Even doesn't do much, CISPA preempts any state laws to the contrary. So if Facebook does something later and some individual state dislikes it? Too bad. State laws would no longer be able to do anything about it, you'd have to amend CISPA.
It's sort of like lowering Facebook's "threat surface" with respect to privacy laws. And, IMHO, that's really a Bad Thing. I'll give tptacek some credit: existing privacy laws really are inadequate. But I'll still argue against removing what little protection we have, just because we're going in the wrong direction.
That said, I'd like to see more arguments against the actual provisions of CISPA. I didn't see domain seizure anywhere in the law, for example, so I would greatly prefer it if my fellow CISPA opponents were more careful to advance the best arguments we have against it, not just the most popular.
This mindset, very common on HN, confuses me. It says, in effect, that it's more important for us to pick sides and cheer on our teams than to understand what is actually happening. If I said that about a Javascript library, I'd be run off the site on a rail. But when I suggest people actually read the bills they're yelling about, the opposite happens.
Oh, I'm not indignant about it. It's obvious why pointing out the specifics of CISPA is bound to be unpopular here. I'm just confused by the mindset that says "what Cory Doctorow thinks about CISPA is more important than what the bill says".
He's not wrong. He's giving an argument based on a reading got the text of the bill, while harshreality is giving an argument (it doesn't even rise to the level of argument) based on nothing.
If you want to read what the ECPA says, here's one relevant portion: 18 USC 2511 (2)(a)(i).
Whether it carves any exception into the ECPA privacy protections for wholesale disclosure to 3rd parties as tptacek claims looks debatable. What's not debatable is that that exception does not grant immunity from any other laws if you disclose information to a 3rd party.
If tptacek had cited something supporting his position then there could be a real discussion. As it is, all I can do is say his argument looks wrong, Facebook and EFF also apparently think his argument is wrong, but since I'm not a legal expert on ECPA and related laws, I can't say for sure that there isn't some more obscure provision of ECPA that does say what he's saying.
What's the law you think Facebook would be violating by sharing potentially PII-encumbered data with another service provider incident to anything they could claim was a legitimate investigation?
In other words: in the world we're in now, pre-CISPA, what's the specific legal risk you think is preventing Facebook from sharing data?
It's certainly not the ECPA! The ECPA, like I've pointed out repeatedly, specifically carves out an exception for service providers sharing information, and makes no mention of anonymizing that data (ironically, it's CISPA that brings anonymization into the picture).
You yourself make a not-invalid point, that ECPA doesn't prohibit sharing but also doesn't shield providers from claims under other laws. I agree that if CISPA is worth keeping, the language around immunity should be tightened --- oh wait, it just was in the latest draft! --- but again:
For CISPA's sharing immunity to be a meaningful threat, you'd have to cite some statute that could reasonably threaten (again, say) Facebook for sharing information during an investigation.
Finally, I know it's annoying that I keep saying this, but: providers already share information about attacks, and it's not all anonymized or particularly carefully targeted. I have firsthand knowledge of what they used to do a few years ago, and understand that sharing has only increased since then.
1) This bill still says what it says, even if it is redundant.
2) Why is Facebook supporting this bill if it does nothing? They like risking social capital for a no-op?