[tzs]

I don't see anything in (this version of, anyway) CISA that would let the government demand threat indicators. If the government wants to come demanding companies give them information, they have to turn to other laws for that.

On the Constitutional issue:

> It _is_ an end-run around the Constitution if the data a company provides belongs to an individual and is disclosed without a proper warrant, unless you agree with the statement that "people have no right to privacy in any data held by third party service providers."

People have multiple rights to privacy related to such data. Some come from state law. Some come from federal agencies. Some come from federal legislation. Some come from the Constitution.

The ones from the Constitution protect against government compelling release of the data. They don't protect against the providers deciding on their own to disclose the information to the government (or to the public, or to private parties). If, for instance, PG&E decided to publish a list of its customers along with contact information and energy use records, it would not be violating a Constitutional right to privacy. If the government demanded that PG&E make and turn over such a list, then we've got a Constitutional issue to talk about.

In that hypothetical, PG&E would be violating some of those other rights to privacy that come from state legislation, federal legislation, and agency rules, and would run into a ton of trouble.