One of the biggest (and most frustrating) problems with the legislative process is that the people who really want this to go through KNOW that we - "the masses" - eventually start to suffer from "protest exhaustion". They can propose a bill - we can rally our troops and get on TV and black out Wikipedia and do 100 interviews and maybe - just maybe - we can kill it.
The first time. And maybe the second time. And maybe even the third time. But after a while we're going to start to get numb to the calls-to-arms. And eventually our sometimes-well-intentioned-but-pulled-in-30-directions representatives are going to stop getting those concerned phone calls and emails from constituents, and they're going to fall prey to the typical "think of the children" argument that often gets put forward on any security bill, and something ugly is going to get passed.
I hate resigning myself to this, but it's the disappointing reality.
I worry that most of the opposition to this bill is based on FUD that EFF is spreading. Having experience actually working in the security industry and knowing the limitations that this bill is trying to address, the ability of the government and private sector to work together to keep malicious groups out of their networks, I recognize the necessity and intentions of this bill.
This isn't about spying on Americans. This isn't SOPA with a new name. This isn't about stopping piracy or spying on your Facebook profile. This bill is about letting government agencies share intelligence on network threats with private companies so those companies can protect their customers' information. None of the agencies or companies involved want to share any private information about their citizens or customers. There are lots of lawyers involved in the process to ensure that doesn't happen.
I wonder if some of that exhaustion is also what leads people to not read the bill or understand the context and just assume it's another anti-piracy bill.
I understand what you're saying, but when legislation is proposed I look at what it very easily could enable, not just what it's written to be for. When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have.
"None of the agencies or companies involved want to share any private information about their citizens or customers." The telcos have monetized their lawful intercept programs and receive bad publicity protection from the government by being legally entitled to keep it a secret. They now have a profit motive and the risk of bad publicity is low. And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.
If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath. So if you want to blame somebody for the confusion start with the people proposing this legislation.
You are not allowed to make arguments that are directly rebutted by the facts. There were drafts of CISPA that were published in which the assets protected by the bill (which defines attacks in terms of the familiar C.I.A. triad) included "IP", which would have included things like the source code to operating system drivers. But the bill that got voted on included a series of amendments, all published, that neutered that language because of exactly that concern.
CISPA is simply not about the interests of rightsholders.
> CISPA is simply not about the interests of rightsholders.
The commenter to which you are replying did not make that assertion. The mention of IP was an attempt to identify the source of the confusion between cybersecurity and IP rights, not about CISPA specifically. Here's what the parent comment actually claimed:
> When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have....
> And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.
The bill is clearly not about rightsholders, so it is intellectually dishonest to suggest that there is a legitimate concern about power grabs by rightsholders in it. "I watch C-SPAN religiously and they're always talking about IP rights" is not a substitute for reading the bill.
> If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath.
The trouble is that the effective, worthwhile and highly damaging cyberattacks all involve IP, in some way or another. There's not much value in taking down Coca-Cola's internal network. Stealing their M&A strategies or product roadmaps can be extremely lucrative/damaging (I recall seeing estimates that billions have been lost as a result).
No they don't. I think it is extremely confusing to talk about theft of data at the same time as talking about someone hacking a nuclear power plant to go into meltdown or something. When people say things like "cyber pearl harbor" at that time they could be talking about a DDOS that makes it impossible to do online banking or they could be talking about an attack on SCADA systems at a power plant that takes out power for a city. It really drives me nuts because either everybody in government talking about it is a poor thinker or they are intentionally being vague.
I have no idea what this comment is even trying to articulate. You suggest two kinds of "cyber attacks", one which cause power plants to malfunction and the other that attacks online banking. I am not sure what you think this distinction demonstrates about online security.
On the one hand, the attacks on power plants that you allude to are possible. Utilities have been networked and electronically controlled since the 1970s. Nobody builds networks on telephony or X.25 anymore; it's all IP. IP connectivity to insanely sensitive systems leaks routinely; moreover, application-level data sharing between Internet-connected systems and supposedly air-gapped backend systems is extremely common.
On the other hand, the "less serious" attacks you allude to are very very bad. Google and Hotmail aren't national utilities. But they are attacked by state actors because dissident organizations use them to communicate. For that matter, the Internet backbone is a collection of computers sharing information using a decades-old routing protocol for which policy is controlled by regular expressions.
Finally, if you run a startup and happen to say something I disagree with, such as "I think CISPA is a power grab by the content industry", I could today very easily push you off the Internet with a trivial DDoS attack. The people who extorted online casinos with DDoS botnets were not rocket surgeons. When I attack you for disagreeing with me online, and you call your ISP, guess what you're going to hear? "You're on your own". It is always very weird for me to see people on Hacker News, a hub for online startup news, downplaying the severity of DOS attacks. I've spent a decent chunk of my career in DOS mitigation and it is not remotely a solved problem.
You give EFF too much credit. The ACLU, the American Library Association, the Center for Democracy and Technology, the Competitive Enterprise Institute and the Liberty Coalition (both libertarian/conservative groups -- the latter includes Bob Barr and Grover Norquist's Americans for Tax Reform), Reporters Without Borders, etc. sent a letter yesterday to Congress opposing CISPA.
I'm not sure why you think the very smart lawyers and legislative counsel at the ACLU, the ALA, etc. are incapable of reaching their own conclusions about the relative merits of legislation.
I hope you're right that CISPA isn't about spying on Americans. The problem is that, as written, it allows precisely that, with the cooperation of the same companies that have opened their networks to the FedGov in the past. If the wildcard language trumping all state and federal privacy laws were deleted, I think a lot of the (informed) opposition would vanish.
BTW, there were "lots of lawyers involved in the process" of creating SOPA. Look how that turned out. I'd be far more comforted if we had fewer lawyers and more technologists involved. :)
What are the current barriers to agencies sharing intelligence with private companies? Can you give an anonymized/abstract example, where the FBI/etc might have actionable info about a 'cyber threat', and under current law can't pick up the phone or send an email warning private companies?
Primarily the barrier from government to company was that much of the valuable info was classified. The Obama executive order on cybersecurity created a mechanism to bypass this barrier that is similar to what was in CISPA.
So why pass CISPA now? To remove the barrier in the other direction, from company to government. Right now there are interpretations of certain federal laws that say that companies cannot share threat data with the government. In addition, public companies fear shareholder lawsuits if they were to disclose publicly that they have been hacked.
In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info to the government, which shares it with every other company--all basically in real time. That would prevent, or at least reduce, the issue now where one exploit works again and again and again at different companies.
Whether it is possible to do this while adequately protecting privacy is the issue. I'm not a lawyer but it seems to me like it should be doable if the language in the bill is done right.
> In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info to the government, which shares it with every other company--all basically in real time.
But why does the government need the information at all? Why not have a private consortium of companies who share threat information under NDA (or, for that matter, just allow it to be published), and craft appropriate legislation to allow that?
CISPA allows exactly that to happen! Any "Cyber security provider" can collect and share information (on a voluntary, opt-in basis) under the act. Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves.
Did you read the bill? I'm not asking in an accusatory way; I'm wondering where you got your information from, so I can read it too.
Go on the offensive. Instead of just fighting to kill legislation like CISPA, lobby for legislation that will guarantee the freedom of the internet. That will unequivocally protect people's liberties on (and off) the internet.
The special interests behind legislation like CISPA have professional lobbyists and millions of dollars to pay them. If you're a private citizen and want a law passed at the federal level, you need to have a cute and young white child who died due to something your law legislates against. Otherwise you don't stand a chance of being heard.
That's a bullshit excuse. If you can't raise a few million dollars for your cause, it's probably because nobody gives a shit about your cause.
You think we got clean air, clean water, etc, legislation passed because Sierra Club and Earth Justice are rolling in money? No, it's because they have a cause that people care about and passionate volunteers that dedicate their lives to fighting for it. It's not the system's fault that people don't understand nor care about stuff like CISPA.
They've also got politicians who would love to go to their constituents during campaign season and tell them "Look, I supported clean air!" Contrast this to opposing civil liberties restrictions, which can very easily and effectively be spun by political opponents as leaving America open to terror attacks. Even with the PATRIOT Act, something much more substantial than CISPA, political opposition has been limited to some relatively marginal politicians who are extremely popular in their jurisdictions and not likely to be ousted.
> They've also got politicians who would love to go to their constituents during campaign season and tell them "Look, I supported clean air!"
Because there are people who actually care about clean air.
> Contrast this to opposing civil liberties restrictions, which can very easily and effectively be spun by political opponents as leaving America open to terror attacks.
Supporting environmental legislation is very easily spun by political opponents as costing America jobs.
The amount of political opposition to environmental laws is otherworldly. There are a few companies here and there making money off things like Rapiscanners, but the companies whose profits are hurt by environmental regulations account for trillions in US revenue each year. Everything from Exxon Mobil to small chemical plants with $10 million in revenues. And while "think of 9/11" has a certain impact, it's not only fading but even at its peak never compared to the visceral cultural opposition towards environmental laws. Industries impacted by environmental laws are literally ways of life in many parts of the country. People in Pennsylvania, West Virginia, etc, fight to allow coal companies to keep poisoning them as part of their cultural heritage.
To put things into context: adding up U.S. box-office, DVD/Blu-Ray/etc, and music (digital and CD) revenues doesn't break $40 billion a year. Apple by itself made more than that last quarter. Exxon by itself makes 10x as much in a year, and there are 8 other petroleum companies in the Fortune 100. But environmentalists somehow manage to get some wins. While tech people whine incessantly about how "the system" is why they can't make any headway against the RIAA/MPAA.
>Contrast this to opposing civil liberties restrictions, which can very easily and effectively be spun by political opponents as leaving America open to terror attacks.
How is that different from anything else? Pollution controls are painted as "job killing regulation" or "will raise the price of energy" or whatever this year's talking points are.
I kind of get the feeling that the reason things don't get done is only that people think they can't do anything. So they don't write to Congress or protest or donate money to EFF, and then their pessimism becomes self-fulfilling and self-reinforcing.
If you want change then you have to make it happen.
> It's not the system's fault that people don't understand nor care about stuff like CISPA.
Actually, it is. The "system" (or, more accurately, the emergent collective behaviors of well-moneyed groups acting in their self interest) tells the masses what to care about, and thanks to being brought up by the "system", they eat it up. Thanks to the direction of the "system", we still have political debates about the age of the Earth, evolution, and other emotionally loaded issues that have no actual bearing on matters that have a substantial impact on the future of the planet.
So start soliciting donations and hire your own professional lobbyist. The amount of whining about how the political process is broken because it actually takes work to influence legislation is a little ridiculous.
Better: Start forming a coalition of private individuals and companies, and use that group to hire lobbyists. The game is broken, but you can't win if you refuse to play.
You can certainly enjoy your life a lot more if you take your ball, go home, and play with your computer. Who knows, computers may even turn out to be popular in a decade's time.
>Getting such a law passed does nothing to prevent a future law from saying the opposite.
What it does is make the proposal for the future law look like a much larger departure from the status quo, which makes it a harder sell. Furthermore, members of Congress don't like to change their positions for a number of reasons relating to both ego and what it allows election opponents to put in political advertisements, so if you can get them on record supporting your cause then you make them less likely to go against you in the future.
EDIT: Another option is for the courts to decide that freedom was guaranteed in the Constitution all along. But courts are unpredictable so again, good luck!
It's not the reality; lines can and are held. For example, drilling in ANWR has been proposed for decades and it still isn't happening, because the organizations who fight are smart about when they fire up their troops.
In addition, environmental type people are not reflexively opposed to/afraid of the federal government, so they are willing to educate themselves about the process and the issue. They learn to distinguish between issues, and when a threat is real vs. perceived.
In comparison the Internet enthusiast community seems to largely persist in the fantasy that the government should not (or cannot) have a role in the regulation of the Internet. Thus when issues do come up, they are ignorant and reactive. And they are eager for issues to go away so that they can go back to "normal" i.e. ignoring the government.
I really don't think these kinds of bills will end until there is an amendment passed expressly guaranteeing rights relating to internet (or, perhaps more broadly, network) freedom.
In fact, I doubt even that will stop these kinds of laws from being introduced. However, it will give a firm and easy foothold to dismissing them. Similarly, it will become that much easier to retroactively have them removed if they violate an amendment.
The exact text of this kind of amendment would be difficult to craft, frankly, I'm not a lawyer, I have no idea where or how to start crafting this. However, I do fully believe this is the ultimate winning endgame for this kind of legislation.
We need a "legal hacker" a la Richard Stallman to craft something like this.
Step one is to get a good, versatile amendment written. For that, you need a "legal hacker". Step 2 is getting support, which probably would not be particularly difficult. Step 3 is actually going through process, and is probably the most difficult step.
You are especially likely to become numb to calls to arms when they are in fact cries of "wolf".
SOPA was a genuinely invasive bill and a clear power grab by the content industry. It created a new special second-class "tainted" designation for content sites that refused to play ball with rightsholders and gave rightsholders new means to prosecute their rights outside of civil courts. It was understandable and --- even though I'm a supporter of copyright in general --- commendable that organized opposition to SOPA killed that bill outright.
CISPA is nothing like SOPA.
To begin with, CISPA has none of the same objectives of SOPA. It isn't about the content industry at all. In fact, when early opposition to CISPA by organizations like EFF started catching on, its sponsors scrubbed the bill of language that could have been read (in a stretch) as protecting rightsholders. CISPA is about online security attacks, not about piracy.
Next, CISPA isn't invasive. SOPA threatened to create a kangaroo court system of copyright-noncompliant sites that the content industry could starve by banning commercial transactions with them. CISPA is an opt-in bill; the USG cannot compel any organization to cooperate with any USG agency, but instead creates a facility that companies can use if they need to share attack information but don't want to spend $100,000 in ECPA-interpreting legal review each time they do it.
In fact, CISPA in practice probably has more to do with information moving FROM the USG TO private companies. The USG spends hundreds of millions of dollars a year monitoring its networks (which together constitute the largest IT organization in the world). It is true that the largest IT org in the world happens to be a shitty IT shop, but it has nevertheless built up about a decade of experience tracking malware and botnets and DOS attack information; when Blaster broke out, the experience of the Naval Marine Corp Intranet getting overrun by it was some of the first shared among ISPs. All sorts of random rules prevent USG IT shops from running any kind of central clearinghouse of attack information, and still more rules prevent any of that information from being published.
I don't particularly like CISPA. It obviously sounds like I do, but that's because the uninformed paranoia about CISPA is so virulent that any measured take on the bill sounds like cheerleading. I don't care whether CISPA passes or doesn't pass. But it drives me a little bananas to see how easily the ostensibly curious and well-informed people on HN are bamboozled by identity politics on issues like this.
It is true that some of the criticism of CISPA is off the mark. So was some of the criticism of SOPA. It does not necessarily follow that _all_ of the criticism of CISPA is uninformed, and in fact much of it is perfectly accurate. Rebutting uninformed criticism may be an entertaining hobby, but it leaves the informed criticism unrebutted.
I have yet to hear a good argument for why we need CISPA to override all federal and state privacy laws, including laws restricting what companies can turn over to the government in the absence of legal process. In programmerese, CISPA is a wildcard approach -- an "rm -rf *" -- when you haven't done an "ls" to see what's in the directory first. Perhaps one or two need to be overridden for good reason, but why not specify them instead of using a wildcard?
Here are some details:
http://news.cnet.com/8301-31921_3-57422693-281/
What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so.
By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.")
"Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."
Since otherwise reputable sources are running articles suggesting that CISPA is "the worst bill since SOPA" and "a power grab by the content industry" and "a backdoor warrantless wiretap" and "a mechanism by which the feds will read our email", I respectfully disagree with you about the utility of refuting uninformed criticism of the bill. Most of the criticism of the bill is uninformed.
I've already stipulated that some articles are ill-informed or even wrong. Sadly not everyone who writes about legislation reads it first. But some of us do. :)
If you truly don't understand why many are opposed to it, you should read the EFF FAQ page.
It doesn't matter what the objectives are, or whether or not the intention is to protect rights holders. It matters what the law actually allows as written. That's what we take issue with.
The bill supersedes privacy and communication laws, but is (a) opt-in and (b) severely limited in scope.
Specifically: CISPA provides a positive authority for sharing only "cyber threat information", which is defined in the bill: (i) information about a vulnerability, (ii) information about a confidentiality/integrity/availability threat, (iii) information about denial of service or destructive attacks, and (iv) efforts to hack into systems and exfiltrate data.
The bill includes language that explicitly exempts the kind of stuff Aaron Swartz got caught up into: it exempts attacks that "solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access." That exclusion is repeated multiple times in the definitions section of the bill.
The bill explicitly does not cover individuals, in a fashion that the bill's authors say affirmatively prevents it from being used to allow ISPs to share individual customer records.
So: back to you. What specific state or Federal privacy measure is compromised by CISPA, and how?
I keep telling people this, because it can't be emphasized enough: The reason your choice in the general election is between a giant douche and a turd sandwich is that those are the people who win the primaries. If you want to change that, vote in the primaries.
I'm envisioning a web dashboard that lets federal agents do fuzzy queries on individuals, to see all the sites visited, emails sent, web searches, browsing habits, etc, from all the IP addresses used by the given individual in the past several years. The system would aggregate information gathered from ISPs and web companies. The government can already get anything they want from an ISP or web company, but they have to do it on a case by case basis and it is probably annoying to correlate information across sources. In the future, I imagine that a federal agent can go to his big brother dashboard, type in a name, and have immediate access to all sorts of information gathered from credit card companies, search providers, ISPs, telecoms.
I find it a great way to tell if a person is worth engaging on this issue based on whether or not they think CISPA involves the government proactively asking for information.
I would bet, at least for the NSA and probably the FBI, this already exists. It just isn't quite as real-time as they would like it to be. Instead of the instant fuzzy-search, it's a couple of quick letters, but the oversight seems to be about the same.
Don't forget an "add person to cyber threat watchlist" button!
It should automatically advise internet services that a person/account may be trouble, thus granting those private companies the blanket "exemption from liability... for decisions made based on cyber threat information identified, obtained, or shared under this [law]." (That's one of the most concerning vague and elastic provisions in the current proposed bill text.)
There should also be a 'redress number' subsystem, for when people on the watchlist start noticing their accounts being restricted or disabled, and want to make the case they're not the bad guy the agent who pressed the button thought they were.
Just tell the gun lobby that if any of the Gun Shops keep an online database of their customers that's subject to the law. No need to worry about a national gun registry, the GOV gets it for free. Get the NRA involved and ALL OF CONGRESS will run screaming about how this goes against the 2nd Amendment.
This actually would work. I think the general public either (a) doesn't know about this law at all or (b) doesn't think it will interfere with their daily activities. Getting other big organizations who value privacy would help solve both problems. I think that anyone who begins to understand the law will be opposed to it.
As a wise man pointed out on HN the last time around, we haven't won when this law fails to pass. We've only won when a law explicitly stating the opposite passes.
So what you're saying is, the best possible thing to happen would be a law specifically preventing any American company from relaying threat information --- packet captures of exploits, netflow traffic profiles of botnets, &c --- to the US government, and, further, preventing any agency in the USG from providing traffic capture information, packet filter information, or botnet identification information to private companies.
No. In my mind, the best possible thing to happen would be a law specifically preventing any American government agency from requiring any company to hand over such information without due process. Sadly, you would think this was already clear enough from the constitution, but there are already enough loopholes that it happens anyway. Another good thing would be for American internet companies to voluntarily adopt and adhere to privacy policies along the same lines.
I think you're taking the "opposite" in my initial post more literally than I intended. My point was that if the law seeks to violate certain rights to privacy we believe we have, the law being struck down is not the final solution. The final solution is the rights to privacy we believe we have successfully being codified into law to prevent the bad parts from being practical options in the future. I did not mean to imply that each term in CISPA be logically negated and passed into law.
He isn't saying CISPA should be opposed, but rather, additional specific legislation to protect individuals' data from being retrieved by the government without due process.
I am never more reminded of how smart people can succumb to groupthink than I am when I read HN posts about CISPA. There are a lot of misconceptions about the law, including what kind of data gets shared (only relevant threat data, this isn't your bank account info, and the RIAA can't sue you if shared data reveals you to be torrenting movies - can elaborate more on this if there's interest), who does the sharing (orgs share to the government voluntarily), who has access to the sharing (government and people the government decide to share the data with), etc.
I saw an infographic a little while back that I thought made a pretty good representation of what the bill actually proposes, I wonder if anyone has a link available to it.
The USG is actively prevented by current regulations from setting up a clearinghouse that would collect netflow signatures, botnet identification, and traffic captures of exploit code and then sharing that information with companies like Google and Facebook.
Private companies can and do share (heavily scrubbed) electronic signature information, but must go through contortions to do so, and incur huge legal costs to do it. As a result, only the largest companies participate in these efforts.
Because the USG is more or less enjoined from participating in clearinghouses with private companies, information sharing networks are handshake affairs that are often unknown to anyone outside tier-3 network engineering. Other private IT security product companies run de facto clearinghouses, but only for their customers.
As a result, when your startup gets DDoS'd and you call your ISP for help, they generally can't do shit to help you. It may annoy you to know that if your connectivity provider is large, there is a group in there that could offramp your traffic to internal "scrubbing centers" to peel off DDOS traffic. But because high-end DDoS protection at ISPs is done sub rosa, startups have a very hard time finding these people.
There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it. And all it appears to take to fuel that hysteria is statements like "think of the overreach that will happen once a law hits the books".
How do your last two paragraphs follow from the first three? How does having large companies share threat data help your small startup mitigate a DDoS?
> There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it.
This sounds an awful lot like, "We must do something. This is something, therefore we must do this."
ISPs propagate flow-based snapshots of attacks to populate filters and redirect traffic to scrubbing centers, but they do so discreetly in part because of concerns about how well their data --- which is used exclusively to generate filters --- has been anonymized.
What "regulations" are those that weren't addressed by the president's executive order last month? Can you provide a cite to an actual federal law that says this?
No, what I'm asking you for is an actual citation to federal law or the U.S. Code of Federal Regulations that backs up your claim ("USG is actively prevented by current regulations from setting up...")
That you failed to provide any, even though I think my request was fairly clear, provides strong evidence that you're unable to do so and your pro-CISPA argument was hand-waving, not based on facts or the law.
Having read the criticism the EFF's been pointing at CISPA, I fail to see how they're interpreting the bill to mean that such overreaching is even possible. I want to see what sort of changes the EFF would make to the current bill which would satisfy the privacy concerns they're claiming exist.
I think everyone agrees that companies should be able to describe to the cops what the guy who robbed them looked like, and those companies should be able to tell their customers they've been robbed without getting sued by their shareholders because the ensuing PR fallout tanks the stocks.
I suppose I would ask what privacy-protecting language would make the approach envisioned in CISPA (cyber threat data sharing) acceptable to privacy-oriented organizations like the ones listed. If the answer is "none," I would question their good faith in the process--or at least the public face they put on it.
This "CISPA is the next SOPA" meme is about as fact-based as "Electronic Arts is literally Hitler." I'm not telling you it's good or bad, but it's not remotely SOPA. It isn't even addressing the same general topic as SOPA.
> The first time. And maybe the second time. And maybe even the third time. But after a while we're going to start to get numb to the calls-to-arms. And eventually our sometimes-well-intentioned-but-pulled-in-30-directions representatives are going to stop getting those concerned phone calls and emails from constituents, and they're going to fall prey to the typical "think of the children" argument that often gets put forward on any security bill, and something ugly is going to get passed.
> I hate resigning myself to this, but it's the disappointing reality.
What to do?