This is a public service announcement: by saying "IT is crap because users still buy it" you are effectively blaming the victim.

There is a huge information and resources asymmetry between large companies creating software and hardware, and a regular person who just wants their Internet-connected device to, you know, not do harm. Companies effectively made a business model out of that asymmetry.

We need education and regulation to make IT not crap.

@rysiek I don't really understand why there's next to no liability for this sort of thing. Intuitively it seems like that should be the default, no regulation required. If you collect my data and leak it, you need to pay me for that. Even if you just counted the hours of people's time needed to put freezes on their credit, that's a HUGE amount of money. The fact that we're not seeing that seems to be a fundamental failing of the government to provide table stakes protections.

@freakazoid @rysiek While I agree with you in principle, I have to tell you, the amount of money involved that you might get won't even cover your lawyers' bills. Determining damages isn't easy or simple. On top of that, "leaking" is a word for an act. Getting hacked because security is crap... that's not deliberate.

@gedvondur @rysiek Yeah, the American Rule sucks. But that's what class actions are for, at least in the US. And yeah, the reason that getting hacked because you did a shitty job with security isn't considered an action (i.e. negligence) is because we have no standards around what constitutes sufficient security. Which I guess does mean regulation.

@freakazoid @rysiek I would say that it's a non-starter to say that getting hacked = negligence because that operates on the theory that there is such a thing as perfect security. We need a standard that shows "best practices" and "reasonable measures" and suddenly we are in a quagmire. I'm pretty sure this problem can't be regulated out of existence. We need regulations on what they collect and if they can sell it without express consent first.

@gedvondur @rysiek I'm not saying getting hacked should be automatically considered negligence. But much of the time there is little to no hacking involved, because people leave your data in open S3 buckets. If we can't agree that's negligence, we're all fucked.

@freakazoid @rysiek I think getting masses of people to agree to anything is an issue. For instance, what do you mean by "open" S3 bucket? Bad password security, no password security, no encryption, how do you define it? My point is that people are dickbags and can litigate to death. The best way to stop the practices is to make them untenable or unprofitable and that starts with iron-clad data permissions that CANNOT be click-wrapped.

@gedvondur @rysiek It does seem like it's going to be up to the government to force the industry to agree on what these standards are. In a better world, industry would be BEGGING government to regulate them after a few companies got ended by class actions.

@rysiek @gedvondur The analogy I think of is this: if I borrow your stereo and I leave it on my front lawn and it's stolen, I have to replace it. If it's in my house with the door locked and someone steals it, I don't. There's no specific law that says that, as far as I know. And whether or not I had your permission to have the stereo is irrelevant to whether I have to replace it in the lawn case. If I didn't have your permission, I'd have criminal liability on top of it.

R E T R O  S O C I A L

A social network for the 19A0s.