
Incorrect. Facebook can't legally aid its direct competitors, and Facebook can currently be sued by its stock holders if it discloses that it was breached and as a result of that disclosure the stock drops.


Incorrect. Facebook can and does do this, and I've personally worked with them on it while at other companies. Furthermore, the opposite is even true - they have a legal obligation to disclose most breaches. There is no basis for any part of your claim and it's not consistent with how Facebook is actually doing security today. Without CISPA.

What they can't do is give someone like me private info from user accounts. And they don't need to. And that's the way it should be. Do you really want me reading your private messages with impunity because I'm investigating a security incident? And do you want me to then share it with all of the other companies involved in the breach? Do you care if I leave dirty messages between you and your wife on an unencrypted hard drive somewhere, and people read them? Under current laws, I'd be liable for that (if I actually needed it in the first place).

You shouldn't.

Under CISPA, I can't be charged or sued for any action taken in good faith. I'll just say "oops, sorry, it was an honest mistake while investigating a security incident".

(Not that this use case has anything to do with what is actually motivating CISPA anyway, but I will refrain from repeating myself)

Also, for what it's worth, I've worked with AV industry groups and they all share not only hashes, but actual samples as well. Every single one of them. I'm not talking passing around an interesting sample or two, but full, multi-gigabyte feeds. I don't know where people get the idea that they can get sued for this; it's silly and it's not true.


CISPA wouldn't stop a hired security analyst from reading your Facebook messages, it'd stop Facebook from sharing them with the government. Under a passable CISPA, anyway. And furthermore, the whole point of CISPA is to explicitly codify some very grey area. It is possible they do indeed share threat intel with their direct competitors, but there is no legal precedent for doing so. The whole point of CISPA was to lower that risk exposure for these companies.

And Facebook has no obligation to disclose breaches, not legally, anyway. Where did you get that information? And even if they somehow do have a special obligation, most companies do not, so it's not really relevant. The example is apocryphal.

And AV isn't who this is about, it's about the people who make a living off of having indicators you don't have. I shouldn't have to hire a company who's been hired by everyone else to get the collective knowledge of what hackers look like. They're criminals, and the government takes care of criminals.


> And Facebook has no obligation to disclose breaches, not legally, anyway. Where did you get that information?

Really?

http://en.wikipedia.org/wiki/Security_breach_notification_la...

For someone repeatedly making demonstrably false assertions, you are oddly sure of yourself. You're not even challenging a viewpoint here, you're just straight up talking out of your ass. You should stop doing that.


I didn't know California law applied to every company in the US. I said Facebook was just an example, and that it's not important if Facebook specifically does or does not have to disclose breaches, or can you not read?
