there is not however, guaranteed immunity from civil/criminal prosecution for sharing data under the auspices of "national security", thats whats important about CISPA, it is carte blanc for the government to collect whatever data it wants, with zero oversight or accountability.

tptacek seems to be pushing the line that "this bill does nothing, everything it establishes is already legal". But i caution HN users to be aware of his own vested interests in this bill.

Which would be what?

you work for a security contracting/consulting firm, it is in your own professional best interests to have cybersecurity information shared as "frictionlessly" as possible

We're an appsec firm. What part of pentesting applications benefits from "frictionless" sharing of personal information?

If all the stuff in CISPA is already legal, then we do not need CISPA, do we?

There are supporters of CISPA who believe we need it because private companies manifestly do not share information about attacks, and so one thing the government can do to resolve that is (a) to encourage them to do so, and (b) create a clearinghouse in the government to provide a default place for information to be shared.

I don't agree with those people; I think CISPA is pretty silly. But that's the argument.

Because "not illegal" is distinct from "legal."

Whether or not it's legal does not inform whether or not it is a positive step as far as privacy advocacy is concerned.

Laws such as this embolden those parties that seek to undermine privacy. It is one thing for someone to be able to say "According to a set of disparate laws, X action is legal" and quite another when "According to CISPA, X action is legal."

You're responding on a thread that provides chapter and verse citation to the statute that already made this kind of sharing lawful. You might just as productively oppose every bill for not fixing the ECPA.

"as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service"

is significantly different, and much less broad than

"threats to national security", or

"theft or misappropriation of private or government information, intellectual property, or personally identifiable information."

I don't understand how "threats to national security" could possibly be broader than "incident to rendition of service" or "protection of rights or property of the provider".