I would like to hear from Ohanian about what changes he would like to see to improve the scope and privacy controls in CISPA.

I just read the definition of Cybersecurity Threat in the bill. I think the EFF's recommendation to specifically exclude the content of communication would be a major improvement.

I think the complaint that there is no real recourse if a company chooses to share information that does not fit the definition- as the bill grants immunity for such actions and there is no way for an individual to know the information was shared (in order to sue the Fed within the 2 year time frame required) is valid. So one improvement would be to remove the immunity clause. (Or something similar to Rep. Justin Amash's proposed amendment)

When Quest refused to participate in the Fed's illegal spying program, they punished them by moving a large contract from the company. I read nothing in skimming the bill that would prevent the Feds from pulling a similar stunt, promising immunity under CISPA as the carrot, while threatening them with a stick (money) like they did to Quest.

Another possible improvement would be to expand the mission of US-CERT, to make them the point of contact for all information sharing, require them to validate it is cybersecurity related, and then they become the clearing house and the single accountable agency within the US Government for all CISPA related data. (There may be another agency more suitable than USCERT, but I use them as an example.)

There have been several amendments proposed to improve the privacy protections in CISPA, but they have been blocked- and thus we are left to ask why? If it is all good intentions, why block the proposed protections that help ensure that good intentions don't go awry?

Thank you for this comment. I actually disagree with a lot of it, but you clearly know what the bill is talking about.

You have three concerns:

1. That even though the bill tries to specify what kinds of information can be shared under CISPA, the penalties for "over-sharing" with the USG are very fuzzy (you are immunized not just for sharing to the letter of the bill, but also for "good faith" sharing).

2. That the bill does not prevent the USG from retaliating for failing to cooperate with efforts outside the scope of the bill.

3. That the bill could build up US-CERT instead of diffusing authority (and potential conflicts of interest) through DOJ, DOD, and DNI.

I agree with the 1st, but not the 2nd or the 3rd concern. In particular: your 2nd concern militates for another bill, not an amendment to CISPA.

I agree that concern #2 would perhaps better be mitigated via a Seperate, more generic bill, but I won't hold my breath waiting for that to happen!

It's funny that you mention Qwest (Now CenturyLink), and the illegal spying program, because they (along with AT&T) are brokering access to the NSA's latest spying toy, which CISPA is intended to expand.

http://www.dc3.mil/dcise/DIB%20Enhanced%20Cybersecurity%20Se...

This DIB Enhanced Cybersecurity Service is being handled by the defense contractors who donate to Mike Rogers:

http://www.opensecrets.org/politicians/contrib.php?cycle=201...

4. AT&T

8. General Dynamics

9. Raytheon

9. SAIC Inc

9. Lockheed Martin

9. Northrop Grumman

19. BAE Systems

Their letters of support for CISPA, referencing the DIB program, are on the Senate website:

http://intelligence.house.gov/sites/intelligence.house.gov/f...

I write to you on behalf of the National Defense Industrial Association (NDIA) to express our support for The Cyber Intelligence Sharing and Protection Act of 2011 (HR 3523). ... As you are aware, NDIA is a non-profit organization, and is America's leading Defense Industry association, ... Our members represent the entire spectrum of the Defense Industrial Base (DIB). ... To illustrate, some NDIA members have participated in the Department of Defense's DIB Pilot program...

http://intelligence.house.gov/sites/intelligence.house.gov/f...

ASIS

... The bill also gives businesses certainty that cybersecurity information shared with the government would be provided safe harbor and would not lead to frivolous lawsuits, among other protections.

http://intelligence.house.gov/sites/intelligence.house.gov/f...

"I am please to write to you to express CSC's wholehearted endorsement of the "Cyber Intelligence Sharing and Protection Act of 2011" which you released today and which requires the Director of National Intelligence to establish a program allowing certified organizations to use classified cyber signatures to help protect their IT enterprises...

As you know, CSC was the first IT enterprise company invited to join the defense industrial base pilot program (DIB)...

This program was quietly started around 2011:

http://www.washingtonpost.com/national/major-internet-servic...

NSA allies with Internet carriers to thwart cyber attacks against defense firms

The National Security Agency is working with Internet service providers to deploy a new generation of tools to scan e-mail and other digital traffic with the goal of thwarting cyberattacks against defense firms by foreign adversaries... The Internet carriers are AT&T, Verizon and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors, including Lockheed, CSC, SAIC and Northrop Grumman.

There is at least $6B waiting to go to the defense contractors to help the NSA. (They're already working with the NSA on the big Utah datacenter):

ttp://www.bizjournals.com/washington/blog/fedbiz_daily/2013/01/northrop-saic-mantech-among-those-to.html?page=all

Northrop, SAIC, ManTech among those to bid for DHS' $6B cyber program

Northrop Grumman Corp., ManTech International Corp. and SAIC all confirmed to me their plans to bid as a prime contractor for DHS' Continuous Monitoring as a Service program, which will be worth up to $6 billion over five years

I have worked directly with one of the bidders, won't say which or in what capacity. As far as I'm concerned, this will result in six billion dollars thrown right into a hole, with no enhancement to "cybersecurity." I don't expect anybody to take my statement seriously since I provided no evidence, but I for one now see this as a giant waste of fucking money.

I have absolutely no trouble believing that this is going to be a giant waste of money.

All the evidence thus far points to yes.

1. John Poindexter + SAIC + TIA Program = $200 million turd.

https://en.wikipedia.org/wiki/Information_Awareness_Office

2. ADVISE (DHS ) $47 million turd

https://en.wikipedia.org/wiki/ADVISE

3. Trailblazer (NSA) $280 million fiasco + turd

https://en.wikipedia.org/wiki/Trailblazer_Project

4 Turbulance $500 million /year as of yet to be disclosed but very likely turd.

https://en.wikipedia.org/wiki/Turbulence_(NSA)

Having seen what a mess TSA has made of "security improvements", I have no problem believing your claims.

I am confused. Why are you opposed to the USG spending money on protecting defense information transiting private-sector networks because of private-sector contractors? You strike me as the kind of person who would be irritated that information was being insecurely shared between DOD and (say) Lockheed to begin with.

You mean why am I opposed to blanket legal protection for ISPs to quietly share my packets with the NSA and their contractors?

Why am I annoyed that everybody behind CISPA is participating in a charade, when we could just cut to the point and debate the merits and concerns regarding the project motivating it?

Why am I annoyed that we don't get a voice in this, and the companies receiving the billion dollar contracts for this specific bill, who also fund the politicians putting it through, do?

Why am I annoyed that attempts were made to amend the bill to actually almost fit what you're claiming it is for, by protecting customer payload data, and they were shot down?

I am confused about why you aren't. I feel like you've been stuck in anti-rageview mode when it was first said that this was about copyright issues, and you over-committed to that position, and that you normally wouldn't support this.

How about not passing the beshitted thing in the first place?

If there are better scope and privacy controls, then what is the issue? The bill has a valid purpose, people are complaining because of the fear of abuse because the language is vague in parts.

Because the scope will be misused, and the data will be given away. It's not like the US government doesn't have an extensive history of privacy & rights abuses.

Tasers were passed as an alternative to shooting a suspect, now they're used routinely for detainment. The various terrorism laws are now being used clearly outside the scope of terrorism (hackers, drugs, etc). The DMCA is being all kinds of abused outside its scope.

This is what we're rightly-concerned about.

The "purpose" is to fill an NSA datacenter in Utah through voluntary, liability-free sharing, and to make defense contractors rich. Nobody wants to let the NSA siphon their data because they got sued last time. This bill is a liability shield, so even companies not really interested in sharing all that much are dumb to turn it down.

Edited to add: The NSA, in cooperation with the DHS, has been running the pilot program related to this for several years. AT&T, the largest non-defense contractor throwing money at this, is helping them. There are billions in government contracts and quasi-regulatory-capture (note the language about certified cyber security providers) waiting to change hands over this. Then everybody can share with the NSA, customers lose all rights, and don't even know its happening. This is a legalized version of the warrantless wiretapping scandal.

The Democratic (note before you yell: I am one of those) alternative to CISPA is the one designed to make defense contractors rich. It created a stratum of professional service firms more or less deputized by the USG to conduct mandated audits on private-sector systems determined by some process within the USG to constitute "critical infrastructure"; it was, in other words, a giveaway to Raytheon and SAIC.

False dichotomy. Dems are just as bad obviously. The original CISPA was "bipartisan".

Actually, it's the opposite. The original CISPA was the free-market deregulating alternative to Rockefeller. It's taken on more bipartisan support over the last year (but that's now receding, I think due to the climate in DC).

You're right that it's not a dichotomy; I'll try not to portray it as one (as much --- the failure of CISPA does set the Democrats up for another bite at the apple on their proposed regs, which are OMG worse).

CISPA had a democrat co-sponsor the first time around is what I mean. Dutch whateverwiththelongname.

For what it's worth, that guy is preposterousness incarnate.

What valid purpose? The Internet does not need more regulation. The FBI/CIA do not need easier access to everyone's communication. Please demonstrate what the threat is requiring FBI and CIA to read my emails and access my entire browsing history.

Let me guess... "Terrorism."

The Internet absolutely does need more regulation. I disagree in principle that regulation is bad, but I also think that simply saying "quit regulating" is myopic. Regulations exist, and refusing to touch them because we're afraid of "more regulation" just leaves them dysfunctional.

For example, right now due to the lack of clear regulations concerning digital storage, a lot of law enforcement agencies believe that they can legally access people's personal email without a warrant. This should be corrected with a clear law that says you need a warrant, since the 4th amendment's talk of being secure in "papers" is too vague.

There's good regulation and bad regulation. "Less regulation" is a good sound byte, not a good strategy.

There are already regulations in place to protect people against unwarranted searches. There's nothing in those laws that even suggests "this doesn't apply to personal email".

This is just scaremongering combined with a deliberate abuse of power on order to trick a compliant public into even more repressive laws.

This is not about less or more regulation, this is about burying new regulation removing people's rights hidden unnecessary fake regulation.

Useful new regulation regarding the internet is very, very rare. 99% of it is a cover for something else.

And of course the biggest giveaway is that internet should have lead to less regulation, because all kinds of physical restrictions no longer apply or are impossible to enforce. But we don't see proposals for that, now do we?

What is repressive about enabling Yahoo to share Netflow information with Verizon and the USG during a sustained denial of service attack?

I don't recall seeing a definition of a "attack" when I skimmed the bill. Since every website is always under "attack", what's to stop a company from handing over everything, all the time?

My understanding of the situation is that the government has taken the position that warrants are only needed for e-mail that has been stored for less than 180 days. https://www.eff.org/deeplinks/2012/11/when-will-our-email-be...

> For example, right now due to the lack of clear regulations concerning digital storage, a lot of law enforcement agencies believe that they can legally access people's personal email without a warrant.

CISPA has no intention of stopping this. Quite the opposite really. The vague wording and hush hush push to get this passed gives rise to the idea that CISPA is a tool to force more of this kind of behavior not stop it.

>The Internet absolutely does need more regulation

Really? That's a scary thought.

I'm not sure I'd call it "more regulation" - the purpose of this law is to disable in certain cases the regulations that prevent data sharing. In a way, it's less regulation.

I haven't read and understood the whole bill honestly, but the first paragraph: "The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with PRIVATE-SECTOR ENTITIES AND UTILITIES and to encourage the sharing of such intelligence."

This would allow the USG, which operates the largest IT department in the world and the largest computer security team in the world, to share malware samples and vulnerability data with private companies, instead of the current state of affairs, where we can safely presume the USG often must sit back and watch as people get owned up by attacks they've been aware of for months.

That sounds extremely difficult to buy. Does there really not exist any legal avenue in which USG could hand over the pertinent data to the authorities? Why is it that Google (as it has claimed) can hand over thousands of e-mail accounts' contents to various 3-letter agencies but USG cannot hand over samples of malware.

Because malware and attack signature might be classified depending on how they were collected.

In the general case, I really wish we could agree to not try to argue factual or legal matters according to vague notions of "common sense." I feel like a lot of these types of discussions on HN quickly devolve into one person stating a fact, and the other person saying "that doesn't seem right." Lots of things that are factually true don't match your or my conceptions of how the world should work.

Google hands over email addresses based on court orders and (less frequently) warrants.

It is not reasonable to run a security response group that needs to get a court order every time an incident occurs.

    Google hands over email addresses based on court orders and     
    (less frequently) warrants.

So, the authorities have the resources to request user data by the numbers 14,000 and above from just Google alone for Gmail accounts [1]... and you're telling me we need more cyber security bills to make it even easier for them. Don't you think they already have it easy enough? I'm still skeptical about your claim that presently there exist no means for USG to legally hand over malware samples to the authorities in existing legal frameworks. Can you provide some citation that talks about this?

[1] http://www.google.com/transparencyreport/userdatarequests/ -- it should be noted that Google complies with the requests a majority of times. Also, it is reasonable to assume that it is mostly American gov't agencies who make up for most of the requests.

The bill isn't about user data!

Even if you think it is, you're not addressing the concern, which is that regardless of what the situation is with user data, it is difficult for private companies to share operational intel with the USG, and even more difficult for the USG to share operational intel out.

Argh, you're describing two entirely unrelated scenarios. And tptacek has explained this many many times already; I've read half a dozen explanations by him in HN comments in the last 3 days alone. Disagree with his suggestions for what we ought to do, sure, but at least try to understand what's going on before you make snippy comments.

If the USG thinks John Doe is a criminal, they can go after his data via various avenues, including warrants, subpoenas, NSLs, blah blah. This is one situation.

A separate situation is that Google thinks there is crime afoot, and wants to report it, but they cannot meaningfully give any information to law enforcement because of privacy laws.

It's like if your business got burgled, and you let the cops into your business to collect evidence, and while doing their job there they find out that John Doe is one of your customers, and that he visited your shop on July 9th, or something, and now you committed a crime for letting the cops know about John Doe.

I'm not saying CISPA is a good idea or a bad idea. (And I think various people have raised some legitimate concerns.) I'm saying that you should try to understand what it's permitting; it's not giving the USG new abilities to force their way in to read user data, it's giving victims of crime permission to take certain actions to fight crime. (Maybe we shouldn't give them those permissions, though.)

And by the way, it might be reasonable to make assumptions about how many of those transparencyreport requests are USG agencies... EXCEPT that the same *@$% page you linked has actual numbers, that prove your assumption wrong. In the most recent 6-month reporting period, 21,389 total requests, 8,438 of them (40%) from the USG.

Why are court orders unreasonable?

Because the tempo of incidents in a real security response practice is very high, orders of magnitude more than the temp of criminal investigations.

This is one of those places where I'd suggest you want to be careful what you wish for. Here's why:

If we can generally agree that there is a kind of operational network security data that should reasonably be shareable --- say, Netflow records corresponding to a DDoS in progress --- and that data is routinely generated, then requiring a court order to share it routinizes the court order process.

When you make a routine out of what was intended to be an exception, it stops being an exception. A court order is a demand from the state that someone do things. We probably want court orders to be on the "right" side of the base rate fallacy.

Perhaps a more strict definition of Cyber Threat Intelligence would help. If the definition was narrowed to exclude private data, that would go a long way. But doesn't the US-CERT already do this? What information would the US-CERT like to share that they cannot currently share?

I think people thing US-CERT is more important than it actually is because of its history, which included a long stretch where it was the only incident response team anyone had heard of. But in reality, US-CERT does very, very little: it is a clearinghouse for heavily redacted vulnerability information that has usually been in the mainstream for a long time.

Did you read the definition of cyber threat information in the bill? It's here: http://intelligence.house.gov/hr-624-bill-and-amendments

If so, I'd be interested in your ideas for improving the definition.

Thank you for the thoughtful comment.

What law stops the USG from sharing malware samples and vulnerabilities? What part of CISPA changes that? I don't see anything about this when I skim through the bill.

Sec 1104 (a) (1)

>If there are better scope and privacy controls, then what is the issue?

The issue is that there aren't. You can't argue that we should pass this bill because you believe some different bill would be less problematic. Get the Senate to insert an amendment with whatever language you're talking about and show a page on eff.org explaining how the amendment addresses all of their concerns, then you can make that argument.

What are the scope restrictions and privacy controls you feel the bill is missing? (If you think I'm about to hit you over the head, know that I think the bill is also missing controls.)

To give a couple of examples: The exemption from liability should be default deny rather than default allow. Don't exempt everyone from everything, make a list of the things you feel are problematic, explicitly enumerate them in the bill and don't provide an exemption from anything else. At least that way we know what we're getting ourselves into -- I don't think the intention is to allow corporations to be exempt from liability for dumping toxic waste in the rivers or releasing information previously required to be kept private to foreign governments that directly leads to the deaths of dissidents, but if they can justify a good faith cybersecurity purpose in doing so, that's what the existing language seems to allow.

The other issue is that the exemption encompasses not only information sharing, but any "good faith" action taken based on the information. I understand what they're going for there. If some law prohibits sharing information, it probably prohibits use too, which would get in the way of what they're trying to do. The problem is, again, that they're not talking about specific laws. So if they respond to the information by hiring Blackwater to raid what they believe to be the attacker's home, no liability? That's not OK.

This is an extremely smart and thoughtful comment. I can't find much in it to disagree with --- you could argue that the US Code shouldn't nail down specific kinds of network security attacks, because in 10 years there will be 10 new kinds we didn't think of, but there's nothing wrong with baby steps either.

Agreed. There are valid reasons for the bill(mostly around giving agencies the ability to do their jobs in the digital age without unnecessary restrictions). Also, there's that whole issue of having the ability to do something about cyberterrorism(which is happening today by the way). The implementation may not be sound, but something does need to be done.

The CIA and FBI need to be able to research and distribute malware. The government needs to have a way to do something in cyber warefare scenarios. This is why the bill has so many supporters.

My guess is that big businesses are supporting this(Google) due to them having been bit by state sponsored attacks in the past(http://world.time.com/2012/06/06/google-warns-gmail-users-of...).

>something does need to be done.

Can you elaborate on why that is?

"Something must be done" is the refrain of private defense contractors seeking new revenue streams following the tapering off of our most recent foreign excursions. "Cyber war" is total B.S. It's just taking the same industrial espionage issues that have existed forever and adding "on a computer" to it in order to increase the hype level.

There are a ton of things the government could actually do to help with information security. Some of them are even in the bill -- I don't think anyone has a problem with government providing threat information to the private sector. Or how about more funding for security research. Incentives to implement protocols like DNSSEC.

But there is no excuse for exempting corporations from all privacy laws using extremely vague language. The problem with this bill is very much the implementation rather than the intent, but "good intentions" are no justification for bad legislation.

> "Something must be done" is the refrain of private defense contractors seeking new revenue streams...

TechDirt points out a key Congressman's wife is in security contracting, an industry very interested in the outcome of this bill:

... as we've noted all along, all attempts at cybersecurity legislation have always been about money. Mainly, money to big defense contractors aiming to provide the government with lots of very expensive "solutions" to the cybersecurity "problem" -- a problem that still has not been adequately defined beyond fake scare stories. Just last month, Rogers accidentally tweeted (and then deleted) a story about how CISPA supporters, like himself, had received 15 times more money from pro-CISPA group that the opposition had received from anti-CISPA groups.

So it seems rather interesting to note that Rogers' wife, Kristi Clemens Rogers, was, until recently, the president and CEO of Aegis LLC a "security" defense contractor company, whom she helped to secure a $10 billion (with a b) contract with the State Department. The company describes itself as "a leading private security company, provides government and corporate clients with a full spectrum of intelligence-led, culturally-sensitive security solutions to operational and development challenges around the world."

Hmm. Sounds like a company like that would benefit greatly to seeing a big ramp up in cybersecurity FUD around the globe, and, with it, big budgets by various government agencies to spend on such things.

-- http://www.techdirt.com/articles/20130417/16253022748/oh-loo...

Of course, now it's up to the Senate.

Incidentally, not to get me started on another topic that will result in 18,000 new comments from me, but DNSSEC is a boondoggle that won't help the Internet and is a massive favor to the largest registrars. We should be thankful that we dodged the bullet of a bill that mandated DNSSEC.

It seems like your argument is that TLS is better than DNSSEC, so use that instead. But how is that better than using both?

I'll give you that DNSSEC is imperfectly designed, but given that it hasn't been widely deployed, why not just make DNSSECv2 which addresses the concerns (like have the end user device verify the signature)?

TLS isn't simply better than DNSSEC: DNSSEC still requires TLS. If you use just DNSSEC, and you stipulate that DNSSEC does what it's supposed to do (spoiler: it doesn't) then all you've done is protect your DNS lookup. So TLS is a non-optional component in the web stack even in the very unlikely event DNSSEC is deployed.

So the problems with DNSSEC then boil down to:

* TLS isn't designed to depend on the security of the DNS. How you know that is, TLS works today, and nobody uses DNSSEC. So if everything needs TLS anyways, why forklift in a new DNS when we could instead work on making TLS better?

* DNSSEC actually degrades the DNS. In a couple ways. First, DNSSEC changes the security model of DNS records; they're now signed, but also they're public. For a long time, DNSSEC advocates claims that DNS records were always public, but that's clearly not true; try to dump Bank of America's zone files. When the advocates lost the argument, they introduced a grotesque hack that turned DNS zones into crackable password files (this is "NSEC3"). That's just one example; there are better examples.

There is a proposed alternative to DNSSEC that I like: DNSCurve. DNSCurve gives up on the idea of signing DNS records and instead just allows any DNS client to create a secure connection to any DNS server. That's a totally sane improvement to the DNS which inexplicably isn't included in DNSSEC (your DNS lookups in a DNSSEC world are still unprotected!). We should do that instead of DNSSEC.

>So if everything needs TLS anyways, why forklift in a new DNS when we could instead work on making TLS better?

For one thing, not everything uses TLS (even if it should). TLS normally requires support by the application, securing DNS could be done in the OS. You could fix DNS and have at least that fixed even for all the legacy applications that nobody is ever going to update to use TLS. It would also make IPSec easier to deploy to the same effect because it would allow the DNS to be used for key distribution. And likewise for distributing ssh host keys.

I'll give you that DNSSEC is poorly designed, but I don't necessarily want "DNSSEC" in particular, I'm just looking for something that allows client devices to securely verify DNS query responses. Does DNSCurve do that? The Wikipedia entry doesn't clearly distinguish whether it's securing the connection to the server or the query response. In other words, does DNSCurve allow you to detect if your ISP's DNS resolver is compromised?

That is exactly what DNSCurve does, and is something DNSSEC does not do.

See, this is why I like this place. People who can teach me things. OK then, so why haven't we deployed DNSCurve?

That's interesting. Have you (or someone else) written about the issues with DNSSEC somewhere? It always seemed to me that the role of the registrars wouldn't change much.

I've written a lot about DNSSEC, but we tore the blog down so I can't cite it; the best I can do is:

https://news.ycombinator.com/item?id=4071178

"giving agencies the ability to do their jobs in the digital age without unnecessary restrictions"

Personally, I would happy to see less power given to law enforcement agencies. Maybe a quid pro quo: we let them access communications more easily if they stop using soldiers to do police work.

"that whole issue of having the ability to do something about cyberterrorism"

Something like this?

https://en.wikipedia.org/wiki/Operation_Sundevil

Do you really think we need another E911 document prosecution in this country?

"The CIA and FBI need to be able to research and distribute malware"

They already do that. What does CISPA add?

Do you see the contradiction here? Google pulled out of China a few years ago because Chinese government was supposedly doing shits like this. Google followed its unofficial "Do not Evil" motto. That's cool. Then this time it is OK for the US to do the same?

I think you misunderstood me. I wasn't saying the govt. should be allowed to conduct cyberwarfare. However, they should be allowed to conduct investigations into cyberwarfare and protect it's citizens against it. That's one of the major intents here. The FBI and CIA can not work together on investigations when it involves doing something like working with private entities to share maleware or explore attack vectors. To be clear, they can't even do whitehat things today that private citizens are allowed due to regulatory restrictions. I'm not saying this justifies cispa. It doesn't. But, it does help frame the discussion in a productive way.

No problem. Maybe just me (perhaps quite some people here as well) had a high expectation over Google. I thought Google pulled off that stunt from a human right stand, rather than from simply being patriotic to the USA. GOOG has much more resources than Elon Musk to do lots of stuffs meaningful for the greater good of human being.

Any control over the content on the web is inherently bad, regardless of what the media tells you.

Actually... Why do they want to pass this bill in the first place?

I mean... The things they want to do are comparable with monitoring all phone calls. Listening to all phone calls and trying to catch dangerous words in the conversations. Why nobody tried to do this with phone calls, but now they try to do this with on-line messaging and social networks?

What CISPA purports to do is not comparable with monitoring all phone calls. Where, in the text of the bill or any of its amendments, do you find support for the concern that the law would be used that way?

They don't have to say those exact words pre se. All they have to do is keep the wording vague enough so that those actions can be justified.

In what words in the law do you find refuge for mass collection of the texts of online messages?

They dont need it. Look at the FBI's Carnivore Program, now obsolete. All they needed was a warrant (or, nowadays an NSL) to do so. Just because its not explicitly stated does not mean it cannot be a reality, justified by vague wording and obfuscation.

If the text of the bill doesn't matter, why does the bill matter? If they can do whatever they want, why protest this bill?

This seems like a generalized concern about the government's practices rather than a specific concern about CISPA.

Well of course it is.

All CISPA is, is the next logical progression of the totalitarian[1] state. It harks back to the Patriot Act. There was an event of terror. Therefore there must be "terrorists" out there and we really need protection from them. So much so that we are willing to surrender our rights to a fair trial.

CISPA is the same thing. It focuses on one instance, or issue and abstracts peoples actions away from that to make it seem like something they'll never have to deal with. Case in point, no one thinks that they'll be detained and held without trial, but that still doesn't mean the government can't do that.

[1. http://en.wikipedia.org/wiki/Totalitarianism]

You could make the same argument about any law. The point is that makes it a weaker argument, not a stronger one.

Could be this?

http://www.techdirt.com/articles/20130417/16253022748/oh-loo...

Yep, and that's just the tip of the iceberg.

Because text analysis is very easy compared to audio analysis.

Check YouTube's transcriptions. They suck.

Well. That's obvious.

The question is if we need it, and if it won't be abused?

I think we were doing pretty fine without monitoring phone calls, so why do we want to monitor on-line services? Because it's simpler is not a good answer.

> The video is clearly meant to be less than totally serious - it seems unlikely that Ohanian, himself a prominent figure in the tech world, would need to resort to trying to talk his way to Page through Google's public phone number...

I realize that the author probably meant that Ohanian would have connections who might have connections who would have Larry Page's phone number, but the wording of that briefly made me think that the author thought there was some secret phone book you get when you cash out your popular startup for a certain amount.

Here's the petition: http://www.saveyourprivacypolicy.org/

If only Aaron Swartz was still alive.

Hopefully Namecoin will see some more development out of this: http://reddit.com/r/namecoin

I would have a beer with that guy.

Why does this only have 73,000 views on YouTube?....

freaky moves in the last part

well the market just went uptick for the encryption products/services :P