Hacker News new | ask | show | jobs
by zmanian 3895 days ago
It is uncontroversial to state that corporations and special interest groups frequently lobby in public for a position and in private against a position. Frequently you know this only through un-attributable information passed to you.

Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true. The purpose of calling out Facebook is an attempt force them to align their public and private positions if they differ.

As usual, Marcy does excellent analysis about what information NSA will be able to collect, analyze and disseminate under CISA.[1]

[1] https://www.emptywheel.net/2015/10/26/two-intended-consequen...
3 comments
tptacek 3895 days ago
This is a blog post that makes two very broad claims:

1. That Chrysler can exploit CISA to avoid liability for vulnerabilities in their cars simply by sharing the flaws with the USG as an "indicator".

2. That the USG can use CISA to collude with private companies to avoid warrant requirements and spy on their customers.

Both of these points are, I think, false. I've linked upthread to the text of the bill and provided a summary. In particular, I don't think the "Chrysler reading" of the bill finds any support at all in the text; Chrysler is immunized from suits stemming from their own sharing, and even in the sharing, they are explicitly on the hook for negligence and misconduct.

If it's helpful, here's the entire limitation of liability in CISA. Notice: companies are exempt from liability for monitoring, sharing, and receipt of indicators. They aren't exempt from liability for having vulnerabilities in the first place!

    6.Protection from liability
     
    (a) Monitoring of information systems 
     
    No cause of action shall lie or be maintained in any court against
    any private entity, and such action shall be promptly dismissed,
    for the monitoring of information systems and information under
    section 4(a) that is conducted in accordance with this Act.
     
    (b) Sharing or receipt of cyber threat
    indicators 
     
    No cause of action shall lie or be maintained in any court against
    any entity, and such action shall be promptly dismissed, for the
    sharing or receipt of cyber threat indicators or defensive
    measures under section 4(c) if—
     
    (1) such sharing or receipt is conducted in accordance with this
    Act; and
     
    (2) in a case in which a cyber threat indicator or defensive
    measure is shared with the Federal Government, the cyber threat
    indicator or defensive measure is shared in a manner that is
    consistent with section 5(c)(1)(B) and the sharing or receipt, as
    the case may be, occurs after the earlier of—
     
    (A) the date on which the interim policies and procedures are
    submitted to Congress under section 5(a)(1); or
     
    (B) the date that is 60 days after the date of the enactment of
    this Act.
     
    (c) Construction
     
    Nothing in this section shall be
    construed—
     
    (1)to require dismissal of a cause of action against an entity
    that has engaged in gross negligence or willful misconduct in the
    course of conducting activities authorized by this Act; or
     
    (2)to undermine or limit the availability of otherwise applicable
    common law or statutory defenses.
link
declan 3895 days ago
I'm not sure why you were downvoted for a reasonable post citing original sources (I upvoted you to try to correct that).

I expect I will disagree with you about the desirability of CISA, just as we disagreed years ago about CISPA, but enjoy your posts on the topic nevertheless. They make thoughtful and reasonable points. Even if you end up on the wrong side. :)

link
tptacek 3895 days ago
Just to be clear: CISA is bad. I oppose it.
link
oceanstone 3894 days ago
How many comments have you made expressing your opposition, versus painting groups fighting CISA in a negative light?
link
tptacek 3894 days ago
I'm not "painting" anyone. People say things that are misleading, wrong, or outright dishonest. I point them out. I don't feel any need to justify that to you.
link
oceanstone 3894 days ago
Well, wouldn't it be more productive to write your own blog post(s) on why CISA should be opposed?
link
zmanian 3895 days ago
I could bug Marcy for an answer. I will do totally inadequate job of defending her analysis compared to her.

It seems relatively simple to read this passage in the following way:

Let's say a major car company decided to leave open a port with a remote code execution vulnerability on their cars.

Let's say this car company discovered this port was being exploited and informs the NSA of affected vehicles IMEI numbers, IP addresses etc.

Now let's say FTC/NTSB wanted to put together a case for punishing the car manufacturer for their poor security operations.

It seems perfectly reasonable for a lawyer to read the passage from CISA and claim the court couldn't use any disclosure to the government under like the number of affected vehicles(easily calculated from the threat information previously shared) in any determination of liability.

link
tptacek 3895 days ago
Again: they can't be prosecuted for sharing, for monitoring, or for receipt of information. This is statutory language and the words matter.

If there's an authority under which Chrysler can be prosecuted for having vulnerabilities (spoiler: I don't believe there is), CISA doesn't change any of that. Certainly, there's no clear linkage between CISA sharing and a private actor's ability to sue Chrysler for torts emerging from vulnerabilities.

I don't even think there's a stretch reading of the statute that gets you where this blog post lands.

link
newman314 3895 days ago
Because the government has NEVER demonstrated any behavior in deliberate (expanded) interpretation of the law to further their interests.

The lengths taken to interpret "torture" for instance. It used to be that we have a fairly logical, common sense interpretation of things but I think those days are gone. I mean, unlimited data should really mean unlimited data not subject to some arbritary cap or throttling .

link
tptacek 3895 days ago
Non-falsifiable argument is non-falsifiable.
link
newman314 3894 days ago
I wish your echo chamber of trust were true. Unfortunately, it's not.
link
zmanian 3895 days ago
It is probably impossible for a lay person to understand how a court is likely to interpret statutory language. I prefer my analysis from folks who devote a substantial amount of time to it.

Marcy compares the CISA liability protections to the very similar Section 314(b) of the Patriot Act financial information sharing liability safe harbor.

It seems at least plausible that they will operate in a similar fashion if CISA becomes law.

https://www.emptywheel.net/2015/10/14/time-to-get-very-conce...

link
tptacek 3895 days ago
But that statute has also never been used to shield vendors from lawsuit or prosecution for vulnerabilities!
link
TeMPOraL 3895 days ago
> Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true. The purpose of calling out Facebook is an attempt force them to align their public and private positions if they differ.

So in other words, as long as they are "advocacy organizations" and say that they believe in some view, they get a free pass to lie, spread bullshit and FUD? I thought we should have a higher standard.

Personally, I am for severely punishing liars as a top priority, no matter what side they're on. Then we may get a constructive discussion.

link
dpeck 3895 days ago
| Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true.

Tell me where you find these journalists today.

link
oceanstone 3895 days ago
You can find some on The Intercept (https://theintercept.com/).
link