Hacker News new | ask | show | jobs
by rubbingalcohol 4010 days ago
> Section 4(d)(2) requires removal of personal information

Section 4(d)(2) of _what?_ These minimization requirements have been removed or weakened in the various iterations of CIS(P)A that have appeared and been defeated year after year. There is currently no bill in front of Congress, so your citing of a specific provision is questionable. Congress is expected to take a new version of CISA up in the next few weeks.

> The Constitution restricts government from forcing companies to give up information against their will.

Except under Section 702, companies are compelled to hand the information via secret orders with gag provisions. Fighting these orders is expensive and the gag orders prevent the companies from openly opposing them.

It _is_ an end-run around the Constitution if the data a company provides belongs to an individual and is disclosed without a proper warrant, unless you agree with the statement that "people have no right to privacy in any data held by third party service providers." Such an attitude ignores the reality that cloud services have become integrated into peoples' lives, and ubiquitous enough that the end-customer should have legal interest and Constitutional protection in data held by third parties.
1 comments
tzs 4010 days ago
> Section 4(d)(2) of _what?_

Section 4(d)(2) of the bill that the article you are commenting on is writing about, S.754, the "Cybersecurity Information Sharing Act of 2015".

link
rubbingalcohol 4010 days ago
Section 4(d)(2) requires removal of information that a company "knows at the time of sharing" to be private personal information. That's complete weak sauce. There is tons of leeway here for the government to demand threat indicators that could "accidentally" vacuum up private info without anyone "knowing" about it. And the bill hasn't even gone through committee. If the past is any indication, the GOP will try to strike it completely.

Anyway, I would appreciate if you could address the other point I raised because I'm very curious to hear your philosophical thoughts on this subject.

link
tzs 4010 days ago
I don't see anything in (this version of, anyway) CISA that would let the government demand threat indicators. If the government wants to come demanding companies give them information, they have to turn to other laws for that.

On the Constitutional issue:

> It _is_ an end-run around the Constitution if the data a company provides belongs to an individual and is disclosed without a proper warrant, unless you agree with the statement that "people have no right to privacy in any data held by third party service providers."

People have multiple rights to privacy related to such data. Some come from state law. Some come from federal agencies. Some come from federal legislation. Some come from the Constitution.

The ones from the Constitution protect against government compelling release of the data. They don't protect against the providers deciding on their own to disclose the information to the government (or to the public, or to private parties). If, for instance, PG&E decided to publish a list of its customers along with contact information and energy use records, it would not be violating a Constitutional right to privacy. If the government demanded that PG&E make and turn over such a list, then we've got a Constitutional issue to talk about.

In that hypothetical, PG&E would be violating some of those other rights to privacy that come from state legislation, federal legislation, and agency rules, and would run into a ton of trouble.

link