Edit: I've seen a few people calling BS on this because of TechDirt. I found it from the EFF, who gave me this number to call. I feel strongly about surveillance legislation because I don't want myself or my friends to go to prison because [insert corp here] decided I did something illegal with their electronic content, and I don't want my geolocation, etc. perpetually in the hands of anyone with a security clearance.
The term cybersecurity threat does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement
So? Your criminal liability for incrementing the URL is totally situational. If you're reading a catalog and you tick the URL to see what the next product is, you aren't going to be liable. If you see a URL used for XHR in the frontend for your bank and you increment it to see other people's bank accounts, you will be.
We don't have a law against "hacking" in the US; we have a law against "unauthorized access", particularly when that access has consequences.
According to one recently tried case, by the way, and one where the sentence was ultimately vacated.
And finally: CISA has almost nothing to do with criminal law (it defines no new offenses does not change CFAA or its sentencing). If you want to have a discussion about how totally broken CFAA's sentencing is, I'm right there with you.
All I'm suggesting is that since CFAA has a history of been construed to be applicable in extremely broad-terms by prosecution and (although I have not done a close reading of the entire act it contains provisions such as the following in it's definition of CYBER THREAT INDICATOR):
> (D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
That OP's second concern:
> and I don't want my geolocation, etc. perpetually in the hands of anyone with a security clearance.
Regarding being under surveillance for what they may consider to be their normal or otherwise professional activities is quite valid.
Anything that ends up in the yearly budget bill has absolutely no hope of getting voted down. It's not even worth one's breath to call, not even the energy to pick up a cellphone or even to tweet. It's as good as passed.
If you live in the United States, this phone number connects you with your congresspeople and senators in order to make your voice heard.
Citizens stopped CISA before, we can do it again. Don't lie down.