Facebook supports horrible proposed Internet bill CISPA (boingboing.net)
163 points by voodoochilo on Apr 13, 2012 | 57 comments

A short summary of CISPA:

-- any large internet company can share your data with the government; they can't be sued for it. The U.S. will end up with large data hoses stuck into all large internet companies.

-- any large internet company can share your data with the RIAA/MPAA/private copyright police; they can't be sued for it. The copyright police will end up with large data hoses stuck into all large internet companies.

That's about the start and the end of it. If you think it's great that the RIAA/MPAA will end up with the ability to suck down everything that Google/Facebook/Twitter/Verizon/Comcast/etc. know about you, with no subpoena or other legal process required, based on their allegation that you are infringing their copyrights, then you should be cool with this bill. If you think it's great that the NSA will end up with the ability to suck down everything those companies know about you based on their allegation that you are a threat to national security, again with no legal process required, then you should be cool with this bill.

If you don't think that's great, you should probably oppose this bill.

Here's the actual text of the bill, which of course doesn't say any of that:


Boing Boing, the EFF, and Demand Progress have seized upon the words "theft or misappropriation of private or government information, intellectual property, or personally identifiable information", claiming that they betray an intent for CISPA to be used as a tool for antipiracy. But, of course, "DVD rips" are just one of a zillion kinds of "intellectual property", most of which is obviously worth protecting.

The real problem with this bill is that it doesn't do anything that private industry already does. ISPs already share information about attacks between themselves. The ECPA already allows potentially private information to be shared as part of good-faith investigations of computer misuse.

I am personally much more cynical about the motives of major anti-CISPA activists.

>Here's the actual text of the bill, which of course doesn't say any of that:

Of course it does. Learn to read.

>Boing Boing, the EFF, and Demand Progress have seized upon the words "theft or misappropriation of private or government information, intellectual property, or personally identifiable information", claiming that they betray an intent for CISPA to be used as a tool for antipiracy.

Yes, they "claim" that a law about the theft of intellectual property is about anti-piracy. Heavens to Betsy! What will they claim next?

>I am personally much more cynical about the motives of major anti-CISPA activists.

Do tell! What are the motives of Boing Boing, the EFF and Demand Progress? They hate America, right?

Sorry tptacek, but your above comment is truth-free. If you have any actual comment on the bill, feel free to make it. The bill says exactly what I said it says.

Wow, what an incredibly hostile comment. "Learn to read"? "Truth-free"? "Actual comment"? Really? A little civility, please. It'd be much appreciated if you worked to keep this from degenerating into the usual shouting matches found elsewhere on the internet.

What action currently unlawful under the more restrictive, pre-PATRIOT ECPA would be made lawful in a plain reading of CISPA?

I have to say, an argument that a particular proposed law does nothing - literally has no effect - seems inherently dishonest on its face. Your argument then is that the proponents are, um, doing it for their health? Because they're bored and have nothing else to do? I've only ever seen such arguments made about governmental actions by the most dishonest and most self-interested parties. I would say there's a 100% overlap in the sets of people who say "pay no attention to bill 17, it does nothing" and people who stand to benefit substantially from bill 17.

ECPA is actually fairly strict. It would be both illegal and tortious for Google to, for example, share the entire contents of your Gmail archives with the MPAA, currently. But after CISPA passes, it would be neither illegal nor a tort.

As for the government, it overturns and eliminates warrant/certification requirements for a wide swath of purposes. Under ECPA, a communications provider could give data to the government only if it reasonably believed it was immediately necessary to prevent death or serious injury. Under CISPA, any internet entity can give any data to the government OR ANY OTHER ENTITY for almost any sort of reason - "ensuring the integrity" of any internet service cuts a giant, giant swath. And specifically enumerated in CISPA, but entirely absent from ECPA, are that anything relating to antipiracy efforts is also covered.

You seem to have a very confused idea about ECPA-1986 if you think it has much in common with CISPA-2012. To the extent that they overlap, CISPA is intended to overrule protections that ECPA provided.

As someone who has actually had dialog with an attorney after having his mail stolen by a provider incident to a (bogus) security investigation, I believe you're wrong.

Service providers have broad authority to capture, read, and even disclose information carried on their networks incident to their (sweeping) duties to operate their services and protect their property.

Also: your understanding of warrant requirements under ECPA is skewed; service providers also have broad authority to disclose information to people acting under color of law in the course of criminal investigations. Again: under the restrictive 1986 ECPA (which is not the current law of the land).

Also, you're mistaken about the argument I'm making. I don't think CISPA replaces ECPA.

Okay, so we've discovered the problem. You had a situation, where an attorney told you that you had no remedy at law for some privacy breach, and you've turned that into "any new law that eliminates privacy protections doesn't do anything because I already don't have any privacy". I don't think that was a good life lesson to have learned.

ECPA says service providers can access data "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;". This is a narrow exception intended to make it legal for a sysadmin, doing legitimate work, to tail a mail queue or something like that.

CISPA grabs that exception with both hands and does a goatse.cx on it. I think there's a big big difference between allowing providers access to data necessary for providing the service, and eliminating ALL civil and criminal liability for giving your data to, well, just about anyone, for just about any reason.

Again, CISPA is intended to legalize the wholesale sharing of your online activities FROM Google/Facebook/Verizon/etc. TO the MPAA/RIAA/Media Defender/government/etc., based on any tangible connection to the integrity of any online service (spamming? too many comments on HN? That's a-sharin'!) or any sort of copyright/trademark/trade secret infringement claim. That simply isn't legal today.

None of this follows from my previous comment. You seem intent on making this argument about me, and not about the law we're discussing.

> I don't think CISPA replaces ECPA.

CISPA has a bunch of clauses saying that it trumps any law to the contrary ("Notwithstanding any other provision of law"), so the ECPA only applies when CISPA doesn't. CISPA even has a redundant clause talking about federal preemption that appears to be there just to emphasize the fact that it was intended to overrule everything else.

Perhaps you would prefer to hear the ACLU's opposition piece: https://www.aclu.org/technology-and-liberty/aclu-opposition-...

They repeat a fair number of the EFF's complaints, including how the law is too broad. I don't think the sky is falling here, but I do think that putting a giant loophole in every single privacy law, however inadequate the current ones may be, is a mistake. If they really want to do something, they ought to update the ECPA. It's rather dated.

I think I agree with everything the ACLU is arguing for, while noting that these are things we don't have today. For instance, when security and investigations info is shared with the government today under the post-PATRIOT ECPA, there aren't "use restrictions" and there isn't a requirement for PII to be scrubbed.

One by one, ACLU wants CISPA to:

* Narrowly define the privacy laws it will contravene. In other words, the law should directly reference the ECPA & Communications Act and carefully define the parts of it it overrides. Sure, but this won't fundamentally change the character of the law, because the ECPA doesn't offer strict protections either.

* House domestic cybersecurity efforts in a civilian agency. I'm skeptical of all government cybersecurity efforts and could care less where they're housed. If anything, I might rather have the military leading this, since they actually have operational experience. I don't buy that we need a new "Cyber TSA" to be created.

* Require companies to remove personally identifiable information (PII) from data they share with the government. CISPA already suggests anonymization. ACLU would presumably prefer to make anonymization the default. That's fine. But there is no provision requiring scrubbing of PII in ECPA.

* Limit government use of information shared for cybersecurity purposes. Who's going to disagree with this? Certainly not me. But: the protection ACLU is asking for does not exist today.

* Create an oversight and accountability structure that includes public and congressional reporting. Zzzzzzz.

I'm glad for the reference to the ACLU statement on this bill (I support the ACLU). But again, I think a lot of opposition to CISPA falls into a mold of "if we're going to pass new laws, they should improve privacy from the status quo". And: I like privacy! But "not improving privacy" is just not the same thing as "demolishing privacy" or, as Doctorow thinks, "selling the whole Internet out to the MPAA".

You have a point that one of the most interesting points in CISPA is that the entity sharing the data can put restrictions on the use of it. But the suggestion in CISPA that data could be anonymized where appropriate is nothing more than a suggestion.

I feel like we're arguing over whether or not to get rid of a few toothless guard dogs. While I can understand the argument that getting rid of toothless guard dogs is a no-op, I'm worried because the current plan does not involve replacing them at all. And there I think we agree: reform is needed.

Party A who hosted or provided net transit for your email saved copies of your email pursuant to a (bogus) security investigation? Did they provide that email to any third party?

Regarding your third paragraph, this bill does away with any necessity to be acting under direction of law enforcement or the courts. It further allows sharing of information between private parties, which you do not mention.

The "self-protected entity" definition is the real kicker. Any organization with a computer meets the definition, because every OS these days comes with some sort of security measures and any organization collecting private information is going to at least look at firewall rules or filesystem permissions at some point.

Private parties are already allowed to share information amongst themselves under ECPA.

There are numerous laws on the books that do absolutely nothing. For instance, it has been illegal since 1986 to manufacture a handgun containing less than four ounces of metal. No such practical design existed at the time, nor was any being developed, nor was there any plan from any manufacturer about ever making one.

Actually, they were reacting to a patented design and the announced intention to manufacture such weapons:


I'd imagine this was to combat making guns readily available that would bypass metal detectors. Just because there weren't any planned at the time, foresight may have been enough to avoid that situation? /speculation

tptacek already made a very reasonable claim about the bill which you have yet to refute: that the bill doesn't make anything important legal that wasn't already legal.

Let's assume the ECPA already allows all the information sharing and immunity from liability and disclosure that this bill allows.

1) This bill still says what it says, even if it is redundant.

2) Why is Facebook supporting this bill if it does nothing? They like risking social capital for a no-op?

Even if it doesn't do much, CISPA preempts any state laws to the contrary. So if Facebook does something later and some individual state dislikes it? Too bad. State laws would no longer be able to do anything about it; you'd have to amend CISPA.

It's sort of like lowering Facebook's "threat surface" with respect to privacy laws. And, IMHO, that's really a Bad Thing. I'll give tptacek some credit: existing privacy laws really are inadequate. But I'll still argue against removing what little protection we have, just because we're going in the wrong direction.

That said, I'd like to see more arguments against the actual provisions of CISPA. I didn't see domain seizure anywhere in the law, for example, so I would greatly prefer it if my fellow CISPA opponents were more careful to advance the best arguments we have against it, not just the most popular.

This mindset, very common on HN, confuses me. It says, in effect, that it's more important for us to pick sides and cheer on our teams than to understand what is actually happening. If I said that about a Javascript library, I'd be run off the site on a rail. But when I suggest people actually read the bills they're yelling about, the opposite happens.

Why do I care whether Facebook supports the bill?

To figure out why Facebook supports this bill. What do they have to gain from it? That will help me understand the bigger picture.

It's hard to show how right you are without proving how wrong someone else is. Today you get to be the somebody who is wrong.

Oh, I'm not indignant about it. It's obvious why pointing out the specifics of CISPA is bound to be unpopular here. I'm just confused by the mindset that says "what Cory Doctorow thinks about CISPA is more important than what the bill says".

He's not wrong. He's giving an argument based on a reading of the text of the bill, while harshreality is giving an argument (it doesn't even rise to the level of argument) based on nothing.

If you want to read what the ECPA says, here's one relevant portion: 18 USC 2511 (2)(a)(i).

Whether it carves any exception into the ECPA privacy protections for wholesale disclosure to 3rd parties as tptacek claims looks debatable. What's not debatable is that that exception does not grant immunity from any other laws if you disclose information to a 3rd party.

If tptacek had cited something supporting his position then there could be a real discussion. As it is, all I can do is say his argument looks wrong, Facebook and EFF also apparently think his argument is wrong, but since I'm not a legal expert on ECPA and related laws, I can't say for sure that there isn't some more obscure provision of ECPA that does say what he's saying.

What's the law you think Facebook would be violating by sharing potentially PII-encumbered data with another service provider incident to anything they could claim was a legitimate investigation?

In other words: in the world we're in now, pre-CISPA, what's the specific legal risk you think is preventing Facebook from sharing data?

It's certainly not the ECPA! The ECPA, like I've pointed out repeatedly, specifically carves out an exception for service providers sharing information, and makes no mention of anonymizing that data (ironically, it's CISPA that brings anonymization into the picture).

You yourself make a not-invalid point, that ECPA doesn't prohibit sharing but also doesn't shield providers from claims under other laws. I agree that if CISPA is worth keeping, the language around immunity should be tightened --- oh wait, it just was in the latest draft! --- but again:

For CISPA's sharing immunity to be a meaningful threat, you'd have to cite some statute that could reasonably threaten (again, say) Facebook for sharing information during an investigation.

Finally, I know it's annoying that I keep saying this, but: providers already share information about attacks, and it's not all anonymized or particularly carefully targeted. I have firsthand knowledge of what they used to do a few years ago, and understand that sharing has only increased since then.

A claim that is nonsense on its face. Even if you knew absolutely nothing about any of the issues involved, the claim that the government is busy making legislation that does nothing is nonsensical.

The government makes legislation that clarifies rights or the status quo all the time.

1104 (b)(1)(B)(ii) and (b)(2)(C) and (b)(3)

Remember guys, this bill does pretty much nothing. If you read it, it simply allows some completely optional data sharing for prevention against attacks. However, in most cases, there is already no law against completely optionally sharing data with the government or private security firms.

But, tptacek said it better than I can: http://news.ycombinator.com/item?id=3815912

I'm trying to understand this bill better before taking a true stance on it. Is there a possibility that the powers that it grants can be abused?

To answer that question, you need to have a pretty complete understanding of the "powers" service providers already have under the ECPA, and the "powers" they can enforceably claim through contracts (like privacy policies). Those preexisting "powers" are already very broad; they are not, for instance, nailed down to specific definitions of "cybersecurity threats".

If one is a fan of the National Security State, this is a great bill. For the rest of us, not so much.

https://www.cdt.org/blogs/greg-nojeim/112cyber-intelligence-... :

- The bill has a very broad, almost unlimited definition of the information that can be shared with government agencies notwithstanding privacy and other laws;

- The bill is likely to lead to expansion of the government’s role in the monitoring of private communications as a result of this sharing;

- It is likely to shift control of government cybersecurity efforts from civilian agencies to the military;

- Once the information is shared with the government, it wouldn’t have to be used for cybersecurity, but could instead be used for any purpose that is not specifically prohibited.

What information that service providers and app providers are currently not authorized to share under the 1986 ECPA would become lawful to share under this act?

The vagueness of this bill IS the problem. Vagueness in the law makes for really bad laws.

Give me one reason I should support this bill.

I don't support it (I think it's a NOP designed solely to gain attention for its sponsors), so I certainly won't be offering you any such arguments.

Where I take exception is with efforts to stir up hysteria about it.

Valid concern ≠ hysteria.

Sure, that's true. But not all the concerns regarding CISPA are valid.

Which ones?

See: every other comment of mine on this thread.

CISPA does not include domain seizure. Doctorow has a tendency to go for sensationalism instead of accuracy. His writings are getting close to going on my "automatically flag" list because of this.

You might then enjoy a more accurate critique of the law:


Agreed, but it does not need to be included either, because they simply do it already.

Words mean things. This is what Doctorow wrote:

CISPA, the pending US cybersecurity bill, is a terrible law, with many of the worst features of SOPA -- surveillance and domain seizures and censorship and so on

But 'tzs is right. CISPA does not include "domain seizures" or, for that matter, censorship. It's an information sharing mechanism.

The linked article doesn't have a source for this, but after a bit of digging I found this page - http://intelligence.house.gov/hr-3523-letters-support which does unfortunately list Facebook as a supporter. Looks like it's time to delete my Facebook account, sigh.

Meta note: while usually it's considered good practice to leave the title of the article, when the title of the original article is extremely opinionated without direct explanation (this specific article is about Facebook supporting CISPA, not CISPA being bad), I would consider it good practice to rewrite the title to moderate the language.

Shouldn't be any surprise there really. Facebook is now a major corporation and is listed alongside Microsoft, IBM, Symantec, Intel, EMC, and Oracle as supporting the bill.


Are people really under the impression that Google and Facebook opposed SOPA for surveillance reasons? SOPA would have broken the Internet so fundamentally that they couldn't continue operating without special immunity from the US Government. Failing something that serious, I wouldn't expect them to be on my side, generally speaking.

It's funny, I remember starting out on the internet, I would never put an ounce of "real" information on there and that was how people lived... now we have facebook/myspace/twitter/"blogging" and people are happy to disclose all types of personal information. Let alone geodata on photos.

As far as I can tell CISPA will only give out the information you provide to them. As bad as it is, you can mitigate it by not giving people your information on the webz?

I understand why some people can be upset, but when I think about what I enter into websites... are people really under the impression the government doesn't have this data?

The government knows my credit card numbers, they know where I live, they know how much I make, etc. They don't give two shits that I bought new racketball glasses yesterday on Amazon, and they really, really don't care that I posted a new picture on facebook.

It seems to me the people who are really upset with this bill are the people doing the illegal activity. Everyone is torn on the whole pirating issue (probably because they love consuming for free), but the fact is that it's still illegal in the US. I imagine the opponents of this saying "Oh, well, look at these rights they're taking away from us!!" while they've got six torrents in the background in an attempt to distract from the point.

See: "'I've Got Nothing to Hide' and Other Misunderstandings of Privacy": http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

I had a long post that talked about this paper, which you may or may not still be able to see. If not, I'm replacing it with a much shorter version:

A 28 page PDF, which is single column, and takes up about 25% of a page is an absolute joke. To think this has actually been deemed a "book" is outrageous. Also, it's padded with comments he received on HIS BLOG. He references fiction novels to prove points, and he generally skirts the question.

I read the whole thing, which honestly seemed like it had no real point, and I still say (as a business intel guy): no company, no entity cares about me or you unless we do something very wrong. We're so full of ourselves thinking "The government is going to read my e-mails!" The fuck they will; in the grand scheme of things, your e-mails are as important as goose shit.

As I'm reading this PDF I get the feeling the author is under the impression that for every person on the planet there are two more in a backroom somewhere just following his life. We all need to get over ourselves. We're just not that important.

It's election time, you have your votes to make the difference. Why show any surrender? Use it to stop this bill. If Republicans are behind this then vote against them, the same with the Dems, but if both of them are in on it then just vote them out. As for the presidential election, push all the candidates who are running for the primary and the one who is now incumbent. Vote for the law from one of your party; then you're history. What I truly mean is that you have the power right now, so use it. If any presidential candidate's party supported this bill, tell those presidential candidates, either the challenger or the incumbent, that the support from the people who love freedom is lost forever for them and their party should any of the candidate's party members who sit in Congress or the Senate support this bill. Against it, then we'll support your candidacy; it's just that plain and simple. Truly there's no need to black out the net. Please share this with everyone who loves freedom ASAP.

Horrible for us and internet in general, but probably as good as Facebook Inc can do to protect ITS own, vast, interests. What if a key US Senator offered them help with a privacy /cookie tracking bill in exchange for supporting this? It's just one of the many possibilities.

Remember the Verizon-Google neutrality thing?

Since I "cancelled" my FB account 15 months ago I miss nothing.

I would be much more concerned if the contents of my email box were shared than my FB profile. The government already has 100 ways to get at most of the info I give to facebook and the rest is pretty meaningless. If I want to do something questionable or off the radar, don't f*cking post it online or have a trackable device with you while doing it. Common sense 101 here.

Case in point: if your data is transmitted without encryption or can be decrypted by anyone other than you, don't expect privacy; the law is much more flexible than AES.
