[tptacek]

There is no intersection between the NSL controversy and CISPA. CISPA is entirely opt-in. Google has to volunteer the information; it can't be coerced into doing so by the government. Even if Google wanted to share emails, voluntarily, it would not find authority to do so in CISPA, because CISPA scopes the kinds of information that can be shared to data incident to actual cyber attacks.

[declan]

I halfway agree. Google and some other left-coast companies are the least likely to take advantage of CISPA's wildcard override-all-existing-privacy-laws loophole. Google has fought the DOJ in court before to protect the privacy of their users; they're fighting the FBI now. Facebook, Amazon, and Twitter have done the same.

But other companies, including AT&T, are far more likely to exploit this loophole (in fact they persuaded Congress to immunize them for illegal activity, post-facto): http://news.cnet.com/8301-13578_3-9986716-38.html

Your claim that a company could "not find authority" to share emails under CISPA is close to the mark but not quite there. First, the House Intelligence committee rejected an amendment by a 4-16 vote that would have required companies to "make reasonable efforts" to delete "information that can be used to identify" individual Americans.

Second, data that can be freely shared with FedGov including NSA encompasses broad categories of information relating to security vulnerabilities, network uptime, intrusion attempts, and denial-of-service attacks, with no limit on sharing emails or personal data. See: http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...

[tptacek]

You wrote a lengthier comment that enumerated the failed CISPA amendments that I need to take some time to respond to, but in the meantime:

Regarding PII in threat data, we're talking about orthogonal concerns. The amendment you're talking about would require all threat data to use (presumably commercially reasonable methods) to scrub PII. The concern there is accidental inclusion of PII; it's that disclosure of, say, IP addresses in NetFlow information might uniquely identify customers. But providers today aren't required to fully anonymize NetFlow when they cooperate with investigations. The amendment was a sensible measure and I wish it had passed, but its failure does not break new ground for privacy nor does it change the original scope of the bill. When we last discussed CISPA on HN, that amendment didn't exist, and I still didn't think the bill was scary.

The PII concerns I'm referring to involve the idea that CISPA could be used to frame individual citizens as cyber threat protected entities so that raw information about them could be shared by AT&T incident to some supposed attack. That is an interpretation of CISPA that was explicitly rejected by the bill's sponsors; they cite specific language they added to the bill to counter that interpretation.

(I didn't downvote you and don't understand why anyone would downvote you, but I could get downvoted here for saying "water is wet", so oh well.)

[declan]

I upvoted this post as a way to say thank you for a polite debate.

[tptacek]

You and I will never agree on this stuff but I'm always glad to see you participating. Thanks again.