
The reason it's hard to parse is that random amendments can be added late in the game which totally change the meaning of the law (of course, they could be added to any bill). And, I was trying to be charitable.



It's funny you should mention that. Random amendments were in fact added to CISPA 2012. They did things like, for instance, ensuring that terms of service violations wouldn't constitute cyberthreats, or making it clear that the bill wasn't intended to stop piracy.

The amendments are public too. You can actually read them.

As you can see, I'm not very charitable about this. Nerds are to online regulation what the Michigan Militia is to gun control. I respect and defer to fact-based objections to CISPA, but I have no patience for the (large set of) people who simply make things up about it to try to win arguments.


There's a legitimate reason for the Internet Hate Machine to try to preempt bad law -- it takes a long time to power it up, and sometimes bad law is forced through quickly. The forcing through bad laws with minimal public comment and debate (epitomized by PATRIOT) is the real problem, there, though. There is no possible argument that CISPA, SOPA, or PIPA issues are so pressing as to not allow a reasonable period for commentary and debate.


I feel like I'm being charitable by discussing CISPA as if it was somehow similar to SOPA or PIPA, because CISPA has nothing whatsoever to do with SOPA or PIPA.

I do not have a problem with people who generally oppose Internet regulation of all sorts (I don't agree, but I don't make fun of them either).

I do have a problem with "Internet Hate Machines" of all sorts. You are not entitled to invoke principles to deploy bad facts.

Have you read the 2013 House CISPA amendments? I have. They're public. I'm guessing, no, right? Are you a gambling man? Would you like to bet me how agreeable they are relative to the text of the bill itself? The 2012 CISPA amendments tightened and restricted the act. What do you think the new 2013 amendments do?


The connection between SOPA/PIPA and CISPA goes the other way; anti-SOPA/PIPA entities are using CISPA to fundraise and influenceraise, independent of the reality of CISPA.

The only amendments I've read about in 2013 are PII removal and removing the "national security" terms, both of which are civil liberties enhancements. (although I don't know where to find the actual text of the amendments). The 2012 amendments were improvements to baseline CISPA (especially the ToS vs. CTI clarification, which was my only real objection to CISPA originally). I do not think I'd take your bet; the probability of something bad being attached is low, but if something bad is attached, it's high severity, so moderate risk. You'd give odds based on probability and I'd want based on expected-harm.

Re: IHM. Reasonable people don't really win at politics. Look at how AARP/etc. essentially eviscerate anyone who thinks of touching Medicare or SS. Thus, horrible public policy (wealth transfers from the poor and young to the old and wealthy!) persists in the face of all logic. That it does shows how effective their lobbying/rabble-rousing strategy is.

Civil libertarians tend to err on the other side, for "what would be best for society", and end up with all kinds of bad stuff happening to them.

I'm ok with "ends justify means" in this case -- if "means" is "make everyone in Congress terrified of any cyber-laws which aren't explicitly and transparently improvements to individual privacy and freedom."


>(although I don't know where to find the actual text of the amendments).

This¹ site lists the amendments and has a PDF for each. I'm not sure if it's all of them or contains the ones you mention. The PDFs are dated and some are Feb-April 2013. This PDF² seems to be the current bill with the amendments accounted for in the text ("H.R. 624 as Amended").

edit: I just noticed that ² has a date of Feb. 2013 while some of the amendments have April 2013 dates, so I don't think it's the most current version.

¹ http://intelligence.house.gov/hr-624-bill-and-amendments

² http://intelligence.house.gov/sites/intelligence.house.gov/f...


I have read the 2013 House CISPA amendments and wrote about them here: http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...

I'd be interested to hear defenders of the legislation explain why CISPA remains such a lovely bill after the House Intelligence committee rejected these four amendments that were aimed at protecting privacy:

* Limiting the sharing of private sector data to civilian agencies, and specifically excluding the NSA and the Defense Department. (Failed by a 4-14 vote.)

* Directing the president to create a high-level privacy post that would oversee "the retention, use, and disclosure of communications, records, system traffic, or other information" acquired by the federal government. It would also include "requirements to safeguard communications" with personal information about Americans. (Failed by a 3-16 vote.)

* Eliminating vague language that grants complete civil and criminal liability to companies that "obtain" information about vulnerabilities or security flaws and make "decisions" based on that information. (Failed by a 4-16 vote.)

* Requiring that companies sharing confidential data "make reasonable efforts" to delete "information that can be used to identify" individual Americans. (Failed by a 4-16 vote.)


I kind of hate those amendments (without having read them). I'm not really defending CISPA (I would like better security, but I generally distrust the government both for competence and for goals/morality/ethics).

1) NSA and USAF are specifically the only parts of the USG I want to have access to this data. I trust NSA and DOD way more than I trust FBI, DEA, etc. to not fuck me personally if my data is somehow included in a dump given to them for anti-terrorism purposes.

2) Useless bureaucrat. I don't believe in oversight of government by government; mandatory reporting requirements to the public, with independent watchdogs like EFF/ACLU, are the only thing which would really work for me.

3) Vague thing is vague.

4) I don't really want companies to have to do PII filtering; I'd rather they be able to dump bulk data if under attack, since J. Random big dumb company or non-security startup is in no position to do forensics, filter, etc.


It would have taken me 19 paragraphs to make the same points. I agree with all of them.

Ryan, your head seems to be screwed on properly, so what are the things you would like to see done to CISPA to make it commercially feasible to share bulk data when banks or ISPs come under sustained attack?


in reply to tptacek below (I think I'm still within the too-many-nested-replies thing)

I don't know if it's possible to limit CISPA, while keeping it useful, enough to keep civil libertarians happy. The best solution is probably to take a page from my much more seriously followed personal legislative issue: gun rights.

I'm actually in favor of universal licensing/background checks and such for firearms, if implemented correctly (not building a registry, using a technical solution to make it possible to trace ownership of a gun without enumerating all guns owned by a person, etc.)

But, the gun lobby/gun owners rightly fear any new regulations are just there to kick them down the slippery slope, so they dig in their heels and oppose everything.

The way around it, I think, is to have a good background check bill proposed which ALSO eliminates a bunch of ineffective existing regulations (allow import of 1968+ MGs, non-sporting-use weapons, no 922(r) parts count, sale of transferable new post 1986 MG under existing NFA rules, removal of SBS/SBR/suppressors from NFA, potentially CCW reciprocity). There's enough pro gun stuff in that to make up for the risk/fear of the new licensing regulation.

Maybe do the same thing with CISPA -- information sharing, but at the same time address the NSL issue, fix anti-circumvention in DMCA, potentially limit CALEA (I hate that it applies to anything but POTS telephony), etc. I'm not sure what specific concessions should be made, but the idea of trading some relaxing ineffective or bad existing law for new law seems like the best way forward.


To be fair: THOMAS is usually very slow at putting up amendment text, sometimes taking weeks or months after a vote to put up floor amendments.

(I have complained, and they said they should be there the next day, but then I pointed out about 25 cases where it wasn't, and they kinda stopped talking :P)


In this case the amendments were online on a .gov site about six hours or so after the vote (thanks, I suspect, to my bugging the committee).


(THOMAS being the Library of Congress document management system).



