Unite with Namecheap in the fight against CISPA (namecheap.com)
86 points by ted0 on Feb 16, 2013 | 27 comments


Wait, is this year's CISPA dramatically different than last year's? Because if it's basically the same bill, this is a profoundly dishonest campaign.

2012's CISPA:

* Did not provide the government with any capability to shut down traffic

* Explicitly rejected enforcement of intellectual property, going so far as to remove IP from a list of assets protected by the bill

* Created an entirely voluntary opt-in mechanism for companies to share information about attacks

* Limited the information shared to attack data, and provided a definition in the law for what "attack" meant that did not include piracy

CISPA 2012 was not a "warmed over SOPA". SOPA was so much more intrusive than CISPA 2012 that it is strange to even compare them.

So, is CISPA 2013 much worse?


Organizations ranging from Mozilla and the ACM, to the EFF and ACLU, to grassroots activist groups of the left and right didn't share your casual confidence in the reasonableness of 2012 CISPA.

http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...

Their analysis was that once a determination of a 'cyber threat' was made and shared, private communications and other data that would usually require stronger cause could (and probably would) then be handed over ('shared') on government request. The words "voluntary opt-in" are not reassuring, if it's a service provider opting-in customer data to law-enforcement, disregarding traditional expectations of privacy or even explicitly agreed terms.

When you say 2012 CISPA "remove[d] IP from a list of assets protected by the bill", they could only 'remove' it because the original draft had it in. And, that's the sort of insider-wishlist-item that can be re-added as the bill progresses, or perhaps even interpreted-back-in when the bill contains vague language.

The 2013 language includes in its definition of covered 'cybersecurity crimes': "a violation of any provision of title 18, United States Code, created or amended by the Computer Fraud and Abuse Act of 1986 (Public Law 99-474)."

That's the same CFAA as used in the recent prosecutions of Swartz and Auernheimer. It has the open-ended "exceeding authorized access" and "obtains anything of value" language that lets the violation of terms-of-service and unauthorized acquisition of commercially-valued copyrighted material become serious federal crimes.

Advocates of new security powers tend to portray their scope as small and reasonable, before passage, but then manage to find a more expansive interpretation, when it behooves them after passage. Because such bills keep changing and stretching, I tend to trust the EFF and ACLU, who will actually litigate cases under the enacted legal regime, about the bill's likely effects.


Noting all the concerns about privacy, it is still intellectually dishonest to compare it to SOPA, with which it shares literally nothing.

But that is not particularly surprising because Namecheap cares more about getting people fired up to switch their domains to Namecheap, than they do about being an honest participant in the legislative process.


Sure, it's not the 'same as' SOPA, nor is it SOPA renamed/resuscitated. But CISPA shares an aspect giving law-enforcement new powers that may be expansively used, without judicial hearing, against anyone identified as a 'cyber threat' or engaging in 'cybersecurity crimes'.

And CISPA does this via a similar mechanism: broad immunity for those non-governmental service providers who 'voluntarily' do what law-enforcement may only informally advise. That's an elastic clause that can look innocent in the text but be nasty in practice.

So there are enough similarities in mechanism and feared effect that analogizing it to SOPA is within the bounds of fair discourse. It's the same approximate way of speaking we see in headlines that say "Mexico is the new China" or "Facebook is the new Google"... similarity in an important aspect, not all important aspects.


No, it doesn't give law enforcement any new powers. This is an example of the misinformation about this bill.


Mere contradiction -- "No, it doesn't" -- isn't convincing.

Your argument doesn't pass a simple-logic smell-test: why would law enforcement want this, if it doesn't give them any new capabilities?

Organizations that are expert in the legal implications of such bills, like the EFF and ACLU, disagree with you about the effect. Their concern is that under CISPA, "these combined power and immunity provisions would override existing privacy laws like the Wiretap Act and the Stored Communications Act." [1]

Imagine there were a law which said, search and seizure without a warrant or probable cause is bad, but any evidence so collected is always admissible in court, and law officers who collect such evidence may never be disciplined in any civil, criminal, or administrative fashion. That creates a de facto new power, because it shifts all the incentives, and agents may then search and seize with impunity.

The concern of the EFF and the ACLU is that CISPA does something similar. It sets up a system where doing the federal government the 'voluntary' favor of sharing information -- even in contravention of other laws or contracts that could create liability -- is always the safe and easy course. So, agencies wind up collecting far more info than people expected to be private.

There's an old joke that "national security" is the root password to the Constitution. Well, CISPA makes "cybersecurity threat" the root password to every private service-provider data set.

[1] https://www.eff.org/deeplinks/2013/02/cispa-privacy-invading...


Carefully read the EFF link you posted. It does not say that CISPA gives law enforcement any new powers. Their objections to the bill center around the privacy implications of giving private companies liability protection if they choose to share data with the government.

The language of CISPA explicitly prohibits the government from using such protections to force companies to give up data. Again--read the EFF article. It does not even use the phrase "law enforcement" at all, nor the word "force". The only usage of the word "power" refers to the power of private companies to collect data related to cybersecurity (which of course they already do).

The EFF is right to raise questions about privacy in the context of cybersecurity coordination. Where I part ways with them is that they seem to have taken a maximalist approach that any and all sharing of data is wrong and should be prevented. I happen to think that there is a role for the federal government to help coordinate cyber threat information.


I've read the EFF write-ups, the 2013 proposed bill text, and other sources carefully.

If after CISPA, federal agencies can receive more private data than before – in ways that were previously prevented by liability under the Wiretap Act, the Stored Communication Act, contractual obligations, and other court precedents about expectations of privacy – then that's a 'new power' for law enforcement. Even if the way the new power is created is indirect, through immunized information 'sharing'.


I guess we'll just have to disagree about the meaning of the phrase "law enforcement power." SOPA would have given law enforcement a legal right to compel certain behavior. CISPA does not grant any right to compel behavior.


This bill is nothing like SOPA and whoever is campaigning on this basis is doing a massive disservice to themselves because people can tell the difference.

CISPA is just a continuation of clear "wiretapping" landgrabs by the US Federal Government, in this case using the basis of "cybersecurity". The US government have been trying to do this for decades and they will almost certainly succeed, no matter the resistance.

What is new is that it seeks to indemnify specific third parties who wiretap or even hack on their behalf.

As for the current version of the bill (H.R.3523.RFS), apart from the obviously broad language, there is only one section, on the use of information, that I would be greatly concerned with if I were a US resident, Section 2.C.1 (specifically part A):

LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)--

(A) for cybersecurity purposes;

(B) for the investigation and prosecution of cybersecurity crimes;

(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;

(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or

(E) to protect the national security of the United States.

What does "(A)" mean and why is it present when both "(B)" and "(E)" are already present? Without further highly specific legal binding, "for cybersecurity purposes" is far too broad an entry for the use at which the information may be put!


Exactly how would CISPA indemnify a company that hacked on its behalf? Obviously I'm asking because I think there is no way that it does.


Section 2.B.1:

SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and

(ii) share such cyber threat information with any other entity, including the Federal Government.

Section 2.B.4:

EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--

(A) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or

(B) for decisions made based on cyber threat information identified, obtained, or shared under this section.

1. The key phrase "Notwithstanding any other provision of law" allows those parts of the bill to ignore all other laws.

2. "EXEMPTION FROM LIABILITY" subsection could not be any more clear.

3. "use cybersecurity systems to identify and obtain cyber threat information" is such broad language as to mean almost anything, especially in context of software.

But we're getting side-tracked, imo. At this point, I would not even try to prevent the US government getting whatever information it wanted, however it wanted - third party or not. The key is what they are allowed to do with it after they have it...


"Cybersecurity systems" are intrusion detection systems. It's a ludicrous misreading of the law to suggest that you can call a zero-day exploit a "cybersecurity system" that you've deployed "preemptively" against a threat. To see why, reframe: anybody running an exploit against any system could make that claim. It clearly does not mean that.

The term is defined later in the bill.


> For each Tweet or Facebook share about this threat, using the buttons below, you will increase the amount donated to the EFF foundation by $0.10.

My god they are working this thing to their benefit. That is just really really good marketing.


This is something new; a combination of marketing, propaganda, and demagoguery. Namecheap says that "If CISPA is passed, the US government gains the power to shut off Internet traffic." That's wrong, and so provably wrong that it may be a lie. The bill is here: http://www.govtrack.us/congress/bills/112/hr3523/text There isn't a word in there about shutting off Internet traffic. More reputable sources--like EFF, for whom Namecheap is fundraising--don't make that outrageous claim. Namecheap is trying to make a buck off the gullible.


EFF made a series of outrageous claims about CISPA. If all your information about CISPA came from EFF, you might indeed think that CISPA was an attempt to reintroduce SOPA.

EFF is not a trustworthy source of information about CISPA. I believe they're using it as a vector for fundraising. They're certainly not trying to educate about it.


Can you provide more detail about the "outrageous claims about CISPA" made by the EFF? (That's a strong accusation without details.)



Are you saying that whole FAQ is 'outrageous claims' about the 2012 CISPA, or can you highlight the most 'outrageous' claim? Has anyone written up an explanation why?


Namecheap's claim seems overly definitive, but after a quick skim I think one area of concern might be the proposed new Section 1104(b)(4)(B), granting everyone involved civil and criminal immunity "for decisions made based on cyber threat information identified, obtained, or shared under this section."

That's a vague and broad grant that might enable many abuses: essentially, a government agent might say, "we'll share cyber threat info with you if you promptly turn off the threats we point out, and you'll be safe from any liability... or you can refuse to coordinate with us, and risk prosecution without this immunity". I would welcome more clarification from a legal expert with CISPA concerns.


It's not any different than the marketing that companies on the other side of these bills use to get public support for them. It's a game of lies and honesty doesn't pay.

I'm just glad to be using a company that is consistently (thus far) on the right side of this issue.


My 13 year old son, who is not exactly a lodestar of ethical and moral judgement at this point in his development, understands intuitively that other people's lies do not actually build a space for him to comfortably fill with his own lies.


If you think I'm approving of the practice, you're wrong.

They're doing it though because it works and because there is no likelihood that they will actually be held accountable in a way that affects their bottom line.

We're talking about marketing here. Truth has no place in marketing. If your truth has any impact, you wouldn't need to market.


Short version: "Buy my stuff and I'll donate to a good cause".

Disclaimer: I love and use namecheap and think they're one of the best registrars. But this is a cheap marketing pitch.


It's actually "spread my stuff" rather than "buy my stuff".


This has been all over HN the past 24 hours [1]. Namecheap (and I use them) is starting to get known for this sort of marketing. They were ALL over reddit when SOPA was the big thing. Maybe drop a marketing person and improve their email/mobile experience?

[1] http://www.hnsearch.com/search#request/all&q=namecheap


Namecheap is beginning to look bad in my eyes with all this.



