Quick thing on “vague lingo”.

Vague lingo is currently accepted, among white-collar crime academics, as absolutely the best path forward for reining in corporate behavior.

When you have very specific lingo, it’s extremely easy to circumvent the law. You want to keep the law vague and open so you have lots of maneuver room to prosecute. This assumes you trust the government, which when compared with companies I 97% do. Bruce Schneier’s latest book, “Click Here to Kill”, makes the same point [1].

[1] https://www.amazon.com/Click-Here-Kill-Everybody-Hyper-conne...




Counter argument:

Vague language is the best way to enable selective enforcement. Large companies who can afford the best lawyers will be able to find interpretations that are in their favor. Smaller companies would be unable to do this and thus more likely to lose.

And this only gets worse if large companies spend more effort on lobbying — they can get vague wording that makes the public feel good (like something is happening!) but which requires no effort on the company to comply.


>When you have very specific lingo, it’s extremely easy to circumvent the law. You want to keep the law vague and open so you have lots of maneuver room to prosecute. This assumes you trust the government, which when compared with companies I 97% do. Bruce Schneier’s latest book, “Click Here to Kill”, makes the same point [1].

Companies don't have a monopoly on force that the government does. This greatly changes how you calculate who the law should favor. I much prefer specific laws instead of laws that are selectively applied to whomever the government decides to target, because there is a long history of showing a very evil nature in how they pick targets.


Having recently encountered vague law - specifically GDPR - I cannot give the experience a positive recommendation. The position of being unable to determine what is actually required of your company, what the consequences might be, and thus what the risks actually are makes for an extremely uncomfortable environment.

Core question: what does "reasonable" mean? Do I get to define it, or some information security peer? Is it going to be defined as a matter of convenience by some functionary looking to make quota?

It's my professional responsibility to provide informative and actionable risk assessments and guidance. Crap like this makes that impossible.


The law isn't there to make the company's job easier.


You're absolutely right! Completely, utterly, and unreservedly so.

Laws like GDPR are there to protect people from companies. Not make things easier for them. It's perhaps possible that people might be better protected by laws that are clear than by laws that gesture vaguely in the direction of security. Similarly, people are well-protected by clear automotive safety standards, and poorly protected by the regulation around dietary supplements.

Might that be worth considering?


What makes surveillance capitalism companies scary is not that they make money through ad targeting, it's that the government can force them to give up their data to do much worse things.



