

The Disturbing Privacy Dangers in CISPA and How To Stop It - sathishmanohar
https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it

======
dguido
I'm not sure I have a problem with companies under attack sharing IDS logs.
This whole EFF post seems like a stretch. I think "threat information" is
pretty clearly not my mom's personal e-mail, unless my mom is some kind of
Tibetan supporter and China has been dropping her 0days daily, in which case
it might be nice to have the government send my e-mail provider a heads up or
for my e-mail provider to warn other people who might be affected.

Can we save the grandstanding for actual privacy issues?

~~~
sehugg
A law that grants immunity for sharing vaguely defined information for a
vaguely defined purpose, and then authorizes the government to use that
information for vaguely justifiable purposes is not an actual privacy issue?

~~~
tptacek
No, it's not, because the law of the land already allows service providers to
voluntarily share information about the usage of their service (i.e., email if
they operate an email service) to the government without restriction, so long
as that sharing is incident to an effort to protect their own service.

In other words: service providers can share any information that is ostensibly
about abuse of their own services; what they can't do is feed information
about e.g. drug trafficking conducted over their service to help build a case
against drug trafficking.

CISPA also relies on voluntary sharing and is also framed around efforts to
protect services.

That doesn't make it a good bill. I don't think it is, and I "oppose" it (for
whatever that's worth). But I oppose it because it's an ineffective measure,
not because it's a threat to the Internet.

------
tptacek
I've been pretty consistently disappointed with how EFF has been portraying
this bill (which I don't support), to the point where it's causing me to
re-evaluate the EFF as a whole.

The ACLU has had a much more measured response. Instead of trying to mobilize
opposition to the bill by depicting it as "SOPA 2" (which it clearly isn't),
they provided a list of suggestions for narrowing and refining the language in
CISPA. The new draft reflects many of their concerns.

At its heart, CISPA is mostly a publicity measure meant to provide its
sponsors with a veneer of having "done something" about the growing threat to
industry by determined nation-state attackers (which is a real, if perhaps
overhyped, threat to our national security). The kernel of intervention in
CISPA --- the _only_ thing CISPA actually "does" --- is an "official"
provision for sharing information between service providers.

Some things you should know before you make up your mind about how dangerous
that sharing is:

* It is already _broadly_ allowed by the pre-PATRIOT 1986 Electronic Communications Privacy Act, which requires only that information be shared in conjunction with an actual effort to maintain services by the provider of the service itself, establishes no limits on the amount of information shared _or who it's shared with_, explicitly carves out the ability for providers to share information with officials acting under color of law during criminal investigations (without a warrant!), and makes no mention whatsoever of anonymizing or stripping PII (ironically unlike CISPA).

* It reflects already-in-place common industry practice: providers are already sharing often-detailed information about attacks.

* The "monitoring" of your emails is already so commonplace and widely accepted that it forms the basis for products like Google Mail; the capture and sharing of your email during criminal investigations is, sadly, already allowed without a warrant in many US venues!

It is one thing to suggest that the state of affairs for electronic privacy is
sad indeed, and to militate in favor of better laws. Count me in.

It's another thing entirely to attempt to twist every meaningless, do-nothing
piece of legislation to come out of Washington as an attempt to rewire the
Internet in favor of the MPAA, which is exactly what the EFF appears to be
doing here.

I felt like the concern over SOPA was slightly overblown but at least
fundamentally valid. Here I see virtually no validity to the concerns, and any
epsilon of valid concern that is present is so outweighed by hysteria that the
net effect on civic discourse is negative, not positive.

Support organizations that aren't trying to play off your emotions.

~~~
ScottBurson
_I've been pretty consistently disappointed with how EFF has been portraying
this bill_

 _The ACLU has had a much more measured response_

Say what?
[http://www.aclu.org/blog/national-security-technology-and-li...](http://www.aclu.org/blog/national-security-technology-and-liberty/kicking-stop-cyber-spying-week)
Sounds to me like they're singing from
the same hymnal (and the ACLU page specifically says that they're joining the
EFF, among others, in opposing CISPA).

 _It's another thing entirely to attempt to twist every meaningless,
do-nothing piece of legislation to come out of Washington as an attempt to rewire
the Internet in favor of the MPAA, which is exactly what the EFF appears to be
doing here._

Say what? The linked page specifically acknowledges a proposed amendment to
remove "intellectual property" from the relevant spot in the text -- while
reminding us that said amendment has not yet been voted on. If CISPA were to
pass with that phrase "intellectual property" intact, _of course_ content
owners would do their best to use it for their purposes. How far they might
get, I don't know, but I think we can all agree that the amendment, once
accepted, will be a valuable clarification.

Basically your argument seems to be that CISPA isn't a big deal because it's
not much worse than ECPA. This is an important point, I agree. But if the goal
is to improve online privacy generally, it seems to me that further steps in
the wrong direction need to be opposed successfully _before_ there can be any
hope of positive movement.

If the arguments against CISPA are ultimately arguments for revising ECPA and
PATRIOT, those arguments need to gain currency. People need to be sensitized
to them and to think about them. That's going to take time and many battles.
You seem to think we should skip this battle and save our powder. I am more
inclined to the view that even if this is not the most important battle, every
victory helps and this is not the time to concede anything.

~~~
tptacek
That ACLU blog post is from today; I hadn't seen it, and was citing a much
more measured policy statement from several months ago. I find today's blog
post equally as disappointing as EFF's coverage.

I fundamentally disagree with the argument that we should pick sides and
strive towards victory for victory's sake. That's a bad policy mechanism, but
more pragmatically, it also creates fatigue, attenuates opposition to real
issues, and generates a deficit of goodwill. While I don't think the
legislative sponsorship of CISPA is done in good faith, I think its industry
backers genuinely do feel like something needs to be done about online
attacks.

Though you clearly disagree with me, I think you've done a good job of
summarizing my points. I'd only add this: my problem is less with opposition
to the bill (I think it's a bad bill) and more with the way it's been covered
by EFF, Demand Progress and Boing Boing.

~~~
Natsu
One other problem I had with the original was how it would actively prevent
any state level privacy laws from coming into effect to improve things. While
I can certainly sympathize with the idea that, for simplicity's sake, such
laws probably ought to be federal, that explicit preemption in the original
was also worrying, because it would cut off one route towards better privacy.
Perhaps they've amended that--I confess that I've not yet read the latest
draft just yet--but that was a worry I had about the original.

Ultimately, I think what we really need to do here is to push for better
privacy laws, rather than fighting off every half-baked half-measure some
legislator comes up with, and if I've understood you correctly, we agree on
that.

~~~
tptacek
Yep, I think we agree. ECPA2012 sounds like a great goal.

------
iamgilesbowkett
The House votes on the bill on April 23, which is a week away. Any opposition
which happens needs to happen fast. (I think that's probably deliberate.)

~~~
tzs
A week from now, the bill will be about a week shy of being five months old.
This doesn't sound like a rushed vote to thwart opposition.

