so discreetly in part because of concerns about how well their data --- which is used exclusively to generate filters --- has been anonymized.


What "regulations" are those that weren't addressed by the president's executive order last month? Can you provide a cite to an actual federal law that says this?


Are you suggesting that the President's EO gave the federal government a blanket authority to publish threat information to the private sector?


No, what I'm asking you for is an actual citation to federal law or the U.S. Code of Federal Regulations that backs up your claim ("USG is actively prevented by current regulations from setting up...")

That you failed to provide any, even though I think my request was fairly clear, provides strong evidence that you're unable to do so and your pro-CISPA argument was hand-waving, not based on facts or the law.


Or that you asked at 1:00AM.

Two responses, briefly:

1. FISMA spells out in positive terms that incident data collected by agencies is to be reported out to LEOs and the national security services unless otherwise designated by the President, and

2. much of the data we're discussing is classified, so, 18 U.S.C. § 798 is a starting point.

Do you dispute that, say, botnet identification data collected by DoD is classified? Do you have a source to suggest otherwise? I did network security product work at Pentagon with Arbor Networks and they were bananas about classification, operating an entire clone of their enterprise network to account for classification.

I find it interesting that you can publish an article that suggests CISPA is a backdoor attempt at warrantless wiretapping but accuse other people of handwaving.


Now we're getting somewhere!

You're right, of course, that federal agencies have the power to classify data. But I think saying that overclassification happens all the time is not a controversial statement; President Obama in 2010 signed the Reducing Over-Classification Act and the DOD IG announced last November that it is reviewing DOD classification procedures. One of the 9/11 Commission members concluded: "Much more information needs to be declassified. A great deal of information should never be classified at all."

So if the only reason we need CISPA is that DOD is inadvisedly classifying botnet data as SECRET, then a sensible fix is for DOD to declassify it. Or, that failing, Congress could amend 18 USC 798 to allow that to happen. Laws, like computer security, should follow the principle of least privilege, and enacting a broad wildcard law that overrides all federal and state laws to fix a narrow botnet-classification problem violates that principle.

Also: the primary criticism of CISPA is that it overrides all other state and federal laws in allowing the transfer of customer data from private companies to .gov, .mil and other organizations. You're defending .gov->.com data transfer, which is hand-wavingly orthogonal to an explanation of why a wildcard override for .com->.gov data transfer is necessary.


I don't understand how your last graf connects to your first.

Start here: packet captures and netflow traces from operational military networks are a textbook definition of something that reasonably should default to "classified".

So then the fact that CISPA preempts classification is the mechanism by which it crafts the exception allowing that stuff to be published. The law says "you can keep classifying secops data on military networks, but when you come across material that would be valuable to the public if sent to a clearinghouse, CISPA preempts classification".

How is that not a sensible measure? And in context, isn't it clear that preempting things like classified disclosure laws is just a pragmatic measure, since reforming all of classification is a huge can of worms, and not some sinister attempt to create a backdoor wiretapping mechanism?


Having read the criticism the EFF's been pointing at CISPA, I fail to see how they're interpreting the bill to mean that such overreaching is even possible. I want to see what sort of changes the EFF would make to the current bill which would satisfy the privacy concerns they're claiming exist.

I think everyone agrees that companies should be able to describe to the cops what the guy who robbed them looked like, and those companies should be able to tell their customers they've been robbed without getting sued by their shareholders because the ensuing PR fallout tanks the stocks.


Should we use the internet bat signal[1] on this issue? What do you guys think? Is it already under discussion?

[1] http://internetdefenseleague.org/


I suppose I would ask what privacy-protecting language would make the approach envisioned in CISPA (cyber threat data sharing) acceptable to privacy-oriented organizations like the ones listed. If the answer is "none," I would question their good faith in the process--or at least the public face they put on it.



This "CISPA is the next SOPA" meme is about as fact-based as "Electronic Arts is literally Hitler." I'm not telling you it's good or bad, but it's not remotely SOPA. It isn't even addressing the same general topic as SOPA.


SOPA isn't really related to CISPA all that much, I don't know why people think they're similar.


Because the EFF actively campaigned (dishonestly) against CISPA as a sort of second coming of the objectives of SOPA.



