This is the part where tptacek says CISPA doesn't do anything particularly bad vs. the state of law now, other people express fairly emotional vs. fact-based arguments about what bad it could do, and no one (in industry or government or watchdog groups) really knows for sure what CISPA would, in practice, mean, right?
Nah. It's bad. Here's a simple argument that covers just one part of the bill.
CISPA would give a safe harbor from other privacy rules to companies that share information with the government as long as that information is about "cyber threats". Now, let's say someone breaks into your database server and you're at a company with not-too-skilled IT people. The government shows up and says "hey, what can you tell us about the attack you experienced? PS - we'd be happy to analyze your data for you."
What do your IT people do? They say "screw it, we'll just send in all the logs we have and let the feds figure it out." And so they do that.
What if the law protects the information in those logs? What if the information is sensitive (like health or financial information) and is protected under a special privacy regime like HIPAA? Or what if the information is protected from disclosure by contract (like in a TOS/TOU document)? CISPA says that the disclosure is exempt from whatever sanctions/punishments would happen under those protection regimes because Cyber Threats Are Important (tm).
Disclosure: I am not a lawyer. Even after it's passed into law, only a court can decide exactly what the safe harbor in CISPA means.
That is in fact more or less what the law allows firms to do: when their database is compromised, they are allowed to cooperate with other service providers and with law enforcement to track down what actually happened to their systems without spending $50,000 to ensure that they aren't violating, say, DPPA.
Sure. What's the alternative? What did you think happened when law enforcement investigated serious computer crimes? If a financial institution has a key database popped and the Secret Service is called in to investigate, was it your expectation that the victim was required to carefully anonymize and blind all the data in that database? How could any criminal investigation work if that was the requirement? (Cliff's Notes: That's not the requirement).
The bill as written, even before the narrowing amendments, acknowledges the risk this subthread discusses. It does that by trying to define "cyber threat information", as information directly implicated in an attack. In the sponsor's notes on the bill on the House site, they explain that the definition of "protected entity" was changed specifically to prevent individual people from being considered as entities, so that person-specific data couldn't be handed over under CISPA authority.
The basic problem the bill addresses is this: large companies are under continuous attack. Let's stipulate that attacks come in two flavors: DDOS and targeted malware.
In both cases, there is clear utility in allowing companies to collaborate with other companies and with the government.
In the DDOS case, you want to share NetFlow information with your upstream ISPs and with DDOS trackers, because those are the organizations that generate black-hole and IP filtering rules, and they all work better if they have lots of different vantage points to work from. At the very least, you want to push sources back up to your immediate upstream providers so they can soak them up on their infrastructure rather than saturating your uplinks.
In the malware case, you want to share forensic information that would help identify (a) the vulnerability the malware exploits, (b) the C&C system the malware is using, (c) any evidence of the source of the malware, and (d) forensic information that would help investigators discern the intent of the malware.
In both cases, your company's general counsel is apt to inform you that the legal risk of sharing just that information is potentially unbounded, because nobody can predict exactly what claims could be made under ECPA, SCA, DPPA, HIPAA, FERPA, &c; nobody even knows what traces of information, overt or statistical, might be lurking in NetFlow.
So the situation we have today is that there is information sharing when attacks happen, but much of it is sub rosa, and you have to be in the right clubs to get access to the right sharing networks.
It does not make intuitive sense to me that electronic privacy should mean that basic low-level systems information incident to a real attack should incur unbounded legal risk when shared with other companies directly involved in mitigating those attacks.
You might disagree, and that's fine. But the notion that CISPA is actually intended to allow NSA to read your email is just not supported by the language of the bill, by any advocacy for the bill, or by any of the bill's amendments, and the problem the bill is addressing is a real problem (I have some limited professional exposure to it).
One alternative is to limit CISPA to law enforcement receiving the information rather than the National Security Agency and other arms of the defense-intelligence apparatus. But that amendment failed by a 4-14 vote this week.
May I assume that you'll publicly oppose CISPA if it continues to advance without that amendment? :)
Also, regarding your claims that person-specific data can't be handed over, a separate amendment requiring that failed by a 4-16 vote. So it will be able to be shared with the NSA.
BTW, I'm not arguing that there are not real problems arising from attacks that large companies, and even smaller companies, face. The question is what to do about it, and whether CISPA remains the best vehicle.
I don't understand why you think CISPA is hard to parse. The 2013 draft bill is public. The bill is extraordinarily short. And many of the objections --- which you rightly call out as emotional --- are contradicted by the text of the bill.
I don't so much care whether CISPA passes. What I do care about is people trying to fundraise by convincing willfully ignorant nerds that CISPA is a backdoor SOPA bill; why, just look, GoDaddy supports it, it must be bad!
The reason it's hard to parse is that random amendments can be added late in the game which totally change the meaning of the law (of course, they could be added to any bill). And, I was trying to be charitable.
It's funny you should mention that. Random amendments were in fact added to CISPA 2012. They did things like, for instance, ensuring that terms of service violations wouldn't constitute cyberthreats, or making it clear that the bill wasn't intended to stop piracy.
The amendments are public too. You can actually read them.
As you can see, I'm not very charitable about this. Nerds are to online regulation what the Michigan Militia is to gun control. I respect and defer to fact-based objections to CISPA, but I have no patience for the (large set of) people who simply make things up about it to try to win arguments.
There's a legitimate reason for the Internet Hate Machine to try to preempt bad law -- it takes a long time to power it up, and sometimes bad law is forced through quickly. The forcing through bad laws with minimal public comment and debate (epitomized by PATRIOT) is the real problem, there, though. There is no possible argument that CISPA, SOPA, or PIPA issues are so pressing as to not allow a reasonable period for commentary and debate.
I feel like I'm being charitable by discussing CISPA as if it was somehow similar to SOPA or PIPA, because CISPA has nothing whatsoever to do with SOPA or PIPA.
I do not have a problem with people who generally oppose Internet regulation of all sorts (I don't agree, but I don't make fun of them either).
I do have a problem with "Internet Hate Machines" of all sorts. You are not entitled to invoke principles to deploy bad facts.
Have you read the 2013 House CISPA amendments? I have. They're public. I'm guessing, no, right? Are you a gambling man? Would you like to bet me how agreeable they are relative to the text of the bill itself? The 2012 CISPA amendments tightened and restricted the act. What do you think the new 2013 amendments do?
The connection between SOPA/PIPA and CISPA goes the other way; anti-SOPA/PIPA entities are using CISPA to fundraise and influenceraise, independent of the reality of CISPA.
The only amendments I've read about in 2013 are PII removal and removing the "national security" terms, both of which are civil liberties enhancements. (although I don't know where to find the actual text of the amendments). The 2012 amendments were improvements to baseline CISPA (especially the ToS vs. CTI clarification, which was my only real objection to CISPA originally). I do not think I'd take your bet; the probability of something bad being attached is low, but if something bad is attached, it's high severity, so moderate risk. You'd give odds based on probability and I'd want based on expected-harm.
Re: IHM. Reasonable people don't really win at politics. Look at how AARP/etc. essentially eviscerate anyone who thinks of touching Medicare or SS. Thus, horrible public policy (wealth transfers from the poor and young to the old and wealthy!) persists in the face of all logic. That it does shows how effective their lobbying/rabble-rousing strategy is.
Civil libertarians tend to err on the other side, for "what would be best for society", and end up with all kinds of bad stuff happening to them.
I'm ok with "ends justify means" in this case -- if "means" is "make everyone in Congress terrified of any cyber-laws which aren't explicitly and transparently improvements to individual privacy and freedom."
>(although I don't know where to find the actual text of the amendments).
This¹ site lists the amendments and has a PDF for each. I'm not sure if it's all of them or contains the ones you mention. The PDFs are dated and some are Feb-April 2013. This PDF² seems to be the current bill with the amendments accounted for in the text ("H.R. 624 as Amended").
edit: I just noticed that ² has a date of Feb. 2013 while some of the amendments have April 2013 dates, so I don't think it's the most current version.
I'd be interested to hear defenders of the legislation explain why CISPA remains such a lovely bill after the House Intelligence committee rejected these four amendments that were aimed at protecting privacy:
* Limiting the sharing of private sector data to civilian agencies, and specifically excluding the NSA and the Defense Department. (Failed by a 4-14 vote.)
* Directing the president to create a high-level privacy post that would oversee "the retention, use, and disclosure of communications, records, system traffic, or other information" acquired by the federal government. It would also include "requirements to safeguard communications" with personal information about Americans. (Failed by a 3-16 vote.)
* Eliminating vague language that grants complete civil and criminal liability to companies that "obtain" information about vulnerabilities or security flaws and make "decisions" based on that information. (Failed by a 4-16 vote.)
* Requiring that companies sharing confidential data "make reasonable efforts" to delete "information that can be used to identify" individual Americans. (Failed by a 4-16 vote.)
I kind of hate those amendments (without having read them). I'm not really defending CISPA (I would like better security, but I generally distrust the government both for competence and for goals/morality/ethics).
1) NSA and USAF are specifically the only parts of the USG I want to have access to this data. I trust NSA and DOD way more than I trust FBI, DEA, etc. to not fuck me personally if my data is somehow included in a dump given to them for anti-terrorism purposes.
2) Useless bureaucrat. I don't believe in oversight of government by government; mandatory reporting requirements to the public, with independent watchdogs like EFF/ACLU, are the only thing which would really work for me.
3) Vague thing is vague.
4) I don't really want companies to have to do PII filtering; I'd rather they be able to dump bulk data if under attack, since J. Random big dumb company or non-security startup is in no position to do forensics, filter, etc.
It would have taken me 19 paragraphs to make the same points. I agree with all of them.
Ryan, your head seems to be screwed on properly, so what are the things you would like to see done to CISPA to make it commercially feasible to share bulk data when banks or ISPs come under sustained attack?
in reply to tptacek below (I think I'm still within the too-many-nested-replies thing)
I don't know if it's possible to limit CISPA, while keeping it useful, enough to keep civil libertarians happy. The best solution is probably to take a page from my much more seriously followed personal legislative issue: gun rights.
I'm actually in favor of universal licensing/background checks and such for firearms, if implemented correctly (not building a registry, using a technical solution to make it possible to trace ownership of a gun without enumerating all guns owned by a person, etc.)
But, the gun lobby/gun owners rightly fear any new regulations are just there to kick them down the slippery slope, so they dig in their heels and oppose everything.
The way around it, I think, is to have a good background check bill proposed which ALSO eliminates a bunch of ineffective existing regulations (allow import of 1968+ MGs, non-sporting-use weapons, no 922(r) parts count, sale of transferable new post 1986 MG under existing NFA rules, removal of SBS/SBR/suppressors from NFA, potentially CCW reciprocity). There's enough pro gun stuff in that to make up for the risk/fear of the new licensing regulation.
Maybe do the same thing with CISPA -- information sharing, but at the same time address the NSL issue, fix anti-circumvention in DMCA, potentially limit CALEA (I hate that it applies to anything but POTS telephony), etc. I'm not sure what specific concessions should be made, but the idea of trading some relaxing ineffective or bad existing law for new law seems like the best way forward.
To be fair: THOMAS is usually very slow at putting up amendment text, sometimes taking weeks or months after a vote to put up floor amendments.
(I have complained, and they said they should be there the next day, but then I pointed out about 25 cases where it wasn't, and they kinda stopped talking :P)
But I disagree with his "Michigan Militia" analogy, which is a bit silly. Another way to look at it is that starting with Clipper, CDA, CALEA, crypto export controls (plus mandatory domestic key escrow approved by a House committee), we've lived through 20 years of ill-advised regulation. So unless the merits of a new proposed law clearly outweigh the downsides, which is not the case in CISPA, a measure of skepticism is reasonable.
Wait, what? We don't have Clipper or key escrow of any sort. You seem to be arguing that every measure ever introduced into Congress has to be judged against the dumbest ideas ever introduced into Congress.
tptacek: You're quite right that neither are with us today. The reason: Clipper and key escrow were defeated by the same advocacy groups you claim, without any evidence, are trying to "fundraise by convincing willfully ignorant nerds" CISPA is bad.
I can imagine FBI director Louis Freeh saying the same thing when he was defending bans on non-escrowed encryption in the late 1990s: "Nothing wrong with mandatory key escrow! Silly ACLU EFF EPIC etc. are just trying to fundraise off of fear and emotion."
What does EFF's opposition to Clipper have to do with what CISPA says?
You yourself have conceded on HN that advocacy groups have directly misstated details about CISPA. Now you're writing comments suggesting that I'm being misleading by pointing that track record out. That is not honest debate, Declan.
tptacek: Two points. First, if an employee has a history of writing bad code, you may scrutinize their efforts more closely in the future. Same with Congress. I was making a historical point for context based on rdl's mention below.
Second, I'm not aware that anything ACLU EFF EPIC said that's intentionally false re: CISPA. As you correctly say, other groups may not be as careful (although even then, you could have unintentional falsehoods, and I rarely like to speculate about motives).
How many of the names on CISPA were in Congress for Clipper? Answer: Frank LoBiondo. That's it, out of a long list of names. Congress is not one monolithic thing.
The basic issue around CISPA is that it puts the power to share info in the hands of the tech companies. They like it because the government cannot compel actions--unlike the Senate bill last year.
Tech companies trust themselves to only share the critical info needed for better security, so they do not see a risk in CISPA.
Citizen groups do not trust tech companies or the government, so they see risk in any legislation that seems to reduce oversight of info sharing between them.
Right, a lot of the issue is that SOPA/PIPA (and before that, PATRIOT, NDAA, etc) have poisoned the water between ~the users of the Internet and ~the Government.
Yes. And this retroactive immunity for illegal (and in some cases criminal) activities, which Candidate Obama supported despite telling me ~six months earlier he would not:
http://news.cnet.com/8301-13578_3-9986716-38.html
"...voting to derail lawsuits against telecommunications companies that unlawfully opened their networks to the National Security Agency. Senators voted 69 to 28 for the bill, which would rewrite federal wiretap laws by granting retroactive immunity to telecommunications companies..."
This is a continuation of our disagreement above, I know, but if you have an entity that has advanced problematic proposals multiple times when it comes to regulating technology -- and at times demonstrated a near-complete lack of understanding of what they're trying to regulate -- it's not unreasonable to apply more scrutiny to future proposals.
You're right that nobody should be making inaccurate claims about the bill (though I try to be charitable and say inaccurate claims in either direction are misunderstandings, not intentional distortions). I'm making a slightly different point, which is an argument for lower threshold to trigger scrutiny, and a higher threshold to legislate in the first place.
My objection to this line of reasoning is that there is only one entity producing U.S. legislation, so there is no real point of comparison. One cannot even compare Congress as a whole over time, since its membership changes (however slightly) every 2 years.
Also, is there any subject for which everyone can agree that Congress is good at proposing legislation? The whole point of the legislative process is to adjudicate between competing opinions; so whether any piece of legislation is "good" or "bad" will vary, to some extent, according to the observer.
Edit to add conclusion: Each bill should be judged on its merits, not on the fact that it comes out of Congress (since that is where they all come from).
Like all new laws this one will be sold one way and used another -- likely very expansionary -- way.
For example, the Patriot Act was sold as a thing that would only be used to catch terrorists. Its total terrorist-catching prosecutions to date is trivial, zero to a few. But it's still getting used quite a bit.
I'm not saying that the people who got caught in many of those cases didn't do something wrong, nor am I saying that they should get away with no consequences. But I don't see how you can charge people with "terrorism" for doing decidedly non-terrorist things.
If the text of the bill doesn't matter, the text of every other privacy-related bill doesn't matter either, and we can skip all these pointless arguments and let them pass SOPA. After all, they're just going to use milk safety regulations to combat piracy.
It's not that the text of the bill is COMPLETELY irrelevant. It's that the big companies will use their newfound powers in ways that fall into a gray area in the bill and of course the government will choose not to prosecute them for doing so, or judges will allow it because it's a gray area and not EXPLICITLY disallowed.
Because CISPA's definition of a "cybersecurity" threat is too broad. One of the vague terms it employs is "unauthorized access" -- a term we have seen abused recently in the cases of Aaron Swartz and Weev.
My fear is that, like the PATRIOT act, CISPA will grant overly-broad powers to intelligence agencies that will be employed for general surveillance. My view is that any law that curtails liberty should do so minimally. I don't oppose fighting cybersecurity threats, but the bill needs work still.
You just made an argument that is directly contradicted by the text of the bill.
‘(B) EXCLUSION.— Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
No, I was responding to the "unauthorized access" point in the parent comment. Since you can't be charged with a crime under CISPA at all, I'm not sure how your comment isn't a non sequitur.
I wouldn't be surprised if this bill simply protected what they're already doing in secret. I'm sure all of these companies already have agreements with the NSA of one kind or another.
Really it just streamlines things and eliminates paperwork shuffles. If you have something they should see and they know you aren't a crank, you just say hey, I have this event. If you are interested, send me an admin subpoena. If they care, they do.
The entity handling this stuff seems to be DHS or FBI, not NSA, but they are all part of IC so the info should, in theory, be shared around.
My wild speculation is they are trying to gather logs to make a sort of national IDS to be more proactive in detecting APT.
A headline "Tech group representing AT&T, Palantir backs CISPA" isn't good copy. But that could have been the headline. The "Executive Council" (which seems to be the part of the organization that draws the focus on Google and Yahoo) also contains people from Oracle, Microsoft, and VeriSign. And one thing that council doesn't do is sign off on every letter the group sends out (or, probably, every point in the policy platform it espouses).
I doubt without knowing exactly that Google's official position is anti-CISPA and that this group doesn't speak for them because they don't actually control what it says. But I've been surprised in the past.
Perhaps, though, people should read this and think "hey, Google ought to put some pressure on the lobbying groups they participate in not to be stupid/evil/whatever." And perhaps if a few Google executives express that they're upset that their names were used in conjunction with something they don't support, they can rein in groups that want to claim the mantle of "the tech industry".
The difference is, we expect this sort of Evil behavior from AT&T, Palantir, Oracle, VeriSign and definitely Microsoft. But when a company with the supposed motto of "Don't be evil" backs it, it's news. Yahoo, though, I'm only a little surprised. I'm also not surprised Apple is a member, nor that you (and the headline) didn't mention them.
Sure, sure, you can't keep track of the political positions of every group you're a member of. But if a group holds opinions that are evil, that might just be a good reason to not maintain membership. I could easily Godwin this thread by mentioning certain groups I am not a member of for exactly that reason. The company you keep and all that.
Trade associations tend to remain silent when a good portion of their members oppose legislation. But Google/Facebook/Microsoft aren't opposing CISPA, last I checked. It's more like they're just remaining neutral.
And the erosion of privacy protection in the name of "security" continues unabated.
The problem with CISPA is we don't need it. I'm not a libertarian (I want single payer universal health care, for example), but I am fully against the PATRIOT Act, FISA abuse and the numerous other things done in the name of security since 9/11.
The reason 9/11 happened was not a lack of security or intelligence; we had those. It was failure to act on the information we had.
We shouldn't be putting more power in the hands of intelligence agencies which have no public oversight. I understand the need for those agencies, but I think they should be as small as possible. Things like CISPA seem to be based on an opposite view; giving them as much power as possible.
EDIT:
Also the notion that you can learn everything you need to know about these bills by reading the bill itself is so myopic as to be comical.
You could say exactly this set of things about any bill ever. Not one phrase in this comment binds in any way onto CISPA. You literally could have written it 8 years ago, saved it in a text file in your home directory, and just copy/pasted it into this thread no matter what the bill said.
If you think the real meaning of the bill has nothing to do with the text of the bill, that the text of the bill doesn't matter, just give up. CISPA is tiny compared to ECPA; if you think CISPA has holes a truck could drive through, give a close read to SCA. If you believe the government is going to use milk safety regulations to prosecute movie pirates, just let them pass whatever, and skip the arguments.
> You could say exactly this set of things about any bill ever.
No, I couldn't. There are unfortunately a lot of bills I could have said that about (and I mentioned some of them), but not literally any bill ever.
In fact, most bills are not about granting more power to intelligence agencies at the cost of privacy protections.
But thanks for sticking to your role as mindless CISPA defender. You play it well.
EDIT:
> If you think the real meaning of the bill has nothing to do with the text of the bill, that the text of the bill doesn't matter, just give up.
I didn't say that and obviously didn't mean that.
I also couldn't give a shit about movie pirates. I buy my entertainment. That's the bonus of being a full grown adult with a career.
But I do care about the erosion of privacy law for no benefit whatsoever, and in fact, what I see as a detriment; continuing to grow the intelligence industry which has no public oversight. That's a Bad Idea(tm).
You probably don't care if you can convince tptacek, but to random people following along (who you might be able to convince), calling tptacek mindless undermines your goal.
I'm not really concerned. I mostly post comments because I have all these thoughts in my head and I want to let them out.
I called him "mindless CISPA defender" because based on his comments on the subject, that seems like an accurate description.
And in my specific case he seemed to pay no attention whatsoever to what I brought up and replied with a handful of boilerplate responses that didn't really apply to what I was saying. So, that seemed pretty much like a mindless automaton to me.
I disagree: I think ebbv's analogy is fair, and talking about CISPA (designed to encourage .com->.gov/.mil data flows) as akin to the Patriot Act (designed to increase .com->.gov data flows) and FISA (designed to regulate .com->.gov data flows) is appropriate.
So is asking about unintended consequences of legislation that's touted as accomplishing one thing but will be far broader. CISPA's sponsors say it's necessary to respond to the real threat of Chinese military hackers, but of course the legislation isn't limited to that.
If there are a series of related and bad bills, offering the same general criticisms of them is reasonable. If you're pro-choice and are upset by state efforts to ban abortion, then you can use similar language ("fully against..." "we shouldn't be putting more power in the hands...") to talk about bills in Arkansas, Colorado, Mississippi, North Dakota, Kansas, etc.
Of course a more detailed discussion involves going into more depth and talking about the differences between each state's anti-abortion proposals.
Since we already have a track-record of the government granting retroactive immunity for illegal acts by ISPs, why do we need CISPA at all?
Why not just have the Feds or whoever call up Google and say "Look, this is really important information, as I'm sure you agree, so let's solve the problem, and if any technicalities were violated along the way, we'll get them excused by the overwhelming benefit of your actions" ?
ebbv: You're right that you can't learn everything about legislation by reading it in isolation.
You generally need to read it side-by-side with the law it's amending. You need to read any amendments, and the rejected amendments. You need to read caselaw on point so you're aware of how courts have interpreted certain terms. You need to read existing laws in the same area. To the extent that courts will consider it, you need to read the legislative history, floor debate, and committee reports. Ideally you'd want to talk to a lawyer specializing in this area. Obviously the shorter the law, the less all this is necessary, but the text of the law tends to be merely a starting point.
There is no intersection between the NSL controversy and CISPA. CISPA is entirely opt-in. Google has to volunteer the information; it can't be coerced into doing so by the government. Even if Google wanted to share emails, voluntarily, it would not find authority to do so in CISPA, because CISPA scopes the kinds of information that can be shared to data incident to actual cyber attacks.
I halfway agree. Google and some other left-coast companies are the least likely to take advantage of CISPA's wildcard override-all-existing-privacy-laws loophole. Google has fought the DOJ in court before to protect the privacy of their users; they're fighting the FBI now. Facebook, Amazon, and Twitter have done the same.
But other companies, including AT&T, are far more likely to exploit this loophole (in fact they persuaded Congress to immunize them for illegal activity, post-facto): http://news.cnet.com/8301-13578_3-9986716-38.html
Your claim that a company could "not find authority" to share emails under CISPA is close to the mark but not quite there. First, the House Intelligence committee rejected an amendment by a 4-16 vote that would have required companies to "make reasonable efforts" to delete "information that can be used to identify" individual Americans.
Second, data that can be freely shared with FedGov including NSA encompasses broad categories of information relating to security vulnerabilities, network uptime, intrusion attempts, and denial-of-service attacks, with no limit on sharing emails or personal data. See: http://news.cnet.com/8301-13578_3-57579012-38/privacy-protec...
You wrote a lengthier comment that enumerated the failed CISPA amendments that I need to take some time to respond to, but in the meantime:
Regarding PII in threat data, we're talking about orthogonal concerns. The amendment you're talking about would require all threat data to use (presumably commercially reasonable methods) to scrub PII. The concern there is accidental inclusion of PII; it's that disclosure of, say, IP addresses in NetFlow information might uniquely identify customers. But providers today aren't required to fully anonymize NetFlow when they cooperate with investigations. The amendment was a sensible measure and I wish it had passed, but its failure does not break new ground for privacy nor does it change the original scope of the bill. When we last discussed CISPA on HN, that amendment didn't exist, and I still didn't think the bill was scary.
The PII concerns I'm referring to involve the idea that CISPA could be used to frame individual citizens as cyber threat protected entities so that raw information about them could be shared by AT&T incident to some supposed attack. That is an interpretation of CISPA that was explicitly rejected by the bill's sponsors; they cite specific language they added to the bill to counter that interpretation.
(I didn't downvote you and don't understand why anyone would downvote you, but I could get downvoted here for saying "water is wet", so oh well.)
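The two comments above that actually touch on mechanics (sharing NetFlow with upstream providers and DDoS trackers so they can build filtering rules, and the worry that raw NetFlow uniquely identifies customers) can be illustrated together. The following is an added example written for this page; it is not code from anyone in the thread. It assumes a simplified NetFlow-style CSV export, a constructed sample using only documentation address ranges, and that the "customer" side of the flows is the provider's own announced prefix (203.0.113.0/24 here, an assumption). It aggregates attacker sources the way an upstream would want them, rewrites the customer-side address down to the prefix before disclosure, and runs a pre-send check that no individual customer host address survives in the shared records.

```python
"""
Added example (not from the thread): prepare DDoS flow data for sharing
with an upstream provider while minimising customer-identifying fields.

Assumptions (mine, not the thread's): flows are simplified NetFlow-style
CSV lines; the "customer" side is our announced prefix 203.0.113.0/24;
sharing partners need attacker source addresses and volumes, not which
individual customer host was hit. All addresses are documentation ranges.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample flow records (documentation address ranges only).
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,src_port,dst_port,proto,packets,bytes
1366000000,198.51.100.7,203.0.113.10,40231,80,6,12000,9600000
1366000000,198.51.100.7,203.0.113.10,40232,80,6,11800,9400000
1366000000,192.0.2.44,203.0.113.10,53,53,17,50000,70000000
1366000001,192.0.2.45,203.0.113.11,53,53,17,48000,67000000
1366000001,198.51.100.9,203.0.113.10,51000,443,6,20,2400
1366000001,203.0.113.10,198.51.100.200,443,51234,6,30,4100
"""

# Hypothetical announced prefix of the provider under attack.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def parse_flows(text):
    """Parse CSV flow lines into dicts with integer counters."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["packets"] = int(row["packets"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def inbound_to_customers(flows, prefix=CUSTOMER_PREFIX):
    """Keep only flows whose destination is inside our prefix (the attack direction)."""
    return [f for f in flows if ipaddress.ip_address(f["dst_ip"]) in prefix]


def top_sources(flows, limit=3):
    """Aggregate bytes per external source; this is what blackhole/filter rules need."""
    totals = defaultdict(int)
    for f in inbound_to_customers(flows):
        totals[f["src_ip"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def minimise_for_sharing(flows, prefix=CUSTOMER_PREFIX):
    """
    Rewrite inbound flows for disclosure: the customer host address is
    replaced by the announced prefix and flows are merged per
    (src_ip, prefix, dst_port, proto), so no single customer host is named.
    """
    merged = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in inbound_to_customers(flows, prefix):
        key = (f["src_ip"], str(prefix), f["dst_port"], f["proto"])
        merged[key]["packets"] += f["packets"]
        merged[key]["bytes"] += f["bytes"]
    shared = []
    for (src, net, port, proto), counts in sorted(merged.items()):
        shared.append({"src_ip": src, "dst_net": net, "dst_port": port,
                       "proto": proto, **counts})
    return shared


def leaks_customer_hosts(records, prefix=CUSTOMER_PREFIX):
    """Pre-send check: does any field value name an individual host in our prefix?"""
    for rec in records:
        for value in rec.values():
            try:
                if ipaddress.ip_address(str(value)) in prefix:
                    return True
            except ValueError:  # ports, counters and "a.b.c.0/24" are not addresses
                continue
    return False


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top attack sources by bytes:", top_sources(flows))
    shared = minimise_for_sharing(flows)
    print("raw export names customer hosts:", leaks_customer_hosts(flows))
    print("shared export names customer hosts:", leaks_customer_hosts(shared))
    for rec in shared:
        print(rec)
```

The design point is that the two outputs serve different recipients: the per-source byte totals are what an upstream needs to write a filter, and the merged records keep only the prefix on the customer side. The raw export trips the `leaks_customer_hosts` check while the minimised one does not, which is the kind of routine a general counsel could point to when asked what the company actually handed over.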
At this point I'm convinced that they never meant this. It was simply a recruiting slogan to attract all the liberal/libertarian/anti-corporation comp sci students who went to Stanford and Berkeley.
I'm pretty sure that early on (when pb coined the phrase), it was meant like "don't be like the other evil companies we've seen on the Internet in the past" (which presumably at the time meant Microsoft, maybe USG, maybe ITU, etc.), which Google probably broadly believed internally. (This was in the early 2000s.)