Comment by zeroonetwothree
Comment by zeroonetwothree 8 hours ago
If you aren’t directly harmed yet what liability would they have? I imagine if your identity is stolen and it can be tied to a breach then they would already be liable.
Comment by zeroonetwothree 8 hours ago
If you aren’t directly harmed yet what liability would they have? I imagine if your identity is stolen and it can be tied to a breach then they would already be liable.
I don't think thats a proper parallel.
I think a better example would be You (AirBnB Host) rent a house to Person and Person loses the house key. Later on (perhaps many years later), You are robbed. Does Person have liability for the robbery?
Of course it also gets really muddy because you'll have renting the house out for those years and during that time many people will have lost keys. So does liability get divided? Is it the most recent lost key?
Personally, I think it should just be some statutory damages of probably a very small amount per piece of data.
The particular problem comes in because the amount of data lost tends to be massive when these breaches occur.
It's kind of like the idea of robbing a minute from someone's life. It's not every much to an individual, but across large populations it's a massive theft.
Sure and if you pay a statutory fine times 10 million then it becomes a big deal and therefore companies would be incentivized to protect it better the larger they get.
Right now they probably get some near free rate to offer you credit monitoring and dgaf.
This version loses multiple parts of things that are important
1. I have no control over what was stored 2. I have no control over where the storage is
The liability in this case is the homeowner/host, as you should have and had full ability to change out the locks.
To make it more similar, I think you'd need one of the guests to have taken some amount of art off the wall, and brought it to a storage unit, and then the art later was stolen from the storage unit, and you don't have access to the storage unit.
It's not as good as the naked pictures example because what's been taken is copies of something sensitive, not the whole thing
> I think a better example would be You (AirBnB Host) rent a house to Person and Person loses the house key.
This is not a direct analogue, a closer analogy would be when the guest creates a copy of the key (why?) without my direct consent (signing a 2138 page "user agreement" doesn't count) and at some later point when I am no longer renting to them, loses the key.
> before anyone asks, "personalized advertisements" is not a good reason
The good reason is growth. Our AI sector is based on, in large part, the fruits of these data. Maybe it's all baloney, I don't know. But those are jobs, investment and taxes that e.g. Europe has skipped out on that America and China are capitalising on.
My point, by the way, isn't pro surveillance. I enjoy my privacy. But blanket labelling personal data as radioactive doesn't seem to have any benefit to it outside emotional comfort. Instead, we need to do a better job of specifying which data are harmful to accumulate and why. SSNs are obviously not an issue. Data that can be used to target e.g. election misinformation are.
> it's all vastly valuable and that's why it is right that it is taken without consent or compensation?
No, I'm saying it's a common with a benefit to utilisation. A lot of discussions around data involve zealouts on both sides. (One claiming it's the god-given right to harvest everyone's personal information. The other acting like it's the crime of the century for their email address to be leaked.)
I mean it's pretty clear that you are directly harmed if someone takes naked photos of you without your knowledge or consent and then keeps them. It's not a good analogy so if we want to convince people like the GP of the points you're making, you need to make a good case because that is not how the law is currently structured. "I don't like ads" is not a good reason, and comments like this that are seething with rage and hyperbole don't convince anyone of anything.
These are exactly my questions. If I never, ever know about those pictures and never, ever have my life affected by those pictures, what is the actual harm to me?
If the answer to them ends up being "Well, it's illegal to take non-consensual nudie pictures.", then my follow-up question is "So, why isn't the failure to protect my personal information also illegal?".
To be perfectly clear, I do believe that the scenario kibwen describes SHOULD be illegal. But I ALSO believe that it should be SUPER illegal for a company to fail to secure data that it has on me. Regardless of whether they are retaining that information because there is literally no way they could provide me with the service I'm paying them for without it, or if they're only retaining that information in the hopes of making a few pennies off of it by selling it to data brokers or whoever, they should have a VERY SERIOUS legal obligation to keep that information safe and secure.
> it's pretty clear that you are directly harmed if someone takes naked photos of you without your knowledge or consent and then keeps them
Sure. In those cases, there are damages and that creates liability. I'm not sure what damages I've ever faced from any leak of e.g. my SSN.
I mean most people won't until that day they find out theirs a house in Idaho under their name (and yes I've seen just this happen).
The problem here is because of all these little data leaks you as an individual now bear a cost ensuring that others out there are not using your identity and if it happens you have to clean up the mess by pleading it wasn't you in the first place.
>I neither consented to allowing these companies to have my data, nor benefit from them having my data.
I think both of those are debatable.
This is the traditional way of thinking, and a good question, but it is not the only way.
An able bodied person can fully make complaints against any business that fails their Americans with Disabilities Act obligation. In fact these complaints by able bodied well-doers is the de facto enforcement mechanism even though these people can never suffer damage from that failure.
The answer is simply to legislate the liability into existence.
That's the whole problem with "liability", isn't it? If the harms you do are diffuse enough then nobody can sue you!
The same way you can get ticketed for speeding in your car despite not actually hitting anyone or anything.
This is exactly why thinking of it in terms of individual cases of actual harm, as Americans have been conditioned to do by default, is precisely the wrong way to think about it. We're all familiar with the phrase "an ounce of prevention is worth a pound of cure", right?
It's better to to think of it in terms of prevention. This fits into a category of things where we know they create a disproportionate risk of harm, and we therefore decide that the behavior just shouldn't be allowed in the first place. This is why there are building codes that don't allow certain ways of doing the plumbing that tend to lead to increased risk of raw sewage flowing into living spaces. The point isn't to punish people for getting poop water all over someone's nice clean carpet; the point is to keep the poop water from soaking the carpet in the first place.
Safety rules are written in blood. After a disaster there’s a push to regulate. After enough years we only see the costs of the rules and not the prevented injuries and damage. The safety regulations are then considered annoying and burdensome to businesses. Rules are repealed or left unenforced. There is another disaster…
Tangentially, there was an internet kerfuffle about someone getting in trouble for having flower planters hanging out the window of their Manhattan high rise apartment a while back, and people's responses really struck me.
People from less dense areas generally saw this as draconian nanny state absurdity. People who had spent time living in dense urban areas with high rise residential buildings, on the other hand, were more likely to think, "Yeah, duh, this rule makes perfect sense."
Similarly, I've noticed that my fellow data scientists are MUCH less likely to have social media accounts. I'd like to think it's because we are more likely to understand the kinds of harm that are possible with this kind of data collection, and just how irreparable that harm can be.
Perhaps Americans are less likely to support Europe-style privacy rules than Europeans are because Americans are less likely than Europeans to know people who saw first-hand some of what was happening in Europe in the 20th century.
The fact that my data can be stolen in the first place is already outrageous, because I neither consented to allowing these companies to have my data, nor benefit from them having my data.
It's like if you go to an AirBNB and the owner sneaks in at night and takes photos of you sleeping naked and keeps those photos in a folder on his bookshelf. Would you be okay with that? If you're not directly harmed, what liability would they have?
Personal data should be radioactive. Any company retaining it better have a damn good reason, and if not then their company should be burned to the ground and the owners clapped in irons. And before anyone asks, "personalized advertisements" is not a good reason.