@lnxw48a1 I think so. It’s been a while since I handled medical records, but even if your company is not in the medical field, health status rules apply

@rook I’m all for that. The purpose of these agencies is to protect the public and they can certainly intervene in this case without hurting the market

“We care about your privacy” means a lot more when backed by millions in guaranteed fines

@cypnk There's a possibly apocryphal story that the Romans would make the engineers responsible for building a bridge stand under it as the first legions crossed. Whether or not this is true, we need something like this for commercial software. All the private data of every software engineer goes in and must be correct. And because of treble damages, they should be required to put in a bunch of additional data as well that the app doesn't normally collect.

@cypnk One might say "But then developers will be terrified to build apps that collect and store private data!"

To that I say:

@seanl I strongly support treating software engineers as material engineers

We have standards (and serious consequences) for failures and it should be the same for software when lives are impacted

Then we can finally develop established and well-tested standards for treating critical information and move away from the Wild West approach to releasing products

@cypnk
You also have the right to not sign off on something. Legally if I choose not to work on something because I think it's dangerous or immoral I would be fired and would have no recourse.
@seanl

@cypnk @seanl
The idea of passing the buck to the laborers just recreates the Wells Fargo incident.

@Vopo @seanl Treating software engineers the same as material engineers offers that same protection

You’ll have the benefit of objecting to unsafe or unethical practices

An engineer can’t be legally fired for insisting on safety

@Vopo @cypnk @seanl agreed. there's more to software being shitty than rank and file software developers being cavalier about their work or bad engineers.

There's a whole industry, (sometimes perverse) incentive system, disagreeable directives from management, pump-and-dump startup culture at play, not to mention the lack of protection for programmers who would take a stand on ethical grounds.

@pho4cexa @Vopo @cypnk As far as I can tell startups consider their biggest risk to be getting to market too slowly. At the moment they're right. We need to make the risk of a breach bigger than the risk of being too slow to market, even if that means breaking the corporate firewall and going after investors for more than they put in like they used to do (and should do again) with bank shareholders in the US.

@seanl @cypnk

I'm contemplating the horrible state of malpractice insurance and how it would likely come into play in this situation.

@RussSharek @cypnk It's not the insurance that's in a horrible state; it's the liability itself. The law needs to take into account the fact that juries are unable to think rationally about medical malpractice.

Of course, they're not really able to think rationally about anything and the government won't make even the most basic, obvious reforms like having the jury read a transcript instead of being physically present in the courtroom.

@RussSharek @cypnk But this could be restitution imposed by the criminal system rather than civil liability. Just assign a value to each type of data by law and if they're convicted they pay up.

Or if it does need to go to the civil court on it, just put an upper limit on the liability. This would help a lot with medical malpractice, too. A life is not worth infinity dollars but humans are constitutionally incapable of accepting that.

@seanl @cypnk

Good point. Only potential downside would be the threat of those mistakes being a disincentive to develop free tools for those needs.

@seanl @cypnk

You're asking a lot of reactive people. :)

@cypnk @seanl ...which is why I think that Europe is on the right track with the new General Data Protection Regulation, even if it is far from perfect.

@galaxis @seanl We need some of that over here

Sadly, there’s so much lobbying and private money influencing officials, it’s nearly impossible to get sensible data protection laws enacted in the U.S.

Worse, they write in silly laws like making the breach of an EULA a crime or downloading publicity available data if the link was “hidden”

@seanl @cypnk Well, there's some interdependency there... On the plus side, US companies that want to safely do business in Europe will need to react to the GDPR in some way... On the negative side, there's a lot of "we need to catch up to Silicon Valley" rhetoric going on over here, which usually means "let's get rid of the GDPR as soon as possible"...

@galaxis @seanl @cypnk I had to check GDPR compliance statement for Surveymonkey today as one of the matrons wanted to use it (they did at least have one). Interestingly the UK is still pressing ahead of GDPR for the moment in spite of Brexit with no obvious plans to repeal it (even if USA lobbies for it to be removed it would be balanced against further loss of business to the rest of Europe)

@seanl
@cypnk

This times a thousand. Every time a company comes back with "no one cared about their security for ten years" this should be read to their face

@thickermatters If you don’t see the difference between sharing the infectious status with a medical provider and sharing with a private corporate entity that farms your identity, you are truly lost