This is a public service announcement: by saying "IT is crap because users still buy it" you are effectively blaming the victim.

There is a huge information and resources asymmetry between large companies creating software and hardware, and a regular person who just wants their Internet-connected device to, you know, not do harm. Companies effectively made a business model out of that asymmetry.

We need education and regulation to make IT not crap.

@rysiek I don't really understand why there's next to no liability for this sort of thing. Intuitively it seems like that should be the default, no regulation required. If you collect my data and leak it, you need to pay me for that. Even if you just counted the hours of people's time needed to put freezes on their credit, that's a HUGE amount of money. The fact that we're not seeing that seems to be a fundamental failing of the government to provide table stakes protections.

@rysiek In fact, a lot of industries couldn't even really get going until the government came in and provided indemnities for the liability they had by default. Why is it the opposite in IT-land?

@freakazoid @rysiek While I agree with you in principle, I have to tell you, the amount of money involved that you might get won't even cover your lawyers' bills. Determining damages isn't easy or simple. On top of that, "leaking" is a word for an act. Getting hacked because security is crap... that's not deliberate.

@gedvondur @rysiek Yeah, the American Rule sucks. But that's what class actions are for, at least in the US. And yeah, the reason that getting hacked because you did a shitty job with security isn't considered an action (i.e. negligence) is because we have no standards around what constitutes sufficient security. Which I guess does mean regulation.

@freakazoid @rysiek I would say that it's a non-starter to say that getting hacked = negligence because that operates on the theory that there is such a thing as perfect security. We need a standard that shows "best practices" and "reasonable measures" and suddenly we are in a quagmire. I'm pretty sure this problem can't be regulated out of existence. We need regulations on what they collect and if they can sell it without express consent first.

@gedvondur @rysiek I'm not saying getting hacked should be automatically considered negligence. But much of the time there is little to no hacking involved, because people leave your data in open S3 buckets. If we can't agree that's negligence, we're all fucked.

@freakazoid @rysiek I think getting masses of people to agree to anything is an issue. For instance, what do you mean by "open" S3 bucket? Bad password security, no password security, no encryption, how do you define it? My point is that people are dickbags and can litigate to death. The best way to stop the practices is to make them untenable or unprofitable and that starts with iron-clad data permissions that CANNOT be click-wrapped.

@gedvondur @rysiek It does seem like it's going to be up to the government to force the industry to agree on what these standards are. In a better world, industry would be BEGGING government to regulate them after a few companies got ended by class actions.

@rysiek @gedvondur The analogy I think of is this: if I borrow your stereo and I leave it on my front lawn and it's stolen, I have to replace it. If it's in my house with the door locked and someone steals it, I don't. There's no specific law that says that, as far as I know. And whether or not I had your permission to have the stereo is irrelevant to whether I have to replace it in the lawn case. If I didn't have your permission, I'd have criminal liability on top of it.

@gedvondur @freakazoid let's start with S3 buckets with no passwords on them -- you know the link, you get the data.

That is gross negligence if private data is involved.
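The misconfiguration the post above describes (a bucket whose objects anyone with the link can read) is visible in the bucket's own policy document. The following is an added example, not code from anyone in this thread: it parses an S3 bucket policy document of the form AWS returns from GetBucketPolicy and flags Allow statements that grant object reads to the anonymous principal without a Condition, then combines that with the bucket's PublicAccessBlock settings. All sample policies and settings are constructed; the bucket name and VPC endpoint id are placeholders.

```python
"""Audit an S3 bucket policy for anonymous (unauthenticated) read grants.

Added example, not part of the original thread. Runs fully offline on
constructed input. Assumptions: the policy follows the documented IAM
policy grammar; the PublicAccessBlock dict uses the real AWS field name
RestrictPublicBuckets, which is the setting that neutralises an existing
public bucket policy (BlockPublicPolicy only rejects new ones).
"""
import json

# Actions that let an anonymous caller fetch object contents.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """Principal may be "*" or {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def anonymous_read_statements(policy_doc):
    """Return Sids (or statement[i]) of Allow statements that grant
    unconditioned object reads to the anonymous principal.

    Statements carrying a Condition (e.g. aws:SourceVpce) are skipped:
    a '*' principal scoped by a condition is not open to the Internet
    and deserves manual review rather than an automatic flag."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", f"statement[{idx}]"))
    return hits


def bucket_is_public(policy_doc, public_access_block):
    """True when the policy grants anonymous reads and the bucket's
    PublicAccessBlock does not restrict public policies."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(anonymous_read_statements(policy_doc))


# Constructed sample input (placeholder bucket name and endpoint id).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
    }],
})

PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, anonymous_read_statements(pol),
              "public" if bucket_is_public(pol, PAB_OFF) else "not public")
```

This covers the bucket-policy path only; a bucket can also be exposed through an ACL granting the AllUsers group, which the IgnorePublicAcls setting addresses and which would need a separate check on the GetBucketAcl output.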

@rysiek It's a failing of our legal system that those haven't been mostly rendered useless, considering how many other rights you cannot sign away.

Also, I don't think any amount of contractual language can get a party out of liability for negligence.

@rysiek Yes. But aside from regulation and education, we also need to accept that there are people who want to have sharp, powerful tools that meet their needs and use cases without requiring them to build them entirely on their own. Just like people want to *drive* cars without having to bother how they work internally.

@z428 oh sure, absolutely. But using sharp tools that can get you hurt should be a clear choice, and not the default state of affairs for everyone all the time.

@rysiek Yes, but sharp tools could hurt you for different reasons. Like a car: Driving at 250 km/h possibly is a dangerous idea - but the car itself should be able to handle it if you need that. 😉
