The first time. And maybe the second time. And maybe even the third time. But after a while we're going to start to get numb to the calls-to-arms. And eventually our sometimes-well-intentioned-but-pulled-in-30-directions representatives are going to stop getting those concerned phone calls and emails from constituents, and they're going to fall prey to the typical "think of the children" argument that often gets put forward on any security bill, and something ugly is going to get passed.
I hate resigning myself to this, but it's the disappointing reality.
What to do?
This isn't about spying on Americans. This isn't SOPA with a new name. This isn't about stopping piracy or spying on your Facebook profile. This bill is about letting government agencies share intelligence on network threats with private companies so those companies can protect their customers' information. None of the agencies or companies involved want to share any private information about their citizens or customers. There are lots of lawyers involved in the process to ensure that doesn't happen.
I wonder if some of that exhaustion is also what leads people to not read the bill or understand the context and just assume it's another anti-piracy bill.
"None of the agencies or companies involved want to share any private information about their citizens or customers." The telcos have monetized their lawful intercept programs and receive bad publicity protection from the government by being legally entitled to keep it a secret. They now have a profit motive and the risk of bad publicity is low. And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant: we'll offer you protection from being sued if you just hand over business data without a warrant.
If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath. So if you want to blame somebody for the confusion start with the people proposing this legislation.
I'm not sure why you think the very smart lawyers and legislative counsel at the ACLU, the ALA, etc. are incapable of reaching their own conclusions about the relative merits of legislation.
I hope you're right that CISPA isn't about spying on Americans. The problem is that, as written, it allows precisely that, with the cooperation of the same companies that have opened their networks to the FedGov in the past. If the wildcard language trumping all state and federal privacy laws were deleted, I think a lot of the (informed) opposition would vanish.
BTW, there were "lots of lawyers involved in the process" of creating SOPA. Look how that turned out. I'd be far more comforted if we had fewer lawyers and more technologists involved. :)
More: http://news.cnet.com/8301-31921_3-57422693-281/ and http://news.cnet.com/8301-13578_3-57574196-38/
In addition, environmental type people are not reflexively opposed to/afraid of the federal government, so they are willing to educate themselves about the process and the issue. They learn to distinguish between issues, and when a threat is real vs. perceived.
In comparison the Internet enthusiast community seems to largely persist in the fantasy that the government should not (or cannot) have a role in the regulation of the Internet. Thus when issues do come up, they are ignorant and reactive. And they are eager for issues to go away so that they can go back to "normal" i.e. ignoring the government.
In fact, I doubt even that will stop these kinds of laws from being introduced. However, it will give a firm and easy foothold to dismissing them. Similarly, it will become that much easier to retroactively have them removed if they violate an amendment.
The exact text of this kind of amendment would be difficult to craft, frankly, I'm not a lawyer, I have no idea where or how to start crafting this. However, I do fully believe this is the ultimate winning endgame for this kind of legislation.
We need a "legal hacker" a la Richard Stallman to craft something like this.
SOPA was a genuinely invasive bill and a clear power grab by the content industry. It created a new special second-class "tainted" designation for content sites that refused to play ball with rightsholders and gave rightsholders new means to prosecute their rights outside of civil courts. It was understandable and --- even though I'm a supporter of copyright in general --- commendable that organized opposition to SOPA killed that bill outright.
CISPA is nothing like SOPA.
To begin with, CISPA has none of the same objectives of SOPA. It isn't about the content industry at all. In fact, when early opposition to CISPA by organizations like EFF started catching on, its sponsors scrubbed the bill of language that could have been read (in a stretch) as protecting rightsholders. CISPA is about online security attacks, not about piracy.
Next, CISPA isn't invasive. SOPA threatened to create a kangaroo court system of copyright-noncompliant sites that the content industry could starve by banning commercial transactions with them. CISPA is an opt-in bill; the USG cannot compel any organization to cooperate with any USG agency, but instead creates a facility that companies can use if they need to share attack information but don't want to spend $100,000 in ECPA-interpreting legal review each time they do it.
In fact, CISPA in practice probably has more to do with information moving FROM the USG TO private companies. The USG spends hundreds of millions of dollars a year monitoring its networks (which together constitute the largest IT organization in the world). It is true that the largest IT org in the world happens to be a shitty IT shop, but it has nevertheless built up about a decade of experience tracking malware and botnets and DOS attack information; when Blaster broke out, the experience of the Navy Marine Corps Intranet getting overrun by it was some of the first shared among ISPs. All sorts of random rules prevent USG IT shops from running any kind of central clearinghouse of attack information, and still more rules prevent any of that information from being published.
I don't particularly like CISPA. It obviously sounds like I do, but that's because the uninformed paranoia about CISPA is so virulent that any measured take on the bill sounds like cheerleading. I don't care whether CISPA passes or doesn't pass. But it drives me a little bananas to see how easily the ostensibly curious and well-informed people on HN are bamboozled by identity politics on issues like this.
It's a tiny bill, as bills go. Just go read it.
I have yet to hear a good argument for why we need CISPA to override all federal and state privacy laws, including laws restricting what companies can turn over to the government in the absence of legal process. In programmerese, CISPA is a wildcard approach -- an "rm -rf *" -- when you haven't done an "ls" to see what's in the directory first. Perhaps one or two need to be overridden for good reason, but why not specify them instead of using a wildcard?
Here are some details: http://news.cnet.com/8301-31921_3-57422693-281/ What sparked significant privacy worries is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government." It doesn't, however, require them to do so. By including the word "notwithstanding," House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) intended to make CISPA trump all existing federal and state civil and criminal laws. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.") "Notwithstanding" would trump wiretap laws, Web companies' privacy policies, gun laws, educational record laws, census data, medical records, and other statutes that protect information, warns the ACLU's Richardson: "For cybersecurity purposes, all of those entities can turn over that information to the federal government."
It doesn't matter what the objectives are, or whether or not the intention is to protect rights holders. It matters what the law actually allows as written. That's what we take issue with.
And yes, I have read the entire thing.
Perhaps I'll be "throwing my vote away". Nonetheless, next time around, I'll be choosing from amongst the other choices.
For the Federal elections, it's early enough in the cycle that if people start doing this en masse, it might have some real influence.
http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...
I'm envisioning a web dashboard that lets federal agents do fuzzy queries on individuals, to see all the sites visited, emails sent, web searches, browsing habits, etc, from all the IP addresses used by the given individual in the past several years. The system would aggregate information gathered from ISPs and web companies. The government can already get anything they want from an ISP or web company, but they have to do it on a case by case basis and it is probably annoying to correlate information across sources. In the future, I imagine that a federal agent can go to his big brother dashboard, type in a name, and have immediate access to all sorts of information gathered from credit card companies, search providers, ISPs, telecoms.
It should automatically advise internet services that a person/account may be trouble, thus granting those private companies the blanket "exemption from liability... for decisions made based on cyber threat information identified, obtained, or shared under this [law]." (That's one of the most concerning vague and elastic provisions in the current proposed bill text.)
There should also be a 'redress number' subsystem, for when people on the watchlist start noticing their accounts being restricted or disabled, and want to make the case they're not the bad guy the agent who pressed the button thought they were.
https://www.techdirt.com/articles/20130311/16221022286/white...
I saw an infographic a little while back that I thought made a pretty good representation of what the bill actually proposes, I wonder if anyone has a link available to it.
Private companies can and do share (heavily scrubbed) electronic signature information, but must go through contortions to do so, and incur huge legal costs to do it. As a result, only the largest companies participate in these efforts.
Because the USG is more or less enjoined from participating in clearinghouses with private companies, information sharing networks are handshake affairs that are often unknown to anyone outside tier-3 network engineering. Other private IT security product companies run de facto clearinghouses, but only for their customers.
As a result, when your startup gets DDoS'd and you call your ISP for help, they generally can't do shit to help you. It may annoy you to know that if your connectivity provider is large, there is a group in there that could offramp your traffic to internal "scrubbing centers" to peel off DDOS traffic. But because high-end DDoS protection at ISPs is done sub rosa, startups have a very hard time finding these people.
There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it. And all it appears to take to fuel that hysteria is statements like "think of the overreach that will happen once a law hits the books".
I think everyone agrees that companies should be able to describe to the cops what the guy who robbed them looked like, and those companies should be able to tell their customers they've been robbed without getting sued by their shareholders because the ensuing PR fallout tanks the stocks.