Despite privacy concerns, CISA bill poised for passage (aljazeera.com)
321 points by lizmrush on Oct 26, 2015 | 89 comments


There's an AMA on reddit right now with the EFF, Access, Fight for the Future, FFTF, and Demand Progress about this.

https://www.reddit.com/r/IAmA/comments/3qban2/oh_look_its_th...

Looks like it just started a few minutes ago, so no idea if it'll be useful, or not.


I'm never super happy with EFF's advocacy (I think they do good and important legal and technical work but I'm almost always unhappy with how they represent policy to the public).

I've been uniformly discouraged by FFTF's advocacy, which I find goes way past "misleading" into "straight up dishonest", such as their recent piece that strongly suggested Facebook supported CISA (a fact not in evidence, for whatever that's worth) because doing so would immunize them from privacy suits for user data so long as they dumped all that user data to the USG. No reading of CISA gets you to that.

Example from today's AMA is FFTF's claim that CISA "exempts itself from FOIA", making it impossible to challenge in court: they're referring to Sec 4 (d) (4) (b), which exempts from FOIA individual shared indicators, which of course must be the case, because indicators are things like compromised account names and passwords. That's all the law exempts from disclosure.


It is uncontroversial to state that corporations and special interest groups frequently lobby in public for a position and in private against a position. Frequently you know this only through un-attributable information passed to you.

Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true. The purpose of calling out Facebook is an attempt to force them to align their public and private positions if they differ.

As usual, Marcy does excellent analysis about what information NSA will be able to collect, analyze and disseminate under CISA.[1]

[1] https://www.emptywheel.net/2015/10/26/two-intended-consequen...


This is a blog post that makes two very broad claims:

1. That Chrysler can exploit CISA to avoid liability for vulnerabilities in their cars simply by sharing the flaws with the USG as an "indicator".

2. That the USG can use CISA to collude with private companies to avoid warrant requirements and spy on their customers.

Both of these points are, I think, false. I've linked upthread to the text of the bill and provided a summary. In particular, I don't think the "Chrysler reading" of the bill finds any support at all in the text; Chrysler is immunized from suits stemming from their own sharing, and even in the sharing, they are explicitly on the hook for negligence and misconduct.

If it's helpful, here's the entire limitation of liability in CISA. Notice: companies are exempt from liability for monitoring, sharing, and receipt of indicators. They aren't exempt from liability for having vulnerabilities in the first place!

    6. Protection from liability
     
    (a) Monitoring of information systems 
     
    No cause of action shall lie or be maintained in any court against
    any private entity, and such action shall be promptly dismissed,
    for the monitoring of information systems and information under
    section 4(a) that is conducted in accordance with this Act.
     
    (b) Sharing or receipt of cyber threat indicators
     
    No cause of action shall lie or be maintained in any court against
    any entity, and such action shall be promptly dismissed, for the
    sharing or receipt of cyber threat indicators or defensive
    measures under section 4(c) if—
     
    (1) such sharing or receipt is conducted in accordance with this
    Act; and
     
    (2) in a case in which a cyber threat indicator or defensive
    measure is shared with the Federal Government, the cyber threat
    indicator or defensive measure is shared in a manner that is
    consistent with section 5(c)(1)(B) and the sharing or receipt, as
    the case may be, occurs after the earlier of—
     
    (A) the date on which the interim policies and procedures are
    submitted to Congress under section 5(a)(1); or
     
    (B) the date that is 60 days after the date of the enactment of
    this Act.
     
    (c) Construction
     
    Nothing in this section shall be construed—
     
    (1) to require dismissal of a cause of action against an entity
    that has engaged in gross negligence or willful misconduct in the
    course of conducting activities authorized by this Act; or
     
    (2) to undermine or limit the availability of otherwise applicable
    common law or statutory defenses.


I'm not sure why you were downvoted for a reasonable post citing original sources (I upvoted you to try to correct that).

I expect I will disagree with you about the desirability of CISA, just as we disagreed years ago about CISPA, but enjoy your posts on the topic nevertheless. They make thoughtful and reasonable points. Even if you end up on the wrong side. :)


Just to be clear: CISA is bad. I oppose it.


How many comments have you made expressing your opposition, versus painting groups fighting CISA in a negative light?


I'm not "painting" anyone. People say things that are misleading, wrong, or outright dishonest. I point them out. I don't feel any need to justify that to you.


Well, wouldn't it be more productive to write your own blog post(s) on why CISA should be opposed?


It would be about as productive as you writing a blog post about how much you disagree with my comments.


CISA impacts more people, to say the least


I could bug Marcy for an answer. I will do a totally inadequate job of defending her analysis compared to her.

It seems relatively simple to read this passage in the following way:

Let's say a major car company decided to leave open a port with a remote code execution vulnerability on their cars.

Let's say this car company discovered this port was being exploited and informs the NSA of affected vehicles' IMEI numbers, IP addresses etc.

Now let's say FTC/NTSB wanted to put together a case for punishing the car manufacturer for their poor security operations.

It seems perfectly reasonable for a lawyer to read the passage from CISA and claim the court couldn't use any disclosure to the government under like the number of affected vehicles (easily calculated from the threat information previously shared) in any determination of liability.


Again: they can't be prosecuted for sharing, for monitoring, or for receipt of information. This is statutory language and the words matter.

If there's an authority under which Chrysler can be prosecuted for having vulnerabilities (spoiler: I don't believe there is), CISA doesn't change any of that. Certainly, there's no clear linkage between CISA sharing and a private actor's ability to sue Chrysler for torts emerging from vulnerabilities.

I don't even think there's a stretch reading of the statute that gets you where this blog post lands.


Because the government has NEVER demonstrated any behavior in deliberate (expanded) interpretation of the law to further their interests.

The lengths taken to interpret "torture" for instance. It used to be that we have a fairly logical, common sense interpretation of things but I think those days are gone. I mean, unlimited data should really mean unlimited data not subject to some arbitrary cap or throttling.


Non-falsifiable argument is non-falsifiable.


I wish your echo chamber of trust were true. Unfortunately, it's not.


It is probably impossible for a lay person to understand how a court is likely to interpret statutory language. I prefer my analysis from folks who devote a substantial amount of time to it.

Marcy compares the CISA liability protections to the very similar Section 314(b) of the Patriot Act financial information sharing liability safe harbor.

It seems at least plausible that they will operate in a similar fashion if CISA becomes law.

https://www.emptywheel.net/2015/10/14/time-to-get-very-conce...


But that statute has also never been used to shield vendors from lawsuit or prosecution for vulnerabilities!


> Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true. The purpose of calling out Facebook is an attempt to force them to align their public and private positions if they differ.

So in other words, as long as they are "advocacy organizations" and say that they believe in some view, they get a free pass to lie, spread bullshit and FUD? I thought we should have a higher standard.

Personally, I am for severely punishing liars as a top priority, no matter what side they're on. Then we may get a constructive discussion.


| Advocacy organizations are not journalists. They don't need to cite their sourcing before making claims they believe are true.

Tell me where you find these journalists today.


You can find some on The Intercept (https://theintercept.com/).


If you think they do important work why do you consider it your duty to go on every advocacy thread and say how you disagree with their tactics? How does your tactic of constantly discouraging people from advocating for these issues serve your stated shared goals better than EFF's?


Probably for the same reason that you clearly feel it's your duty to repeat this same comment on all those threads. I'm guessing it's a shared feeling of someone being wrong on the Internet.

I'm really not sure what's so complicated about this.

I have a hard time thinking of legal support EFF has provided that I don't support. If EFF was just legal support, I'd be a donor.

I think their technical work is mostly good; it would be entirely good but for the egregiously terrible Secure Messaging Scorecard --- but hey, that scorecard won me a $1000 bet against Matt Green, so some good came out of it.

Virtually all of EFF's policy advocacy, I find untrustworthy. I don't even believe they take it seriously. I think they play to the crowds, in the hope that the retweets and upvotes will generate more donations.

Is it really that hard for you to see that as a plausible narrative? I'm not asking you to agree with it.


You're conducting this conversation in a manner I find to be vocalizing the precise feelings I've had about CISA and CISPA, and especially, EFF.


> Virtually all of EFF's policy advocacy, I find untrustworthy. I don't even believe they take it seriously.

This is an interesting conspiracy theory.

> Is it really that hard for you to see that as a plausible narrative?

My theory is that they really believe in what they're doing. They are based in SF, so they are surrounded by well-funded startups offering high salaries. Employees of EFF could be making small fortunes, and instead they choose to fight to secure civil rights. Why? Because some people value freedom over currency. This narrative seems more plausible.


The people doing advocacy work at EFF are generally not technologists, from what I can tell.


I'm not sure what your point is, regarding technologists.


Technologists working for EFF are probably giving up outsized salaries at SFBA startups. Advocacy journalists are probably not.

I'm sure they're all good people who believe in what they're doing. It does not follow that they believe in every individual position they advocate for; they're a nonprofit, so fundraising is a huge part of their job.


Cool, thanks for elaborating on your stance


> Example from today's AMA is FFTF's claim that CISA "exempts itself from FOIA", making it impossible to challenge in court: they're referring to Sec 4 (d) (4) (b), which exempts from FOIA individual shared indicators, which of course must be the case, because indicators are things like compromised account names and passwords. That's all the law exempts from disclosure.

Nope. The bill clearly defines "cyber threat indicators" to include the entire content of whatever these companies disclose to the government. The things that make up "cyber threat indicators" go on for an entire page, and it's an "or" list rather than an "and" list. For Facebook, it would probably be something like a particular Facebook post that tripped their "threat" trigger, plus all the info that Facebook has about that user account (maybe every post that account ever made), including IP addresses that posted to that account and everything else.

And yes, every single thing "shared" with the government (I'm reminded of "the sharing economy" with this usage) is entirely exempt from FOIA disclosure, as the CISA bill clearly says. And of course no cause of action shall lie in any court, so there's no help there either. So no, there will never be any way to review the scope or magnitude of this "sharing", apart from whatever information (truthful or not) the government deigns to share.

Your description of CISA is the one that is straight up dishonest.


I'm not sure who you're arguing with. Are there people advocating for CISA by saying it's only about metadata? I'm not one of those people.


I'm arguing with your lies that the only thing CISA exempts from disclosure are "compromised account names and passwords".


You write that as if my comment isn't right there for everyone to read. That's obviously not what I said.

I even took the time, elsewhere on the thread, to summarize all the different classes of data that CISA deems "indicators":

https://news.ycombinator.com/item?id=10454172


> they're referring to Sec 4 (d) (4) (b)

Also 5 (d) (3) (a) and (b) which exempts "Cyber threat indicators and defensive measures provided to the Federal Government under this Act".


Right. Same deal, right? They're simply saying that raw indicators are exempt from FOIA, and, of course, they'd have to be.


So I guess the serious (and it is serious) question is this. If I can't FOIA for security indicators, or defensive measures, then how could I ever know that they included illegal or illegitimate information about me?


You can FOIA for records the government keeps in the management of indicators from different companies; the only thing excluded is the indicators themselves. Again: how could it be otherwise?


So, in reality, if I suspected that there was some privacy breach with regards to the transfer of information, I could not prove it. This means that I would have no standing in court (no proof of injury means no standing). This seems problematic, and worthy of examining the privacy implications (or at least discussing them)

> how could it be otherwise?

Allow FOIA, and use the existing exemptions for classified material if the information is actually classified. This would mean that breaches of privacy could be found when non-classified information is present.

There seems to be concentration on "indicators" being username/passwords, etc. However, Sec 2 (6) (G) is "any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law;". That's basically anything since cybersecurity threat is defined as "means _an action_ ... on or through an information system that _may_ result in an unauthorized effort ...". That seems to be a rather large hole.


The problem is that none of this information is "classified". PII isn't classified. Zero-day vulnerabilities aren't classified. Classified information is stuff that goes through USG classification process.

So there'd need to be some other regime in place that ensures that no harm is done by publishing information that companies are voluntarily sharing with the USG.

What would that regime look like?

I'm also not really convinced that there's a problem with the catch-all at the end of Sec.2(6) --- that's enabling companies to share things they were already allowed to share, and just bringing it under the same set of controls as the new sensitive stuff they can share. How is that a loophole the USG can exploit? What does that loophole look like in practice, in actual use?


I think a U.S. citizen can file a request for records about themself via the Privacy Act. As I understand it, FOIA allows anyone to ask for anything; Privacy Act allows one person to ask for information about themselves.

I don't know if CISA also prevents Privacy Act requests, or if it only applies to FOIA.

Theoretically, companies using CISA would anonymize personally identifiable information before sharing to the government. An IP address, for example, is probably not PII (as millions of people have pointed out in the context of digital piracy lawsuits). I doubt one could file a Privacy Act request just based on an IP address.


It specifically mentions "552(b)(3)(B) of title 5" which is the FOIA statute. No mention of the privacy act.


It will be pointless because it is going to happen.

American: Home of the safe and the surveilled.


I can't believe the number of times this bill has been voted down, only to come back up for a vote again under a different bill or different name.

It is like they keep submitting bills until it gets passed. This not only is a waste of time, it seems to be how the lobbyists get their bills passed. Eventually one will get passed and then our privacy will no longer exist. If you want our data, get a judge to order a search warrant. Otherwise it is Unconstitutional.


>If you want our data, get a judge to order a search warrant. Otherwise it is Unconstitutional.

This is my position and nothing will move me from it because it is the principled position. Moreover, the advocates of mass surveillance fail to realize that even if their motives are as pure as the driven snow nevertheless a mass surveillance system will attract sociopaths and psychopaths who survive by preying on other human beings instead of creating value and trade. This is exactly why we have a Constitution to limit the powers of government.


I fear a Police State where it is basically a 1984 type of society. Instead of TV sets watching us, it is our smart phones. The only thing protecting us from the Thought Police is the fact that our smart phones are encrypted so that we can have privacy. Take away that encryption and let the Police or anyone else have access to anyone's smart phone and there is no privacy and you can be arrested for stuff you didn't do but might because some machine learning algorithm says you might commit a crime. Sort of like the Minority Report TV show where they stopped using precogs and went to a Hawkeye program that uses ML to tell if someone is going to do a crime and has access to everything in the public to tell.


One of the things that concerns me about this debacle is that ongoing CISA controversy will eliminate the possibility of legislative support for information sharing for good. I appreciate that there are privacy concerns in CISA, however, it is very important to the security field that sharing of intelligence indicators become more plainly safe from a legal perspective.

'Indicators' usually consist of information about external actors and organizations that are relevant to intrusion detection, for example, the most common types of indicators are domains used for C&C and hashes of malicious files. It is difficult to construe a privacy violation from these types of indicators. There are concerns about certain providers who may have indicators relevant to their users - for example, some providers might share the names of otherwise legitimate user accounts which have been compromised as these are often used to send spam that ought to be blocked. However, in general, cyber intel indicators do not involve sensitive information about users.

Right now a great deal of organizations are not participating in public or private threat information sharing because of concerns over liability and compliance, and this significantly impedes defense by letting threat actors get away with infrastructure and tool reuse that ideally should reveal them. These acts originated as an attempt to correct that. It looks alarmingly like many advocacy organizations want to keep it this way for good.

I don't want to be painted as anti-privacy and I would say that I'm not, but the principal goal of this legislation is not to send your data to the NSA, it's to help me do my job. I hope that the internet community will have the foresight to try to resolve the specific problems with current legislation, and not to entirely prevent information sharing.


"I don't want to be painted as anti-privacy and I would say that I'm not, but the principal goal of this legislation is not to send your data to the NSA"

This is what folks with this argument are missing - it doesn't matter one bit what the goal of legislation is, especially when it involves immunity for very vague things. Just because you will use it for that, does not prevent someone else from abusing it now or in the future. The point of legislation should be to protect the people.

Just like the author of the Patriot Act never intended for it to be abused the way it was. And these things are extraordinarily difficult to curtail after the fact.

"Sensenbrenner supported the Amash Amendment, a plan to defund the NSA's telephone surveillance program. "Never, he said, did he intend to allow the wholesale vacuuming up of domestic phone records, nor did his legislation envision that data dragnets would go beyond specific targets of terrorism investigations." The Amendment fell seven votes short of the number it needed to pass."

Also, I don't really buy that businesses are limited by their inability to share threat information, because they have been doing this for years.


There is already a pretty large threat intelligence information sharing effort in place through the ISAC system established by DHS: http://www.isaccouncil.org

These have seen widespread adoption by medium and large sized companies, and are doing good work. Or at least the one I participate in is; I can't speak for the other ISACs.

They have policies that facilitate information sharing without privacy or liability issues.

There is definitely still a very large portion of organizations that are not members of any ISAC or similar information sharing group, though. I don't know how much CISA may help with that.


You may find it meaningful that, in my interactions with several people involved in operating ISACs, I have heard nothing but support for CISA. One high-up individual in a well-known ISAC expressed a great deal of frustration and said that opposition to CISA came only from people who had no idea what indicators were. I don't think that it's quite that simple, but there's certainly an element of that.

Much of the benefit of CISA is specifically in the area of information sharing with the gov't, which has various initiatives like NCCIC that are falling flat in a lot of ways. Of course the ISACs would like to be involved in this. CISA is also seen as a way to get a lot more organizations to contribute to ISACs, as well.


CISA will almost certainly pass tomorrow. It already achieved cloture, typically the hardest part of getting a bill out of the Senate. It needed 60 votes and got 83. It just needs 50 for final passage, and I have a hard time seeing how 34 Senators would change their minds within a week.


Setting aside any hatred for the government and mistrust, how does Company A share information with Company B (or the FBI) about how a hacker got into their networks?

Is the concern that Google is going to hand over your browser history under the guise of CISA?


The law doesn't define how information is to be shared; it merely makes it lawful for the sharing to happen, so long as it meets the conditions in the statute.

This is pretty typical for bills in US Federal Law: Congress enacts a relatively broad statute that establishes principles relied upon in a later "rulemaking" process; the statute will delegate to specific agencies the privilege of making those rules.


If this law isn't enacted, then it will continue to be illegal for Company A to share breach details with the government, or with each other.

Is this necessary to slow down the rate and severity of breaches? If so, what should this law look like?


I don't think the harm outweighs the limited good in this situation. I'm negative on CISA. I was neutral on CISPA, which didn't have the law enforcement investigative enhancements CISA has.

But I still don't think it's a big deal either way. Like, don't donate money to prevent it from passing if this is the only donation you can make this year.


Mailing lists and phone calls are a big part of it.


The actual text of CISA:

https://www.govtrack.us/congress/bills/114/s754/text

There are no amendments to CISA that I can find (CISPA collected quite a few amendments, some of which were very relevant to HN, before the bill eventually died).

I read CISA so you don't have to! (You still should). Here's a summary:

There are three particularly important defined concepts:

<<Sec. 2 (5) (A) "Threats">>, which means "unauthorized activity" that might plausibly compromise confidentiality, integrity, or availability, but that isn't either protected speech or a mere ToS violation.

<<Sec 2 (6) "Indicators">>, the most important concept in the bill, which is, roughly: logs of recon activity, exploit techniques, vulnerability data, account hijack techniques (I think this bill actually tries to capture the notion of an XSS), bot C&Cs, damage reports on attacks, and anything else related to security and not already prohibited by law.

<<Sec 2 (7) "Defensive measures">>, roughly, things that stop or monitor attacks.

"Defensive measures" is a confusing concept in the bill. For awhile, it was thought that CISA would authorize something akin to hack-back privilege for private entities; it does not. Meanwhile, defensive measures are probably already lawfully shareable. Anyways, the bill allows you to share both indicators and defenses.

The bill allows the USG to share indicators and defensive measures with private entities, and vice versa.

So then:

Section 3 of the bill authorizes the USG to share stuff with private entities. This isn't the part of the bill that concerns people (we all probably want more sharing from USG to private entities; for instance, that's what we're saying every time we demand NSA fork over its zero-days).

Section 4 authorizes private entities to share with the USG. Here's what it allows:

(a) You can monitor your own systems, or those of people who give you written authorization, for any security purpose, notwithstanding any previous limitation on monitoring. Even if ECPA or student records law says you shouldn't monitor, if you're doing it to deal with security threats, you're now allowed to.

(b) You can run your own defensive measures, or defensive measures on people who give you written authorization. Ok then.

(c) You can share indicators and defenses with the USG, and receive them from the USG so long as you comply with their sharing restrictions.

(d) You have to keep the data secure, you can't share it willy-nilly, and before you share anything, you have to (1) review it for PII and (2) anonymize any PII you find.

Sec 4 (d) (4) has problematic language that allows, say, Facebook to provide written authorization to the USG to prosecute based on shared indicators; in theory, they can do this even if the prosecution they're going to launch isn't related to a computer crime, but just happens to be illuminated by the indicator Facebook shared. (But remember: Facebook can't share under CISA unless they have a bona fide cybersecurity purpose for doing so).

Section 5 has a bunch of rulemaking authority in it, but buried in it is Sec 5 (d) (5) (a), which gives all the purposes FedGov is allowed to use indicators for:

* any security purpose
* attributing threats
* determining whether threats are foreign
* preventing immediate disaster/harm (iv)
* stopping child sex trafficking (v)
* stopping major felonies, espionage, trade secret theft (vi)

(iv), (v), and (vi) are major problems; these aren't cybersecurity purposes at all, but rather a sort of "these crimes are so bad that we're allowed to repurpose indicators to deal with them", which, maybe fair enough (except for trade secret theft), but still, not OK that new investigative capabilities are buried in the middle of a cybersecurity bill.

And that's it.


I could be missing a further limitation, but doesn't Section 4(a) de facto amount to a repeal of all other laws that limit monitoring? Yes, the exception is limited to monitoring for a "security purpose", but a pretty broad range of things can be justified as a "security purpose". I'm also skeptical that courts will seriously second-guess companies' representations on that point.


Yep, I called that section out for that reason. I'm not particularly worried about it (I think this part of CISA mostly just clarifies something that was already pretty much settled).

Companies aren't allowed to just make up "security purpose", though; under CISA, they have to be monitoring for threats as construed in CISA, which means, for instance, they can't find exemption for liability for monitoring for mere ToS violations.


Couldn't one collect logs of all things, under the auspices of collecting logs that (may) contain "recon activity" and "exploits"? It seems on a surface reading that one could collect all those under the umbrella of collecting Indicators, and then also use it for things like selling-to-advertisers or other business-related things.

Of course, our terms of use on most sites already say they can collect + monetize such things, so maybe this is moot.


I'm not sure I see the part of CISA that allows you to sell your logs to advertisers. I do see lots of places in the bill that allow sharing to other private entities or to the USG for cybersecurity purposes.


Sounds like a loophole.


What specific part of the bill reads like a loophole that would allow Facebook to sell its security logs to advertisers?


I was just responding to what you'd said above:

> I do see lots of places in the bill that allow sharing to other private entities or to the USG for cybersecurity purposes.


"For cybersecurity purposes".

It's a short bill. Read it again! These terms are defined, reasonably well.


They write these articles as if the people of the United States have any say in the matter...


It all starts with people not voting for who they are told to vote for. I am quite sure that the majority here will vote for the candidate at the top of the party that the donor class/establishment has decided wins. Just like the Republican party establishment who fights against the Tea Party (for which the media and establishment convinced many voters of both sides to mock them) the Democratic party may be having its own similar moment with Sanders. Yet it doesn't matter if you still vote for whom you are given regardless of your personal choice.

Politics in the US cannot change until people simply say no. That means at least voting for someone not from the big two or voting against your own party to show them the lesson they need.

After all, how can your vote be wasted doing so when so many are convinced their vote already doesn't matter?


It worked with SOPA, didn't it? Seems like the people have a bit of say.


₋ Four Letter Acronyms do not a policy make

₋ The net is a-central and not dependent on a single fascist org to run it

₋ Pirate utopias will crop up to subvert any such control mechanisms.

⸗ 4 letter acronyms by virtue of being over-arching make the net stronger by way of streisand effect


It's somewhat ironic to think how "pirate" once meant someone who takes everything you have and gives nothing back, but today a pirate is a very generous individual who contributes their time and money, not to mention risking personal safety, in order to give you free access to contemporary culture.


So just hack this one government system and get everyone's vulnerabilities. Thanks for making it easy. Maybe someone will work as a contractor and post them all somewhere.


[flagged]


She supports the motion-picture industry and has incumbent support in a safe district for her political party. As a senator with real seniority she's quite embedded in the system.

I believe she was more concerned about a) the NSA facing public scrutiny b) that the CIA hacked her computer resources in an attempt to determine what line of inquiry into torture the sub-committee on CIA torture investigation was headed towards. So yes, warrantless-surveillance is for "the little people" as far as she and the other members of Congress are concerned, mostly.


But this industry isn't ageist at all, no...


Once again we can thank Dianne Feinstein for this. How did she get re-elected again? Was it gerrymandering or did her NSA buddies, which she keeps propping up, hack the poorly secured voting machines?


Feinstein is a senator. How could gerrymandering have anything to do with her election?


(the answer, of course, is that it can't)


Passive gerrymandering. California's state lines were intentionally not redrawn before the last election, so as to not absorb Republican voters from Nevada, which would have diluted the democratic majority in California and made things tough for Feinstein.

The OP is hinting through his username that somehow the Mt. Gox bitcoin exchange was involved.


I am finding it very difficult to believe that any modern border dispute between California and Nevada could have flipped California.

Feinstein won 49.5 to 12.7; a landslide victory.

Gerrymandering had nothing to do with CISA.


I think cma was being facetious.


I think you're right. Sorry! One of those days.


Unlikely, given that mtgx's account here is 3.5 years old.


Have you seen the shape of California? I mean, it's implausible at best. :-)

But seriously, it's kind of fun to imagine what life would be like if U.S. states were shaped like House districts. Maryland is probably the closest, geometrically.


There's a cool exhibit in the Oakland Museum of California about proposals for the shape of the eastern border of California!

Interestingly, some of the motivations for the proposals did involve something like gerrymandering, in terms of arguments about how many Mormons who had emigrated to the west would end up being included in California's territory.

Another interesting thing about the California-Nevada border that ended up getting adopted is where the northwest line turns north (where the bend is): it's inside of Lake Tahoe. That makes it a lot easier to remember!


Have you seen the shape of California?

Did you know that Reno has been gerrymandered so far it's now west of Los Angeles? That has to be some kind of conspiracy. Otherwise it would just be impossible.


California was stretched so far that it covers the full distance from the lowest elevation in the lower 48 to the highest summit in the lower 48.

It was also shaped so that it encompassed the driest point in the U.S.--Death Valley--and one of the wettest: 100 feet underwater below the Golden Gate Bridge.

Also, if the state of California were its own country, it would be referred to as the nation of California. True story.


Feinstein is a very long running senator with a hugely entrenched power base. Because of that it's hard to remove her from office. She also, despite being very authoritarian, is fairly progressive in other respects so she is able to appeal to her base of older democrats in that respect.

I really really dislike her, but it totally makes sense that she is basically invulnerable within her senate seat.


This is the reason why I don't fill in a ballot for her whenever her seat comes up. I know it's not going to do much, and I am not really sure I want a Republican in that seat (if that were even possible) since I doubt it would be any better than her positions.

All I see with her about this is the hypocrisy of it all. She is totally fine with the NSA intervening in our lives, but threw a huge fit when the CIA was found to be spying on members of Congress. Yes, spying on the people is OK, but spying on Congress by the CIA is a "violation of separation of powers" and shouldn't be tolerated?


That's why primary challenges are important. I doubt she'll be gone before she wants to be, but I was skeptical they could get Cantor also.


For the vast majority of Americans, surveillance and internet security are pretty close to the bottom of their list of concerns. This forum is an echo chamber full of a tiny concentrated group of technical people many of whom are very extreme single issue voters about this sort of thing which is a gross mischaracterization of Californians or Americans as a whole.

People elect Feinstein because they think she is doing a good job. They might even agree with you that she's wrong on your pet issue but that issue just isn't as important to them as it is to you.


Neither. The Republicans run idiotic candidates like Carly who Feinstein and Boxer eat for breakfast.



