
The House passes CISPA with a vote of 248 to 168 - zackzackzack
http://thenextweb.com/us/2012/04/27/the-house-passes-cispa-with-a-vote-of-248-to-168/?utm_source=HackerNews&utm_medium=share%2Bbutton&utm_content=The%20House%20passes%20CISPA%20with%20a%20vote%20of%20248%20to%20168&utm_campaign=social%2Bmedia
======
tptacek
Just a reminder: many (maybe most) of the Dems who voted against CISPA did so
because they favor a _more_ intrusive intervention: they want the government
to establish standards for "cybersecurity" to apply to private industry
systems they consider "critical infrastructure", and then for the government
to deputize specific firms (read: Raytheon, SAIC, Lockheed) to conduct
mandatory audits of those firms. Privacy is a fig leaf here.

Also remember: under the Electronic Communications Privacy Act of 1986, none
of the information disclosure "authorized" by CISPA was already unlawful. 18
USC § 2702 (b) (5): private companies can voluntarily disclose private
customer information "as may be necessarily incident to the rendition of the
service or to the protection of the rights or property of the provider of that
service". Without limitation. With no check on what the government does
with that information afterwards. CISPA _added_ restrictions (albeit weak
ones) on sharing; it didn't meaningfully broaden what could be shared.

Regardless of what EFF says about this (unfortunately, I personally believe
EFF's interest in CISPA is largely about fundraising), you probably should be
careful about cheering CISPA's demise.

~~~
jellicle
Remember, tptacek has very little idea what he is talking about when he posts
this same comment on every thread. Doesn't have a clue about the politics;
doesn't have a clue about the law. To be charitable. Because he has been
informed, and keeps posting this, which turns it from clueless to
intentionally lying.

Yes, under ECPA, information can be disclosed "as may be necessarily incident
to the rendition of the service", which is to say, not very often, since it's
not often necessarily incident, and a company which disclosed your information
might have to prove in a court of law that it was necessarily incident. Which
is a rather big limitation, as opposed to tptacek's lying characterization of
it as "without limitation".

I don't really understand tptacek's position here - is he being paid for
this? - but this repeated bullshit posting needs to stop. (And the
evil-Democrat-vs.-noble-Republican stuff is pure fantasyland. CISPA isn't
about cybersecurity as computer professionals think of it. It's about
copyright enforcement and general government snooping, not about hacking.
Both Democrats and Republicans are fully behind it, despite the political
wrangling, assuming that the copyright lobby has made the proper campaign
contributions this year.)

~~~
Xuzz
Is there a way to make your point without the ad-hominem or the accusations,
and with more references? You've accused him of deliberately and repeatedly
lying (a pretty serious accusation for one of the top HN contributors); do you
have any evidence besides your differing interpretation of his citation?

(And I still do _not_ see how it is at all related to copyright.)

~~~
throwaway64
not commenting about the other issues, but CISPA grants legal immunity if

"theft or misappropriation of private or government information, intellectual
property, or personally identifiable information." (exact quote from the text
of the bill)

is thought to be occurring, and information is shared, it is very much related
to copyright.

~~~
tptacek
It is likely you are working from the first draft of the bill without its
amendments. In particular, later amendments narrow "cyber threats" to:

    
    
      ‘(3) CYBER THREAT INFORMATION.—
      ‘‘(A) IN GENERAL.—The term ‘cyber threat information’ means
      information directly pertaining to—
      ‘‘(i) a vulnerability of a system or network of a government or
      private entity;
      ‘‘(ii) a threat to the integrity, confidentiality, or availability of
      a system or network of a government or private entity or any
      information stored on, processed on, or transiting such a system or
      network;
      ‘‘(iii) efforts to degrade, disrupt, or destroy a system or network
      of a government or private entity; or
      ‘‘(iv) efforts to gain unauthorized access to a system or network of
      a government or private entity, including to gain such unauthorized
      access for the purpose of exfiltrating information stored on,
      processed on, or transiting a system or network of a government or
      private entity
    

I'm not seeing BitTorrent in there.

(By the way, I don't think you deserve the downvotes for bringing this up. I
found the amendments aggravating to track down, too. I'd been working from an
earlier draft of CISPA that struck "intellectual property", which turned out
not to be the one the House voted on.)

------
blhack
Listening to this on cspan was...frustrating.

These are people who only learned what the terms "network" and "line of code"
mean a few months ago, using them as if they are an authority on the topic.

And to hear some of this nonsense, about China being "an organized crime
syndicate", or all the negativity about Russia.

Or about how they're doing all of this because they need to protect citizens
from "cyber threats". FFS, guys, no. Look at the complete disaster of security
that is the TSA. You're telling us that _you're_ the ones that are going to
protect us? Your understanding of what you're talking about is so limited that
it took shutting down wikipedia, reddit, and countless other websites for a
day to keep you from completely breaking the DNS a couple of months ago.

I think we're doing fine protecting ourselves from "cyber threats", guys,
thanks.

[And yes, of course I realize that the "we're doing it for you!" is just
nonsense.]

~~~
tptacek
I know what a network is and I know what a line of code is.

The underlying concern being addressed here is not invalid.

We are not doing "just fine" protecting ourselves from "cyber threats". In
fact, I don't know a single credible person working in software security who
believes that. If anything, things in 2012 are far worse than they were in
2001: more critical systems than ever are networked, either directly to the
Internet, to open GSM networks, or to proprietary RF. Those that aren't are
virtually always one hop away from someone using completely vulnerable
clientside software.

Organized hacking syndicates in China are also not a made-up problem.

I probably share your confidence in the Administration's ability to address
the problem top-down, but comments like yours actually subtract value from the
discussion. Any debate where you lead the opposition to things like CISPA dies
immediately, because you've chosen to attack a totally valid premise instead
of the specific arguments this bill or Obama's makes.

~~~
Retric
If you actually dig into things, hacking has directly caused surprisingly
little actual economic harm. The proactive and reactive response tends to be
expensive, but in economic terms good old-fashioned fraud is still way more
damaging. As to attacks by nation states, we are actually willing to respond
with nukes if things cross a somewhat vague threshold and they are so
unprotected as you suggest.

~~~
tptacek
Like I said upthread: this was mostly true in 2001, when the power grid wasn't
exposed to network attackers.

~~~
Devilboy
How will this new law fix the problem though? I don't see it.

~~~
tptacek
It won't, but that doesn't make the problem bogus.

------
vectorpush
I have no faith in an Obama veto. I feel confident that whatever changes are
made to the bill before it passes the senate will be used as an excuse for
Obama to sign it.

------
r0s
The House passes all kinds of crazy stuff, the Senate is where legislation
goes to die.

~~~
cellis
Seriously who gives a shit what the house does? It's basically a filter for
the real issues in the Senate.

~~~
newbie12
That's exactly how the system was designed to work-- a feature, not a bug, to
let hot issues simmer down before passage.

~~~
Steko
Actually no, supermajorities were not in the Senate by design.

[http://upload.wikimedia.org/wikipedia/commons/7/79/Cloture_V...](http://upload.wikimedia.org/wikipedia/commons/7/79/Cloture_Voting%2C_United_States_Senate%2C_1947_to_2008.svg)

~~~
culturestate
He means that the framers' idea was that the Senate should moderate the House,
which is true.

------
akavi
So much for the theory that the threat of a veto is as good as a veto.

Anyone willing to bet Obama won't sign this?

~~~
smashing
168 / 248 = 0.67

Overriding a veto could be quite easy if this gets sent back to the House.

~~~
eck
That's not how the math works. It's 2/3 * 435 = 290, so they're still 42 votes
short.

~~~
InclinedPlane
They'd need a 2/3 majority in the Senate as well.

~~~
ajross
The margin they have isn't even enough to get past the 60% cloture vote to
pass it in the first place.

~~~
r00fus
Hopefully that's where it dies - along with a lot of good legislation in the
past - dead waiting for the "silent filibuster" to end.

------
nextparadigms
So now how do you get a bill like this repealed, and after how much time?
Imagine if SOPA passed like this. I think a lot of people just give up after a
bill like this is passed. Plus it's simply much harder to repeal it afterwards
- could be a decade or more. Just look at the Patriot Act.

No wonder the politicians want to pass some bills before Christmas or other
vacation. They know once it's passed quickly, the population will do nothing
serious about it, and it's _over_.

~~~
tptacek
Why exactly would you want to repeal CISPA? Fast forward 1 year, at which time
CISPA is in effect, repeal CISPA, and then fast forward again 1 day. How is
that day different than the one before it? Be as specific as you can.

~~~
Peaker
If government pressures telecom to give it user data, and the telecom gives it
data, it becomes open to lawsuits. Thus, telecom might decide it wants a
warrant after all.

~~~
tptacek
How would it be open to lawsuits? Under what law?

~~~
ewillbefull
How about the ECPA? Does this:

> as may be necessarily incident to the rendition of the service or to the
> protection of the rights or property of the provider of that service

allow a telecom to randomly hand private information over to the government?
Because it sounds to me like it's not "necessarily incident" unless it's, you
know, necessarily incident. Thankfully our court system has the authority to
decide that as well.

In the case of CISPA, there are absolutely NO restrictions, and it's been
broadened to apply to even more situations than just the provider's security.
You are mischaracterizing the current nature of the privacy laws, unless you
have something else to add?

~~~
tptacek
Yes, it does. What is it that you think "incident to rendition of service"
means?

(Not that I think this is dispositive, but I had an actual run-in with an ISP
over this clause. They suspected me of hacking their service, because they
read my home directory [yes, this is shell server Internet access; I'm old]
and found SMTP code in it --- so they recorded copies of all my email
messages. A friend worked there and ratted them out. I met with a (good)
lawyer. The response: too bad, so sad. GO ECPA!)

~~~
ewillbefull
I assume that it means there is some compelling, /defensive/ purpose of
disclosing the information. CISPA is completely indiscriminate and does not
carry that same guarantee.

Also your example appears to address what the ISP is allowed to record, not
what they are allowed to share, which is a different issue altogether.

~~~
tptacek
See:

US v. Harvey

US v. Goldstein

US v. Auler

US v. DeLeeuw

Also, reread CISPA, particularly the amendments clarifying what was meant by
"cyber threat" and what activities were exempt from disclosure under CISPA.

~~~
ewillbefull
Thank you.

It appears the EFF disagrees that cyber security threats were meaningfully
narrowed in the amendments -- though this does not specifically pertain to any
of my previous arguments.

> Unfortunately, this amendment doesn’t address the serious problems with the
> vague definitions. Even after amendments, “Cybersecurity system" defines the
> system that “cybersecurity providers” or self-protected entities use to
> monitor and defend against cyber threats. This is a “system” intended to
> safeguard “a system or network.” The definition could mean anything—a Local
> Area Network, a Wide Area Network, a microchip, a website, online service,
> or a DVD. It might easily be stretched to be a catch-all term with no
> meaning. For example, it is unclear whether DRM on a DVD constitutes a
> “cybersecurity system.” And such a “cybersecurity system” is defined to
> protect a system or network from “efforts to degrade, disrupt or
> destroy”—language that is similarly too broad. Degrading a network could be
> construed to mean using a privacy-enhancing technology like Tor, or a p2p
> protocol, or simply downloading too many files.

Your thoughts?

~~~
tptacek
The exclusion which appears _directly beneath_ the language they're commenting
on exempts "attacks" that merely violate licenses.

The language they're commenting on also reads clearly: "efforts to degrade,
disrupt, or destroy a system or network of a government or private entity".
"Efforts" implies intent. BitTorrent doesn't intend to degrade, disrupt, or
destroy systems (though if it violates license agreements it _does_ establish
a nexus for monitoring under the ECPA!).

Beyond that, look: _obviously_ we can all play the Glass Bead Game to connect
_any_ piece of language in _any_ bill back to _any_ action we want to protect.
This is why patents are so impossibly annoying to read. But at some point,
Occam's Razor has to apply. The language in the amendment we're discussing
simply isn't tailored to BitTorrent.

------
rosebush
Every US Citizen that reads & participates in Hacker News needs to protest
this. This will impact all of you if this goes through & is signed by the
President.

America, the home of the free & brave. This is no longer true anymore.

~~~
dholowiski
Citizens in other countries need to find out how to participate too, because
as the US goes, so go many other countries too.

------
sehugg
Don't forget to thank your Congressperson if they voted NO.

~~~
tptacek
How do you know your congressperson doesn't favor some worse intervention than
CISPA? Because by HN standards, the Administration's favored course on
"cybersecurity" is way worse.

~~~
sehugg
Even if a worse intervention is planned (like the one you described above)
wouldn't passage of CISPA help to validate it? Probably even make it easier to
pass because the Internet's rage has already been depleted?

~~~
tptacek
No, that's not how legislation works. When you have two options, one an
interventionist Democratic† bill and the other a self-regulating GOP bill, and
the GOP bill passes, the Democratic bill does not find a _more_ receptive
Congress.

† _<--- again, note, actual Democrat typing_

~~~
slurgfest
Your scaremongering about an "interventionist Democratic bill" means exactly
nothing until you have such a bill in the same position that CISPA is in
today.

Nor is there anything "self-regulating" about expansive internet surveillance.

Let politicians be judged by their votes, not the imagined future plans
attributed to them by whoever on no particularly reliable basis...

<http://clerk.house.gov/evs/2012/roll192.xml>

~~~
tptacek
It's "self regulating" when it's voluntary and conducted by private companies.
How could it not be?

------
rdl
What is the deal with the Quayle amendment?

"Would limit government use of shared cyber threat information to only 5
purposes: (1) cybersecurity; (2) investigation and prosecution of
cybersecurity crimes; (3) protection of individuals from the danger of death
or physical injury; (4) protection of minors from physical or psychological
harm; and (5) protection of the national security of the United States."

~~~
cfinke
It's an attempt to gain more votes, as opponents could then be painted as
having voted against preventing "physical or psychological harm" to minors.

------
ajross
Note that this is a 57% margin. If the same holds in the Senate, it won't pass
cloture and won't reach the president's desk.

------
debacle
If CISPA is passed, we, the citizens of the Internet, need to take broad and
quick action to protect ourselves from the affronts of these aging, bloated
government bodies.

Tor has proven to be compromised. Almost every forum on the Internet has its
handful of sock puppets. What can we do to ensure that our future is free,
secure, and anonymous?

------
westicle
Without wanting to sidetrack the thread from the real issue of CISPA, I have
to take issue with the quality of reporting.

"Many have found the bill to be troublesome, given that, in their estimation,
its language was too broad to be safe. Also that the government could use the
mandates and powers contained therein in ways that would be antithetical to
privacy, and even in the cause of cyber security, could be too intrusive."

In their estimation, powers contained therein, antithetical. What happened to
plain language?

"The language of the bill is too broad. It gives the government powers to
intrude on the privacy of individuals. Even in the context of security
legislation these powers are too intrusive."

------
bonjourmr
When SOPA was beaten, I was hoping that our victories against it and each
latter mutation of it would outlast the senators voting for it. Should we be
worried now?

------
bitsoda
With each passing year, Richard Stallman looks wiser.

------
Tipzntrix
EVE is coming to real life. Watch out for space pirates out there man.

"2mil ISK OR PODDED"

------
dguaraglia
Oh, here we go... not this shit again. FFS.

