You wrote a lengthier comment that enumerated the failed CISPA amendments that I need to take some time to respond to, but in the meantime:
Regarding PII in threat data, we're talking about orthogonal concerns. The amendment you're talking about would require all threat data to use (presumably commercially reasonable) methods to scrub PII. The concern there is accidental inclusion of PII; it's that disclosure of, say, IP addresses in NetFlow information might uniquely identify customers. But providers today aren't required to fully anonymize NetFlow when they cooperate with investigations. The amendment was a sensible measure and I wish it had passed, but its failure does not break new ground for privacy nor does it change the original scope of the bill. When we last discussed CISPA on HN, that amendment didn't exist, and I still didn't think the bill was scary.
The PII concerns I'm referring to involve the idea that CISPA could be used to frame individual citizens as cyber threat protected entities so that raw information about them could be shared by AT&T incident to some supposed attack. That is an interpretation of CISPA that was explicitly rejected by the bill's sponsors; they cite specific language they added to the bill to counter that interpretation.
(I didn't downvote you and don't understand why anyone would downvote you, but I could get downvoted here for saying "water is wet", so oh well.)