[throwawayou812]

It starts with the claim that this law could put Flappy Bird on the hook for decades of prison time. I rebut, and you say (paraphrased) "no, read the law, anyone with 1MM users could be sent to prison for failure to comply". This is obviously not true.

Actually, with specific regard to Flappy Bird, it is true because it had more than 100 million installs, far surpassing the 50 million requirement to expose him to criminal as well as civil penalties. So, in contrast to your statement, it actually is true.

Now, the proposal does not in fact have an auditor requirement, but also, the clause that discusses auditors goes out of its way to make it clear that the types of third parties they're referring to are technical experts, which startups already use.

I'm not sure what you mean here. There is an auditor requirement "where reasonable," and presumably "reasonable" would be entirely up to a court's discretion. Also, "technical experts" in the context of this law, wouldn't necessarily be the developer of the site, but rather technical experts who are trained in complying with this law. Likely, that means someone brought in by a law firm or professional auditing outfit, at enormous expense.

[tptacek]

No, you're still not correct, because the problem with your claim isn't simply that you have to be a larger company to face prison time, but that there's only one offense in the bill that includes that thread: knowingly certifying fraudulent data protection reports. I'm like the 4th person on this (broader) thread to point that out, and this is at least the 3rd time I've pointed it out to you.

By the way, did Flappy Bird even collect NPI? Or is this an even sillier example?

[throwawayou812]

there's only one offense in the bill that includes that thread: knowingly certifying fraudulent data protection reports.

That's what it says, but one would have to believe that failing to file such reports would also be a criminal violation in any final draft of the bill. Otherwise what would be the point of the bill? Does it make sense to you that they would have a bill like this, and provide a simple way to avoid it: just don't file? That appears to be an oversight by the author, but one would undoubtedly be fixed.

By the way, did Flappy Bird even collect NPI?

Since this bill uses a vague and legally untested definition of "personal information," simply maintaining weblogs containing IP addresses could trigger this.

[tptacek]

You've now moved the goalposts past the present text of the proposal and into hypothetical future versions of it.

[throwawayou812]

That's not "moving goalposts" as you put it. Are you saying that you believe that they would allow such an enormous loophole in such a bill?

[djur]

It is often the case under US law that failing to file paperwork is treated as a much less serious act than filing fraudulent paperwork. If you fail to file a tax return, you're nearly always assessed a penalty (it's a misdemeanor). If you file a fraudulent tax return, you can easily go to prison for a long time (it's a felony).

[CatRabbit499]

The original discussion was about the bill draft as it stands - not what it might be in the future - so why would you say it isn't "moving the goalposts" to make an argument out of speculation on the future?

[pnutjam]

Don't worry, free market competition among auditing companies will reduce any necessary compliance to pennies. Right? The free market works, right?