[danudey]

If a company can't 'innovate' without sharing users' data with third parties or treating it recklessly through lax security (or uploading database dumps to publicly-accessible S3 buckets) then that company doesn't deserve to be in business.

It doesn't take a suite of lawyers to enforce that, either. Health care is gigantic mess of bullshit in the US especially, because of the multiple different 'stakeholders' - customers, insurance companies, brokers, "networks", hospitals, doctors, etc., and every mistake is a gigantic lawsuit waiting to happen. It's a disaster however you cut it.

As for personal data for some arbitrary startup, any argument that "innovation" depends on being able to be careless or cavalier with that data is just ridiculous. Be careful with it. Store it properly. Only collect what you need, and delete the rest. Expunge data you no longer need. Never send it to any third party without asking the user, and provide clear information about where and with whom the data is processed and stored at rest.

There, now you're being careful with user data and you can still "innovate" decent products, as long as your business model isn't user-hostile from the start.

[dahfizz]

I think you've missed your parents point.

The problem they point out is that well intentioned businesspeople who want to provide you a useful service and store your data correctly are priced out.

If you want to deal with medical data of any kind, you need a lawyer. Full stop. It doesn't matter how good your intentions are, or how many "best practice" blog posts you follow. You need to hire a lawyer, and lawyers are incredibly expensive.

> Be careful with it. Store it properly. Only collect what you need, and delete the rest.

This is great advice, but that's not how laws work. Congress won't pass a law that says "store it properly". They are going to pass a law that describes how you can and cannot store data in 600+ pages of legalese. And no matter how properly you think you're doing things, you have to have a lawyer to know you're actually doing it properly.

Said another way: regulation always adds cost and barriers to entry. These affect the "good" business just as much as the "bad" business.

[dx87]

Not every business has to be viable for a startup. I'd rather a company that can't afford a single lawyer not have access to my personal information. If that means pricing them out of it through regulation, then so be it.

[dahfizz]

That's a perfectly reasonable position. If you have considered the pros and cons and decided one outweighs out the other, that's fine.

My parent was not doing that, and instead flippantly remarked that you should just store data correctly and everything is fine.

My point is that it is important to consider the implications of government action, because they are always numerous.

[bpodgursky]

Then don't use the startup? Not everyone has the same calculus as you. You don't need regulation in order for you to not use a product.

[toomuchtodo]

Regulation exists to protect citizens at scale. “Don’t use the business” isn’t how we’ve built society, rightfully so. If you believe the regulation to be onerous, fix it.

One is not entitled to do whatever one wants to generate a profit, at the detriment to uneducated or unsophisticated citizens, or society as a whole.

[manigandham]

> If you believe the regulation to be onerous, fix it.

Well, that's what they're doing by not wanting it.

[gentleman11]

We are trading the personal information of billions of people for the ability for tech startups to iterate quickly, who will for the most part decide on a freemium business model revolving around mining and selling private data

[searchableguy]

And may be trading away our ability of choice in the future and being stuck with a monopoly.

Nobody talks about regulated industries with duopoly or monopolies that everyone has to deal with. Tech industry is exotic ain't?

Big companies will still find a way to track you. That won't change. You can pull up a list of all the privacy focused laws released recently and you can still see Facebook and all their products working fine but you never hear about someone who wanted to bootstrap an idea and couldn't invest much upfront to deal with slow expensive law system.

We don't need more regulations. We need more selective punishments proportional to the damage and presence. Not a lame fine that is not proportional to what companies are profiting from . And if you know anything, Facebook is the one lobbying for privacy these days. They are pushing for some of the requirements they are already compliant with to be put into law .

[godelski]

> The problem they point out is that well intentioned businesspeople who want to provide you a useful service and store your data correctly are priced out.

Then the way to do this is to simplify laws and their understanding. A company shouldn't need a large legal team just to figure out if they are doing something legal or not. It kinda sounds ridiculous when you think about it. That you have to hire a bunch of lawyers to figure out if you are a criminal or not. That clearly means things are too complex. I get that there are places this should apply to, but not small businesses and startups.

You can have regulation that is both easy to understand and effective. There is also letter and spirit of the law. We should never let the letter hinder the spirit.

[dahfizz]

I completely agree with you. The legal system is entirely out of reach for the average citizen, and this is something we should fix.

However, us wanting things to be a certain way doesn't change how things are. If Congress passed a "Data Protection Act" it would be indecipherable, full of technical illiteracy, and heavily influenced by the richest lobbyists (Facebook and Amazon, anyone?).

This is my objection. I would love for a real data protection act to be legislated. But Congress has its own agenda and ineptitudes. Do you really trust the people who wrote the Patriot act to protect your sensitive information?

[Spooky23]

That’s bullshit. The federal government is able to produce a lot of useful technical regulation and guidance.

Hell the whole infosec policy framework used everywhere is built off of NIST 800-53.

[r-w]

I’m pretty sure NIST has more engineers than politicians. The same cannot be said of Congress.

[Spooky23]

Congress would write a law with general objectives, and leave the regulatory work to an exec branch agency. The regulations generally either reference or draw inspiration from NIST.

HHS uses NIST stuff to guide HIPPA. IRS is more prescriptive, but everything in IRS 1075 is still based on NIST stuff.

You have to separate the political puffery from reality. The Federal government is very good at establishing effective regulatory frameworks. They fall down with the long-term maintenance of regulations, as it's often difficult to keep the legal mandate up to date.

[Legogris]

If you don't store any data you won't need any lawyers. You don't need to store a single byte of data on your users or customers to provide a service or software using that data.

[dahfizz]

> If you don't store any data you won't need any lawyers.

Wrong. HIPAA applies to any business that transmits and/or has access to PHI. You don't need to be storing data on your own hard drives to be subject to these laws.

This is exactly my point. You are thinking like an engineer, and Congress is not. You cannot assume anything. You need to hire a lawyer, or you are opening yourself up to serious liability.

[Legogris]

I worded that poorly. How about this: If you don't own, manage, solicit or control any servers having access to PHI or PII you don't have any risk of being liable.

Put all of that on the client, do your best to protect it but ultimately make it the clients responsibility.

I still haven't seen any lawsuits or regulation targeting software in that sense, apart from DRM.

[manigandham]

There is no distinction between client vs server when it comes to the law. The same organization created and operates both and is liable as a data processor in both situations.

This is again the difference between engineer vs policymaker.

[Legogris]

Do you have a source to back that up?

As far as I understand it, Microsoft has no responsibility for PIIs e-mails going through the Outlook e-mail client. Maybe the US is different, but at least in Europe, the GDPR is clear that software vendors have no responsibility in data being processed locally when it's deployed and run by others.

Oracle has no liability for the data stored in their database.

If you have no way of touching the data, your servers (self-managed or otherwise) aren't touching data in any form, you have no legal liabilities wrt data (apart from agreements of course).

Or am I missing something?

[aguyfromnb]

>The problem they point out is that well intentioned businesspeople who want to provide you a useful service and store your data correctly are priced out.

I think pricing out the odd well-intentioned business person is a good tradeoff for avoiding the "move-fast and break things" snake-oil salesmen.

>Said another way: regulation always adds cost and barriers to entry.

And saves money and harm when things go bad.