229 comments

[ 2.9 ms ] story [ 242 ms ] thread
America continues the slow spiral down the drain. Good luck folks.
Rand should filibuster everything until a CISA removal bill is passed.
If only Rand was a robot that didn't need to eat, sleep, or piss. :/
How this happened [1]:

In a late-night session of Congress, House Speaker Paul Ryan announced a new version of the “omnibus” bill, a massive piece of legislation that deals with much of the federal government’s funding. It now includes a version of CISA as well. Lumping CISA in with the omnibus bill further reduces any chance for debate over its surveillance-friendly provisions, or a White House veto. And the latest version actually chips away even further at the remaining personal information protections that privacy advocates had fought for in the version of the bill that passed the Senate.

Snowden's comment on this:

Shameful: @Facebook secretly backing Senate's zombie #CISA surveillance bill while publicly pretending to oppose it. https://t.co/du7RK7V1WJ — Edward Snowden (@Snowden) October 25, 2015

[1] http://www.wired.com/2015/12/congress-slips-cisa-into-omnibu...

If the USA Freedom Act was 1 step forward for privacy (also debatable if even that), this is 5 steps back.

The US really needs to break away from its 2-party system, and the only way to do that is to kill the FPTP voting system. Otherwise, Americans will never have real choices for stuff that really matters.

I'm not convinced that even a flat popular vote wouldn't have supported CISA.

Maybe this is just the generation of internet users who are willing to trade other people's freedom for their own security, given the chance?

Can someone explain why/how the CISA portion of the bill can or can't be removed later?
Not by any likely means.
What are you asking exactly? In order to be attached to the bill, the amendment must be approved by a majority of the chamber. So that means it's already garnered support from congress, and congress is unlikely to take it off again before voting on the bill as a whole. Once it passes congress, the only way for it to be defeated would be for the president to veto the enormous budget bill based only on the amendment, which he is very unlikely to do (even if he did disapprove of CISA, which I don't think he does).
I think he means, while they approved the bill, warts and all, that doesn't mean everybody likes all the warts. (Although it is congress, so we have to assume they DO like warts... but let's put that aside). He's asking if they can come back and remove some of the warts, essentially, in a separate action at a later time.
But a majority of congress did like the wart. That's why the amendment adding the CISA text to the omnibus bill passed, and that's while it's very unlikely to be repealed later.

(Of course it's possible to repeal it later, as is true for all laws; they didn't pass a constitutional amendment.)

The public-choice situation as I understand it is that CISA was a bill that concentrated interests (large tech companies) liked but which the public as a whole did not like (insofar as they bothered to know about it). The key to passing such a bill is to minimize publicity and bundle it with a distraction.

Both CISA and PCNA passed with large amounts of publicity and long review periods.
OK, I don't necessarily disagree, but why tack CISA onto the omnibus budget bill if not to avoid publicity? There was no compromise justification (i.e. no argument that CISA + budget bill would pass even though neither would pass alone), correct?
It's the end of the year and they're trying to get shit wrapped up. CISA and PCNA weren't controversial except on message boards. They passed with overwhelming support, positive media coverage, and the overt support of the President.
Although I'm happy to admit that there was no major public pushback against CISA because no one in the public cared, I'm not convinced that it had public support or positive media coverage. I typed "CISA" into Google news, and these were first articles and opinion pieces that came up on the mainstream (not tech-related) news sites. (I couldn't find any positive publicity at all.)

--

Washington Times: "ISA cyber bill squeezed into omnibus spending plan | Lawmakers have contentious cybersecurity legislation into an omnibus spending plan..."

http://www.washingtontimes.com/news/2015/dec/16/cisa-cyber-b...

Huffington Post: "Congress Ties Controversial Cybersecurity Bill To Key Spending Package | And critics are not happy about it."

http://www.huffingtonpost.com/entry/cisa-omnibus-spending-bi...

The Guardian: "Congress just revived the surveillance state in the name of 'cybersecurity'"

http://www.theguardian.com/commentisfree/2015/dec/16/congres...

CNN: "Congress, don't be fooled by cybersurveillance bill"

http://www.cnn.com/2015/12/18/opinions/polis-cybersecurity-l...

International Business Times: "Controversial Cybersecurity Bill CISA Passes House, Takes One Step Closer To Becoming Law"

http://www.ibtimes.com/controversial-cybersecurity-bill-cisa...

Washington Times: "Lawmakers line up to complain about last-minute inclusion of cyber bill CISA in omnibus"

http://www.washingtontimes.com/news/2015/dec/17/lawmakers-li...

All of these stories are just press hits for people like Amash and Wyden, whose PR strategies involve courting Internet privacy supporters.

There's nothing at all wrong with that.

Certainly, even when I disagree with them, I'd rather read Wyden and Amash talking points than hearing about why we should kill the families of ISIS members. And I mostly agree with Wyden!

But it's just worth remembering that no matter what had happened with CISA and PCNA, there were always going to be these stories. You take press hits when you can get them, and these were lay-up press hits.

The House and Senate bills passed with overwhelming support and significant media coverage, and Obama backed the bill. Nobody is hiding.

Replying to tptacek: OK, but I think everything you said is consistent with no one in public having any idea or caring. This was "out in the open" in the same way that essentially all regulations that benefit a concentrated interest with diffuse costs do (like most pork). It's just ignored by the public.

Anyways, sorry to drag this out. I don't have anything more productive to add. I appreciate your insight here.

He has in fact publicly campaigned in favor of CISA.
The law is not append-only. Bills can add and remove anything to/from the current body of law previously passed by the legislature (as distinct from the Constitution—there's a more complex procedure for ammending that—and as distinct from executive branch regulations—which can be effectively neutralized [requiring an executive rewrite] by legislation banning programs or actions or by denying funding, but Congress cannot directly rewrite exec regs). Congress rarely removes anything because there's rarely a benefit to the representatives to remove existing law. Special interests prefer exceptions carved out rather than striking out broad provisions that are currently active.
It's useful to note that Paul Ryan gained his position by saying shady backroom deals like this, plus giving Congress almost no time to read and think about the bill themselves, were the exact things he promised to stop.

So his very first act as speaker is to break every single promise he made to become speaker.

It's useful to note that Paul Ryan gained his position by saying shady backroom deals like this, plus giving Congress almost no time to read and think about the bill themselves, were the exact things he promised to stop.

He did? I thought he got the job (after much cajoling) because he was the only candidate the moderate and right wings of the GOP could agree on.

Yes. He had to be courted; the House Freedom Caucus had to make concessions for him to accept the job. The modal HN user has either a DailyKos or RedState (mostly Kos) understanding of US politics.
What concessions did they make? It was the other way round, he made a list of demands and they said no and then proceeded to not-endorse him.
The Freedom Caucus killed Kevin McCarthy's bid, even after it had been seen as a fait accompli, and made a list of demands for candidates for the speakership. Paul Ryan publicly rejected those demands, and was elected speaker without any of the process change demands that Freedom had said were requirements.

The idea that Ryan got the speakership through backroom deals is false. The House majority was in disarray following the sudden departure of Boehner and the failure of McCarthy's bid; the political media at the time was discussing how long the House could run without a speaker and what kind of rift the debacle would create in the GOP. Ryan was more or less drafted into the position.

They didn't endorse him, did they? He also made a list of demands in order to run, and when his demands were rejected, he ran anyway. Saying they made concessions is a strange way of putting it.
I don't think I meant to imply that Freedom "endorsed" him.
The Freedom Caucus killed Kevin McCarthy's bid

McCarthy killed his bid with one interview on Hannity where he implied that he had helped orchestrate the Benghazi committee as a means to take down Hillary. That was the slip-up that gave the Freedom Caucus the necessary leverage they needed.

Other than that, I agree with your understanding of how Ryan became Speaker.

Drudge and the conservative media has been all over him for this. They're calling him a liar and a failure. Rush Limbaugh is calling for the disbanding of the Republican party over this. So I'm not sure how Kos figures in to this (FYI, I don't read Kos).
I feel like I'm living in a twilight zone episode. I don't think we're ever going to see an end to this and I think its going to get worse and worse and no one is going to notice until there really is no way out. I'm sick of seeing comments about voting bad / good lawmakers out / in. Clearly that doesn't work because most citizens don't give a shit because they're too stupid to understand what is happening. Even when you educate them they're so shell shocked by the news that they're willing to let the powers that be shepherd them into servitude. We're all megafucked. Just wait until trump worms his way into office and uses this to round up whomever he hates at the moment. Imagine if bush had this level of power when he made the comments about atheists not being real citizens... i'm genuinely worried about the future.
> Even when you educate them they're so shell shocked by the news that they're willing to let the powers that be shepherd them into servitude. We're all megafucked.

The shell shocked attitude that's followed by complacency is exactly, "We're all megafucked," possibly in other words.

It's exactly that attitude that we need to steer away from, no matter how grim the landscape looks. That's step 1 to change.

if correcting one's attitude is step one, what is step two? voting? what real victories have been won on this front recently? and i'm not advocating for extremism nor am i advocating for complacency, the game just seems stacked with zero possibility of change.
I have recently gotten involved in local government and local community-supporting non-profits. The US as a world power and example of virtuousness seems to be on its way to the dustbin, so I am focusing on protecting/making healthy my community.

If our local community can become strong enough, we may have a chance to survive to see what the next attempt at national/federal(/world?) government might look like.

It's one of the few ways I can think of to do something positive and legal. And non-violent.

A simplified way of looking at things is that politicans cannot simultaneously be "for the people" and above them. Perhaps way lower down on the totem pole but not in the big leagues.

As for not seeing the end of it, it's the same as TOS and software updates we receive on iOS, et al. Not many people look at the details, rather they just press OK. Attrition as an agent of change is much more effective than a full-frontal assault. https://en.wikipedia.org/wiki/Fabian_strategy

I'd love more reasons to hate Facebook, but is there any real sourcing for that? @Snowden seems to be linking to BoingBoing, who then links to Fight for the Future[1], which just claims secret sources. OK, but are they known to historically have had accurate secret info?

Their landing page has this quote "If CISA passes, all your photos, posts, relationships, and likes will have a path to government databases." Which, from what very little I understand, is not quite true. At a minimum, "government databases" already have such a path via subpoenas, NSLs and such right?

I want to believe FB is worse, yes. I'd just like a more convincing source to give people.

1: https://www.youbetrayedus.org/facebook/

FB made it seem as if their CEO was donating his wealth to charity, even though his wealth was going to a private LLC. Most people believe Zuckerburg is a saint and just know the story propogated by the PR firms.

People are not going to distrust a [free] service they use daily, they'll give FB benefit of the doubt, time and time again. It doesn't matter how good the source, today's users are addicts.

The bill was online for two days before voting. I looked at sections of it. Any Congressman could have read in advance. It was very long and had lots of number amounts. Only an expert could tell if these were increases or decreases.
Increases. There have been very few true "cuts" at the Federal level in the last few generations.

The secret is Baseline Budgeting[1].

If your agency got $100 this year, you ask for $110 next year and that becomes the "baseline." Now when the actual budget negotiations happen, you may only get $105. Most people would call this a 5% increase but instead they consider it a (roughly) 5% cut from the baseline.

This is how the government can claim they're "cutting the budget" while still spending more than last year.

For a bonus, imagine the above agency is sympathetic - like the food stamp program - and requests $200 next year. When some Congressperson says "No wait, you only need $110," they're accused of "cutting food stamps in half" and "wanting people to starve!" It's effective for tearing apart the other person, not effective for actually getting things done.

1 - https://en.wikipedia.org/wiki/Baseline_(budgeting)

you make it sound like the numbers are out of thin air.. but your link says:

Baseline budgeting uses current spending levels as the "baseline" for establishing future funding requirements and assumes future budgets will equal the current budget times the inflation rate times the population growth rate.

Sounds reasonable to me.

That's the idealized definition, yes. But in practice, that's not how it works.

There are one-time projects, ongoing programs, an ever-changing list of agency priorities, and - like any negotiation - groups start higher than they need so they have wiggle room. And yes, many of those things are out of thin air or completely arbitrary.

just so we're clear, you're claiming that the Congressional Budget Office -- which creates baseline budgets twice per year -- is operating outside of the Congressional Budget Act of 1974 (which requires it to create baseline budgets), and is instead creating budgets that are completely arbitrary.

That's quite a claim.

EDIT: Now that I think about it, you're clearing confusing budget requests with baseline budgets. Everything you've said applies to budget requests.. none of it applies to baseline budgeting.

I've specified "agencies" since my first comment, not the CBO. In the US, those are separate branches - executive vs legislative respectively - and use different approaches to build their "baselines."

CBO assumes the government continues current operations and applies the effects of new laws to create their baseline.

Agencies include discretionary spending to create their baseline.

All of this is noted on the Wikipedia page.

yes, I read the entire wikipedia article. Did you read it? Because it does not support what you're saying. You've made up a definition of baseline budgets that does not exist... it sounds like your version combines baseline budgets -- which are created by the CBO; and budget requests -- which are submitted by the various departments of the executive.

Baseline is defined by law. There's no made up definition or arbitrary budget.

Budget requests are not baseline budgets. These are two completely different things.

Other than the words he's using he's basically correct.

Agencies request more than they need so they can say their budget is being cut. That's like negotiations 101.

> Other than the words he's using he's basically correct.

Other than your words, you're basically correct.

There have been very many versions of laws similar to CISA that have been proposed, modified, and changed/passed/failed/delayed. When I try to understand exactly what this CISA version includes, most rhetoric I read is alarmist and not conducive to actually knowing what can and cannot be done under CISA.

Is there a digestible explanation of what this CISA entails?

https://en.wikipedia.org/wiki/Cybersecurity_Information_Shar...

The core problem is it lets major industry players like MS / Google / Apple give the fed access to all the personal info they record without investigators needing a warrant and with no liability on the companies part (ie, you cannot sue them for state disclosure of your personal info that then resulted in harm against you). It basically means do not be surprised when you are charged with crimes for "private" communications over facetime, hangouts, skype, or with email over hotmail / yahoo / gmail.

If you want slightly more editorialized takes on the terms, while the EFF and ACLU are obviously opinionated in this, I've never heard of them lying:

https://www.eff.org/deeplinks/2014/06/zombie-bill-comes-back... https://www.aclu.org/blog/beware-dangers-congress-latest-cyb...

Search without a warrant though sounds unconstitutional. Legislative arbitrage. Passed low key in Congress, Removed at high cost in the courts
I believe CISA is more about what the feds MUST do and what private companies MAY do. It’s incentivising the private companies to rat you out, not requiring that they do so.
And Room 419A shows us how that plays out in practice. Private companies get paid to break the law wih immunity.
Facebook or Google searching their own data isn't a search under the 4th amendment. All that data analysis they run on you is their data not yours.

Them searching your private messages/emails are (probably) a search but since they aren't government the 4th amendment doesn't apply. If government specifically coordinates that brings it under the 4th amendment.

But--here is the problem. Google (and I assume facebook) are already reading your email. They run algorithms and text searches on it. If I were DOJ I'd argue 1) that none of those messages are private since the companies are allowed to read the data whenever they want. 2) if not, then the indexing and analysis is definitely not private.

People should step back and realize this CISA only occurs when you already let companies violate your privacy.

> charged with crimes for "private" communication

TPP/TISA will create new "crimes" to be discovered. Would CISA cause data breaches to supplement legal fishing expeditions? That could incentivize rather than deter the market for mercenary data breaches.

> The core problem is it lets major industry players like MS / Google / Apple give the fed access to all the personal info they record without investigators needing a warrant and with no liability on the companies part (ie, you cannot sue them for state disclosure of your personal info that then resulted in harm against you).

As far as I know, they can already do that. And a lot of tech companies did.

What CISA does is explicitly formalize a voluntary arrangement for sharing 'cybersecurity indicators' and 'defensive measures' among government agencies and private companies.

There are, actually, explicit provisions for removing personal information and making sure that any indicators that do contain personal information anyway are deleted in a timely manner.

It's hard to gauge the accuracy of those links, because both of those are from 2014 and the bill has changed since then.

I think the strongest argument against the law is the potential for abuse, not anything actually in the law. Actually if you removed provisions 3, 4, and 5 on page 1766 I think it'd be a good idea, other than the fact it creates a system that potentially government agencies and corporations could abuse (in violation of the law, but who is going to call them on it?)

There is no way to have actually read the short text of CISA and come away with the conclusion that it "lets major industry players like MS / Google / Apple give the fed access to all the personal info they record without investigators needing a warrant and with no liability on the companies part".

No part of this summary squares with the text of the bill: not the kinds of information shared, nor the methods by which it's shared. Just for absolute ground-floor starters, CISA private->government sharing is PUSH, not PULL, and there is no mechanism whatsoever for the government to request (even by asking nicely) any indicator data.

Wherever you got this summary from, they just fucking made it up.

they just need something extremely vague in place as law to support operations that would otherwise be illegal.

Obama is actively abusing the Authorization of Military Force Against Terrorists who conducted Sept 11 attacks [0] to go out and police the world.

The media is told to frequently link ISIS back to AlQueda in all the fear mongering, so no one questions the president's authority to put "boots on the ground."

Sounds like you're way to trusting of the government and forgot about NSA Director lying to the American people about warrantless spying of citizens and govt. spying overall. [1]

[0] https://en.wikipedia.org/wiki/Authorization_for_Use_of_Milit...

[1]https://theintercept.com/2015/12/17/a-secret-catalogue-of-go...

I don't know what message board you spend most of your time on where you have to expend energy to sneak the string "Obama" past the filters they've set up to keep posts like this off, but HN isn't that board.
completely ignore O and 0 being right next to each other and attack the typo. well played.
I don't know if there's a how you'd tell what's a good summary vs alarmist rhetoric so the best way to tell what's in the bill is probably to read it.

The full text is only about 30 pages, and can be found here: https://www.govtrack.us/congress/bills/114/hr2029/text/eah#l...

This is embedded in the "H.R. 2029: Military Construction and Veterans Affairs and Related Agencies Appropriations Act, 2016", which is the vehicle for the Omnibus bill as passed by the Senate yesterday: https://www.govtrack.us/congress/bills/114/hr2029

Sure.

CISA defines "cybersecurity threats" and "threat indicators", which are now legalese versions of the stuff Intrusion Detection Systems track: exploit code, vulnerability information, and wire traces of attacks.

Everyone already collects this stuff; that's most of what network security teams are paid to do. The government has several huge network security teams (they operate the largest IT system in the world), and, of course, the whole Fortune 500 does as well. All these organizations are collecting information about attacks and siloing it.

CISA requires the government to establish a process to share indicators with private companies. So when analysts or IPS systems or anomaly detection schemes running inside FedGov networks generate a signature for an attack, there will now be federal rules requiring them to submit that data to a process that will disseminate it to the private sector.

CISA allows the private sector to do the same thing in reverse, sharing their data with the government, which will in turn share a facsimile of that data back out to the rest of the private sector. The bill requires companies to have a process to ensure they aren't knowingly sharing any personally identifying information, and they are only allowed to share information that pertains to the types of attacks defined as "cybersecurity threats". Those attacks specifically exclude terms of service violations.

Unlike CISPA, which was a more benign bill, CISA explicitly allows local, state, and federal law enforcement to use threat indicators to prosecute crimes. CISA has a very short list of crimes whose prosecution can be assisted with shared indicators --- identity theft, espionage, and trade secret theft. PCNA, the (now dead) House version of CISA, had a broader list.

Unlike the law of the land before CISPA/CISA/PCNA was proposed, there is now a path for private companies to share data with the USG regardless of the other regulatory regimes they're under. This is good if you think sharing attack information is very important and bad if you think companies that work with regulated information (driving records, credit scores, medical data, student records, &c) should operate under different, stricter rules than other companies. Much of the impetus for these bills was to overcome objections from legal at BigCos that would never allow any information sharing out of fear that such sharing could get them sued. They are now immunized from those suits, so long as they're in good faith sharing only information about actual cybersecurity threats.

That's pretty much it, at a high level. It's a very short bill, just 30 pages, and most of the interesting stuff is in the definitions at the top of the bill. It's worth skimming.

https://www.govtrack.us/congress/bills/114/s754/text

The good or bad of this delends critically on what kind of information is being shared.
Of course, but then, the bill recognizes that up front too.

Here's what the bill says you can share, lightly edited:

Data about malicious reconnaissance and recon anomalies, vulnerabilities and exploit code, anomaly events that describe exploit attempts, privilege escalation attempts that bypass security features for post-auth users, malware C&C, documentation of the data exfiltrated by attackers in breaches, and, finally, anything at all related to cyber attacks iff you were already lawfully allowed to share it.

That's it.

https://www.govtrack.us/congress/bills/114/s754/text

Is there a technical definition of "personally identifiable information"? Would they be required to provide any guarantees on the properties of the released data to ensure that when other data is shared there's no way to link them?
I don't know if there's a general-purpose one, but for medical data HIPAA has had definitions and guidelines for PII for a long, long time.

The deeper problem is that any piece or amount of information can, in the right circumstances, become personally-identifiable, and so the only guaranteed-safe system would be to forbid collecting or sharing anything. Which would necessarily result in literally turning off the internet.

There is some degree of mathematical guarantee that one can provide, if one is only releasing statistics and not individual records. The technique is called "differential privacy" and it was invented in large part because of a few high-profile data de-anonymization stunts, one of which was in the health industry.

At the very least, this allows one to quantify the tradeoff of security and specificity in what is released.

Well, this whole Internet thing was nice while it lasted.
What's the alternative?
Read a book, I guess.
Do you have the right to read it?
End-to-End encryption... Which the UK govt is trying to ban.
Not sure why you single out the UK - fbi recently gave an anti-e2e speech.
Can we make another one?
Not sure if something like this exist but what if you could use a system where people could subscribe to you (a bit like RSS) and get all your content (a bit like newsgroups, so that a third party would have a harder time to figure out at least some of the metadata) but the recipients could only decrypt what is addressed to them personally or to a group that they are part of...
SpiderOak's experimental Kloak provides such a system.

Encrypted pub/sub social will be the only way to ensure privacy, long-term. (Other than purely anonymous networks, which have other use cases.)

The article doesn't mention CISA. If it did, they changed it.
This is the nod, though the CISA provision does the exact opposite of this:

> It strengthens cybersecurity programs

Yeah. I think the modified title used by the OP is effectively editorializing.
How does CISA apply to US companies with subsidiaries in Europe like Microsoft? Will Microsoft now be required to hand over data located in datacenters abroad?
Not if they want to comply with existing European privacy law, which the European courts have no problem at all interpreting in maximally draconian form - up to and including forbidding access to the European market.

Even if the US government would attempt to force companies to do this, they wouldn't. And as far as I can tell, this bill doesn't force companies to comply, it just holds them harmless should they choose to comply.

Sadly not. The US courts have already ruled that data held in other data centres are fair game for a US warrant [1]. In this case the data is held in the EU (in Dublin, Ireland to be precise) and MS was found in contempt of court for failing to hand the data over [2]. They're still fighting this case now - over a year later - and it's currently in the 2nd Circuit Court of Appeals [3].

This means that the precedent is already set. If the company operates in the US and is served a warrant, the US Govt wants ALL of the data WHEREVER it's held.

I'm rooting for MS on this one and hope their appeal is upheld.

[1] http://www.theguardian.com/technology/2014/apr/29/us-court-m...

[2] http://www.zdnet.com/article/microsoft-refuses-to-hand-over-...

[3] http://www.techweekeurope.co.uk/e-regulation/microsoft-resis...

Good Lord. Yeah, that's messed up.
The problem is that the EU recently ruled that it was illegal for US companies to send data back to the US for any reason.

The US and EU obviously have two completely imcompatible rulings in play now.

CISA does not require any company to hand over any data. In fact it explicitly prohibits such requirements.
By the way, I haven't heard CNN or NBC mention CISA once this week.

So apparently corporate media has no problem with CISA for some reason.

Since congress rarely write their own laws and let the industry write it for them - who actually wrote CISA ? There's no way congress would know what to ask for. Did the NSA write CISA?

Lobbyist don't do "back room deals" for the fun of it. They do it so that there's no accountability. Democracy should have no secrets, and this is a disgrace.
What makes you think this is a democracy?
What makes you think this isn't?
The fact that it's not
So, no true Scotsman?
No, this is AMERICA
Oh, I think I misinferred where you were coming from. From context, I had thought you were advocating that we needed to democracy harder. On reflection it seems more likely you're espousing the viewpoint that USG hasn't been specified as a democracy, so people advocating to democracy harder are asking for nonsense.

In some sense that would put us closer to agreement, but from my perspective that viewpoint clings to a prescriptive model that is clearly irrelevant at this time. Democracy has become our national religion, and the mechanics of how the celebrities obtain office isn't so important as the idea that no action is off limits to the court of public opinion, adjudicated by the media.

Like everyone else, CNN covered CISA aggressively when it passed the Senate in October; they even called it "historic".

They're not covering it now because this is boring procedural stuff. There's no story this week. Obama has been on record all year saying he'd sign it. The one dramatic thing that could have happened --- a showdown between the House and Senate over whether the language would be closer to the (bad) PCNA bill --- didn't happen.

All you're noticing is that CNN isn't covering a nonstory.

Consider that CNN and NBC are owned by Time Warner and Comcast.
I believe that CISA is mostly about changes within the government itself about sharing data between agencies. It seems to interface with the non-government world insofar as it lets companies share their data with government agencies without getting sued. I do NOT believe it contains any further provisions requiring private companies to share their data without a warrant. Can someone tell me if I’m reading it correctly? Not saying I like it, but if it’s not specifically requiring cooperation, then I guess there’s still some hope left.
> I do NOT believe it contains any further provisions requiring private companies to share their data without a warrant.

Sure, but that means the companies now face minimal incentive to protect user data but doubtless will experience pressure from the government to give it up even without a warrant.

This bill only allows companies to share data that fit the definition of "cybersecurity threat indicator", and that definition requires companies to not knowingly share personally identifying information. It is not a particularly effective vector for slurping messages out of Facebook.
Does that roughly mean that FB must (to be shielded from lawsuits) anonymize the data before passing it to the government? This isn't particularly comforting, since it could still be used to prosecute individuals if identity can be inferred from other context.

The EFF's criticism is basically that the bill is overly broad and can be used nefariously, even if it's not an all purpose FB message vacuum:

> The bill's broad immunity clauses, vague definitions, and aggressive spying powers combine to make the bill a surveillance bill in disguise. Further, the bill does not address problems from the recent highly publicized computer data breaches that were caused by unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.

https://www.eff.org/deeplinks/2015/10/eff-strongly-oppose-ci...

That seems consistent with my aforementioned worry.

They have to do one of two things:

1. They can establish and run a process that ensures that data doesn't have personally identifying information in it. For instance, they can have a process by which they sign off on the types of things they're willing to share, and share only the stuff that never has PII in it.

2. They can instead run software that tries to spot PII and zaps it before sharing it.

I don't know how people can take EFF seriously when they say things like "aggressive spying powers". Whatever "spying powers" are in this bill are subtle; I don't think they're there at all. EFF does this a lot: they know their readers aren't going to read the bill, and further that their readers want to believe that the bill is horrifying, and they play that to the hilt.

Thanks very much for info. Much appreciated.

Agreed that the EFF risks its reputation when it freely uses hyperbolic language. But I think some of this is due to (mostly philosophical) difference about how much we should worry about granting vague powers to the government which are mostly not abused. People similarly differ in how fiercely they fight free speech restrictions, etc.

I think the underlying worry here is very legitimate.

But my interest is in making sure we know the truth as precisely as we can, and I believe nobody is well-served by the propagation of falsehoods, even when the falsehoods support a valid narrative.

3. They aren't required to share any data, and can keep it to themselves.
The bill itself reads mostly mundane, which I think is part of the intention. The main issues are the liberal definitions of "cybersecurity purpose," "cybersecurity threat" and "cyber threat indicator," along with the really half-assed integrity requirements ("Make sure you scrub out personally identifiable information, but only if you're aware of it, so no big deal.") and a repeated insistence on the data being "shared as quickly as operationally practicable".

As such, it strikes me as a try-hard and forced attempt to implement private-to-governmental-entity data sharing with little assurance, and cloaked as a seemingly routine bill. It thus makes perfect tactical sense to bundle it with an omnibus, since it blends in well.

Could you be more specific about the "liberal definitions" of "cybersecurity purpose, threat, and indicator"? I've read all the computer security legislation that's been proposed in the last 8 years or so, and CISA had the least egregious definitions I'd read.

They even inherited the CISPA amendment that established that terms of service violations weren't cybersecurity threats.

That it does, along with consumer licensing agreements (presumably EULAs).

"Cybersecurity purpose" is itself mostly a pointer contingent to the meaning of "cybersecurity threat":

   Except as provided in subparagraph (B), the term 
   cybersecurity threat means an action, not protected by
   the First Amendment to the Constitution of the United
   States, on or through an information system that may 
   result in an unauthorized effort to adversely impact the
   security, availability, confidentiality, or integrity of
   an information system or information that is stored on,
   processed by, or transiting an information system.
(6) Cyber threat indicator is rather loose with F, G and H. B drops the term "security control". A seems to be legitimately trying to address automated scanning, but might seem to let through legitimate scraping since it doesn't further qualify.

If this is, as you say, one of the least egregious definitions, then I'm not sure whether this is a cause for concern or hope.

Let’s assume a government asks Facebook about private information. In the US, it can do so via with secret courts, so the people being surveilled cannot know about and oppose it. In that case, Facebook is the only one who could do something about it: they can do so by arguing that revealing that information would put them in legal trouble. How that works, I have no idea: the court is secret, so is the idiosyncrasies of its appeal process.

The possibility that Facebook could be attacked makes the lawyers unhappy: their job includes minimising risks, and this is a big one given the PR around it. The ability to oppose abusive requests makes the (very many) privacy-concerned employees happy: they really don’t like spending their career helping ideas they strongly oppose. That’s why you can have contradictory statements.

The real issue here is the existence of secret courts, and administrative processes that exclude judges and the basic legal protection (guaranteed by the Fourth amendment in the US). Facebook can’t really oppose that without exposing itself to spin around being pro-terrorists (which is mind-boggling when you think about how loudly the same people talk about “Freedom”). Allowing an appeal and maintaining needed discretion in certain matters is a delicate problem, but hardly a new one in law.

It sounds to me (not a legal expert) that what would be preferable is to have a Public defender for privacy, fluent in legal and technical matter, who be made privy to secret decision, and not allowed to contact the people being targeted before they know about the surveillance. The ACLU sounds like they could recommend good candidates. A judge should be able to do that, and Congress at a higher level — but whomever was in charge lately has dropped the ball quite dramatically, being both lied to and far too lenient in what they knew.

You are reading it correctly. CISA explicitly establishes by statute that private entities are never required to share data, but that the government is required to share with private entities.
It also seems to be addressing, by "cybersecurity threats," the act of trying to hack into information systems. The law seems to be paving the legal way for facebook to work with google and ycombinator if there was a network attack by <insert cyber bad-guys> in order to set up defensive measures against the attack and perhaps share information as to who and where it is coming from. Personal information must be removed from such shared information, and if not the insulted party must be notified.

Specific details of how to do this must be decided in the next 90 (or was it 180)days and compliance oversight reports are required regularly.

I'm a little embarrassed, but I must have missed the part where this makes things worse. I'm being honest here: If I should be upset about this I need to know why, please.

There are reasons not to like CISA. I'm pretty irritated by it: I think organizations like Fight For The Future organized a campaign against CISPA based on a whole lot of FUD, and for their efforts got us a law that actually justifies (a very little bit) of that FUD.

Unlike CISPA, CISA allows shared information to be used for law enforcement purposes. Ideally, threat information shared with the government should be used solely to improve defenses and prevent breaches; instead, anyone who shares data now needs to be cognizant of the other uses to which it will be put.

Law enforcement outside of cyber security? OK, I did miss that. Thanks.
Law enforcement can use indicators to RESPOND TO, PREVENT or MITIGATE "an imminent threat of death, serious bodily harm, or serious economic harm" (e.g. almost anything), but can only use it to assist in the PROSECUTION of identity theft, trade secret theft, or espionage.

(PCNA had broader language that enabled prosecutions of a variety of crimes with indicator data).

Again, CISPA, the bill FFTF takes credit for killing, had none of this language.

I couldn't find language that states the fed has to share data back with private entities. I did see provisions allowing the fed to share submitted data with other federal agencies and even some health care operators.

Where does it state that private cos get access to this data?

Section 103.(a)(2)

103(a)(3) also requires them to share, when possible, with the general public.

In the Senate CISA draft, the language about "entities" is a little confusing. "Entities", unqualified, are private companies; government agencies are "Federal entities".

One the few changes in the budget bill CISA is to have the law now refer to "Federal entities" and "Non-federal entities".

I'm sure Techdirt found a way to spin that into a conspiracy to chopper away the Open Whisper System developers in black helicopters.

Well, more encryption should be our response. It will backfire in ways they didn't even consider.
Since they're enjoying Star Wars while legislating, maybe Padme's quote is apropos: "So this is how liberty dies. With thunderous applause."
CISA passed the Senate with almost 3:1 bipartisan support in October.

PCNA, the House's (worse) version of CISA, passed with similar margins in April.

Obama has publicly supported the bill all year.

As much as HN and Twitter wants to believe CISA was enacted in some shady backroom deal, the process that actually occurred, including publicly available amendments and months-long review, is pretty close to "Schoolhouse Rocks".

The debate on CISA was over. Thankfully. The only debate left was how close CISA would come to PCNA, with its broader law enforcement ties and vaguer language (EFF claims PCNA would have in some cases authorized large private companies to "hack back" computers they believed had been trying to hack them). Instead, Senate's CISA is the law of land almost verbatim to what they passed --- in a drawn out, public process --- in October.

Later:

Someone downthread asked for a summary of the bill. I did my best to strip the legalese out of it:

https://news.ycombinator.com/item?id=10763827

The 14 votes against, FWIW:

    Baldwin (D-WI)
    Booker (D-NJ)
    Brown (D-OH)
    Coons (D-DE)
    Franken (D-MN)
    Leahy (D-VT)
    Markey (D-MA)
    Menendez (D-NJ)
    Merkley (D-OR)
    Paul (R-KY)
    Sanders (I-VT)
    Udall (D-NM)
    Warren (D-MA)
    Wyden (D-OR)
https://www.techdirt.com/articles/20151022/10133932597/cisa-...
I'm honestly starting to think sander's is our last hope -- I was on the fence until seeing this. Meanwhile he is getting undermined by the media.
Not so on social media, however, which makes this election really interesting: we'll be able to see to what extent the old guard (broadcast news networks) reigns supreme.
and to what extent the twittering classes does or does not really effect things.
There's a group of tech volunteers working on apps to try to help out his campaign. I'm sure they would welcome any additional help from HN people.
links? i just signed an acceptance letter for a FT job but would be willing to help remotely if possible.
When do I remember hearing that before.... back in 2008. Everyone was saying the exact same thing. If you really expect Sanders will be any different if he gets in power, you are kidding yourself.

If anything he is being undermined by the DNC, not the media. The DNC should be ashamed of themselves for thier blatant support of one candidate over the other(s) .

No candidate is going to be perfect. Even if there was an hypothetically perfect candidate (for any definition of perfect) he/she will have to compromise when in power.

The thing with Sanders, I think, is that he has been around for so long and he has been so consistent, that you can know what he think about most issues:

https://votesmart.org/candidate/key-votes/27110/bernie-sande...

> If you really expect Sanders will be any different if he gets in power, you are kidding yourself

i don't recall obama being an actual socialist or talking about breaking up the banks. i do recall obama being a dem and giving the banks bailout money though.

> he is being undermined by the DNC

agreed.

I do expect Sanders to be different because he has a 20 year record of being incredibly consistent in his political views.

His ideological framework hasn't changed in the entire time I've been following him (I'm from Vermont) and that includes going from mayor of Burlington up through US Senator.

He's also not saying things to get elected. He'd have a much better chance if he dropped some of his more socialist rhetoric, but he genuinely believes it.

Assume he wins and becomes president, what could he do? Judging by the way congress operates right now, not much.
> he wins and becomes president, what could he do?

Yeah, this whole thing about electing the right president who will somehow magically change all the wrongs of the world overnight is a fairy tale. If someone like Ron Paul or Bernie Sanders got into office, a little would be different, especially with regards to foreign policy, but without a pliable or cooperative congress, literally nothing would get done. It would be a waste of 4 years. People overestimate just how much power the president has. Even with executive orders, there's only so much a president can do within the law. If you want universal health care, or MJ legalized, or CISA repealed, a president can't do that by himself, that requires congress.

Presidential elections are a red herring I'm afraid, and that's no exaggeration. If you want true and real governmental change, it requires you to vote the right congressmen and senators into the government.

>Yeah, this whole thing about electing the right president who will somehow magically change all the wrongs of the world overnight is a fairy tale.

I'm not sure who you guys think you're arguing against.

I understand why you feel like you're correct in naysaying and feeling like you're adding something to the conversation by being contrary. Unfortunately you're setting up a bit of a strawman, as if people who support Bernie feel like somehow he's going to magically change everything by himself. Bernie himself said that will not be the case, and you're mostly just arguing people who have little understanding of government, who honestly aren't even taking part in this conversation.

Bernie is probably the most likely candidate to promote the idea in your comment anyway, as he's the only candidate who I feel truly wants to change the system. So even in regards to your opinion your only real candidate is Bernie. He's the only one talking about political revolution, which is what would be necessary for real change.

> I'm not sure who you guys think you're arguing against.

Sometimes I forget that hackernews has a slightly more intelligent user-base. Unfortunately, I participate on reddit as well, and there, political supporters have a slightly naive view of how politics and the government works (that's putting it nicely). Sometimes I confuse the two websites.

> So even in regards to your opinion your only real candidate is Bernie. He's the only one talking about political revolution, which is what would be necessary for real change.

Well, real change means electing the right congressmen. To up-end our current republic, the first-past-the-post system, and to reform campaign finance requires electing senators who would do just that.

If Bernie wins the nomination, he's definitely getting my vote. Unfortunately, that's a near impossibility. And he also said he wouldn't run against Hillary if she wins the nomination. Bernie recognizes the fact that he would damage the party and take votes away from Hillary if he runs as an independent. He's a pragmatic & logical man and understands that a Clinton presidency is orders of magnitude better for our country than a Bush or Trump presidency. It's simply the lesser of all the evils.

And unless you run for office yourself, it's always, always going to be choosing between the "least evil" because no candidate will represent your views 100% unless, again, you run yourself.

A trump presidency would be horrific -- I'm very opposed to it happening, but if he took power I wonder if it would wake up the swindled masses.
Don't forget that the next President will almost certainly have to nominate one or two Supreme Court justices.
Bernie Sanders and Tammy Baldwin are pretty consistent when it comes to supporting privacy and the internet. They were actually the only two Senators who voted against the "Freedom" Act [1] who also supported net neutrality [2]. Both also voted against the "Patriot" Act in 2001, while they served in the House [3].

[1] http://www.senate.gov/legislative/LIS/roll_call_lists/roll_c...

[2] http://www.baldwin.senate.gov/press-releases/us-senator-tamm... & http://www.markey.senate.gov/news/press-releases/to-protect-...

[3] http://clerk.house.gov/evs/2001/roll398.xml

Don't forget Rand Paul
Rand Paul is actually fighting against net neutrality http://www.reuters.com/article/us-usa-internet-neutrality-id...
(comment deleted)
Net neutrality, as it's currently being implemented, grants the FCC significant amounts of regulatory power over private companies. This regulatory power has the potential to be abused. So, Rand Paul being against it is consistent with his general philosophy of less government intervention.
> grants the FCC significant amounts of regulatory power over private companies.

How would net neutrality work without that regulatory power? The FCC needs teeth to do its job. Net neutrality without anyone to actively enforce it is the same as no net neutrality at all.

Rand Paul (or his supporters) are just using semantics to try and wave away this pretty important issue.

The FCC only needs "teeth to do its job" because they are the only external force acting against cable monopolies. Some believe that, if the FCC were to have less power, it would be easier for more ISPs to come along and compete with the big guys (Comcast, Time Warner, Cox, etc.), and that this market force would be the "teeth" that prevents net neutrality.

I'd argue that, to some extent, we're already seeing this many of T-Mobile's more pro-competition moves in the wireless telecom space, though it's also easy to argue that the FCC is more necessary there as wireless spectrum is a much more finite, common resource than fiber in the ground (theoretically, you could run an unlimited amount of it).

As an aside, of course, many see T-Mobile's moves as bad for net neutrality based on principle, despite the fact that they're actually good for the consumer today.[1] I might argue that those people are making the same argument you are about Rand Paul: that they're " just using semantics to try and wave away this pretty important issue".

[1] http://www.theverge.com/2014/6/18/5822996/t-mobile-music-fre...

The magical thinking with less regulatory power = more competition with regard to utilities like last-mile internet comes down to 1) infrastructure cost and 2) lack of access to shared infrastructure.

For most potential players, it simply costs too much to even think about entering the market. Truly unregulated free markets are great in theory, but are instantly distorted when you take things like reality into account.

Part of what the recent net neutrality rules did is ensure that power utilities must lease pole/conduit access to internet utilities at the same rates they lease to cable tv and telephone utilities. This helps reduce cost to enter the market.

Unregulated free market theory works. When you say it's instantly distorted by reality, I think that's true if you take a small picture view of the world. But if you look at it from a 5 year, 10 year, or even 100 year perspective, the free market is what brought us Dialup, DSL, Cable, FiOS, WiFi and whatever's after WiFi. I think the free market has done a great job.
> the free market is what brought us Dialup, DSL, Cable, FiOS, WiFi and whatever's after WiFi

Government research and subsidies brought us these. The market only sold them.

> Government research and subsidies brought us these. The market only sold them.

You do realize that the government pays (with private company tax dollars) other private companies to do things for them, don't you?

Either that or it hires private individuals and pays them to do it. What is your point? In either case, the govt is making the resource-allocation choice.
Your point is well taken, but if memory serves, the specific technologies listed were developed by private corporations and industry consortiums. Would be interested to see a fact checked history on this, however.
Either that or it hires private individuals and pays them to do it. What is your point? In either case, the govt is making the resource-allocation choice.
> Some believe that, if the FCC were to have less power, it would be easier for more ISPs to come along and compete with the big guys

Except, all the evidence throughout history has shown this never to be the case. It never, ever works. It's what the big companies want you to believe to you'll buy into whatever ideology they're selling. It's libertarian nonsense with no basis in reality. It's a Koch brothers talking point - they literally live by that mantra.

Net neutrality has been the status quo on the internet for 30 years without regulatory intervention. Whether or not there's a credible threat to that status quo is something that's very arguable: there are potentially more forces working against the ISPs' ability to engage in content-based discrimination than working in favor of it. The organizations with the most de facto power on the internet seem to be the ones which stand the most to lose from any breach of net neutrality: the Googles and Facebooks and Apples of the world seem quite a bit more influential than the Comcasts and the Verizons. On the other hand, agency capture is a very real phenomenon, and the Comcasts and Verizons certainly do have disproportionate influence over the FCC: it's entirely possible that the thing most likely to undermine net neutrality in the near future is making its preservation the responsibility of the FCC.

The solution to the problem is to support organizations and institutions that have real substantive incentives to protect net neutrality -- not merely an inherently co-optable political mandate -- and to work in parallel to diminish the actual capacity of ISPs to actually abridge e.g. by promoting widespread end-to-end encryption of everything, etc.

The mindset of "we've got to address this potential problem by giving monopolistic coercive power to this single centralized institution" has just got to go away.

(comment deleted)
I am pretty sure Rand Paul just votes against Budget bills in general and this has nothing to do with CISA being part of it.
Can you explain why you think Bob Kahn is against net neutrality (whereas Vint Cerf is for it)? I am not that familiar with this issue and the other sides arguments (against), but there are prominent people there.
Has he taken a stance against net neutrality recently? He seems to have taken a stance around 2007 that regulation might be detrimental to innovation. I'd be interested to hear his thoughts on the FCC's 2014 ruling, and if he felt those regulations specifically were negative or positive.
People may be on the list to be against the budget, not net nutrality. Downside to a 2000 page bill. What parts are everyone for and against?
I'm a very liberal persion, but I really like Rand Paul. I just wish he didn't think gays were going to burn in hell for all eternity, or at least would stick to libertarian principles on the issue and let people live how they want to live.

The same with abortion laws. I'd be way more into supporting him if he would concede he doesn't agree personally, but that people shouldn't be forced by the government to live according to his religious beliefs.

I've always felt that was how Paul believed. He thinks marriage is between a man and a woman but doesn't think the government should be involved in defining it.
In my experience, people with those beliefs (conservative views on marriage && thinks government should not be involved) tend to protect the status quo. It's nice to say that the government shouldn't be involved, but meanwhile it would be really great and really easy if we just allowed same-sex couples to have the same rights. But that's the arbitrary (read: not at all arbitrary) point where "government involvement" becomes too much for them.
He's open to letting state government define it. I'd say that's something everyone who is for gay rights should be against.
That's the big-government position. You can be in favor of a particular issue without subscribing to this view.
State governments deciding is what led to federal Supreme Court action.

The states-as-testing-grounds concept has always felt pretty reasonable. Some will make objectively bad choices, but the right choices will eventually will themselves out.

The folks fighting for gay rights had to go state-to-state because there was no traction in federal legislature to get changes made.

I suppose technically it could be worse -- he could take Ron Paul's position of forcibly exempting the states from having to respect guaranteed basic rights (Ron Paul has campaigned on literally rolling back that part of the Fourteenth Amendment).
Always interesting to note that:

"I believe marriage is between a man and a woman. I am not in favor of gay marriage."

is exactly what Obama "believed" in 2008.

> at least would stick to libertarian principles on the issue and let people live how they want to live.

Paul is a libertarian and believes that Government should not be involved in the private space, including marriage. I think that's a very reasonable position to have - and I don't think I have seen him saying anything against gays, but please provide a source if you have any.

Exactly, he (unfortunately) feels like he has to say these types of things to pander to the typical Republican voter. However, he's one of the only people out there talking about the real issue: should government be involved in the marriage business at all? Sure, Paul says some seemingly nutty stuff, but if we judge based on his voting record, he's easily the strongest Republican on personal liberty and right to privacy (not to mention a sane foreign policy).
The simple problem is that 99.999999999999999999% of self-professed libertarians I've encountered who simply say "the government should get out of the marriage business" only ever say that. They never lobby for (or introduce, if they're in a position to do so) bills to actually achieve that end, and in fact usually do nothing and let the status quo -- which until very recently was "keep the discriminatory laws on the books" -- stand.

So in extensional terms, such "libertarians" are often indistinguishable from theocrats on key social issues (i.e., regardless of what different set of inner philosophical principles they might claim to be following, the outward result in terms of lawmaking is identical). Which in turn means they're not going to get my vote.

"They never lobby for (or introduce, if they're in a position to do so) bills to actually achieve that end, and in fact usually do nothing and let the status quo -- which until very recently was "keep the discriminatory laws on the books" -- stand."

How many self-professed libertarians are there in the Congress? Paul's not even self-professed libertarian. The only one I know is Justin Amash, and he couldn't introduce any of type of bills you reference because under Boehner's regime only bills blessed by his team could ever make it to the floor.

Very true—what libertarians should do is promote common‐law marriage, which is permitted in 9 states. Unfortunately, over time fewer and fewer states have allowed forming new common‐law marriages. And in those states where it’s still possible, same‐sex common‐law marriage has always been illegal. So “get the government out of the marriage business” still requires active effort to change the laws.

https://en.m.wikipedia.org/wiki/Common-law_marriage_in_the_U...

Wow, this is terrible, common law is just great for tax and separation ("divorce") purposes regardless of orientation, an excellent way to provide a measure of equality.
every liberal has to draw a line somewhere. he might think aborting is murder, so he puts the same restrictions you (hopefully) put on murder.
For what it's worth, Paul was one of only 8 Republicans who voted against rescinding funds from Planned Parenthood.
Paul's views on immigration and refugees are also equally horrendous.

I can't see myself voting in 2016. I find the views of all the Republican and Democratic candidates to be morally repugnant, just for different reasons.

As an LGBT person myself, I refuse to vote for Paul or any other candidate who opposes LGBT rights (including the entire Republican field), and as a Jew, I refuse to vote for any candidate that opposes refugees. However, I also won't vote for the Democrats because their views on other subjects are just as repugnant, including gun control and minimum wage.

Sanders/Paul 2016!

Not a joke. I would vote for it.

One of the few concrete functions of the Vice President once elected, is to serve as a more extreme alternative to the political positions of the President. That way, nobody opposed to the President's platform can assassinate the President in the hopes of killing that platform, because it will only be replaced with a worse version.

This is not the case in an across-the-aisle Presidency. There are lots of Paul supporters who would like to see Sanders dead, and a whole bunch of them have guns and are fond of out-of-the-box thinking about their liberty. I spent a few months participating in online communities associated with Ron Paul back in 2007; It was enlightening, though it left me feeling a little soiled.

The broader problem is that the Vice President has no real power. You can't balance a Presidency with an across-the-aisle candidate because the Vice President can't meaningfully do anything without the President's assent.

The interesting thing is if the Democrats nominate Sanders and the Republicans nominate Paul.

> The interesting thing is if the Democrats nominate Sanders and the Republicans nominate Paul.

Interesting, if only due to its impossibility.

Sanders is a long shot, but plausible. Paul is well outside the realm of possibility.
(comment deleted)
What about, and this would be entirely unconstitutional, but what if they were BOTH the president?

Like, not one the president and the other one the vice president. If they were just, dual presidents. Both the singular president. ( if either died, it would be counted as the president dieing, and the vp would take the place)

I think this list reinforces the fact that there's only one reasonable presidential candidate on each party's ticket.
Note that these were the votes against the original CISA bill, NOT the bill that passed yesterday. Those votes were:

   Nay - Sen. Michael Crapo [R]
   Nay - Sen. Michael Enzi [R]
   Nay - Sen. Charles “Chuck” Grassley [R]
   Nay - Sen. John McCain [R]
   Nay - Sen. Jefferson “Jeff” Sessions [R]
   Nay - Sen. Richard Shelby [R]
   Nay - Sen. John Boozman [R]
   Nay - Sen. Richard Burr [R]
   Nay - Sen. Jeff Flake [R]
   Nay - Sen. Jerry Moran [R]
   Nay - Sen. Robert “Rob” Portman [R]
   Nay - Sen. Patrick “Pat” Toomey [R]
   Nay - Sen. David Vitter [R]
   Nay - Sen. John Thune [R]
   Nay - Sen. Bill Cassidy [R]
   Nay - Sen. James Risch [R]
   Nay - Sen. Tim Scott [R]
   Not Voting - Sen. Marco Rubio [R]
   Nay - Sen. Rand Paul [R]
   Nay - Sen. Mike Lee [R]
   Nay - Sen. Tom Cotton [R]
   Nay - Sen. Steve Daines [R]
   Nay - Sen. Deb Fischer [R]
   Nay - Sen. Ted Cruz [R]
   Nay - Sen. Dan Sullivan [R]
   Nay - Sen. Joni Ernst [R]
   Nay - Sen. Benjamin Sasse [R]

   Nay - Sen. Jeff Merkley [D]
   Nay - Sen. Joe Manchin III [D]
   Nay - Sen. Jon Tester [D]
   Nay - Sen. Claire McCaskill [D]
   Not Voting - Sen. Barbara Boxer [D]
   Nay - Sen. Ron Wyden [D]
   Nay - Sen. Edward “Ed” Markey [D]
   Nay - Sen. Bernard “Bernie” Sanders [I]
Source: https://www.govtrack.us/congress/votes/114-2015/s339
Another way of wording this: a list of people to consider re-electing. :)
HN regular posters? Are you kidding? They will bitch and moan all day long about loss of privacy and things they want and vote for anyone with a D next to their name "for reasons". If they actually stood for what they claim to believe the chance of voting a for D is near nil and the R is next to nil (though go figure why the Republican establishment is in such a tizzy - Cruz doesn't put them first and Trump isn't one of them)

Its like Reddit but with an orange banner here.

Your post condenses to “Everyone here sucks because <hostile overgeneralisations>”. Please try to be more constructive in your criticism.
Not Voting - Sen. Marco Rubio [R] Not Voting - Sen. Barbara Boxer [D]

Cowards.

Rubio is too busy campaigning to actually do his job.
If he had something to gain from voting he would have, but he can use the excuse that he is campaigning (even though that's not much of an excuse).
> Nay - Sen. Bernard “Bernie” Sanders [I]
Not voting for the bill is effectively a "no" vote.
(comment deleted)
It is likely this was intentional. If you don't want to be present for a vote for some reason, you can find someone else who would vote the other way (usually reaching across the aisle) and both agree not to participate. Happens all the time.
Senator Boxer is retiring after her current term, so I doubt that cowardice explains her non-vote.
I must disagree. I believe you are overstating things.

Schoolhouse rocks, last I checked, had one bill moving from one house to the other. Citizens could lobby at any point, including the conference committee.

Each of these were passed in isolation, then stuck together, then stuck into a budget bill. Then the only question was whether you wanted the entire bill to pass or not.

It's a fair interpretation to say that some reasonable public feedback -- if nothing else than what kinds of compromises needed to occur between both bills -- was missing from the mash-up we got this past week. Yes, majorities approved of similar bills in both houses. But there was no point in time where the public was informed "Hey, this is your last chance if you want to change what's going to go into the law"

Another way of looking at this is asking this question: if we're going to use the rules for budget bills on everything else that might be controversial, why have conference committees at all? Just pass kinda the same thing in each house and then look for the right political moment and the right combination of things to lump together so that you can do whatever you want to.

This is just leadership writing laws. If they want to do things like that, fine. I believe the logical conclusion is that we should start having direct election of house and senate leadership.

Bills get passed in omnibus spending bills all the time. For instance, as someone pointed out on the last thread about CISA: your COBRA health insurance? COBRA stands for "Consolidated Omnibus Budget Reconciliation Act".

There was extended public debate and a prolonged amendment process for CISA and PCNA in both houses of Congress. There was intense media coverage and, once CISA passed in October, the consensus was that CISA was going to be the law of the land.

The one uncertainty about it was the extent to which the House would drag CISA towards PCNA's broader law enforcement language. Thankfully, that drama, with its attendant opportunity for "public commentary", didn't happen.

For you to make a strong case for how important a prolonged conference committee would have been to the process, I think you should start by pointing out another bill that died in a conference committee due to public outcry. Has that ever happened?

Now you're just making the case that the Schoolhouse Rock process is never followed for controversial bills. That isn't the process being followed, it's evidence that the proponents required procedural gymnastics to subvert that process in order to get the bill passed.
Yes. The "Nothing to see here, folks!"/tu quoque argument is de rigeur in this type of discussion. Combine that with a little moving of the goalposts? Guaranteed hours of fun for the whole family.

For those who are interested, this type of application is fairly recent. The Reconciliation Act was passed in 74. It hadn't even been out a year before it was being used in ways not anticipated by the sponsors, and the stretching has continued year-after-year. Relevant wiki: https://en.wikipedia.org/wiki/Reconciliation_(United_States_...

IIRC, CORBA was the first big "win", providing continuing insurance privileges to folks when they left their job. A great idea, no doubt, but not a damned thing to do with the budget.

Also more information: https://www.votetocracy.com/blog/what-is-reconciliation

Interesting historical quote from the second article. President Clinton attempted to use reconciliation to pass his 1993 health care plan, but Senator Byrd, according to Wikipedia, “insisted that the health care plan was out of bounds for a process that is theoretically about budgets,”

Times have changed. Each year these things get easier and easier.

CISA was probably the least controversial part of this bill. The real controversy was the budget itself; the bill involves Ryan surrendering the ability to freeze the government with future budget bills until almost after the next election. The GOP has been using that ability on and off for the last 6 years.

In message board land, the fact that the bill was finalized in the middle of the night is evidence that The Man is trying to sneak CISA past us. In reality, nobody in Congress cares about CISA; that's a done deal. It's the budget they're being sneaky about.

I wouldn't be surprised to learn that CISA (and a bunch of other random stuff in the budget bill) had been scheduled to go through on the budget bill for weeks.

> The debate on CISA was over. Thankfully

Thankfully? In the sense that at least it wasn't close to PCNA or that you think this bill will do anything to actually benefit "cybersecurity"? Because if it doesn't serve its purpose, then it doesn't really matter how close was or wasn't to the PCNA, does it?

Also, you're not worried at all about the legal protections companies get for cooperating with the NSA? If they "aren't doing anything wrong", why should they need legal immunity?

In the sense that the only place the "debate" had left to go was "worse".

It is not the way conference committees work that there's a whole new open public process. By the time a bill has passed both houses of Congress, the incentive is declare victory and get the thing over with. The only reason there even is a conference committee is to get the House and Senate to agree on language.

I've explained repeatedly why the legal immunity language in CISA is not only reasonable, but in fact most of the impetus for the entire bill.

I'm a little annoyed at how you're asking me to explain it again, because that once again puts me in the position of being perceived as a supporter of CISA, which I am not. I'm very tired of people --- like, respectfully, you --- equating "effort taken to understand a complicated issue" with "partisan support for one side of that issue".

The "tell" that that's what's happening here is the language you chose to use: "you're not worried at all that...?". In sales, language like that is referred to as "an assumptive close". It is literally a mind control technique. Here, you're trying to deploy it on me to put me on the wrong side of an issue being discussed on HN.

PLEASE STOP DOING THAT.

Anyone know how to find out who wrote the bill?
A semi-serious proposal: why don't we just stop caring about this?

By "we", I mean those of us with the technological know-how to protect our own privacy if desired.

I bring this up because laws like CISA are meant to deal with large-scale collection of data for ostensibly well-meaning reasons from the vast majority of internet users. Those vast majorities that aren't lurking on HN, who don't know or care about the technical details of privacy beyond maybe vaguely wanting it, who want the internet to work, fast, free, and easily.

It seems to me that with the vast law enforcement and intelligence agencies on the one side and the even larger internet economy on the other, there is no serious getting in the way of whatever flow of information those two groups agree on. It doesn't matter what you, me, the EFF, or Edward Snowden think. There is far too much money at stake. And the "privacy" threat, as we discuss it here, is irrelevant to just about everyone.

Beyond implementing strong crypto with trusted software, for those who care to, I don't see that there is anything to be done here. As Schneier pointed out a few years ago, this ship sailed a long time ago: https://www.schneier.com/blog/archives/2013/03/our_internet_...

My favorite clause...

"(e) Prohibited conduct -- Nothing in this title shall be construed to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning."

Does this imply it could have been construed that way without this clause?

I think the "big deal" about CISA is that it essentially gives the heads of state the ability to say "cybersecurity threat indicator" and by so doing collect any information or spy on any system they wish without warrant or any other form of informed oversight.
So is there room to build products to help facilitate the sharing of data as mandated in CISA?

Is there a standard or format for how the government will expect this threat data to be packaged? STIX / TAXII?

Startups; assemble!

The most hated startup up in the world: "We disrupted the internet's privacy"
I don't get it, can somebody explain this to me, why does this stuff happen in democracy?

How can public fight government for years and lose?

How is it possible to pass a law in US that is clearly against everyone's will? I mean for all I know, most of the people are strongly against it, except for a few polititians, nobody wants this to happen, so how is that even a discussion?

> why does this stuff happen in democracy

because democracy only works when people actually care. most us citizens are more concerned about the superbowl than government.

> How is it possible to pass a law in US that is clearly against everyone's will?

Who is everyone? Again - most people don't give a shit.