
What version of this bill are you quoting from where that is the definition given of "cyber threat information"? URL? I'm looking at the current version on the House Subcommittee site, and that is not the definition, or even the language for that one clause of the definition.


Sorry, you're right, I clicked the older version, my bad. The current version is: [1]

‘‘(A) IN GENERAL.—The term ‘cyber threat information’ means information directly pertaining to— ‘‘(i) a vulnerability of a system or network of a government or private entity; ‘‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network; ‘‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or ‘‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.

So the actual meaning hasn't changed much. Because this only clarifies the threats/vulnerabilities/evil efforts and not the information about such threats/vulnerabilities/evil efforts that can be shared, my point applies equally well to this wording. This version of the bill also still has no mention of "operational" or "network information".

[1] http://intelligence.house.gov/sites/intelligence.house.gov/f...

Just to make sure, is that the version you're reading too, or do I still have the wrong one?


Yes, although you've left out the "Exclusion" for terms of use and license contracts.

I do not think your point stands with this definition. You're right that I used a shorthand rather than copying that exact language from the bill into yet another comment, as a cursory Google search will tell you that I've done repeatedly. There was no way the bill was going to use the term "operational network security data", because that term is even more vague than the bill's definition.

A more productive thing for you to debate, other than semantics, would be how this specific definition --- which is far more complete than anything else in the US Code, unless you'd like to correct me on that --- should be tightened.


For lawyers probably "operational network data" is vague, but for the technical readers on HN I think it is clear that this is much more restricted than what is actually allowed by the bill. For example, operational network data contains perhaps access logs & HTTP headers, but it does not include, say, your emails. For this bill, however, there are many conceivable situations under which it would grant immunity for the sharing of your emails. So for the HN audience "operational network data" does not adequately cover the bill, and furthermore the things that "operational network data" does not include are exactly the kind of private information that people are most worried about.

If it were up to me then I would certainly first change other aspects of the bill which are far worse than this definition, but as far as this particular definition goes, I would limit the information that can be shared to the information that can reasonably lead to the solution of the problem (fixing the vulnerability / removing the threat / stopping the evil efforts), not "information pertaining to the vulnerability / threat / efforts". It may well turn out in court that this is already how it will be interpreted, but the problem is that this wording does not make that clear at all. And in a legal case where it has to be decided whether a company gets immunity for a particular piece of information that was shared, "reasonably" should be determined by an external technical expert, and not according to the private opinions of the person who shared the information.
