
Civil Liberties Groups Speak Out Against CISPA in Lead Up to Hearings - rbur0425
https://www.eff.org/deeplinks/2013/03/34-civil-liberties-groups-speak-out-against-cispa-lead-hearings
======
nlh
One of the biggest (and most frustrating) problems with the legislative
process is that the people who really want this to go through KNOW that we -
"the masses" - eventually start to suffer from "protest exhaustion". They can
propose a bill - we can rally our troops and get on TV and black out Wikipedia
and do 100 interviews and maybe - just maybe - we can kill it.

The first time. And maybe the second time. And maybe even the third time. But
after a while we're going to start to get numb to the calls-to-arms. And
eventually our sometimes-well-intentioned-but-pulled-in-30-directions
representatives are going to stop getting those concerned phone calls and
emails from constituents, and they're going to fall prey to the typical "think
of the children" argument that often gets put forward on any security bill,
and something ugly is going to get passed.

I hate resigning myself to this, but it's the disappointing reality.

What to do?

~~~
daten
I worry that most of the opposition to this bill is based on FUD that EFF is
spreading. Having experience actually working in the security industry and
knowing the limitations that this bill is trying to address, the ability of
the government and private sector to work together to keep malicious groups
out of their networks, I recognize the necessity and intentions of this bill.

This isn't about spying on Americans. This isn't SOPA with a new name. This
isn't about stopping piracy or spying on your facebook profile. This bill is
about letting government agencies share intelligence on network threats with
private companies so those companies can protect their customers' information.
None of the agencies or companies involved want to share any private
information about their citizens or customers. There are lots of lawyers
involved in the process to ensure that doesn't happen.

I wonder if some of that exhaustion is also what leads people to not read the
bill or understand the context and just assume it's another anti-piracy bill.

~~~
Torgo
I understand what you're saying, but when legislation is proposed I look at
what it very easily could enable, not just what it's written to be for. When I
look at what's being proposed I see that the government is using its sovereign
power to trade away my right to civil suit against a company in event of a
data loss, in exchange for that company handing over private information
(that very well can include customer information) without a warrant. In big,
broad, abstract ways this is to my benefit if it improves "cyber security" but
it also removes some specific rights I have.

"None of the agencies or companies involved want to share any private
information about their citizens or customers." The telcos have monetized
their lawful intercept programs and receive bad publicity protection from the
government by being legally entitled to keep it a secret. They now have a
profit motive and the risk of bad publicity is low. And the civil liability
immunity agreement (as I understand it) in CISPA will effectively act as a
giant gift that only a sovereign power can grant: "we'll offer you protection
from being sued if you just hand over business data without a warrant."

If you want to talk about confusing, I watch C-SPAN constantly (it's an
illness) and whenever anybody in the legislative or executive branch talks
about "cyber security" they always talk about IP protection and "preventing a
cyber pearl harbor" in the same breath. So if you want to blame somebody for
the confusion start with the people proposing this legislation.

~~~
tptacek
You are not allowed to make arguments that are directly rebutted by the facts.
There were drafts of CISPA that were published in which the assets protected
by the bill (which defines attacks in terms of the familiar C.I.A. triad)
included "IP", which would have included things like the source code to
operating system drivers. But the bill that got voted on included a series of
amendments, all published, that neutered that language because of exactly that
concern.

CISPA is simply not about the interests of rightsholders.

~~~
nitrogen
_CISPA is simply not about the interests of rightsholders._

The commenter to which you are replying did not make that assertion. The
mention of IP was an attempt to identify the source of the confusion between
cybersecurity and IP rights, not about CISPA specifically. Here's what the
parent comment actually claimed:

 _When I look at what's being proposed I see that the government is using its
sovereign power to trade away my right to civil suit against a company in
event of a data loss, in exchange to that company for it handing over private
information (that very well can include customer information) without a
warrant. In big broad, abstract ways this is to my benefit if it improves
"cyber security" but it also removes some specific rights I have....

And the civil liability immunity agreement (as I understand it) in CISPA will
effectively act as a giant gift that only a sovereign power can grant, we'll
offer you protection from being sued if you just hand over business data
without a warrant._

Nothing about rightsholders in there.

~~~
tptacek
The bill is clearly not about rightsholders, so it is intellectually dishonest
to suggest that there is a legitimate concern about power grabs by
rightsholders in it. "I watch C-SPAN religiously and they're always talking
about IP rights" is not a substitute for reading the bill.

~~~
nitrogen
The sentence you quote is referring to the confusion about the bill, not the
bill itself. Again, the OP didn't claim that CISPA was about IP.

~~~
tptacek
I disagree, but I don't think this subthread is important enough to litigate.
If he wants to chime in and say "I absolutely am not saying CISPA is part of a
scheme that will increase the powers of rightsholders", I'll apologize for
mischaracterizing him.

~~~
Torgo
I absolutely am not saying CISPA is part of a scheme that will increase the
powers of "rightsholders." I don't see that in there. I was referring to the
"spying" claim of the parent post of my first response.

My concern is with limiting of my right to civil suit against a corporation,
and my fear that the bartering of these rights for information bypasses legal
constraints on information collecting by government and law enforcement.

~~~
tptacek
Do you think it is reasonable that an auto insurance company that operates
under DPPA, or a classroom management service that operates under FERPA, or
credit agency operating under FCRA, or nationwide bank under RFPA, or for that
matter any online service managing information that could be considered stored
communications --- do you think it is reasonable that these organizations
should incur either the risk of a class action lawsuit or the expense of tens
of thousands of dollars of legal review simply in order to push a worm
signature or botnet identification or DDOS netflow information to a public
clearinghouse? In other words, do you think it is in the public interest for
you to retain the right to sue these kinds of companies to vindicate your
theoretical privacy interest in network security data shared in good faith?

Thanks to Declan McCullagh downthread for making my arguments about CISPA more
vivid by citing all the privacy regs CISPA interacts with. :)

Oh: by the way: if I understand you correctly, you're not at all concerned
that CISPA is a backdoor attempt to enable copyright enforcement, and by
rebutting that idea earlier, I mischaracterized your point. I apologize for
doing that. CISPA makes me jumpy.

------
Cieplak
Supporters include companies like AT&T, Facebook, IBM, Intel, Oracle
Corporation, Symantec, Verizon, and Microsoft.

[http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...](http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act#Supporters)

I'm envisioning a web dashboard that lets federal agents do fuzzy queries on
individuals, to see all the sites visited, emails sent, web searches, browsing
habits, etc, from all the IP addresses used by the given individual in the
past several years. The system would aggregate information gathered from ISPs
and web companies. The government can already get anything they want from an
ISP or web company, but they have to do it on a case by case basis and it is
probably annoying to correlate information across sources. In the future, I
imagine that a federal agent can go to his big brother dashboard, type in a
name, and have immediate access to all sorts of information gathered from
credit card companies, search providers, ISPs, telecoms.

~~~
rayiner
That would be scary, if CISPA had anything to do with any of that.

~~~
diminoten
I find it a great way to tell if a person is worth engaging on this issue
based on whether or not they think CISPA involves the government proactively
asking for information.

------
ericjeepn
Just tell the gun lobby that if any of the Gun Shops keep an online database
of their customers that's subject to the law. No need to worry about a
national gun registry, the GOV gets it for free. Get the NRA involved and ALL
OF CONGRESS will run screaming about how this goes against the 2nd Amendment.

~~~
diminoten
The Gun Shop would have to volunteer that information to the government
according to CISPA, so that wouldn't work.

~~~
wmf
Political maneuvering has nothing to do with what CISPA _actually_ says (as
many others in this thread have pointed out).

~~~
diminoten
The bill is too short to lie about what's in it. Anyone with about 5 minutes
and a 4th grade reading level can at least muddle through.

~~~
fision-e
For anyone who wants to read it, you can find the full text here:
<http://www.govtrack.us/congress/bills/112/hr3523/text>

------
TallGuyShort
As a wise man pointed out on HN the last time around, we haven't won when this
law fails to pass. We've only won when a law explicitly stating the opposite
passes.

~~~
tptacek
So what you're saying is, the best possible thing to happen would be a law
specifically preventing any American company from relaying threat information
--- packet captures of exploits, netflow traffic profiles of botnets, &c ---
to the US government, and, further, preventing any agency in the USG from
providing traffic capture information, packet filter information, or botnet
identification information to private companies.

~~~
TallGuyShort
No. In my mind, the best possible thing to happen would be a law specifically
preventing any American government agency from requiring any company to hand
over such information without due process. Sadly, you would think this was
already clear enough from the constitution, but there are already enough
loopholes that it happens anyway. Another good thing would be for American
internet companies to voluntarily adopt and adhere to privacy policies along
the same lines.

~~~
tptacek
CISPA does not require any company to hand over any information to the USG
without due process!

~~~
meric
He isn't saying CISPA should be opposed, but rather, additional specific
legislation to protect individuals' data from being retrieved by the
government without due process.

~~~
tptacek
But that is already unlawful.

~~~
TallGuyShort
I think the recent thread about how people can be compelled to keep searches
and confiscations secret makes my point sufficiently clear. I think by "due
process" you mean "according to the law". By "due process", I mean in a very
fair, transparent, limited and well-defined way.

edit: Specifically, this is a precedent that is a big step in the right
direction for this kind of thing, IMO:
<https://news.ycombinator.com/item?id=5382891>

------
mtgx
The White House petition against it passed 100,000 signatures, too:

[https://www.techdirt.com/articles/20130311/16221022286/white...](https://www.techdirt.com/articles/20130311/16221022286/white-house-petition-against-cispa-gets-over-100000-signature-threshold.shtml)

------
diminoten
I am never more reminded of how smart people can succumb to groupthink than I
am when I read HN posts about CISPA. There are a lot of misconceptions about
the law, including what kind of data gets shared (only relevant threat data,
this isn't your bank account info, and the RIAA can't sue you if shared data
reveals you to be torrenting movies - can elaborate more on this if there's
interest), who does the sharing (orgs share to the government voluntarily),
who has access to the sharing (government and people the government decide to
share the data with), etc.

I saw an infographic a little while back that I thought made a pretty good
representation of what the bill actually proposes, I wonder if anyone has a
link available to it.

~~~
Wingman4l7
It's not necessarily the letter of the law that people are worried about, it's
the overreach that would result once it's on the books.

~~~
tptacek
The USG is actively prevented by current regulations from setting up a
clearinghouse that would collect netflow signatures, botnet identification,
and traffic captures of exploit code and then sharing that information with
companies like Google and Facebook.

Private companies can and do share (heavily scrubbed) electronic signature
information, but must go through contortions to do so, and incur huge legal
costs to do it. As a result, only the largest companies participate in these
efforts.

Because the USG is more or less enjoined from participating in clearinghouses
with private companies, information sharing networks are handshake affairs
that are often unknown to anyone outside tier-3 network engineering. Other
private IT security product companies run de facto clearinghouses, but only
for their customers.

As a result, when your startup gets DDoS'd and you call your ISP for help,
they generally can't do shit to help you. It may annoy you to know that if
your connectivity provider is large, there _is_ a group in there that could
offramp your traffic to internal "scrubbing centers" to peel off DDOS traffic.
But because high-end DDoS protection at ISPs is done _sub rosa_, startups
have a very hard time finding these people.

There is an actual problem with online security attacks right now, and
hysteria over any USG intervention with the Internet at all is helping
perpetuate it. And all it appears to take to fuel that hysteria is statements
like "think of the overreach that will happen once a law hits the books".

~~~
nitrogen
How do your last two paragraphs follow from the first three? How does having
large companies share threat data help your small startup mitigate a DDoS?

 _There is an actual problem with online security attacks right now, and
hysteria over any USG intervention with the Internet at all is helping
perpetuate it._

This sounds an awful lot like, "We must do something. This is something,
therefore we must do this."

~~~
tptacek
ISPs propagate flow-based snapshots of attacks to populate filters and
redirect traffic to scrubbing centers, but they do so discreetly in part
because of concerns about how well their data --- which is used exclusively to
generate filters --- has been anonymized.

------
tocomment
Should we use the internet bat signal[1] on this issue? What do you guys
think? Is it already under discussion?

[1] <http://internetdefenseleague.org/>

------
snowwrestler
I suppose I would ask what privacy-protecting language would make the
approach envisioned in CISPA (cyber threat data sharing) acceptable to
privacy-oriented organizations like the ones listed. If the answer is "none,"
I would question their good faith in the process--or at least the public face
they put on it.

------
halviti
Obligatory Maddox from SOPA 1

<http://thebestpageintheuniverse.net/c.cgi?u=pass_sopa>

~~~
diminoten
SOPA isn't really related to CISPA all that much, I don't know why people
think they're similar.

~~~
tptacek
Because the EFF actively campaigned (dishonestly) against CISPA as a sort of
second coming of the objectives of SOPA.

