[tptacek]

I'm not interested in what politicians say either, except to the extent that in a court challenge, when judges look to interpret the intent behind the statute, they have a clear signal by the authors of the bill that the statute was designed to prevent the collection of personal information by ISPs. Which was why I brought that up.

Your second graf begs my question. Obviously we're both aware of the ECPA and SCA. My question was, in what way do the preemptions on those acts materially harm the public interest? Put it this way: if you think that CISPA is in direct conflict with SCA, then clearly you can imagine situations in which e.g. Facebook could collect Netflow data from a DDOS attack and then worry that they'd somehow contravene SCA by sharing the information. Doesn't that "conflict" explain the need for an act like CISPA?

I'd also note that the first three acts you cited --- obviously the three most important, because they cover the integrity of online communications in general and not with respect to any particular application domain --- already contain exemptions similar in spirit to the ones in CISPA:

* ECPA permits providers to collect and in some limited cases share information that is related to the maintenance of their own infastructure

* SCA permits collection and monitoring of stored communication by the operators of stored communication services

* The Wiretap Act allows operators to intercept and monitor signals causing disruption to networks

CISPA harmonizes collection and sharing of data in cases of direct adversarial attacks. Compared to the exceptions in (for instance) ECPA, CISPA is narrowly tailored and very specific.

Furthermore, when you point out all the laws encumbering sharing of attack information, you start to make the preemption point for me. It may already be possible to share attack information, so long as it doesn't involve raw emails, and the attack information is shared by telecom providers under the ECPA maintenance exemption. UNLESS YOU'RE AN AUTO INSURANCE COMPANY, in which case Congress helpfully (and reasonably!) enacted a specific privacy regime under DPPA, which means now simply to have Progressive push netflow records to Verizon they might have to incur $50,000 in legal review which by the time it's done the attack will be over.

Instead of repeating my original question --- how exactly does CISPA conflict with existing privacy laws in ways that harm the public interest? --- why don't I ask the question in a different framing. If we stipulate that the problem we're talking about here does exist --- that Advocate Health Care in Illinois would incur significant and unnecessary legal risk in pushing netflow DDOS information to a public clearinghouse --- what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?

Incidentally: can you do better than thanking me for a polite response? I'm not actually sure I'm being that polite anyways; I feel like I'm being blunt and direct. But on the other hand, you wrote a comment with a complicated technical question last night at 1:00AM, and when you didn't get a prompt response, you accused me of "handwaving". Can I argue now that it it's pretty obvious that neither you nor I is "handwaving", and that we've both done our homework, or at least way more homework than most CISPA commenters have done? Instead of thanking me for polite responses, could you instead just not impugn my motives or intellectual honesty again? We can then just chalk our initial static up to "message boards and politics".

PS: The worst, most crazymaking thing about CISPA debates online is that they invariably put me in the position of "CISPA advocate". I have a position in the CISPA debate: "CISPA is not evil". I think if you believe like I do that CISPA is facially benign, the way organizations like EFF are choosing to message against it starts to get disquieting. But my position does not carry into "CISPA is a great idea". A sane argument against CISPA is that it forestalls a needed reform across all online privacy bills to enable network security to function sanely. CISPA might be a bad idea. I am not a CISPA advocate. I just don't think it's overtly contrary to the public interest.

[lawnchair_larry]

So, I didn't really answer because I knew you were kind of baiting me with that question. Whatever I wrote, you probably knew that you were going to be able to reply with "they can already do that under ECPA" (HN has had that discussion previously and I was paying attention). So let's just fast forward all of that.

Last time around, I believe you said CISPA is one giant legislative NOP. I think you have probably revised your position on that. Someone is trying very hard to pass this, and they don't do that for no reason. There is something very important in CISPA to someone.

It sounds like at least part of the reason for it, in your interpretation, is related to legal assurances. Since you have studied both, can you provide an effective 'diff' between CISPA and ECPA, within the scope of 'cyber'?

For what it's worth, after doing some basic searching on who is backing it and what their business objectives are, I feel like it is more probable that there is not evil intent behind CISPA at this time.

The problem, as I said, and as described by EFF, is that it is vague in many key areas (I'm not going to enumerate them, it's too tedious and not relevant enough to go into specifics). Look at the CFAA. The intent there was not to nail a MAC address spoofing wget loop or a fake email submitted to a captive portal to the wall for 35 years. The intent behind the PATRIOT act, at least as far as some supporters were concerned (even though they were probably duped) was actually to fight terrorism. Both have since become wildcards for bad actors to do things that the original supporters didn't intend. We have to expect this when we write laws.

It's the same as auditing C. You know those conversations you have with those "special" clients who respond to your bug report by saying "yeah, but that is only meant to hold a username, no one is REALLY going to try and have a 2GB username"? This is the legal equivalent.

> what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?

This is an unreasonable rebuttal. "It's not perfect, but you don't have anything better" is not how we make laws. Obviously, a journalist or a security consultant discussing something as important as this is not going to just spit out a bill that solves every problem in an HN comment.

[tptacek]

I still don't think CISPA is vital or that it will make much of a difference in online security. Part of the reason I think that is that I have (from previous companies) some professional familiarity with how attack data is already shared. It's cumbersome and not very effective but I don't think CISPA fixes it.

The comparison to CFAA is interesting. Long before the drama with Aaron Swartz (drama you and I are probably on the same page about), CISPA was revised to blunt that concern: TOS violations are explicitly exempted from the sharing provisions of the app. So if you're on online music store and someone starts mass-exploiting a vulnerability to take music without paying for it but doesn't threaten the integrity of your actual computers, you can't share that attack information under CISPA. To me, that is a level of specificity and care that is unique to CISPA. Even the Wiretap Act, which exists almost entirely to suppress monitoring of communications, leaves much larger holes for service operators to monitor traffic.

So my response to you on this --- and I recognize that you want to avoid the nitty-gritty details, and that's fine --- is that CISPA is substantially more detailed than other online regulations. It is written more carefully to cover operational security issues than HIPAA is; it's far more specific than Sarbox was; it actually (IMO) narrows what could already be shared under ECPA, and it does this by spelling out in detail what an actual online security attack is.

I am specifically not making the argument that you have to propose a better bill to justify not passing this one! I agree, that is an infuriating objection. I'm saying, your proposed privacy-protecting language would help clarify the concerns you have with CISPA, so that we could be more sure we're debating each other and not past each other.

Finally, we disagree more than we agree about online policy, across the board. So any time this stuff comes up, any time I ask you to clarify something, you can reasonably expect me to follow up with some kind of rebuttal. I appreciate how that feels like being baited, but I'm not doing it in bad faith. Agreement for the sake of decorum is boring, isn't it? Let's just say what we think.

[lawnchair_larry]

To clarify on the baiting comment, I didn't intend to accuse bad faith or mean that was generally applicable to debates. For this particular issue, we have already advanced beyond that point in the conversation last time this was on HN, and I just wanted to expedite that. "Debate fatigue" or something :)

So my eventual reply is, if I list off my concerns and you point out that it's already possible to do those things, what is CISPA adding? Let's start the conversation there.

I'm not sure if it's a fallacy to appeal to common sense, but I don't buy that someone is pushing this through so hard to narrow what can already be shared. Even though you are certainly more familiar with previous relevant legislation, I feel pretty safe in saying that if that is your interpretation, it has to be incorrect.

Nobody spends money trying to take permissions away from themselves, and nobody versed in this area of law isn't already aware of their capabilities under ECPA.

[tptacek]

I guess, if I was going to put my CISPA-advocate hat on, which I don't like because it is an ugly hat that I think my cat peed on, I would say this:

It is already possible for service providers to do the things CISPA enables them to do. However, under current regulations, it is legally risky for them to do it. Some of what they do incurs legal risk. Some of the legal risks mean that whole companies in some verticals won't entertain any conversation about information sharing because they're encumbered by specific privacy rules which, while important, were never intended to hamstring network security. As a result, there is much less information sharing now than there could be.

If I was going to put my political analyst hat on, which is ugly but at least doesn't smell like cat piss, I would point out the following:

CISPA came into being less an urgent fix to an immediate problem than as a response to another, more interventionist approach to regulating cybersecurity. That other approach would essentially have the USG "pick winners" in the information assurance market and, down the road, would allow the USG to designate certain private companies as "critical infrastructure" that would require the commercial ministrations of those companies. The winners in that scenario would have been Raytheon, Lockheed, and SAIC. Nobody in private industry wanted that, and it was antithetical to the Republican House, so they came up with an industry-friendly counterproposal.

[lawnchair_larry]

Do you think that EFF vs AT&T would have been easier to dismiss, post-CISPA?

[tptacek]

No. What part of AT&T's defense involved operational network security? For whatever it's worth: AT&T's complicity in NSA monitoring of overseas traffic involving American citizens was despicable.