
Tech group representing Google, Yahoo backs CISPA - daspion
http://thehill.com/blogs/hillicon-valley/technology/293399-tech-group-representing-google-yahoo-backs-cispa
======
rdl
This is the part where tptacek says CISPA doesn't do anything particularly bad
vs. the state of law now, other people express fairly emotional vs. fact based
arguments about what bad it could do, and no one (in industry or government or
watchdog groups) really knows for sure what CISPA would, in practice, mean,
right?

~~~
tptacek
I don't understand why you think CISPA is hard to parse. The 2013 draft bill
is public. The bill is extraordinarily short. And many of the objections ---
which you rightly call out as emotional --- are contradicted by the text of
the bill.

I don't so much care whether CISPA passes. What I do care about is people
trying to fundraise by convincing willfully ignorant nerds that CISPA is a
backdoor SOPA bill; why, just look, GoDaddy supports it, it must be bad!

~~~
declan
I agree with tptacek (hi there!) that CISPA is not that difficult to parse,
and that people might as well read it for themselves. More:
[http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...](http://news.cnet.com/8301-13578_3-57579012-38/privacy-protections-booted-from-cispa-data-sharing-bill/)

But I disagree with his "Michigan Militia" analogy, which is a bit silly.
Another way to look at it is that starting with Clipper, CDA, CALEA, crypto
export controls (plus mandatory domestic key escrow approved by a House
committee), we've lived through 20 years of ill-advised regulation. So unless
the merits of a new proposed law _clearly_ outweigh the downsides, which is
not the case in CISPA, a measure of skepticism is reasonable.

~~~
declan
tptacek: You're quite right that neither are with us today. The reason:
Clipper and key escrow were defeated by the same advocacy groups you claim,
without any evidence, are trying to "fundraise by convincing willfully
ignorant nerds" CISPA is bad.

I can imagine FBI director Louis Freeh saying the same thing when he was
defending bans on non-escrowed encryption in the late 1990s: "Nothing wrong
with mandatory key escrow! Silly ACLU EFF EPIC etc. are just trying to
fundraise off of fear and emotion."

~~~
tptacek
What does EFF's opposition to Clipper have to do with what CISPA says?

You yourself have conceded on HN that advocacy groups have directly misstated
details about CISPA. Now you're writing comments suggesting that I'm being
misleading by pointing that track record out. That is not honest debate,
Declan.

~~~
declan
tptacek: Two points. First, if an employee has a history of writing bad code,
you may scrutinize their efforts more closely in the future. Same with
Congress. I was making a historical point for context, based on rdl's
mention below.

Second, I'm not aware of anything ACLU EFF EPIC said that's intentionally
false re: CISPA. As you correctly say, other groups may not be as careful
(although even then, you could have unintentional falsehoods, and I rarely
like to speculate about motives).

~~~
tptacek
How many of the names on CISPA were in Congress for Clipper? Answer: Frank
LoBiondo. That's it, out of a long list of names. Congress is not one
monolithic thing.

------
msandford
Sure, why not? Why would you NOT want to avoid all kinds of lawsuits?

From our point of view it's disgusting but for upper management it's a
no-brainer.

~~~
tptacek
Why is it "disgusting"?

~~~
msandford
Like all new laws this one will be sold one way and used another -- likely
very expansionary -- way.

For example the Patriot Act was sold as a thing that would only be used to
catch terrorists. Its total terrorist-catching prosecutions to date is
trivial, zero to a few. But it's still getting used quite a bit.

[http://www.nytimes.com/2003/09/28/us/us-uses-terror-law-to-p...](http://www.nytimes.com/2003/09/28/us/us-uses-terror-law-to-pursue-crimes-from-drugs-to-swindling.html?pagewanted=all&src=pm)

<http://www.cbsnews.com/2100-201_162-573155.html>

I'm not saying that the people who got caught in many of those cases didn't do
something wrong, nor am I saying that they should get away with no
consequences. But I don't see how you can charge people with "terrorism" for
doing decidedly non-terrorist things.

~~~
tptacek
If the text of the bill doesn't matter, the text of every other
privacy-related bill doesn't matter either, and we can skip all these pointless
arguments and let them pass SOPA. After all, they're just going to use milk
safety regulations to combat piracy.

~~~
msandford
It's not that the text of the bill is COMPLETELY irrelevant. It's that the big
companies will use their newfound powers in ways that fall into a gray area in
the bill and of course the government will choose not to prosecute them for
doing so, or judges will allow it because it's a gray area and not EXPLICITLY
disallowed.

------
mratzloff
I wouldn't be surprised if this bill simply protected what they're already
doing in secret. I'm sure all of these companies already have agreements with
the NSA of one kind or another.

~~~
jauer
Really it just streamlines things and eliminates paperwork shuffles. If you
have something they should see and they know you aren't a crank you just say
hey, I have this event. If you are interested, send me admin subpoena. If they
care, they do.

The entity handling this stuff seems to be DHS or FBI, not NSA, but they are
all part of IC so the info should, in theory, be shared around.

My wild speculation is they are trying to gather logs to make a sort of
national IDS to be more proactive in detecting APT.

------
deepblueocean
So who is TechNet? It's not really fair to cherry-pick from their members when
writing a story like this. So let's take a look:

<http://www.technet.org/leaders/member-companies/>

A headline "Tech group representing AT&T, Palantir backs CISPA" isn't good
copy. But that could have been the headline. The "Executive Council" (which
seems to be the part of the organization that draws the focus on Google and
Yahoo) also contains people from Oracle, Microsoft, and VeriSign. And one
thing that council doesn't do is sign off on every letter the group sends out
(or, probably, every point in the policy platform it espouses).

I _doubt_ without knowing exactly that Google's official position is
anti-CISPA and that this group doesn't speak for them because they don't actually
control what it says. But I've been surprised in the past.

Perhaps, though, people should read this and think "hey, Google ought to put
some pressure on the lobbying groups they participate in not to be
stupid/evil/whatever." And perhaps if a few Google executives express that
they're upset that their names were used in conjunction with something they
don't support, they can rein in groups that want to claim the mantle of "the
tech industry".

~~~
npsimons
The difference is, we expect this sort of Evil behavior from AT&T, Palantir,
Oracle, VeriSign and definitely Microsoft. But when a company with the
supposed motto of "Don't be evil" backs it, it's news. Yahoo, though, I'm only
a little surprised. I'm also not surprised Apple is a member, nor that you
(and the headline) didn't mention them.

Sure, sure, you can't keep track of the political positions of every group
you're a member of. But if a group holds opinions that are evil, that might
just be a good reason to not maintain membership. I could easily Godwin this
thread by mentioning certain groups I am not a member of for exactly that
reason. The company you keep and all that.

~~~
declan
Google has never "backed" CISPA. Facebook and Microsoft _previously_ backed
CISPA but then distanced themselves. See:
[http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...](http://news.cnet.com/8301-13578_3-57579012-38/privacy-protections-booted-from-cispa-data-sharing-bill/)

Trade associations tend to remain silent when a good portion of their members
oppose legislation. But Google/Facebook/Microsoft aren't opposing CISPA, last
I checked. It's more like they're just remaining neutral.

------
ebbv
And the erosion of privacy protection in the name of "security" continues
unabated.

The problem with CISPA is we don't need it. I'm not a libertarian (I want
single payer universal health care, for example), but I am fully against the
PATRIOT Act, FISA abuse and the numerous other things done in the name of
security since 9/11.

The reason 9/11 happened was not a lack of security or intelligence; we had
those. It was failure to act on the information we had.

We shouldn't be putting more power in the hands of intelligence agencies which
have no public oversight. I understand the need for those agencies, but I
think they should be as small as possible. Things like CISPA seem to be based
on an opposite view; giving them as much power as possible.

EDIT:

Also the notion that you can learn everything you need to know about these
bills by reading the bill itself is so myopic as to be comical.

~~~
tptacek
You could say exactly this set of things about any bill ever. Not one phrase
in this comment binds in any way onto CISPA. You literally could have written
it 8 years ago, saved it in a tfile in your home directory, and just
copy/pasted it into this thread no matter what the bill said.

If you think the real meaning of the bill has nothing to do with the text of
the bill, that the text of the bill doesn't matter, just give up. CISPA is
tiny compared to ECPA; if you think CISPA has holes a truck could drive
through, give a close read to SCA. If you believe the government is going to
use milk safety regulations to prosecute movie pirates, just let them pass
whatever, and skip the arguments.

~~~
ebbv
> You could say exactly this set of things about any bill ever.

No, I couldn't. There are unfortunately a lot of bills I could have said that
about (and I mentioned some of them), but not literally any bill ever.

In fact, most bills are _not_ about granting more power to intelligence
agencies at the cost of privacy protections.

But thanks for sticking to your role as mindless CISPA defender. You play it
well.

EDIT:

> If you think the real meaning of the bill has nothing to do with the text of
> the bill, that the text of the bill doesn't matter, just give up.

I didn't say that and obviously didn't mean that.

I also couldn't give a shit about movie pirates. I buy my entertainment.
That's the bonus of being a full grown adult with a career.

But I do care about the erosion of privacy law for no benefit whatsoever, and
in fact, what I see as a detriment; continuing to grow the intelligence
industry which has no public oversight. That's a Bad Idea(tm).

~~~
loumf
You probably don't care if you can convince tptacek, but to random people
following along (who you might be able to convince), calling tptacek mindless
undermines your goal.

~~~
Terretta
tptacek has a dog in this hunt. I'd say his comments here are quite _mindful_
of that.

~~~
tptacek
That is news to me.

------
6thSigma
Didn't Google recently file a lawsuit claiming that NSLs which are used to
uncover private user information are unconstitutional?

Edit: They did [1].

[1] [http://www.bloomberg.com/news/2013-04-04/google-fights-u-s-n...](http://www.bloomberg.com/news/2013-04-04/google-fights-u-s-national-security-probe-data-demand.html)

~~~
tptacek
There is no intersection between the NSL controversy and CISPA. CISPA is
_entirely opt-in_. Google has to volunteer the information; it can't be
coerced into doing so by the government. Even if Google wanted to share
emails, voluntarily, it would not find authority to do so in CISPA, because
CISPA scopes the kinds of information that can be shared to data incident to
actual cyber attacks.

~~~
declan
I halfway agree. Google and some other left-coast companies are the least
likely to take advantage of CISPA's wildcard
override-all-existing-privacy-laws loophole. Google has fought the DOJ in court before to protect the
privacy of their users; they're fighting the FBI now. Facebook, Amazon, and
Twitter have done the same.

But other companies, including AT&T, are far more likely to exploit this
loophole (in fact they persuaded Congress to immunize them for illegal
activity, post-facto): <http://news.cnet.com/8301-13578_3-9986716-38.html>

Your claim that a company could "not find authority" to share emails under
CISPA is close to the mark but not quite there. First, the House Intelligence
committee rejected an amendment by a 4-16 vote that would have required
companies to "make reasonable efforts" to delete "information that can be used
to identify" individual Americans.

Second, data that can be freely shared with FedGov including NSA encompasses
broad categories of information relating to security vulnerabilities, network
uptime, intrusion attempts, and denial-of-service attacks, with no limit on
sharing emails or personal data. See:
[http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...](http://news.cnet.com/8301-13578_3-57579012-38/privacy-protections-booted-from-cispa-data-sharing-bill/)

~~~
tptacek
You wrote a lengthier comment that enumerated the failed CISPA amendments that
I need to take some time to respond to, but in the meantime:

Regarding PII in threat data, we're talking about orthogonal concerns. The
amendment you're talking about would require all threat data to use
(presumably commercially reasonable) methods to scrub PII. The concern there
is accidental inclusion of PII; it's that disclosure of, say, IP addresses in
NetFlow information might uniquely identify customers. But providers today
aren't required to fully anonymize NetFlow when they cooperate with
investigations. The amendment was a sensible measure and I wish it had passed,
but its failure does not break new ground for privacy nor does it change the
original scope of the bill. When we last discussed CISPA on HN, that amendment
didn't exist, and I still didn't think the bill was scary.

The PII concerns I'm referring to involve the idea that CISPA could be used to
frame individual citizens as cyber threat protected entities so that raw
information about them could be shared by AT&T incident to some supposed
attack. That is an interpretation of CISPA that was explicitly rejected by the
bill's sponsors; they cite specific language they added to the bill to counter
that interpretation.

 _(I didn't downvote you and don't understand why anyone would downvote you,
but I could get downvoted here for saying "water is wet", so oh well.)_

~~~
declan
I upvoted this post as a way to say thank you for a polite debate.

~~~
tptacek
You and I will never agree on this stuff but I'm always glad to see you
participating. Thanks again.

------
benmarks
Based on the post title, my brain read the link name as thehell.com.

------
abdophoto
Don't be evil.

~~~
enraged_camel
At this point I'm convinced that they never meant this. It was simply a
recruiting slogan to attract all the liberal/libertarian/anti-corporation comp
sci students who went to Stanford and Berkeley.

~~~
rdl
I'm pretty sure that early on (when pb coined the phrase), it was meant like
"don't be like the other evil companies we've seen on the Internet in the
past" (which presumably at the time meant Microsoft, maybe USG, maybe ITU,
etc.), which Google probably broadly believed internally. (This was in the
early 2000s.)

