I appeared on CNN this morning to talk about why I'm not buying Facebook (CISPA) (cnn.com)
214 points by kn0thing on May 7, 2012 | 69 comments

CISPA? What about the Facebook Terms of Service? They include the following words:

> We may also share information when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves and you from violations of our Statement of Rights and Responsibilities; and to prevent death or imminent bodily harm.

This is a broader privacy exemption than CISPA offers; CISPA (in its final amended state) actually goes through some effort to define and narrow the scope of what it's "protecting" and what "illegal" activity it governs. Unlike the Facebook ToS, CISPA explicitly excludes mere "violation of consumer licenses" from its scope.

I'll take the bait (not implying that you are trying to troll).

The difference now is CISPA gets the government involved. Up until now, yes, FB has had a relaxed attitude toward user data when it comes to the law. However, I and many others, believe the government and via proxy the MPAA and RIAAs of the world will now have access to this data and it will be misused and abused all in the name of CISPA and with authority.

A couple of responses to that which might change your reasoning (let me know!):

* CISPA is opt-in, so if Facebook doesn't want to share information with the government, CISPA isn't going to change its obligations.

* If Facebook wants to share information with the MPAA and RIAA, its Terms of Service already enable it to do so, explicitly.

* CISPA itself has gone through multiple successive drafts to eliminate the perception that it was merely a tool of license enforcement; the version the House finally passed (a) defines "cyber threat" specifically in regards to the "Confidentiality, Integrity, Availability" triad familiar to netsec practitioners (it is the first piece of federal legislation to do so, I believe) and (b) specifically exempts "consumer licensing" from the events that engage CISPA information sharing.

* SOPA was intended to provide countermeasures to "criminal" copyright infringement and actually did provide some government control over network traffic. CISPA provides no countermeasures of any sort; it only governs information sharing.

What are your thoughts on that? Do you think I'm misreading the law on any of those four points? Or, having been made aware of them, is your reasoning on CISPA at all influenced?

Thanks for taking the time to provide some excellent responses. I don't mean to insult your patience, but I don't think I could say it any better than chernevik did http://news.ycombinator.com/item?id=3939974.

He really got down to my issues with this bill.

* There doesn't seem to be a need for it. Was there a situation where justice was not served but would have been/ could be after CISPA?

* I just don't trust it, no matter how harmless it currently is. There is a term for this type of legislative process, not quite slippery slope, but it escapes me at the moment.

I agree with both of these issues. Not only do I not see a need for CISPA, but further, I don't think CISPA does anything; the sharing authority CISPA grants private companies, I believe those companies already had under ECPA.

I've been informed since I started reading and discussing CISPA that a primary purpose of this bill is actually the opposite of what people are worried about: that instead of getting private companies to share with the government, CISPA exists largely to provide a legal framework for the government to share information with private companies, so that when government systems are hit with new (say) Microsoft Office malware and "spear phishing" attacks, they can notify stakeholders in private industry.

So that's one reason for CISPA. Another might just be to encourage private companies to share more information about network attacks; the supporters of this bill are not wrong that private companies are loath to do that now for a variety of reasons.

But again, ultimately, I agree with you. I don't support CISPA.

> I've been informed since I started reading and discussing CISPA that a primary purpose of this bill is actually the opposite of what people are worried about: that instead of getting private companies to share with the government, CISPA exists largely to provide a legal framework for the government to share information with private companies, so that when government systems are hit with new (say) Microsoft Office malware and "spear phishing" attacks, they can notify stakeholders in private industry.

I honestly wouldn't have a problem with that (who would?), but I have to wonder exactly what sort of legal problems they were having in doing this and why they couldn't create private agreements allowing that?

It's possible (I don't know) that there's no way to get sensitive information about computer network attacks out of DHS, DOJ, CIA and NSA without some kind of legislative provision, especially if the government wants to be choosy about who gets it; all this stuff covers "selective disclosure", which, like it or not, is the only kind of disclosure there is going to be for a lot of these attacks.

> There is a term for this type of legislative process

In sales and negotiation circles, it's known as the foot-in-the-door technique:


The point of not buying Facebook because of CISPA would tell more if the point were expanded to the sustainability of their business model. For example, what does their support say about their relationship with users going forward? Bearing in mind that, as users currently don't seem to care, we're talking about a set of concerns that presumably will emerge down the road. What are those concerns and how will they emerge?

Remember that we're talking about questions that didn't exist five years ago, and to which there isn't any community consensus. Most investors won't understand the argument, never mind Alex's side of it. So educate them: Tell them how the issue speaks to how these choices will evolve, and bring forth concerns that are currently held by only a few people. Point out that it was a similar group of people that worried about the Microsoft OS model twenty years ago, and that they were so right that the work they did on their own on open source laid much of the groundwork for our current environment.

If you can get investors to link stuff like CISPA to business model sustainability, they'll go to school on the issues, and the conclusions they form will shape the equity marketplace for every social media company to come. But they have to hear what the debate is, and its implications for the businesses.

As a persuasive strategy this makes a lot of sense and I see the value of the comment. But on the specifics: do you have something in mind as to how CISPA might impact Fb's relationship with its users, or its business model? Obviously, I'm asking because I'm skeptical that there is any such impact, but I'm very interested in your reasoning.

Honestly I'm not a CISPA expert. I do see two concerns:

1. It seems to me that inviting government examination and regulation of network traffic, in the name of security, seems unlikely to make the 'net _more_ flexible, and potentially could lead to real rigidity that would be bad for development of 'net businesses and degrading the experience possible over the 'nets.

2. Stuff like CISPA is generally validating of 'net control regimes such as in Iran and China. As the malice of those becomes ever more apparent, US policies viewed as precedents and justifications will be suspect, as will supporters of those policies. Supporting this stuff will be like supporting tobacco companies and netting dolphins to catch tuna -- and may cause deep customer suspicion in a field where trust will be crucial.

Now item 1, more rigidity, could be seen as positive for incumbents like FB. To which I'd say that technology has already evolved around a lot of rigidity and that any business founded on a particular regulatory environment is dated to the moment when technology obviates those regulations.

Item 2 is more speculative, but I actually think more likely to prove telling. But it's going to take 5 - 10 years.

Someone more knowledgeable of CISPA could do better. The broader point of my remark is, figure out how those details relate to the Facebook business model and speak to that. Do that and you'll have an audience. And there's no need to rush, the stock will be around for a while.

CISPA doesn't add any regulation to network traffic. It doesn't impose government controls. It's an opt-in mechanism that purports to allow private companies to share information incident to security attacks on their services; what it does, essentially, is clarify the (already very weak) privacy controls of the ECPA to make it clear that companies who are being attacked can share traffic captures without being sued the way Google is now for the Street View fiasco.† It doesn't authorize countermeasures; it doesn't enable services to be shut off; it doesn't alter due process controls for the government to seize information from non-cooperative services.

With that in mind, I'm curious as to how your reasoning might change. Do you think an opt-in information sharing mechanism for corporations really validates the state-sponsored network access control used in Iran and China? I'm interested in how.

† They already probably can't be sued for that, but I believe the thinking here is that by spelling it out in black-letter law, companies will be encouraged to share information more than they already do; note that ISPs already do have programs to share attack information among themselves, but application service providers tend not to.

I have now spent 5 minutes on the EFF site and am now qualified to hold forth at length.

More seriously, that depends on the terms of "opt-in" and "sharing" and "security", yes? Such details make nice real estate for the Devil. I'm by no means convinced that the people writing these laws understand the implications and possibilities -- I don't trust their values because I don't think they have the understanding to even have values. Or understand how those values are advanced or eroded. What opinions I have of their values are formed by the SOPA episode.

To _my_ mind, I would need to see the compelling argument for why we need legislation in the first place. At which time I'd have to go to school on this more than I have. And most of the security problems I've read about have more to do with corporations doing a terrible job configuring their own equipment than with some remarkable threat that can only be met through government-organized action.

So in general, I'm against any law without some compelling need. I don't see one here, and that might be ignorance, but that's my view at the moment.

How would I relate that to Facebook? If my view were valid, my first stab would be, "They are supporting over-broad legislation, without a stated need, that could easily go wrong. That bespeaks a centralized-solution attitude contrary to the values that have built the 'net we have today, and unlikely to found the trust needed to make the 'net work best going forward."

But even if that withstood scrutiny I'm not sure their business is going to live or die based on what is essentially a question of corporate culture. If they don't die of something else, they'll get opportunities to change their approach on this stuff.

Your time would be better spent reading the CISPA bill itself, which goes to some length to define "sharing" and "security". I can summarize, but the firsthand sources are surprisingly readable:


As regards "opt-in": it's inherently opt-in, because it provides no mechanism for the government to demand information from any provider. Obviously, the government can already use court orders to get access to information. Beyond that, the bill explicitly prevents the government from making such demands; for instance: "Nothing in this section shall be construed to permit the Federal Government to... ‘(A) require a private-sector entity to share information with the Federal Government;".

As regards "security": the bill actually defines this term (a novel twist in "cyber security" legislation):

    ‘(i) a vulnerability of a system or network of a government or private
    ‘(ii) a threat to the integrity, confidentiality, or availability of a
    system or network of a government or private entity or any information
    stored on, processed on, or transiting such a system or network;
    ‘(iii) efforts to deny access to or degrade, disrupt, or destroy a
    system or network of a government or private entity; or
    ‘(iv) efforts to gain unauthorized access to a system or network of a
    government or private entity, including to gain such unauthorized
    access for the purpose of exfiltrating information stored on,
    processed on, or transiting a system or network of a government or
    private entity.

Probably right, if I had reason to take interest in fixing this corner of the law.

But like refactoring code, I don't see why I'd even discuss changing law without having some very good reason. And I still don't see why this is a good place to run the risks of unintended consequences and / or malign legislators.

Without diving in even as far as you have, my main problem with the proposed law is that it would remove FB's liability in complying, so the default will be to simply hand over any information related to any investigation. "Opt-in" is the obvious answer for a corporate entity wishing to mitigate its financial liability.

Great interview, but I feel there was a missed opportunity when the interviewer asked about Zuckerberg's comment "we don't build services to make money, we make money to build great services."

The panel acted as if that were an iconoclastic, even blasphemous thing to say. That attitude, that only focusing on quarterly results and "building shareholder value," is of course just the attitude that has gotten the business world in so much trouble. There have been some great articles of late exploding the myth of "shareholder value," from Steve Denning's brilliant Forbes article "The Dumbest Idea in the World" http://www.forbes.com/sites/stevedenning/2011/11/28/maximizi... to James Allworth at the Harvard Business Review talking about Steve Jobs and the Innovator's Dilemma: http://blogs.hbr.org/cs/2011/10/steve_jobs_solved_the_innova...

I thought kn0thing had a great answer when he described that as part of the ethos of "builder culture," to be sure. If only the panel had taken a moment to ask themselves whether that approach might actually lead to stronger profits and stronger companies overall, such as one of the best examples around, Apple.

The kind of discussion you (and I) would have liked to see doesn't happen on CNN.

kn0thing is a stellar spokesperson for the hacker community.

I am curious though, how did this (you becoming a go to commentator for tech) end up happening?

Thank you.

Well, before the SOPA/PIPA frenzy of MSNBC, CNN, CNBC, Fox, and Bloomberg... I became a 'regular' tech correspondent on Bloomberg after moving to NY and appearing on a panel moderated by Margaret Brennan. She invited me to appear and they kept inviting me back (they liked the combo of 'good on air' and 'actually did it').


To their credit, BloombergTV let me talk about SOPA there before any other broadcast TV news channel.

After Soledad had me on to talk SOPA/PIPA protests and she and her producers dug my style.

CNN even let me announce my joining the DonorsChoose.org advisory board meeting on air at SXSW.


I know Brennan's a wahoo, the first time I saw you two on air together it almost seemed like you guys knew each other from college it was so...comfortable.

As I understand it, and from very limited experience: it is extremely difficult to speak that naturally and coherently on television. It seems plausible that having spoken compellingly once on CNN (when Reddit was at the center of the SOPA debate), CNN has now locked onto him as a viable tech commentator.

(I'm glad of that, in case that comment sounded dismissive.)

There's also a media "stamp of approval" effect going on: get cited as an authority once on X by a major publication (CNN, NYT, etc) and you go in everyone's Rolodex for it.

There is at least one reporter at a well-respected news organization who thinks that "Patrick appeared in the NYT and said 'Japan'" makes me an excellent source for coverage of Japanese politics. (Who is the prime minister right now?)

> (Who is the prime minister right now?)

It's Yoshihiko Noda.

Try telling them you learned everything you know about Japanese politics from watching "Reform Without Wasted Draws" (ムダヅモ無き改革) ;)

A difference, to me, is that they don't have as great a pool of people to choose from who are knowledgeable about Japan, are connected (and speak English). I think in his case, they do have a good quality pool but feel comfortable with his subject matter knowledge and demeanor.

Surprising that no one corrected her about "Zuckerberg owning 57% of the company", but I guess it's a) not that important and b) rude to correct the host. (I think he only has about 28% but controls 57% of the voting stock).

I know!! I kept thinking that throughout the interview. It's implying his wealth is much greater than it actually is (not that it isn't great already)

I was going to make the same comment but before I made it I "CTRL+F" 57 and found your comment.

"...and the rest would be up for sale"

I don't think she understands how IPOs work.

Very eloquent knOthing, keep keeping it real on the big media stage. Not sure if I will follow your stock tips though.

Thank you! Hehe. Admittedly, fb is probably going to keep crushing it - I just wish they weren't crushing our open internet, too.

While I agree, they're such a huge target, and so reviled amongst open types like yourself, I tend to take the more conservative angle on them: If they were really so insidious, there'd be more smoking guns. More scary activities.

As it stands, Facebook does what it does pretty well: gives people a place to communicate with each other. The walls of their interactions have a lot of holes, and you hear them complain, and you certainly see Facebook toe the line, but I think they've mastered that sport, especially as they approach 1 billion users.

I'm curious if reddit will make any information public on any requests for user information by the government. Something like http://www.google.com/transparencyreport/ would be nice for a site that is as open as reddit.

For those of us at work with mute permanently turned on of necessity, a quick summary?

- He's not planning on buying FB stock because of their support for bills like CISPA.

- Investors might not like Zuckerberg's "builder culture"

- He wouldn't be surprised to see more acquisitions by FB

- We need more programmers

- When he sold Reddit to privately-held Conde he knew who he had to satisfy, unlike Zuckerberg and his investors.

As the headline suggests, CISPA.

Loved the silence when Mr Reddit discussed his ethical reasons for not investing. It seemed lost on the panel.

Video cuts off at the end while he's still talking

You didn't miss much. Just one of the guests making fun of how geeks dress.

It also starts abruptly (get with the program, CNN video editors!) ... did we miss anything there?

Umm, I don't recall. Just some talk about how Warren Buffett isn't investing. And Soledad liked my choice of Jay-Z for the 'intro' music guest can select.

Great job, though I wish it was made clear that CISPA, etc. and Facebook's willingness to participate threatens FB as a business.

How does CISPA threaten Facebook as a business? If CISPA did threaten Facebook, why did they publicly support it?

I'm lumping in CISPA, SOPA, PIPA, etc. as the government's march towards controlling the internet. I believe government isn't always perfect and this type of legislation and legislation that follows will result in experiences and situations FB users don't want.

So, just to be clear: SOPA and PIPA are wildly different bills from CISPA. There's really barely any relation at all. It's much, much easier to make a case for SOPA impacting Facebook's business.

Be clear on what? Your opinion? I think they are very related, as they are both trying to control digital communication, one is in the name of security, the other in the name of piracy. I believe in the end CISPA can be (ab)used to provide the government the same tools as SOPA/PIPA.

At this point we are talking about personal opinions, which no one can really be right, but I am not alone[1].

[1] http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...

Have you read the amended CISPA bill that the House passed? Could you point to something in it that leads you to believe that it provides any of the tools of SOPA? I know these discussions get contentious, but, respectfully, I don't see any mechanisms in CISPA that would enable the government to "control" anything. The bill literally does nothing but provide a mechanism for potentially private information to be shared; it is explicitly opt-in, meaning Reddit can't be forced to share anything under the terms of CISPA. There is no sneaky clause in it anywhere that would enable the government to, say, shut off an Internet connection, or turn off a DNS name.

I bring this up because there has been a lot of very terrible reporting on CISPA alleging all of these things; from what I can see, that reporting squares up with no version of CISPA that has ever been submitted.

If your primary source of information about CISPA is, say, Cory Doctorow, then of course I can understand why you think it might negatively impact Facebook to support CISPA. But Doctorow appears to be flatly wrong about CISPA.

Finally, that Wikipedia section is a hodgepodge (tracking opinions on evolving current events is not something Wikipedia excels at). It would be easy to get the wrong idea from that list, because many of those sources are discussing multiple different bills and weren't written or intended as coherent oppositions to CISPA.

You're welcome to believe whatever you want, but you're not welcome to your own facts. If you can point to specific language in CISPA that would relate to or enable powers similar to SOPA (or any powers to control digital communication at all), I'd be really interested to see it.

In addition to opposing CISPA on moral grounds, do you think that Facebook's attitude towards similar issues and their willingness to compromise user privacy will have a negative financial impact? That is, will enough users turn away from Facebook because of a fear and poor user experience to cause the company to lose money?

Q: Who uses Facebook? A: Millions of MySpacers


"We've never seen a company like this before, ever. I mean it knows things about our private lives that no one else does."

Um, I would be inclined to say Google knows far more about us all than Facebook does or can ever dream of.

That's interesting. Is this view shared by other YC Partners?

How do you go about buying Facebook stocks as a Canadian?

Just like you'd buy any other stock on the NASDAQ or NYSE...

Most banks (CIBC, RBC and TD) have their investment vehicles. Be prepared to pay as much as $40 commission per trade + 1-3 cent per stock. Look into this option if you already use online banking and like to keep your investment aligned with everything else.

Otherwise, look at discount brokerages like Questrade (Toronto based) and eTrade to execute orders. $9 per trade.

Or Interactive Brokers for around ~$1 per trade. I think they are a Canadian company too, not just someone who offers Canadian accounts.

What is Facebook?

It's a social network like MySpace and Friendster.

Pfft. After watching the death of those previous companies, no retail investor would be dumb enough to buy stock in another.

I'm sure they've learned their lesson about investing in "hot" companies.

Like investing in Apple after learning about the deaths of other mp3-player-companies?

You really think that is a good comparison? I am not an Apple user, but Apple nowhere in my mind competes with MP3 player makers. It is a vast tech company with massive investments in designing and manufacturing of MP3 players to Laptops, phones and developing a host of really large software.

That is not Facebook, it sells nothing other than the network, much like MySpace used to. If your friends drop off Facebook, you will drop off too. That is not the same for Apple. Apple users will continue using the products even if their friends do not. It's a personal device.

> If your friends drop off Facebook, you will drop off too. That is not the same for Apple. Apple users will continue using the products even if their friends do not. It's a personal device.

This works both ways. I use Facebook because my friends are there. I use Apple products because I like the products. Switching social networks has a high friction point - all my friends need to move. Switching phones is my own choice and easy to do.

Look how much easier it is for Google to gain half the smart phone market compared to how (relatively when compared to Facebook) unsuccessful they've been at getting "social network" market share. I think a very good argument can be made that Facebook's position is more defensible than Apple's.

> Apple users will continue using the products even if their friends do not.

A lot of the value in Apple's products comes from the ecosystem: iTunes, the App Store, and so on. Don't discount the value of a platform on which a large number of developers are incentivized to build.

To be fair, you'd equate this to Facebook's own integrated ecosystem (groups, events, marketplace) -- not your friends. There's benefits to having my friends and I both on iOS (iMessage, etc.), but the deciding factor for a social network are the people, and if your friends aren't there, it doesn't matter how many party RSVPs I send out.

> It is a vast tech company with massive investments in designing and manufacturing of MP3 players to Laptops, phones and developing a host of really large software.

It is now, but the iPod is a good portion of what made all that possible.

If you want to use directly comparable companies (recent social network IPOs), it's still inconclusive.

ZNGA: sends lots of traffic to facebook, gets users from facebook. Not a great investment for people who bought at the IPO ($10, $8.36 now), but not horrible.

LNKD: ($45 IPO, $114 now) -- social network, but professional vs. personal/social. Small percentage of the company was put on the market, so I'm not sure how valid the market cap really is.

psst... I was just being sarcastic... why down vote?

Read the FAQ (see http://ycombinator.com/newsguidelines.html ) - Some posts are considered "Content free" - Also, I didn't downvote you. Do try again!

Because it added nothing of value to the conversation, since it was pure noise. The moderation system on HN exists to promote high signal, low noise discussions.
