

Netflix Could Be Classified As a 'Cybersecurity Threat' Under New CISPA Rules - bane
http://motherboard.vice.com/read/netflix-could-be-classified-as-a-cybersecurity-threat-under-new-cispa-rules

======
cheald
Man, this is some _terrible_ reporting.

Here's the bill:
[http://www.feinstein.senate.gov/public/index.cfm/files/serve...](http://www.feinstein.senate.gov/public/index.cfm/files/serve/?File_id=08de1c1b-446b-478c-84a8-0c3f35963216)

It's actually called the "Cybersecurity Information Sharing Act", not the
"Cybersecurity Information Protection Act" (the latter makes googling
sufficiently hard). The definition in question states:

> (7) CYBERSECURITY THREAT - The term cybersecurity threat means an action,
> not protected by the First Amendment to the Constitution of the United
> States, on or through an information system that may result in an
> unauthorized effort to adversely impact the security, availability,
> confidentiality, or integrity of an information system or information that
> is stored on, processed by, or transiting an information system.

That is quite a far cry from "anything that makes information unavailable or
less available".

The First Amendment qualifier itself offers extremely broad protections, since
the only qualifying actions would be things which the government could already
legally forbid (that is, any communication which would already be protected
from censorship or government reprisal under the First Amendment would not
qualify as a threat under this bill).

Do journalists even read these bills they're reporting on?

All that said, it's Feinstein, so it's a pretty good bet that she's serving a
corporate interest with this bill and has absol-friggin-lutely no idea about
the technology she's proposing to regulate.

All _that_ said, can someone make a cogent (hah) argument as to why network
engineers should not be able to benevolently police their networks to minimize
the degradation of flow of information? That's the side of net neutrality that
nobody ever really seems to talk about - we all want to keep business
interests from extorting companies through traffic shaping (which is
legitimate), but then we all want high-priority routing for all our latency-
sensitive traffic, even if our neighbor is torrenting a copy of all the porn
on the internet. Net neutrality is a two-edged sword, one which would prevent
monopolistic abuses at the expense of exposing the network to failure by
tragedy of the commons, and I constantly wonder why we fail to talk about the
flipside of the dumb pipes coin.

~~~
SAI_Peregrinus
Net neutrality isn't about preventing QoS, it's about preventing ISPs from
degrading service based on the source of the packet, instead of on the
protocol.

For example with net neutrality an ISP shouldn't be able to slow down or block
Skype while allowing its own VOIP service to work at full speed, but it should
be able to give all VOIP packets higher priority than HTTP packets.

The recent squabbles about paid peering agreements aren't really a part of
what was originally meant by net neutrality, they've been tacked on and mostly
serve to confuse the issue. They can be a problem, but they're a different
problem.

~~~
cheald
Part of the problem is that there are multiple parties with multiple
definitions of what has become a catchphrase to generally mean "I want fast
internet".

The EFF says net neutrality is "the idea that Internet service providers
(ISPs) should treat all data that travels over their networks equally"
([https://www.eff.org/issues/net-neutrality](https://www.eff.org/issues/net-neutrality)).
That is, without regard to _both_ source and protocol. They
specifically list Comcast throttling the BitTorrent protocol as an example of
a violation. The people leading the charge against net neutrality are very
squarely opposed to the idea of QoS (malevolent and benevolent) at the ISP
level.

I have very little issue with saying "thou shalt not differently prioritize
same-content traffic by originating IP" (provided said sources are actually
not engaged in abusive behavior, i.e., DDoS attacks or similar), but that's not
what _most_ people are talking about when they talk about net neutrality -
they're literally talking about dumb pipes which carry and route every packet
at the same priority as every other packet, and that's...just not how the
internet works. Some packets are more latency-sensitive than others. You
aren't really going to care if your BT or Netflix packets have 1k MS latency
as long as the throughput is high, but you're really going to have an issue
with your VOIP and online gaming packets when there's a 1-second delay on both
ends of the pipe.

------
tptacek
This is a potently stupid article.

Surprisingly though, the primary source it tried to work from is quite good:

[https://d1ovv0c9tw0h0c.cloudfront.net/files/2014/06/CISA-Let...](https://d1ovv0c9tw0h0c.cloudfront.net/files/2014/06/CISA-Letter-62614.pdf)

The shorter story here is: the Senate is introducing a new version of CISPA,
called CISA, and CISA is broader than CISPA. It also (ludicrously) introduces
into federal law a privilege for private entities to conduct "countermeasures"
against threats.

Communications from collaborative efforts to squelch regulation are often
misleading, superficial, and hyperbolic. But after reading the new CISA bill,
and having read both CISPA and its amendments 2 years ago, I find all the
points here compelling (none of them are that CISA would class Netflix as a
"threat").

It would be sad if all the deception used in the effort to kill CISPA created
space for a much worse bill to pass instead.

------
pstop
Nope, that's too much of a stretch and doesn't pass legal muster. Just FUD. I
wish we didn't see these, because it makes noise when there are real issues
here.

------
opendais
While this is FUD..."making information less available" as a crime is a
ridiculously broad brush to paint with. :/

~~~
tptacek
I agree, and so does the Senate. Two things:

The bill defines a "cybersecurity threat" as:

    
    
        (7) CYBERSECURITY THREAT.—The term “cybersecurity threat”
        means an action, not protected by the First Amendment to the
        Constitution of the United States, on or through an information
        system that may result in an unauthorized effort to adversely
        impact the security, availability, confidentiality, or integrity
        of an information system or information that is stored on,
        processed by, or transiting an information system.
    

Second, this bill doesn't create _any_ new criminal statutes.

------
shmerl
Since Netflix has DRM shouldn't it be always viewed as a security threat?

I.e. DRM always increases security risks, so it always should be viewed as
potential malware.

UPDATE: I guess some here like DRM? That's quite surprising.

~~~
pstop
You're likely being downvoted for not adding to the conversation, and simply
trying to cheerlead.

~~~
sigzero
That is exactly the reason. "Netflix deserves to be seen as a threat" is just
nonsense.

~~~
shmerl
_> "Netflix deserves to be seen as a threat" is just nonsense._

No, any DRM deserves such treatment. It's not more nonsense than DRM treating
all its users as potential criminals by default. It's a symmetrical response.

And, all sensible security experts agree that DRM never makes security better
- on the contrary, it always makes it worse.

~~~
pstop
> It's not more nonsense than DRM treating all its users as potential
> criminals by default.

It is nonsense, treating a user as a criminal is not a security threat. DRM is
just encryption, and although I'll agree that some containers (flash
primarily) have been vectors, so has every other piece of software that has
any filesystem access. The DRM itself is NOT a security threat.

I dislike DRM, and clearly envision a day where it's no longer used. But your
argument doesn't address the article, nor does it add any value to the DRM
conversation as a whole. Again, cheerleading.

~~~
shmerl
It addresses the criticism of the article which (criticism) misses the forest
behind the trees. I.e. Netflix deserves to be viewed as a threat indeed. Just
for different reasons.

 _> It is nonsense, treating a user as a criminal is not a security threat.
DRM is just encryption_

Tell it to these folks:
[https://en.wikipedia.org/wiki/Sony_rootkit](https://en.wikipedia.org/wiki/Sony_rootkit)

Or to security experts:
[https://www.schneier.com/blog/archives/2007/02/drm_in_window...](https://www.schneier.com/blog/archives/2007/02/drm_in_windows_1.html)

DRM is obviously a security threat because of its very nature.

~~~
pstop
Nope. Still not understanding.

~~~
shmerl
It's really simple. Trust is a mutual relation. I.e. since DRM always views
users as potential criminals, it's natural always to view DRM as potential
malware (and thus a security threat).

Here it's put in easy to understand terms:
[https://www.youtube.com/watch?v=XgFbqSYdNK4](https://www.youtube.com/watch?v=XgFbqSYdNK4)

Practice proves that point spectacularly, because DRM always has an
overreaching unethical nature (since it's an overreaching preemptive policing
which uses the logic of presumption of guilt). As the Sony exec voiced the
core idea behind DRM:

 _> We will develop technology that transcends the individual user. We will
firewall Napster at source - we will block it at your cable company. We will
block it at your phone company. We will block it at your ISP. We will firewall
it at your PC... These strategies are being aggressively pursued because there
is simply too much at stake._

(See
[https://en.wikipedia.org/wiki/Sony_rootkit#Background](https://en.wikipedia.org/wiki/Sony_rootkit#Background)
).

I.e. overreaching nature of DRM straight from the DRM proponents' mouth. And it
applies to all DRM by its very definition.

