
It's official: CISPA is back - zizee
http://www.cispaisback.org/
======
tptacek
According to this site, CISPA would "end" online privacy; it urges you to send
letters to Congress saying "this bill would have given federal agencies
unlimited access to virtually any of my personal data and online
communication-- without a warrant."

But of course, CISPA does nothing of the sort. It is:

* An opt-in measure that can't be forced on a private company by the government

* Restricted to "cyber threat information", a term carefully (relative to any other online legislation) defined to apply only to attacks on the confidentiality/integrity/availability of systems and applications

* _Specifically_ restricted from applying to Aaron Swartz-style ToS violations, or, for that matter, to intellectual property misappropriation

* Written to exclude "individuals" from "protected entities" to avoid any reading that would permit ISPs to use it to hand over records for individual targeted customers

And, while it exempts private companies from suits for good-faith attack data
sharing (that is the point of the measure), it deliberately makes the
government liable for any damages from misuse of shared information.

As Declan McCullagh pointed out in another thread here recently, private
companies operate under a bewildering stack of regulations that make it
legally dicey to share even innocuous data during attacks. In addition to ECPA
and SCA, the two omnibus federal electronic privacy laws, there are a number
of domain-specific laws ranging from HIPAA for medical privacy to DPPA for
drivers records. Companies who handle protected data currently either don't
share attack data, or incur legal risks when they do, or incur legal expenses
when they have their sharing practices reviewed.

CISPA is a straightforward (and short) bill that attempts to remedy that
problem. I don't support it (I don't think it will do much to help), but it's
not evil, and organizations that try to fundraise off the idea that it is are
playing games with your attention.

~~~
declan
tptacek: Thanks for the call-out in this thread! To continue our (I think)
polite disagreement from before, I think your description is accurate in
specifics but doesn't address the broader privacy and surveillance landscape.
Remember the debate five years ago over retroactive immunity for the
telecommunications companies that opened their networks to the NSA in
violation of the law?

By overriding every federal and state law on the books -- the wildcard
approach -- CISPA encourages this kind of broad data hoovering for
cybersecurity purposes. Defenders of CISPA claim "cybersecurity" purposes is
narrowly defined; reasonable people may disagree. And I have yet to hear a
good reason why a wildcard approach is necessary, when even CRS raises
questions about unintended consequences.

Also the recent EO accomplishes a lot in terms of info-sharing, and it's worth
reading: <http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity>

That said, I agree that some advocacy groups may overstate the privacy
concerns about CISPA. I think the charitable interpretation is that they're
overly eager or misinformed, not that they're trying to profit off of
misinformation. People do this sort of advocacy work out of their hearts, not
because they're trying to get rich.* I extend the same charitable explanation
to CISPA's drafters.

* That's why people become entrepreneurs and try to get into YC! :)

edit: FAQ link: <http://news.cnet.com/8301-31921_3-57422693-281/how-cispa-would-affect-you-faq/>

~~~
snowwrestler
If not the wildcard approach, then what is the acceptable alternative? This is
my biggest problem with the opposition to CISPA--they jumped straight to "kill
the bill". The cynical take on that is that "do or die" campaigns are easier,
more fun, and more lucrative to nonprofits than nuanced policy proposals.

~~~
declan
There's nothing wrong with saying: "If this bill is bad, let's kill it." The
proponents are free to fix it and try again.

To answer your question more directly, if privacy law $i or $j or $k
interferes with information sharing, then let's identify those privacy laws
and have a discussion about how to amend them to allow information sharing in
the case of an ACTUAL cyberattack. As anyone who's made a mistake with /bin/rm
knows, wildcards can be dangerous and have unintended consequences. I haven't
seen this argument answered directly, and I'd like to read a thoughtful
response.

More: <http://news.cnet.com/8301-31921_3-57422693-281/how-cispa-would-affect-you-faq/>

~~~
snowwrestler
It just seems to me that if "kill the bill" is the sole entirety of the
message, then there is no way to move forward on the issue. Your 2nd paragraph
makes a lot of sense, but as far as I know has not been offered or endorsed by
any of the opposition groups. If I'm wrong please let me know.

------
hkmurakami
Here's what dismays me about this. We killed it once. It's back again. Let's
say it's bad and we want to kill it, and we succeed again.

What's to say it won't come back again? How long do we have to keep doing this
dance? Even if it _is_ worth killing every time, will our attention spans be
long enough to keep fighting it every single time for the decades that may
still come?

~~~
TruthElixirX
Yay. You understand why this whole process is futile. This bill isn't the
problem. This bill is a symptom of the problem. The problem is not going away.
The problem is the U.S. federal government.

It is an out of control machine of death seeking to criminalize as much
behavior as possible.

The U.S. has the highest incarceration rate. They have the most weapons.

This kind of thing will not end until the government collapses in on itself or
people have an entire paradigm shift in the way that they think of their
relation to their fellow person.

~~~
Aloha
The people have nothing to do with it anymore.

The vested moneyed interests are in control, and will be until the people wake
up from their stupor and pay attention.

~~~
TruthElixirX
Bullshit. We live in a horizontal hierarchy enforced vertically. This stuff
happens because the people are complacent and complicit.

------
ehm_may
I actually wrote a blog post on CISPA a while back.
<http://michaelmay.me/2013/02/17/wtf-is-cispa>

I'm not worried about it. However, I may not be entirely correct in my
analysis. Would be interested in feedback.

------
squozzer
<fact> I went ahead and signed the petition. </fact>

<opinion> The comments I've read so far seem pretty thoughtful both pro and
con.

And for the most part, the US government acts in good faith.

BUT, on occasion we find ourselves looking pretty foolish when we believe
uncritically what a government says (Iraq war) or horrified at what seems to
be gratuitous heavy-handedness on the government's part (Swartz.)

And despite what former Secretary Clinton would like you to believe, there is
no reset button on government legitimacy. Like an individual's reputation, it
takes years to restore what was eroded in hours.

And while cyber attacks seem to represent a threat best countered by an
organization that commands resources on a national scale, can we really trust
them to do the right thing?

Hell, they put a PFC in a position to disseminate State Department messages.
Anyone who's done a stint in the Army knows not to put a PFC in charge of
anything except maybe a trigger, and even then under the guidance of an NCO.
</opinion>

<speculation> I forward the hypothesis that the government has more interest
in tracking (untaxed) financial transactions than thwarting cyber attacks.

The government's ability to fund itself has come to rely heavily on the Fed
buying US debt, which some might call "printing money".

The longer that continues, the less credible the US dollar becomes in world
finance.

The only thing keeping the dollar afloat is the rather poor state of the euro
and yen, and the world's reluctance to trust China or Russia.

So the US is going fishing for sources of loot.

If the hypothesis is true, CISPA might be a godsend to Joe Six-Pack, or at
least better than what's happening in Cyprus.

But in the end I think we'll get CISPA and Cyprus. </speculation>

------
ancarda
How am I not surprised Facebook and Microsoft are on that list. Two companies
I trust SO much with my privacy.

------
zizee
Received this message from the Internet Defence League a short while ago:

FWD----------------

Dear Internet Defense League member,

Last year, right on the heels of our historic victory against SOPA, a piece of
really nasty legislation almost passed that would have radically undermined
online privacy.

It was called CISPA. And it raced through the US House of Representatives,
passing before any of us had a chance to react. We stalled the bill in the
Senate, but now CISPA is back, and we don't want to make the same mistake
twice. Before there is _any_ movement on the bill, we want to send a strong
message to Congress that CISPA shouldn't pass.

That's why we're partnering with the Electronic Frontier Foundation to launch
an Internet Defense League action starting tomorrow, Tuesday March 19th.

Can you participate? If so, get the code for your site here:
<http://members.internetdefenseleague.org>

And help get more people signed up by sharing this page with your social
network.

Wait, what is CISPA? And why does it matter so much?

CISPA (the Cyber Intelligence Sharing and Protection Act) would give companies
complete freedom to share your personal data with the US government. It
doesn't _require_ them to do so, but if the government asked it would be hard
to say no, and they'd have no reason to-- CISPA would free them from any
promises made to customers in public statements or privacy policies.

Your emails, your Facebook account, your bank statements, the websites you
visit, your real-time location (courtesy of your cellphone company)-- all of
it could soon belong to a slew of government agencies and even local police,
who could use it against you without a warrant.

Get the code: <http://members.internetdefenseleague.org>

The IDL action will display only tomorrow. The banner looks like this:
<http://i.imgur.com/mVG9kVX.png> The modal looks like this:
<http://i.imgur.com/tCOtoEC.png>

And they both link to this action page hosted by the EFF:
[https://action.eff.org/o/9042/p/dia/action/public/?action_KE...](https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=9048)

Please spread the word.

Thanks! Sincerely, Holmes Wilson - Internet Defense League

P.S. If you'd like to learn more about CISPA, the EFF has a great FAQ page
here: <https://www.eff.org/cybersecurity-bill-faq>

~~~
GHFigs
_If you'd like to learn more about CISPA, the EFF has a great FAQ page_

Why wouldn't you read the bill yourself?

~~~
zizee
I believe this link will give you the text of the bill:

<http://www.govtrack.us/congress/bills/113/hr624/text>

~~~
GHFigs
Curiously, no such link appears in the "Internet Defense League" email, the
submitted link, the EFF's FAQ, or the EFF's action page.

------
bitgangsta
We worked with Change.org & Twilio to build this petition tool on CISPA, it's
the second-largest with over 43k signatures. <http://cispapetition.org>

