

The 28 Corporations Supporting CISPA - CowboyRobot
http://intelligence.house.gov/bill/cyber-intelligence-sharing-and-protection-act-2011

======
Xuzz
Please read the actual text of CISPA before making any judgements. It's
reasonably short and not all that hard to understand. It's also nowhere near
as evil as it is being made out to be.

For those interested, here's a link:
<http://www.opencongress.org/bill/112-h3523/text>

As far as I can tell, it appears to be essentially a data-sharing bill for
network intrusions, to allow companies and government to get around existing
barriers to investigate network intrusions. I'm certainly open to the
possibility that it is somehow worse, but I am really having a hard time
seeing how.

~~~
tptacek
SOPA was a rageview bonanza for sites like Wired and Mashable. This bill could
declare the sky to periodically be blue; so long as it contained the word
"cyber" or mentioned computers, a credulous mob will vote it up.

In this particular case, venues like the EFF blog are counting on the idea
that readers don't know what the ECPA is, and that they'll believe that it was
somehow unlawful for companies like AT&T and Google to monitor their networks
and, yes, your data for evidence of intrusions, or to share that data once
it's uncovered. It is not unlawful. This bill does virtually nothing. It's
probably just a ploy for attention.

~~~
rdl
ECPA primarily covers networks and attacks on networks, and incidentally
protects certain forms of communication, including stored information. In
general, ECPA seems to restrict government activity. I don't think it goes far
enough (it protects certain types of communication more than others, and the
way they were picked seems to be a historical accident.)

CISPA, as I read it, both protects networks AND "information rights holders".
Given the history with DMCA, COPA, (+ SOPA, PIPA), etc., it doesn't seem at
all unreasonable to think the government (and those information rights
holders) will use CISPA to use the tools provided for national security to
address copyright violation.

This is the same government using PATRIOT to go after local drug dealers.

I could support CISPA if it focused solely on information sharing from
government to private enterprise (and protection from liability) for network
or infrastructure attacks.

Most of the legitimate network-defense activities which would be permitted
under CISPA are already allowed under existing laws. There might be a few
corner cases around classified intelligence and uncleared entities, but this
legislation is overly broad.

~~~
tptacek
What action currently unlawful under the ECPA would be made lawful in a plain
reading of CISPA?

~~~
rdl
I'm not sure. (You probably know/care more about this than I do; I assume
everything can be done under NSL already, or entirely internal to large
companies or their existing business partners, or by criminal organizations,
so the legal protections are largely irrelevant.)

I assume by ECPA you mean "ECPA as modified by the Patriot Act", which is a
substantial change in protections. Under ECPA as originally enacted, a great
many things currently done would be illegal.

However, there's at least one major area which is currently illegal but would
become lawful under CISPA:

Providing classified intelligence to private companies in violation of the NSA
of 1947 (which I don't think is permitted by ECPA; ECPA just allows info to go
from private company to government in ways which would otherwise be wiretap
act violations without specific court orders). Couple this with the government
enjoying overclassifying everything, and it's a problem.

I don't really have a problem with this, except that the procedures and
safeguards need to be built well to protect that information. I think they can
do this.

The other addition is that intellectual property is covered. If "theft of
[...] private information, intellectual property ..." provides "exemption from
all liability [...] acting in good faith", this would seem to allow private
entities to do a lot of things. I don't think ECPA/Patriot gives those powers
to private entities, so a provider could have one (badly written) legal
contract with customers (violation of which might lead to civil liability),
then invoke CISPA to violate it. Most contracts are written to permit
information sharing for security issues, but adding copyright protection would
greatly expand their scope. I think it would allow a copyright holder to
request (with no legal basis) information from an ISP, including ECPA
protected information like VOIP/email in transit/etc., and/or the ISP to turn
it over with no legal protections to the requestor.

So, overall: The Lungren (<http://www.govtrack.us/congress/bills/112/hr3674>)
HR 3674 does not have this feature/defect. I'd support Lungren as written.

~~~
tptacek
This act doesn't allow private companies to provide classified intelligence to
other private companies, or the government to provide classified intelligence
to anyone (the government can obviously just declassify).

To keep things simple though: what's lawful under this act that was unlawful
under _pre-PATRIOT ECPA_? I'm most familiar with the pre-PATRIOT ECPA anyways.

~~~
rdl
I agree, basically nothing, in a non-paranoid reading. You could stretch
interpretation of the law in crazy ways (which has been done), but it's not
reasonable to predict that.

The most clear example I can think of is protection from civil liability for a
provider turning over information (stored messages or on-wire communications)
to another third-party where the user hasn't already consented to terms of
service which allow that. I don't think any ToS are written to not allow that
kind of thing, for this very reason.

I'm still against the law, but it's in one house now; it could change for the
better or worse. If they struck some of the language related to intellectual
property/copyright to make it more clear, I'd actually support it.

------
rdl
I am somewhat shocked that Facebook is on the list. I'd like to know their
reasoning.

~~~
yuvadam
> "800 million users entrust Facebook with their personal information" [1]

Make that 799,999,999. I do not trust any corporation that supports further
institutionalized intervention in our lives.

[1] - <http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/FacebookHR3523.pdf>

------
lallysingh
A cybersec tightening is inevitable. The US is getting hit _hard_. The
Lockheed hack
(<http://www.dailytech.com/Reports+Hackers+Use+Stolen+RSA+Information+to+Hack+Lockheed+Martin/article21757.htm>)
was a pretty loud wake-up call. The "not a nerds" in DC are slowly realizing
that this issue can help them get election money.

The US's infrastructure is predominantly private so the tightening will
inevitably be in (a) policy and (b) spending. Not speaking directly about this
bill, but when the government does both for security, it's always a
cluster-!@#$ shit-show.

~~~
snowwrestler
The RSA -> Lockheed attacks were what led directly to this bill. That is why,
for instance, the bill includes language on "intellectual property". The
attackers were trying to steal design and software files from Lockheed, which
could both be considered intellectual property. Personally I think they could
drop that language from the bill entirely, since unauthorized network access
is already a crime in the U.S.

The private ownership of U.S. infrastructure is why this bill is built
primarily around limitation of liability. The idea is that U.S. private
companies will do a better job communicating with one another on cybersecurity
if they don't have to worry about getting sued for admitting that they got
attacked.

------
dmoy
Most of these are not terribly surprising. Defense contractors, telecom,
Facebook, etc.

~~~
nextparadigms
Microsoft being there is not that surprising either. They will always support
an anti-piracy or similar law, at least until the public outrage is big enough
for them to withdraw.

