Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The point of not buying Facebook because of CISPA would tell more if the point were expanded to the sustainability of their business model. For example, what does their support say about their relationship with users going forward? Bearing in mind that, as users currently don't seem to care, we're talking about a set of concerns that presumably will emerge down the road. What are those concerns and how will they emerge?

Remember that we're talking about questions that didn't exist five years ago, and to which there isn't any community consensus. Most investors won't understand the argument, never mind Alex's side of it. So educate them: Tell them how the issue speaks to how these choices will evolve, and bring forth concerns that are currently held by only a few people. Point out that it was a similar group of people that worried about the Microsoft OS model twenty years ago, and that they were so right that the work they did on own on open source laid much of the groundwork for our current environment.

If you can get investors to link stuff like CISPA to business model sustainability, they'll go to school on the issues, and the conclusions they form will shape the equity marketplace for every social media company to come. But they have to hear what the debate is, and its implications for the businesses.



As a persuasive strategy this makes a lot of sense and I see the value of the comment. But on the specifics: do you have something in mind as to how CISPA might impact Fb's relationship with its users, or its business model? Obviously, I'm asking because I'm skeptical that there is any such impact, but I'm very interested in your reasoning.


Honestly I'm not a CISPA expert. I do see two concerns:

1. It seems to me that inviting government examination and regulation of network traffic, in the name of security, seems unlikely to make the 'net _more_ flexible, and potentially could lead real rigidity that would be bad for development of 'net businesses and degrading the experience possible over the 'nets.

2. Stuff like CISPA is generally validating of 'net control regimes such as in Iran and China. As the malice of those becomes ever more apparent, US policies viewed as precedents and justifications will be suspect, as will supporters of those policies. Supporting this stuff will be like supporting tobacco companies and netting dolphins to catch tuna -- and may cause deep customer suspicion in a field where trust will be crucial.

Now item item 1, more rigidity, could be seen as positive for incumbents like FB. To which I'd would say that technology has already evolved around a lot of rigidity and that any business founded on a particular regulatory environment is dated to the moment when technology obviates those regulations.

Item 2 is more speculative, but I actually think more likely to prove telling. But it's going to take 5 - 10 years.

Someone more knowledable of CISPA could do better. The broader point of my remark is, figure out how those details relate to the Facebook business model and speak to that. Do that and you'll have an audience. And there's no need to rush, the stock will be around for a while.


CISPA doesn't add any regulation to network traffic. It doesn't impose government controls. It's an opt-in mechanism that purports to allow private companies to share information incident to security attacks on their services; what it does, essentially, is clarify the (already very weak) privacy controls of the ECPA to make it clear that companies who are being attacked can share traffic captures without being sued the way Google is now for the Street View fiasco.† It doesn't authorize countermeasures; it doesn't enable services to be shut off; it doesn't alter due process controls for the government to seize information from non-cooperative services.

With that in mind, I'm curious as to how your reasoning might change. Do you think an opt-in information sharing mechanism for corporations really validates the state-sponsored network access control used in Iran and China? I'm interested in how.

They already probably can't be sued for that, but I believe the thinking here is that by spelling it out in black-letter law, companies will be encouraged to share information more than they already do; note that ISPs already do have programs to share attack information among themselves, but application service providers tend not to.


I have now spent 5 minutes on the EFF site and am now qualified to hold forth at length.

More seriously, that depends on the terms of "opt-in" and "sharing" and "security", yes? Such details make nice real estate for the Devil. I'm by no means convinced that the people writing these laws understand the implications and possibilities -- I don't trust their values because I don't think they have the understanding to even have values. Or understand how those values are advanced or eroded. What opinions I have of their values are formed by the SOPA episode.

To _my_ mind, I would need to see the compelling argument for why we need legislation in the first place. At which time I'd have to go to school on this more than I have. And most of the security problems I've read about have more to do with corporations doing a terrible job configuring their own equipment than with some remarkable threat that can only be met through government-organized action.

So in general, I'm against any law without some compelling need. I don't see one here, and that might be ignorance, but that's my view at the moment.

How would I relate that to Facebook? If my view were valid, my first stab would be, "They are supporting over-broad legislation, without a stated need, that could easily go wrong. That bespeaks a centralized-solution attitude contrary to the values that have built the 'net we have today, and unlikely to found the trust needed to make the 'net work best going forward."

But even if that withstood scrutiny I'm not sure their business is going to live or die based on what is essentially a question of corporate culture. If they don't die of something else, they'll get opportunities to change their approach on this stuff.


Your time would be better spent reading the CISPA bill itself, which goes to some length to define "sharing" and "security". I can summarize, but the firsthand sources are surprisingly readable:

http://www.govtrack.us/congress/bills/112/hr3523

As regards "opt-in": it's inherently opt-in, because it provides no mechanism for the government to demand information from any provider. Obviously, the government can already use court orders to get access to information. Beyond that, the bill explicitly prevents the government from making such demands; for instance: "Nothing in this section shall be construed to permit the Federal Government to... ‘(A) require a private-sector entity to share information with the Federal Government;".

As regards "security": the bill actually defines this term (a novel twist in "cyber security" legislation):

    ‘(i) a vulnerability of a system or network of a government or private
    entity;
     
    ‘(ii) a threat to the integrity, confidentiality, or availability of a
    system or network of a government or private entity or any information
    stored on, processed on, or transiting such a system or network;
     
    ‘(iii) efforts to deny access to or degrade, disrupt, or destroy a
    system or network of a government or private entity; or
     
    ‘(iv) efforts to gain unauthorized access to a system or network of a
    government or private entity, including to gain such unauthorized
    access for the purpose of exfiltrating information stored on,
    processed on, or transiting a system or network of a government or
    private entity.


Probably right, if I had reason to take interest in fixing this corner of the law.

But like refactoring code, I don't see why I'd even discuss changing law without having some very good reason. And I still don't see why this is a good place to run the risks of unintended consequences and / or malign legislators.


Without diving in even as far as you have, my main problem with the proposed law is that it would remove FB's liability in complying, so the default will be to simply hand over any information related to any investigation. "Opt-in" is the obvious answer for a corporate entity wishing to mitigate its financial liability.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: