54 comments

[ 5.6 ms ] story [ 155 ms ] thread
> One will require companies to let customers know within 30 days if their personal information went astray in a data breach.

What, we will know when the NSA grabbed our data, then? Too good to be true...

The laws absolutely scream to be mocked.
I'm sure they'll come up with some great alternative interpretations of the wording.

"In this case, no 'personal' information was lost at all, because after 30 days, all of the data had been effectively made public." - NSA

The law is aimed at commercial loss and identity theft stemming from data breaches. Whatever you think of the NSA, there's not a high risk its going to start selling data it collects on the black market for use in identity theft.
And when the NSA acquires, for example, German data and gives it to an American competitor? That satisfies the commercial loss objective, from an American point of view.
They are also alleged to give information to established players so they can fend off upstarts.

The NSA is a threat to Americans just as much as anyone else.

Which established players did NSA give competitive information to?
How is that distinction relevant? I want my data not to be with NSA as much as I want it not to be with hackers or marketers. In some ways, even moreso.
It's relevant because the vast majority of people living in the U.S. are far more comfortable with the NSA having this data than hackers. Policies are rarely made for outliers, and in this case, you are an outlier.
I'd rather have a hacker have 100% of my info than the NSA.

A hacker can steal my identity and drain my bank account.I can survive that, and I can defend myself by being careful.

The NSA can arrange to have me blackmailed, my reputation destroyed, or even killed, and they are confirmed to do this to people in an industrial fashion.

Whether I agree with you or not, my point is merely that your position is vastly in the minority. People broadly trust the NSA more than random hackers.
I think this is only true in the short term. Enormous stretches of the Russian and Eastern European mafias are made up of ex-KGB who went into business for themselves when the Soviet Union fell.

Imagine the private criminal opportunities that will become available to the NSA after 20 years of Moore's Law and bulk data collection.

Whatever you think of the NSA, there's not a high risk its going to start selling data it collects on the black market for use in identity theft.

That's a big assumption considering you're talking about an agency which openly flaunts the law or lobbies it out of existence as needed (thereby showing very little respect for the rule of law) and whose individual agents have shown very variable levels of judgement in the use of those systems (e.g. the LOVEINT stuff).

On the contrary, I think that once that data is in the possession of a large amorphous non-accountable organisation with relatively few checks and balances, it is inevitable that said data will end up on the black market. Why wouldn't it? There's money to be made.

This sort of slippery slope argument is precisely why I'm so anal-retentive about pointing out that the NSA programs that have been revealed thus far seem designed with a careful attention to toeing the line of various well-established legal precedents. You may not like Smith v. Maryland, but there's a big difference between the NSA following an interpretation of the law you don't like, and flouting the law entirely. And that difference is wholly salient to the question of whether the NSA would engage in conduct that's obviously illegal, such as selling private information on the black market.
Let me quote from today's article by Cory Doctorow: ( http://boingboing.net/2015/01/13/what-david-cameron-just-pro... )

> If your Whatsapp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals, crooked police (like those who fed sensitive information to the tabloids who were implicated in the hacking scandal -- and like the high-level police who secretly worked for organised crime for years), and criminals will eventually discover this vulnerability.

The police, the NSA, etc, cannot be trusted not to misuse information which they obtain. In fact, you can quite reliably trust them to misuse that information, if history is any guide (and it is).

Whether the misuse will include actually boldly grabbing some private information that's currently valuable and selling it on Evolution or Silkroute 3 or whatever, is a purely academic question. If the information is on NSA servers, and is valuable, and someone at the NSA knows about it, it probably will be misused in some way.

(comment deleted)
If your Whatsapp or Google Hangouts has an embedded elliptic curve public key in it, will criminals eventually discover the private key? Are we using an especially generous definition of "eventually"?
I think this is to wash away the NSA stuff while making it look like Obama cares about your privacy - even though this law only applies to private companies, not himself/the government.

If he really cared about privacy he'd at least try to reform the ECPA.

Obama isn't able to beef up much with Congress voting on the laws first. That might prove difficult given the current makeup of Congress.
Congress doesn't seem to be shy about passing national security legislation. That often trumps partisan politics.

I think we've entered the age where we can no longer ignore our national IT infrastructure shortcomings. As someone who has had more than a few sysadmin jobs, and at a couple places you've heard of, its incredible how little security matters, how poorly software is written, how few developers can write secure code, and how management can force IT to make boneheaded implementations that bite everyone in the ass later.

I would love to see a HIPAA-type regulation for all businesses, encryption everywhere, force change of default credentials, etc. The wild west days of the internet need to come to an end.

No thanks. I can see this kind of legislation turning any online presence into a horribly expensive bureaucratic nightmare while accomplishing fuck-all security-wise. (At best.. Given current governments' track record, any privacy act would be all about stomping on people's privacy.)

I'd rather not be subjected to (and pay for) more security theater, or see every small business out there drown in a paper mill suitable for the fortune 500s.

We are already liable for any gross misconduct.

Do you honestly think patient information would be safer without HIPAA?

Do you honestly think the EU privacy laws that we don't have in the US aren't doing anything?

Its incredible how the anti-regulation types think everything is fine and that no regulation has ever worked.

As someone who has worked in multiple regulated industries, including with HIPAA, what they accomplish is rarely the intended goals.

Regulation is a weapon to be used by powerful interests to bash competitors. For example, utilities love regulation as it gives them a de-factor monopoly and predictable income.

The medical industry widely ignores HIPAA in a holistic way. Ask any practice you visit about their handling of medical records, IT security practices, etc. Heck, ask them if they still use Windows XP.

> For example, utilities love regulation as it gives them a de-factor monopoly and predictable income.

This is kind of nonsense argument, because most utilities are monopolies by design. The idea is to give utilities a predictable income stream in return for agreeing to abide by certain public interest policies.

I get that that is the idea. The reality is that most utilities pass along their expenses, whatever they are, into a "rate case" with a percentage tacked on top. That is opposed to every other business where more efficiency == more profit and decreasing prices due to competition.

Models of efficiency, they are not, to the point that their inefficiency severely hinders their ability to serve "the public interest." They also tend to use their size to squash any potential competitors in their space (see power companies with private solar and the telecom industry versus VOIP).

> I get that that is the idea. The reality is that most utilities pass along their expenses, whatever they are, into a "rate case" with a percentage tacked on top.

Again, that's by design. The public authority sets rates at some fixed cost plus reasonable rate of return on capital. The idea is to encourage potentially very expensive capital investment without the perceived danger of subjecting a critical utility to the ups and downs of market pricing.

And utilities act to squash competitors because lack of competition is the whole quid-pro-quo of being a utility. Utilities don't make Twitter-like 30% margins with double-digit growth. The reason private capital is willing to sink money into them is that they get their consistent 10-15% return on a regular basis. Competitors not only upset the arrangement, they can quickly jeopardize that margin.

I'm not defending regulated utilities. I think they're mostly a bad idea, but judging by the discussions around here where people talk about the wonderfulness of water utilities, lots of people are on board with sanctioned monopolies with guaranteed rates of return. But the flaws you're pointing to aren't "abuses of regulation"--they're a conscious bargain between municipalities and utilities.

> Do you honestly think patient information would be safer without HIPAA?

Quite possibly; the privacy and security portions of HIPAA were included to mitigate the risks associated with the push for electronic systems and standardized data that were more central to HIPAA -- and the enhanced privacy and security features added later in amendments to HIPAA were furthering that in the context of increased standardization and automation that was being promoted in the same legislation; without HIPAA, you might not have as much formal protection of patient data, but you also might have a lot less data in forms that were easy to compromise en masse in the first place.

(Of course, that would also have consequences for administrative efficiency and quality of care, and without HIPAA and the related subsequent acts that included those patient protections as mitigations to potential negative effects of their primary functions, the US might have the least efficient health care system in the developed world by an even larger margin than it currently does, which, even if HIPAA does net some increased risk to patient information, might not be worth the cost.)

> I can see this kind of legislation turning any online presence into a horribly expensive bureaucratic nightmare while accomplishing fuck-all security-wise.

One of the sources of a push for federal standards is frustration with multiple conflicting state standards doing the same thing.

I worry about the regulations being wrong or becoming wrong over time then being very difficult to change. What happens if we are legally obligated to engineer a system in an insecure manner and we can't fix it without a series of bureaucratic moves?

If sweeping regulations do come along, I hope there's a strong push for them to be loose or amiable enough to avoid these problems. For now, though, I'm skeptical.

The cynic in me thinks that's the entire point. Things like this an the free community college are great but he has to be going into it with confidence that it'll never happen under the current climate. For the community college proposal I'd go so far as to say it can't work in America at all because American's don't care about each other enough to support something like that. But now that he's at the second half of his second term he can at least propose these things and go out saying "I tried ...".
I'm not so sure that Americans don't care enough about each other to support the community college proposal. I haven't really heard any opposition to it from any of my friends or acquaintances. In fact, it's actually quite difficult to argue against. The GOP-controlled Congress is going to have a pretty hard time building support for opposition to the proposal, although I'm sure they'll figure out some way to do it.
Comments sections on some sites have had the regular "way to waste money ..." types of comments but that's hardly indicative of the nation as a whole. The reason I believe it will run up against a lot of opposition is because every year when my town sends out the breakdown of how taxes were spent I can't count the number of people I hear whining about school taxes already. "I don't have any kids in school so why the hell should I have to pay for it!?" is a VERY common theme in my area. Maybe it's not as common everywhere, this is a big diverse place after all, but it's common enough that some places have started to implement charter schools as a response to it.

The best argument I've heard, that I agree with in a way, is that we should first focus on fixing our broken pre-college school system. I don't see why we couldn't do both at the same time but if we're forced to pick one or the other I'd agree that that is probably of greater importance. Though that's a separate debate :)

Yeah, I don't see why you folks couldn't fix both the school and the college system at the same time. You should be free to fix your problems in any order you want.

Just remember that I don't have kids in school nor in college, and taking my money to pay for more unfireable teachers is not "fixing".

One can argue that the problem is that we've cared too much, not that we don't care at all. The biggest argument I've heard against it from various sources is just "Where's the money going to come from?" Individually everything the government is doing could be fantastic and wonderful, yet the whole can still end up being a bad idea when the whole turns out to be unaffordable. Of course it's wonderful if we don't have to consider costs, but we do.

I could also argue that if 4 year colleges have even in part become so expensive because of all the subsidized money available that bringing subsidized money to the community college will have an "unexpected result" so expected that one could hardly call it "unexpected" anymore.

You're entirely right, it is the entire point of his proposals.

Why else would he be floating proposals he knows can never pass, except to be winning cheap gains from the suckers who don't see it for what it is? A president proposing a huge program like free college for everyone without controlling Congress is basically talking to a wall.

Obama is trying to help the Democratic party with its stagnant voter base problem. The people who would regularly vote Democrat have moved far to the left of the Democratic mainline and are tired of seeing nothing come out of the Democratic party, meaning that they no longer have any motivation to vote for Democrats-- not to say they are voting for Republicans either.

Sure, you're going to say Obamacare came out of the Democracts-- but the left leaning segment of the Democratic base didn't want Obamacare, they wanted single payer, and Obamacare fell horrendously short of that. This election was a wakeup call for the Democrats, and indicated to them that they have lost their base to the more radical members of their party like Elizabeth Warren.

Thus, we see the Democrats attempt to show people that they still have big ideas, because they are incapable of showing people that they have big actions.

I've become extremely disillusioned with US Politics and I find it hard to not be apathetic about it no matter how much I don't want to be. It seems like everyone treats it as a big game. Just look at the landscape and how its implemented. Talking heads providing endless commentary, the entire country being broken into teams, people taking sides and playing favorites, presidential elections have more in common with American Idol than with actual political elections, politicians being more concerned with being the "winner", or at least not being the "loser", than doing what's right (even when "right" is defined by their own beliefs). I'm sure its always been like this in some way but it feels like it just gets worse every election cycle.
The truth is probably somewhere in between. Obama can't be maneuvering for re-election, of course, but can try to set things up for the 2016 elections.

But good legislation does not just magically appear in Congress. Many government programs got a big boost from the President "calling for them"--national parks, for example, or the moon landings. These were not new ideas when Roosevelt or Kennedy spoke about them, but speaking about them helped generate the public momentum for Congress to act.

The U.S. was the first nation in the world to provide free, publicly funded education through high school. It was implemented locally, but it was an idea that was discussed and promoted nationally. The idea of free education is a powerful one in the U.S. culture.

And many community colleges are already heavily funded by state and local governments; making them totally free might not be as big a step as it seems on paper.

> Obama isn't able to beef up much with Congress voting on the laws first. That might prove difficult given the current makeup of Congress.

Policy change can be sudden and radical, but durable shifts in political priorities often start with legislative proposals, which build support for the idea in the public consciousness, which translate into pressure on elected politicians, which turn into policies -- maybe not this year, and maybe not until after several election cycles.

But if you never propose anything that won't pass today, you never move things in the direction you prefer.

More placebos.

>Another will attempt to give people more control over what can be done with the data companies gather about them.

Key word is attempt. One can be sure Google and friends will be lobbying hard for no such control, and if something does perchance pass, it won't be for years whatever it is is implemented and will be purposely difficult to reach.

Okay,guys,any solutions to the current scenario?
This conversation is important. It's a bit disappointing that we see legislation instead of dialogue. The initiatives here sound kind of knee-jerk and rather difficult to enforce.

Companies should be held accountable for the data they collect and how it is used. Most TOS are unconscionable. I'm sure some of the folks here read the entire TOS of every web service they use, but I've never met a person in real life who does. I think a framework for TOS that is basically just a check box "Do you collect: A, B, C" "Do you distribute: X, Y, Z" could be really useful. There could be some pretty cool strategies between web sites and browsers to help users determine what the site is doing and whether they want to proceed.

This is a time for a dialogue that builds a working framework, not a burst of legislation that pacifies the public and accomplishes at best a couple of short term goals.

For that we would need all companies to come together and accept a new legislation.I don't see that happenning soon?
Which part requires everyone agreeing? Building a working framework or having a dialogue?
I think maybe the important question is people having a lack of faith in these stuff.You can't have faith when all you see is everytime the same thing repeating one way or the another.
> It's a bit disappointing that we see legislation instead of dialogue.

Legislative proposals are part of dialogue. You can talk all day about generalities and get nowhere, having specific proposals to discuss -- and either criticize or propose alternatives to -- is what moves the dialogue forward.

It can, but I don't think these will. It looks like this dialogue is already framed in "regulation vs no regulation" without much depth. I think that a long drawn-out discussion among professionals would be more effective (if slower than) sound-byte politics.
> It looks like this dialogue is already framed in "regulation vs no regulation" without much depth

If you read even the news articles on this particular proposal you'd see that's not the case:

(1) There are people who are simply set against regulation, (2) There are people who believe regulation is necessary, and favor the status quo of state-by-state regulation without federal regulation, (3) There are people who believe regulation is necessary, see value in federal regulation, but are concerned that federal regulation may be counterproductive if it fails to be as good as some of the existing state regulations and preempts them, (4) There are people who believe regulation is necessary, but that patchwork state-by-state regulation is itself counterproductive, so that it is important that consistent regulation be adopted at the federal level.

And there are fairly sophisticated arguments for all those positions.

> I think that a long drawn-out discussion among professionals would be more effective (if slower than) sound-byte politics.

This proposal is one of the products of the decades-long drawn-out discussion among professionals (and others) that have been going on about this issue (which has intensified in the last 1-2 decades with the growth of online commerce, but started long before that.)

(comment deleted)
This is the grand dichotomy of government ethics. Its ok to enforce rules on others, but not themselves. They uphold neither privacy, nor attack data breaches from the NSA, for example.
I'm quite certain that all my consumer rights are sufficiently protected by the actual bill of rights.

Moreover, my concern is that these laws will give government even more oversight into the management of user data, and therefore the data itself, in order to enforce the laws.

Yep, plenty of laws in place already.

It's the enforcing of those laws that's currently lacking, and I don't see this fixing that at all.

> Obama to beef up laws on privacy and data breaches

I hate headlines like this. The President is a figurehead. He can't really do anything (shy of directing federal agencies not to enforce certain laws) without Congressional action.

Executive orders beg to differ.

Admittedly, the next guy can just come in and get rid of those orders, but it's not like he can't do anything.

It's also powerful if the President says, "All federal agencies are no longer allowed to use Google or Microsoft until they comply with these new privacy standards."

The actual headline is more accurate: 'Barack Obama calls for stronger data privacy laws' (at the time that I'm writing this it is 'Obama to beef up laws on privacy and data breaches').

The President of the United States is not able to 'beef up' federal laws; he can execute the ones that exist and call for new ones to be passed.