by tptacek 4842 days ago
You are especially likely to become numb to calls to arms when they are in fact cries of "wolf".

SOPA was a genuinely invasive bill and a clear power grab by the content industry. It created a new special second-class "tainted" designation for content sites that refused to play ball with rightsholders and gave rightsholders new means to prosecute their rights outside of civil courts. It was understandable and --- even though I'm a supporter of copyright in general --- commendable that organized opposition to SOPA killed that bill outright.

CISPA is nothing like SOPA.

To begin with, CISPA has none of the same objectives of SOPA. It isn't about the content industry at all. In fact, when early opposition to CISPA by organizations like EFF started catching on, its sponsors scrubbed the bill of language that could have been read (in a stretch) as protecting rightsholders. CISPA is about online security attacks, not about piracy.

Next, CISPA isn't invasive. SOPA threatened to create a kangaroo court system of copyright-noncompliant sites that the content industry could starve by banning commercial transactions with them. CISPA is an opt-in bill; the USG cannot compel any organization to cooperate with any USG agency, but instead creates a facility that companies can use if they need to share attack information but don't want to spend $100,000 in ECPA-interpreting legal review each time they do it.

In fact, CISPA in practice probably has more to do with information moving FROM the USG TO private companies. The USG spends hundreds of millions of dollars a year monitoring its networks (which together constitute the largest IT organization in the world). It is true that the largest IT org in the world happens to be a shitty IT shop, but it has nevertheless built up about a decade of experience tracking malware and botnets and DOS attack information; when Blaster broke out, the experience of the Naval Marine Corp Intranet getting overrun by it was some of the first shared among ISPs. All sorts of random rules prevent USG IT shops from running any kind of central clearinghouse of attack information, and still more rules prevent any of that information from being published.

I don't particularly like CISPA. It obviously sounds like I do, but that's because the uninformed paranoia about CISPA is so virulent that any measured take on the bill sounds like cheerleading. I don't care whether CISPA passes or doesn't pass. But it drives me a little bananas to see how easily the ostensibly curious and well-informed people on HN are bamboozled by identity politics on issues like this.

It's a tiny bill, as bills go. Just go read it.


It is true that some of the criticism of CISPA is off the mark. So was some of the criticism of SOPA. It does not necessarily follow that _all_ of the criticism of CISPA is uninformed, and in fact much of it is perfectly accurate. Rebutting uninformed criticism may be an entertaining hobby, but it leaves the informed criticism unrebutted.

I have yet to hear a good argument for why we need CISPA to override all federal and state privacy laws, including laws restricting what companies can turn over to the government in the absence of legal process. In programmerese, CISPA is a wildcard approach -- an "rm -rf *" -- when you haven't done an "ls" to see what's in the directory first. Perhaps one or two need to be overridden for good reason, but why not specify them instead of using a wildcard?

Here are some details: http://news.cnet.com/8301-31921_3-57422693-281/

What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so. By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.") "Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."

I answered your last paragraph upthread.

Since otherwise reputable sources are running articles suggesting that CISPA is "the worst bill since SOPA" and "a power grab by the content industry" and "a backdoor warrantless wiretap" and "a mechanism by which the feds will read our email", I respectfully disagree with you about the utility of refuting uninformed criticism of the bill. Most of the criticism of the bill is uninformed.

I've already stipulated that some articles are ill-informed or even wrong. Sadly not everyone who writes about legislation reads it first. But some of us do. :)
If you truly don't understand why many are opposed to it, you should read the EFF FAQ page.

It doesn't matter what the objectives are, or whether or not the intention is to protect rights holders. It matters what the law actually allows as written. That's what we take issue with.

And yes, I have read the entire thing.

We've both read the law! We can actually have an interesting discussion! Even if we both know we're not going to convince each other.

What does the law as written allow to have happen that you object to?

Your comment wasn't directed at me, but see the fourth Q&A pair here, and my response above: http://news.cnet.com/8301-31921_3-57422693-281/

The bill supersedes privacy and communication laws, but is (a) opt-in and (b) severely limited in scope.

Specifically: CISPA provides a positive authority for sharing only "cyber threat information", which is defined in the bill: (i) information about a vulnerability, (ii) information about a confidentiality/integrity/availability threat, (iii) information about denial of service or destructive attacks, and (iv) efforts to hack into systems and exfiltrate data.

The bill includes language that explicitly exempts the kind of stuff Aaron Swartz got caught up into: it exempts attacks that "solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access." That exclusion is repeated multiple times in the definitions section of the bill.

The bill explicitly does not cover individuals, in a fashion that the bill's authors say affirmatively prevents it from being used to allow ISPs to share individual customer records.

So: back to you. What specific state or Federal privacy measure is compromised by CISPA, and how?

Thanks for your polite response. Two thoughts: First, I'm not interested in what politicians say in defense of their bill -- I'm interested in what the actual text of the bill says.

Second, asking what specific privacy law is overruled is a bit odd because -all- of them are. ECPA, SCA, Wiretap Act, FCRA, DPPA, FERPA, PPA, RFPA, TCPA, VPPA are among them, and that's not even counting state privacy laws. Remember, CISPA is a legal wildcard. Asking your question is like asking "what specific file does rm -rf * delete?"

I'm not interested in what politicians say either, except to the extent that in a court challenge, when judges look to interpret the intent behind the statute, they have a clear signal by the authors of the bill that the statute was designed to prevent the collection of personal information by ISPs. Which was why I brought that up.

Your second graf begs my question. Obviously we're both aware of the ECPA and SCA. My question was, in what way do the preemptions on those acts materially harm the public interest? Put it this way: if you think that CISPA is in direct conflict with SCA, then clearly you can imagine situations in which e.g. Facebook could collect Netflow data from a DDOS attack and then worry that they'd somehow contravene SCA by sharing the information. Doesn't that "conflict" explain the need for an act like CISPA?

I'd also note that the first three acts you cited --- obviously the three most important, because they cover the integrity of online communications in general and not with respect to any particular application domain --- already contain exemptions similar in spirit to the ones in CISPA:

* ECPA permits providers to collect and in some limited cases share information that is related to the maintenance of their own infrastructure

* SCA permits collection and monitoring of stored communication by the operators of stored communication services

* The Wiretap Act allows operators to intercept and monitor signals causing disruption to networks

CISPA harmonizes collection and sharing of data in cases of direct adversarial attacks. Compared to the exceptions in (for instance) ECPA, CISPA is narrowly tailored and very specific.

Furthermore, when you point out all the laws encumbering sharing of attack information, you start to make the preemption point for me. It may already be possible to share attack information, so long as it doesn't involve raw emails, and the attack information is shared by telecom providers under the ECPA maintenance exemption. UNLESS YOU'RE AN AUTO INSURANCE COMPANY, in which case Congress helpfully (and reasonably!) enacted a specific privacy regime under DPPA, which means now simply to have Progressive push netflow records to Verizon they might have to incur $50,000 in legal review which by the time it's done the attack will be over.

Instead of repeating my original question --- how exactly does CISPA conflict with existing privacy laws in ways that harm the public interest? --- why don't I ask the question in a different framing. If we stipulate that the problem we're talking about here does exist --- that Advocate Health Care in Illinois would incur significant and unnecessary legal risk in pushing netflow DDOS information to a public clearinghouse --- what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?

Incidentally: can you do better than thanking me for a polite response? I'm not actually sure I'm being that polite anyways; I feel like I'm being blunt and direct. But on the other hand, you wrote a comment with a complicated technical question last night at 1:00AM, and when you didn't get a prompt response, you accused me of "handwaving". Can I argue now that it's pretty obvious that neither you nor I is "handwaving", and that we've both done our homework, or at least way more homework than most CISPA commenters have done? Instead of thanking me for polite responses, could you instead just not impugn my motives or intellectual honesty again? We can then just chalk our initial static up to "message boards and politics".

PS: The worst, most crazymaking thing about CISPA debates online is that they invariably put me in the position of "CISPA advocate". I have a position in the CISPA debate: "CISPA is not evil". I think if you believe like I do that CISPA is facially benign, the way organizations like EFF are choosing to message against it starts to get disquieting. But my position does not carry into "CISPA is a great idea". A sane argument against CISPA is that it forestalls a needed reform across all online privacy bills to enable network security to function sanely. CISPA might be a bad idea. I am not a CISPA advocate. I just don't think it's overtly contrary to the public interest.