undefined | Better HN

0 pointstptacek13y ago0 comments

The bill supersedes privacy and communication laws, but is (a) opt-in and (b) severely limited in scope.

Specifically: CISPA provides a positive authority for sharing only "cyber threat information", which is defined in the bill: (i) information about a vulnerability, (ii) information about a confidentiality/integrity/availability threat, (iii) information about denial of service or destructive attacks, and (iv) efforts to hack into systems and exfiltrate data.

The bill incudes language that explicitly exempts the kind of stuff Aaron Swartz got caught up into: it exempts attacks that "solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.". That exclusion is repeated multiple times in the definitions section of the bill.

The bill explicitly does not cover individuals, in a fashion that the bill's authors say affirmatively prevents it from being used to allow ISPs to share individual customer records.

So: back to you. What specific state or Federal privacy measure is compromised by CISPA, and how?

0 comments

declan13y ago

Thanks for your polite response. Two thoughts: First, I'm not interested in what politicians say in defense of their bill -- I'm interested in what the actual text of the bill says.

Second, asking what specific privacy law is overruled is a bit odd because -all- of them are. ECPA, SCA, Wiretap Act, FCRA, DPPA, FERPA, PPA, RFPA, TCPA, VPPA are among them, and that's not even counting state privacy laws. Remember, CISPA is a legal wildcard. Asking your question is like asking "what specific file does rm -rf * delete?"

tptacekOP13y ago

I'm not interested in what politicians say either, except to the extent that in a court challenge, when judges look to interpret the intent behind the statute, they have a clear signal by the authors of the bill that the statute was designed to prevent the collection of personal information by ISPs. Which was why I brought that up.

Your second graf begs my question. Obviously we're both aware of the ECPA and SCA. My question was, in what way do the preemptions on those acts materially harm the public interest? Put it this way: if you think that CISPA is in direct conflict with SCA, then clearly you can imagine situations in which e.g. Facebook could collect Netflow data from a DDOS attack and then worry that they'd somehow contravene SCA by sharing the information. Doesn't that "conflict" explain the need for an act like CISPA?

I'd also note that the first three acts you cited --- obviously the three most important, because they cover the integrity of online communications in general and not with respect to any particular application domain --- already contain exemptions similar in spirit to the ones in CISPA:

* ECPA permits providers to collect and in some limited cases share information that is related to the maintenance of their own infastructure

* SCA permits collection and monitoring of stored communication by the operators of stored communication services

* The Wiretap Act allows operators to intercept and monitor signals causing disruption to networks

CISPA harmonizes collection and sharing of data in cases of direct adversarial attacks. Compared to the exceptions in (for instance) ECPA, CISPA is narrowly tailored and very specific.

Furthermore, when you point out all the laws encumbering sharing of attack information, you start to make the preemption point for me. It may already be possible to share attack information, so long as it doesn't involve raw emails, and the attack information is shared by telecom providers under the ECPA maintenance exemption. UNLESS YOU'RE AN AUTO INSURANCE COMPANY, in which case Congress helpfully (and reasonably!) enacted a specific privacy regime under DPPA, which means now simply to have Progressive push netflow records to Verizon they might have to incur $50,000 in legal review which by the time it's done the attack will be over.

Instead of repeating my original question --- how exactly does CISPA conflict with existing privacy laws in ways that harm the public interest? --- why don't I ask the question in a different framing. If we stipulate that the problem we're talking about here does exist --- that Advocate Health Care in Illinois would incur significant and unnecessary legal risk in pushing netflow DDOS information to a public clearinghouse --- what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?

Incidentally: can you do better than thanking me for a polite response? I'm not actually sure I'm being that polite anyways; I feel like I'm being blunt and direct. But on the other hand, you wrote a comment with a complicated technical question last night at 1:00AM, and when you didn't get a prompt response, you accused me of "handwaving". Can I argue now that it it's pretty obvious that neither you nor I is "handwaving", and that we've both done our homework, or at least way more homework than most CISPA commenters have done? Instead of thanking me for polite responses, could you instead just not impugn my motives or intellectual honesty again? We can then just chalk our initial static up to "message boards and politics".

PS: The worst, most crazymaking thing about CISPA debates online is that they invariably put me in the position of "CISPA advocate". I have a position in the CISPA debate: "CISPA is not evil". I think if you believe like I do that CISPA is facially benign, the way organizations like EFF are choosing to message against it starts to get disquieting. But my position does not carry into "CISPA is a great idea". A sane argument against CISPA is that it forestalls a needed reform across all online privacy bills to enable network security to function sanely. CISPA might be a bad idea. I am not a CISPA advocate. I just don't think it's overtly contrary to the public interest.

lawnchair_larry13y ago

So, I didn't really answer because I knew you were kind of baiting me with that question. Whatever I wrote, you probably knew that you were going to be able to reply with "they can already do that under ECPA" (HN has had that discussion previously and I was paying attention). So let's just fast forward all of that.

Last time around, I believe you said CISPA is one giant legislative NOP. I think you have probably revised your position on that. Someone is trying very hard to pass this, and they don't do that for no reason. There is something very important in CISPA to someone.

It sounds like at least part of the reason for it, in your interpretation, is related to legal assurances. Since you have studied both, can you provide an effective 'diff' between CISPA and ECPA, within the scope of 'cyber'?

For what it's worth, after doing some basic searching on who is backing it and what their business objectives are, I feel like it is more probable that there is not evil intent behind CISPA at this time.

The problem, as I said, and as described by EFF, is that it is vague in many key areas (I'm not going to enumerate them, it's too tedious and not relevant enough to go into specifics). Look at the CFAA. The intent there was not to nail a MAC address spoofing wget loop or a fake email submitted to a captive portal to the wall for 35 years. The intent behind the PATRIOT act, at least as far as some supporters were concerned (even though they were probably duped) was actually to fight terrorism. Both have since become wildcards for bad actors to do things that the original supporters didn't intend. We have to expect this when we write laws.

It's the same as auditing C. You know those conversations you have with those "special" clients who respond to your bug report by saying "yeah, but that is only meant to hold a username, no one is REALLY going to try and have a 2GB username"? This is the legal equivalent.

> what is the privacy-protecting language YOU would like to see in a bill that aimed to address that problem?

This is an unreasonable rebuttal. "It's not perfect, but you don't have anything better" is not how we make laws. Obviously, a journalist or a security consultant discussing something as important as this is not going to just spit out a bill that solves every problem in an HN comment.

1 more reply

j / k navigate · click thread line to collapse