by Novashi 2694 days ago
>You are still processing that data. Part of processing that data involves you shipping it off...

>The data is moving through your servers.

So if a random company gets breached, is everyone involved, from cloud providers to ISPs, also responsible because they facilitated moving and storing the data, even though they are just hosting code?

This is problematic. Cloud providers give you permission to publish code. I could position myself to allow another company to publish code on my popular website to collect data and my role is basically no different than a cloud provider. We don't have to agree that is what it's specifically for, I just need to give them access to upload their own code for whatever expensive fee.


>So if a random company gets breached, everyone involved from cloud providers to ISPs are also responsible because they facilitated moving and storing the data and they are just hosting code?

ISPs aren't (supposed to be) "storing" that data. They are transferring bits between computers. You, on the other hand, are hosting a website with some sort of form that people input PII into. You are accepting that PII; whether or not it gets forwarded is irrelevant. You are processing it. So do your due diligence, contact your users and let them know what is going on, and speak with a lawyer for more information.

>You on the other hand are hosting a website with some sort of form that people input PII into.

That's what cloud providers do! If there's a spirit-of-the-law that is supposed to protect them, this would be a good time to write that in!

Do they specifically mention rental cars in the code of law when they say that the driver can't drive over the speed limit?

"Process PII" is incredibly vague. You could define that in a hilarious number of ways, given the amount of complexity we introduce to our software products, especially with code we don't even write ourselves, which widens your security surface.

This is especially true if you use a service that allows others to inject code into your code base. If NPM has a security failure that leads to a breach at a company, who is at fault? Both? Or only the company that chose to use the code? An NPM package might be processing PII after all. Does that mean NPM can never be held responsible for security breaches?

Secondly, your example would be backed up by historical cases and this law is brand new, so it is not clear. I'm not even sure how you guys can confidently argue that the new law ISN'T outright vague.

>> You could define that in a hilarious number of ways, given the amount of complexity we introduce to our software products, especially with code we don't even write ourselves, which widens your security surface.

You could define a hilarious number of ways in which your chef can pee in the broth you ordered at a local diner. But it generally doesn't happen, does it?