
CISPA allows only for the sharing of "cyber threat intelligence", which is defined as:

(i) A vulnerability

(ii) A threat to the integrity, confidentiality, or availability of a system or network or any info stored or transiting one

(iii) Efforts to deny access

(iv) Efforts to gain unauthorized access (with the exception that violations of consumer terms of service are not covered by CISPA)

Help me understand the scenario in which anyone would push health records in response to any of these 4 scenarios?



This is incorrect in two ways.

1. Cyber threat intelligence is defined as information pertaining to the things you listed. That is much more broad than your definition, for example sharing information pertaining to a vulnerability is much more broad than sharing the vulnerability itself since the latter only includes e.g. the code that results in the vulnerability whereas the former also includes any customer data directly related to it.

2. CISPA does not just grant immunity for the sharing of "cyber threat intelligence". It grants immunity for anything that is shared as such "in good faith". So in reality, it can include anything, as long as it was shared "in good faith". I quote: "EXEMPTION FROM LIABILITY.—No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith— ‘‘(A) for using cybersecurity systems or sharing information in accordance with this section; or ‘‘(B) for decisions made based on cyber threat information identified, obtained, or shared under this section."

As you can see, the set of things you get immunity for is extremely broad. Far broader than you describe.

Furthermore, this bill puts no oversight in place that even checks that things were shared according to these (extremely broad) rules. And people have no way of knowing what information about them has been shared. So warfangle's scenario is very conceivable. For example, if a company thinks you have in some way triggered a vulnerability (accidentally, or through a programming error on their side, or you didn't trigger anything at all but they just think that you have ("in good faith"), doesn't matter), some lazy chap can just dump the database with all data related to your user ID and send that over as long as it is his private opinion that it is information "pertaining to a vulnerability". Not only is that perfectly OK according to this bill, but you'll also have no way of knowing that that happened, and there is nobody evaluating whether sharing all that data was actually OK or not.


Apart from the "good faith" thing, which I've mentioned repeatedly on this thread and others, all you've done here is expanded the "vulnerability" clause.


Absolutely. The thing is that those two "buts" greatly expand the scenarios of information sharing relative to what you wrote. If you had written your comment like this:

""" CISPA allows for the sharing of information that the company doing the sharing can "in good faith" believe to be "cyber threat intelligence", which is defined as:

(i) Information pertaining to a vulnerability

(ii) Information pertaining to a threat to the integrity, confidentiality, or availability of a system or network or any info stored or transiting one

(iii) Information pertaining to efforts to deny access

(iv) Information pertaining to efforts to gain unauthorized access (with the exception that violations of consumer terms of service are not covered by CISPA)

So indeed your scenario of sharing health records may be a valid concern."""

Then I would have wholeheartedly agreed with it.


And what kind of judicial oversight?

Meant to say "accidentally" w.r.t. health records.


The whole point of the bill is to enable real-time operational network security information. You can get a court order to share data today.


So.... if some of said data was not actually necessary for network security, I'm SOL?

Yeah. I'm not down with that. 4th amendment and all that.


>Efforts to gain unauthorized access

So basically anything goes as per the CFAA definition of "unauthorized access"? weev got thrown into jail for it, and all he did was increment a number in a URL.


No. See 1104(4)(B).



