
>If there are better scope and privacy controls, then what is the issue?

The issue is that there aren't. You can't argue that we should pass this bill because you believe some different bill would be less problematic. Get the Senate to insert an amendment with whatever language you're talking about and show a page on eff.org explaining how the amendment addresses all of their concerns, then you can make that argument.



What are the scope restrictions and privacy controls you feel the bill is missing? (If you think I'm about to hit you over the head, know that I think the bill is also missing controls.)


To give a couple of examples: The exemption from liability should be default deny rather than default allow. Don't exempt everyone from everything, make a list of the things you feel are problematic, explicitly enumerate them in the bill and don't provide an exemption from anything else. At least that way we know what we're getting ourselves into -- I don't think the intention is to allow corporations to be exempt from liability for dumping toxic waste in the rivers or releasing information previously required to be kept private to foreign governments that directly leads to the deaths of dissidents, but if they can justify a good faith cybersecurity purpose in doing so, that's what the existing language seems to allow.

The other issue is that the exemption encompasses not only information sharing, but any "good faith" action taken based on the information. I understand what they're going for there. If some law prohibits sharing information, it probably prohibits use too, which would get in the way of what they're trying to do. The problem is, again, that they're not talking about specific laws. So if they respond to the information by hiring Blackwater to raid what they believe to be the attacker's home, no liability? That's not OK.


This is an extremely smart and thoughtful comment. I can't find much in it to disagree with --- you could argue that the US Code shouldn't nail down specific kinds of network security attacks, because in 10 years there will be 10 new kinds we didn't think of, but there's nothing wrong with baby steps either.



