Also remember: under the Electronic Communications Privacy Act of 1986, none of the information disclosure "authorized" by CISPA was already unlawful. 18 USC § 2702 (b) (5): private companies can voluntarily disclose private customer information "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service". Without limitation. With no check on what the government does with that information afterwards. CISPA added restrictions (albeit weak ones) on sharing; it didn't meaningfully broaden what could be shared.
Regardless of what EFF says about this (unfortunately, I personally believe EFF's interest in CISPA is largely about fundraising), you probably should be careful about cheering CISPA's demise.
Yes, under ECPA, information can be disclosed "as may be necessarily incident to the rendition of the service", which is to say, not very often, since it's not often necessarily incident, and a company which disclosed your information might have to prove in a court of law that it was necessarily incident. Which is a rather big limitation, as opposed to tptacek's lying characterization of it as "without limitation".
I don't really understand tptacek's position here - is he being paid for this? - but this repeated bullshit posting needs to stop. (And the evil-Democrat-vs.-noble-Republican stuff is pure fantasyland. CISPA isn't about cybersecurity as computer professionals think of it. It's about copyright enforcement and general government snooping, not about hacking. Both Democrats and Republicans are fully behind it, despite the political wrangling, assuming that the copyright lobby has made the proper campaign contributions this year.)
(And I still do not see how it is at all related to copyright.)
"theft or misappropriation of private or government information, intellectual property, or personally identifiable information." (exact quote from the text of the bill) is thought to be occurring, and information is shared, it is very much related to copyright.
‘(3) CYBER THREAT INFORMATION.—
‘‘(A) IN GENERAL.—The term ‘cyber threat information’ means information directly
‘‘(i) a vulnerability of a system or network of a government or private entity;
‘‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
‘‘(iii) efforts to degrade, disrupt, or destroy a system or network of a government or private entity; or
‘‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity
(By the way, I don't think you deserve the downvotes for bringing this up. I found the amendments aggravating to track down, too. I'd been working from an earlier draft of CISPA that struck "intellectual property", which turned out not to be the one the House voted on.)
‘(B) EXCLUSION.— Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
He makes the usual partisan comments about Democrats but without going into specific detail, and usually follows up with something along the lines of saying he's a Democrat or donates to them. And usually he presents the non-argument that much of what is in this bill was already lawful.
"you probably should be careful about cheering CISPA's demise."
I really don't trust anyone who takes the fear defense of a piece of legislation that seems to have more flaws than benefits, along with 'already lawful' measures.
If he were simply saying don't trust Republicans or Democrats, I don't think most people would disagree. I wouldn't.
Edit: I think the point that all he says is "be warned about Democrats they support this" without any examples or citations repeatedly is an important point, as it's lacking substance and comes across as spammy by HN standards.
Look at it this way: while the majority of humans are pushing to decrease wars and traditional defense spending, the military industrial complex is looking for a way to transition from conventional ordnance revenue streams to digital ordnance revenue streams.
This will be either a long hard transition, or an immediate windfall transition which lets the traditional ordnance stream die over time with a very fast ramp up of digital streams.
This is why we see an uptick in things like Stuxnet, all sorts of hacker claims, wikileaks, Anonymous, etc.
Some are legit, but I withhold judgement on which.
The fact is that there is NO existential physical threat - and that control model is becoming increasingly difficult to maintain the illusion.
Thus they need to transition the fear factory to the vector where 30% of the globe is connected.
They have been laying the foundation though for some time with respect to the financial infrastructure. They needed to ensure they had a great number of financial control tools in place prior to 100% online lockdown.
Welcome to the oligarchy's police state.
Freedom is still in vogue, ask the world.
If this bill changes nothing, then there is no purpose in voting for this bill, is there?
Imagine a new bill is introduced. "Eating apples is legal." The Apple Pickers Union would love to see this bill passed. The Orange Pickers Union would probably oppose it. They'd both spend millions on a blogocampaign to convince you they are right. But passing (or not passing) the bill changes nothing; it's already legal to eat apples.
No it isn't; having the law explicitly call it out as legal shifts the perception of those activities from being ones that the law does not involve itself with at all to ones that are enabled and authorized by the law.
In other words, it makes things subject to the law that were not previously subject to the law, and so ultimately makes those things easier to constrain/regulate in the future.
"easier to constrain/regulate in the future." Ironically, that sounds like motivation for the EFF to support the bill.
The law with regard to privacy in cloud services is not very well established, but if we allow laws like CISPA to pass, this will slowly but surely make it impossible for any service provider to ensure privacy, even if they wanted to. This will mean that we have to give up all the benefits of cloud services if we want privacy.
For the record: the bill has few merits. It appears to do very little at all, other than (a) to associate its sponsors with being "serious" about "cybersecurity", and (b) to block the adoption of the far more intrusive intervention the Democratic administration wants. (Note before cackling: I'm a Democrat).
A bill that provides incentives (for example, legal immunity without any restrictions) is just as bad as a mandate. So that's a terrible argument, irrespective of the rest of your statements.
And from what I've heard about the attacks on various DoD organizations from people I know there, a sharing infrastructure to spread information about vulnerabilities quickly is probably going to be necessary soon. I really hope they're aggressively compartmentalizing those networks.
It's not enough to be right; you also have to be correct.
tptacek seems to be pushing the line that "this bill does nothing, everything it establishes is already legal". But I caution HN users to be aware of his own vested interests in this bill.
I don't agree with those people; I think CISPA is pretty silly. But that's the argument.
Laws such as this embolden those parties that seek to undermine privacy. It is one thing for someone to be able to say "According to a set of disparate laws, X action is legal" and quite another when "According to CISPA, X action is legal."
is significantly different, and much less broad than
"threats to national security", or
"theft or misappropriation of private or government information, intellectual property, or personally identifiable information."
If the dems are bad on this issue for voting no, what does that make the people who voted yes?
What's your opinion of the republicans who voted yes for this bill? It must be worse than voting no, right? Or is this just a partisan issue?
I've no doubt that there have been democrats on the wrong side of these issues at various points. Chris Dodd was a democrat. But don't tell me a "no" vote is actually worse than a "yes" vote on this bill. The only way you can contort yourself into that position is putting partisan loyalty ahead of critical thinking.
I have a generally low opinion of this bill, and of the Senate Cybersecurity bill. I think what's needed is liability, not do-nothing "sharing" or top-down Raytheon audits.
You can safely assume that I've actually read the bill (what I believe to be the final version, including the Amendments that survived) before commenting on it.
So if you have a low opinion of this bill, how come the only people you came into this thread cursing are the people who voted against it?
Also, you actually read the bill? How many pages was it? Did you read all of the laws it references and amends as well? You're more versed on this matter than probably 95% of the congressmen who voted on it.
A few select excerpts to illustrate the point:
> Organizations that suffer a cyber intrusion often ask the Federal Government for assistance with fixing the damage and for advice on building better defenses. For example, organizations sometimes ask DHS to help review their computer logs to see when a hacker broke in. However the lack of a clear statutory framework describing DHS’s authorities has sometimes slowed the ability of DHS to help the requesting organization. The Administration proposal will enable DHS to quickly help a private-sector company, state, or local government when that organization asks for its help.
Companies can share info including server logs with DHS.
> Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.
Companies can share data with DHS and get immunity. Sound familiar?
> The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans.
This is where tptacek sees (probably rightly) a giant windfall for the Raytheon type companies.
Question 2: Yes, I have read CISPA.
Question 3: CISPA is very short.
Question 4: Yes, I read all 4 of the amendments that survived the vote. CISPA doesn't specifically reference any other law, but I happen to be familiar with the ECPA and HIPAA too, for professional reasons.
I agree that I'm better versed on this matter than virtually everyone who voted for or against it, but that is faint praise indeed.
The truth is that the democrats voted against this and Obama publicly threatened to veto it. But you're wise in your cynicism that "they're all the same" and this is a trick to lull us into something worse.
The White House said in the message where they signalled the veto! that part of their issue with the bill was that it didn't go far enough. Did you read that message? The whole thing? No? Why are you upset at me for reading it?
Otherwise, they become a good spokesperson for tyranny.
CISPA is the GOP's response to the Rockefeller Cybersecurity bill from the Senate.
These are people who only learned what the terms "network" and "line of code" mean a few months ago, using them as if they are an authority on the topic.
And to hear some of this nonsense, about China being "an organized crime syndicate", or all the negativity about Russia.
Or about how they're doing all of this because they need to protect citizens from "cyber threats". FFS, guys, no. Look at the complete disaster of security that is the TSA. You're telling us that you're the ones that are going to protect us? Your understanding of what you're talking about is so limited that it took shutting down wikipedia, reddit, and countless other websites for a day to keep you from completely breaking the DNS a couple of months ago.
I think we're doing fine protecting ourselves from "cyber threats", guys, thanks.
[And yes, of course I realize that the "we're doing it for you!" is just nonsense.]
The underlying concern being addressed here is not invalid.
We are not doing "just fine" protecting ourselves from "cyber threats". In fact, I don't know a single credible person working in software security who believes that. If anything, things in 2012 are far worse than they were in 2001: more critical systems than ever are networked, either directly to the Internet, to open GSM networks, or to proprietary RF. Those that aren't are virtually always one hop away from someone using completely vulnerable clientside software.
Organized hacking syndicates in China are also not a made-up problem.
I probably share your confidence in the Administration's ability to address the problem top-down, but comments like yours actually subtract value from the discussion. Any debate where you lead the opposition to things like CISPA dies immediately, because you've chosen to attack a totally valid premise instead of the specific arguments this bill or Obama's makes.
Defending yourself from an attack is almost always easier than being the attacker. You just have to know what type of technology you are working with and the inherent security holes in that technology. You don't need to blow millions of dollars on security unless you are already a company worth several hundred million dollars.
And the other problem is that there will always be skillful hackers, and these hackers will always have the means and the knowledge to hide from the government, even if the government has access to a much greater percentage of information going through the internet. If the government has fancier tools to access things like email, hackers will be more careful/liberal with their use of encryption.
I believe that this bill is going to work a lot like DRM. It's going to put hackers and civilians alike in a more uncomfortable position, except that the hackers are going to figure out how to work around it fast enough that it's hardly going to make a difference, and the techno-ignorant (for lack of a better term) civilians will just have to deal with it.
How do you figure that?
Anyone willing to bet Obama won't sign this?
Overriding a veto could be quite easy if this gets sent back to the House.
No wonder the politicians want to pass some bills before Christmas or other vacations. They know once it's passed quickly, the population will do nothing serious about it, and it's over.
> as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service
allow a telecom to randomly hand private information over to the government? Because it sounds to me like it's not "necessarily incident" unless it's, you know, necessarily incident. Thankfully our court system has the authority to decide that as well.
In the case of CISPA, there are absolutely NO restrictions, and it's been broadened to apply to even more situations than just the provider's security. You are mischaracterizing the current nature of the privacy laws, unless you have something else to add?
(Not that I think this is dispositive, but I had an actual run-in with an ISP over this clause. They suspected me of hacking their service, because they read my home directory [yes, this is shell server Internet access; I'm old] and found SMTP code in it --- so they recorded copies of all my email messages. A friend worked there and ratted them out. I met with a (good) lawyer. The response: too bad, so sad. GO ECPA!)
Also your example appears to address what the ISP is allowed to record, not what they are allowed to share, which is a different issue altogether.
US v. Harvey
US v. Goldstein
US v. Auler
US v. DeLeeuw
Also, reread CISPA, particularly the amendments clarifying what was meant by "cyber threat" and what activities were exempt from disclosure under CISPA.
It appears the EFF disagrees that cyber security threats were meaningfully narrowed in the amendments -- though this does not specifically pertain to any of my previous arguments.
> Unfortunately, this amendment doesn’t address the serious problems with the vague definitions. Even after amendments, “Cybersecurity system" defines the system that “cybersecurity providers” or self-protected entities use to monitor and defend against cyber threats. This is a “system” intended to safeguard “a system or network.” The definition could mean anything—a Local Area Network, a Wide Area Network, a microchip, a website, online service, or a DVD. It might easily be stretched to be a catch-all term with no meaning. For example, it is unclear whether DRM on a DVD constitutes a “cybersecurity system.” And such a “cybersecurity system” is defined to protect a system or network from “efforts to degrade, disrupt or destroy”—language that is similarly too broad. Degrading a network could be construed to mean using a privacy-enhancing technology like Tor, or a p2p protocol, or simply downloading too many files.
The language they're commenting on also reads clearly: "efforts to degrade, disrupt, or destroy a system or network of a government or private entity". "Efforts" implies intent. BitTorrent doesn't intend to degrade, disrupt, or destroy systems (though if it violates license agreements it does establish a nexus for monitoring under the ECPA!).
Beyond that, look: obviously we can all play the Glass Bead Game to connect any piece of language in any bill back to any action we want to protect. This is why patents are so impossibly annoying to read. But at some point, Occam's Razor has to apply. The language in the amendment we're discussing simply isn't tailored to BitTorrent.
America, the home of the free & brave. This is no longer true anymore.
† <--- again, note, actual Democrat typing
Nor is there anything "self-regulating" about expansive internet surveillance.
Let politicians be judged by their votes, not the imagined future plans attributed to them by whoever on no particularly reliable basis...
Summarily, people also rally against their congressperson if they vote poorly on something.
Obviously you'd let them know why you were thankful they voted no :)
"Would limit government use of shared cyber threat information to only 5 purposes: (1) cybersecurity; (2) investigation and prosecution of cybersecurity crimes; (3) protection of individuals from the danger of death or physical injury; (4) protection of minors from physical or psychological harm; and (5) protection of the national security of the United States."
Tor has proven to be compromised. Almost every forum on the Internet has its handful of sock puppets. What can we do to ensure that our future is free, secure, and anonymous?
"Many have found the bill to be troublesome, given that, in their estimation, its language was too broad to be safe. Also that the government could use the mandates and powers contained therein in ways that would be antithetical to privacy, and even in the cause of cyber security, could be too intrusive."
In their estimation, powers contained therein, antithetical. What happened to plain language?
"The language of the bill is too broad. It gives the government powers to intrude on the privacy of individuals. Even in the context of security legislation these powers are too intrusive."
"2mil ISK OR PODDED"