by kodablah 2822 days ago
If legislation is really required, and I'm not convinced it is, can we start small? This stuff never gets rolled back and tech companies' use of personal data is the new terrorism.

Again I'll take none, but if this ridiculous fervor that's been built requires something, how about not-tech-specific rules around data sharing transparency? Just require details on what's shared and with whom for those seeking it (ideally companies publish it to prevent requiring individual request/response scaling issues, but their choice). You're gonna find most people don't care anyways, so they shouldn't be burdened with more hardline privacy requirements. Just increase the visibility for now.

And please please learn from EU mistakes and establish enforcement mechanisms. Don't just make exorbitant ceilings and move on. Have a framework to punish violators, and again start with small legislation until it can be shown enforcement occurs and is working.

Having said all that, can we just start with pro-privacy PSAs, education, targeted advertisement awareness, punitive measures for breaches, and relaxation of legislation preventing me from scraping/manipulating/proxying these sites however I want? If we all have to hire lawyers and/or compliance assistance, then the first step is too large. We can make our way towards delete-all-my-data-on-request laws later. Not sure what made this an emergency (actually I do know based on media and political driven fervor, but that will be best studied through the lens of history). But all these tech people, OP and commenters here especially, don't speak for many people who accept the current state or reasonably understand heavy-handed government regulations on the internet bring more bad than good.

And for goodness' sake, don't use the domain of your should-be-neutral software to make a political post. You aren't gonna feel any pain now because you are in the same line with other popular pitchfork wielders, but your political leanings have bitten you before, so why would you associate your company with them?


> And please please learn from EU mistakes and establish enforcement mechanisms. Don't just make exorbitant ceilings and move on. Have a framework to punish violators, and again start with small legislation until it can be shown enforcement occurs and is working.

There are enforcement mechanisms in the GDPR. IMO they also are quite good. The max fines are huge, but there are mechanisms to help misbehaving companies into compliance and also to protect companies from random lawsuits by individuals.

> There are enforcement mechanism in the GDPR. IMO they also are quite good.

Based on my research into the lax enforcement of GDPR predecessors and GDPR leveraging those same enforcement bodies, I disagree. This is why I advocate an incremental approach: so you can prove you are adept at implementing the measures you write down, lest it become just words, or worse, an economic warfare tool to subjectively apply on a whim. Sometimes you even have to temper those words knowing your enforcement mechanisms aren't yet prepared. Nobody's asking for going after all offenders, just reasonable attempts at equitable large-scale enforcement.

> how about not-tech-specific rules around data sharing transparency

Such as... a General Data Protection Regulation? GDPR is not "tech-specific", it applies to technical solutions, yes, but also to business requirements and administration, and non-technical data collection. One non-tech consequence here is that stores are encouraged not to ask your SSID equivalent, since that exposes deeply personal information to others nearby.

> Just require details on what's shared and with whom for those seeking it

That's a big part of GDPR, actually. You're allowed to collect data, with certain rules about transparency and anonymization, and as long as there are reasonable motivators for collecting it. Within reason and with exceptions, I'm sure, but nonetheless, that's a big part of it.

> You're gonna find most people don't care anyways

I'm willing to bet few people cared about regulations on traffic safety and alcohol as well. That doesn't mean that regulations to hold bad actors responsible aren't necessary, as has been proven countless times through leaks, sometimes very large or sensitive leaks.

> And please please learn from EU mistakes and establish enforcement mechanisms.

What do you mean by this? What "mistake" has the EU made? They have enforcement mechanisms in place to target companies for violations of GDPR. It will take time to work out the details and establish case law, but I don't see any way around that. Even if you introduce "small" regulations, companies will fight the charges or fines that you bring to establish precedent.

> If we all have to hire lawyers and/or compliance assistance, then the first step is too large.

You all don't. Larger corporations probably do, but that's unavoidable. GDPR was announced something like two years before implementation, and published in a lot of different ways beforehand. There were compliance consultants, yes, but there were also PSAs, education, advertisement, easy-to-read summaries and tons and tons of material to read up on.

> heavy-handed government regulations on the internet bring more bad than good

The view of pre-GDPR internet as something free of regulation, or free from government involvement, or as nothing but a land of milk and honey seems to me like a pretty severe case of rose-tinted glasses, especially if we're talking the last 10-15 years.

There have been a lot of issues with the internet, even without mentioning all the severe privacy breaches, or breaches that are a concern for national security.

> Such as... a General Data Protection Regulation?

Without the rest, sure. Laws also exist for consumer data sharing transparency in the US; they just need to require more detail and have their scope increased (again, if we're resigned to the fact that something must happen).

> That's a big part of GDPR, actually

Right, my whole point is starting small, i.e. without all the other big parts.

> I'm willing to bet few people cared about regulations on traffic safety and alcohol as well

We have to stop debating like this. I could bring up drug laws or prohibition to bolster my point about government regulatory overreach and its consequences. But doing this at a high level negates the nuances in the debate on this issue which has no historical equivalences from which to draw.

> What do you mean by this?

I have not seen large scale equitable enforcement of EU internet laws to justify their size. It's becoming a more rational approach to ignore the laws. Even proponents of the GDPR use subjective enforcement to allay small business fears of compliance. This is why I promote proving you can enforce before expanding scope.

> You all don't

That is a product of levels of risk, legislation scope, and market reaction to the general murkiness of how it will be interpreted and enforced. It's like telling a business they don't need an accountant, the information is all out there.

> The view of pre-GDPR internet as something free of regulation, or free from government involvement, or as nothing but a land of milk and honey seems to me like a pretty severe case of rose-tinted glasses, especially if we're talking the last 10-15 years.

Agree and I definitely don't share that view. I am proud of my peers for fighting it where we have, I just wish we could separate what we want vs how we get it.

Speaking of breaches, I think that's a great initial place to direct legislation and build citizen support against reckless companies without going all in on legislation of data specifically. It also has the benefit of punishing violations instead of prescribing specific maintenance rules.