by belak 3895 days ago
There's an AMA on reddit right now with the EFF, Access, Fight for the Future, FFTF, and Demand Progress about this.

https://www.reddit.com/r/IAmA/comments/3qban2/oh_look_its_th...

Looks like it just started a few minutes ago, so no idea if it'll be useful, or not.

2 comments

I'm never super happy with EFF's advocacy (I think they do good and important legal and technical work but I'm almost always unhappy with how they represent policy to the public).

I've been uniformly discouraged by FFTF's advocacy, which I find goes way past "misleading" into "straight up dishonest", such as their recent piece that strongly suggested Facebook supported CISA (a fact not in evidence, for whatever that's worth) because doing so would immunize them from privacy suits for user data so long as they dumped all that user data to the USG. No reading of CISA gets you to that.

Example from today's AMA is FFTF's claim that CISA "exempts itself from FOIA", making it impossible to challenge in court: they're referring to Sec 4 (d) (4) (b), which exempts from FOIA individual shared indicators, which of course must be the case, because indicators are things like compromised account names and passwords. That's all the law exempts from disclosure.

It is uncontroversial to state that corporations and special interest groups frequently lobby in public for a position and in private against a position. Frequently you know this only through un-attributable information passed to you.

Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true. The purpose of calling out Facebook is an attempt to force them to align their public and private positions if they differ.

As usual, Marcy does excellent analysis about what information NSA will be able to collect, analyze and disseminate under CISA.[1]

[1] https://www.emptywheel.net/2015/10/26/two-intended-consequen...

This is a blog post that makes two very broad claims:

1. That Chrysler can exploit CISA to avoid liability for vulnerabilities in their cars simply by sharing the flaws with the USG as an "indicator".

2. That the USG can use CISA to collude with private companies to avoid warrant requirements and spy on their customers.

Both of these points are, I think, false. I've linked upthread to the text of the bill and provided a summary. In particular, I don't think the "Chrysler reading" of the bill finds any support at all in the text; Chrysler is immunized from suits stemming from their own sharing, and even in the sharing, they are explicitly on the hook for negligence and misconduct.

If it's helpful, here's the entire limitation of liability in CISA. Notice: companies are exempt from liability for monitoring, sharing, and receipt of indicators. They aren't exempt from liability for having vulnerabilities in the first place!

    6.Protection from liability
     
    (a) Monitoring of information systems 
     
    No cause of action shall lie or be maintained in any court against
    any private entity, and such action shall be promptly dismissed,
    for the monitoring of information systems and information under
    section 4(a) that is conducted in accordance with this Act.
     
    (b) Sharing or receipt of cyber threat
    indicators 
     
    No cause of action shall lie or be maintained in any court against
    any entity, and such action shall be promptly dismissed, for the
    sharing or receipt of cyber threat indicators or defensive
    measures under section 4(c) if—
     
    (1) such sharing or receipt is conducted in accordance with this
    Act; and
     
    (2) in a case in which a cyber threat indicator or defensive
    measure is shared with the Federal Government, the cyber threat
    indicator or defensive measure is shared in a manner that is
    consistent with section 5(c)(1)(B) and the sharing or receipt, as
    the case may be, occurs after the earlier of—
     
    (A) the date on which the interim policies and procedures are
    submitted to Congress under section 5(a)(1); or
     
    (B) the date that is 60 days after the date of the enactment of
    this Act.
     
    (c) Construction
     
    Nothing in this section shall be
    construed—
     
    (1) to require dismissal of a cause of action against an entity
    that has engaged in gross negligence or willful misconduct in the
    course of conducting activities authorized by this Act; or
     
    (2) to undermine or limit the availability of otherwise applicable
    common law or statutory defenses.
I'm not sure why you were downvoted for a reasonable post citing original sources (I upvoted you to try to correct that).

I expect I will disagree with you about the desirability of CISA, just as we disagreed years ago about CISPA, but enjoy your posts on the topic nevertheless. They make thoughtful and reasonable points. Even if you end up on the wrong side. :)

Just to be clear: CISA is bad. I oppose it.
How many comments have you made expressing your opposition, versus painting groups fighting CISA in a negative light?
I could bug Marcy for an answer. I will do a totally inadequate job of defending her analysis compared to her.

It seems relatively simple to read this passage in the following way:

Let's say a major car company decided to leave open a port with a remote code execution vulnerability on their cars.

Let's say this car company discovered this port was being exploited and informs the NSA of the affected vehicles' IMEI numbers, IP addresses, etc.

Now let's say FTC/NTSB wanted to put together a case for punishing the car manufacturer for their poor security operations.

It seems perfectly reasonable for a lawyer to read the passage from CISA and claim the court couldn't use any disclosure to the government, like the number of affected vehicles (easily calculated from the threat information previously shared), in any determination of liability.

Again: they can't be prosecuted for sharing, for monitoring, or for receipt of information. This is statutory language and the words matter.

If there's an authority under which Chrysler can be prosecuted for having vulnerabilities (spoiler: I don't believe there is), CISA doesn't change any of that. Certainly, there's no clear linkage between CISA sharing and a private actor's ability to sue Chrysler for torts emerging from vulnerabilities.

I don't even think there's a stretch reading of the statute that gets you where this blog post lands.

Because the government has NEVER demonstrated any behavior in deliberate (expanded) interpretation of the law to further their interests.

The lengths taken to interpret "torture", for instance. It used to be that we had a fairly logical, common-sense interpretation of things, but I think those days are gone. I mean, unlimited data should really mean unlimited data not subject to some arbitrary cap or throttling.

It is probably impossible for a lay person to understand how a court is likely to interpret statutory language. I prefer my analysis from folks who devote a substantial amount of time to it.

Marcy compares the CISA liability protections to the very similar Section 314(b) of the Patriot Act financial information sharing liability safe harbor.

It seems at least plausible that they will operate in a similar fashion if CISA becomes law.

https://www.emptywheel.net/2015/10/14/time-to-get-very-conce...

> Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true. The purpose of calling out Facebook is an attempt force them to align their public and private positions if they differ.

So in other words, as long as they are "advocacy organizations" and say that they believe in some view, they get a free pass to lie, spread bullshit and FUD? I thought we should have a higher standard.

Personally, I am for severely punishing liars as a top priority, no matter what side they're on. Then we may get a constructive discussion.

> Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true.

Tell me where you find these journalists today.

You can find some on The Intercept (https://theintercept.com/).
If you think they do important work why do you consider it your duty to go on every advocacy thread and say how you disagree with their tactics? How does your tactic of constantly discouraging people from advocating for these issues serve your stated shared goals better than EFF's?
Probably for the same reason that you clearly feel it's your duty to repeat this same comment on all those threads. I'm guessing it's a shared feeling of someone being wrong on the Internet.

I'm really not sure what's so complicated about this.

I have a hard time thinking of legal support EFF has provided that I don't support. If EFF was just legal support, I'd be a donor.

I think their technical work is mostly good; it would be entirely good but for the egregiously terrible Secure Messaging Scorecard --- but hey, that scorecard won me a $1000 bet against Matt Green, so some good came out of it.

Virtually all of EFF's policy advocacy, I find untrustworthy. I don't even believe they take it seriously. I think they play to the crowds, in the hope that the retweets and upvotes will generate more donations.

Is it really that hard for you to see that as a plausible narrative? I'm not asking you to agree with it.

You're conducting this conversation in a manner I find to be vocalizing the precise feelings I've had about CISA and CISPA, and especially, EFF.
> Virtually all of EFF's policy advocacy, I find untrustworthy. I don't even believe they take it seriously.

This is an interesting conspiracy theory.

> Is it really that hard for you to see that as a plausible narrative?

My theory is that they really believe in what they're doing. They are based in SF, so they are surrounded by well-funded startups offering high salaries. Employees of EFF could be making small fortunes, and instead they choose to fight to secure civil rights. Why? Because some people value freedom over currency. This narrative seems more plausible.

The people doing advocacy work at EFF are generally not technologists, from what I can tell.
I'm not sure what your point is, regarding technologists.
> Example from today's AMA is FFTF's claim that CISA "exempts itself from FOIA", making it impossible to challenge in court: they're referring to Sec 4 (d) (4) (b), which exempts from FOIA individual shared indicators, which of course must be the case, because indicators are things like compromised account names and passwords. That's all the law exempts from disclosure.

Nope. The bill clearly defines "cyber threat indicators" to include the entire content of whatever these companies disclose to the government. The things that make up "cyber threat indicators" go on for an entire page, and it's an "or" list rather than an "and" list. For Facebook, it would probably be something like a particular Facebook post that tripped their "threat" trigger, plus all the info that Facebook has about that user account (maybe every post that account ever made), including IP addresses that posted to that account and everything else.

And yes, every single thing "shared" with the government (I'm reminded of "the sharing economy" with this usage) is entirely exempt from FOIA disclosure, as the CISA bill clearly says. And of course no cause of action shall lie in any court, so there's no help there either. So no, there will never be any way to review the scope or magnitude of this "sharing", apart from whatever information (truthful or not) the government deigns to share.

Your description of CISA is the one that is straight up dishonest.

I'm not sure who you're arguing with. Are there people advocating for CISA by saying it's only about metadata? I'm not one of those people.
I'm arguing with your lies that the only thing CISA exempts from disclosure are "compromised account names and passwords".
You write that as if my comment isn't right there for everyone to read. That's obviously not what I said.

I even took the time, elsewhere on the thread, to summarize all the different classes of data that CISA deems "indicators":

https://news.ycombinator.com/item?id=10454172

> they're referring to Sec 4 (d) (4) (b)

Also 5 (d) (3) (a) and (b) which exempts "Cyber threat indicators and defensive measures provided to the Federal Government under this Act".

Right. Same deal, right? They're simply saying that raw indicators are exempt from FOIA, and, of course, they'd have to be.
So I guess the serious (and it is serious) question is this. If I can't FOIA for security indicators, or defensive measures, then how could I ever know that they included illegal or illegitimate information about me?
You can FOIA for records the government keeps in the management of indicators from different companies; the only thing excluded is the indicators themselves. Again: how could it be otherwise?
So, in reality, if I suspected that there was some privacy breach with regards to the transfer of information, I could not prove it. This means that I would have no standing in court (no proof of injury means no standing). This seems problematic, and worthy of examining the privacy implications (or at least discussing them)

> how could it be otherwise?

Allow FOIA, and use the existing exemptions for classified material if the information is actually classified. This would mean that breaches of privacy could be found when non-classified information is present.

There seems to be concentration on "indicators" being username/passwords, etc. However, Sec 2 (6) (G) is "any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law;". That's basically anything since cybersecurity threat is defined as "means _an action_ ... on or through an information system that _may_ result in an unauthorized effort ...". That seems to be a rather large hole.

I think a U.S. citizen can file a request for records about themselves via the Privacy Act. As I understand it, FOIA allows anyone to ask for anything; the Privacy Act allows one person to ask for information about themselves.

I don't know if CISA also prevents Privacy Act requests, or if it only applies to FOIA.

Theoretically, companies using CISA would anonymize personally identifiable information before sharing to the government. An IP address, for example, is probably not PII (as millions of people have pointed out in the context of digital piracy lawsuits). I doubt one could file a Privacy Act request just based on an IP address.

It specifically mentions "552(b)(3)(B) of title 5" which is the FOIA statute. No mention of the privacy act.
It will be pointless because it is going to happen.

American: Home of the safe and the surveilled.