Hacker News new | ask | show | jobs
by lawnchair_larry 4841 days ago
So, I didn't really answer because I knew you were kind of baiting me with that question. Whatever I wrote, you probably knew that you were going to be able to reply with "they can already do that under ECPA" (HN has had that discussion previously and I was paying attention). So let's just fast forward all of that.

Last time around, I believe you said CISPA is one giant legislative NOP. I think you have probably revised your position on that. Someone is trying very hard to pass this, and they don't do that for no reason. There is something very important in CISPA to someone.

It sounds like at least part of the reason for it, in your interpretation, is related to legal assurances. Since you have studied both, can you provide an effective 'diff' between CISPA and ECPA, within the scope of 'cyber'?

For what it's worth, after doing some basic searching on who is backing it and what their business objectives are, I feel like it is more probable that there is not evil intent behind CISPA at this time.

The problem, as I said, and as described by EFF, is that it is vague in many key areas (I'm not going to enumerate them, it's too tedious and not relevant enough to go into specifics). Look at the CFAA. The intent there was not to nail a MAC address spoofing wget loop or a fake email submitted to a captive portal to the wall for 35 years. The intent behind the PATRIOT act, at least as far as some supporters were concerned (even though they were probably duped) was actually to fight terrorism. Both have since become wildcards for bad actors to do things that the original supporters didn't intend. We have to expect this when we write laws.

It's the same as auditing C. You know those conversations you have with those "special" clients who respond to your bug report by saying "yeah, but that is only meant to hold a username, no one is REALLY going to try and have a 2GB username"? This is the legal equivalent.

> what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?

This is an unreasonable rebuttal. "It's not perfect, but you don't have anything better" is not how we make laws. Obviously, a journalist or a security consultant discussing something as important as this is not going to just spit out a bill that solves every problem in an HN comment.
1 comments
tptacek 4841 days ago
I still don't think CISPA is vital or that it will make much of a difference in online security. Part of the reason I think that is that I have (from previous companies) some professional familiarity with how attack data is already shared. It's cumbersome and not very effective but I don't think CISPA fixes it.

The comparison to CFAA is interesting. Long before the drama with Aaron Swartz (drama you and I are probably on the same page about), CISPA was revised to blunt that concern: TOS violations are explicitly exempted from the sharing provisions of the app. So if you're on online music store and someone starts mass-exploiting a vulnerability to take music without paying for it but doesn't threaten the integrity of your actual computers, you can't share that attack information under CISPA. To me, that is a level of specificity and care that is unique to CISPA. Even the Wiretap Act, which exists almost entirely to suppress monitoring of communications, leaves much larger holes for service operators to monitor traffic.

So my response to you on this --- and I recognize that you want to avoid the nitty-gritty details, and that's fine --- is that CISPA is substantially more detailed than other online regulations. It is written more carefully to cover operational security issues than HIPAA is; it's far more specific than Sarbox was; it actually (IMO) narrows what could already be shared under ECPA, and it does this by spelling out in detail what an actual online security attack is.

I am specifically not making the argument that you have to propose a better bill to justify not passing this one! I agree, that is an infuriating objection. I'm saying, your proposed privacy-protecting language would help clarify the concerns you have with CISPA, so that we could be more sure we're debating each other and not past each other.

Finally, we disagree more than we agree about online policy, across the board. So any time this stuff comes up, any time I ask you to clarify something, you can reasonably expect me to follow up with some kind of rebuttal. I appreciate how that feels like being baited, but I'm not doing it in bad faith. Agreement for the sake of decorum is boring, isn't it? Let's just say what we think.

link
lawnchair_larry 4841 days ago
To clarify on the baiting comment, I didn't intend to accuse bad faith or mean that was generally applicable to debates. For this particular issue, we have already advanced beyond that point in the conversation last time this was on HN, and I just wanted to expedite that. "Debate fatigue" or something :)

So my eventual reply is, if I list off my concerns and you point out that it's already possible to do those things, what is CISPA adding? Let's start the conversation there.

I'm not sure if it's a fallacy to appeal to common sense, but I don't buy that someone is pushing this through so hard to narrow what can already be shared. Even though you are certainly more familiar with previous relevant legislation, I feel pretty safe in saying that if that is your interpretation, it has to be incorrect.

Nobody spends money trying to take permissions away from themselves, and nobody versed in this area of law isn't already aware of their capabilities under ECPA.

link
tptacek 4841 days ago
I guess, if I was going to put my CISPA-advocate hat on, which I don't like because it is an ugly hat that I think my cat peed on, I would say this:

It is already possible for service providers to do the things CISPA enables them to do. However, under current regulations, it is legally risky for them to do it. Some of what they do incurs legal risk. Some of the legal risks mean that whole companies in some verticals won't entertain any conversation about information sharing because they're encumbered by specific privacy rules which, while important, were never intended to hamstring network security. As a result, there is much less information sharing now than there could be.

If I was going to put my political analyst hat on, which is ugly but at least doesn't smell like cat piss, I would point out the following:

CISPA came into being less an urgent fix to an immediate problem than as a response to another, more interventionist approach to regulating cybersecurity. That other approach would essentially have the USG "pick winners" in the information assurance market and, down the road, would allow the USG to designate certain private companies as "critical infrastructure" that would require the commercial ministrations of those companies. The winners in that scenario would have been Raytheon, Lockheed, and SAIC. Nobody in private industry wanted that, and it was antithetical to the Republican House, so they came up with an industry-friendly counterproposal.

link
lawnchair_larry 4841 days ago
Do you think that EFF vs AT&T would have been easier to dismiss, post-CISPA?
link
tptacek 4841 days ago
No. What part of AT&T's defense involved operational network security? For whatever it's worth: AT&T's complicity in NSA monitoring of overseas traffic involving American citizens was despicable.
link
lawnchair_larry 4836 days ago
I'm not sure if you are still watching this thread, but EFF posted a blog article today that covers where I was going with that thought:

https://www.eff.org/deeplinks/2013/03/consequences-cispas-br...

I don't share their concerns about the "hack back" thing. It's hard to take that seriously.

link