One of the biggest (and most frustrating) problems with the legislative process is that the people who really want this to go through KNOW that we - "the masses" - eventually start to suffer from "protest exhaustion". They can propose a bill - we can rally our troops and get on TV and black out Wikipedia and do 100 interviews and maybe - just maybe - we can kill it.
The first time. And maybe the second time. And maybe even the third time. But after a while we're going to start to get numb to the calls-to-arms. And eventually our sometimes-well-intentioned-but-pulled-in-30-directions representatives are going to stop getting those concerned phone calls and emails from constituents, and they're going to fall prey to the typical "think of the children" argument that often gets put forward on any security bill, and something ugly is going to get passed.
I hate resigning myself to this, but it's the disappointing reality.
I worry that most of the opposition to this bill is based on FUD that EFF is spreading. Having experience actually working in the security industry and knowing the limitations that this bill is trying to address, the ability of the government and private sector to work together to keep malicious groups out of their networks, I recognize the necessity and intentions of this bill.
This isn't about spying on Americans. This isn't SOPA with a new name. This isn't about stopping piracy or spying on your Facebook profile. This bill is about letting government agencies share intelligence on network threats with private companies so those companies can protect their customers' information. None of the agencies or companies involved want to share any private information about their citizens or customers. There are lots of lawyers involved in the process to ensure that doesn't happen.
I wonder if some of that exhaustion is also what leads people to not read the bill or understand the context and just assume it's another anti-piracy bill.
Go on the offensive. Instead of just fighting to kill legislation like CISPA, lobby for legislation that will guarantee the freedom of the internet. That will unequivocally protect people's liberties on (and off) the internet.
It's not the reality; lines can be and are held. For example, drilling in ANWR has been proposed for decades and it still isn't happening, because the organizations who fight are smart about when they fire up their troops.
In addition, environmental type people are not reflexively opposed to/afraid of the federal government, so they are willing to educate themselves about the process and the issue. They learn to distinguish between issues, and when a threat is real vs. perceived.
In comparison the Internet enthusiast community seems to largely persist in the fantasy that the government should not (or cannot) have a role in the regulation of the Internet. Thus when issues do come up, they are ignorant and reactive. And they are eager for issues to go away so that they can go back to "normal" i.e. ignoring the government.
I really don't think these kinds of bills will end until there is an amendment passed expressly guaranteeing rights relating to internet (or, perhaps more broadly, network) freedom.
In fact, I doubt even that will stop these kinds of laws from being introduced. However, it will give a firm and easy foothold to dismissing them. Similarly, it will become that much easier to retroactively have them removed if they violate an amendment.
The exact text of this kind of amendment would be difficult to craft. Frankly, I'm not a lawyer; I have no idea where or how to start crafting this. However, I do fully believe this is the ultimate winning endgame for this kind of legislation.
We need a "legal hacker" a la Richard Stallman to craft something like this.
You are especially likely to become numb to calls to arms when they are in fact cries of "wolf".
SOPA was a genuinely invasive bill and a clear power grab by the content industry. It created a new special second-class "tainted" designation for content sites that refused to play ball with rightsholders and gave rightsholders new means to prosecute their rights outside of civil courts. It was understandable and --- even though I'm a supporter of copyright in general --- commendable that organized opposition to SOPA killed that bill outright.
CISPA is nothing like SOPA.
To begin with, CISPA has none of the same objectives of SOPA. It isn't about the content industry at all. In fact, when early opposition to CISPA by organizations like EFF started catching on, its sponsors scrubbed the bill of language that could have been read (in a stretch) as protecting rightsholders. CISPA is about online security attacks, not about piracy.
Next, CISPA isn't invasive. SOPA threatened to create a kangaroo court system of copyright-noncompliant sites that the content industry could starve by banning commercial transactions with them. CISPA is an opt-in bill; the USG cannot compel any organization to cooperate with any USG agency, but instead creates a facility that companies can use if they need to share attack information but don't want to spend $100,000 in ECPA-interpreting legal review each time they do it.
In fact, CISPA in practice probably has more to do with information moving FROM the USG TO private companies. The USG spends hundreds of millions of dollars a year monitoring its networks (which together constitute the largest IT organization in the world). It is true that the largest IT org in the world happens to be a shitty IT shop, but it has nevertheless built up about a decade of experience tracking malware and botnets and DOS attack information; when Blaster broke out, the experience of the Naval Marine Corp Intranet getting overrun by it was some of the first shared among ISPs. All sorts of random rules prevent USG IT shops from running any kind of central clearinghouse of attack information, and still more rules prevent any of that information from being published.
I don't particularly like CISPA. It obviously sounds like I do, but that's because the uninformed paranoia about CISPA is so virulent that any measured take on the bill sounds like cheerleading. I don't care whether CISPA passes or doesn't pass. But it drives me a little bananas to see how easily the ostensibly curious and well-informed people on HN are bamboozled by identity politics on issues like this.
I'm envisioning a web dashboard that lets federal agents do fuzzy queries on individuals, to see all the sites visited, emails sent, web searches, browsing habits, etc, from all the IP addresses used by the given individual in the past several years. The system would aggregate information gathered from ISPs and web companies. The government can already get anything they want from an ISP or web company, but they have to do it on a case by case basis and it is probably annoying to correlate information across sources. In the future, I imagine that a federal agent can go to his big brother dashboard, type in a name, and have immediate access to all sorts of information gathered from credit card companies, search providers, ISPs, telecoms.
I would bet, at least for the NSA and probably the FBI, this already exists. It just isn't quite as real-time as they would like it to be. Instead of the instant fuzzy-search, it's a couple of quick letters, but the oversight seems to be about the same.
Don't forget an "add person to cyber threat watchlist" button!
It should automatically advise internet services that a person/account may be trouble, thus granting those private companies the blanket "exemption from liability... for decisions made based on cyber threat information identified, obtained, or shared under this [law]." (That's one of the most concerning vague and elastic provisions in the current proposed bill text.)
There should also be a 'redress number' subsystem, for when people on the watchlist start noticing their accounts being restricted or disabled, and want to make the case they're not the bad guy the agent who pressed the button thought they were.
Just tell the gun lobby that if any of the Gun Shops keep an online database of their customers that's subject to the law. No need to worry about a national gun registry, the GOV gets it for free. Get the NRA involved and ALL OF CONGRESS will run screaming about how this goes against the 2nd Amendment.
This actually would work. I think the general public either (a) doesn't know about this law at all or (b) doesn't think it will interfere with their daily activities. Getting other big organizations who value privacy would help solve both problems. I think that anyone who begins to understand the law will be opposed to it.
As a wise man pointed out on HN the last time around, we haven't won when this law fails to pass. We've only won when a law explicitly stating the opposite passes.
So what you're saying is, the best possible thing to happen would be a law specifically preventing any American company from relaying threat information --- packet captures of exploits, netflow traffic profiles of botnets, &c --- to the US government, and, further, preventing any agency in the USG from providing traffic capture information, packet filter information, or botnet identification information to private companies.
I am never more reminded of how smart people can succumb to groupthink than I am when I read HN posts about CISPA. There are a lot of misconceptions about the law, including what kind of data gets shared (only relevant threat data, this isn't your bank account info, and the RIAA can't sue you if shared data reveals you to be torrenting movies - can elaborate more on this if there's interest), who does the sharing (orgs share to the government voluntarily), who has access to the sharing (government and people the government decide to share the data with), etc.
I saw an infographic a little while back that I thought made a pretty good representation of what the bill actually proposes; I wonder if anyone has a link available to it.
I suppose I would ask what privacy-protecting language would make the approach envisioned in CISPA (cyber threat data sharing) acceptable to privacy-oriented organizations like the ones listed. If the answer is "none," I would question their good faith in the process--or at least the public face they put on it.
This "CISPA is the next SOPA" meme is about as fact-based as "Electronic Arts is literally Hitler." I'm not telling you it's good or bad, but it's not remotely SOPA. It isn't even addressing the same general topic as SOPA.
nlh|13 years ago
What to do?
daten|13 years ago
ori_b|13 years ago
snowwrestler|13 years ago
unix-dude|13 years ago
tptacek|13 years ago
It's a tiny bill, as bills go. Just go read it.
pasbesoin|13 years ago
Perhaps I'll be "throwing my vote away". Nonetheless, next time around, I'll be choosing from amongst the other choices.
For the Federal elections, it's early enough in the cycle that if people start doing this en masse, it might have some real influence.
Cieplak|13 years ago
http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...
rayiner|13 years ago
SoftwareMaven|13 years ago
gojomo|13 years ago
ericjeepn|13 years ago
crisnoble|13 years ago
diminoten|13 years ago
TallGuyShort|13 years ago
tptacek|13 years ago
mtgx|13 years ago
https://www.techdirt.com/articles/20130311/16221022286/white...
diminoten|13 years ago
Wingman4l7|13 years ago
tocomment|13 years ago
[1] http://internetdefenseleague.org/
snowwrestler|13 years ago
halviti|13 years ago
http://thebestpageintheuniverse.net/c.cgi?u=pass_sopa
chc|13 years ago
diminoten|13 years ago