CISPA 'dead' in Senate, privacy concerns cited (zdnet.com)
284 points by microwise 1608 days ago | hide | past | web | 92 comments | favorite

"Undead" is more like. This thing will keep coming back under different names until it passes.

Isn't that how it is supposed to work? There is pretty widespread agreement even among opponents of CISPA in its current form that the problems it is trying to address are real, serious, and need to be addressed, and I believe that there is even wide agreement that CISPA addresses them. The objections are that it needs some tweaking to prevent abuse (e.g., tighten up some definitions). Why should it not come back after those tweaks are made?

If it were coming back "tweaked" to address the flaws of the bill, then sure, that'd be how the system is supposed to work. Except that's not what's happening and things aren't working.

The issue is that CISPA is fundamentally flawed; I have no doubt that there are well-meaning people who believe we need something to address the problems CISPA allegedly addresses. But any solution which consists of "first, we stop caring about the Fourth Amendment" is a non-starter and must always be.

The 4th amendment protects against unreasonable searches and seizures, not all of them.

Would you find it unreasonable to have a search warrant on every single American's internet activity? As far as I understand it, that is, in effect, what CISPA proposes.

> a search warrant on every single American's internet activity? As far as I understand it, that is, in effect, what CISPA proposes.

not at all. please read the bill. it says nothing of the sort.

Except that it does, and that's why it's being pushed. See new details uncovered by EPIC:


CISPA's true motivation is becoming very clear. It's needed to expand a pilot program for dragnet surveillance by the NSA and defense contractors. You know, the same thing they've been doing for ages and getting sued over by the EFF. If you read the letters in support of CISPA by the defense contractors who are lobbying for it and funding Mike Rogers who authored it, they even acknowledge this program by name (it's called the DIB cyber pilot).

That's why the bill is so vague, and why they refuse amendments to narrow the scope. It's a get out of jail free card for complicit companies and they can claim virtually anything is related to "security". They can also be wrong, as long as they claim it was "in good faith". It's more or less the "state secrets privilege" equivalent, but for companies cooperating with the "data sharing".

It solves nothing, because it's already legal to share threat data. You just have to scrub it of private or protected information. If it's protected, it's because we passed a law for something we felt was worth protecting. For CISPA to just undo all of those laws wholesale is outrageous.

It's needed to expand a pilot program for dragnet surveillance by the NSA and defense contractors.

What horseshit! Even your own link describes the program as applicable to private networks of the participating companies. That's why there's a quote from an email wondering (emphasis mine) "Will the program cover all parts of the company network -- including say day care centers (as mentioned as a question in a [deputies committee meeting]) and what are the policy implications of this?"

No, you stopped reading too soon. It's being extended to ISPs, and customer data.

I didn't stop reading.

This is not what CISPA proposes. It really isn't.

There are a lot of advocacy organizations (EPIC, etc) that like to bluster about what it does. Right now EPIC is blustering that it's part of authorizing a secret program.

What they didn't tell you is that their real goal is to gain possible congressional support for the FOIA request they filed; they are just trying to tie it all together so they can gain support from CISPA haters.

A lot of these advocacy orgs that lobby are good in the sense of trying to do what they think is right but they often present pretty extreme (IMHO) interpretations of bills/laws and viewpoints to support this.

Full disclosure: I have interned at one of these advocacy orgs before (CDT).

It's true the government would be happy if they could monitor everyone's activity, but that isn't CISPA, and crying wolf repeatedly about every bill just makes people less likely to care. If they really wanted to monitor everyone's activity, they'd just do it, and clean up the mess later.

Like passing retroactive bills so it's "not illegal". (Not saying this one is just that, but they have done it in the past so the telcos didn't get sued, I believe.)

Sure, but note that this is completely constitutional, the constitution explicitly grants Congress the right to set the jurisdiction of all courts inferior to the Supreme Court.

And when the guy sysoping your data is the one who makes the decision about what's reasonable...?

Except the ones that aren't unreasonable are carried out with a judge's signature or have very narrow latitude (plain sight, hot pursuit).

And is not part of the problem here trying to determine the "cyber equivalent" of such things as plain sight and hot pursuit? A lot of what goes on online is the equivalent of high noon in the public square, even if people don't quite understand that.

No. The judge signature is basically the other part of the 4th amendment, about warrants. That is what makes an otherwise unreasonable search, reasonable: it was reviewed by a neutral magistrate, and the neutral magistrate determined they had probable cause.

If the search is reasonable, you don't need anything from a judge.

This doesn't mean you can go busting into places, but ...

What? No, no, no, NO. That is completely wrong. There are cases where a warrant is not necessary, such as immediate danger to an officer. However, a warrant is issued only upon probable cause. This still needs to be reasonable, and the judge is the one who decides if the search is reasonable.

What? You are confusing the warrant requirement, which is completely separate from the reasonableness of a search.

I'm not sure how you are coming up with what you think is the analysis, but every law school textbook, Supreme Court opinion, etc., will tell you that you start with whether the search was reasonable.

If the search was reasonable by law, there is no 4th amendment violation. Period. Maybe you are confused because they often say these are not searches? For example, you will read that doing helicopter flyovers, even when looking in people's fields, is reasonable (which at the time meant it wasn't a violation of the subject's reasonable expectation of privacy), and thus not considered a search that is subject to the rest of the 4th amendment. This isn't because it's "not a search" in reality; it's because the 4th only protects against unreasonable searches and seizures, not all searches and seizures, and thus, for the rest of 4th amendment purposes, it's not a search.

If the search was not reasonable, it either has to fall into an exception, or requires a warrant.

Now, current jurisprudence considers most searches without a warrant unreasonable (subject to plain sight, automobile exceptions, etc), but that is irrelevant to the steps in the analysis.

You seem to be mixing a lot of the analysis and requirements around.

A passable CISPA is one that wouldn't allow companies to share information specific to its users (except it's not that simple, if I'm a hacker do I get some kind of special immunity if I register on the website I hacked? What if part of the hack required me to register, is that information suddenly invalid because I have a username and a password?).

I should be able to share the md5s of malware I found on my system with my direct competitor without being hit in the face by the Sherman Antitrust Act. I should also be able to disclose to my users/the public that I was hacked in the first place, without fear of being sued.

Are you seriously saying these aren't problems?

As far as I can tell, I argued that the "solution" CISPA offers is one that is not compatible with the Constitution of the United States.

Again, that makes it a bit of a non-starter, regardless of what problem it's attempting to solve.

If you invite the soldier into your home, you're bypassing the Constitutional protections you're granted. If Facebook gives its information to the government willingly, there is no Constitutional question to be had. CISPA was a voluntary program, you had to solicit the government in order to be involved, not the other way around.

CISPA is not me inviting police in to search my home. It's someone else coming into my home on behalf of the police, conducting a search the police couldn't legally do, and then reporting back on the results to the police. And they're doing this with the encouragement of the police and with a promise of legal immunity from the police. But we're going to pretend that wasn't really a search and that the restrictions that apply to the police don't apply here.

That's not true at all, the police are entirely capable, legally speaking, of performing the proverbial search. They just don't have the manpower or the expertise.

Furthermore, you don't have to invite anyone into your home if you don't want to, and yet even further you can tell the people you ask to come into your home to not share the information they find with the police. No idea why you would do that, but you absolutely can.

But you haven't explained why it is incompatible. It looks perfectly compatible to me.

Correct, those are not problems. You can do both of those things already, and they're done every day.

Incorrect. Facebook can't legally aid its direct competitors, and Facebook can currently be sued by its stock holders if it discloses that it was breached and as a result of that disclosure the stock drops.

Incorrect, Facebook can and does do this, and I've personally worked with them on it while being at other companies. Furthermore, the opposite is even true - they have a legal obligation to disclose most breaches. There is no basis for any part of your claim and it's not consistent with how Facebook is actually doing security today. Without CISPA.

What they can't do, is give someone like me private info from user accounts. And they don't need to. And that's the way it should be. Do you really want me reading your private messages with impunity because I'm investigating a security incident? And do you want me to then share it with all of the other companies involved in the breach? Do you care if I leave dirty messages between you and your wife on an unencrypted hard drive somewhere, and people read it? Under current laws, I'd be liable for that (if I actually needed it in the first place).

You shouldn't.

Under CISPA, I can't be charged or sued for any action taken in good faith. I'll just say "oops, sorry, it was an honest mistake while investigating a security incident".

(Not that this use case has anything to do with what is actually motivating CISPA anyway, but I will refrain from repeating myself)

Also, for what it's worth, I've worked with AV industry groups and they all share not only hashes, but actual samples as well. Every single one of them. I'm not talking passing around an interesting sample or two, but full, multi-gigabyte feeds. I don't know where people get the idea that they can get sued for this; it's silly and it's not true.

CISPA wouldn't stop a hired security analyst from reading your Facebook messages, it'd stop Facebook from sharing them with the government. Under a passable CISPA, anyway. And furthermore, the whole point of CISPA is to explicitly codify some very grey area. It is possible they do indeed share threat intel with their direct competitors, but there is no legal precedent for doing so. The whole point of CISPA was to lower that risk exposure for these companies.

And Facebook has no obligation to disclose breaches, not legally, anyway. Where did you get that information? And even if they somehow do have a special obligation, most companies do not, so it's not really relevant. The example is apocryphal.

And AV isn't who this is about, it's about the people who make a living off of having indicators you don't have. I shouldn't have to hire a company who's been hired by everyone else to get the collective knowledge of what hackers look like. They're criminals, and the government takes care of criminals.

> And Facebook has no obligation to disclose breaches, not legally, anyway. Where did you get that information?

For someone repeatedly making demonstrably false assertions, you are oddly sure of yourself. You're not even challenging a viewpoint here, you're just straight up talking out of your ass. You should stop doing that.

I didn't know California law applied to every company in the US. I said Facebook was just an example, and that it's not important if Facebook specifically does or does not have to disclose breaches, or can you not read?

I have not heard a clear case made for where current laws fall short. The existing Computer Fraud and Abuse Act (CFAA) has massive teeth that can be sunk into nearly anyone, and it's but one of many laws that can be used against someone.

For example, the only reason adservers & their cookie tracking escape is because they fall short of the $5000 minimum damages established in law.

One of the main CISPA focuses seems to be upon data-sharing initiatives. Yet I've heard very few examples of where cyber-law hasn't been effective & would have benefited from such federal oversight. The case has been poorly made, so I'm not sure why you're on about objections- objections are a thing that get made once someone has a case, and CISPA seems far more like something the government just wants to do than anything it's tried to justify.

Some people oppose CISPA because of fixable issues regarding privacy or overly broad scope; some oppose it because they think that it'll let the government spy on every URL they visit or allow the MPAA to take down all of Facebook for copyright infringement. According to the latter, CISPA isn't just a bad idea, it's pure malicious evil - the people supporting it need to be defeated so soundly that they never even try to bring it up again.

Unfortunately, that latter group is quite well-represented here on HN.

You make it sound as though those are the only two kinds of people on this issue: those who are reasonable and think CISPA can be fixed, and those who think CISPA is a bill to make spying on every American citizen the legal obligation of every ISP and internet company.

You leave no room for the vast majority of us who believe that the US government already has more than enough authority to spy on people; the government can get a warrant for collecting all of the data they currently want access to. Pretending the government doesn't already have the tools needed to enforce the law is disingenuous. Pretending that this bill is a "reasonable" response to real problems is disingenuous.

It isn't a debate between calm, rational, reasonable people who think the bill is fine (with maybe a tweak or two) on one side, and nutjobs who are paranoid and think like Gene Hackman in The Conversation on the other. There are reasonable people on both sides...but, I question the intentions (and possibly the integrity) of people, particularly people in the tech industry, who support the bill as it stands today.

It shouldn't be surprising that so many people on HN are uncompromising on Internet freedom. It's something we know more than most about, and something we care more than most about.

Actually, I was talking about the difference between rational, principled opposition and irrational, apocalyptic doomsaying. The groups I gave were meant to be examples, not comprehensive enumerations of every possible belief. Based on your reply, I'd consider you part of the first group - you've articulated a reasonable position that's based on your own beliefs and principles, and I can respect that even if I don't agree with it.

It wasn't my intention to offend by excluding or ignoring anyone, and I'm sorry if my post came off that way.

Do you remember the Ecomom story yesterday, where the VP of Sales had no responsibility for ensuring profits were realized, only for ensuring that revenue was high?

That's the kind of problem that CISPA proponents are trying to solve with regard to "cyberspace security". It's not supposed to be another way for the government to obtain information on people or threat groups, for the exact reasons you listed. It's supposed to be a way for the private sector and government to cooperate on network defense, sharing information as necessary to provide a coordinated defense in response, investigate attackers, etc.

Government can't do it alone as the private sector controls the networks and has a lot of the needed expertise. The private sector can't do it alone as they have no legal authority, which is quite deliberately retained with the government (especially in light of what happened to Sunil Tripathi).

There are actually similar arrangements already in place in other areas. For example disaster relief/emergency management has a lot of tie-in between Federal, state, and local governments, DoD, and NGOs such as the Red Cross, all of which have pre-planned responses to various disaster scenarios. But these can be done without changes to the law, which is at least somewhat unclear in the case of coordinated network security.

Now CISPA as it currently stands is dangerous because it still doesn't provide enough privacy protection (especially on the commercial -> government direction), but please don't act like it's just another feeder source for the FBI, as if that were the only possible motive, especially given existing issues such as the Aurora attack on Google.

Everybody and their dog in the industry, as well as the 200 or so companies hit, got the inside scoop on Aurora, and CISPA does nothing to make that easier. You're being fed BS if someone told you that was a CISPA use case.

> Unfortunately, that latter group is quite well-represented here on HN.

And most of the US except for a few industries with powerful lobbyists.

[Citation Needed].

Reality is, as far as I can tell, tech oriented folks care a lot. "Most of the US" probably doesn't give a shit one way or the other, or worse, would be okay with it.

In a US where a significant percentage of people believe we should be throwing the constitution out the window to 'fight terrorism', you are going to need a bit of evidence to support the idea that it's 'most of the US except for a few industries with powerful lobbyists'.

As long as the people that wish to see it pass are around there's a group of people that don't want to see it pass fighting it. If we keep the public educated on the consequences of such bills we'll keep playing this game but hopefully gain a bit more support on each iteration.

This is one of those scenarios, as I see it, where it is as easy as supporting the groups battling on the hill and educating/informing your friends when the topic comes up over a beer or such. My girlfriend asked me yesterday about what a "Kispah" was. Once I figured out what the hell she was talking about I simply gave her the quick overview of what it was introduced for and why it is against our best interests. She knows now and can make up her own decisions on support.

That is the thing though. The senators and interest groups who want this passed understand how to work around their opponents. I'd predict there will be some sort of major hacking scare and this bill will piggyback on that and pass while everyone is scared and willing to forego their rights.

Yeah, they'll just chop it into pieces and attach them to "must pass" legislation. These guys know what they're doing.

I will predict that this does not happen within the next 5 years, 85% confidence.

Questionable confidence ratings aside, what you're betting against is a very narrow example of the many things that could happen that would push this through. It died once and is back; it got farther this time, and whether it's because of a hacking scare, because even fewer people are paying attention, or for any of myriad other reasons, it will eventually go through.

It's the price I'd put on it if Intrade were still around.

Mind if I ask how you explained it to her (in what I'm guessing was a relatively short time)? It seems to me that most explanations of the bill are very biased one way or another, or don't mention enough detail to be worthwhile.

No joke - Obama threatened a veto on privacy concerns and the Senate punted on it - and yet:

The government is dead serious about turning every sizable company on the internet into a part of a gross-national cybersecurity infrastructure maintainer, and they are not going to quit until the internet has been adequately leashed by the legislative hand.

If corporations are people, this is definitely a violation of the 3rd amendment. Look it up, you probably haven't heard of it in the past couple hundred years or so.

> The government is dead serious about turning every sizable company on the internet into a part of a gross-national cybersecurity infrastructure maintainer,

Which government? The head of the executive branch that threatened to veto such a thing over privacy concerns, or the Senate that wouldn't even give the bill the time of day (again, due to privacy concerns).

The government is a big damned huge complicated thing. Statements like "The government wants to do X" are silly simply due to the scale, even more so when two distinct pieces of "the government" are blocking the action you're asserting as their "dead serious" goal.

'tzs is being dry, so, just so you know: the 3rd Amendment is the one that says you can't quarter soldiers in people's houses.

Explain the third amendment bit: "No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law."

Who exactly is suggesting we house soldiers in peoples' houses?

If I understand the GP correctly, the claim is that we are now perpetually at cyberwar and CISPA would invite cyberwarriors into everyone's home.

How is that "quartering soldiers?" Or do words just mean whatever we want them to mean?

Well, if what you do virtually online can be considered on a par with what you do physically, so inciting terrorism on Facebook for example, there has to be some sort of parallel with virtual soldiers, which we could refer to as spy service spybots, spying on our computers in our homes, or on our mobile devices.

I'm not sure the government can on one hand work that logic to prosecute citizens, while not applying the same logic to its own activities.

So, things have moved on and so "quartering soldiers" applied to today's society should apply with the same logic used elsewhere. Especially if elsewhere is the law.

Words don't mean whatever we want, but their meaning does change and evolve over time to reflect current society.

> Well, if what you do virtually online can be considered on a par with what you do physically

But it isn't. That's why e.g. the CFAA is separate from plain old criminal trespass.

> Words don't mean whatever we want, but their meaning does change and evolve over time to reflect current society.

Sure words evolve, but some words are more amenable to evolution than others. "Quartering soldiers" is a very specific term, referencing a very specific grievance that the colonists had with the British. It has nothing to do with spying--the grievance was about being forced to "quarter" (literally, to furnish with lodging) soldiers and bear the expense of doing so.

> Words don't mean whatever we want, but their meaning does change and evolve over time to reflect current society.

This is true, but there is some matter of consensus for language shift. Furthermore, if the meaning of words shift, laws become invalid rather than simply applying themselves overbroadly. A law containing the word A meaning B does not suddenly include C, D, and E because society moves on.

This is obvious in any other setting.

More like the farmers who grow the food we eat would be begging the cyberwarriors to look at the footprints the bandits left behind.

But hey, what's accuracy when you've got passion!

That is quite a stretch.

> If corporations are people, this is definitely a violation of the 3rd amendment.

How so? I don't see anything in either the actual CISPA nor the imaginary CISPAs that much of the internet thinks exist that would raise a 3rd Amendment issue.

The 3rd amendment doesn't exist anymore. It only applies in time of peace, and we are now in an eternal global war on terror.

We have always been at war with <enemy>. I kid, but I honestly wasn't aware of that, was the constitution written to exclude wartime or did somebody have to amend it because some condition was untenable during wartime?

The third amendment has always stated "in time of peace". The specification is due to the fact that any foreseeable war was to be fought on US soil (War of 1812!) and we didn't have the infrastructure to deal with housing troops in the event of that war.

I don't think SCOTUS has had to interpret "time of peace" in the 3rd Amendment in modern times.

I don't think you understand who's asking the government to do this.

That's why an online-rights law should be passed, so the offensive things that these bills try to do are shut down as a matter of law.

The US Legislative System is built for gridlock. Lots of things come up again and again over the decades, but passage remains unlikely - especially for an issue where the opposition is more engaged (see gun control).

It's neither. It's tabled until the Senate finishes their own CISPA-like bill, which will presumably be merged with CISPA before being passed.

There should be measures put in place preventing lawmakers from sneaking in questionable (or any) legislation. It is a wanton subversion of democracy to employ underhanded methods to pass unpopular laws.

What exactly is "underhanded" about CISPA? They've got a coalition favoring it that includes companies like Google and Facebook. It's not an unpopular law, except among a small demographic of civil libertarians (and not even really among traditional civil libertarians, just the internet-focused ones). Average people don't care.

An unpopular law would be something like cutting Social Security benefits. That's something people would actually care about.

arjn isn't saying CISPA itself is underhanded, just that the tactics employed to push it through may be. He said CISPA was unpopular, and you can't argue that.

I argue with both of these points. What's underhanded about how it's being passed? It's a bill being voted on like any other.

And CISPA is not unpopular, at least not generally. Most voters have no idea what it is, nor would they care if you explained it to them. What you really have is one small bloc: Google, Facebook, government security people, etc, supporting CISPA, and one small bloc, the ACLU, EFF, etc, opposing it. If CISPA gets passed, it's not some sneaky thing getting passed in an underhanded way against the wishes of the majority of the people. It's one small bloc winning out over another small bloc over an issue the majority of people don't care about.

Mm, I agree with this just on principle, but the problem is that not every law that needs to be passed will be popular.

(The problem with having representatives just being direct, non-autonomous proxies of their constituents is that people will vote for things that benefit them and then not vote to pay for it..)

I've complied with a number of US federal requests made to a corporation that sells internet access and hosting. The requests started out as federal subpoenas detailing exact information to retrieve. Then they started to slide to unofficial requests for "everything you have" on the target and finally settled on, "please observe this account and search for anything we can use to get a subpoena." That was 10 years ago. What exactly is the victory here?

When you "observe this account and search for anything we can use to get a subpoena", have you not made yourself an agent of the government? You are now looking at client information on request of the government. I'd think that triggers the "unreasonable search and seizure" and could (I hope) result in a mistrial.

Anyone taking a look at the Senate bill S.2102? http://www.gpo.gov/fdsys/pkg/BILLS-112s2102is/pdf/BILLS-112s...

Is this the democrat sponsored version of the bill? From what I understand, it's even worse from a privacy standpoint, but I haven't read it myself. Any insight?

Expect it to be introduced on a Friday night and quickly, quietly passed with no notice.

Why wouldn't they have just passed it now? I mean, it might be re-introduced, but surely the idea is to deal with these concerns before doing so, or it'll just be dropped again?

Not usually. Usually the idea is to wait until all the publicity dies down and then quietly slip it through when nobody's looking.

CISPA will come back under a different name. Here is some historic context: http://blog.ted.com/2012/01/18/defend-our-freedom-to-share-o...

tl;dr "Time Warner called, they want you back on the couch!"

I'm glad it's dead (again), but it took a long time to kill the misnomer of "Net Neutrality", and I suspect CISPA is going to take a lot longer to go away.

I will always be afraid of legislation that continues to use the term "cyber".

That deflated quickly.

Thank God we have the Senate to check back for a tiny bit of the House's lunacy.

For those not familiar with the legislative process in the U.S., the Senate does not have to pass CISPA. They just need to pass some cybersecurity bill, which can then be conferenced together with CISPA.

Some will take this as proof that the system is broken, but the truth is that we really do need some improvements and clarifications of certain laws to help companies improve their security. If the Senate passes a bill with better privacy protections, those could survive a conference and get signed into law.

> but the truth is that we really do need some improvements and clarifications of certain laws to help companies improve their security.

Oh, well, since you put together such a persuasive argument.

The only people who disagree with this statement are people who are simply not informed.

What you see from groups like the ACLU, EFF, Demand Progress, etc. is opposition to the specific language in CISPA, not opposition to the concept of a cybersecurity bill in general. They did not oppose the Senate bill last year for instance.

> The only people who disagree with this statement are people who are simply not informed.

Please try to be less obvious about your lack of arguments.

Well prove me wrong with substance if it's so easy.

> The only people who disagree with this statement are people who are simply not informed.

So I take it that you don't realize this is a logical error called Argumentum ad populum?

Actually, that's not only a fairly weakly implied argumentum ad populum, as it doesn't actually argue that the number of ignorant people is small or the number of non-ignorant people is large (though the use of "only" might imply that).

"The only people who disagree with this statement are people who are simply not informed" is more directly argumentum ad hominem, and, particularly, abusive ad hominem.

It's also, simultaneously, petitio principii, since claiming that disagreement with an argument can only be due to ignorance to support an argument is equivalent to claiming that the argument is true to support the argument.

I agree with your points, but I set out to mention just one logical error, and Argumentum ad populum seemed most apt as a single example.

The argument that only a minority of misinformed people hold a particular view is a negative version of Argument ad populum. Apart from that, I agree with your analysis.

It's easy to argue about logical fallacies because anyone can look them up on Wikipedia or Less Wrong.

It is harder to make a substantive case against the need for a cybersecurity bill because to do that, one would have to actually know what one is talking about.

Here is an example of the sort of distortion that the current legal environment is causing:

I hope you will consider the idea that if companies feel forced into going to lawyers for network security advice, the system might benefit from a bit of tweaking.

I take it you don't realize that arguing from logical fallacy is itself a logical fallacy?

(Ah, recursion...)
