I still don't think CISPA is vital or that it will make much of a difference in online security. Part of the reason I think that is that I have (from previous companies) some professional familiarity with how attack data is already shared. It's cumbersome and not very effective but I don't think CISPA fixes it.
The comparison to CFAA is interesting. Long before the drama with Aaron Swartz (drama you and I are probably on the same page about), CISPA was revised to blunt that concern: TOS violations are explicitly exempted from the sharing provisions of the app. So if you're an online music store and someone starts mass-exploiting a vulnerability to take music without paying for it but doesn't threaten the integrity of your actual computers, you can't share that attack information under CISPA. To me, that is a level of specificity and care that is unique to CISPA. Even the Wiretap Act, which exists almost entirely to suppress monitoring of communications, leaves much larger holes for service operators to monitor traffic.
So my response to you on this --- and I recognize that you want to avoid the nitty-gritty details, and that's fine --- is that CISPA is substantially more detailed than other online regulations. It is written more carefully to cover operational security issues than HIPAA is; it's far more specific than Sarbox was; it actually (IMO) narrows what could already be shared under ECPA, and it does this by spelling out in detail what an actual online security attack is.
I am specifically not making the argument that you have to propose a better bill to justify not passing this one! I agree, that is an infuriating objection. I'm saying, your proposed privacy-protecting language would help clarify the concerns you have with CISPA, so that we could be more sure we're debating each other and not past each other.
Finally, we disagree more than we agree about online policy, across the board. So any time this stuff comes up, any time I ask you to clarify something, you can reasonably expect me to follow up with some kind of rebuttal. I appreciate how that feels like being baited, but I'm not doing it in bad faith. Agreement for the sake of decorum is boring, isn't it? Let's just say what we think.

So my eventual reply is, if I list off my concerns and you point out that it's already possible to do those things, what is CISPA adding? Let's start the conversation there.
I'm not sure if it's a fallacy to appeal to common sense, but I don't buy that someone is pushing this through so hard to narrow what can already be shared. Even though you are certainly more familiar with previous relevant legislation, I feel pretty safe in saying that if that is your interpretation, it has to be incorrect.
Nobody spends money trying to take permissions away from themselves, and nobody versed in this area of law isn't already aware of their capabilities under ECPA.