Just a reminder: many (maybe most) of the Dems who voted against CISPA did so because they favor a more intrusive intervention: they want the government to establish standards for "cybersecurity" to apply to private industry systems they consider "critical infrastructure", and then for the government to deputize specific firms (read: Raytheon, SAIC, Lockheed) to conduct mandatory audits of those firms. Privacy is a fig leaf here.
Also remember: under the Electronic Communications Privacy Act of 1986, none of the information disclosure "authorized" by CISPA was already unlawful. 18 USC § 2702(b)(5): private companies can voluntarily disclose private customer information "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service". Without limitation. With no check on what the government does with that information afterwards. CISPA added restrictions (albeit weak ones) on sharing; it didn't meaningfully broaden what could be shared.
Regardless of what EFF says about this (unfortunately, I personally believe EFF's interest in CISPA is largely about fundraising), you probably should be careful about cheering CISPA's demise.
That's a common excuse used to defend bills that erode various constitutional rights. "Everything authorized by this bill was already lawful under other bills. Nothing to worry about, keep moving." This means that you can change things gradually with multiple bills and claim each time that "this bill changes nothing, keep moving".
If this bill changes nothing, then there is no purpose to vote for this bill is there?
In between what the law bans and what the law permits, there's all the "you're allowed to do it because nobody said you can't" stuff. If you happen to be doing that stuff, it's comforting to have it explicitly called out as legal. If you want that stuff to be illegal, you obviously don't want it getting promoted to "more" legal, because it's harder to get your ban passed.
Imagine a new bill is introduced. "Eating apples is legal." The Apple Pickers Union would love to see this bill passed. The Orange Pickers Union would probably oppose it. They'd both spend millions on a blogocampaign to convince you they are right. But passing (or not passing) the bill changes nothing; it's already legal to eat apples.
> If you happen to be doing that stuff, it's comforting to have it explicitly called out as legal.
No it isn't; having the law explicitly call it out as legal shifts the perception of those activities from being ones that the law does not involve itself with at all to ones that are enabled and authorized by the law.
In other words, it makes things subject to the law that were not previously subject to the law, and so ultimately makes those things easier to constrain/regulate in the future.
"enabled and authorized by the law." I think if you're Facebook, that's exactly what you want. They would prefer to avoid lawsuits about sharing information, even if they would win those lawsuits anyway. I think Good Samaritan laws are an appropriate analogy. You don't want people worrying about liability instead of doing the right thing (right thing being highly subjective).
"easier to constrain/regulate in the future." Ironically, that sounds like motivation for the EFF to support the bill.
There are no Constitutional rights at play here. Sorry, there just aren't. The Constitution protects your right to be secure in your personal effects. Information you hand over to third parties is not protected by the Constitution. It wasn't protected in 1789, it's not protected now.
Not true. Personal papers that are, for example, stored in a hotel room enjoy fourth amendment protection (there are sometimes exceptions for people that do not pay, etc., but the main point stands). Why shouldn't you be able to establish a contractual trust relationship with a services provider that protects your privacy, so that you can enjoy third party services and cloud services while also enjoying fourth amendment protections?
The law with regard to privacy in cloud services is not very well established, but if we allow laws like CISPA to pass, this will slowly but surely make it impossible for any service provider to ensure privacy, even if they wanted to. This will mean that we have to give up all the benefits of cloud services if we want privacy.
In your educated opinion on security, what would you say are CISPA's merits and what are its flaws? Is it a threat to the way websites/organizations that have no bearing on national security operate, or to the way people should treat the internet from a freedom of speech perspective? I imagine that many people fear this is similar somehow to SOPA with a fresh coat of paint, so anything you could do to confirm or dispel that would be helpful.
CISPA has nothing to do with the objectives of SOPA. It contains no provisions to allow sites to be shut down. It is, in fact, voluntary: private companies that do not want to share attack data with the government are not required to participate.
For the record: the bill has few merits. It appears to do very little at all, other than (a) to associate its sponsors with being "serious" about "cybersecurity", and (b) to block the adoption of the far more intrusive intervention the Democratic administration wants. (Note before cackling: I'm a Democrat).
Thanks for the summary. I'm curious why the EFF/DemandProgress would be using up the energy of their supporter base trying to tackle an empty suit of a law, if it is one, and why they've expressed glee at the threat of a veto.
And from what I've heard about the attacks on various DoD organizations from people I know there, a sharing infrastructure to spread information about vulnerabilities quickly is probably going to be necessary soon. I really hope they're aggressively compartmentalizing those networks.
I'm not sure I agree with tptacek about the donations, but one reason might be to keep up the pressure. Blocking SOPA was a big success, so having another battle soon after could be a way to both encourage their supporters as well as show their continued relevance. I'm also not going to argue that it's a bad thing: I love the EFF and donate to them, so if it helps them, I don't really have an issue.
I feel bad for wailing on the EFF about this stuff, because I used to be a fan of the EFF, but come on; their posts on CISPA cite PATRIOT, terrorism, National Security Letters, CARNIVORE, the FBI "bending or suspending the law" (begging the question: then HOW does CISPA matter?) and, wait for it, DRONE STRIKES.
It's not enough to be right; you also have to be correct.
Maybe I'm unusual in that I have a limited number of things I'm willing to get outraged about in a given 6 month period before I start to question the people trying to stir me up. I'm under the impression that that's not terribly unusual, but I guess the popularity of Fox News is a pretty solid counterpoint.
Yes, thank you. The CISPA fear totally ignores the fact that all of the stuff in CISPA is already legal. You don't have a privacy interest in all of that information you give to third parties every day. Maybe you should, but that's a matter for a Constitutional amendment, because as it is that information is fair game.
There is not, however, guaranteed immunity from civil/criminal prosecution for sharing data under the auspices of "national security". That's what's important about CISPA: it is carte blanche for the government to collect whatever data it wants, with zero oversight or accountability.
tptacek seems to be pushing the line that "this bill does nothing, everything it establishes is already legal". But I caution HN users to be aware of his own vested interests in this bill.
There are supporters of CISPA who believe we need it because private companies manifestly do not share information about attacks, and so one thing the government can do to resolve that is (a) to encourage them to do so, and (b) create a clearinghouse in the government to provide a default place for information to be shared.
I don't agree with those people; I think CISPA is pretty silly. But that's the argument.
Whether or not it's legal does not inform whether or not it is a positive step as far as privacy advocacy is concerned.
Laws such as this embolden those parties that seek to undermine privacy. It is one thing for someone to be able to say "According to a set of disparate laws, X action is legal" and quite another when "According to CISPA, X action is legal."
You're responding on a thread that provides chapter and verse citation to the statute that already made this kind of sharing lawful. You might just as productively oppose every bill for not fixing the ECPA.
Remember, tptacek has very little idea what he is talking about when he posts this same comment on every thread. Doesn't have a clue about the politics; doesn't have a clue about the law. To be charitable. Because he has been informed, and keeps posting this, which turns it from clueless to intentionally lying.
Yes, under ECPA, information can be disclosed "as may be necessarily incident to the rendition of the service", which is to say, not very often, since it's not often necessarily incident, and a company which disclosed your information might have to prove in a court of law that it was necessarily incident. Which is a rather big limitation, as opposed to tptacek's lying characterization of it as "without limitation".
I don't really understand tptacek's position here - is he being paid for this? - but this repeated bullshit posting needs to stop. (And the evil-Democrat-vs.-noble-Republican stuff is pure fantasyland. CISPA isn't about cybersecurity as computer professionals think of it. It's about copyright enforcement and general government snooping, not about hacking. Both Democrats and Republicans are fully behind it, despite the political wrangling, assuming that the copyright lobby has made the proper campaign contributions this year.)
Is there a way to make your point without the ad-hominem or the accusations, and with more references? You've accused him of deliberately and repeatedly lying (a pretty serious accusation for one of the top HN contributors); do you have any evidence besides your differing interpretation of his citation?
(And I still do not see how it is at all related to copyright.)
It is likely you are working from the first draft of the bill without its amendments. In particular, later amendments narrow "cyber threats" to:
‘‘(3) CYBER THREAT INFORMATION.—
‘‘(A) IN GENERAL.—The term ‘cyber threat information’ means information directly
‘‘(i) a vulnerability of a system or network of a government or private entity;
‘‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
‘‘(iii) efforts to degrade, disrupt, or destroy a system or network of a government or private entity; or
‘‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity
I'm not seeing BitTorrent in there.
(By the way, I don't think you deserve the downvotes for bringing this up. I found the amendments aggravating to track down, too. I'd been working from an earlier draft of CISPA that struck "intellectual property", which turned out not to be the one the House voted on.)
‘‘(B) EXCLUSION.—Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
I've seen many posts from tptacek and he often comes across as a shill repeatedly warning people about Democratic intentions.
He makes the usual partisan comments about Democrats but without going into specific detail, and usually follows up with something along the lines of saying he's a Democrat or donates to them. And usually he presents the non-argument that much of what is in this bill was already lawful.
"you probably should be careful about cheering CISPA's demise."
I really don't trust anyone who takes the fear defense of a piece of legislation that seems to have more flaws than benefits, along with 'already lawful' measures.
If he were simply saying don't trust Republicans or Democrats, I don't think most people would disagree. I wouldn't.
Edit: I think the point that all he says is "be warned about Democrats they support this" without any examples or citations repeatedly is an important point, as it's lacking substance and comes across as spammy by HN standards.
You're aware this vote was in the house, right? So you've provided exactly zero out of "many" dems who voted against this bill because they wanted to do way worse.
What's your opinion of the republicans who voted yes for this bill? It must be worse than voting no, right? Or is this just a partisan issue?
I've no doubt that there have been democrats on the wrong side of these issues at various points. Chris Dodd was a democrat. But don't tell me a "no" vote is actually worse than a "yes" vote on this bill. The only way you can contort yourself into that position is putting partisan loyalty ahead of critical thinking.
I don't understand what you're trying to say here. The Administration has publicly stated that CISPA doesn't go far enough to protect critical information systems. The Administration supported the Rockefeller Senate Cybersecurity bill; the Republicans opposed it.
I have a generally low opinion of this bill, and of the Senate Cybersecurity bill. I think what's needed is liability, not do-nothing "sharing" or top-down Raytheon audits.
You can safely assume that I've actually read the bill (what I believe to be the final version, including the Amendments that survived) before commenting on it.
I'm sure the administration, in between threats to veto CISPA, said that it was also ineffective and you could construe that to mean they really want something way more invasive than this. I wouldn't, but you could.
So if you have a low opinion of this bill, how come the only people you came into this thread cursing are the people who voted against it?
Also, you actually read the bill? How many pages was it? Did you read all of the laws it references and amends as well? You're more versed on this matter than probably 95% of the congressmen who voted on it.
Question 1: I'm not cursing the Democrats. I'm warning you: you will like their vision of how to secure "cyberspace" less than you will like CISPA. Go read the Rockefeller bill. I am not shilling for CISPA; I think CISPA is silly.
Question 2: Yes, I have read CISPA.
Question 3: CISPA is very short.
Question 4: Yes, I read all 4 of the amendments that survived the vote. CISPA doesn't specifically reference any other law, but I happen to be familiar with the ECPA and HIPAA too, for professional reasons.
I agree that I'm better versed on this matter than virtually everyone who voted for or against it, but that is faint praise indeed.
Well, I'll back off and call it a night, it was just supremely irritating, after seeing something like this passed, that the top comment on hacker news is saying the real bad guys are the ones who voted against it. I'll take you at your word that that wasn't your intention.
The truth is that the democrats voted against this and Obama publicly threatened to veto it. But you're wise in your cynicism that "they're all the same" and this is a trick to lull us into something worse.
I don't understand why you're so eager to ignore the policy that the Obama administration supports. I am, for what it's worth, an Obama fanboy. But it does not surprise me that Constitutional scholar or not, single-payer health care supporter or not, our Administration does not know how to "secure cyberspace", and actually has terrible and counterproductive ideas on how to do it.
The White House said in the message where they signalled the veto! that part of their issue with the bill was that it didn't go far enough. Did you read that message? The whole thing? No? Why are you upset at me for reading it?
Please don't assume that CISPA is the first time this administration has said something about cybersecurity. If you want background for what tptacek is talking about, you can start with the administration's cybersecurity legislative proposal from about this time last year.
> Organizations that suffer a cyber intrusion often ask the Federal Government for assistance with fixing the damage and for advice on building better defenses. For example, organizations sometimes ask DHS to help review their computer logs to see when a hacker broke in. However the lack of a clear statutory framework describing DHS’s authorities has sometimes slowed the ability of DHS to help the requesting organization. The Administration proposal will enable DHS to quickly help a private-sector company, state, or local government when that organization asks for its help.
Companies can share info including server logs with DHS.
> Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.
Companies can share data with DHS and get immunity. Sound familiar?
> The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans.
This is where tptacek sees (probably rightly) a giant windfall for the Raytheon type companies.
Because industry self-regulation vs. top-down government intervention is a partisan political issue. There's momentum to pass some bill about cybersecurity so that Congress can say it got something done; there will be no momentum after this bill becomes law.
CISPA is the GOP's response to the Rockefeller Cybersecurity bill from the Senate.
Our National Budget is Defense Industry centric. Anyone who thinks that our policy stance is not Defense Industry leaning as a result is not being objective.
Look at it this way: while the majority of humans are pushing to decrease wars and traditional defense spending, the military industrial complex is looking for a way to transition from conventional ordnance revenue streams to digital ordnance revenue streams.
This will be either a long hard transition, or an immediate windfall transition which lets the traditional ordnance stream die over time with a very fast ramp up of digital streams.
This is why we see an uptick in things like Stuxnet, all sorts of hacker claims, wikileaks, Anonymous, etc.
Some are legit, but I withhold judgement on which.
The fact is that there is NO existential physical threat, and the illusion of that control model is becoming increasingly difficult to maintain.
Thus they need to transition the fear factory to the vector where 30% of the globe is connected.
They have been laying the foundation though for some time with respect to the financial infrastructure. They needed to ensure they had a great number of financial control tools in place prior to 100% online lockdown.
These are people who only learned what the terms "network" and "line of code" mean a few months ago, using them as if they are an authority on the topic.
And to hear some of this nonsense, about China being "an organized crime syndicate", or all the negativity about Russia.
Or about how they're doing all of this because they need to protect citizens from "cyber threats". FFS, guys, no. Look at the complete disaster of security that is the TSA. You're telling us that you're the ones that are going to protect us? Your understanding of what you're talking about is so limited that it took shutting down wikipedia, reddit, and countless other websites for a day to keep you from completely breaking the DNS a couple of months ago.
I think we're doing fine protecting ourselves from "cyber threats", guys, thanks.
[And yes, of course I realize that the "we're doing it for you!" is just nonsense.]
I know what a network is and I know what a line of code is.
The underlying concern being addressed here is not invalid.
We are not doing "just fine" protecting ourselves from "cyber threats". In fact, I don't know a single credible person working in software security who believes that. If anything, things in 2012 are far worse than they were in 2001: more critical systems than ever are networked, either directly to the Internet, to open GSM networks, or to proprietary RF. Those that aren't are virtually always one hop away from someone using completely vulnerable clientside software.
Organized hacking syndicates in China are also not a made-up problem.
I probably share your confidence in the Administration's ability to address the problem top-down, but comments like yours actually subtract value from the discussion. Any debate where you lead the opposition to things like CISPA dies immediately, because you've chosen to attack a totally valid premise instead of the specific arguments this bill or Obama's makes.
If you actually dig into things, hacking has directly caused surprisingly little actual economic harm. The proactive and reactive response tends to be expensive, but in economic terms good old-fashioned fraud is still way more damaging. As to attacks by nation states, we are actually willing to respond with nukes if things cross a somewhat vague threshold and they are so unprotected as you suggest.
I think that to give the responsibility of security to the government is a fallacy, not only because the government is very capable of abusing the power and screwing up in a huge way, but also because it will make private companies less likely to take the appropriate measures to protect themselves.
Defending yourself from an attack is almost always easier than being the attacker. You just have to know what type of technology you are working with and the inherent security holes in that technology. You don't need to blow millions of dollars on security unless you are already a company worth several hundred million dollars.
And the other problem is that there will always be skillful hackers, and these hackers will always have the means and the knowledge to hide from the government, even if the government has access to a much greater percentage of information going through the internet. If the government has fancier tools to access things like email, hackers will be more careful/liberal with their use of encryption.
I believe that this bill is going to work a lot like DRM. It's going to put hackers and civilians alike in a more uncomfortable position, except that the hackers are going to figure out how to work around it fast enough that it's hardly going to make a difference, and the techno-ignorant (for lack of a better term) civilians will just have to deal with it.
So now how do you get a bill like this repealed, and after how much time? Imagine if SOPA had passed like this. I think a lot of people just give up after a bill like this is passed. Plus it's simply much harder to repeal it afterwards; it could be a decade or more. Just look at the Patriot Act.
No wonder the politicians want to pass some bills before Christmas or other vacations. They know once it's passed quickly, the population will do nothing serious about it, and it's over.
Why exactly would you want to repeal CISPA? Fast forward 1 year, at which time CISPA is in effect, repeal CISPA, and then fast forward again 1 day. How is that day different than the one before it? Be as specific as you can.
> as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service
allow a telecom to randomly hand private information over to the government? Because it sounds to me like it's not "necessarily incident" unless it's, you know, necessarily incident. Thankfully our court system has the authority to decide that as well.
In the case of CISPA, there are absolutely NO restrictions, and it's been broadened to apply to even more situations than just the provider's security. You are mischaracterizing the current nature of the privacy laws, unless you have something else to add?
Yes, it does. What is it that you think "incident to rendition of service" means?
(Not that I think this is dispositive, but I had an actual run-in with an ISP over this clause. They suspected me of hacking their service, because they read my home directory [yes, this is shell server Internet access; I'm old] and found SMTP code in it --- so they recorded copies of all my email messages. A friend worked there and ratted them out. I met with a (good) lawyer. The response: too bad, so sad. GO ECPA!)
It appears the EFF disagrees that cyber security threats were meaningfully narrowed in the amendments -- though this does not specifically pertain to any of my previous arguments.
> Unfortunately, this amendment doesn’t address the serious problems with the vague definitions. Even after amendments, “Cybersecurity system" defines the system that “cybersecurity providers” or self-protected entities use to monitor and defend against cyber threats. This is a “system” intended to safeguard “a system or network.” The definition could mean anything—a Local Area Network, a Wide Area Network, a microchip, a website, online service, or a DVD. It might easily be stretched to be a catch-all term with no meaning. For example, it is unclear whether DRM on a DVD constitutes a “cybersecurity system.” And such a “cybersecurity system” is defined to protect a system or network from “efforts to degrade, disrupt or destroy”—language that is similarly too broad. Degrading a network could be construed to mean using a privacy-enhancing technology like Tor, or a p2p protocol, or simply downloading too many files.
The exclusion which appears directly beneath the language they're commenting on exempts "attacks" that merely violate licenses.
The language they're commenting on also reads clearly: "efforts to degrade, disrupt, or destroy a system or network of a government or private entity". "Efforts" implies intent. BitTorrent doesn't intend to degrade, disrupt, or destroy systems (though if it violates license agreements it does establish a nexus for monitoring under the ECPA!).
Beyond that, look: obviously we can all play the Glass Bead Game to connect any piece of language in any bill back to any action we want to protect. This is why patents are so impossibly annoying to read. But at some point, Occam's Razor has to apply. The language in the amendment we're discussing simply isn't tailored to BitTorrent.
Even if a worse intervention is planned (like the one you described above) wouldn't passage of CISPA help to validate it? Probably even make it easier to pass because the Internet's rage has already been depleted?
No, that's not how legislation works. When you have two options, one an interventionist Democratic† bill and the other a self-regulating GOP bill, and the GOP bill passes, the Democratic bill does not find a more receptive Congress.
"Would limit government use of shared cyber threat information to only 5 purposes: (1) cybersecurity; (2) investigation and prosecution of cybersecurity crimes; (3) protection of individuals from the danger of death or physical injury; (4) protection of minors from physical or psychological harm; and (5) protection of the national security of the United States."
Without wanting to sidetrack the thread from the real issue of CISPA, I have to take issue with the quality of reporting.
"Many have found the bill to be troublesome, given that, in their estimation, its language was too broad to be safe. Also that the government could use the mandates and powers contained therein in ways that would be antithetical to privacy, and even in the cause of cyber security, could be too intrusive."
In their estimation, powers contained therein, antithetical. What happened to plain language?
"The language of the bill is too broad. It gives the government powers to intrude on the privacy of individuals. Even in the context of security legislation these powers are too intrusive."