
I have to say, an argument that a particular proposed law does nothing - literally has no effect - seems inherently dishonest on its face. Your argument then is that the proponents are, um, doing it for their health? Because they're bored and have nothing else to do? I've only ever seen such arguments made about governmental actions by the most dishonest and most self-interested parties. I would say there's a 100% overlap in the sets of people who say "pay no attention to bill 17, it does nothing" and people who stand to benefit substantially from bill 17.

ECPA is actually fairly strict. It would be both illegal and tortious for Google to, for example, share the entire contents of your Gmail archives with the MPAA, currently. But after CISPA passes, it would be neither illegal nor a tort.

As for the government, it overturns and eliminates warrant/certification requirements for a wide swath of purposes. Under ECPA, a communications provider could give data to the government only if it reasonably believed it was immediately necessary to prevent death or serious injury. Under CISPA, any internet entity can give any data to the government OR ANY OTHER ENTITY for almost any sort of reason - "ensuring the integrity" of any internet service cuts a giant, giant swath. And specifically enumerated in CISPA, but entirely absent from ECPA, are that anything relating to antipiracy efforts is also covered.

You seem to have a very confused idea about ECPA-1986 if you think it has much in common with CISPA-2012. To the extent that they overlap, CISPA is intended to overrule protections that ECPA provided.

As someone who has actually had dialog with an attorney after having his mail stolen by a provider incident to a (bogus) security investigation, I believe you're wrong.

Service providers have broad authority to capture, read, and even disclose information carried on their networks incident to their (sweeping) duties to operate their services and protect their property.

Also: your understanding of warrant requirements under ECPA is skewed; service providers also have broad authority to disclose information to people acting under color of law in the course of criminal investigations. Again: under the restrictive 1986 ECPA (which is not the current law of the land).

Also, you're mistaken about the argument I'm making. I don't think CISPA replaces ECPA.

Okay, so we've discovered the problem. You had a situation, where an attorney told you that you had no remedy at law for some privacy breach, and you've turned that into "any new law that eliminates privacy protections doesn't do anything because I already don't have any privacy". I don't think that was a good life lesson to have learned.

ECPA says service providers can access data "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;". This is a narrow exception intended to make it legal for a sysadmin, doing legitimate work, to tail a mail queue or something like that.

CISPA grabs that exception with both hands and does a goatse.cx on it. I think there's a big big difference between allowing providers access to data necessary for providing the service, and eliminating ALL civil and criminal liability for giving your data to, well, just about anyone, for just about any reason.

Again, CISPA is intended to legalize the wholesale sharing of your online activities FROM Google/Facebook/Verizon/etc. TO the MPAA/RIAA/Media Defender/government/etc., based on any tangible connection to the integrity of any online service (spamming? too many comments on HN? That's a-sharin'!) or any sort of copyright/trademark/trade secret infringement claim. That simply isn't legal today.

None of this follows from my previous comment. You seem intent on making this argument about me, and not about the law we're discussing.

> I don't think CISPA replaces ECPA.

CISPA has a bunch of clauses saying that it trumps any law to the contrary ("Notwithstanding any other provision of law"), so the ECPA only applies when CISPA doesn't. CISPA even has a redundant clause talking about federal preemption that appears to be there just to emphasize the fact that it was intended to overrule everything else.

Perhaps you would prefer to hear the ACLU's opposition piece: https://www.aclu.org/technology-and-liberty/aclu-opposition-...

They repeat a fair number of the EFF's complaints, including how the law is too broad. I don't think the sky is falling here, but I do think that putting a giant loophole in every single privacy law, however inadequate the current ones may be, is a mistake. If they really want to do something, they ought to update the ECPA. It's rather dated.

I think I agree with everything the ACLU is arguing for, while noting that these are things we don't have today. For instance, when security and investigations info is shared with the government today under the post-PATRIOT ECPA, there aren't "use restrictions" and there isn't a requirement for PII to be scrubbed.

One by one, ACLU wants CISPA to:

* Narrowly define the privacy laws it will contravene. In other words, the law should directly reference the ECPA & Communications Act and carefully define the parts of it it overrides. Sure, but this won't fundamentally change the character of the law, because the ECPA doesn't offer strict protections either.

* House domestic cybersecurity efforts in a civilian agency. I'm skeptical of all government cybersecurity efforts and could care less where they're housed. If anything, I might rather have the military leading this, since they actually have operational experience. I don't buy that we need a new "Cyber TSA" to be created.

* Require companies to remove personally identifiable information (PII) from data they share with the government. CISPA already suggests anonymization. ACLU would presumably prefer to make anonymization the default. That's fine. But there is no provision requiring scrubbing of PII in ECPA.

* Limit government use of information shared for cybersecurity purposes. Who's going to disagree with this? Certainly not me. But: the protection ACLU is asking for does not exist today.

* Create an oversight and accountability structure that includes public and congressional reporting. Zzzzzzz.

I'm glad for the reference to the ACLU statement on this bill (I support the ACLU). But again, I think a lot of opposition to CISPA falls into a mold of "if we're going to pass new laws, they should improve privacy from the status quo". And: I like privacy! But "not improving privacy" is just not the same thing as "demolishing privacy" or, as Doctorow thinks, "selling the whole Internet out to the MPAA".

You have a point that one of the most interesting points in CISPA is that the entity sharing the data can put restrictions on the use of it. But the suggestion in CISPA that data could be anonymized where appropriate is nothing more than a suggestion.

I feel like we're arguing over whether or not to get rid of a few toothless guard dogs. While I can understand the argument that getting rid of toothless guard dogs is a no-op, I'm worried because the current plan does not involve replacing them at all. And there I think we agree: reform is needed.

Party A who hosted or provided net transit for your email saved copies of your email pursuant to a (bogus) security investigation? Did they provide that email to any third party?

Regarding your third paragraph, this bill does away with any necessity to be acting under direction of law enforcement or the courts. It further allows sharing of information between private parties, which you do not mention.

The "self-protected entity" definition is the real kicker. Any organization with a computer meets the definition, because every OS these days comes with some sort of security measures and any organization collecting private information is going to at least look at firewall rules or filesystem permissions at some point.

Private parties are already allowed to share information amongst themselves under ECPA.

There are numerous laws on the books that do absolutely nothing. For instance, it has been illegal since 1986 to manufacture a handgun containing less than four ounces of metal. No such practical design existed at the time, nor was any being developed, nor was there any plan from any manufacturer about ever making one.

Actually, they were reacting to a patented design and the announced intention to manufacture such weapons:


I'd imagine this was to combat making guns readily available that would bypass metal detectors. Just because there weren't any planned at the time, foresight may have been enough to avoid that situation? /speculation
