
Unite with Namecheap in the fight against CISPA - ted0
http://www.namecheap.com/cispa/alert.aspx
======
tptacek
Wait, is this year's CISPA dramatically different than last year's? Because if
it's basically the same bill, this is a _profoundly_ dishonest campaign.

2012's CISPA:

* Did not provide the government with any capability to shut down traffic

* Explicitly rejected enforcement of intellectual property, going so far as to remove IP from a list of assets protected by the bill

* Created an entirely voluntary opt-in mechanism for companies to share information about attacks

* Limited the information shared to attack data, and provided a definition in the law for what "attack" meant that did not include piracy

CISPA 2012 was not a "warmed over SOPA". SOPA was so much more intrusive than
CISPA 2012 that it is strange to even compare them.

So, is CISPA 2013 much worse?

~~~
gojomo
Organizations ranging from Mozilla and the ACM, to the EFF and ACLU, to
grassroots activist groups of the left and right didn't share your casual
confidence in the reasonableness of 2012 CISPA.

[http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...](http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act#Opposition)

Their analysis was that once a determination of a 'cyber threat' was made and
shared, private communications and other data that would usually require
stronger cause could (and probably would) then be handed over ('shared') on
government request. The words "voluntary opt-in" are not reassuring, if it's a
service provider opting-in customer data to law-enforcement, disregarding
traditional expectations of privacy or even explicitly agreed terms.

When you say 2012 CISPA "remove[d] IP from a list of assets protected by the
bill", they could only 'remove' it because the original draft had it in. And,
that's the sort of insider-wishlist-item that can be re-added as the bill
progresses, or perhaps even interpreted-back-in when the bill contains vague
language.

The 2013 language includes in its definition of covered 'cybersecurity
crimes': "a violation of any provision of title 18, United States Code,
created or amended by the Computer Fraud and Abuse Act of 1986 (Public Law
99-474)."

That's the same CFAA as used in the recent prosecutions of Swartz and
Auernheimer. It has the open-ended "exceeding authorized access" and "obtains
anything of value" language that lets the violation of terms-of-service and
unauthorized acquisition of commercially-valued copyrighted material become
serious federal crimes.

Advocates of new security powers tend to portray their scope as small and
reasonable, before passage, but then manage to find a more expansive
interpretation, when it behooves them after passage. Because such bills keep
changing and stretching, I tend to trust the EFF and ACLU, who will actually
litigate cases under the enacted legal regime, about the bill's likely
effects.

~~~
snowwrestler
Noting all the concerns about privacy, it is still intellectually dishonest to
compare it to SOPA, with which it shares literally nothing.

But that is not particularly surprising because Namecheap cares more about
getting people fired up to switch their domains to Namecheap, than they do
about being an honest participant in the legislative process.

~~~
gojomo
Sure, it's not the 'same as' SOPA, nor is it SOPA renamed/resuscitated. But
CISPA shares an aspect giving law-enforcement new powers that may be
expansively used, without judicial hearing, against anyone identified as a
'cyber threat' or engaging in 'cybersecurity crimes'.

And CISPA does this via a similar mechanism: broad immunity for those non-
governmental service providers who 'voluntarily' do what law-enforcement may
only informally advise. That's an elastic clause that can look innocent in the
text but be nasty in practice.

So there are enough similarities in mechanism and feared effect that
analogizing it to SOPA is within the bounds of fair discourse. It's the same
approximate way of speaking we see in headlines that say "Mexico is the new
China" or "Facebook is the new Google"... similarity in _an_ important aspect,
not _all_ important aspects.

~~~
snowwrestler
No, it doesn't give law enforcement any new powers. This is an example of the
misinformation about this bill.

~~~
gojomo
Mere contradiction -- "No, it doesn't" -- isn't convincing.

Your argument doesn't pass a simple-logic smell-test: why would law
enforcement want this, if it doesn't give them any new capabilities?

Organizations that are expert in the legal implications of such bills, like
the EFF and ACLU, disagree with you about the effect. Their concern is that
under CISPA, "these combined power and immunity provisions would override
existing privacy laws like the Wiretap Act and the Stored Communications Act."
[1]

Imagine there were a law which said, search and seizure without a warrant or
probable cause is bad, but any evidence so collected is always admissible in
court, and law officers who collect such evidence may never be disciplined in
any civil, criminal, or administrative fashion. That creates a de facto new
power, because it shifts all the incentives, and agents may then search and
seize with impunity.

The concern of the EFF and the ACLU is that CISPA does something similar. It
sets up a system where doing the federal government the 'voluntary' favor of
sharing information -- even in contravention of other laws or contracts that
could create liability -- is always the safe and easy course. So, agencies
wind up collecting far more info than people expected to be private.

There's an old joke that "national security" is the root password to the
Constitution. Well, CISPA makes "cybersecurity threat" the root password to
every private service-provider data set.

[1] [https://www.eff.org/deeplinks/2013/02/cispa-privacy-invading...](https://www.eff.org/deeplinks/2013/02/cispa-privacy-invading-cybersecurity-spying-bill-back-congress)

~~~
snowwrestler
Carefully read the EFF link you posted. It does not say that CISPA gives law
enforcement any new powers. Their objections to the bill center around the
privacy implications of giving private companies liability protection if they
choose to share data with the government.

The language of CISPA explicitly prohibits the government from using such
protections to force companies to give up data. Again--read the EFF article.
It does not even use the phrase "law enforcement" at all, nor the word
"force". The only usage of the word "power" refers to the power of private
companies to collect data related to cybersecurity (which of course they
already do).

The EFF is right to raise questions about privacy in the context of
cybersecurity coordination. Where I part ways with them is that they seem to
have taken a maximalist approach that _any and all_ sharing of data is wrong
and should be prevented. I happen to think that there is a role for the
federal government to help coordinate cyber threat information.

~~~
gojomo
I've read the EFF write-ups, the 2013 proposed bill text, and other sources
carefully.

If after CISPA, federal agencies can receive more private data than before –
in ways that were previously prevented by liability under the Wiretap Act, the
Stored Communication Act, contractual obligations, and other court precedents
about expectations of privacy – then that's a 'new power' for law enforcement.
Even if the way the new power is created is indirect, through immunized
information 'sharing'.

~~~
snowwrestler
I guess we'll just have to disagree about the meaning of the phrase "law
enforcement power." SOPA would have given law enforcement a legal right to
compel certain behavior. CISPA does not grant any right to compel behavior.

------
drucken
This bill is nothing like SOPA and whoever is campaigning on this basis is
doing a massive disservice to themselves because people can tell the
difference.

CISPA is just a continuation of clear "wiretapping" landgrabs by the US
Federal Government, in this case using the basis of "cybersecurity". The US
government have been trying to do this for decades and they will almost
certainly succeed, no matter the resistance.

What is new is that it seeks to indemnify specific third parties who wiretap
or even hack on their behalf.

As for the current version of the bill (H.R.3523.RFS), apart from the
obviously broad language, there is only one section, on the _use_ of
information, that I would be greatly concerned with if I were a US resident,
Section 2.C.1 (specifically part A):

_LIMITATION- The Federal Government may use cyber threat information shared
with the Federal Government in accordance with subsection (b)--

(A) for cybersecurity purposes;

(B) for the investigation and prosecution of cybersecurity crimes;

(C) for the protection of individuals from the danger of death or serious
bodily harm and the investigation and prosecution of crimes involving such
danger of death or serious bodily harm;

(D) for the protection of minors from child pornography, any risk of sexual
exploitation, and serious threats to the physical safety of such minor,
including kidnapping and trafficking and the investigation and prosecution of
crimes involving child pornography, any risk of sexual exploitation, and
serious threats to the physical safety of minors, including kidnapping and
trafficking, and any crime referred to in 2258A(a)(2) of title 18, United
States Code; or

(E) to protect the national security of the United States._

What does "(A)" mean and why is it present when both "(B)" and "(E)" are
already present? Without further highly specific legal binding, _"for
cybersecurity purposes"_ is far too broad an entry for the _use_ at which the
information may be put!

~~~
tptacek
Exactly how would CISPA indemnify a company that hacked on its behalf?
Obviously I'm asking because I think there is no way that it does.

~~~
drucken
Section 2.B.1:

_SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a
self-protected entity may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information
to protect the rights and property of such self-protected entity; and

(ii) share such cyber threat information with any other entity, including the
Federal Government._

Section 2.B.4:

_EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or
be maintained in Federal or State court against a protected entity,
self-protected entity, cybersecurity provider, or an officer, employee, or
agent of a protected entity, self-protected entity, or cybersecurity provider,
acting in good faith--

(A) for using cybersecurity systems to identify or obtain cyber threat
information or for sharing such information in accordance with this section;
or

(B) for decisions made based on cyber threat information identified,
obtained, or shared under this section._

1\. The key phrase "Notwithstanding any other provision of law" allows those
parts of the bill to ignore all other laws.

2\. "EXEMPTION FROM LIABILITY" subsection could not be any more clear.

3\. "use cybersecurity systems to identify and obtain cyber threat
information" is such broad language as to mean almost anything, especially in
context of software.

But we're getting side-tracked, imo. At this point, I would not even try to
prevent the US government getting whatever information it wanted, however it
wanted - third party or not. The key is what they are allowed to do with it
after they have it...

~~~
tptacek
"Cybersecurity systems" are intrusion detection systems. It's a ludicrous
misreading of the law to suggest that you can call a zero-day exploit a
"cybersecurity system" that you've deployed "preemptively" against a threat.
To see why, reframe: _anybody_ running an exploit against _any_ system could
make that claim. It clearly does not mean that.

The term is defined later in the bill.

------
clicks
> For each Tweet or Facebook share about this threat, using the buttons below,
> you will increase the amount donated to the EFF foundation by $0.10.

My god they are working this thing to their benefit. That is just really
really good marketing.

------
Wazowski
This is something new; a combination of marketing, propaganda, and
demagoguery. Namecheap says that "If CISPA is passed, the US government gains
the power to shut off Internet traffic." That's wrong, and so provably wrong
that it may be a lie. The bill is here.
<http://www.govtrack.us/congress/bills/112/hr3523/text> There isn't a word in
there about shutting off Internet traffic. More reputable sources--like EFF,
for whom Namecheap is fundraising--don't make that outrageous claim. Namecheap
is trying to make a buck off the gullible.

~~~
tptacek
EFF made a series of outrageous claims about CISPA. If all your information
about CISPA came from EFF, you might indeed think that CISPA was an attempt to
reintroduce SOPA.

EFF is not a trustworthy source of information about CISPA. I believe they're
using it as a vector for fundraising. They're certainly not trying to educate
about it.

~~~
gojomo
Can you provide more detail about the "outrageous claims about CISPA" made by
the EFF? (That's a strong accusation without details.)

~~~
tptacek
A starting point:

[https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq...](https://www.eff.org/deeplinks/2012/04/cybersecurity-bill-faq-disturbing-privacy-dangers-cispa-and-how-you-stop-it)

~~~
gojomo
Are you saying that whole FAQ is 'outrageous claims' about the 2012 CISPA, or
can you highlight the most 'outrageous' claim? Has anyone written up an
explanation why?

------
gesman
Short version: "Buy my stuff and I'll donate to a good cause".

Disclaimer: I love and use namecheap and think they're one of the best
registrars. But this is a cheap marketing pitch.

~~~
StavrosK
It's actually "spread my stuff" rather than "buy my stuff".

------
meomix
This has been all over HN the past 24 hours [1]. Namecheap (and I use them) is
starting to get known for this sort of marketing. They were ALL over reddit
when SOPA was the big thing. Maybe drop a marketing person and improve their
email/mobile experience? [1]
[http://www.hnsearch.com/search#request/all&q=namecheap](http://www.hnsearch.com/search#request/all&q=namecheap)

------
clark-kent
Namecheap is beginning to look bad in my eyes with all this.

