To clarify on the baiting comment, I didn't intend to accuse bad faith or mean that was generally applicable to debates. For this particular issue, we have already advanced beyond that point in the conversation last time this was on HN, and I just wanted to expedite that. "Debate fatigue" or something :)
So my eventual reply is, if I list off my concerns and you point out that it's already possible to do those things, what is CISPA adding? Let's start the conversation there.
I'm not sure if it's a fallacy to appeal to common sense, but I don't buy that someone is pushing this through so hard to narrow what can already be shared. Even though you are certainly more familiar with previous relevant legislation, I feel pretty safe in saying that if that is your interpretation, it has to be incorrect.
Nobody spends money trying to take permissions away from themselves, and nobody versed in this area of law isn't already aware of their capabilities under ECPA.
I guess, if I was going to put my CISPA-advocate hat on, which I don't like because it is an ugly hat that I think my cat peed on, I would say this:
It is already possible for service providers to do the things CISPA enables them to do. However, under current regulations, it is legally risky for them to do it. Some of what they do incurs legal risk. Some of the legal risks mean that whole companies in some verticals won't entertain any conversation about information sharing because they're encumbered by specific privacy rules which, while important, were never intended to hamstring network security. As a result, there is much less information sharing now than there could be.
If I was going to put my political analyst hat on, which is ugly but at least doesn't smell like cat piss, I would point out the following:
CISPA came into being less an urgent fix to an immediate problem than as a response to another, more interventionist approach to regulating cybersecurity. That other approach would essentially have the USG "pick winners" in the information assurance market and, down the road, would allow the USG to designate certain private companies as "critical infrastructure" that would require the commercial ministrations of those companies. The winners in that scenario would have been Raytheon, Lockheed, and SAIC. Nobody in private industry wanted that, and it was antithetical to the Republican House, so they came up with an industry-friendly counterproposal.
No. What part of AT&T's defense involved operational network security? For whatever it's worth: AT&T's complicity in NSA monitoring of overseas traffic involving American citizens was despicable.
So my eventual reply is, if I list off my concerns and you point out that it's already possible to do those things, what is CISPA adding? Let's start the conversation there.
I'm not sure if it's a fallacy to appeal to common sense, but I don't buy that someone is pushing this through so hard to narrow what can already be shared. Even though you are certainly more familiar with previous relevant legislation, I feel pretty safe in saying that if that is your interpretation, it has to be incorrect.
Nobody spends money trying to take permissions away from themselves, and nobody versed in this area of law isn't already aware of their capabilities under ECPA.