1) This bill still says what it says, even if it is redundant.
2) Why is Facebook supporting this bill if it does nothing? They like risking social capital for a no-op?
It's sort of like lowering Facebook's "threat surface" with respect to privacy laws. And, IMHO, that's really a Bad Thing. I'll give tptacek some credit: existing privacy laws really are inadequate. But I'll still argue against removing what little protection we have, just because we're going in the wrong direction.
That said, I'd like to see more arguments against the actual provisions of CISPA. I didn't see domain seizure anywhere in the law, for example, so I would greatly prefer it if my fellow CISPA opponents were more careful to advance the best arguments we have against it, not just the most popular.
Why do I care whether Facebook supports the bill?
Whether it carves any exception into the ECPA privacy protections for wholesale disclosure to 3rd parties as tptacek claims looks debatable. What's not debatable is that that exception does not grant immunity from any other laws if you disclose information to a 3rd party.
If tptacek had cited something supporting his position then there could be a real discussion. As it is, all I can do is say his argument looks wrong, Facebook and EFF also apparently think his argument is wrong, but since I'm not a legal expert on ECPA and related laws, I can't say for sure that there isn't some more obscure provision of ECPA that does say what he's saying.
In other words: in the world we're in now, pre-CISPA, what's the specific legal risk you think is preventing Facebook from sharing data?
It's certainly not the ECPA! The ECPA, like I've pointed out repeatedly, specifically carves out an exception for service providers sharing information, and makes no mention of anonymizing that data (ironically, it's CISPA that brings anonymization into the picture).
You yourself make a not-invalid point, that ECPA doesn't prohibit sharing but also doesn't shield providers from claims under other laws. I agree that if CISPA is worth keeping, the language around immunity should be tightened --- oh wait, it just was in the latest draft! --- but again:
For CISPA's sharing immunity to be a meaningful threat, you'd have to cite some statute that could reasonably threaten (again, say) Facebook for sharing information during an investigation.
Finally, I know it's annoying that I keep saying this, but: providers already share information about attacks, and it's not all anonymized or particularly carefully targeted. I have firsthand knowledge of what they used to do a few years ago, and understand that sharing has only increased since then.