They're referring to Sec 4 (d) (4) (b).

Also 5 (d) (3) (a) and (b) which exempts "Cyber threat indicators and defensive measures provided to the Federal Government under this Act".



Right. Same deal, right? They're simply saying that raw indicators are exempt from FOIA, and, of course, they'd have to be.


So I guess the serious (and it is serious) question is this. If I can't FOIA for security indicators, or defensive measures, then how could I ever know that they included illegal or illegitimate information about me?


You can FOIA for records the government keeps in the management of indicators from different companies; the only thing excluded is the indicators themselves. Again: how could it be otherwise?


So, in reality, if I suspected that there was some privacy breach with regard to the transfer of information, I could not prove it. This means that I would have no standing in court (no proof of injury means no standing). This seems problematic, and worthy of examining the privacy implications (or at least discussing them).

how could it be otherwise?

Allow FOIA, and use the existing exemptions for classified material if the information is actually classified. This would mean that breaches of privacy could be found when non-classified information is present.

There seems to be a concentration on "indicators" being usernames/passwords, etc. However, Sec 2 (6) (G) is "any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law;". That's basically anything, since cybersecurity threat is defined as "means _an action_ ... on or through an information system that _may_ result in an unauthorized effort ...". That seems to be a rather large hole.


The problem is that none of this information is "classified". PII isn't classified. Zero-day vulnerabilities aren't classified. Classified information is stuff that goes through USG classification process.

So there'd need to be some other regime in place that ensures that no harm is done by publishing information that companies are voluntarily sharing with the USG.

What would that regime look like?

I'm also not really convinced that there's a problem with the catch-all at the end of Sec.2(6) --- that's enabling companies to share things they were already allowed to share, and just bringing it under the same set of controls as the new sensitive stuff they can share. How is that a loophole the USG can exploit? What does that loophole look like in practice, in actual use?


I think a U.S. citizen can file a request for records about themselves via the Privacy Act. As I understand it, FOIA allows anyone to ask for anything; the Privacy Act allows one person to ask for information about themselves.

I don't know if CISA also prevents Privacy Act requests, or if it only applies to FOIA.

Theoretically, companies using CISA would anonymize personally identifiable information before sharing to the government. An IP address, for example, is probably not PII (as millions of people have pointed out in the context of digital piracy lawsuits). I doubt one could file a Privacy Act request just based on an IP address.


It specifically mentions "552(b)(3)(B) of title 5" which is the FOIA statute. No mention of the privacy act.