Just read it. Unless I'm mistaken there's a liability shield. If that's true, this bill is bullshit. Liability shields do not protect consumers. They use the force of the State to protect corporations, which is totally against the free market.
"EXEMPTION FROM LIABILITY.—No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith"
The liability shield is practically the whole point of the bill; there are something like 10 federal laws that restrict what information can be shared in any circumstance, intentionally or not, which precludes a bunch of different forms of cooperation during an attack.
A simple use case for this law: you are under a concerted DDOS attack. Your network deals with, say, drivers' records. Drivers' records are protected under the DPPA. You want to share NetFlow information with a 3rd party DDOS tracking service. Today, your general counsel needs to authorize any such sharing explicitly. Post-CISPA, you could make arrangements to share that information automatically.
Problems sharing information due to existing federal laws and the liability shield, to me, are unrelated. And what is the point of existing laws if they're just going to create another layer of laws to bypass them? Who's going to oversee this network of cyber security entities? The State? I just don't see much accountability in that. Maybe if there were independent, non-state third parties reporting to consumers and providing transparency.
This is in my opinion a totally reasonable criticism of CISPA.
Taking the opposing position, I might argue:
(a) Our total ineffectiveness at responding to current network security attacks is such a pressing issue that a legislative "patch" makes sense, rather than spending time litigating fiddly changes to tens of existing statutes.
(b) It might not be to our benefit to relitigate the protections of those existing privacy bills; the result might be a weakening of existing privacy protections. Creating a common-sense exception that says "you can share malware or DDOS netflow traces no matter what kind of company you are" might leave our civil liberties safer in the long run.
You don't. You only need to reveal information that could with analysis be used to derive information protected under some piece of privacy legislation.
Incidentally, the DPPA wasn't written to lock down the DMV.
I use the DPPA as an example of surprising limitations on the ability of private companies to share operational data that could conceivably, due to operator error or time constraints, include protected information. Another example: FERPA.