xkcd

[Ghostbear]

Let's assume TSA is 0% effective. Doesn't matter. The efficacy of a program has nothing to do with whether or not it's unreasonable.

I disagree. If you do something with the expected positive result of "not a damn thing", then it is unreasonable; it is not guided by or based on good sense.

No. The court has straight up rejected what you're saying (that everything can be speech.) First the easy thing: Not all speech is protected. If for some reason murder could be speech, it would fall under unprotected speech like obscenity or fighting words, and the only restriction there is rational basis review. Pretty much nothing ever fails rational basis review. (Latest I can think of is Perry vs. Schwarzenegger, in which the district court decided that Proposition 8 did not meet rational basis review, although that was irrelevant as he also held that Prop 8 should be tested on strict scrutiny.)

Secondly, speech must meet the following criteria: It must carry a message, and it must be a message that could be understood by others. Good luck arguing that flying on a plane is speech.

You're missing the point of that section. I specifically pointed out that just because you can make something speech doesn't make it protected -- the example of murder was meant to go with that, because it is very clearly not protected. Anything can be speech. That doesn't mean that anything can be protected speech, nor does it mean that any of those things that can be speech would default to being speech. You're essentially agreeing with the point I was making: flying on a plane or wearing a hat are not always acts of speech (I would argue they are rarely acts of speech, typically being done for their practical purposes).

I was making that point to show that sourmilk's response of "I think clothing probably counts as protected speech" doesn't answer the question of "where am I granted the right to wear hats but not fly on planes?". We're never explicitly granted the right to either.

[Panonadin]

Unreasonable search and seizure.

Exactly zero terror attacks have been stopped by the methods employed by the TSA. What exactly is the justification there again?

Are you saying that the methods employed by the TSA have had no positive effect at all? Or just that they haven't caught anyone while doing a pat down/invasive search?

In my opinion they have to at least have stopped an attack through deterrence. Of course that isn't fact. It's just that an attacker, if one existed would probably look for another route of attack if he/she knew they have a .01% chance of making on the plane and a 99.09% chance of being detained in gitmo and tortured for the rest of their lives.

[sourmìlk]

I was making that point to show that sourmilk's response of "I think clothing probably counts as protected speech" doesn't answer the question of "where am I granted the right to wear hats but not fly on planes?". We're never explicitly granted the right to either.

I know we're not explicitly granted the right to either. I'm pretty sure I specifically said that.

[Ghostbear]

I know we're not explicitly granted the right to either. I'm pretty sure I specifically said that.

Nope, you didn't say it at all in this thread.

You did, however, specifically say that wearing a hat "probably" is a right while flying on a plane isn't. I've been asking you to back that argument up, and your only responses to that so far have been to point to the 1st amendment.

[omgryebread]

I disagree. If you do something with the expected positive result of "not a damn thing", then it is unreasonable; it is not guided by or based on good sense.

The Supreme Court doesn't use the Oxford dictionary to decide what words in the constitution mean. Futhermore, they cannot and should not examine the practical effect of each law. Your interpretation makes them a legislative branch, and by far the strongest part of government. Every government action would be subject to review by the Court where they could reject it if they thought it was a bad law. The health care law wouldn't be judged on whether or not it's constitutional, but on whether or not the justices like it. Same with every single other law.

You're missing the point of that section. I specifically pointed out that just because you can make something speech doesn't make it protected -- the example of murder was meant to go with that, because it is very clearly not protected. Anything can be speech. That doesn't mean that anything can be protected speech, nor does it mean that any of those things that can be speech would default to being speech. You're essentially agreeing with the point I was making: flying on a plane or wearing a hat are not always acts of speech (I would argue they are rarely acts of speech, typically being done for their practical purposes).

I was making that point to show that sourmilk's response of "I think clothing probably counts as protected speech" doesn't answer the question of "where am I granted the right to wear hats but not fly on planes?". We're never explicitly granted the right to either.

Protected: Wearing a hat that says "Vote for Bob" (fully protected speech)
Also protected: Wearing a hat that says "marijuana is cool!" (fully protected speech)
Kind of protected: Wearing a hat that says "Coca-Cola" (commercial speech is not fully protected, falls under intermediate scrutiny)
Not Protected: Wearing a hat that says "Kill the Jews!" (speech, but it's incitement, government action is only limited by a rational basis test)
Not Protected: Wearing a hat that says nothing (not speech)
Not Protected: wearing a hat that says "colorless green ideas sleep furiously" (not a message that could be understood by others)
Not Protected: Flying (not a message, or certainly not a message that could be understood by others)

So in some cases, you have the right to wear a hat. Specifically in the first and second cases above, and a less protected right in the third. I'll grant that it's not a right to wear a hat, but a right to express yourself (by wearing a hat). That's a key difference.

[Ghostbear]

The Supreme Court doesn't use the Oxford dictionary to decide what words in the constitution mean. Futhermore, they cannot and should not examine the practical effect of each law. Your interpretation makes them a legislative branch, and by far the strongest part of government. Every government action would be subject to review by the Court where they could reject it if they thought it was a bad law. The health care law wouldn't be judged on whether or not it's constitutional, but on whether or not the justices like it. Same with every single other law.

No, they probably don't use the OED, but they're going to pay attention to what the words mean, and that is one of the definitions of unreasonable. They would have to determine if that definition applies, but if they decide it does, then noting that the TSA accomplishes nothing would be part of their judicial review, because they would need to determine whether or not the search is unreasonable, and the expected effectiveness of would factor into that. This would not apply to all laws however. To use the ACA example, the effectiveness of the law would not come up, because the commerce clause, which the argument around it is mostly based around, states "[The Congress shall have Power] To regulate Commerce with foreign Nations, and among the several States, and with the Indian tribes;". It does not state "to regulate effective commerce" or "to properly regulate" or in some way imply or require efficacy. The definition of unreasonable, however, can include it.

So in some cases, you have the right to wear a hat. Specifically in the first and second cases above, and a less protected right in the third. I'll grant that it's not a right to wear a hat, but a right to express yourself (by wearing a hat). That's a key difference.

Exactly my point.

[nitePhyyre]

Isn't the question "is this constitutional?" a red herring compared to the question "is this a good thing?"

Well, yes. But it seems the US government is aiming for bad laws. That's why everyone jumps straight into constitutional questions.

[sourmìlk]

Particularly because I don't think anybody here is going to contest that it's a bad law. If that were the question being discussed, everybody would just say "Yep, that law sucks" and the thread would close.

[FrancisDrake]

I think this article by Wired goes along nicely with this conversation.
http://www.wired.com/threatlevel/2012/0 ... nter/all/1

[Amie]

Facebook has signed its support. Wow.

[sourmìlk]

Why? With SOPA, there was pretty much unanimous opposition from internet companies. What changed?

[Ghostbear]

Why wouldn't companies like Facebook love this bill? It removes any liabilities from them for sharing information with the government. It gives more power to those companies while lowering their legal (and through that, financial) risks. What is there for them to not like about it from a business standpoint?

Facebook isn't on "our" side, and never has been; their shit privacy policies should be example enough of why they wouldn't care about a law that is bad for privacy.

[kiklion]

Why wouldn't companies like Facebook love this bill? It removes any liabilities from them for sharing information with the government. It gives more power to those companies while lowering their legal (and through that, financial) risks. What is there for them to not like about it from a business standpoint?

Facebook isn't on "our" side, and never has been; their shit privacy policies should be example enough of why they wouldn't care about a law that is bad for privacy.

Two issues, first, from their experience with those shit privacy policies, they know their users care about privacy and don't want to strip the privacy too much too fast. They know they need to do it a little at a time.

Secondly, if the bill would force companies to proactively censor it would drastically increase operational costs and reduce people's ability to use the product. It is unfeasible for a company to be able to proactively censor all user generated posts without a massive amount of labor, or a large false positive rate.

[Ghostbear]

Two issues, first, from their experience with those shit privacy policies, they know their users care about privacy and don't want to strip the privacy too much too fast. They know they need to do it a little at a time.

No, they've learned that if they have one of the worst privacy reputations around, that they'll still be wildly successful, as seen in this graph:

What they've learned is that people love making noise about being annoyed about their poor privacy protections, but that people aren't willing to stop using their site. Since, for Facebook (and Google as well) the user is not the customer, but the product for advertisers, they aren't really hurt at all.

Secondly, if the bill would force companies to proactively censor it would drastically increase operational costs and reduce people's ability to use the product. It is unfeasible for a company to be able to proactively censor all user generated posts without a massive amount of labor, or a large false positive rate.

I haven't seen anything about forced censorship, only the power to censor if they want to, in the name of security. Just going by the EFF link provided earlier in the thread, this bill, from the perspective of tech companies, isn't SOPA 2.0, but closer to an apology for SOPA; it's a giant goodies bag for the companies. They aren't being fucked over by this, it's the users, the public at large, that would get fucked over by it. We have every reason to hate it, but Facebook and friends have every reason to not hate it, because it helps them.

[KnightExemplar]

I'll have to read into the details of this bill (unlike SOPA, I haven't read this bill yet).

But on the surface, this doesn't look anything like SOPA. I'd compare CISPA to the Patriot Act actually. Whereas SOPA was a clear power-grab on behalf of the entertainment industry to get more control over content they've created.... CISPA is looking more like your typical a defense bill that may be eroding our 4th Amendment rights..

Unlike SOPA, CISPA has been written with the tech industry in mind. I don't see anything that would make Google or Facebook cower in fear over this bill. After all, they already collect a ton of information. (ex: Google advertisements are based off of the contents of your gmail emails and viewing history in youtube). If Google is collecting all that information anyway, the government seems to want a piece of that pie... with appropriate legal rewards. (Google wouldn't be held liable for the information they gave to the government)

SOPA on the other hand would have made internet companies (especially search engines) directly responsible for the links that they had. The government would force (through SOPA) google to change its search results to censor... I mean better protect copyright. But ultimately, there was a big reason for Google to attack SOPA: it would have made google more expensive to run.

I really don't see why people compare the two bills at all. They're completely different concepts. And as far as what costs money... SOPA would have put burdens on internet companies. CISPA on the other hand removes any legal burden from internet companies from any litigation that would result from this bill.

[Randomizer]

Here's a good, short video summary of the bill: http://www.youtube.com/watch?v=xLjj6RD6-MI

There's supposed to be a vote on it the week of the 23rd, so contact your reps TODAY!

From Rep David Schweikert's twitter account @RepDavid:

Like #SOPA, I cannot support #CISPA because of lack of government accountability for individual protection. #AZ05 #azright

the Ronpaul speaking up against CISPA. You can listen Dr. Paul speak about this on your telephone toll-free as well at 1-888-322-1414 (the message changes weekly every Monday. The CISPA message is for the week of April 23rd). The text of the talk is here.

[Panonadin]

Wait ..... what ?


http://www.wired.com/threatlevel/2012/0 ... ses-cispa/
Please add a description of what's behind the link

Sorry, it was in the hyperlink on my screen so I just left it.

The above link is a report saying apparently CISPA passed. So, what the hell?

Also http://www.forbes.com/sites/kashmirhill ... out-cispa/

The above is a link to an article that says they don't even need SOPA/CISPA by using a "legal workaround". Shits getting a little out of hand.

[Iulus Cofield]

It only passed in the House. It still has to pass the Senate and apparently Obama has threatened to veto it, so it needs a two thirds majority in both houses to pass. The House vote wasn't a two thirds majority, so it's unlikely that, in case of a veto, a revote would override it.

[Ghostbear]

[...] and apparently Obama has threatened to veto it [...]

It's only a half-hearted threat though. What was actually said was "my advisers would suggest vetoing it". It's a veto threat, but it's the kind that's easily backed down from. If the republicans can win the messaging war on it, I suspect he'll cave. If they don't, I suspect he'll stand his ground. Though a lot of that also depends on what the senate does -- they have their own cyber security bill in the works that (as far as I can tell) doesn't piss all over our privacy. If they abandon that and pass CISPA, Obama will be in a poor spot for to veto it, but his veto threat also gives them a lot of grounds to not even bother giving CISPA floor time, since it'd be a "waste of time" if it's going to be vetoed anyway.

What amazes me, is that after I did some more looking at CISPA.. it doesn't actually seem to accomplish the goals often used in the messaging war over it -- I'm not sure it really accomplishes anything for protecting anything important from cyber-attacks. Or anything unimportant either. It just gives companies more power to tell us to go fuck ourselves.

[Randomizer]

This video has an AT&T guy basically telling congress that he can't see what a government agency could tell them to make security better that they aren't already doing. Really, congress isn't very good with computers anyway - I certainly wouldn't want some noob trying to act like they know better than the IT guys at how to prevent websites from getting hacked. They should stay out of this.

Obama threatened to veto the NDAA, but he signed it anyway. There's a petition asking Obama to veto CISPA, but I wouldn't rely on Obama following through.

I think the best way to kill the bill in the Senate is to hold the Representatives who voted for this bill responsible for their actions:

Here's Mike Roger's home page. Here's the home page of his opponent, Lance Enderle. Here's Michigan's voter website. I don't know if there's anyone else running against Mike, or if there's a Primary election for him to lose before the general election (if there is, let me know), but this is what I've got.

Besides that, reddit has a comprehensive list of information on CISPA and how to fight it here, as well as round two: the Senate fight with three related cyber bills here. There's a website set up where you can easily call your congressmen from your computer so you don't have to pay long distance, which is cool.

Also, check out imageshack - they've got an anti-CISPA banner up. =O

[KnightExemplar]

Alrighty... analysis time. Now this analysis is about the bill as it passed the House. There are a number of limitations that were added to the bill, including the restriction on "affirmative search", which definitely protects our privacy.

http://www.govtrack.us/congress/bills/112/hr3523/text

The above is the bill as it passed the House. Frankly, I'm surprised this isn't happening already. I've personally been operating as if this bill has always existed: actions you do online are tracked by various companies. Even if this bill weren't passed, companies have been collaborating with the Feds for years.

Don't yall remember? The NSA was brought into the Google hacks as well as the Nasdaq hacks. And when Anonymous was doing their thing two years back, 35 Arrest Warrents were issued by the FBI.

How do you think the FBI got that information? They asked companies to give them IP logs and other such information... BEFORE they got warrants obviously.

-----------------

What the bill does is grease the wheels a bit so that companies are encouraged to share such data with the government. But ultimately, I'm of the opinion that this is already happening. Companies still have the right to refuse to give information out.

‘(5) NO LIABILITY FOR NON-PARTICIPATION- Nothing in this section shall be construed to subject a protected entity, self-protected entity, cyber security provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, to liability for choosing not to engage in the voluntary activities authorized under this section.

I'm not sure if we got better privacy from this, but there are now clearer limitations on these "powers". For example:

‘(c) Federal Government Use of Information-

‘(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)--

‘(A) for cybersecurity purposes;

‘(B) for the investigation and prosecution of cybersecurity crimes;

‘(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;

‘(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or

‘(E) to protect the national security of the United States.

‘(2) AFFIRMATIVE SEARCH RESTRICTION- The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1)(B).

I should note. The Affirmative Search Restriction is one of the privacy protections that were pushed onto this bill right before it passed the house. I don't fully understand what it means however

‘(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--

‘(A) require a private-sector entity to share information with the Federal Government; or

‘(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.

‘(4) PROTECTION OF SENSITIVE PERSONAL DOCUMENTS- The Federal Government may not use the following information, containing information that identifies a person, shared with the Federal Government in accordance with subsection (b):

‘(A) Library circulation records.

‘(B) Library patron lists.

‘(C) Book sales records.

‘(D) Book customer lists.

‘(E) Firearms sales records.

‘(F) Tax return records.

‘(G) Educational records.

‘(H) Medical records.

‘(5) NOTIFICATION OF NON-CYBER THREAT INFORMATION- If a department or agency of the Federal Government receiving information pursuant to subsection (b)(1) determines that such information is not cyber threat information, such department or agency shall notify the entity or provider sharing such information pursuant to subsection (b)(1).

‘(6) RETENTION AND USE OF CYBER THREAT INFORMATION- No department or agency of the Federal Government shall retain or use information shared pursuant to subsection (b)(1) for any use other than a use permitted under subsection (c)(1).

‘(7) PROTECTION OF INDIVIDUAL INFORMATION- The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.

More important than whats listed here is what is NOT listed here. The Government cannot use the powers in the bill to look for petty theft (unless the theft happened online). Outside of child pornography, potential death / serious bodily harm, "cybersecurity", and "national security" the powers contained in this bill cannot be used.

I admit, this is vague here. Its important for the "limits" to be well defined. IMO, I think I'd be fine with the bill if "cybersecurity" were defined better, and if "national security" were removed. But if shady people walked up to Google and said "give me information because of NATIONAL SECURITY", I can practically guarantee you that Google will give up the information freely. Its the culture of our society: we trust the higher-ups with information.

I'm not necessarily saying its right, but its how this country works. And the fact that we've got a law that reflects reality is a good thing IMO. (Even if reality isn't something that you necessarily agree with)

Anyway, I'd like to know what everyone's thoughts are on the limitations above. Where do you think they go wrong? IMO, I'd rather have a bill like this pass that formalizes the relationship between the Government and Companies. I honestly think this stuff is already going on, and its better to know what the limits are.

ATM, I don't see whats so bad about this bill actually... (Actually, I can see where companies can hide behind a veil of anonymity if they gave up information like this. IE: If this bill passes... I don't think the FBI has to say "Google has given us this information". The FBI probably can say "A Large Internet Company has given us this information, and the identity of this company is protected by CISPA". True, it reduces liability and encourages companies to share information with the Government. But in the majority of cases, I don't think this would make a difference)

EDIT: Actually, I found the definition for Cybersecurity thingies.

‘(4) CYBER THREAT INFORMATION-

‘(A) IN GENERAL- The term ‘cyber threat information’ means information directly pertaining to--

‘(i) a vulnerability of a system or network of a government or private entity;

‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;

‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or

‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.

‘(B) EXCLUSION- Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.

So Cybersecurity threats actually seem reasonably defined to me. I agree with the definition, there seem to be some good restraints (see limitations section), and the entire bill is voluntary. (no one is forcing anyone to do anything).

Is it really that bad? Like SOPA, I'm sure the devil is in the details. But upon my initial analysis, I really don't see the major privacy concerns that everyone is talking about. (at least... when compared to the status quo. IE: whats already being done without this bill)

[addams]

I think this article by Wired goes along nicely with this conversation.
http://www.wired.com/threatlevel/2012/0 ... nter/all/1

Yes. Yes it does.

From the article:
"Binney left the NSA in late 2001, shortly after the agency launched its warrantless-wiretapping program."

Yes. A very weary and sad voice says, "Yes. There is nothing new under the sun."

This was a done deal when the Patriot Act was signed into law.
Those that are fussing about this new law may not understand.

The Patriot Act not only allows for surveillance by both private and public agencies, The Patriot Act encourages it. Private agencies can surveille and charge the government.

Not such a big deal. Hey! Spread the wealth around! The only reason money is money is because the government says it is. The only place to REALLY get money is from the government. Oh, I digress.

Sour Milk's plan to be dull as dust still works. Right?

What happens to people that stand up and quietly speak in public buildings in public to up and coming politicians? Do you know? I do.

Spoiler:

Sour Milk; You have the internet persona of a young person. So; I will defer to your parents. Talk to them. Where did they get their lives? What is important to them?

Well; Sweet internet; Lives are built one brick at a time. Sometimes lives are built several bricks at a time; It is possible for more than one person to work on one life at the same time. Have you never heard human's say, "Build a life, together."?

Lives can be destroyed, too.
What are your secrets? There are no secrets.
Basic human psychology can outline the process of destroying a person's life.
A life can be destroyed much easier than it is built.

Loyal friends and family are a buffer. You are fortunate if your friends and family are courageous and not influenced by money or the threat of no money.

A jail cell is a cheep way to make money for the company and it is a good way to convince most people. I did have one friend that said, "No One Tells Me Who MY Friends Can Be!" She was taken down in a little over a week. Lost her apartment. Lost her job. Lost her boyfriend. Just coincidence? Yeah. She and I both thought so, for a while.

I loved her. She was so much fun. She was alive, so, we did not always agree. But, we found the middle way and there was laughter involved.

I left the country. By the time I left I was 'running scared'. I gave her my car. She drove it. The number on the plates got her stopped and they treated her like they had me. The poor baby. She did not go quietly. She fussed. They took her to a psych ward and drugged her.

Thank God she is enough different from me that even the Police were able to figure out that she is not me.

She is fine now. I hope. I am far from her. It is sad. I, sometimes, show my love for others by staying away from them.

No one is untouchable. By the time I was sued by the government and had my business closed and was threatened with continued legal action, I was already a broken person. I had become numb, sort of.

I still am. Did you know that the "Inside, At, and Outside" of the borders thing is uncontested? Why would any nation want to stand up to the US? It could only mean trouble.

Do all of your posts get into the internet? Do your e-mails go through as you wrote them? Have you ever had the honor of having a protest and a little performance art, just, for you? Oh, fun!

Sometimes when I think about that political stuff I still smile. Sid Liken, from Springfield, Oregon. He has a bunch of friends that came up to Oregon with money from L.A. and they were going to set things right.

When I stood up to speak he yelled at me, "Go back to California!"

Pfft. I was born in Oregon! I owned property and business in Oregon. I liked it O.K. I was not as pro Oregon as the Californians were.

I did go back to California. I do not want to be where I am not wanted. Those people actively did not want me.

California is not where I came from, but, a lot of people go to California. My mother was born and buried in California.

Like the international borders, the borders between the states is permeable to the whim and will of people most of us do not know.

Does it matter who reads your e-mails? Really?

The Police have a very expensive and fancy new facility in Springfield, Oregon. They have a place that is for waiting. It is also for watching. You people may not believe it, but, it is true. They had me there for over an hour one time. I had a friend with me. My fall back position is read a book; Any book.

Yep. It is now possible to zero in on a person from one of those little cameras and look at the pores on their skin. Read over their shoulder. Watch the pupils of their eyes. The subtle changes in color and temperature of the skin. What do any of us have to worry about?

I got excited about something in the book and started to talk to my friend about it. The Police got all frustrated with us. Surrealism and Quantum Mechanics is not all that interesting to most folks. I was attempting to draw a line from 1920's surrealism to 1940's Quantum Mechanics. !!1940's!! That is not cutting edge stuff. It is old!

What is common knowledge? Quantum Mechanics is interesting. It is also common knowledge! Sometimes I feel like the girl in the movie MIB. She got shot for having a physics text book that was too advance for her.

Yes. It is a dystopian nightmare and it is really cool; All at the same time.

It is dystopian for the losers and cool for the winners.
See? Nothing new under the sun.

Spoilered for being too many words. I have always been dull as dust.

Spoiler:

Umm. I am one of the losers. Huh? I may be the only loser. This computer is cool. But; Are there real people out there? I wonder, sometimes. Don't you?

It could be like an old pen and paper. But, it is not. This is better. In loads of ways, this is better.

There is nothing interesting about me. Nothing. Why distroy me? Oh. Money and Power.

Oh, And; There are a few things that I might say that would both embarrass some of those Assholes and cause some of their 'fun' to be looked at. But; probably not. The world does not want to know.

The other reason to distroy me is that I looked too happy. That bugs the shit out of some people.

And; There is the fun of it. The individual people are having a great time! The winners.

See? Listen to the facts.
Terror is the enemy. Who is scared? Those are the losers.
The winners have nothing to fear. They are the winners.

How fast can that change in the digital world?

Nothing new under the sun.
It took more than ten years to implement the Patriot Act. It would take that long to undo some of the damage. Some of the damage can not be undone; Ever.

[aoeu]

This video has an AT&T guy basically telling congress that he can't see what a government agency could tell them to make security better that they aren't already doing. Really, congress isn't very good with computers anyway - I certainly wouldn't want some noob trying to act like they know better than the IT guys at how to prevent websites from getting hacked. They should stay out of this.

I'm sure the intelligence agencies have connections. It's an issue of national security.

[Ghostbear]

I'm not necessarily saying its right, but its how this country works. And the fact that we've got a law that reflects reality is a good thing IMO. (Even if reality isn't something that you necessarily agree with)

Anyway, I'd like to know what everyone's thoughts are on the limitations above. Where do you think they go wrong? IMO, I'd rather have a bill like this pass that formalizes the relationship between the Government and Companies. I honestly think this stuff is already going on, and its better to know what the limits are.

If this is already happening then why is this bill needed at all? If they're already doing it, and it's already legal, we don't need a law to make it double plus legal. Nor do we need a law with such nebulous restrictions as "national security" that simultaneously removes any potential punishment for wrongdoing.

I'm still not sure how much of the potential threat this mitigates -- it seems to me that most of the hacks that we've seen have resulted from the same old reasons as usual: the network or system in question wasn't fully updated, leaving it with known yet unplugged vulnerabilities, or someone designed something really poorly (leaving the default password for some section as "admin" or something) and nobody noticed, or simple human engineering; or put simply, it's caused by people being lazy or the systems being worked on being too complicated for the resources devoted to them.

Letting companies share information with the government without fear of repercussion won't mean they'll stop preventing the IT department from updating some piece of software because it breaks another piece of software and replacing that one would cost money. All it does is remove our ability to punish them for sharing information wrongly -- why should we remove that ability at all? If there aren't any possible costs associated with fucking up, they have no incentive not to fuck up -- the easiest course of action will be just sharing anything with the government that the government asks for. Without any means for punishing wrongful sharing of information, without any additional oversight added, then we just have another loss of privacy. The best outcome for us from this bill is that nothing changes, things just become official; in the best case scenario, this bill is a complete waste of time. I'm not a fan of things where the best outcome is "we wasted our, and by association of being your representatives, your, time".

[addams]

Not just the sharing of information. How about what is done with the information?

I had no secrets.

What is done with all of that information? For most people, nothing.

When a customer, a Mayor, Police Chief, Congressman, Don Trump, Any of the Bushes, has a problem to be solved. A call to the right people will give data that will allow agents to dismantle the lives of dissidents. That is US today.

When this system is up and running, then what? Every person in every nation in every language will have lost to the US?

Those translation programs are getting better each day.

What does the US want? What is the goal? Don't you wonder, sometimes?

Is it build and spend; Build and spend? They don't really want anything. Only more of it.

I know for a fact that some want the Gap. It is a human thing. Some want the poor, disabled, old and other to be below them. And that Gap has to be big for the entertainment. To uses the unwashed and unwell as entertainment. I know it sound weird. I think it is true.

It is exciting to propel ones group and self into God like positions. Then to observe the defeated.

The Europeans study history. They know about this stuff. It pops up in other areas of study, too.

The last fifteen years have been Hell for many people. There is suffering and sadness, always. To ease it is a high moral calling. To cause it is something else.

We are typing about people that have God like status.

[KnightExemplar]

I'm not necessarily saying its right, but its how this country works. And the fact that we've got a law that reflects reality is a good thing IMO. (Even if reality isn't something that you necessarily agree with)

Anyway, I'd like to know what everyone's thoughts are on the limitations above. Where do you think they go wrong? IMO, I'd rather have a bill like this pass that formalizes the relationship between the Government and Companies. I honestly think this stuff is already going on, and its better to know what the limits are.

If this is already happening then why is this bill needed at all? If they're already doing it, and it's already legal, we don't need a law to make it double plus legal. Nor do we need a law with such nebulous restrictions as "national security" that simultaneously removes any potential punishment for wrongdoing.

I'm still not sure how much of the potential threat this mitigates -- it seems to me that most of the hacks that we've seen have resulted from the same old reasons as usual: the network or system in question wasn't fully updated, leaving it with known yet unplugged vulnerabilities, or someone designed something really poorly (leaving the default password for some section as "admin" or something) and nobody noticed, or simple human engineering; or put simply, it's caused by people being lazy or the systems being worked on being too complicated for the resources devoted to them.

You're forgetting about the "attack" side of defense.

Microsoft, in conjunction with US Marshals, recently physically sized control over the Zeus botnet. As such, people infected with any Zeus-based virus are neutralized. (The virus is no longer stealing information, and the hackers behind it were arrested and are now in jail).

Of course, this bill isn't "necessary" for this collaboration between Government and Industry. (Microsoft, F-Secure, and other companies volunteered this information and CISPA hasn't passed yet). But I certainly see some benefits to what they are doing. I don't think Microsoft + F-Secure + Government working together was a bad thing at all.

In the best case, Industry are able to better coordinate with the Government to take down hackers. I don't necessarily think this sort of collaboration is a completely bad thing if its done correctly.

Now yes, you're right in that there are some privacy concerns. Which is why I asked the question the way I did. Where do the limitations go wrong? There are seven sections that limit the powers of CISPA. As far as I can see, the only one I have an issue with is the "National Security" excuse. The rest looks pretty clean to me, and clearly defines "cybersecurity" matters.

Letting companies share information with the government without fear of repercussion won't mean they'll stop preventing the IT department from updating some piece of software because it breaks another piece of software and replacing that one would cost money. All it does is remove our ability to punish them for sharing information wrongly -- why should we remove that ability at all? If there aren't any possible costs associated with fucking up, they have no incentive not to fuck up -- the easiest course of action will be just sharing anything with the government that the government asks for. Without any means for punishing wrongful sharing of information, without any additional oversight added, then we just have another loss of privacy. The best outcome for us from this bill is that nothing changes, things just become official; in the best case scenario, this bill is a complete waste of time. I'm not a fan of things where the best outcome is "we wasted our, and by association of being your representatives, your, time".

In making things official, the US Government has also limited itself in what it can do with this information. The US Government cannot use the information gathered from CISPA to regulate companies. And they cannot give that information to other companies either. Etc. etc. (nothing to do with privacy... but everything in helping encourage industry / government interaction).

Its a law where the US Government is making a promise to not do certain things with the data they get from companies. I'd hardly call this bill a waste of time, especially if you are an industry executive.

Perhaps its a waste of time for you, but thats because the bill was designed to please the Computer Industry. That said, the most important question to this whole thing hasn't been answered yet. Where are your privacy concerns with this whole matter? Why don't the limitations go far enough for you? And are there any additional limitations you'd put on these powers to make them more fair?

In the best case, we get a bill that doesn't cause any privacy concerns, and then Industry members can better cooperate with the government to catch hackers.

(And since my only concern is the "National Security" excuse... which would happen whether or not that excuse was formalized in law... adding / removing that section doesn't actually change the law IMO).

[Ghostbear]

When this system is up and running, then what? Every person in every nation in every language will have lost to the US?

Those translation programs are getting better each day.

This is an interesting point, I think. A lot of the internet's infrastructure passes through the US, and a lot of the companies that are in the most popular parts of the internet (Google, Facebook, Microsoft, etc.) are all US based as well. I wonder how this interacts with foreign branches of those companies.

You're forgetting about the "attack" side of defense.

No, I'm not. What I'm missing is how this "double plus legal" setup allows them to prevent cyber issues any better than they can now. What additional security is gained by this? Prior successes just reinforces the point that we don't need CISPA; government and industry are already able to coordinate sufficiently to succeed at major tasks. I doubt it's readily available information to any of us, but the type of evidence that is needed is prior security failures that CISPA would have prevented -- not prior security successes that happened without CISPA.

Now yes, you're right in that there are some privacy concerns. Which is why I asked the question the way I did. Where do the limitations go wrong? There are seven sections that limit the powers of CISPA. As far as I can see, the only one I have an issue with is the "National Security" excuse. The rest looks pretty clean to me, and clearly defines "cybersecurity" matters.
[...]

You said it yourself: the limit of "national security" is so potentially broad, ill-defined, or otherwise nebulous that it might as well amount to a limit on how loudly they yell about China/Iran/Russia/["hated" American rival of the moment]. A set of limits that includes a non-limit isn't reassuring at all. Whether the other limits are otherwise good is immaterial when we have another condition that basically allows them to do whatever. Imagine if the 4th amendment was instead:

Spoiler:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause or if we really, really want to, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

That'd be a pretty useless 4th amendment, because even though the rest of the restrictions are sound, we just added in a "do whatever you want" non-limit. The same applies here -- restrictions (A) through (D) might be acceptable, they might not, it doesn't matter; restriction (E) is a non-limit that undoes any (or most) potential limitation brought about by the others.

In making things official, the US Government has also limited itself in what it can do with this information. The US Government cannot use the information gathered from CISPA to regulate companies. And they cannot give that information to other companies either. Etc. etc.

Its a law where the US Government is making a promise to not do certain things with the data they get from companies. I'd hardly call this bill a waste of time, especially if you are an industry executive.

Perhaps its a waste of time for you, but thats because the bill was designed to please the Computer Industry.

Do we have any reason to believe that the government is legally able to do anything of those things right now? This is just another "double plus legal", except in reverse; making it "double plus illegal" doesn't really do anything to make this less of a waste of time. It does not ease any worries I have with this bill to say that they're codifying that they can not do things that they almost certainly can't do anyway.

The government is not "of, by, and for the executives and shareholders". Just because the CEO of TechCorp thinks this law is great doesn't make it not a waste of time on the security front -- which is what I was addressing when I said "waste of time". All I see is a giant handout to the IT industry without any actual security gains. I've probably said it too many times already in this post, but: how does this make us better able to protect from threats than we already are? If the only thing CISPA accomplishes is making IT executives happy and/or wealthier at the expense of our privacy, then it is in fact a waste of time; it's failing to accomplish anything to make anyone/anything safer.

That said, the most important question to this whole thing hasn't been answered yet. Where are your privacy concerns with this whole matter? Why don't the limitations go far enough for you? And are there any additional limitations you'd put on these powers to make them more fair?

I already covered that, I think:

Spoiler:

All it does is remove our ability to punish them for sharing information wrongly -- why should we remove that ability at all? If there aren't any possible costs associated with fucking up, they have no incentive not to fuck up -- the easiest course of action will be just sharing anything with the government that the government asks for. Without any means for punishing wrongful sharing of information, without any additional oversight added, then we just have another loss of privacy

It just lets them share more information, and if they share my* information when they shouldn't have, I can't do anything about it. If they share someone's information and it harms them, too bad for them. Since there is no potential harm that will befall them from sharing that person's information improperly, they have no reason to care if they do share that person's information improperly. If they have no reason to care if they share data improperly, they have no reason to prevent sharing data improperly. It means that Google can decide "Hey FBI, here's every email and search from this user, have fun", and the summary of what that user can do about it, should they find out, is: jack shit.

If there is no incentive to protect my privacy, and protecting my privacy is the harder of two options (the other being "just give them whatever info they want so they shut up and we can go back to making money"),then they're going to ignore my privacy.

In the best case, we get a bill that doesn't cause any privacy concerns, and then Industry members can better cooperate with the government to catch hackers.

It is still not clear to me at all how this allows anyone to better cooperate on anything -- all I see is the removal of liability for fucking up. What do we, the citizens, gain from removing incentives to not fuck up? That's a huge question I have with this bill, and I haven't seen any potential addressing of it, so I'm going to italicize it and highlight how big of a question it is to me by writing this sentence.

[KnightExemplar]

We agree on a few points. I'll grant you the privacy concerns over the lack of liability. But I definitely disagree on this:

The government is not "of, by, and for the executives and shareholders". Just because the CEO of TechCorp thinks this law is great doesn't make it not a waste of time on the security front -- which is what I was addressing when I said "waste of time". All I see is a giant handout to the IT industry without any actual security gains. I've probably said it too many times already in this post, but: how does this make us better able to protect from threats than we already are? If the only thing CISPA accomplishes is making IT executives happy and/or wealthier at the expense of our privacy, then it is in fact a waste of time; it's failing to accomplish anything to make anyone/anything safer.

The government now has restrictions on how it will treat proprietary information given to it through CISPA powers.

As far as I can tell, Microsoft is now encouraged to share Windows source code with the government. (Read the law, there are lots of protections for this sort of case). In which case, a security analyst would have an edge over hackers in understanding malware threats that targeted Windows.

If CISPA is passed, it'd be illegal for the Government to share the source code to regulators or competitors. Why else would this provision have been put into CISPA unless it were for a reason like this? Surely that is a good thing? Don't we want to be encouraging that kind of information sharing?

True, there are privacy issues on customer data and Google and such. But "cybersecurity information" is far more generic than just that. The sharing of proprietary source code between the government and industry has absolutely no privacy concerns what-so-ever, but would be encouraged through CISPA. And if the Government has found some top-secret computer virus (aka: Stuxnet), there are now provisions in CISPA that allow the Government to give that sort of information to companies like Microsoft.

Ultimately, this is an information sharing law between Industry and Government. I am not against that, provided that the privacy concerns are taken care of.

It just lets them share more information, and if they share my* information when they shouldn't have, I can't do anything about it. If they share someone's information and it harms them, too bad for them. Since there is no potential harm that will befall them from sharing that person's information improperly, they have no reason to care if they do share that person's information improperly. If they have no reason to care if they share data improperly, they have no reason to prevent sharing data improperly. It means that Google can decide "Hey FBI, here's every email and search from this user, have fun", and the summary of what that user can do about it, should they find out, is: jack shit.

Well first of all, thats a terrible example. You can PGP encrypt your emails and the FBI can't break it without a search warrant and a subpoena IIRC. I forgot whether or not you can "plead the fifth" on your encryption key, but those sorts of things exist if you're actually worried about this sort of thing.

Furthermore, Gmail doesn't care about your privacy. The services that do (ie: Hushmail and DuckDuckGo) would lose their competitive edge against Google if people learned that they were freely sharing information with the government. IIRC, Hushmail takes privacy seriously and had to be subpoena'd to decrypt some guy's emails a few years ago.

So really, the "obvious" answer to your question is... stop using Gmail. And start using companies that do care about your privacy. Or set it up yourself with PGP. There are a ton of ways to get back at Gmail, but no one bothers switching off. Even when Google made it public that they scan our emails for advertisement reasons... no one switched off of gmail. >_<. Basically, the problem is between the computer and the chair. YOU have the power to protect yourself online already, and this bill doesn't change that at all.

----------

As for your point and the applicability to the law... I'm not sure if that actually is a legitimate example either. The government cannot "affirmatively search" the Gmail Database if it were given it through CISPA.

I don't fully understand what that restriction means... but for what its worth, its there. I can't seem to find any reference as to what that exactly means...

[Ghostbear]

The government now has restrictions on how it will treat proprietary information given to it through CISPA powers.

As far as I can tell, Microsoft is now encouraged to share Windows source code with the government. (Read the law, there are lots of protections for this sort of case). In which case, a security analyst would have an edge over hackers in understanding malware threats that targeted Windows.

If CISPA is passed, it'd be illegal for the Government to share the source code to regulators or competitors. Why else would this provision have been put into CISPA unless it were for a reason like this? Surely that is a good thing? Don't we want to be encouraging that kind of information sharing?

This is a good example of something it might enable that is not available (in a practical sense) now -- thank you. All the same, if that situations such as that are the overall goal of CISPA, then a lot of the stuff in it can just be cut out completely. Remove the non-liability (which is probably my biggest issue with CISPA), tighten up the restrictions, add in some straight up privacy protection (e.g. make it so that CISPA only covers situations such as that source code example -- data that is wholly and completely the property of the entity in question, with no personal data of private citizens as part of it*), and I'd probably be fine with it overall.

That doesn't mean that the cons aren't worth being opposed to however. The cons are huge and wholly incidental to any benefits gained. We shouldn't accept the cons with the gains, no matter how great those gains may or may not be, because we can have the gains (or most of the gains) without any (or most) of the cons. Remove the gold plated handouts to the IT industry and we could possibly a bill that is OK, but with them it's just giving up privacy (for no reason) for some security -- not a particularly good trade off, especially if we can possibly attain that security in other ways (such as the senate bill, though I haven't read much on that).

* There's probably a lot of nitpicking possible with this specific statement, but it's just meant to highlight the spirit of the idea I'm going for.

Well first of all, thats a terrible example. You can PGP encrypt your emails and the FBI can't break it without a search warrant and a subpoena IIRC. I forgot whether or not you can "plead the fifth" on your encryption key, but those sorts of things exist if you're actually worried about this sort of thing.

Furthermore, Gmail doesn't care about your privacy. The services that do (ie: Hushmail and DuckDuckGo) would lose their competitive edge against Google if people learned that they were freely sharing information with the government. IIRC, Hushmail takes privacy seriously and had to be subpoena'd to decrypt some guy's emails a few years ago.

So really, the "obvious" answer to your question is... stop using Gmail. And start using companies that do care about your privacy.

Saying that if that's my concern I should just "stop using Google" is missing the point; I don't want a law that makes "stop using Google" my best course of action -- I want to avoid that law. Yeah, Google doesn't give any special consideration to my privacy now, but they also don't really give any significant disregard to it either. They're incentivized not to go and give all of a person's data to the government right now, because they have the potential to be sued if they do that in a way that they shouldn't -- they're actively discouraged from fucking up too much, because there is a financial cost to them for doing so. Removing their ability to be liable for fucking up means they have no incentive to care.

EDIT: I believe the 5th amendment with respect to encryption keys is still not fully legally defined. There was a thread here quite a few months ago about a judge ruling that the 5th amendment didn't apply, if I remember correctly. I also remember reading about other judges deciding the opposite of that -- it'll probably be stuck in a murky unknown until the supreme court visits it.

As for your point and the applicability to the law... I'm not sure if that actually is a legitimate example either. The government cannot "affirmatively search" the Gmail Database if it were given it through CISPA.

I don't fully understand what that restriction means... but for what its worth, its there. I can't seem to find any reference as to what that exactly means...

I take it as meaning that they can't check the data to see if there's anything illegal in there without any reason to think they should be checking that data. A "probable cause" clause, in essence, though I suspect they'd be able to argue that they had sufficient grounds to search any data given to them for whatever they found in it under the grounds "We were given this data and told it might contain cyber security threat information, so we started searching it for that info." -- making it another non-limitation.

[addams]

Unreasonable search and seizure.

Exactly zero terror attacks have been stopped by the methods employed by the TSA. What exactly is the justification there again?

Are you saying that the methods employed by the TSA have had no positive effect at all? Or just that they haven't caught anyone while doing a pat down/invasive search?

In my opinion they have to at least have stopped an attack through deterrence. Of course that isn't fact. It's just that an attacker, if one existed would probably look for another route of attack if he/she knew they have a .01% chance of making on the plane and a 99.09% chance of being detained in gitmo and tortured for the rest of their lives.

That is a heck of a threat. What kind of people are we?

"Power corrupts. Absolute power corrupts, absolutely." by, Sir Action

Was it Stanford that did the study on how quickly students became cruel to the people that they had power over? There was no crime committed. The groups were randomly chosen.

Now; Back to the laws that govern the internet.

Huh? What are these laws, really?

Are they simply a distraction? Do they effect people outside the borders of the US? Is that "Inside, at and outside the borders." thing in effect?

Did the Patriot act leave a big old hole open for suing private agencies?

Is this a bunch of stuff that is already covered in the Patriot Act, with a nod and protection to private agencies from the actions of damaged private citizens?

Looks like that, to me. What does it look like to you?

Jeeze. The large agencies have nothing to fear from the private individual. What is all the fuss about? Once the private individual is damaged, what can it do?

Think about Real Life. We all know that evidence can be planted. "We found this. Or; We found that." Very convent.

Warrants are issued for planted evidence. It does not happen all the time. But; It happens. What is the Judge to do? Judges are simply human.

The digital world is even stranger. Evidence can be planted from a remote location. That is weird. ewww.

What if you got up in the morning and looked at your sweet little screen and found, Oh God! Who knows what?!

Well; Programmers would look at the code. Some people, most people, are not literate in code. Well? It has never happened, that I know of. Could it happen? I think so. I do. Do you?

I have gotten up in the morning and found some weird stuff on my screen. For me it was text. Only words. I guess I was lucky, now that I look back at it. I would wake up to questions on my screen.

What?! I like to answer questions. The internet has a lot of answers. I like to go find them. The computer is a library in my lap. Better than books in some ways. Not as good as books in other ways.

What is on your computer in the morning? Can someone at a remote location effect your computer? I have heard that it is possible. How would the common man prove it? One way or the other?

Nightly back up into one of those hard drives? That might do it.

What do we want protection from. The gross indiscretions of others?

If, it is a War, then all is fair. Right? Is it a war to see who can frighten who more?

It is possible to walk away from the internet. People did not always have the internet. Is the best protection is to walk away? Don't have an internet.

eww. Ignorance is bliss? What if someone became you on the internet and you did not have the internet? I think that might have happened to me, one time.

How would I know? I can not read code. A few words. Not much.

[Randomizer]

For those looking for the "pro" side, here's a video where Michael McCaul [R-TX 10th district] explains why he thinks cybersecurity laws are important. He mentioned Stuxnet, which according to Ralph Langer is the United States' doing against Iran, and McCaul also mentions denial of service attacks several times... -_-

[HungryHobo]

for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;

out of interest would this allow the government to harvest information from cell phone and satnav providers to prosecute people for speeding or even (at the far end of the scale) jaywalking?

I could shoe horn in a remarkable amount of stuff if there merely has to be the vague posibility of bodily harm.(does danger have a specific legal meaning?)

it doesn't say "serious bodily harm to others", just serious bodily harm so I'm wondering if this could be used to dig up stuff on teenagers anonymously implying drug use/posession.

[KnightExemplar]

Well first of all, thats a terrible example. You can PGP encrypt your emails and the FBI can't break it without a search warrant and a subpoena IIRC. I forgot whether or not you can "plead the fifth" on your encryption key, but those sorts of things exist if you're actually worried about this sort of thing.

Furthermore, Gmail doesn't care about your privacy. The services that do (ie: Hushmail and DuckDuckGo) would lose their competitive edge against Google if people learned that they were freely sharing information with the government. IIRC, Hushmail takes privacy seriously and had to be subpoena'd to decrypt some guy's emails a few years ago.

So really, the "obvious" answer to your question is... stop using Gmail. And start using companies that do care about your privacy.

Saying that if that's my concern I should just "stop using Google" is missing the point; I don't want a law that makes "stop using Google" my best course of action -- I want to avoid that law. Yeah, Google doesn't give any special consideration to my privacy now, but they also don't really give any significant disregard to it either. They're incentivized not to go and give all of a person's data to the government right now, because they have the potential to be sued if they do that in a way that they shouldn't -- they're actively discouraged from fucking up too much, because there is a financial cost to them for doing so. Removing their ability to be liable for fucking up means they have no incentive to care.

EDIT: I believe the 5th amendment with respect to encryption keys is still not fully legally defined. There was a thread here quite a few months ago about a judge ruling that the 5th amendment didn't apply, if I remember correctly. I also remember reading about other judges deciding the opposite of that -- it'll probably be stuck in a murky unknown until the supreme court visits it.

Two things. I'm not sure that your analysis on suing Google is correct (the bolded part). And I'm pretty damn sure Gmail regularly violates our privacy anyway.

1. Outside of CISPA... What can we do if Google "violates our privacy" and gives our emails to the FBI? Are you sure we can sue them? According to the latest court cases, email that is left on web servers for more than 6 months is considered abandoned. and Google can already give all of that to the FBI with absolutely no worries.

"ECPA's privacy rules reflect the technology of 1986," according to an analysis published by the Center For Democracy & Technology. "For example, when ECPA was drafted, electronic storage was expensive and providers discarded email shortly after the user downloaded it to his or her computer, or after a few months if it was not downloaded. As a result, ECPA treats emails stored with a provider for more than 180 days as if they were abandoned and makes them available to the government with a mere subpoena."

2. Remember that Gmail regularly scans your emails for context-sensitive ads. Their AI bots know what all of your emails say so that the ads works better for you. And no one has sued Gmail for this obvious violation of privacy yet... so I doubt we can punish them if they changed that AI to check for "keywords" under cooperation of the FBI. (And we certainly wouldn't know about it).

-----------

Here's a funny thing about security and trust. If you don't trust the service you're using, you have no security. Period. Google has violated our privacy on multiple occasions in the effort of generating better advertisements for us.

Its a matter of this: Google doesn't care about our privacy. And the way our laws are set up right now, they cannot be punished for giving a hell-of-a-lot of our information to the government as it is anyway.

As for your point and the applicability to the law... I'm not sure if that actually is a legitimate example either. The government cannot "affirmatively search" the Gmail Database if it were given it through CISPA.

I don't fully understand what that restriction means... but for what its worth, its there. I can't seem to find any reference as to what that exactly means...

I take it as meaning that they can't check the data to see if there's anything illegal in there without any reason to think they should be checking that data. A "probable cause" clause, in essence, though I suspect they'd be able to argue that they had sufficient grounds to search any data given to them for whatever they found in it under the grounds "We were given this data and told it might contain cyber security threat information, so we started searching it for that info." -- making it another non-limitation.

The funny thing about the FBI, the Justice Department, and how our courts work. If they can't prove that they legally obtained the piece of evidence, then the defense attorney can throw out the evidence. (at least, if your defense attorney is working correctly). If the FBI screws up and shows "illegal evidence" to the jury, then its a mistrial and they have to find a new jury.

So if they scan through the email collection and find that you sell Crack Cocaine... they probably can't use that email. They wouldn't be able to build a case why they managed to find that email in your ~10 GB personal gmail database dump. Let alone in the petabytes of a full gmail database dump. (They probably have exabytes of email data actually) Now if you said "I'm a hacker, lets hack the CIA tomorrow. And then I'll sell Crack Cocaine like I always do on 5th avenue" all in the same email... they probably can use that evidence.

IIRC, there was a concern that Warez and Piracy might be considered part of "cybersecurity" crimes. Which would make the 1(b) restriction extremely broad. (ex: An email like "I downloaded that pirated version of Windows from blah.blah.com. Also, I sell crack" might be allowed to be taken with CISPA...)

That doesn't mean that the cons aren't worth being opposed to however. The cons are huge and wholly incidental to any benefits gained. We shouldn't accept the cons with the gains, no matter how great those gains may or may not be, because we can have the gains (or most of the gains) without any (or most) of the cons. Remove the gold plated handouts to the IT industry and we could possibly a bill that is OK, but with them it's just giving up privacy (for no reason) for some security -- not a particularly good trade off, especially if we can possibly attain that security in other ways (such as the senate bill, though I haven't read much on that).

Yeah, I can agree with that.

But with all of the press surrounding this that "this is worse than SOPA!!?!?!??!?!". No, this is alarmist rhetoric and damages the internet's case. This bill does damage privacy, but it is no where on the level of crap that SOPA was. There are magnitudes of difference between SOPA and CISPA on multiple levels.

(Whereas SOPA changed things. I'm still of the opinion that CISPA is keeping with the status quo, as per my arguments above. I'd like there to be a real privacy reform for our emails and all that... but that goes beyond the scope of a single bill like this.)

I at least see the point of CISPA, while SOPA was rotten to the core. And I can imagine CISPA actually getting fixed.

[Ghostbear]

Two things. I'm not sure that your analysis on suing Google is correct (the bolded part). And I'm pretty damn sure Gmail regularly violates our privacy anyway.

1. Outside of CISPA... What can we do if Google "violates our privacy" and gives our emails to the FBI? Are you sure we can sue them? According to the latest court cases, email that is left on web servers for more than 6 months is considered abandoned. and Google can already give all of that to the FBI with absolutely no worries.

2. Remember that Gmail regularly scans your emails for context-sensitive ads. Their AI bots know what all of your emails say so that the ads works better for you. And no one has sued Gmail for this obvious violation of privacy yet... so I doubt we can punish them if they changed that AI to check for "keywords" under cooperation of the FBI. (And we certainly wouldn't know about it).
[...]
Its a matter of this: Google doesn't care about our privacy. And the way our laws are set up right now, they cannot be punished for giving a hell-of-a-lot of our information to the government as it is anyway.

It's more than just emails, and Google was just some sample company pulled out of a hat -- companies can be and are sued for violating privacy. Just because Gmail has not created a relevant court case yet doesn't mean that it can't; it just means that it hasn't yet. They have decided that their current level of invasiveness is legally permitted and that they're safe to do so -- that does not mean that, were they to lose all liability for acting wrongly with someone's information, that they would not decide to be more invasive. Yes, Google doesn't have the best policies on privacy right now: that's not the point, the point is that they could have even worse policies if you removed any liability for them if they share information with the government. The point is that they (or any other tech company) could care even less about our privacy with that change than they already do.

The funny thing about the FBI, the Justice Department, and how our courts work. If they can't prove that they legally obtained the piece of evidence, then the defense attorney can throw out the evidence. (at least, if your defense attorney is working correctly). If the FBI screws up and shows "illegal evidence" to the jury, then its a mistrial and they have to find a new jury.

So if they scan through the email collection and find that you sell Crack Cocaine... they probably can't use that email. They wouldn't be able to build a case why they managed to find that email in your ~10 GB personal gmail database dump. Let alone in the petabytes of a full gmail database dump. (They probably have exabytes of email data actually) Now if you said "I'm a hacker, lets hack the CIA tomorrow. And then I'll sell Crack Cocaine like I always do on 5th avenue" all in the same email... they probably can use that evidence.

IIRC, there was a concern that Warez and Piracy might be considered part of "cybersecurity" crimes. Which would make the 1(b) restriction extremely broad. (ex: An email like "I downloaded that pirated version of Windows from blah.blah.com. Also, I sell crack" might be allowed to be taken with CISPA...)

Well, it's my understanding that if they already have a justification for looking through something ("We had a warrant to search their house for evidence relating to the murder") and they find something else ("Then we found the 40 kilos of cocaine in the basement"), then they can persecute for that something else. I believe (feel free to correct me, folks) there's a limitation where they do have to be searching for the former when they find the latter -- they can't get a warrant for murder evidence and then search the person's computer for pirated music. But they can get a warrant for murder evidence, search the person's computer for anything relevant to that, and if they find the pirated music on the way, use it in court.

I don't think they'd have a hard time making a case for "we just found it while searching for cybersecurity stuff" with this kind of data. To follow the example of crack, they might analyze an email database for sentences containing the word "crack", wanting to search for it because it's often used to denote breaching security ("I cracked the door code!") -- then if their search finds the word "sell" to often be associated with it, they might want to search those examples under the assumptions that groups are selling security cracks, only to find a bunch of people selling crack cocaine instead. With the data under their possession, I don't think there's any practical limitations preventing them from being able to pull off the latter often enough.

Yeah, I can agree with that.

But with all of the press surrounding this that "this is worse than SOPA!!?!?!??!?!". No, this is alarmist rhetoric and damages the internet's case. This bill does damage privacy, but it is no where on the level of crap that SOPA was. There are magnitudes of difference between SOPA and CISPA on multiple levels.

(Whereas SOPA changed things. I'm still of the opinion that CISPA is keeping with the status quo, as per my arguments above. I'd like there to be a real privacy reform for our emails and all that... but that goes beyond the scope of a single bill like this.)

I at least see the point of CISPA, while SOPA was rotten to the core. And I can imagine CISPA actually getting fixed.

Yeah, "Worse than SOPA" might be over the top, but just because someone gave an exaggerated headline for something doesn't mean we have to take the opposite stance . The problem with hoping for CISPA to get fixed is that (1) It wasn't fixed before the house passed it, and (2) supporting something on the hope that it's eventually reformed to not be shit is short-sighted -- if we can't get the bill to not suck before it's passed into law, why should we expect that we can amend it to not suck later? I think that's a naive hope to work with. I don't think we can justify passing CISPA into law the way it stands.

[KnightExemplar]

Two things. I'm not sure that your analysis on suing Google is correct (the bolded part). And I'm pretty damn sure Gmail regularly violates our privacy anyway.

1. Outside of CISPA... What can we do if Google "violates our privacy" and gives our emails to the FBI? Are you sure we can sue them? According to the latest court cases, email that is left on web servers for more than 6 months is considered abandoned. and Google can already give all of that to the FBI with absolutely no worries.

2. Remember that Gmail regularly scans your emails for context-sensitive ads. Their AI bots know what all of your emails say so that the ads works better for you. And no one has sued Gmail for this obvious violation of privacy yet... so I doubt we can punish them if they changed that AI to check for "keywords" under cooperation of the FBI. (And we certainly wouldn't know about it).
[...]
Its a matter of this: Google doesn't care about our privacy. And the way our laws are set up right now, they cannot be punished for giving a hell-of-a-lot of our information to the government as it is anyway.

It's more than just emails, and Google was just some sample company pulled out of a hat -- companies can be and are sued for violating privacy. Just because Gmail has not created a relevant court case yet doesn't mean that it can't; it just means that it hasn't yet. They have decided that their current level of invasiveness is legally permitted and that they're safe to do so -- that does not mean that, were they to lose all liability for acting wrongly with someone's information, that they would not decide to be more invasive. Yes, Google doesn't have the best policies on privacy right now: that's not the point, the point is that they could have even worse policies if you removed any liability for them if they share information with the government. The point is that they (or any other tech company) could care even less about our privacy with that change than they already do.

That case seems to support my point.

Facebook was sued for just collecting the information in the first place, which is how it should be done. If they already (legally) have some information, then it probably would be legal for them to hand it over to the government unless there was some sort of expectation of privacy. (ex: a safety deposit box or something). CISPA doesn't change this case what-so-ever either.

At very least, I'm finding it very difficult to figure out "private data" I'm willing to share with Facebook but not the Government. If I'm sharing something with online companies, I probably don't have expectations of privacy.

Maybe I'm just having a brainfart right now... but do you have a counterexample to my bolded claim above?

The funny thing about the FBI, the Justice Department, and how our courts work. If they can't prove that they legally obtained the piece of evidence, then the defense attorney can throw out the evidence. (at least, if your defense attorney is working correctly). If the FBI screws up and shows "illegal evidence" to the jury, then its a mistrial and they have to find a new jury.

So if they scan through the email collection and find that you sell Crack Cocaine... they probably can't use that email. They wouldn't be able to build a case why they managed to find that email in your ~10 GB personal gmail database dump. Let alone in the petabytes of a full gmail database dump. (They probably have exabytes of email data actually) Now if you said "I'm a hacker, lets hack the CIA tomorrow. And then I'll sell Crack Cocaine like I always do on 5th avenue" all in the same email... they probably can use that evidence.

IIRC, there was a concern that Warez and Piracy might be considered part of "cybersecurity" crimes. Which would make the 1(b) restriction extremely broad. (ex: An email like "I downloaded that pirated version of Windows from blah.blah.com. Also, I sell crack" might be allowed to be taken with CISPA...)

Well, it's my understanding that if they already have a justification for looking through something ("We had a warrant to search their house for evidence relating to the murder") and they find something else ("Then we found the 40 kilos of cocaine in the basement"), then they can persecute for that something else. I believe (feel free to correct me, folks) there's a limitation where they do have to be searching for the former when they find the latter -- they can't get a warrant for murder evidence and then search the person's computer for pirated music. But they can get a warrant for murder evidence, search the person's computer for anything relevant to that, and if they find the pirated music on the way, use it in court.

I don't think they'd have a hard time making a case for "we just found it while searching for cybersecurity stuff" with this kind of data. To follow the example of crack, they might analyze an email database for sentences containing the word "crack", wanting to search for it because it's often used to denote breaching security ("I cracked the door code!") -- then if their search finds the word "sell" to often be associated with it, they might want to search those examples under the assumptions that groups are selling security cracks, only to find a bunch of people selling crack cocaine instead. With the data under their possession, I don't think there's any practical limitations preventing them from being able to pull off the latter often enough.

Lol, my bad for choosing a word that actually works in both a drug context and a hacking context. I think your analysis is correct, but I'm not a lawyer so I can't 100% confirm it.

[MartianInvader]

Do you mind if I ask why you're "damn sure Gmail violates our privacy?" Is it just because they have machines reading your e-mails? Because, you know, every email provider has machines reading your emails.

[Ghostbear]

At very least, I'm finding it very difficult to figure out "private data" I'm willing to share with Facebook but not the Government. If I'm sharing something with online companies, I probably don't have expectations of privacy.

Maybe I'm just having a brainfart right now... but do you have a counterexample to my bolded claim above?

There's tons of things I wouldn't want the government to know if things go south -- things like how you tend to vote or your stance of various issues. Such information might not be abused now, but that's not much of a reassurance. Beyond that, I don't think there needs to be specific examples; there's different amounts people are willing to trust different entities. If someone is willing to trust Facebook with where they were this weekend, and Google with their emails, and Visa with their purchase history, it doesn't meant they're willing to trust Facebook with their purchase history or Google with where they were this weekend, and it doesn't mean they're willing to trust someone else with all three.

The issue is that it's removing the ability to punish a company if it fucks up with that data. It doesn't matter how it fucks up, or if it's even likely to fuck up, or if I can even imagine a scenario where it could fuck up -- what matters is that there is no longer a way to punish them for fucking up, so their principle encouragement to not do so is now gone. If there's no conceivable way that they could fuck up right now, then there's still nothing gained by removing that potential for liability if they do anyway.

[KnightExemplar]

Do you mind if I ask why you're "damn sure Gmail violates our privacy?" Is it just because they have machines reading your e-mails? Because, you know, every email provider has machines reading your emails.

More like because they clearly have advertisements that are tailored for me depending on which email I click... and those advertisements follow me around when I'm on Youtube and Google Searches.

So its clear from practical experience that Google is tracking your emails, your search history, youtube browsing history, and potentially other searches (I know they have a database of searches of Financial Information... are they using that for stock picking?). And they have a methodology of combining it all of this information together in the name of advertisements. Plus, with the recently changed privacy policy, Google unifies the tracking across all of their services.

Given Ghostbear's example... people can now trust Google+ with where they are this weekend, Gmail their friends, and use their NFC-enabled Android Google Wallet for purchases. It can also track where you've searched for directions (ie: exact location of where you're going this weekend), what stocks you're watching on Google Finance, the videos you like on Youtube, the images you're tagged in Picasa, the books you buy on Google Play etc. etc. And Google's current privacy policy allows all of that tracked behavior to be combined into a single database.

I'm uncomfortable with that alone. Certainly I don't want all that information given to the Government. But I don't want Google tracking me that much anyway! Its a problem that Google is even in a situation where it can do all of this tracking on us. And as far as I know, we consumers can't do anything about it outside of using other companies.

As for Ghostbear's argument in particular...

At very least, I'm finding it very difficult to figure out "private data" I'm willing to share with Facebook but not the Government. If I'm sharing something with online companies, I probably don't have expectations of privacy.

Maybe I'm just having a brainfart right now... but do you have a counterexample to my bolded claim above?

There's tons of things I wouldn't want the government to know if things go south -- things like how you tend to vote or your stance of various issues. Such information might not be abused now, but that's not much of a reassurance. Beyond that, I don't think there needs to be specific examples; there's different amounts people are willing to trust different entities. If someone is willing to trust Facebook with where they were this weekend, and Google with their emails, and Visa with their purchase history, it doesn't meant they're willing to trust Facebook with their purchase history or Google with where they were this weekend, and it doesn't mean they're willing to trust someone else with all three.

The issue is that it's removing the ability to punish a company if it fucks up with that data. It doesn't matter how it fucks up, or if it's even likely to fuck up, or if I can even imagine a scenario where it could fuck up -- what matters is that there is no longer a way to punish them for fucking up, so their principle encouragement to not do so is now gone. If there's no conceivable way that they could fuck up right now, then there's still nothing gained by removing that potential for liability if they do anyway.

Its not so much that we can sue them if they fuck up. Its whether or not we can sue them if they fuck up in the context of CISPA. Does CISPA actually make anything harder on your side of the argument? We can probably still sue Google for sharing our information with Facebook, but that has nothing to do with CISPA. (And strangely... we can't sue them if Google purchases Youtube and then changes their privacy policy to explicitly start sharing information across both apparently >_<)

Anyway, the parenthetical aside... I'm not a laywer... so I'd like to know if companies are ever punished for giving stuff to the Government. Typically, what I hear about is "illegal evidence" getting tossed out in court, but the company or individual who gave the evidence gets off scott free. If you've got an example where the giver of information "illegally gave evidence" and then was sued over it, I'm all ears. (outside of libel / slander / lying of course. I'm talking about some company submitting true information to court but somehow doing it illegally)

I've never heard of a company that cooperated with the FBI / CIA / NSA / etc. etc. and then got sued over it. Perhaps I'm just ignorant in this fact so I'll be interested if you can prove me wrong. If you can do that, I'll grant you the point of course.

[Ghostbear]

Its not so much that we can sue them if they fuck up. Its whether or not we can sue them if they fuck up in the context of CISPA. Does CISPA actually make anything harder on your side of the argument?

Of course it does: it ensures that they have no liability for sharing "cybersecurity" information. It makes it so we can't sue them, period. It changes the difficulty from 'very difficult' to 'impossible'.

Anyway, the parenthetical aside... I'm not a laywer... so I'd like to know if companies are ever punished for giving stuff to the Government.
[...]
I've never heard of a company that cooperated with the FBI / CIA / NSA / etc. etc. and then got sued over it. Perhaps I'm just ignorant in this fact so I'll be interested if you can prove me wrong. If you can do that, I'll grant you the point of course.

Even if nobody has ever gotten punished for doing yet, it does not make removing the ability to punish them for it in the future a good idea. It's quite possible nobody has been sued for such in the past. Maybe nobody has gotten punished for it yet because they refrain from (or at least curtail) those activities because of the potential for punishment. Maybe nobody has been punished because the situations where they shared information was specifically protected in a manner similar to what CISPA wants to implement. Maybe nobody has been punished because it's just so amazingly difficult to win a case*. None of those would mean that we have a good argument for structurally removing our potential to punish them.

* I remember there was a group trying to sue a telecom (AT&T?) for granting wiretaps without a warrant or something linked to the PATRIOT Act or similar, and the government just ended the trial with a "state's secrets" order or something along those lines.

[KnightExemplar]

I guess you have somewhat of a point.

Mine however, was that CISPA doesn't seem like much of a change from the status quo. According to one of my research pages...

http://news.cnet.com/8301-31921_3-57422 ... t-you-faq/

Louis Tordella, the longest-serving deputy director of the NSA, acknowledged overseeing a similar project to intercept telegrams as recently as the 1970s. It relied on the major telegraph companies including Western Union secretly turning over copies of all messages sent to or from the United States. "All of the big international carriers were involved, but none of 'em ever got a nickel for what they did," Tordella said before his death in 1996, according to a history written by L. Britt Snider, a Senate aide who became the CIA's inspector general.

--------

This apparently has continued. In his 2006 book titled "State of War," New York Times reporter James Risen wrote: "The NSA has extremely close relationships with both the telecommunications and computer industries, according to several government officials. Only a very few top executives in each corporation are aware of such relationships."

In a recent Wired article, author James Bamford described how the NSA is currently building the nation's biggest spy center, a $2 billion facility in the Utah desert. Bamford quoted William Binney, a former NSA official, as saying the NSA's backdoor into the U.S. telecommunications network goes far beyond AT&T's facility on Second Street in San Francisco. "I think there's 10 to 20 of them," Binney said. "That's not just San Francisco; they have them in the middle of the country and also on the East Coast."

It sounds like this sort of information sharing has been done before, and might be going on as we speak. And back then, I can't seem to find any references of telegraph companies getting sued over this. Of course, we were a lot more militant in the 1970s (our culture accepted more things as a defense against the Communist threat. Nukes were scarier than terrorists). Either way, I'd expect that this sort of behavior has set a precedent in this country.

Changing the law... when on one hand we have incredibly difficult odds of actually winning a court case against a company that cooperated with the government... to a law where that company has a few provisions where we don't have a chance of suing them is not much of a change at all. Thats all I'm saying.