
Proposed Jail Time for Tech Companies Who Steal Data - badrabbit
https://trofire.com/2019/02/08/democrat-proposes-jail-time-for-tech-companies-who-steal-your-data/
======
tarr11
Is personal information really a kind of property, that can be stolen? If it
is, aren’t we doing this all the time, any time we perceive anything about
anyone?

How is this different than taking a picture of someone? The image is owned by
the photographer, not the subject(s) according to current laws.

if I meet someone on the street, and record their name, the conversation we
had, and the location where I met them, and their phone number, have I “taken
their data”?

Do they have the right to demand that I not record that information?

Does my perspective or interpretation of that information give me some
ownership to that data?

What if I use that information for commercial gain? Is that what makes this
illegal?

Or is it only if I do this at a scale beyond which humans are not capable, and
store it digitally, is that what makes this illegal?

~~~
coldtea
> _Is personal information really a kind of property, that can be stolen? If
> it is, aren’t we doing this all the time, any time we perceive anything
> about anyone?_

We are flexible and smarter than Vulcans. Something doesn't have to be
necessarily expressible into a single, unambiguous universal formula to be
made illegal.

We can e.g. allow people to perceive things about other people in their brains
(or even notebooks) as we've done for millennia, but not allow them to compile
them into large aggregated digital databases of thousands or millions of
people without their consent, or give them to advertisers.

> _How is this different than taking a picture of someone? The image is owned
> by the photographer, not the subject(s) according to current laws._

Depending on the jurisdiction, taking an image of someone can be illegal.
Sometimes, even if it's a public space. And using an image of someone to
advertise stuff without their consent is illegal, including in public space.

~~~
wbl
Rule of law demands it be clear what is and is not illegal. Make it illegal to
film people in public and the guy who made the Rodney King tape is going to
jail.

~~~
beobab
You can’t retroactively apply laws, thankfully.

~~~
coldtea
Depends on the jurisdiction.

[https://en.wikipedia.org/wiki/Ex_post_facto_law](https://en.wikipedia.org/wiki/Ex_post_facto_law)

~~~
beobab
I am astonished. I had no idea.

------
srkmno
Pitchfork mobs dictating policy, that is why you don't elect an ex state
attorney general to the legislative branch: prosecution and grandstanding is
all they know.

Also the principle concept of "stealing your data" is more ludicrous than
"stealing" in the copyright sense; that data is meta data and it's not yours,
it was generated by machines you don't own and have no claim over.

~~~
fzeroracer
Let's say someone really hates Facebook. What exactly is their recourse for
them to say 'I don't want you to keep a shadow profile and I don't want you to
sell or use that in any way shape for form'.

In that case, they're directly monetizing data about me as a person.

~~~
throw23421
That person can simply choose not to use Facebook.

~~~
betterunix2
"Shadow Profile"

[https://www.theverge.com/2018/4/11/17225482/facebook-
shadow-...](https://www.theverge.com/2018/4/11/17225482/facebook-shadow-
profiles-zuckerberg-congress-data-privacy)

------
plainOldText

      > ...including jail time, if their companies steal and sell user data, 
      > or allow a massive data breach to occur at their company.
    

What if the government loses our data? Then what? Will they go to jail too?

Software is a moving target. It has become such a complex endeavor, always
changing, always evolving. It's difficult to determine who's responsible for
which part of the system; and by this I'm not suggesting we abolish
responsibility. Good outcomes will be the result of multiple forces, balanced
in the right mix:

A. Users should ask more of their favorite companies (and mean it, e.g.
boycott your favorite tech company when they behave unethically)

B. Legislators should be more mindful of the legislation they propose (for one
separate data (re)selling from data breaches, and what exactly is my data vs
data generated by machines, etc)

C. Reckless tech leaders should have their reputation affected by lose
security, privacy & business practices

D. And engineers should be more aware their craft affects the lives of
millions and maintain a high standard of quality across their work

In the grand scheme of things, we've just barely gotten off the ground with
this thing called software. And software changed everything, but so did
agriculture, which is 10,000 years old.

If we develop careless regulation and start throwing people in jail for
software faults, we're hardly encouraging innovation.

~~~
908087
How many more decades does the "tech" industry get to continue using the "you
can't regulate us because we're new and stuff, also innovation or something"
line for?

I've been working in this industry for nearly 30 years, and it wasn't even
"new" when I got my start. I can't help but laugh at people who act as though
it just popped up last year. Is this just a result of young kids trying to
convince themselves and others that they got in on the ground floor of
something that existed well before they were born?

~~~
plainOldText
Software is unlike any industry we've had before. Software is now the craft of
developing extensions of our minds, and it is evolving rapidly.

It's easier to delegate responsibility and enforcement rights to some higher
authority, but since software is so complex, a much more powerful and robust
solution in the long run is to embrace personal responsibility and agency.
Complex systems evolve faster without or limited centralized control.

For example, the cryptocurrency space is already providing us with a
playground where we can experiment with the next generation social systems.
But like I've mentioned earlier, we're just beginning to scratch the surface
and no one truly knows what will come next. But the beauty of it, is that we
have the freedom to thinker, and figure out what works best.

~~~
Apocryphon
Sounds like an excuse to behave without accountability or responsibility.

------
vjeux
“Oops, we didn’t notice, but it’s another to be a company like Facebook that
takes your private messages and sells that data. It takes your address, it
takes your interest, it takes your browsing history and sells that to people
without your permission Wydens.”

Does anyone know what context he refers to? I wasn’t aware that Facebook ever
directly sold private messages. Same for address, interest...

~~~
crooked-v
They don't sell your private messages. What they actually do is just give them
away to business partners.

[https://www.nytimes.com/2018/12/18/technology/facebook-
priva...](https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html)

> Facebook allowed Microsoft’s Bing search engine to see the names of
> virtually all Facebook users’ friends without consent, the records show, and
> gave Netflix and Spotify the ability to read Facebook users’ private
> messages.

~~~
simplecomplex
No, they didn’t “give it away”. Please let’s stick to facts. The news is being
extremely dishonest. Apps that you could send FB messages through could see
the message (how else would it work?) And it was explicitly opt-in, users had
to authorize it.

“Take Spotify for example. After signing in to your Facebook account in
Spotify’s desktop app, you could then send and receive messages without ever
leaving the app. Our API provided partners with access to the person’s
messages in order to power this type of feature.”

[https://www.thewrap.com/members/2018/12/19/facebook-
admits-n...](https://www.thewrap.com/members/2018/12/19/facebook-admits-
netflix-spotify-access-user-messages/)

~~~
shaki-dora
Read that quote again. It only says opt-in was needed to use this „feature“,
not for data access. And that does not even include the other parties in those
messages.

~~~
simplecomplex
“Did partners get access to messages? Yes. But people had to explicitly sign
in to Facebook first to use a partner’s messaging feature,” Konstantinos
Papamiltiadis, director of developer platforms and programs at Facebook, wrote
in the blog post.

“Take Spotify for example. After signing in to your Facebook account in
Spotify’s desktop app, you could then send and receive messages without ever
leaving the app. Our API provided partners with access to the person’s
messages in order to power this type of feature.”

Facebook did not play fast and loose with peoples data or abuse their privacy.
They don’t sell or give away user data.

~~~
Dylan16807
So all they had to do was sign in, and those programs got access to private
messages.

What are you trying to refute, exactly?

~~~
simplecomplex
I'm refuting that they gave away user data, which is factually false. Here's
Facebook's explanation: [https://newsroom.fb.com/news/2018/12/facebooks-
messaging-par...](https://newsroom.fb.com/news/2018/12/facebooks-messaging-
partnerships/)

"In order for you to write a message to a Facebook friend from within Spotify,
for instance, we needed to give Spotify “write access.” For you to be able to
read messages back, we needed Spotify to have “read access.” “Delete access”
meant that if you deleted a message from within Spotify, it would also delete
from Facebook. No third party was reading your private messages, or writing
messages to your friends without your permission. Many news stories imply we
were shipping over private messages to partners, which is not correct."

It's become clear from engaging in this discussion that people aren't
interested in facts or context, but have a chip on their shoulder about
Facebook. Others have also been misinformed by inaccurate news stories.

I don't even use Facebook, yet it's pretty easy to understand the facts if
you're actually interested in them.

~~~
Dylan16807
The claim wasn't that they opened a TCP connection to the partners and forced
private data over the line. The claim was that they gave away _access_ to
partners that didn't need it, or even know about it.

"These partnerships were agreed via extensive negotiations and documentation,
detailing how the third party would use the API, and what data they could and
couldn’t access."

That's not how you treat people's private data. Allow the app to send
messages, maybe allow the app to read replies to what it sent (did Netflix
even need this at all?), don't give it full read access that relies on a pinky
swear to keep data safe.

And at your earlier comment, sending a message does _not_ inherently require
that the sender be able to read anything.

~~~
simplecomplex
The linked Facebook article includes a screenshot of the feature in Spotify
allowing people to send and _receive_ Facebook messages.

"In order for you to write a message to a Facebook friend from within Spotify,
for instance, we needed to give Spotify “write access.” For you to be able to
read messages back, we needed Spotify to have “read access.” “Delete access”
meant that if you deleted a message from within Spotify, it would also delete
from Facebook."

You've got an axe to grind and its tiring me out. Whatever.

~~~
Dylan16807
Spotify still has a feature to share music through facebook, and that current
feature doesn't require the ability to read messages. So that screenshot that
only shows a "send recommendation" feature doesn't prove anything at all. No
non-recommendation text is displayed on that screenshot.

Both Spotify and Netflix claim they only used access to send messages, and
were _unaware_ of broader powers. Netflix: “At no time did we access people’s
private messages on Facebook, or ask for the ability to do so” Spotify:
“Spotify’s integration with Facebook has always been about sharing and
discovering music and podcasts. Spotify cannot read users’ private Facebook
inbox messages across any of our current integrations. Previously, when users
shared music from Spotify, they could add on text that was visible to Spotify.
This has since been discontinued. We have no evidence that Spotify ever
accessed users’ private Facebook messages.”

Note that even in the facebook statement, they don't say that the companies
_couldn 't_ have accessed unrelated data. They claim that the permissions were
appropriate (which they did not justify) and that none of the companies _did_
access unrelated data.

I don't have an axe to grind, I'm pointing out that the spotify and netflix
statements are pretty condemning and in a contradiction between them and
facebook I trust the company saying "we did nothing wrong" less.

And nobody's voting on these posts...

------
edoo
If a human would have gone to jail for the crime the company should have its
charter revoked for at least an equal amount of time. Even the giants.

Usually at best a corporation gets a fine and it just becomes a cost of doing
business. Everyone involved including the government profits from the crime.

------
smsm42
Looking at actual bill, it proposes:

\- Creating a paid "no tracking" option. Obvious failure mode: the option
price is $100M, and anybody who uses it is unable to use 99% of the
functionality, since it requires some form of tracking. Obvious next step -
the law requiring this option to be no more than 10% more expensive than
regular membership. Obvious next failure mode: inapplicable to sites that do
not charge for membership. Obvious next step - creating a government
commission empowered to decide what sites are supposed to charge for "no
tracking" membership and which services it is supposed to cover. If you like
your site subscription - you can keep your site subscription.

\- Penalize large companies that submit false information in their annual
privacy report - thought submitting false information to any government agency
is a crime anyway? And for a public company, I assume publishing almost any
false report would immediately put them under the shadow of fraud charges from
SEC. So declaring something that is already a crime a crime again is supposed
to... what?

\- Require companies to assess their algorithms for accuracy, fairness, bias
and discrimination. Obvious failure mode: who does the assessment? Obvious
next step: creating a government commission empowered to approve algorithm
fairness assessment standards. Obvious failure mode: since nobody knows what
"fairness" it, it turns into another partisan tug of war, to be used as a club
against companies affiliated with opposite tribe or just representing a good
jumpstart to the next political campaign. Reasonable academic discussion of
algorithmic bias becomes impossible, buried under layers of partisan tribal
rhetoric and professional offense miners. Billions are spent annually on "bias
prevention", without any shade of solution on the horizon, on the contrary,
the problem becomes worse every day - at least if you're listen to bias
prevention industry, but they're the only ones who are allowed to speak on the
topic.

~~~
bsder
It's easy to complain, but the problem is that status quo _ISN 'T WORKING_.
That's no longer on the table.

So, you either have to come up with something constructive, or someone else
will.

~~~
smsm42
That's called "politician's fallacy" \- "something needs to be done! This is
something, therefore this needs to be done!".

Obvious comment on it is that "something" must improve the situation after
being done, merely doing something that doesn't work because current situation
doesn't work is not likely to make it work.

And if you're implying I have to right to criticize stupid proposals from
politicians before I myself am elected into political office and make a full-
formed policy proposal that solves all the problems - sorry, it's not how this
thing works.

~~~
bsder
> That's called "politician's fallacy" \- "something needs to be done! This is
> something, therefore this needs to be done!".

You are arguing that doing nothing is superior to this proposal. While you may
be correct, that train has left the station and is no longer on the table.
Both the public and the politicians are in agreement on this, so, good luck
changing that narrative.

> And if you're implying I have to right to criticize stupid proposals from
> politicians before I myself am elected into political office and make a
> full-formed policy proposal that solves all the problems - sorry, it's not
> how this thing works.

Sorry, but, at this point, either you come up with an alternative, or a
proposed alternative is likely to get implemented. This _IS_ already moving,
so all you can do at this point is nudge the direction.

"The avalanche has already started, it is too late for the pebbles to vote."

~~~
bryan_w
Don't mistake motion for progress

------
desc
The problem, as always, is externalisation of costs.

If they don't pay for the consequences of the risks they take (such as
prioritising profits over security, etc) market forces demand that they take
those risks.

People talk about the market fixing things, but that only works if it's not
possible to externalise costs.

Unfortunately, the only practical way to enforce that is through government
regulation.

The government is also a system which seeks to externalise costs...

------
Cyclone_
What if a data breach happens due to an 0 day exploit with a 3rd party
library? Do people from the company where the data breach happened still go to
jail then?

~~~
currymj
as far as I can tell, this bill would only allow jail time if there was a
serious breach, at a large company, and higher-ups left it out of an official
report they would be required to make to the government.

in other words, all they have to do is fulfill their obligation disclose that
they were hit by this 0-day, in order to at least be protected from jail time.

~~~
pm90
Which seems like a reasonable policy IMO. Its encouraging companies to be
forthcoming with their data breaches .... or else.

------
xorgar831
> it’s one thing to just be bad at your job and you leak a bunch of data and
> oops, you didn’t notice that a hacker was in your system like a Kofax for
> months.

Na, I'm tired of these excuses too. Maybe jail is too extreme in this case,
but being sloppy isn't ok. Or not supporting MFA when you're dealing with
financial data.

------
inamberclad
Wyden seems like he's been on top of the ball recently.

~~~
maxxxxx
Wyden is one of the few people in Congress who seems to make a real effort to
address difficult issues in balanced and reasonable way.

------
E_Quivocation
I was going to laugh at how stupid this sounds, but, then again, It would be
cool to see corporate overlords suffering a comparable level of punishment for
the equivalent of peer-to-peer MP3 file sharing.

Bonus points if we can write a law for something like genetic profiling, or
abuse of facial recognition, or microphone eavesdropping that becomes the
corporate equivalent of internet child pornography, and carries the death
penalty for C level officers.

Perhaps by way of equivocating that voice, face and gene surveillance
endangers the privacy of children because it is indiscriminate like chemical
or biological weapons, so life in prison and capital punishment for upper
echelon high command at the Nuremburg trials.

------
leroy_masochist
> There is no reason why any person on Capitol Hill should vote against this.

If I were an elected official, one reason why I would be very cautious about
voting for this is that, if we make allowing a data breach a felony punishable
by imprisonment, it is likely to have a somewhat chilling effect on the
likelihood of engineers to start new companies where they as founders would be
potentially prosecutable for such failures.

I share the author's stated frustrations, and agree that jail time for gross
data-related negligence would be right at least in some cases, but it's not
the simple problem-simple solution issue he's making it out to be.

~~~
crooked-v
> it is likely to have a somewhat chilling effect on the likelihood of
> engineers to start new companies where they as founders would be potentially
> prosecutable for such failures

You seem to think that's a bad thing, for some reason.

~~~
chillacy
Perhaps some of us browsing HN, a site by a venture capital firm in the bay
area, might want to consider the effects of legislation on tech startups.

~~~
scarejunba
Please. This forum has more people saying they just want a 9-5 job than actual
founders. It’s no surprise it’s anti-startup. It’s just
/r/programming+technology now.

------
ilovecaching
Putting people in jail is the wrong solution. You're going to put CEOs in jail
because some angry employee at the company decided to add some backdoors, or
someone in middle management made the wrong call. Either way, the CEO and high
level execs can't constantly monitor every part of a world scale business.
Anyone in technology also knows it's impossible to become invulnerable to
breaches.

The people in congress/senate have no idea how technology works, because the
younger generations are severely underrepresented, and so are technologists.

~~~
escape_goat
Most of the responses so far seem to concern themselves with law and policy
rather than technology. It might be a bit more on-point to complain that the
people in technology have no idea how laws or legislation works, perhaps
because the older generations are severely underrepresented, as are
lawyers/legislators.

------
JacobJans
The great irony here is that people have no issue stealing data -- copyright
theft is considered "normal" by many people.

However, if it's _your_ data, then maybe jail time should be on the table?

~~~
majewsky
Yes, because the potential damage is much more severe. If someone pirates a
movie, the damage is about the price of a movie ticket. If someone's private
data gets stolen, it can ruin their entire life.

------
mimixco
Quit expecting governments to save you. The easiest fix for this problem is to
_stop using_ these products! No matter how much bad news comes out about
Facebook, Apple, Google, and Amazon using your data in bad ways -- people
still keep using them. If enough people quit, this will stop or a competitor
will rise up who doesn't do this stuff.

~~~
mnm1
Nonsense.

Can you provide a way I can get Equifax and similar companies to stop stealing
and selling my data? I've been trying to do that for decades. No. Your
argument is bullshit. I didn't sign up for this shit and neither did anyone
else, yet we still got fucked. How do you propose we fix it now? The cellular
companies are still selling my data. Should I not own a cell phone because I
can't get a cell plan that won't steal and sell my data? The ISPs are selling
my data. Should I not have an Internet connection? Yes, I can get rid of
those, lose my job, be homeless and starve while I wait for the idiot masses
to do the same so maybe a competitor could rise up. That's your brilliant
solution. And it still doesn't deal with the fact that companies I didn't sign
up with are stealing and selling my data.

~~~
simplecomplex
Equifax is a credit reporting agency. So, for example, someone gets a loan
from a bank, then fails to pay it and the bank reports that to them. Other
lenders check with them before lending to people.

You’re being disingenuous by equating that with theft.

~~~
mnm1
Not patching servers for months and leaving them for attackers to exploit is
definitely stealing. It doesn't matter how they got the data, they let others
steal it and were therefore complicit in the theft itself due to negligence,
willful or not.

~~~
simplecomplex
Yeah, they didn’t steal your data. They were negligent with storing data on
you given to them by lenders, and if you can demonstrate you were actually
damaged by their negligence you can join the class action that’s happening.
You should have got an email about it. I know I did.

------
mnm1
About fucking time. Until legislation like this passes, nothing will change.
I'm glad at least one of our senators has the balls to actually hold CEOs and
companies accountable for their atrocious actions. This behavior should be
criminal and this should be just the start. It doesn't make sense to send
petty thieves to jail and hard labor, yet reward CEOs who cause millions or
billions of dollars of damage to our society with gigantic resignation
packages. These CEOs should languish in jail and find out for themselves what
it's like to work for pennies a day. I'd bet any amount of money that once
CEOs are actually held responsible for their reprehensible actions, things
will change in regards to security and other overlooked practices. Once a
company's profit and the CEO's resignation package can be clawed back with
fines, these CEOs will think twice. Perhaps as a society we may rethink the
idea of limited (in reality that just means nonexistent) liability
corporations where even the officers who have the power of life or death over
millions have no repercussions when they inevitably abuse and misuse that
power to hurt and even kill people. That will probably take a lot longer,
however. Until then, the best way to commit a crime and get away with it
(including murder, poisoning, and other atrocious crimes) is still being a
company executive.

------
donohoe
I love how we understand the value of intellectual property, but when we talk
about private personal information we are unable.

~~~
skybrian
It's strange how some people think that gossip and intellectual property are
somehow the same thing. You have no right to be paid when people talk about
you.

~~~
chillacy
But I think everyone understands that it's shitty to be on the receiving end
of gossip, especially if the rumors are untrue or can be used against you.

~~~
skybrian
Certainly! But when you abstract it away as "personal information" then you
also abstract away why sharing it is sometimes harmful.

------
solomatov
If you are interested in a text of the bill, one of its drafts is available
here:
[https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%2...](https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%20Bill%20Discussion%20Draft%20Nov%201.pdf)

------
Animats
A tough interpretation of the existing US Computer Fraud and Abuse Act, which
has criminal penalties, could do much of that right now. See the "exceeds
authorized access" provisions. Any slip-up in asking for permission could
place a company stealing your data in serious legal jeopardy.

~~~
solomatov
I am not a lawyer, but vague laws are unconstitutional, so, your
interpretation is highly unlikely to pass scrutiny.

------
scarejunba
It's not "stealing" because the data isn't being taken away. It's "copying".

