
Doctors (as a profession) have a professional regulatory board and are educated on the ethical proceedings, but doctors (as individuals) can be just as corrupt as anyone else. The difference is accountability within the profession. If a doctor starts doling out tons of prescription opiates, an auditing system is in place (many levels in fact: either within the state, nationally via the DEA, by someone arrested who will rat the doctor out in exchange for lenient terms, or by a pharmacist who has seen one too many "Oxycodone 30 take as needed" pass through his shop).

Programmers (as individuals) can't be ethically audited, but what we can do is regulate the data which is allowed to be collected. You regulate it like any other industry. Sigma-Aldrich is a corporate company that sells pharmaceutical grade precursors. I was dating a girl who was doing a post-doc in o-chem, was in her office waiting for her to finish up something, and flipped through their catalog. I saw a precursor that was heavily flagged by the DEA which could be used to synthesize massive amounts of a recreational drug. Curious, I asked her the procedure for procurement, and she delineated it. In short, she could get it with a sign-off from the PI and a few other things fairly easily [she would never do that, she's far too ethical - but her PI was famous enough that a request on his letterhead with "Veritas" on it would have been enough], but there's a chain of custody and auditing system in that just like there is with doctors who are issued DEA numbers. If I call up S-A and ask for the same chemical, not only would I be laughed off the phone, but they'd likely submit my information to the DEA to flag me for further investigation.

What am I getting at? You can't regulate people, but you can regulate systems. If that precursor was ordered and that drug happened to pop up, the DEA could easily call up any of the suppliers of those precursors and figure out when it was dispensed. We need to regulate any institution that collects data in the same way. When it's at a point where the institution is large enough to collect information at a level like that, issue compliance terms. In the same way publicly traded companies have to release financial information to the SEC and comply with numerous reporting terms (look at EDGAR to see how extensive it is), open up another branch of the government that is in charge of regulating the companies that collect data. That way, your engineer with loosely-defined morals who is capable of doing whatever will be prosecuted just like amoral doctors.




> We need to regulate any institution that collects data in the same way.

I feel like this is too wide. Everyone collects data. I don't mean all tech companies collect data, I mean, for example, your friends have copies of the emails you've sent them. They have photos with you in them of places you've been with timestamps and GPS coordinates. Your coworkers have access to your calendar. Your mechanic has the service history on your car. Your librarian knows which books you have checked out.

These aren't problematic situations because they each only have a little piece of your data, and you trust each of those people with that little piece, and if you don't then you don't have to give it to them.

The problem is when you don't have that choice. Which is what happens when you're dealing with a government or a monopoly (or some other concentrated market where you can't trust any of the players). You can't reasonably choose to not have your location collected by your mobile carrier, or the traffic cameras in front of your home. If all your friends use Facebook, then Facebook Facebook Facebook.

But we don't really want to regulate Facebook. I mean holy cow, what is that even supposed to look like?

I think we can separate the problem into two pieces. The first is collection by, let's call it, unavoidable monopolies. Telecommunications carriers and other utility companies. This is where we know exactly what to do, because these entities should not be collecting any information about people at all. There is no reason Verizon needs to know anything about you other than whether you've paid your bill. So regulation here can be useful, e.g. make it unlawful for carriers to triangulate a cellphone's location without a warrant, or collect anything whatsoever about the contents of IP packets. But we also have a strong technical solution here. Encrypt all the things. Fully deprecate HTTP in favor of HTTPS. We need to build, for example, DNS query privacy. Things like that.

The other part of the problem is what you might call avoidable monopolies. There is no fundamental reason why Facebook has to be as centralized as it is. You have a phone which has all your photos on it and is connected to the internet 24/7. Why is there a copy of your photos on Facebook's servers? If one of your friends wants to see one of your photos, why are they not getting it directly from you? Then you don't have to trust Facebook with a copy of it. So the solution for this half of the problem is, disintermediate the avoidable monopolies.


An interesting point, and I generally agree. But RE "avoidable monopolies":

> Why is there a copy of your photos on Facebook's servers? If one of your friends wants to see one of your photos, why are they not getting it directly from you? Then you don't have to trust Facebook with a copy of it. So the solution for this half of the problem is, disintermediate the avoidable monopolies.

It's because decentralization like that is stupidly, stupidly inefficient. Not to mention that the assumption that your phone is actually on-line 24/7 is unrealistic, and that's before we notice we're not on IPv6 yet, or that people also use cameras, or that they change their phones, go out of service range or simply want to free up space on the SD card for something else.

So the fundamental reasons are a) efficiency, and b) availability. That's not to say things couldn't be improved wrt. privacy. I don't know that much about crypto yet (that's about to change, for work-related reasons), but I vaguely recall that there are encryption schemes that would let only you and your friends access the data stored on third party servers, and that would make the data unreadable for said third party.


> It's because decentralization like that is stupidly, stupidly inefficient.

Disagree. If you're Netflix wanting to distribute Jessica Jones then you want something like a CDN (although in that context BitTorrent is also "something like a CDN").

But think about wanting to share photos with your friends. There are only thirty people who actually want to see the photos. Twenty-five of them live in the same city as you, which makes direct connections to you about as efficient as a local CDN node, and the other five live in four different cities, so in all but one case there is nothing to be gained from caching in any of those places because there will only ever be one copy requested. In that one last case the CDN would conserve just one long-distance copy, and that's assuming we can't make P2P software smart enough to have the second person in Timbuktu get the photos from the first person there.

> we're not on IPv6 yet

This one is probably the main reason why this hasn't actually happened yet, but it's not like we don't know what to do -- how about we get on IPv6 already?

> or that people also use cameras

You seem to be implying there is some reason why a photo taken with a camera couldn't still be distributed using a mobile device (or plug server or PC or whatever you like).

> or that they change their phones

And then they can copy the stuff from one to the other.

> Not to mention that the assumption that your phone is actually on-line 24/7 is unrealistic

Availability is a different tack. OK, your phone doesn't have twelve nines of uptime, but it probably is actually online upwards of 90% of the time. And we know how to build reliable systems out of mostly-reliable pieces.

We're assuming that there is a piece of software on your device which already knows who your friends are. So now it just needs a check box that says "cache things for my friends if they cache things for me" and now your friends can get your photos from your other friends (or from their own device) even when your device is occasionally incommunicado.

> or simply want to free up space on SD card for something else.

I think there's a law of physics that says your photos, to exist, have to exist somewhere. I suppose "I would rather give my private data to Facebook than buy an SD card big enough to hold it" is the sort of thing you have to decide for yourself.


It's only inefficient because NAT ruined the ability to publish.


Not really. Even if you could expect everyone to maintain their own servers (because a phone is not a device suitable for the task) - and remember, we're talking about the general population, not just techies - connecting like this would still be inefficient, compared to a bunch of central CDNs mirroring the data. Also, I can imagine it would be a logistics hell, unless you're willing to add more layers of indirection (e.g. trackers, the torrent kind).


In this particular scenario you may do better encrypting the content and having keys shared between you and your friend, but not Facebook.
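The scheme the two comments above gesture at (data readable by you and your friends, opaque to the hosting server) as an added example, not code from anyone in this thread: each photo gets its own random content key, that key is wrapped once per friend under a pairwise key assumed to already exist, and the server stores only ciphertext plus wrapped keys. The cipher is a stdlib-only stand-in (HMAC-SHA256 keystream, encrypt-then-MAC); a real client would use a standard AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Assumption: FRIEND_KEYS are pairwise secrets exchanged out of band; the
# server never sees them and only relays the record publish_photo() returns.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256 over nonce||counter, truncated to length."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt then MAC. Returns exactly what the server is allowed to see."""
    nonce = secrets.token_bytes(16)
    enc_key = hashlib.sha256(b"enc" + key).digest()   # domain-separated subkeys
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def open_box(key: bytes, box: dict) -> bytes:
    """Check the tag first; a wrong key or a tampered byte is rejected outright."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("ciphertext rejected: bad tag")
    return bytes(c ^ k for c, k in zip(box["ct"], _keystream(enc_key, box["nonce"], len(box["ct"]))))

def publish_photo(photo: bytes, friend_keys: dict) -> dict:
    """Owner side: fresh content key per photo, wrapped once per friend."""
    content_key = secrets.token_bytes(32)
    return {"photo": seal(content_key, photo),
            "wrapped": {name: seal(k, content_key) for name, k in friend_keys.items()}}

def fetch_photo(record: dict, name: str, my_key: bytes) -> bytes:
    """Friend side: unwrap the content key with the pairwise key, then decrypt."""
    content_key = open_box(my_key, record["wrapped"][name])
    return open_box(content_key, record["photo"])

def decrypt_fails(record: dict, name: str, key: bytes) -> bool:
    """True when the holder of `key` cannot recover the photo (server, stranger, wrong friend)."""
    try:
        fetch_photo(record, name, key)
        return False
    except ValueError:
        return True

# Constructed sample data: a fake photo and two pairwise friend keys.
PHOTO = b"\x89PNG constructed sample photo bytes"
FRIEND_KEYS = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
RECORD = publish_photo(PHOTO, FRIEND_KEYS)
```

Removing a friend is just dropping their wrapped key from the record (and re-keying photos they already fetched does nothing, since they hold plaintext copies), which is the trade-off any such scheme carries.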


Another important bit that contributes to your excellent comment is that software and data are very hard to control substances. Unlike physical goods such as precursors they can be transported through wires and all over the globe in less time than it would take you to fill out that sign-off form.


Also, when data is stolen, it is simply copied, the "original" remains on your computer - unlike physical items (which disappear when stolen). So it is really hard to notice.


Very informative reply, thanks! How do we regulate data-collecting institutions internationally? Look at the EU's Data Protection Directive[0]. As extensive as it is, it's struggling in the wake of the failure of the Safe Harbour Decision[1].

[0] https://en.wikipedia.org/wiki/Data_Protection_Directive

[1] https://en.wikipedia.org/wiki/International_Safe_Harbor_Priv...


I'm not informed enough in law, much less international law w/r/t intangible assets [and, maybe more importantly, the political infrastructure surrounding them] to make an informed response to that, but I'll try just based on my (limited) historical knowledge. (This is a pundit response, not an informed one.) Even if we constrained your request to simply a domestic domain, it'd be challenging because of the corporate interests who'd actively fight against it. Google et al would stomp on any bill that even remotely infringes upon their ability to aggregate data, as targeted ads are (or were as of circa 2011, when I last bothered to look at a cash-flow report of theirs) ~95% of their revenue.

Magically, should a bill/resolution be introduced to the floor and not be stomped on immediately, enforcing it internationally would be about as difficult as say, enforcing international oil embargoes or a ruling by the ICC (i.e., nearly impossible - you don't see any proceedings against Cheney or Rumsfeld for war-crimes within the Hague, now do you?). Domestically, however, the US has (or had, historically from, say, 1930 until the mid 90s) the economic/political influence to effectively enforce their agendas fairly effectively. The new US gov't entity formed would have to have the intent to limit data collection then exhibit the willingness to penalize those institutions for violating those data collection policies (e.g. similar to an FDA fine issued for a multi-national drug company who has a presence within the US).

Again, too many financial interests opposed to see this happening, but the refusal to adhere to the legislation would mean (in theory) loss of US business, which would be catastrophic for most industries. HackerNews user:grellas (or was, I haven't seen him post in a couple years now) is an attorney specializing in tech affairs who'd be able to make a better response, but from a strictly political POV, even domestic legislation limiting data collection would never occur.


This web site is for you; it's insulting to programmers, calling them hacks.

( http://acm.org/about-acm/acm-code-of-ethics-and-professional... )
