[tptacek]

The problem is that none of this information is "classified". PII isn't classified. Zero-day vulnerabilities aren't classified. Classified information is stuff that goes through USG classification process.

So there'd need to be some other regime in place that ensures that no harm is done by publishing information that companies are voluntarily sharing with the USG.

What would that regime look like?

I'm also not really convinced that there's a problem with the catch-all at the end of Sec.2(6) --- that's enabling companies to share things they were already allowed to share, and just bringing it under the same set of controls as the new sensitive stuff they can share. How is that a loophole the USG can exploit? What does that loophole look like in practice, in actual use?