
What legislative action could be done? Require companies whose systems have a large impact on people's lives to hire licensed, certified software engineers? There is no such thing. Require them to follow industry standard practices? There is no such thing. Create new regulations governing the manner in which business management addresses concerns raised by developers? There is no such regulatory body.

You can't claim negligence in following industry standard practices when there ARE no industry standard practices. The closest we have in the software field is the work done by NASA on creating legitimately safe code. But companies don't want to follow those sorts of guidelines because they make software development slow and expensive. Sure, software development is the primary driver of their business's existence no matter what industry they are in, but they feel entitled to it being cheap and fast.




Except that there is precedent for these types of standards and laws in other industries:

PCI [0] is an industry standard which is mandated in order to maintain good standing in the payments industry and HIPAA [1] is US legislation which governs the handling of patient health data.

The issue we face is that there is no equivalent for either of these in relation to handling of PII and identity data.

[0] https://www.pcisecuritystandards.org/

[1] https://www.hhs.gov/hipaa/index.html


>What legislative action could be done? Require companies whose systems have a large impact on people's lives to hire licensed, certified software engineers? There is no such thing. Require them to follow industry standard practices? There is no such thing. Create new regulations governing the manner in which business management addresses concerns raised by developers? There is no such regulatory body.

Why are there standards for cars, but no standards for computer systems? I think it's possible to create them. If there are standards, it's easy to define malpractice.


I agree entirely. It's just a matter of there not being any standards yet. I would hope that eventually we can all agree that even though such standards will never be perfect, and their establishment will be contentious, we need to do it for the overall benefit of society. It will mean licensed software engineers are more expensive to companies, companies will be required to respect those engineers and treat them like competent experts rather than functionaries, and even give the engineers the ability to grind the business to a halt if they point out fundamental engineering problems with the system. Companies will hate that. Some of the practices made standard will seem boring, over-cautious, etc to some engineers and some will not be able to pass whatever tests are put in place and engineers will hate that. The licensing itself will probably end up being a way for some functionary body to enrich itself while providing dubious value as is the case with many of the existing engineering licensing bodies. But, despite all that, the overall social benefits would outweigh the negatives. And failure to accept those negatives will leave us in an even worse position.


Here are examples of things that could be included in such standards:

* Passwords should be stored only in salted and hashed form

* Code injection attacks shouldn't be possible

* Personal data should be stored in anonymized form with mapping between real and virtual id stored separately

* Only cryptographic algorithms from the approved list may be used (no MD5)

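An added example, not code posted in the thread: a Python sketch of what each of the four listed items looks like when actually written down, so the contrast between "standard" and "practice" is concrete. The allowlist contents, the PBKDF2 iteration count, the table layout and the sample records are all assumptions made for this illustration; the injectable lookup is deliberately vulnerable so it can be shown beside the parameterised form.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Optional

# Illustrative code for the four proposed standards; not from the original comment.
# Assumption: this is what an "approved list" would contain (md5 and sha1 excluded).
APPROVED_HASHES = frozenset({"sha256", "sha512", "sha3_256", "blake2b"})
PBKDF2_ITERATIONS = 600_000  # assumed policy value, in line with OWASP's PBKDF2-HMAC-SHA256 guidance


# 1. Passwords stored only in salted and hashed form (slow KDF, per-user random salt).
def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, derived_key); only these two values are ever persisted."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)  # constant-time comparison


# 2. Code injection: the concatenated query beside its parameterised form.
def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with two sample users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_injectable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: user input is spliced into the SQL text.
    rows = conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the input stays data and is never parsed as SQL.
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# 3. Personal data stored under a random pseudonym; the token-to-identity map lives elsewhere.
def pseudonymize(records: list) -> tuple:
    mapping = {}  # to be stored in a separate, more tightly controlled system
    stripped = []
    for rec in records:
        token = secrets.token_hex(16)
        mapping[token] = rec["email"]
        stripped.append({"id": token, "purchases": rec["purchases"]})
    return stripped, mapping


# 4. Only algorithms on the approved list may be used.
def approved_digest(algorithm: str, data: bytes) -> bytes:
    if algorithm.lower() not in APPROVED_HASHES:
        raise ValueError(f"{algorithm} is not on the approved algorithm list")
    return hashlib.new(algorithm, data).digest()


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", salt, key))
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection payload
    print("injectable lookup returns:", lookup_user_injectable(conn, payload))  # every user
    print("parameterised lookup returns:", lookup_user_safe(conn, payload))    # nothing
    stripped, mapping = pseudonymize([{"email": "a@example.com", "purchases": 3}])
    print("stored record:", stripped[0], "mapping kept apart:", mapping)
    try:
        approved_digest("md5", b"abc")
    except ValueError as exc:
        print("rejected:", exc)
```

The point the list makes is that each item is checkable: a reviewer can grep for string-formatted SQL, look for hashlib.md5, and confirm that the mapping table is not in the same database as the pseudonymised records. That is what would make "malpractice" definable.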

What could be done? Pass a law that you cannot store any data about a person without their explicit consent for each type of data. No blanket opt-in, no shady changes to TOS.



