Hacker News

Can you tell a short story about how some specific piece of information this person shares with a US site winds up shared with the USG?


Can you tell a short story about how the legally-binding privacy protections in this bill work, that would prevent sharing with the government without a warrant?

The onus is not on the opposition to this bill to explain how privacy will go wrong, it is on the supporters since it is a new law with vague language and far-reaching potential consequences.

Also, having privacy amendments shot down or not brought to vote doesn't make CISPA seem very democratic.


The whole point of the bill is to facilitate the sharing of a limited set of operational network security data without warrants or court orders, so it is very difficult to respond to your question.


Nothing about the bill suggests it will be limited to operational network security data, so you should stop spreading this untruth. In fact, it's pretty obvious that it won't be just netflows.

(For those following who don't know what a netflow is, it doesn't contain payload data. It's more or less headers and statistics. Nothing about CISPA attempts to limit information to netflows only.)
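As an added illustration of the netflow aside above (not part of the thread, and not code from any commenter), the following script collapses a small constructed packet capture into NetFlow-style flow records. Everything in it is constructed sample data: the IP addresses, the HTTP and DNS payloads, and the byte lengths. The point it demonstrates is structural: a flow record keeps the 5-tuple, timestamps and counters, and the application payload that a full packet capture would carry never makes it into the exported record.

```python
"""Aggregate constructed packet records into NetFlow-style flow records.

Added example for this thread, not code from the bill or the commenters.
The packet list is constructed sample data, not a real capture.
"""
from dataclasses import dataclass, asdict
import json
from typing import Dict, List, Tuple


@dataclass
class Packet:
    """A packet as a full-packet capture (pcap) would hold it."""
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    ip_len: int      # total IP datagram length in bytes, headers included
    payload: bytes   # application data: present in a pcap, never in a flow record


@dataclass
class FlowRecord:
    """NetFlow-style unidirectional flow: 5-tuple plus counters and timestamps."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


FlowKey = Tuple[str, str, int, int, str]


def flow_key(p: Packet) -> FlowKey:
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)


def aggregate_flows(packets: List[Packet]) -> Dict[FlowKey, FlowRecord]:
    """Collapse packets into flows. Only header fields and counters survive."""
    flows: Dict[FlowKey, FlowRecord] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        rec = flows.get(k)
        if rec is None:
            rec = FlowRecord(*k, first_seen=p.ts, last_seen=p.ts)
            flows[k] = rec
        rec.packets += 1
        rec.octets += p.ip_len    # a byte *count* only; p.payload is never copied
        rec.last_seen = p.ts
    return flows


def export_flows(flows: Dict[FlowKey, FlowRecord]) -> str:
    """Serialise the flow table the way a collector would store or share it."""
    return json.dumps([asdict(r) for r in flows.values()], sort_keys=True)


# Constructed sample capture: an HTTPS session and a DNS lookup. The payload
# strings stand in for the application data a full capture would retain.
SAMPLE_PACKETS = [
    Packet(1.00, "10.0.0.5", "198.51.100.10", 52344, 443, "tcp", 60, b""),
    Packet(1.01, "198.51.100.10", "10.0.0.5", 443, 52344, "tcp", 60, b""),
    Packet(1.02, "10.0.0.5", "198.51.100.10", 52344, 443, "tcp", 512,
           b"GET /patient/records HTTP/1.1\r\nCookie: session=SECRET-COOKIE\r\n"),
    Packet(1.05, "198.51.100.10", "10.0.0.5", 443, 52344, "tcp", 1400,
           b"HTTP/1.1 200 OK\r\n\r\n{\"diagnosis\": \"CONFIDENTIAL\"}"),
    Packet(0.90, "10.0.0.5", "192.0.2.53", 40000, 53, "udp", 64,
           b"\x12\x34 query example.test"),
]


def payload_leaks_into_export(packets: List[Packet]) -> bool:
    """True if any payload bytes from the capture appear in the flow export."""
    exported = export_flows(aggregate_flows(packets))
    return any(p.payload and p.payload.decode("latin-1") in exported
               for p in packets)


if __name__ == "__main__":
    for rec in aggregate_flows(SAMPLE_PACKETS).values():
        print(rec)
    print("payload in export:", payload_leaks_into_export(SAMPLE_PACKETS))
```

Running it prints three flow records (client to server, server to client, and the DNS query) and `payload in export: False`; the cookie and the JSON body exist only in the `Packet` objects, which is exactly the distinction between "headers and statistics" and payload data that the comment draws.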


I don't think it's very honest of you to suggest that I'm claiming CISPA only covers Netflow information. I use Netflow as an example of the kind of benign information that is difficult to share today, and would be easier to share under CISPA. I've explicitly described scenarios that could include message payloads on these threads, and I know you've read those messages because you've replied to them.


So the whole "directly related to a cyber threat" thing doesn't limit the data that can be shared in any way?

I wish this bill were more focused on network security events and didn't have any language in it to deal with stuff like cyberbullying, but I'm glad it's moving forward.

Worst case scenario we find it in the Supreme Court where it gets narrowed to be more like what it should have been written as. Happens all the time, we're not going to wake up to a dystopian future with silent arrests and "we have always been at (cyber) war with Eastasia!" the day this passes.


But, a simple call to followTheMoney(Players, Amounts) will give you a pretty clear understanding.

Note also that "limited" in governmental terms is about sigma shy of "all."


Company holds Bob's health records on their servers, and also some of his emails. Company forwards health records along with emails to the USG, even though emails were only what was requested by the USG. Company cannot be held liable for HIPAA violation.

IANAL.


CISPA allows only for the sharing of "cyber threat intelligence", which is defined as:

(i) A vulnerability

(ii) A threat to the integrity, confidentiality, or availability of a system or network or any info stored or transiting one

(iii) Efforts to deny access

(iv) Efforts to gain unauthorized access (with the exception that violations of consumer terms of service are not covered by CISPA)

Help me understand the scenario in which anyone would push health records in response to any of these 4 scenarios?


This is incorrect in two ways.

1. Cyber threat intelligence is defined as information pertaining to the things you listed. That is much broader than your definition. For example, sharing information pertaining to a vulnerability is much broader than sharing the vulnerability itself, since the latter only includes e.g. the code that results in the vulnerability, whereas the former also includes any customer data directly related to it.

2. CISPA does not just grant immunity for the sharing of "cyber threat intelligence". It grants immunity for anything that is shared as such "in good faith". So in reality, it can include anything, as long as it was shared "in good faith". I quote: "EXEMPTION FROM LIABILITY.—No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith— ‘‘(A) for using cybersecurity systems or sharing information in accordance with this section; or ‘‘(B) for decisions made based on cyber threat information identified, obtained, or shared under this section."

As you can see, the set of things you get immunity for is extremely broad. Far broader than you describe.

Furthermore, this bill puts no oversight in place that even checks that things were shared according to these (extremely broad) rules. And people have no way of knowing what information about them has been shared. So warfangle's scenario is very conceivable. For example, if a company thinks you have in some way triggered a vulnerability (accidentally, or through a programming error on their side, or you didn't trigger anything at all but they just think that you have ("in good faith"), doesn't matter), some lazy chap can just dump the database with all data related to your user ID and send that over as long as it is his private opinion that it is information "pertaining to a vulnerability". Not only is that perfectly OK according to this bill, but you'll also have no way of knowing that that happened, and there is nobody evaluating if sharing all that data was actually OK or not.


Apart from the "good faith" thing, which I've mentioned repeatedly on this thread and others, all you've done here is expanded the "vulnerability" clause.


Absolutely. Thing is that those two "buts" greatly expand the scenarios of information sharing relative to what you wrote. If you would have written your comment like this:

""" CISPA allows for the sharing of information that the company doing the sharing can "in good faith" believe to be "cyber threat intelligence", which is defined as:

(i) Information pertaining to a vulnerability

(ii) Information pertaining to a threat to the integrity, confidentiality, or availability of a system or network or any info stored or transiting one

(iii) Information pertaining to efforts to deny access

(iv) Information pertaining to efforts to gain unauthorized access (with the exception that violations of consumer terms of service are not covered by CISPA)

So indeed your scenario of sharing health records may be a valid concern."""

Then I would have wholeheartedly agreed with it.


And what kind of judicial oversight?

Meant to say "accidentally" w.r.t. health records.


The whole point of the bill is to enable real-time operational network security information. You can get a court order to share data today.


So.... if some of said data was not actually necessary for network security, I'm SOL?

Yeah. I'm not down with that. 4th amendment and all that.


>Efforts to gain unauthorized access

So basically anything goes as per the CFAA definition of "unauthorized access"? weev got thrown into jail for it, and all he did was increment a number in a URL.


No. See 1104(4)(B).


I am no expert on the matter, but I believe what this does is pave the pre-approval for something that has long been in place: Echelon.

Basically the government had previously stated that capturing of any electronic information and storing it is not the same as wire-tapping/reviewing the information.

They can capture and record whatever they want and should they at a later date want to look at anything you did, they can get the warrant and look at this historical info.

With CISPA -- the legal process for doing any of this is now far easier for them.

(please correct me if this is not true)


CISPA doesn't revoke ECPA or SCA. It overrides them, purportedly for the sole purpose of enabling the sharing of operational network security information, in roughly two scenarios: discovery/dissemination of new vulnerabilities, and ongoing incidents.


Why do you continue to say "operational network information", when (A) that clearly isn't the case and (B) the whole bill doesn't even mention the word "operational" once? (Nor does it mention "network information", for that matter.)

Why not simply say what the bill says:

"The term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity."

This way people can decide for themselves what could be the possible interpretations of that which a lawyer could successfully defend to be "in good faith" -- which is all that the bill requires. I would be surprised if anybody would come to the conclusion that the only defensible interpretation of that is "operational network information".


What version of this bill are you quoting from where that is the definition given of "cyber threat information"? URL? I'm looking at the current version on the House Subcommittee site, and that is not the definition, or even the language for that one clause of the definition.


Sorry, you're right, I clicked the older version, my bad. The current version is: [1]

‘‘(A) IN GENERAL.—The term ‘cyber threat information’ means information directly pertaining to— ‘‘(i) a vulnerability of a system or network of a government or private entity; ‘‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network; ‘‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or ‘‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.

So the actual meaning hasn't changed much. Because this only clarifies the threats/vulnerabilities/evil efforts and not the information about such threats/vulnerabilities/evil efforts that can be shared, my point applies equally well to this wording. This version of the bill also still has no mention of "operational" or "network information".

[1] http://intelligence.house.gov/sites/intelligence.house.gov/f...

Just to make sure, is that the version you're reading too, or do I still have the wrong one?


Yes, although you've left out the "Exclusion" for terms of use and license contracts.

I do not think your point stands with this definition. You're right that I used a shorthand rather than copying that exact language from the bill into yet another comment, as a cursory Google search will tell you that I've done repeatedly. There was no way the bill was going to use the term "operational network security data", because that term is even more vague than the bill's definition.

A more productive thing for you to debate, other than semantics, would be how this specific definition --- which is far more complete than anything else in the US Code, unless you'd like to correct me on that --- should be tightened.


For lawyers, "operational network data" is probably vague, but for the technical readers on HN I think it is clear that this is much more restricted than what is actually allowed by the bill. For example, operational network data contains perhaps access logs & HTTP headers, but it does not include, say, your emails. For this bill, however, there are many conceivable situations under which it would grant immunity for the sharing of your emails. So for the HN audience "operational network data" does not adequately cover the bill, and furthermore the things that "operational network data" does not include are exactly the kind of private information that people are most worried about.

If it was up to me then I would certainly first change other aspects of the bill which are far worse than this definition, but as far as this particular definition goes, I would limit the information that can be shared to the information that can reasonably lead to the solution of the problem (fixing vulnerability / removing threat / stopping evil efforts) not "information pertaining to the vulnerability / threat / efforts". It may well turn out that in court that is already how this will be interpreted, but the problem is that this wording does not make that clear at all. And in a legal case where it has to be decided whether a company gets immunity for a particular piece of information that was shared, "reasonably" should be determined by an external technical expert, and not according to the private opinions of the person who shared the information.
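The comment above proposes two things a sharing regime could require: share only the fields that can reasonably help fix the vulnerability or stop the activity, and have an independent party able to check after the fact what was actually shared. The script below is an added example of how an operator could enforce both inside their own pipeline; it is not code from the bill, from any commenter, or from any real product. The incident record, the allowlist of shareable fields, and the timestamps are all constructed for illustration.

```python
"""Minimise an internal incident record before sharing it, and log what left.

Added example for this thread. The record, the allowlist and the timestamp
are constructed illustrations, not anything the bill or a commenter specified.
"""
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Allowlist: flattened field name -> why it can reasonably help fix the
# vulnerability or stop the activity. Anything not listed here is withheld,
# so customer content (mail, records) never leaves by default.
SHAREABLE_FIELDS = {
    "indicator.src_ip": "source of the hostile traffic",
    "indicator.first_seen": "timing of the activity",
    "indicator.request_path": "the request that triggered the vulnerability",
    "indicator.user_agent": "tooling fingerprint",
    "vulnerability.cwe": "class of weakness",
    "vulnerability.component": "affected software",
}

# Constructed internal record: what a support or security tool might hold
# after an incident, before anyone decides what to pass on.
INCIDENT = {
    "indicator": {
        "src_ip": "203.0.113.7",
        "first_seen": "2013-04-18T03:14:00Z",
        "request_path": "/api/export?id=1337",
        "user_agent": "curl/7.29",
    },
    "vulnerability": {"cwe": "CWE-639", "component": "export-service 2.1"},
    "customer": {
        "user_id": 1337,
        "email_bodies": ["Hi doc, about my results..."],
        "health_records": {"diagnosis": "CONFIDENTIAL"},
    },
}


def flatten(d: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts into dotted keys so the allowlist can name leaves."""
    out: Dict[str, Any] = {}
    for k, v in d.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(flatten(v, key + "."))
        else:
            out[key] = v
    return out


def minimise(record: Dict[str, Any], allow: Dict[str, str],
             now: str) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Return (shareable subset, audit entry).

    The audit entry names the fields shared and withheld (names only, never
    the withheld values) and carries a hash of the exact shared payload, so an
    external reviewer can later confirm what was sent without re-reading the
    customer data that was held back.
    """
    flat = flatten(record)
    shared = {k: v for k, v in flat.items() if k in allow}
    withheld = sorted(k for k in flat if k not in allow)
    canonical = json.dumps(shared, sort_keys=True).encode()
    audit = {
        "ts": now,
        "shared_fields": sorted(shared),
        "shared_reasons": {k: allow[k] for k in sorted(shared)},
        "withheld_fields": withheld,
        "payload_sha256": hashlib.sha256(canonical).hexdigest(),
    }
    return shared, audit


def verify_audit(shared: Dict[str, Any], audit: Dict[str, Any]) -> bool:
    """Reviewer-side check: does the shared payload match the logged hash?"""
    canonical = json.dumps(shared, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest() == audit["payload_sha256"]


if __name__ == "__main__":
    shared, audit = minimise(INCIDENT, SHAREABLE_FIELDS, "2013-04-18T04:00:00Z")
    print("shared:  ", json.dumps(shared, indent=2))
    print("audit:   ", json.dumps(audit, indent=2))
    print("verified:", verify_audit(shared, audit))
```

Note that the shared `request_path` still carries the identifier of the affected record, because it is the request that triggered the flaw; that is the kind of judgement call the comment wants an external technical expert, rather than the sharer alone, to be able to review, and the audit entry gives that reviewer the field list and a hash to check against.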


Can you do an explain like I'm five on this thing? (Plus echelon)?


Yeah but it may take me a bit because I'm commenting in between Ansible runs. You may find a good way to get me to write a canonical summary is to make a bunch of egregiously false statements about the bill. :)


Hehe, "purportedly"


I literally write this way because of you. You should feel free to fill in my blanks.




