Hacker News

A passable CISPA is one that wouldn't allow companies to share information specific to its users (except it's not that simple, if I'm a hacker do I get some kind of special immunity if I register on the website I hacked? What if part of the hack required me to register, is that information suddenly invalid because I have a username and a password?).

I should be able to share the MD5s of malware I found on my system with my direct competitor without being hit in the face by the Sherman Antitrust Act. I should also be able to disclose to my users/the public that I was hacked in the first place, without fear of being sued.

Are you seriously saying these aren't problems?



As far as I can tell, I argued that the "solution" CISPA offers is one that is not compatible with the Constitution of the United States.

Again, that makes it a bit of a non-starter, regardless of what problem it's attempting to solve.


If you invite the soldier into your home, you're bypassing the Constitutional protections you're granted. If Facebook gives its information to the government willingly, there is no Constitutional question to be had. CISPA was a voluntary program, you had to solicit the government in order to be involved, not the other way around.


CISPA is not me inviting police in to search my home. It's someone else coming into my home on behalf of the police, conducting a search the police couldn't legally do, and then reporting back on the results to the police. And they're doing this with the encouragement of the police and with a promise of legal immunity from the police. But we're going to pretend that wasn't really a search and that the restrictions that apply to the police don't apply here.


That's not true at all; the police are entirely capable, legally speaking, of performing the proverbial search. They just don't have the manpower or the expertise.

Furthermore, you don't have to invite anyone into your home if you don't want to, and yet even further you can tell the people you ask to come into your home to not share the information they find with the police. No idea why you would do that, but you absolutely can.


But you haven't explained why it is incompatible. It looks perfectly compatible to me.


Correct, those are not problems. You can do both of those things already, and they're done every day.


Incorrect. Facebook can't legally aid its direct competitors, and Facebook can currently be sued by its stockholders if it discloses that it was breached and as a result of that disclosure the stock drops.


Incorrect. Facebook can and does do this, and I've personally worked with them on it while being at other companies. Furthermore, the opposite is even true - they have a legal obligation to disclose most breaches. There is no basis for any part of your claim and it's not consistent with how Facebook is actually doing security today. Without CISPA.

What they can't do is give someone like me private info from user accounts. And they don't need to. And that's the way it should be. Do you really want me reading your private messages with impunity because I'm investigating a security incident? And do you want me to then share it with all of the other companies involved in the breach? Do you care if I leave dirty messages between you and your wife on an unencrypted hard drive somewhere, and people read them? Under current laws, I'd be liable for that (if I actually needed it in the first place).

You shouldn't.

Under CISPA, I can't be charged or sued for any action taken in good faith. I'll just say "oops, sorry, it was an honest mistake while investigating a security incident".

(Not that this use case has anything to do with what is actually motivating CISPA anyway, but I will refrain from repeating myself.)

Also, for what it's worth, I've worked with AV industry groups and they all share not only hashes, but actual samples as well. Every single one of them. I'm not talking passing around an interesting sample or two, but full, multi-gigabyte feeds. I don't know where people get the idea that they can get sued for this; it's silly and it's not true.


CISPA wouldn't stop a hired security analyst from reading your Facebook messages, it'd stop Facebook from sharing them with the government. Under a passable CISPA, anyway. And furthermore, the whole point of CISPA is to explicitly codify some very grey area. It is possible they do indeed share threat intel with their direct competitors, but there is no legal precedent for doing so. The whole point of CISPA was to lower that risk exposure for these companies.

And Facebook has no obligation to disclose breaches, not legally, anyway. Where did you get that information? And even if they somehow do have a special obligation, most companies do not, so it's not really relevant. The example is apocryphal.

And AV isn't who this is about; it's about the people who make a living off of having indicators you don't have. I shouldn't have to hire a company that's been hired by everyone else to get the collective knowledge of what hackers look like. They're criminals, and the government takes care of criminals.


> And Facebook has no obligation to disclose breaches, not legally, anyway. Where did you get that information?

Really?

http://en.wikipedia.org/wiki/Security_breach_notification_la...

For someone repeatedly making demonstrably false assertions, you are oddly sure of yourself. You're not even challenging a viewpoint here, you're just straight up talking out of your ass. You should stop doing that.


I didn't know California law applied to every company in the US. I said Facebook was just an example, and that it's not important if Facebook specifically does or does not have to disclose breaches, or can you not read?
