by rdl 4818 days ago
This is the part where tptacek says CISPA doesn't do anything particularly bad vs. the state of law now, other people express fairly emotional vs. fact based arguments about what bad it could do, and no one (in industry or government or watchdog groups) really knows for sure what CISPA would, in practice, mean, right?

Nah. It's bad. Here's a simple argument that covers just one part of the bill.

CISPA would give a safe harbor from other privacy rules to companies that share information with the government as long as that information is about "cyber threats". Now, let's say someone breaks into your database server and you're at a company with not-too-skilled IT people. The government shows up and says "hey, what can you tell us about the attack you experienced? PS - we'd be happy to analyze your data for you."

What do your IT people do? They say "screw it, we'll just send in all the logs we have and let the feds figure it out." And so they do that.

What if the law protects the information in those logs? What if the information is sensitive (like health or financial information) and is protected under a special privacy regime like HIPAA? Or what if the information is protected from disclosure by contract (like in a TOS/TOU document)? CISPA says that the disclosure is exempt from whatever sanctions/punishments would happen under those protection regimes because Cyber Threats Are Important (tm).

Disclosure: I am not a lawyer. Even after it's passed into law, only a court can decide exactly what the safe harbor in CISPA means.

That is in fact more or less what the law allows firms to do: when their database is compromised, they are allowed to cooperate with other service providers and with law enforcement to track down what actually happened to their systems without spending $50,000 to ensure that they aren't violating, say, DPPA.

So that means, if the database contained emails, call records, or SMS, the feds could read all of it.

That sounds like a security risk waiting to happen at your cell phone carrier and email service provider.

Sure. What's the alternative? What did you think happened when law enforcement investigated serious computer crimes? If a financial institution has a key database popped and the Secret Service is called in to investigate, was it your expectation that the victim was required to carefully anonymize and blind all the data in that database? How could any criminal investigation work if that was the requirement? (Cliff's Notes: That's not the requirement).

The bill as written, even before the narrowing amendments, acknowledges the risk this subthread discusses. It does that by trying to define "cyber threat information" as information directly implicated in an attack. In the sponsor's notes on the bill on the House site, they explain that the definition of "protected entity" was changed specifically to prevent individual people from being considered as entities, so that person-specific data couldn't be handed over under CISPA authority.

The basic problem the bill addresses is this: large companies are under continuous attack. Let's stipulate that attacks come in two flavors: DDOS and targeted malware.

In both cases, there is clear utility in allowing companies to collaborate with other companies and with the government.

In the DDOS case, you want to share NetFlow information with your upstream ISPs and with DDOS trackers, because those are the organizations that generate black-hole and IP filtering rules, and they all work better if they have lots of different vantage points to work from. At the very least, you want to push sources back up to your immediate upstream providers so they can soak them up on their infrastructure rather than saturating your uplinks.

In the malware case, you want to share forensic information that would help identify (a) the vulnerability the malware exploits, (b) the C&C system the malware is using, (c) any evidence of the source of the malware, and (d) forensic information that would help investigators discern the intent of the malware.

In both cases, your company's general counsel is apt to inform you that the legal risk of sharing just that information is potentially unbounded, because nobody can predict exactly what claims could be made under ECPA, SCA, DPPA, HIPAA, FERPA, &c; nobody even knows what traces of information, overt or statistical, might be lurking in NetFlow.

So the situation we have today is that there is information sharing when attacks happen, but much of it is sub rosa, and you have to be in the right clubs to get access to the right sharing networks.

It does not make intuitive sense to me that electronic privacy should mean that basic low-level systems information incident to a real attack should incur unbounded legal risk when shared with other companies directly involved in mitigating those attacks.

You might disagree, and that's fine. But the notion that CISPA is actually intended to allow NSA to read your email is just not supported by the language of the bill, by any advocacy for the bill, or by any of the bill's amendments, and the problem the bill is addressing is a real problem (I have some limited professional exposure to it).

One alternative is to limit CISPA to law enforcement receiving the information rather than the National Security Agency and other arms of the defense-intelligence apparatus. But that amendment failed by a 4-14 vote this week.

May I assume that you'll publicly oppose CISPA if it continues to advance without that amendment? :)

Also, regarding your claims that person-specific data can't be handed over, a separate amendment requiring that failed by a 4-16 vote. So it will be able to be shared with the NSA.

BTW, I'm not arguing that there are not real problems arising from attacks that large companies, and even smaller companies, face. The question is what to do about it, and whether CISPA remains the best vehicle.

I don't understand why you think CISPA is hard to parse. The 2013 draft bill is public. The bill is extraordinarily short. And many of the objections --- which you rightly call out as emotional --- are contradicted by the text of the bill.

I don't so much care whether CISPA passes. What I do care about is people trying to fundraise by convincing willfully ignorant nerds that CISPA is a backdoor SOPA bill; why, just look, GoDaddy supports it, it must be bad!

Any willfully ignorant nerds should read the bill's text, which is available here: http://www.opencongress.org/bill/113-h624/text

Can you link me to a layman version?

I find that if you ignore the white space and numerals, it reads pretty well.

What parts of the bill are you having trouble understanding?

The reason it's hard to parse is that random amendments can be added late in the game which totally change the meaning of the law (of course, they could be added to any bill). And, I was trying to be charitable.

It's funny you should mention that. Random amendments were in fact added to CISPA 2012. They did things like, for instance, ensuring that terms of service violations wouldn't constitute cyberthreats, or making it clear that the bill wasn't intended to stop piracy.

The amendments are public too. You can actually read them.

As you can see, I'm not very charitable about this. Nerds are to online regulation what the Michigan Militia is to gun control. I respect and defer to fact-based objections to CISPA, but I have no patience for the (large set of) people who simply make things up about it to try to win arguments.

There's a legitimate reason for the Internet Hate Machine to try to preempt bad law -- it takes a long time to power it up, and sometimes bad law is forced through quickly. The forcing through of bad laws with minimal public comment and debate (epitomized by PATRIOT) is the real problem there, though. There is no possible argument that CISPA, SOPA, or PIPA issues are so pressing as to not allow a reasonable period for commentary and debate.

I feel like I'm being charitable by discussing CISPA as if it was somehow similar to SOPA or PIPA, because CISPA has nothing whatsoever to do with SOPA or PIPA.

I do not have a problem with people who generally oppose Internet regulation of all sorts (I don't agree, but I don't make fun of them either).

I do have a problem with "Internet Hate Machines" of all sorts. You are not entitled to invoke principles to deploy bad facts.

Have you read the 2013 House CISPA amendments? I have. They're public. I'm guessing, no, right? Are you a gambling man? Would you like to bet me how agreeable they are relative to the text of the bill itself? The 2012 CISPA amendments tightened and restricted the act. What do you think the new 2013 amendments do?

The connection between SOPA/PIPA and CISPA goes the other way; anti-SOPA/PIPA entities are using CISPA to fundraise and influenceraise, independent of the reality of CISPA.

The only amendments I've read about in 2013 are PII removal and removing the "national security" terms, both of which are civil liberties enhancements. (although I don't know where to find the actual text of the amendments). The 2012 amendments were improvements to baseline CISPA (especially the ToS vs. CTI clarification, which was my only real objection to CISPA originally). I do not think I'd take your bet; the probability of something bad being attached is low, but if something bad is attached, it's high severity, so moderate risk. You'd give odds based on probability and I'd want based on expected-harm.

Re: IHM. Reasonable people don't really win at politics. Look at how AARP/etc. essentially eviscerate anyone who thinks of touching Medicare or SS. Thus, horrible public policy (wealth transfers from the poor and young to the old and wealthy!) persists in the face of all logic. That it does shows how effective their lobbying/rabble-rousing strategy is.

Civil libertarians tend to err on the other side, for "what would be best for society", and end up with all kinds of bad stuff happening to them.

I'm ok with "ends justify means" in this case -- if "means" is "make everyone in Congress terrified of any cyber-laws which aren't explicitly and transparently improvements to individual privacy and freedom."

I have read the 2013 House CISPA amendments and wrote about them here: http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...

I'd be interested to hear defenders of the legislation explain why CISPA remains such a lovely bill after the House Intelligence committee rejected these four amendments that were aimed at protecting privacy:

* Limiting the sharing of private sector data to civilian agencies, and specifically excluding the NSA and the Defense Department. (Failed by a 4-14 vote.)

* Directing the president to create a high-level privacy post that would oversee "the retention, use, and disclosure of communications, records, system traffic, or other information" acquired by the federal government. It would also include "requirements to safeguard communications" with personal information about Americans. (Failed by a 3-16 vote.)

* Eliminating vague language that grants complete civil and criminal liability to companies that "obtain" information about vulnerabilities or security flaws and make "decisions" based on that information. (Failed by a 4-16 vote.)

* Requiring that companies sharing confidential data "make reasonable efforts" to delete "information that can be used to identify" individual Americans. (Failed by a 4-16 vote.)

To be fair: THOMAS is usually very slow at putting up amendment text, sometimes taking weeks or months after a vote to put up floor amendments.

(I have complained, and they said they should be there the next day, but then I pointed out about 25 cases where it wasn't, and they kinda stopped talking :P)

In this case the amendments were online on a .gov site about six hours or so after the vote (thanks, I suspect, to my bugging the committee).

(THOMAS being the Library of Congress document management system.)

I agree with tptacek (hi there!) that CISPA is not that difficult to parse, and that people might as well read it for themselves. More: http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...

But I disagree with his "Michigan Militia" analogy, which is a bit silly. Another way to look at it is that starting with Clipper, CDA, CALEA, crypto export controls (plus mandatory domestic key escrow approved by a House committee), we've lived through 20 years of ill-advised regulation. So unless the merits of a new proposed law clearly outweigh the downsides, which is not the case in CISPA, a measure of skepticism is reasonable.

Wait, what? We don't have Clipper or key escrow of any sort. You seem to be arguing that every measure ever introduced into Congress has to be judged against the dumbest ideas ever introduced into Congress.

tptacek: You're quite right that neither are with us today. The reason: Clipper and key escrow were defeated by the same advocacy groups you claim, without any evidence, are trying to "fundraise by convincing willfully ignorant nerds" CISPA is bad.

I can imagine FBI director Louis Freeh saying the same thing when he was defending bans on non-escrowed encryption in the late 1990s: "Nothing wrong with mandatory key escrow! Silly ACLU EFF EPIC etc. are just trying to fundraise off of fear and emotion."

What does EFF's opposition to Clipper have to do with what CISPA says?

You yourself have conceded on HN that advocacy groups have directly misstated details about CISPA. Now you're writing comments suggesting that I'm being misleading by pointing that track record out. That is not honest debate, Declan.

tptacek: Two points. First, if an employee has a history of writing bad code, you may scrutinize their efforts more closely in the future. Same with Congress. I was making a historical point for context, based on rdl's mention below.

Second, I'm not aware of anything ACLU, EFF, or EPIC said that's intentionally false re: CISPA. As you correctly say, other groups may not be as careful (although even then, you could have unintentional falsehoods, and I rarely like to speculate about motives).

How many of the names on CISPA were in Congress for Clipper? Answer: Frank LoBiondo. That's it, out of a long list of names. Congress is not one monolithic thing.

The basic issue around CISPA is that it puts the power to share info in the hands of the tech companies. They like it because the government cannot compel actions--unlike the Senate bill last year.

Tech companies trust themselves to only share the critical info needed for better security, so they do not see a risk in CISPA.

Citizen groups do not trust tech companies or the government, so they see risk in any legislation that seems to reduce oversight of info sharing between them.

Right, a lot of the issue is that SOPA/PIPA (and before that, PATRIOT, NDAA, etc.) have poisoned the water between ~the users of the Internet and ~the Government.

Yes. And this retroactive immunity for illegal (and in some cases criminal) activities, which Candidate Obama supported despite telling me ~six months earlier he would not: http://news.cnet.com/8301-13578_3-9986716-38.html

"...voting to derail lawsuits against telecommunications companies that unlawfully opened their networks to the National Security Agency. Senators voted 69 to 28 for the bill, which would rewrite federal wiretap laws by granting retroactive immunity to telecommunications companies..."

That is probably true, but that fact is not an all-access pass to making inaccurate claims about the bill. But it gets used that way all the time.

This is a continuation of our disagreement above, I know, but if you have an entity that has advanced problematic proposals multiple times when it comes to regulating technology -- and at times demonstrated a near-complete lack of understanding of what they're trying to regulate -- it's not unreasonable to apply more scrutiny to future proposals.

You're right that nobody should be making inaccurate claims about the bill (though I try to be charitable and say inaccurate claims in either direction are misunderstandings, not intentional distortions). I'm making a slightly different point, which is an argument for a lower threshold to trigger scrutiny, and a higher threshold to legislate in the first place.

My objection to this line of reasoning is that there is only one entity producing U.S. legislation, so there is no real point of comparison. One cannot even compare Congress as a whole over time, since its membership changes (however slightly) every 2 years.

Also, is there any subject for which everyone can agree that Congress is good at proposing legislation? The whole point of the legislative process is to adjudicate between competing opinions; so whether any piece of legislation is "good" or "bad" will vary, to some extent, according to the observer.

Edit to add conclusion: Each bill should be judged on its merits, not on the fact that it comes out of Congress (since that is where they all come from).