
CISPA Passes in the House - Full Roll Call - sethbannon
http://clerk.house.gov/evs/2013/roll117.xml#
======
Lewisham
Nothing says "small government" like expanding government oversight, right? I
really don't understand what the Republican party actually stands for. There's
no consistency in their platform. I might not agree with the Libertarian Party
either, but at least I understand why they say what they say.

Can someone help me out here?

~~~
ajscherer
When politicians say "small government" they really mean "low taxes", and when
they say "liberty" that is measured as 100% minus the top marginal tax rate.
Restrictions on people's behavior or privacy aren't really part of the
discussion. When they say "spending" you can safely suffix that with "on
someone other than me".

Seriously though, the Republican party isn't a libertarian organization and
never has been. They've been marketing themselves that way lately, since they
are a bit closer to the libertarian ideal than the Democrats (I guess not in
this case though!).

~~~
mtgx
If you're talking about the "old Republicans" who may pretend right now that
they are also libertarians (like Glenn Beck is doing for example), then I
agree. But since the "Ron Paul movement" a lot of true libertarian people
entered the Republican party and are still trying to take over it. The "real"
Republicans are actually fighting them, though, because besides lower taxes
they have almost nothing in common.

Also if you were thinking about Rand Paul, in a way he's his father's son, and
unlike others who just pay lip service for liberty and such, he's actually
fought hard against the Patriot Act, FISA, NDAA, drones and so on. He
filibustered them for many hours, introduced amendments (which obviously got
rejected), etc. However, he also seems to play way too much towards the overly
religious base in the Republican party, and in that way he's also much like
the "old" Republicans, which is a shame, and I think it makes even
libertarians have second thoughts about him. The "always lower taxes" attitude
at least could work on most libertarians, but the very religious side of him,
kind of ruins it for libertarians, too.

~~~
aclevernickname
Rand Paul is nothing like his father. While Ron Paul fought hard against FISA,
NDAA, PATRIOT, and Drones, his son follows the party line, but gives enough
lip service to not turn off his father's supporters.

~~~
wyclif
Sorry, but that's incorrect. Rand Paul fought hard against CISPA, FISA, the
Patriot Act, and drones.

~~~
aclevernickname
Rand Paul wasn't in office during PATRIOT's passing, so I suspect a troll.

~~~
wyclif
I didn't say Rand Paul fought against the bill when it was up for a vote. He
has, however, been fighting hard against the expansion of the Patriot Act's
provisions.

------
sailfast
Forgive my ignorance but can I get a clarification on what specific parts of
the bill will be damaging to privacy? From what I've read so far of the bill
it will permit government organizations with classified intelligence about a
possible threat to tell those that might be attacked without going through a
lengthy declassification process. While that is certainly valuable, I gather
there are other provisions that allow for sharing of user data without consent
by those under threat?

EDIT: Seeing now that the measure does not require participants to remove user
data, but it doesn't prohibit that, correct?

EDIT2: The CISPA Myths vs. Facts and the EFF articles are informative.
Regardless, I think it is important to note that because of classification
this information may not have been able to be communicated to organizations
prior to something like this bill being in place. I would highly recommend
encapsulating each constructive measure in its own bill (and I favor that for
all legislative endeavors) however that may not work given the difficulty of
the process these days.

------
w1ntermute
Like I said before guys, start using end-to-end encryption. Stop talking and
start sticking it to the man. If a company cooperates with the government,
then don't use their products or services.

~~~
tptacek
The man _wants_ you to use end-to-end encryption. NIST has been trying to tell
you how to do it for years. They even published Suite B to try to get us to
use modern crypto instead of the '90s stuff we're using today.

~~~
w1ntermute
The man has many different hands. Just because NIST is doing something doesn't
mean the NSA isn't doing something completely different.

~~~
tptacek
The NSA is the reason NIST got behind Suite B.

~~~
dmix
But rationally supporting the adoption of encryption among all citizens would
still be counter to many of the NSA's primary goals.

Maybe it was just primarily a technology contribution among the nerds at NSA,
and not the bureaucrats' intended goals?

~~~
tptacek
If NSA is trying to retard cryptography, why are they getting people to
migrate from RSA-1024 to ECC? Can you find a cryptographer that believes _RSA_
is the future?

~~~
betterunix
ECC is a minefield of patents, making it basically impossible to deploy;
pushing for ECC does little to advance cryptography in practice. ECC also does
not address concerns about quantum computers. In terms of mathematics, ECC is
based on a problem that is in the intersection of NP and coNP, the same
complexity class as the RSA assumption; there are more modern constructions
based on NP-hard lattice problems.

Really, if you want to point to the NSA/NIST helping to advance the state of
cryptography, point to the AES contest.

~~~
tptacek
That was true 10 years ago. It is not at all true today. Meanwhile, RSA and
simple prime-field DL crypto are the subject of serious progress, while whole
avenues of attacks seem to be precluded for the ECDL problem.

Here's one summary of the ECC patent situation:

<http://cr.yp.to/ecdh/patents.html>

ECC is increasingly common in commercial systems. Who's asserting patents
against those systems?

~~~
betterunix
"Meanwhile, RSA and simple prime-field DL crypto are the subject of serious
progress, while whole avenues of attacks seem to be precluded for the ECDL
problem."

When last I checked, the 20-year-old GNFS algorithm was the most efficient way
to attack RSA. Yes, this is faster than the best known attacks on ECDLP, but
ECDLP attacks are still subexponential. Nothing has changed in the past ten
years about the complexity class of ECDLP (it is still both in NP and in
coNP).

Really, the future of cryptography is not elliptic curves, it is systems based
on lattices, hidden linear codes, and hard learning problems (these are all
related). You can do some interesting things with ECC, but there are far more
interesting lattice cryptosystems being developed by researchers.

"ECC is increasingly common in commercial systems. Who's asserting patents
against those systems?"

Certicom filed this famous lawsuit:

<http://www.certicom.com/index.php/2007-press-releases/20-certicom-files-suit-against-sony-for-patent-infringement>

Really though, Dan Bernstein is not a lawyer, and I would not trust his
analysis if I had a business to run. Even if he is right, that does not change
the fact that ECC deployment is lagging because of fears about patent suits.
The NSA's response to concerns about patents was to get a special license,
specifically for government uses of ECC; they did nothing at all to encourage
ECC deployment elsewhere, and they did not demonstrate that such deployment
was a priority.

~~~
tptacek
Good background on DL v. factoring v. ECDL is Odlyzko,
<http://www.dtc.umn.edu/~odlyzko/doc/discrete.logs.future.pdf>.

Good background on PQ cryptography (McEliece, &c, the stuff you're referring
to later in your comment): Bernstein's intro to Post-Quantum Crypto:
[http://pqcrypto.org/www.springer.com/cda/content/document/cd...](http://pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf)

I've never seen anyone use McEliece, NTRU, &c commercially. Unlike ECC, these
schemes aren't on the horizon for TLS.

ECC goes back to Lenstra and Koblitz in the mid-80's. I'm not wading into the
validity of the patents the way DJB does, just saying, we're coming to the end
of their lifespan.

------
deepblueocean
I found this slightly more readable:
<http://www.govtrack.us/congress/votes/113-2013/h117>

Call your congressperson. They do care what you think, at least a little bit,
especially if you take the time to call or write their office thoughtfully.

~~~
gknoy
What good does it do for me to contact my congressman now, since it's already
passed?

~~~
toomuchtodo
Agreed. We should be funding a tech-based SuperPAC to get those who voted yes
out of office.

~~~
redblacktree
I'd donate.

~~~
charonn0
Ditto.

------
buro9
On a related note, is there a list of cloud providers and hosts with zero US
presence?

I'm looking for a European provider of virtual machines, with competitive
prices and features, but with no US company behind it and ideally not even a
US datacenter. Just a strong IaaS offering within the EU and a commitment to
stay out of the US.

~~~
larrydavid
Take a look at LowEndBox, and the related forums LowEndTalk.

The first site collates prices/deals, where you can filter by location.

They also carry out a quarterly survey as an attempt to gauge customer
satisfaction for each provider (<http://www.lowendtalk.com/wiki/top-providers>).

I've been looking for a VPS recently and found the above 2 sites very useful.

<http://www.lowendbox.com/> <http://www.lowendtalk.com/>

~~~
gboudrias
That site (LowEndBox) is full of sketchy deals, and a lot of companies it
promotes stop existing a few months afterwards.

It shouldn't surprise anyone that choosing their VPS provider by price alone
can be a bad idea, but I really don't recommend it.

~~~
avenger123
Yes and No.

You have to look at the companies with a critical eye but there are well
established ones.

Buyvm.net is a no fuss provider and they have been around for a while.

------
badalyan
CISPA: Myths vs Facts

[http://intelligence.house.gov/sites/intelligence.house.gov/f...](http://intelligence.house.gov/sites/intelligence.house.gov/files/images/041613cispamythfact.pdf)

~~~
u2328
CISPA: FAQ on What it is and Why it's Still Dangerous

<https://www.eff.org/cybersecurity-bill-faq>

~~~
tptacek
This FAQ includes what I think are very misleading statements about CISPA; for
instance, CISPA is clearly not intended to enforce copyright, and includes
provisions that no copyright advocate would have accepted were that the
purpose of the law. For instance, CISPA, unlike any other statute in the US
Code, specifically exempts ToS violations from the purview of the statute.

~~~
ldng
Not intended to but might/will be used to?

~~~
tptacek
Reread my comment: the bill contains measures that make it difficult to use
the act to defend copyright. If it's a backdoor SOPA (the Venn diagram between
those two acts is two adjacent disconnected circles), why does it do that?

~~~
u2328
'Backdoor SOPA?' Those are your words, not the EFF's, and they're concerned
about a lot of this legislation besides the abuse by copyright holders.

Anyways, I believe you're referring to this section: _'Does CISPA do enough to
prevent abuse of the law for copyright enforcement?'_

Here's the relevant text from that section:

 _CISPA’s definition of "cyber threat information" includes information
directly pertaining to a threat to "confidentiality." But what does
confidentiality mean? The definition encompasses measures designed for
preserving "authorized restrictions on access," including means for protecting
"proprietary information." "Proprietary information" is not defined, and could
be read to include copyrighted information. For example, one type of
restriction on access that is designed to protect proprietary information is
digital rights management (DRM)._

The problem here is the vagueness of the language. As others have pointed
out, the concern is not so much about _intent_ of the language, but _abuse_ of
the vagueness to strongly serve the interests of copyright holders over the
general public.

~~~
tptacek
Please read the bill, not just EFF's summary of the bill. To be covered under
CISPA, the information must be stored or transmitted on a protected system,
and whatever the violation is, it can't be _either_ a consumer terms of
service agreement _or_ a consumer licensing agreement.

Additionally, published content isn't confidential.

~~~
D9u
_...published content isn't confidential._

Unless you happen to increment a public-facing URL in a numeric fashion...

~~~
diminoten
No, that wouldn't do it.

There are just easier ways to string someone up for copyright infringement if
you really wanted to than CISPA.

------
dguido
I find opposition to this bill somewhat hilarious. On one hand on the front
page right now, we have FBI soliciting the public for information after we've
experienced a serious attack. Efforts are underway to crowdsource the
identities of the perpetrators in a completely unstructured and
privacy-invading manner on forums like Reddit (/r/findbostonbombers). On the other, we
have people loudly complaining that companies shouldn't be able to do the same
when they experience an attack. Sharing of this information would occur via
structured records and include oversight and audits that get reported to the
public.

I think the problem is one of perspective. In the Boston bombings, it's
incredibly simple to see the harm and it directly affects those being asked to
share the information they have to help. In the persistent and ongoing
computer intrusions that are now a reality for any successful business, the
public is largely unaware and only indirectly affected by such events. Hence,
why try to solve it?

~~~
psionski
* for any successful business that doesn't care the slightest bit about security, i.e. remains the lowest hanging fruit.

------
tocomment
Why aren't we invoking the internet bat signal already? [1]

[1] <http://internetdefenseleague.org/>

~~~
Udo
That already happened. From the IDL release on March 19th:

    
    
      Dear Internet Defense League member,
    
      Last year, right on the heels of our historic victory against SOPA, a piece 
      of really nasty legislation almost passed that would have radically undermined 
      online privacy.
    
      It was called CISPA.  And it raced through the US House of Representatives, 
      passing before any of us had a chance to react.  We stalled the bill in the 
      Senate, but now CISPA is back, and we don't want to make the same mistake twice.  
      Before there is *any* movement on the bill, we want to send a strong message 
      to Congress that CISPA shouldn't pass.  
    
      That's why we're partnering with the Electronic Frontier Foundation to launch 
      an Internet Defense League action starting tomorrow, Tuesday March 19th.  
    
      Can you participate? If so, get the code for your site here: http://members.internetdefenseleague.org
    

The problem is that online activism seldom accomplishes anything. But a more
pessimistic point of view might also suggest that we don't stand a chance
against this, because this shit will come back _every year_ until it passes.
It will pass in pieces because they have to hack it up into easily swallowable
packets, but it will pass. Online privacy and freedom goes the same way as net
neutrality, sadly.

~~~
sinak
I'd love to have a meaningful conversation about how we can make online
activism actually have an effect on Congress. Any takers?

It seems to me like we need a new generation of tools that allow people to
take actions that matter. Beyond relatively poorly designed click-to-call your
congress person tools, we really don't have much right now. I think with
better software we can do a lot more, but I'm still trying to figure out
exactly what that'll look like.

I'd love to hear HN's thoughts.

~~~
tocomment
I like your thinking!

I have a few ideas.

First and foremost I think the internet needs to focus on one issue at a time.
Once you divide the activists the whole message gets blurred and no one cares.
(Case in point, look at occupy wall street, what exactly did the protesters
want??)

Point two, it can't involve petitions, those are stupid and
counter-productive.

Point Three, activists like to be involved. Have a way for people to earn
points contacting their representatives or helping the site in other ways and
perhaps be able to use those points to vote on what issue to tackle next, or
the actions presented for an issue?

Really I'm picturing something like a cross between reddit and stack overflow
geared towards political action. Power users can vote on issues, have meta
discussions in the background, but normal users just see the one issue that's
going on at the moment with a simple interface that explains the issue and has
1-3 meaningful actions they can take.

My thoughts for the 3 actions could be: Call your representative, Request a
pre-addressed envelope be mailed to you so you can write a letter in your own
words, or donate money to pay for mailing the pre-addressed letters to people.

~~~
jlev
Glad to see the HN community getting excited about this issue. In my
professional capacity as the resident technologist at an activist-y
non-profit, I have a few things to note:

1) Single issue organizations are quick to grow but hard to sustain. Once the
first fight is over, how do you take your list and pivot to a new issue?
People lose interest quickly unless there's a hook to keep them involved.

2) Petitions may seem silly, and many of them are, but some have actually had
big successes. These are due more to the strategy behind them than the actual
numbers; you have to find the right leverage point in the political process to
make the numbers matter. They are also useful as signals to organizers that
people are interested in an issue, even if they won't be successfully
delivered.

3) Gamification in this space is hard. You're one step away from the
"slacktivism" critique, and sliding ever closer with each point or badge you
give out. For some examples of this being done well, see
<http://repurpose.workersvoice.org/>

For the "3 actions you must take", the handwritten letter is probably the most
impactful. Staffers tend to weight online signatures, phone calls, letters,
and in person visits by increasing orders of magnitude of importance. Getting
100,000 signatures is now "worth" less than 1,000 letters, particularly as
petition numbers continually increase.

~~~
cpeterso
> _1) Single issue organizations are quick to grow but hard to sustain. Once
> the first fight is over, how do you take your list and pivot to a new issue?
> People lose interest quickly unless there's a hook to keep them involved._

Instead of working to sustain single-issue organizations, a better strategy
might be to reduce the friction to creating successful, short-term
organizations in the first place. Something like an activist flash mob.

------
Xcelerate
Could someone give me a specific _concrete_ example of how this would be bad?
I read the bill and found that many of the online claims about it are simply
incorrect. Maybe I missed something.

------
27182818284
Weren't they supposed to activate the "Cat Signal" that would go up on
everyone's favorite websites? I never saw it, and that seems like it would
have been the only thing that could have re-invigorated people to action like
they were for SOPA and such.

------
rockmeamedee
Everybody's saying contact your senator. Call them, write them a letter... Is
the problem the disconnect between the elected officials and the public? If
so, can we make the communication a bit easier? My grandparents write me
letters. I barely use my phone to call. What if each elected official's
website had a place where their electorate can create and fill out polls,
giving the member of congress access to much finer grain information?

It seems to me that if you told me that you're running for the House in my
district and you'll answer my questions on 8thdistrictva.com or whatever, I
would completely believe you're better than the other guy. You might listen to
me.

Has anybody tried to do this? To be fair I've barely looked at my
representative's web page. But this seems much better than calling or writing
a letter. I guess you could email them, but every standard means of
communication I just imagine an office full of overcaffeinated interns
skimming the message for keywords and picking the closest automatic reply.
Most of the time, I'd just want to communicate a simple feeling (eg I don't
like this bill) and I'd be okay with them looking at a graph of the poll
results.

~~~
xradionut
You need to buy your senator and make sure they stay bought.

------
gdubya
Obviously this is bad for those of us in the USA, but can someone explain how
this will affect the rest of the world? And is there anything that those of us
outside the US can do to try and defeat this, other than spread the word?

~~~
Andrenid
> can someone explain how this will affect the rest of the world?

A lot of the "rest of the world" data is stored in the US, or passes through
US servers. That gives them access to it.

Anything you have in Google services, Microsoft services, Yahoo, Apple iCloud,
etc etc etc

~~~
lucb1e
It's frightening to see how much of my data is stored in the US. The new
Whatpulse (2.0+) keeps track of how much data is sent per country, using a
geoip database. By far, most data went to America. That quite convinced me I
should get my e-mail out of there at the very least (MS/Hotmail), and possibly
find alternatives for Google services like Plus and Drive.

Edit: For clarity, I'm from the Netherlands.

~~~
gdubya
Right, so the only option for "the rest of the world" is to switch to
solutions that do not store any data in the US? Is that realistically
feasible? How can "the rest of the world" protest against CISPA?

~~~
lucb1e
Well put it this way: What can they do that we can't replicate? ;) Behind
China's great firewall there are lots of alternatives to twitter, youtube,
facebook, google (this one I know by name: Baidu), etc.

So technically feasible, yes. Realistically... depends on whether developers
of these clones can find something that gives them an advantage over the
originals, besides privacy or legal issues. Businesses want to keep data
in-house regardless, and not many consumers care enough. Having one global
network for social networks certainly has advantages, but when the laws in the
"home country" (for the lack of a better word, if there is any) become hostile
and privacy invading... then I don't know. If I could pay to get off of all
Google services and have my data imported into a Dutch Google clone, I'd do
it.

------
st0p
I live in the Netherlands, can anyone tell me what this law is about and why
it is damaging to the internet?

~~~
wavefunction
Do you use any sites in America? Do you access any sites hosted outside of
America but accessed via any network infrastructure owned by an American
company?

If so, any of this information can be easily shared with the US Government
free of charge to you!

~~~
tptacek
Can you tell a short story about how some specific piece of information this
person shares with a US site winds up shared with the USG?

~~~
mscarborough
Can you tell a short story about how the legally-binding privacy protections
in this bill work, that would prevent sharing with the government without a
warrant?

The onus is not on the opposition to this bill to explain how privacy will go
wrong, it is on the supporters since it is a new law with vague language and
far-reaching potential consequences.

Also, having privacy amendments shot down or not brought to vote doesn't make
CISPA seem very democratic.

~~~
tptacek
The whole point of the bill is to facilitate the sharing of a limited set of
operational network security data without warrants or court orders, so it is
very difficult to respond to your question.

~~~
lawnchair_larry
Nothing about the bill suggests it will be limited to operational network
security data, so you should stop spreading this untruth. In fact, it's pretty
obvious that it _won't_ be just netflows.

(For those following who don't know what a netflow is, it doesn't contain
payload data. It's more or less headers and statistics. Nothing about CISPA
attempts to limit information to netflows only.)

~~~
tptacek
I don't think it's very honest of you to suggest that I'm claiming CISPA only
covers Netflow information. I use Netflow as an example of the kind of benign
information that is difficult to share today, and would be easier to share
under CISPA. I've explicitly described scenarios that could include message
payloads on these threads, and I know you've read those messages because
you've replied to them.

------
kylec
So Massachusetts didn't even vote at all? That's extremely frustrating.

~~~
keithwinstein
Most of the delegation is attending the interfaith services here today re: the
attack on the Boston marathon.

~~~
eyeface
Are the MA representatives allowed to vote while not present? It seems very
strange that an entire state's representatives will not have a vote on this
issue because of a scheduling conflict. Can the votes not be phoned in?

~~~
chimeracoder
Unfortunately, that sets a very dangerous precedent. Already we have a
situation in which senators and congressmen skip debates and skip votes, and
end up uninformed about the bills they do vote on. Do you really want to
increase that?

And if they can vote absentee for 'extreme' circumstances only, who gets to
decide? The party leaders? The proponents of the bill? The opponents?

Feingold is the only one that sticks out in my mind as bucking this trend - he
never missed a single vote, even as he was losing his 2010 re-election
campaign and his opponent was working the campaign trail every day.

Unfortunately, people like Feingold are the exception, not the rule.

------
DigitalSea
Time to see if Obama and his office are going to follow through with their
veto threats and play their hand. Considering the amount of publicity his
opposition to the bill has received, it would be in his best interests to
follow through.

------
t0dd
the only way this is going to be stopped now is if Google, Twitter, and the
other big tech companies come out strongly against it. except for reddit,
they've been quiet so far. don't count on Obama's veto threat at all.

~~~
notmarkus
To be fair, the majority of YEA's come from Republicans, who control the
House, and the majority of NAY's come from Democrats, who control the Senate.
This has already died in the Senate once, so I wouldn't be surprised if that
happens again.

~~~
firefoxman1
So much for the "small government" Republicans advocate, huh?

~~~
csense
Republicans are by no means unified about that.

Libertarians are probably the weakest leg of the Republican coalition. The
religious right and the neocons are much stronger, the former has little
reason to oppose this, the latter might be naturally inclined to support it.

Interestingly, I've been hearing a bit about Democratic-leaning "civil
libertarians" -- people who want small government without buying into any of
the Republican social agenda. Maybe there's a way to build a coalition that
can take a big enough bite out of both parties to force them to take notice...

------
LandoCalrissian
Thank you Keith Ellison for being sensible and voting no on this bill.

------
artursapek
Look at them custom HTML tags!

    
    
        <vote-data>
        <recorded-vote><legislator name-id="A000055" sort-field="Aderholt" unaccented-name="Aderholt" party="R" state="AL" role="legislator">Aderholt</legislator><vote>Yea</vote></recorded-vote>

------
aamar
288 Yea votes. They're very close to 290, which would be enough to override a
veto.

Even if it doesn't come to that, a credible veto threat is often enough to get
the President to sign the thing. So bending even a few votes in either
direction may have some political meaning here.

------
jimktrains2
If your rep voted "nay," be sure to thank them.

------
dllthomas
I want to thank my representative for voting against. Hopefully she can pull
more of her colleagues next time 'round.

------
fedxc
So it passed... now what?

~~~
moens
It still has to pass the Senate.

------
eyuelt
Now how do I get the roll call of the vote on the gun control bill?

