[tptacek]

This is a frustrating thread.

It starts with the claim that this law could put Flappy Bird on the hook for decades of prison time. I rebut, and you say (paraphrased) "no, read the law, anyone with 1MM users could be sent to prison for failure to comply". This is obviously not true.

Then the claim becomes that pp26-33 of the statute has so many burdensome requirements that it would be impracticable for many startups to comply. I ask for specifics; none emerge. Instead, a new claim appears: every startup would be on the hook for "a couple hundred hours" of legal to verify their compliance.

But the proposal as stated doesn't require formal compliance reviews, making it hard to support an argument that this proposal would somehow cost more than many other regulations that do have that requirement, and for which my firm has done significant engineering and compliance work without spending a hundred hours talking to legal.

But, no, it turns out that's not the argument. The real argument is that the proposal requires auditors, for which legal will have to be deployed prophylactically. Now, the proposal does not in fact have an auditor requirement, but also, the clause that discusses auditors goes out of its way to make it clear that the types of third parties they're referring to are technical experts, which startups already use.

So the argument changes again. Now the argument is that regardless of the specific construction in the proposal (again, these specifics were all brought to the discussion by you!), it would be prohibitively expensive for startups because a lawyer would have to take time to verify the meaning of the law for the startup.

I point out that this is an argument that applies equally to pretty much any privacy or security law, and you respond that this is one is a special case because of the prison time and fines (the "breathtaking" fines are part of the same clauses as the prison liability) --- thus resurrecting the original false claim.

This doesn't read to me like a good-faith argument.

It's of course fine to make the argument that any new regulation would impede startups and would therefore not be worth the trouble (there are other arguments against this proposal you could just as easily make; for instance, that the field isn't mature enough for us to have the FTC use rulemaking authority to establish cybersecurity requirements for startups).

But if those are the kinds of arguments, you're making, make them. Don't move the goalposts.

[throwawayou812]

It starts with the claim that this law could put Flappy Bird on the hook for decades of prison time. I rebut, and you say (paraphrased) "no, read the law, anyone with 1MM users could be sent to prison for failure to comply". This is obviously not true.

Actually, with specific regard to Flappy Bird, it is true because it had more than 100 million installs, far surpassing the 50 million requirement to expose him to criminal as well as civil penalties. So, in contrast to your statement, it actually is true.

Now, the proposal does not in fact have an auditor requirement, but also, the clause that discusses auditors goes out of its way to make it clear that the types of third parties they're referring to are technical experts, which startups already use.

I'm not sure what you mean here. There is an auditor requirement "where reasonable," and presumably "reasonable" would be entirely up to a court's discretion. Also, "technical experts" in the context of this law, wouldn't necessarily be the developer of the site, but rather technical experts who are trained in complying with this law. Likely, that means someone brought in by a law firm or professional auditing outfit, at enormous expense.

[tptacek]

No, you're still not correct, because the problem with your claim isn't simply that you have to be a larger company to face prison time, but that there's only one offense in the bill that includes that thread: knowingly certifying fraudulent data protection reports. I'm like the 4th person on this (broader) thread to point that out, and this is at least the 3rd time I've pointed it out to you.

By the way, did Flappy Bird even collect NPI? Or is this an even sillier example?

[throwawayou812]

there's only one offense in the bill that includes that thread: knowingly certifying fraudulent data protection reports.

That's what it says, but one would have to believe that failing to file such reports would also be a criminal violation in any final draft of the bill. Otherwise what would be the point of the bill? Does it make sense to you that they would have a bill like this, and provide a simple way to avoid it: just don't file? That appears to be an oversight by the author, but one would undoubtedly be fixed.

By the way, did Flappy Bird even collect NPI?

Since this bill uses a vague and legally untested definition of "personal information," simply maintaining weblogs containing IP addresses could trigger this.

[tptacek]

You've now moved the goalposts past the present text of the proposal and into hypothetical future versions of it.

[throwawayou812]

That's not "moving goalposts" as you put it. Are you saying that you believe that they would allow such an enormous loophole in such a bill?

[djur]

It is often the case under US law that failing to file paperwork is treated as a much less serious act than filing fraudulent paperwork. If you fail to file a tax return, you're nearly always assessed a penalty (it's a misdemeanor). If you file a fraudulent tax return, you can easily go to prison for a long time (it's a felony).

[CatRabbit499]

The original discussion was about the bill draft as it stands - not what it might be in the future - so why would you say it isn't "moving the goalposts" to make an argument out of speculation on the future?

[pnutjam]

Don't worry, free market competition among auditing companies will reduce any necessary compliance to pennies. Right? The free market works, right?