Posted by latexr 1 day ago
How many of you have received notices in the mail that your data has been leaked and the only restitution is a free year-long credit check? Then maybe a few years down the road you get $20 from a class action lawsuit.
Last year alone, both AT&T and my health care company were breached and all my data was leaked, including details of my personal medical history.
This kind of thing just can't continue. There has to be someone to set standards for how your personal and "private" information is stored or it won't be possible to know who is who going forward in the future. Even state DMVs have been breached.[1] Imagine a point in the future where identity theft has become so rampant that a US ID card or passport can't be trusted because anyone anywhere at any time can steal another person's identity with ease because everyone's data is out there and available for purchase through some black market.
It's a dystopian thought, but a lot of things from dystopian fiction that I only thought would continue to be fiction seem to be coming to pass on a regular basis these days.
[1] Account compromise leads to crash records data breach https://www.txdot.gov/about/newsroom/statewide/account-compr...
Totally agreed.
> There MUST be consequences for data breaches.
Even if you're following those rules and regulations? I think the general idea of malpractice applies here. People do their best, but you can't prevent every unknown. So as long as you're not a complete idiot or acting in bad faith, it's not your fault. Punishing people for a bad actor's actions wouldn't do anything but make it even harder to enter a market.
Preventing data breaches is a lost cause. For one, most everyone's PII is already on the net. Plugging that hole is like patching the Titanic. We're already sunk. What we need is a way to prevent identity theft. Possibly a way to help people more easily recover from it as well. The US has the FDIC in case a bank implodes. We need something like that, but for all my accounts when some guy in Russia takes out five mortgages on my property.
Or, we need to radically rethink PII. We're still using ink signatures on paper to sign for contracts for Pete's sake. I should have to cryptographically sign a house mortgage, not make some hand drawn glyph that nobody can read and anybody could fake. Of course, that comes with other problems such as Big Brother having more data about me, but this reply is long enough.
E.g., if the data breached was not critical to legal retention requirements, the penalty is more severe. (Ofc this assumes a good definition of what is critical for legal retention).
At the very least it would encourage companies to keep such data less or for shorter times to minimize damage.
If that is the case & the law(s) aren't being properly followed/enforced then you must speak up about it. Contact your representatives and let them know.
I understand it's easy to be complacent and be apathetic that nothing is being done, but that's how it goes in a representative democracy. At the end of the day, all we have is our voice.
The UK fined Clearview AI £7,552,800 in 2022, but they have not paid.
EU data protection authorities did not come up with a way to enforce its fines and bans against the US company, allowing Clearview AI to effectively dodge the law.
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs...
A shit company
This is laughable. You make it illegal for any EU company to do business with them, you imprison leadership as they arrive on EU soil, there's a hundred things you can do. Companies like these that simply ignore the law and seriously damage society need to be treated just like international drug trafficking rings. Never heard a "well they keep ignoring our fines and bans, oh my what do we do" when talking about those.
Why? Because they’ve got no systems in place for that. And to do something out of the ordinary that is hard would require someone with an incentive to do it. That does not fit the profile of your typical government employee. They don’t get paid for taking on difficult cases. They get paid for closing files, or, ideally, finding reasons for not even opening them in the first place.
Laws are like locks. The honest people pay attention to them. The criminals don’t. They look at the enforcement (or lack thereof).
I think that's the step that's being taken (or attempted at least) here.
It's in the article, Austria might issue a criminal warrant for the company executives.
Sure, if they don't want to follow British law, Britain has the right to reject Clearview from British markets, but that's about it. The British government does not have jurisdiction over American companies or American citizens outside of Britain's borders, in spite of what British Parliament seems to believe.
All the more when what Clearview has done is build an index of publicly available images, and associated URLs, derived from the freely-crawlable open web. Legal rulings in the US -- e.g., in Sorrell v. IMS Health -- consistently show that information aggregation and dissemination are treated as speech, so creating and distributing the Clearview index is protected expression under the First Amendment.
Also, Clearview is far from the only game in town. Lots of tech companies -- including some very large ones -- have facial recognition indexes. I suspect that Clearview is being made an example of, pour encourager les autres. But it seems a little bit exceptional, as though the law isn't being fairly or evenly applied.
So it's not just a normal American company in the American market, it wants to be an international company but without respecting international laws, and that's not going to end up well.
Is that decided based on where the public content is hosted, where it was created, or based on the individuals created it or are portrayed in it?
If companies have to follow that then in all likelihood every big tech company would have to follow every law in the world, virtually all of them scrape data from the public internet.
They've previously tried this domestically in every way possible under the purview of things like the MPA and the DMCA. The United States International Trade Commission went so far as to consider electronic transmissions to the U.S. as "articles" so that it could prevent the importation of digital files of counterfeit goods.
In the meantime, AI companies are forgetting when the shoe was on the other foot regarding Russian MP3 websites accessible from the US - with the US trade negotiators warning Russia that allowing AllOfMP3 to continue to operate would jeopardize Russia's entry into the World Trade Organization, and the US copyright lobby subsequently filing a $1.7 trillion lawsuit against them.
"AllofMP3 understands that several U.S. record label companies filed a lawsuit against Media Services in New York. This suit is unjustified as AllofMP3 does not operate in New York. Certainly the labels are free to file any suit they wish, despite knowing full well that AllofMP3 operates legally in Russia. In the meantime, AllofMP3 plans to continue to operate legally and comply with all Russian laws."
On May 20, 2008, the RIAA dropped all copyright infringement charges against AllOfMP3.com
This phrase does a lot of heavy lifting.
I have a small business for consulting and occasionally need to use hardware made in a foreign country to search online content created and hosted in another country.
I wouldn't expect buying that foreign hardware or searching foreign content would put me under the jurisdiction of laws from the various foreign countries involved.
In deciding whether a U.S. statute may be applied extraterritorially, courts look to two potential foundations for jurisdiction: first, the jurisdictional basis, “territoriality, nationality, passive personality, universality, or the protective principle”; and second, legislative intent. CFAA passes both these tests. This is clarified in U.S. Const. art. I, § 8s. 10, 3; art. VI, cl. 2. Cf. United States v. Baston, 818 F.3d 651, 666-67 (11th Cir. 2016) (“Congress’s power to enact extraterritorial laws is not limited to the Offenses Clause”).
i.e. the Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax, https://www.justice.gov/opa/pr/chinese-military-personnel-ch...
If you want a phrase that does a lot of heavy lifting, the specific computers in scope are defined under section 18 U.S.C. § 1030(e)(2) - "...including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States."
Similarly, in United States v. Neil Scott Kramer (2011) it was determined that ALL cell-phones represent computers in scope - "...the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform[s] arithmetic, logical, and storage functions."
My favourite, however, is the precedent set by Pulte Homes, Inc. v. Laborers' International Union (2011) - urging legitimate communications via official digital channels constitutes a DDOS and breach of the CFAA if the official channel cannot handle the subsequent spike in volume!
This travesty arose after Pulte fired an employee represented by the union and LIUNA urged members to call and send email to the company to express their dissatisfaction. As a result of the increased traffic, the company's email system crashed. The Sixth Circuit ruled that the LIUNA's instruction to call and email "intentionally caused damage".
Scraping people's personal photos and biometric information for shady agencies is not the same as scraping e-commerce prices, social media posts, or blog websites.
The intention is important. And respecting people's privacy and copyrights.
Hard disagree. They both violate people's privacy and copyrights.
Copyrights are a separate issue and one that LLM companies almost certainly violated.
in principle, yes
i mean… yes? it’s entirely normal for a company to be bound to the laws of jurisdiction it wants to open a store or restaurant in or whatever. why on earth would this be any different?
clearview knows for absolute certain they’ve been operating in the eu.
What? No it's not at all - that exact flow happens tens of millions of times per day every single day. Cloudflare handles a plurality of all global internet traffic and makes extensive use of a geographically distributed CDN.
They are if they trade in the UK (which ClearView does).
The actual answer is for governments to just say clearly "You obey our laws when operating here or you don't operate here".
Instead they faff around with fines that are largely priced into doing business that get negotiated down endlessly.
The alternative is we allow them to operate with no way to constrain them when they break our laws at all and at that point - what use is government regulation on anything related to data protection.
This is a threat to personal integrity and it doesn't really matter how the images were obtained. The threat to people exists despite the fact that they were on the public internet.
This is little different from, say, Russian hackers targeting Americans. Practically speaking there’s nothing to be done unless the perps enter American jurisdiction, but it’s entirely sensible to say that they violated US law and face penalties for it. It might be a little off to say that they’re “dodging” that law, but it’s close enough.
I know you're making a point about Ofcom censorship, and I agree, but we cannot set the precedent that "if you commit your crimes using a company in Delaware, they're not illegal." If you program your AI-drone to murder your enemies, that's fine as long as the control server is offshore?
Either laws in other countries matter in yours (regardless of how different they are from your own) or they don't.
Picking and choosing which country's laws you do or don't want to consider yourself bound to on moral grounds is not fundamentally very different from picking which of your own country's laws you do or don't want to consider yourself bound to on moral grounds.
if they do business in those jurisdictions, yes, of course.
if a new york cpa does business in ohio they need to be licensed in ohio and follow ohio laws. even if their firm and majority of work is based in new york.
i’m really surprised people find this confusing.
If I were ever to go to North Korea their government could of course arrest me for insulting Kim Jong Un. What they could not do, and absolutely should not be able to do, is have my local police in the US arrest me for doing the same at home. Yes, even if I do it on the internet where a citizen of North Korea might theoretically see, or make use of content I acquired over the internet that originated in that country.
Are these EU citizens operating/running businesses in the above countries?
Are they even inside the above countries?
How are you even comparing a company which operates in the EU to an EU citizen who is residing in the EU?
If a country wants to control what its citizens access it can put up its own firewall and deal with the backlash from its own citizens. Let's not help move towards per-country internets.