by chclt 1198 days ago
Well, that's the case for every crime.

And this one deserves (in my opinion) to be punished more harshly than other things which today are already punished (you mention selling drugs, which is way better morally). The amount of people damaged by this privacy infringement is quite high.


You think there are more victims from privacy infringement than victims from illegal drug trade? I’d like to see some data.
Any attempt to answer that would heavily depend on how a "victim" is defined in each case.

Are people who attempted to opt out of online tracking, but got tracked anyway[0] victims? That's probably less severe than this case where a company sold health information, but it's definitely illegal in the EU and likely at least a deceptive business practice in other jurisdictions.

Are people who buy drugs and harm themselves by overdosing or spending all their time intoxicated victims? If the person is an adult and the drug is alcohol, that's not even illegal most places.

Are victims of secondary crimes victims of the illegal drug trade, of drug prohibition itself, or simply of the secondary crime? One could easily make a case for any of those.

[0] https://www.theregister.com/2023/03/03/online_privacy_tracki...

One definition of victimhood could be how much a person has suffered as a result of the crime. I'd say if someone has lost their job because of the data leak, or had their identity stolen with actual serious financial consequences, they are a victim.

True, a lot of people are victims of their own stupid decisions. A society should still try to reduce the likelihood of the stupid decisions, especially when there are obvious bad actors actively trying to increase such likelihood.

But your approach requires us to wait for something bad to happen to someone else before forming an opinion. Why exactly should people whose privacy has been violated have to be sacrificed further before any value is assigned to their privacy? We can use retroactive data to estimate the downside risk.
Sure. What does the retroactive data say? If the data is bad then I agree - it should be punished accordingly.
When measuring a large scale crime like that of Cerebral, the number of victims is as important as the magnitude of the impact. There were 3.1 million victims. Stealing a dollar each from 3.1 million people would get the kind of law enforcement response that stealing $3.1M does even though the individual impact of that crime is virtually nil.
Stealing a dollar each from 3.1 million people would get the kind of law enforcement response that stealing $3.1M does even though the individual impact of that crime is virtually nil

That's an interesting question whether it's fair to treat it this way. I can see valid arguments on both sides.

The people affected by the drug trade are not affected by the act of selling drugs but by secondary crimes (which arise because selling drugs is illegal and vendors cannot take advantage of the legal framework).

Also the people affected by this incident alone number in the millions.

The harm of data loss is entirely the harm caused by secondary bad actors.

No one's life is directly injured because of a data leak. It's just data, it is entirely inert on its own. Their life is injured entirely because of what third parties do with that data.

If data leaked and there were no bad actors in the world, there would be zero harm.

How many people will die or have their lives destroyed because of this incident?
As a sibling comment to mine points out, people who "die or have their life destroyed" is simply one way to define victim in this context.

With mental health data being at stake here, the amount of victims under this definition could also very well be non-zero.

Anyway, there are a lot of crimes that don't produce those kinds of victims. If I mug someone and don't kill them or destroy their life in the process, have I not committed a crime?

The privacy infringement here is an obvious damage to the dignity of everyone affected. Wouldn't you feel victimized if I listened in on you speaking with your doctor, wrote everything down, stamped your name, address, and date of birth on it and started giving out copies of the resulting paper to random people? Which is exactly what's happening here, except my example is more harmless by a factor of a few million people and has a lot fewer data points.

Wouldn't you feel victimized if I listened in on you speaking with your doctor, wrote everything down, stamped your name, address, and date of birth on it and started giving out copies of the resulting paper to random people?

I would. I would also feel victimized if you mugged me (without killing me or hurting me physically). The question we are debating here is - should you be punished equally harshly in these two scenarios? I'm leaning towards "no". If you disagree I would like to understand your reasoning.

Scope of impact is important here.

A doctor who reveals some information on one of their patients should be treated less harshly than a mugger of one person.

A mugger who robs ten people should be treated more harshly than a mugger who robs one person.

A doctor/company who reveals thousands of patients' information can reasonably be treated more harshly than a mugger of ten people, because the absolute negative impact may be greater.