

I appeared on CNN this morning to talk about why I'm not buying Facebook (CISPA) - kn0thing
http://edition.cnn.com/video/#/video/bestoftv/2012/05/07/exp-point-alexis-ohanian.cnn

======
tptacek
CISPA? What about the Facebook Terms of Service? They include the following
words:

 _We may also share information when we have a good faith belief it is
necessary to: detect, prevent and address fraud and other illegal activity; to
protect ourselves and you from violations of our Statement of Rights and
Responsibilities; and to prevent death or imminent bodily harm._

This is a _broader_ privacy exemption than CISPA offers; CISPA (in its final
amended state) actually goes through some effort to define and narrow the
scope of what it's "protecting" and what "illegal" activity it governs. Unlike
the Facebook ToS, CISPA explicitly excludes mere "violation of consumer
licenses" from its scope.

~~~
djb_hackernews
I'll take the bait (not implying that you are trying to troll).

The difference now is CISPA gets the government involved. Up until now, yes,
FB has had a relaxed attitude toward user data when it comes to the law.
However, I and many others, believe the government and via proxy the MPAA and
RIAAs of the world will now have access to this data and it will be misused
and abused all in the name of CISPA and with authority.

~~~
tptacek
A couple of responses to that which might change your reasoning (let me
know!):

* CISPA is opt-in, so if Facebook doesn't want to share information with the government, CISPA isn't going to change its obligations.

* If Facebook wants to share information with the MPAA and RIAA, its Terms of Service already enable it to do so, explicitly.

* CISPA itself has gone through multiple successive drafts to eliminate the perception that it was merely a tool of license enforcement; the version the House finally passed (a) defines "cyber threat" specifically in regards to the "Confidentiality, Integrity, Availability" triad familiar to netsec practitioners (it is the first piece of federal legislation to do so, I believe) and (b) _specifically_ exempts "consumer licensing" from the events that engage CISPA information sharing.

* SOPA was intended to provide countermeasures to "criminal" copyright infringement and actually did provide some government control over network traffic. CISPA provides _no_ countermeasures of any sort; it only governs information sharing.

What are your thoughts on that? Do you think I'm misreading the law on any of
those four points? Or, having been made aware of them, is your reasoning on
CISPA at all influenced?

~~~
djb_hackernews
Thanks for taking the time to provide some excellent responses. I don't mean
to insult your patience, but I don't think I could say it any better than
chernevik did <http://news.ycombinator.com/item?id=3939974>.

He really got down to my issues with this bill.

* There doesn't seem to be a need for it. Was there a situation where justice was not served but would have been/ could be after CISPA?

* I just don't trust it, no matter how harmless it currently is. There is a term for this type of legislative process, not quite slippery slope, but it escapes me at the moment.

~~~
tptacek
I agree with both of these issues. Not only do I not see a need for CISPA, but
further, I don't think CISPA does anything; the sharing authority CISPA grants
private companies, I believe those companies already had under ECPA.

I've been informed since I started reading and discussing CISPA that a primary
purpose of this bill is actually the _opposite_ of what people are worried
about: that instead of getting private companies to share with the government,
CISPA exists largely to provide a legal framework for the _government_ to
share information with _private companies_, so that when government systems
are hit with new (say) Microsoft Office malware and "spear phishing" attacks,
they can notify stakeholders in private industry.

So that's one reason for CISPA. Another might just be to encourage private
companies to share more information about network attacks; the supporters of
this bill are not wrong that private companies are loath to do that now for a
variety of reasons.

But again, ultimately, I agree with you. I don't support CISPA.

~~~
Natsu
> I've been informed since I started reading and discussing CISPA that a
> primary purpose of this bill is actually the opposite of what people are
> worried about: that instead of getting private companies to share with the
> government, CISPA exists largely to provide a legal framework for the
> government to share information with private companies, so that when
> government systems are hit with new (say) Microsoft Office malware and
> "spear phishing" attacks, they can notify stakeholders in private industry.

I honestly wouldn't have a problem with that (who would?), but I have to
wonder exactly what sort of legal problems they were having in doing this and
why they couldn't create private agreements allowing that?

~~~
tptacek
It's possible (I don't know) that there's no way to get sensitive information
about computer network attacks out of DHS, DOJ, CIA and NSA without some kind
of legislative provision, especially if the government wants to be choosy
about who gets it; all this stuff covers "selective disclosure", which, like
it or not, is the only kind of disclosure there is going to be for a lot of
these attacks.

------
chernevik
The point of not buying Facebook because of CISPA would tell more if the point
were expanded to the sustainability of their business model. For example, what
does their support say about their relationship with users going forward?
Bearing in mind that, as users currently don't seem to care, we're talking
about a set of concerns that presumably will emerge down the road. What are
those concerns and how will they emerge?

Remember that we're talking about questions that didn't exist five years ago,
and to which there isn't any community consensus. Most investors won't
understand the argument, never mind Alex's side of it. So educate them: Tell
them how the issue speaks to how these choices will evolve, and bring forth
concerns that are currently held by only a few people. Point out that it was a
similar group of people that worried about the Microsoft OS model twenty years
ago, and that they were so right that the work they did on their own on open source
laid much of the groundwork for our current environment.

If you can get investors to link stuff like CISPA to business model
sustainability, they'll go to school on the issues, and the conclusions they
form will shape the equity marketplace for every social media company to come.
But they have to hear what the debate is, and its implications for the
businesses.

~~~
tptacek
As a persuasive strategy this makes a lot of sense and I see the value of the
comment. But on the specifics: do you have something in mind as to how CISPA
might impact Fb's relationship with its users, or its business model?
Obviously, I'm asking because I'm skeptical that there is any such impact, but
I'm very interested in your reasoning.

~~~
chernevik
Honestly I'm not a CISPA expert. I do see two concerns:

1\. It seems to me that inviting government examination and regulation of
network traffic, in the name of security, seems unlikely to make the 'net
_more_ flexible, and potentially could lead to real rigidity that would be bad
for development of 'net businesses and degrading the experience possible over
the 'nets.

2\. Stuff like CISPA is generally validating of 'net control regimes such as
in Iran and China. As the malice of those becomes ever more apparent, US
policies viewed as precedents and justifications will be suspect, as will
supporters of those policies. Supporting this stuff will be like supporting
tobacco companies and netting dolphins to catch tuna -- and may cause deep
customer suspicion in a field where trust will be crucial.

Now item 1, more rigidity, could be seen as positive for incumbents like
FB. To which I'd say that technology has already evolved around a lot of
rigidity and that any business founded on a particular regulatory environment
is dated to the moment when technology obviates those regulations.

Item 2 is more speculative, but I actually think more likely to prove telling.
But it's going to take 5 - 10 years.

Someone more knowledgeable of CISPA could do better. The broader point of my
remark is, figure out how those details relate to the Facebook business model
and speak to that. Do that and you'll have an audience. And there's no need to
rush, the stock will be around for a while.

~~~
tptacek
CISPA doesn't add any regulation to network traffic. It doesn't impose
government controls. It's an opt-in mechanism that purports to allow private
companies to share information incident to security attacks on their services;
what it does, essentially, is clarify the (already very weak) privacy controls
of the ECPA to make it clear that companies who are being attacked can share
traffic captures without being sued the way Google is now for the Street View
fiasco.† It doesn't authorize countermeasures; it doesn't enable services to
be shut off; it doesn't alter due process controls for the government to seize
information from non-cooperative services.

With that in mind, I'm curious as to how your reasoning might change. Do you
think an opt-in information sharing mechanism for corporations really
validates the state-sponsored network access control used in Iran and China?
I'm interested in how.

† _They already probably can't be sued for that, but I believe the thinking
here is that by spelling it out in black-letter law, companies will be
encouraged to share information more than they already do; note that ISPs
already do have programs to share attack information among themselves, but
application service providers tend not to._

~~~
chernevik
I have now spent 5 minutes on the EFF site and am now qualified to hold forth
at length.

More seriously, that depends on the terms of "opt-in" and "sharing" and
"security", yes? Such details make nice real estate for the Devil. I'm by no
means convinced that the people writing these laws understand the implications
and possibilities -- I don't trust their values because I don't think they
have the understanding to even have values. Or understand how those values are
advanced or eroded. What opinions I have of their values are formed by the
SOPA episode.

To _my_ mind, I would need to see the compelling argument for why we need
legislation in the first place. At which time I'd have to go to school on this
more than I have. And most of the security problems I've read about have more
to do with corporations doing a terrible job configuring their own equipment
than with some remarkable threat that can only be met through government-
organized action.

So in general, I'm against any law without some compelling need. I don't see
one here, and that might be ignorance, but that's my view at the moment.

How would I relate that to Facebook? If my view were valid, my first stab
would be, "They are supporting over-broad legislation, without a stated need,
that could easily go wrong. That bespeaks a centralized-solution attitude
contrary to the values that have built the 'net we have today, and unlikely to
found the trust needed to make the 'net work best going forward."

But even if that withstood scrutiny I'm not sure their business is going to
live or die based on what is essentially a question of corporate culture. If
they don't die of something else, they'll get opportunities to change their
approach on this stuff.

~~~
tptacek
Your time would be better spent reading the CISPA bill itself, which goes to
some length to define "sharing" and "security". I can summarize, but the
firsthand sources are surprisingly readable:

<http://www.govtrack.us/congress/bills/112/hr3523>

As regards "opt-in": it's inherently opt-in, because it provides no mechanism
for the government to demand information from any provider. Obviously, the
government can already use court orders to get access to information. Beyond
that, the bill explicitly prevents the government from making such demands;
for instance: "Nothing in this section shall be construed to permit the
Federal Government to... ‘(A) require a private-sector entity to share
information with the Federal Government;".

As regards "security": the bill actually defines this term (a novel twist in
"cyber security" legislation):

    ‘(i) a vulnerability of a system or network of a government or private
    entity;

    ‘(ii) a threat to the integrity, confidentiality, or availability of a
    system or network of a government or private entity or any information
    stored on, processed on, or transiting such a system or network;

    ‘(iii) efforts to deny access to or degrade, disrupt, or destroy a
    system or network of a government or private entity; or

    ‘(iv) efforts to gain unauthorized access to a system or network of a
    government or private entity, including to gain such unauthorized
    access for the purpose of exfiltrating information stored on,
    processed on, or transiting a system or network of a government or
    private entity.

~~~
chernevik
Probably right, if I had reason to take interest in fixing this corner of the
law.

But like refactoring code, I don't see why I'd even discuss changing law
without having some very good reason. And I still don't see why this is a good
place to run the risks of unintended consequences and / or malign legislators.

~~~
18pfsmt
Without diving in even as far as you have, my main problem with the proposed
law is that it would remove FB's liability in complying, so the default will
be to simply hand over any information related to any investigation. "Opt-in"
is the obvious answer for a corporate entity wishing to mitigate its financial
liability.

------
jaysonelliot
Great interview, but I feel there was a missed opportunity when the
interviewer asked about Zuckerberg's comment "we don't build services to make
money, we make money to build great services."

The panel acted as if that were an iconoclastic, even blasphemous thing to
say. That attitude, that only focusing on quarterly results and "building
shareholder value," is of course just the attitude that has gotten the
business world in so much trouble. There have been some great articles of late
exploding the myth of "shareholder value," from Steve Denning's brilliant
Forbes article "The Dumbest Idea in the World"
[http://www.forbes.com/sites/stevedenning/2011/11/28/maximizi...](http://www.forbes.com/sites/stevedenning/2011/11/28/maximizing-shareholder-value-the-dumbest-idea-in-the-world/) to James Allworth at the
Harvard Business Review talking about Steve Jobs and the Innovator's Dilemma:
[http://blogs.hbr.org/cs/2011/10/steve_jobs_solved_the_innova...](http://blogs.hbr.org/cs/2011/10/steve_jobs_solved_the_innovato.html)

I thought kn0thing had a great answer when he described that as part of the
ethos of "builder culture," to be sure. If only the panel had taken a moment
to ask themselves whether that approach might actually lead to stronger
profits and stronger companies overall, such as one of the best examples
around, Apple.

~~~
AndrewWarner
The kind of discussion you (and I) would have liked to see doesn't happen on
CNN.

------
bryanh
kn0thing is a stellar spokesperson for the hacker community.

I am curious though, how did this (you becoming a go to commentator for tech)
end up happening?

~~~
kn0thing
Thank you.

Well, before the SOPA/PIPA frenzy of MSNBC, CNN, CNBC, Fox, and Bloomberg... I
became a 'regular' tech correspondent on Bloomberg after moving to NY and
appearing on a panel moderated by Margaret Brennan. She invited me to appear
and they kept inviting me back (they liked the combo of 'good on air' and
'actually did it').

[http://search1.bloomberg.com/search/?content_type=video&...](http://search1.bloomberg.com/search/?content_type=video&page=1&template=tv&q=alexis%20ohanian)

To their credit, BloombergTV let me talk about SOPA there before any other
broadcast TV news channel.

After Soledad had me on to talk SOPA/PIPA protests and she and her producers
dug my style.

CNN even let me announce my joining the DonorsChoose.org advisory board
meeting on air at SXSW.

[http://startingpoint.blogs.cnn.com/2012/03/09/harnessing-ben...](http://startingpoint.blogs.cnn.com/2012/03/09/harnessing-benevolent-web-for-schools-reddit-coms-alexis-ohanian-on-matching-donorschoose-org-donations/)

~~~
kelmonroe
I know Brennan's a wahoo, the first time I saw you two on air together it
almost seemed like you guys knew each other from college it was
so...comfortable.

------
mhp
Surprising that no one corrected her about "Zuckerberg owning 57% of the
company", but I guess it's a) not that important and b) rude to correct the
host. (I think he only has about 28% but controls 57% of the voting stock).

~~~
EricDeb
I know!! I kept thinking that throughout the interview. It's implying his
wealth is much greater than it actually is (not that it isn't great already)

------
danvoell
Very eloquent knOthing, keep keeping it real on the big media stage. Not sure
if I will follow your stock tips though.

~~~
kn0thing
Thank you! Hehe. Admittedly, fb is probably going to keep crushing it - I just
wish they weren't crushing our open internet, too.

~~~
dclowd9901
While I agree, they're such a huge target, and so reviled amongst open types
like yourself, I tend to take the more conservative angle on them: If they
were really so insidious, there'd be more smoking guns. More scary activities.

As it stands, Facebook does what it does pretty well: gives people a place to
communicate with each other. The walls of their interactions have a lot of
holes, and you hear them complain, and you certainly see Facebook toe the
line, but I think they've mastered that sport, especially as they approach 1
billion users.

------
blafro
For those of us at work with mute permanently turned on of necessity, a quick
summary?

~~~
guelo
\- He's not planning on buying FB stock because of their support for bills
like CISPA.

\- Investors might not like Zuckerberg's "builder culture"

\- He wouldn't be surprised to see more acquisitions by FB

\- We need more programmers

\- When he sold Reddit to privately-held Conde he knew who he had to satisfy,
unlike Zuckerberg and his investors.

------
Irishsteve
Loved the silence when Mr Reddit discussed his ethical reasons for not
investing. It seemed lost on the panel.

------
namidark
Video cuts off at the end while he's still talking

~~~
kn0thing
You didn't miss much. Just one of the guests making fun of how geeks dress.

~~~
raldi
It also starts abruptly (get with the program, CNN video editors!) ... did we
miss anything there?

~~~
kn0thing
Umm, I don't recall. Just some talk about how Warren Buffett isn't investing.
And Soledad liked my choice of Jay-Z for the 'intro' music guest can select.

------
djb_hackernews
Great job, though I wish it was made clear that CISPA, etc. and Facebook's
willingness to participate threatens FB as a business.

~~~
tptacek
How does CISPA threaten Facebook as a business? If CISPA did threaten
Facebook, why did they publicly support it?

~~~
djb_hackernews
I'm lumping in CISPA, SOPA, PIPA, etc. as the government's march towards
controlling the internet. I believe government isn't always perfect and this
type of legislation and legislation that follows will result in experiences
and situations FB users don't want.

~~~
tptacek
So, just to be clear: SOPA and PIPA are _wildly_ different bills from CISPA.
There's really barely any relation at all. It's much, _much_ easier to make a
case for SOPA impacting Facebook's business.

~~~
djb_hackernews
Be clear on what? Your opinion? I think they are very related, as they are
both trying to control digital communication, one is in the name of security,
the other in the name of piracy. I believe in the end CISPA can be (ab)used to
provide the government the same tools as SOPA/PIPA.

At this point we are talking about personal opinions, which no one can really
be right, but I am not alone[1].

[1]
[http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...](http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act#Opposition)

~~~
tptacek
Have you read the amended CISPA bill that the House passed? Could you point to
something in it that leads you to believe that it provides any of the tools of
SOPA? I know these discussions get contentious, but, respectfully, I don't see
_any_ mechanisms in CISPA that would enable the government to "control"
anything. The bill literally does nothing but provide a mechanism for
potentially private information to be shared; it is explicitly opt-in, meaning
Reddit can't be forced to share anything under the terms of CISPA. There is no
sneaky clause in it anywhere that would enable the government to, say, shut
off an Internet connection, or turn off a DNS name.

I bring this up because there has been a lot of very terrible reporting on
CISPA alleging all of these things; from what I can see, that reporting
squares up with _no_ version of CISPA that has ever been submitted.

If your primary source of information about CISPA is, say, Cory Doctorow, then
of course I can understand why you think it might negatively impact Facebook
to support CISPA. But Doctorow appears to be flatly wrong about CISPA.

Finally, that Wikipedia section is a hodgepodge (tracking opinions on evolving
current events is not something Wikipedia excels at). It would be easy to get
the wrong idea from that list, because many of those sources are discussing
_multiple different bills_ and weren't written or intended as coherent
oppositions to CISPA.

------
pinchyfingers
In addition to opposing CISPA on moral grounds, do you think that Facebook's
attitude towards similar issues and their willingness to compromise user
privacy will have a negative financial impact? That is, will enough users turn
away from Facebook because of a fear and poor user experience to cause the
company to lose money?

------
ma2xd
Q: Who uses Facebook? A: Millions of MySpacers

:)

------
dobalina
"We've never seen a company like this before, ever. I mean it knows things
about our private lives that no one else does."

Um I would be inclined to say Google knows far more about us all than Facebook
does or can ever dream of.

------
faramarz
That's interesting. Is this view shared by other YC Partners?

------
jsnk
How do you go about buying Facebook stocks as a Canadian?

~~~
faramarz
Most banks (CIBC, RBC and TD) have their investment vehicles. Be prepared to
pay as much as $40 commission per trade + 1-3 cent per stock. Look into this
option if you already use online banking and like to keep your investment
aligned with everything else.

Otherwise, look at discount brokerages like Questtrade (Toronto based) and
eTrade to execute orders. $9 per trade.

~~~
oijaf888
Or Interactive Brokers for around ~$1 per trade. I think they are a Canadian
company too, not just someone who offers Canadian accounts.

------
sohels
What is Facebook?

~~~
sohels
psst... I was just being sarcastic... why down vote?

~~~
gridspy
Read the FAQ (see <http://ycombinator.com/newsguidelines.html> ) - Some posts
are considered "Content free" - Also, I didn't downvote you. Do try again!

