If it were coming back "tweaked" to address the flaws of the bill, then sure, that'd be how the system is supposed to work. Except that's not what's happening and things aren't working.
The issue is that CISPA is fundamentally flawed; I have no doubt that there are well-meaning people who believe we need something to address the problems CISPA allegedly addresses. But any solution which consists of "first, we stop caring about the Fourth Amendment" is a non-starter and must always be.
Would you find it unreasonable to have a search warrant on every single American's internet activity? As far as I understand it, that is, in effect, what CISPA proposes.
CISPA's true motivation is becoming very clear. It's needed to expand a pilot program for dragnet surveillance by the NSA and defense contractors. You know, the same thing they've been doing for ages and getting sued over by the EFF. If you read the letters in support of CISPA by the defense contractors who are lobbying for it and funding Mike Rogers who authored it, they even acknowledge this program by name (it's called the DIB cyber pilot).
That's why the bill is so vague, and why they refuse amendments to narrow the scope. It's a get out of jail free card for complicit companies and they can claim virtually anything is related to "security". They can also be wrong, as long as they claim it was "in good faith". It's more or less the "state secrets privilege" equivalent, but for companies cooperating with the "data sharing".
It solves nothing, because it's already legal to share threat data. You just have to scrub it of private or protected information. If it's protected, it's because we passed a law for something we felt was worth protecting. For CISPA to just undo all of those laws wholesale is outrageous.
It's needed to expand a pilot program for dragnet surveillance by the NSA and defense contractors.
What horseshit! Even your own link describes the program as applicable to private networks of the participating companies. That's why there's a quote from an email wondering (emphasis mine) "Will the program cover all parts of the company network -- including say day care centers (as mentioned as a question in a [deputies committee meeting]) and what are the policy implications of this?"
There are a lot of advocacy organizations (EPIC, etc) that like to bluster about what it does. Right now EPIC is blustering that it's part of authorizing a secret program.
What they didn't tell you is that their real goal is to gain possible congressional support for the FOIA request they filed; they are just trying to tie it all together so they can gain support from CISPA haters.
A lot of these advocacy orgs that lobby are good in the sense of trying to do what they think is right but they often present pretty extreme (IMHO) interpretations of bills/laws and viewpoints to support this.
Full disclosure: I have interned at one of these advocacy orgs before (CDT).
It's true the government would be happy if they could monitor everyone's activity, but that isn't CISPA, and crying wolf repeatedly about every bill just makes people less likely to care. If they really wanted to monitor everyone's activity, they'd just do it, and clean up the mess later.
Like passing retroactive bills so it's "not illegal".
(not saying this one is just that but they have done it in the past so the telcos didn't get sued I believe)
Sure, but note that this is completely constitutional, the constitution explicitly grants Congress the right to set the jurisdiction of all courts inferior to the Supreme Court.
And is not part of the problem here trying to determine the "cyber equivalent" of such things as plain sight and hot pursuit? A lot of what goes on online is the equivalent of high noon in the public square, even if people don't quite understand that.
No. The judge signature is basically the other part of the 4th amendment, about warrants. That is what makes an otherwise unreasonable search, reasonable: it was reviewed by a neutral magistrate, and the neutral magistrate determined they had probable cause.
If the search is reasonable, you don't need anything from a judge.
This doesn't mean you can go busting into places, but ...
What? No, no, no, NO. That is completely wrong. There are cases where a warrant is not necessary, such as immediate danger to an officer. However, a warrant is issued only upon probable cause. This still needs to be reasonable, and the judge is the one who decides if the search is reasonable.
What?
You are confusing the warrant requirement, which is completely separate from the reasonableness of a search.
I'm not sure how you are coming up with what you think is the analysis, but every law school textbook, supreme court opinion, etc, will tell you that you start with whether the search was reasonable.
If the search was reasonable by law, there is no 4th amendment violation. Period.
Maybe you are confused because they often say these are not searches? For example, you will read that doing helicopter flyovers, even when looking in people's fields, is reasonable (which at the time, meant it wasn't a violation of the subject's reasonable expectation of privacy), and thus, not considered a search that is subject to the rest of the 4th amendment. This isn't because it's "not a search" in reality, it's because the 4th only protects against unreasonable searches and seizures, not all searches and seizures, and thus, for the rest of 4th amendment purposes, it's not a search.
If the search was not reasonable, it either has to fall into an exception, or requires a warrant.
Now, current jurisprudence considers most searches without a warrant unreasonable (subject to plain sight, automobile exceptions, etc), but that is irrelevant to the steps in the analysis.
You seem to be mixing a lot of the analysis and requirements around.
A passable CISPA is one that wouldn't allow companies to share information specific to its users (except it's not that simple, if I'm a hacker do I get some kind of special immunity if I register on the website I hacked? What if part of the hack required me to register, is that information suddenly invalid because I have a username and a password?).
I should be able to share the md5s of malware I found on my system with my direct competitor without being hit in the face by the Sherman Antitrust Act. I should also be able to disclose to my users/the public that I was hacked in the first place, without fear of being sued.
If you invite the soldier into your home, you're bypassing the Constitutional protections you're granted. If Facebook gives its information to the government willingly, there is no Constitutional question to be had. CISPA was a voluntary program, you had to solicit the government in order to be involved, not the other way around.
CISPA is not me inviting police in to search my home. It's someone else coming into my home on behalf of the police, conducting a search the police couldn't legally do, and then reporting back on the results to the police. And they're doing this with the encouragement of the police and with a promise of legal immunity from the police. But we're going to pretend that wasn't really a search and that the restrictions that apply to the police don't apply here.
That's not true at all, the police are entirely capable, legally speaking, of performing the proverbial search. They just don't have the manpower or the expertise.
Furthermore, you don't have to invite anyone into your home if you don't want to, and yet even further you can tell the people you ask to come into your home to not share the information they find with the police. No idea why you would do that, but you absolutely can.
Incorrect. Facebook can't legally aid its direct competitors, and Facebook can currently be sued by its stock holders if it discloses that it was breached and as a result of that disclosure the stock drops.
Incorrect, Facebook can and does do this, and I've personally worked with them on it while being at other companies. Furthermore, the opposite is even true - they have a legal obligation to disclose most breaches. There is no basis for any part of your claim and it's not consistent with how Facebook is actually doing security today. Without CISPA.
What they can't do, is give someone like me private info from user accounts. And they don't need to. And that's the way it should be. Do you really want me reading your private messages with impunity because I'm investigating a security incident? And do you want me to then share it with all of the other companies involved in the breach? Do you care if I leave dirty messages between you and your wife on an unencrypted hard drive somewhere, and people read it? Under current laws, I'd be liable for that (if I actually needed it in the first place).
You shouldn't.
Under CISPA, I can't be charged or sued for any action taken in good faith. I'll just say "oops, sorry, it was an honest mistake while investigating a security incident".
(Not that this use case has anything to do with what is actually motivating CISPA anyway, but I will refrain from repeating myself)
Also, for what it's worth, I've worked with AV industry groups and they all share not only hashes, but actual samples as well. Every single one of them. I'm not talking passing around an interesting sample or two, but full, multi-gigabyte feeds. I don't know where people get the idea that they can get sued for this; it's silly and it's not true.
CISPA wouldn't stop a hired security analyst from reading your Facebook messages, it'd stop Facebook from sharing them with the government. Under a passable CISPA, anyway. And furthermore, the whole point of CISPA is to explicitly codify some very grey area. It is possible they do indeed share threat intel with their direct competitors, but there is no legal precedent for doing so. The whole point of CISPA was to lower that risk exposure for these companies.
And Facebook has no obligation to disclose breaches, not legally, anyway. Where did you get that information? And even if they somehow do have a special obligation, most companies do not, so it's not really relevant. The example is apocryphal.
And AV isn't who this is about, it's about the people who make a living off of having indicators you don't have. I shouldn't have to hire a company who's been hired by everyone else to get the collective knowledge of what hackers look like. They're criminals, and the government takes care of criminals.
For someone repeatedly making demonstrably false assertions, you are oddly sure of yourself. You're not even challenging a viewpoint here, you're just straight up talking out of your ass. You should stop doing that.
I didn't know California law applied to every company in the US. I said Facebook was just an example, and that it's not important if Facebook specifically does or does not have to disclose breaches, or can you not read?