>I was thinking about getting in to the car market but all these pesky requirements that I sell a car with airbags and seatbelts and fuel efficiency compliance are just there to protect existing incumbents.
I think that going to cars to prove your point proves how ridiculous regulation for websites is. For some reason there exists a group of people that believe that websites like facebook need regulations that are as strict as those required for developing cars.
People die from cars that are badly designed. People don't die from facebook (yes I'm sure you can find some contrived example.)
Unrelated but something that further adds to the irony of using cars as an example is that companies such as VW haven't even been fined for cheating on their emissions test.
I doubt a country like Germany would ever consider allowing the EU to fine 4% of VW's global revenue even though they broke the law in a way that has resulted in people's deaths.
My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.
The fact you think GDPR only applies to websites rather than the huge clusterfuck of personal data loss means you haven't understood the reason behind GDPR.
Equifax lost millions and millions of records and have so far faced no meaningful punishment from the UK regulators: as far as I can tell, they've so far made one brief statement on their website, and one tweet.
Major ISPs like TalkTalk lost millions of records (and ignored security researchers telling them about gaping security holes) and were given a slap on the wrist - £400,000 by the UK ICO. Mere pennies per user in fines; a drop in the bucket compared to their annual revenue. There is no economic interest to change their behaviour.
The negligence of these companies has led to millions of people having their personal and financial data stolen, having to keep eagle-eyed over bank statements and credit cards, having to worry that their transactions (or their travel bookings) might get flagged up as suspicious, that their credit rating gets eaten, and much else besides.
If a company you've entrusted with your personal data—not just your tweets or whatever, but sensitive personal data including health data, data about your religious affiliation, sexual orientation, etc.—loses that data, as a UK citizen, you currently have no right to appeal the ICO failing to take action. GDPR/DPA2018 changes that balance.
Companies tell consumers "hey, trust us with your personal data". Consumers do in the false belief that there is some protection or basic responsibility taken. When they colossally fail to take the most basic steps to protect consumers from data loss, the status quo was this: nothing happens to them.
> My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.
You present a false dichotomy here. As much as the GP is wrong for boldly asserting the negative as fact, you are wrong for just as boldly asserting the opposite, without allowing for the panoply of options that inevitably arise from the point a regulation is conceived to the point that it is enacted. During the process of drafting the legislation, at least here in America, the existing players have a voice on the legislation's course, and the larger the existing player is, the louder their voice gets to be.
> During the process of drafting the legislation, at least here in America, the existing players have a voice on the legislation's course, and the larger the existing player is, the louder their voice gets to be.
Sounds like you need campaign finance and lobbying regulations. ;-)
In practice fining companies for getting hacked just boils down to a tax, as no company wants to be hacked, and the primary bottleneck to making software more secure is crap tools, crap platforms, poor training and inability to hire people who deeply understand security.
Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".
> In practice fining companies for getting hacked just boils down to a tax, as no company wants to be hacked
No, it boils down to an incentive. No company wants to get hacked, but a lot of those same companies aren't willing to invest in security measures and training that could mitigate the risk.
> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".
I don't think anyone's proposing a regulation like that. However, it's not fair to put the costs of a data theft squarely on the victims, when it was really the company that was responsible for securing the data.
But companies that do invest massively still get hacked. See: Google. Yahoo. Microsoft.
It's also not even always clear what hacking actually means. A common way users get hacked is by reusing the same password on every website. One of those small sites gets hacked, and the hackers try the user's password at bigger sites to see if it works. Big players like Google and Facebook have heuristic systems that try to detect and block that, but sometimes they don't work.
So who's at fault then? The user for losing control of their password? The small site, probably not EU based, doesn't give a shit? Or the big guys who tried to protect the user but failed? Given the way the GDPR is being done my guess is the big guys will get taken to the cleaners even though they did nothing wrong.
Basically, you can't stop a big company from getting hacked no matter how much you spend on security.
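The "try the stolen password at bigger sites" pattern described above (credential stuffing) has a detectable shape from the defender's side: one source address touching many distinct accounts in a short window. The following is an added example, not code from anyone in this thread; the log line format, the window and the threshold are assumptions, and the log lines are constructed.

```python
"""Toy credential-stuffing detector over constructed login log lines.

Added example; the log format is an assumption:
    <iso-timestamp> ip=<addr> user=<name> result=<ok|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample: one address tries many different accounts (a few succeed);
# another address is a single user mistyping their own password.
SAMPLE_LOG = """\
2018-05-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2018-05-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2018-05-01T10:00:02 ip=203.0.113.7 user=carol result=ok
2018-05-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2018-05-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2018-05-01T10:00:05 ip=203.0.113.7 user=frank result=ok
2018-05-01T10:00:10 ip=198.51.100.9 user=grace result=fail
2018-05-01T10:00:20 ip=198.51.100.9 user=grace result=fail
2018-05-01T10:00:30 ip=198.51.100.9 user=grace result=ok
"""

def parse(log_text):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result

def suspicious_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted accounts that logged in successfully from it} for
    every source that tried >= min_users distinct accounts within `window`.
    Many distinct usernames from one address in a short time is the signature
    of credential stuffing; the successful ones are the accounts to reset."""
    attempts = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        attempts[ip].append((ts, user, result))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            if len({u for _, u, _ in in_window}) >= min_users:
                flagged[ip] = sorted({u for _, u, r in in_window if r == "ok"})
                break
    return flagged
```

The address with a single user retrying its own password is not flagged, which is the distinction the comment says the big players' heuristics try to draw.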
> Basically, you can't stop a big company from getting hacked no matter how much you spend on security.
I never said anything to the contrary, but the observation is irrelevant. You can't stop all pollution, but that doesn't mean you shouldn't pass regulations that either ban it or impose liability for it.
That's an invalid metaphor. The point behind regulating specific types of pollution and fining companies that emit it is in fact to completely eliminate it. When total elimination isn't possible, regulators have taken alternative approaches, like phase-outs and carbon trading schemes.
The GDPR authors appear to believe that not being hacked is merely a matter of choice, despite all evidence to the contrary. They are clearly dangerously delusional. If even Google, with its pick of the crop, unlimited budget and massive security team, cannot avoid being hacked, then nobody else has a chance.
What they care about is how much data you had (and did you need all of it), did you tell the users, have you put things right, had you done anything to protect the data?
If you have a lump of data that you don't need, that you store with no attempt at encryption, and it's held behind software that you haven't bothered to update even though security patches have been released then yes, you're going to be regulated.
> it was really the company that was responsible for securing the data
It was the financial industry and government that were responsible for implementing an identity scheme with a less insane architecture than handing the same secret material to every relying party. I disagree that we can or should force everyone to tie themselves in knots supporting it.
You say that, but what are the attack vectors in these high-profile breaches?
- Unpatched, publicly documented vulnerabilities.
- Unauthenticated S3 buckets.
- Unencrypted laptops.
- Default passwords.
This isn't subtle crypto weaknesses or attack vectors missed in the security assessment of protocol designs. It's carelessness. It's stuff that any high school kid who's good with computers will tell you about, let alone any IT professional or software engineer.
> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".
It doesn't say "don't get hacked", it says "if (when?) you get hacked, minimize the cost to people who trusted you with their data". And the easy way to conform is: 1. do not collect more than you need to provide the service, and 2. do not keep the data you don't need any more just in case. Which should be the default, but in the world of cheap storage and data mining seems to be forgotten, or an afterthought. E.g. when a user unsubscribes we tend to set the flag "subscribed" to false next to the rest of their data, instead of removing the e-mail address we don't need.
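The unsubscribe case in the comment above, worked through as an added example (not code from anyone in this thread): the flag-flip pattern beside a minimizing version that removes the address and keeps only a keyed hash so a later re-signup still honours the opt-out. The in-memory store, the record layout and the suppression key are assumptions for illustration.

```python
"""Two unsubscribe implementations for a toy mailing-list store (added example)."""
import hashlib
import hmac

# Assumption: a per-deployment secret; a constructed demo value here.
SUPPRESSION_KEY = b"constructed-demo-key"

def new_store():
    return {"subscribers": {}, "suppressed": set()}

def subscriber_token(email):
    """Keyed hash for the suppression list: recognises an address that opted
    out without storing the address itself (normalised so case/space don't matter)."""
    norm = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, norm, hashlib.sha256).hexdigest()

def subscribe(store, email, name):
    if subscriber_token(email) in store["suppressed"]:
        return False  # previously opted out; do not silently re-add
    store["subscribers"][email] = {"name": name, "subscribed": True}
    return True

def unsubscribe_flag(store, email):
    """The pattern the comment criticises: the address and everything stored
    next to it stay in the table; only a flag flips. A breach still leaks it."""
    rec = store["subscribers"].get(email)
    if rec:
        rec["subscribed"] = False
    return rec

def unsubscribe_minimized(store, email):
    """Drop the record entirely; keep only the keyed hash for suppression."""
    removed = store["subscribers"].pop(email, None)
    store["suppressed"].add(subscriber_token(email))
    return removed is not None

def personal_data_held(store):
    """What a breach of this store would expose: e-mail addresses still present."""
    return sorted(store["subscribers"])
```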
So now we get a new status quo: "These measures are onerous and bake in internationally-controversial concepts like 'right to be forgotten,' so now companies may actually decide to punt on doing business with 500 million customers because the risk outweighs the rewards."
>My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.
We'll see. I have a feeling that European consumers and web companies are in for a world of hurt.
>The fact you think GDPR only applies to websites rather than the huge clusterfuck of personal data loss means you haven't understood the reason behind GDPR.
I know that GDPR applies to everyone, I think it's pretty obvious it will be selectively enforced since the regulation is too burdensome. Do you think your local mom and pop hair salon that is not in compliance will ever be fined?
By the US and 2.8B is a fraction of what they deserved to be fined. All VW execs should be in prison for the rest of their lives for what they have done.
I guess it isn't. There are laws which the US considers to be broken by external entities, yet the US introduces a completely inhumane programme worthy of the DPRK. Where's the logic?
The original poster believes software should be regulated like cars. I pointed out that the fines for violating GDPR are larger than any fine VW will ever receive from the EU for literally killing people.
>You must point to the laws violated. E.g. Schmidt made a false statement to the California Air Resources Board under the Clean Air Act.
>Trial in the court of opinion and mob lynching is not compatible with the Western tenets of law.
Stop trying to shift goalposts, my point is that if any company deserved to be fined 4% of global turnover it's VW and they have currently received a total of $0 in fines even though they have probably increased the likelihood of you getting cancer.
I thought we established they received a non-zero dollar fine.
Their annual profit is about $13BN, they were fined $2.8BN which is about 22%. I think that along with imprisoning an exec that was complicit in the lie is a significant and reasonable deterrent/punishment.
As for VW significantly increasing the likelihood of any given arbitrary citizen getting cancer, I'd love to see the numbers on that. Sounds like hyperbole to me [0].
> People die from cars that are badly designed. People don't die from facebook (yes I'm sure you can find some contrived example.)
I think the public, and much of HN, disagrees and is beginning to believe that the lack of privacy is undermining democracy, liberty, and human rights.
There are actually some historic examples. A university once performed scientific research on a minority group. Then the Nazis acquired the list and murdered the participants.
Obviously that's at risk of happening again, but machine learning and AI are also at risk of learning to be discriminatory by training on data sets resulting from historic and modern discrimination.
When applying for jobs, it may be possible to enter somebody's info into a next generation background check software to get a % probability of the candidate voting for a specific political party, and declining to call/interview based on that alone.
Even when it's not intentionally discriminatory, this is leading to a future where the teller says "sorry, you were declined. I don't really know why, the computer just made the decision". Where's the accountability?
In credit reports, I can at least request my credit report and understand how to improve my score or dispute line items.