
Senate Introduces Strong Privacy Bill

samzenpus posted more than 7 years ago | from the protect-yourself-at-all-times dept.

Privacy 176

amigoro writes "US Senators introduced a bill that better protects the privacy of citizens' personal information in the face of data security breaches across the country. Key features of the bipartisan legislation include increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data."


176 comments


A little late isn't it? (3, Insightful)

AltGrendel (175092) | more than 7 years ago | (#17932940)

I thought that horse was already out of the barn.

Re:A little late isn't it? (5, Insightful)

mr_matticus (928346) | more than 7 years ago | (#17932960)

A few horses are out of the barn, but that doesn't mean someone shouldn't close the gate to keep the rest in.

A few horses are but OMG Ponies!!! (5, Informative)

Anonymous Coward | more than 7 years ago | (#17933152)

This doesn't do a lot for privacy. It still permits widespread snooping, selling of information by commercial entities, etc.

It does nothing for example to the recent FBI snooping case:
http://yro.slashdot.org/article.pl?sid=07/01/30/158227 [slashdot.org]

Where the FBI has been found to be capturing all of an ISP's traffic, then filtering as needed to match the warrants they had. (The argument for that is bogus: if the FBI can do the filtering, then the ISP could do the filtering. It's some sort of game to remove the 'minimization' requirement for search warrants.)

Nothing to stop logging of everything you do. Nothing to stop AOL or Google collecting search information, which as we found can be used to identify individuals:
http://news.com.com/2100-1030_3-6102793.html [com.com]

The gate isn't closed; they're proposing to partly close it. Better than nothing, but only a little better.

How about making it all like video tape rentals? (1)

Dr. Manhattan (29720) | more than 7 years ago | (#17934766)

We have the Video Privacy Protection Act [cornell.edu] which gives better protection than almost all other data except possibly medical data.

(Well, we had that. Note that, by the strict language of the law, I'm not sure it applies to DVDs, and the Patriot Act put in a double-wide back door that lets them get your video rental records as long as they pinky-swear they're somehow fighting terrorism.)

But why can't we set the bar that high for other data?

Re:A few horses are but OMG Ponies!!! (1)

Shadowlore (10860) | more than 7 years ago | (#17935422)

...not to mention I bet they follow tradition and exempt the government from abusing privacy, failing to publicly report breaches, etc..

Re:A little late isn't it? (1)

VirusEqualsVeryYes (981719) | more than 7 years ago | (#17933176)

That's very profound and all, but given their track record, more than likely they'll go back to bickering over abortion and global warming as the rest of the horses jump the fence.

Re:A little late isn't it? (1)

mr_matticus (928346) | more than 7 years ago | (#17933392)

Are you saying that the US government has jumped the shark?

Re:A little late isn't it? (1)

Captain Splendid (673276) | more than 7 years ago | (#17934306)

Are you saying that the US government has jumped the shark?

Yes, it has. [wonkette.com]

Re:A little late isn't it? (1)

UbuntuDupe (970646) | more than 7 years ago | (#17933724)

The problem is that closing the gate (passing the law) is most likely an excuse not to pursue the horses (spammers) that have already escaped (violated users' privacy), even though previously existing lassos (laws) are sufficient to capture (prosecute) them.

Close the gate, sure, but don't disband the posse that's going after the horses!

Re:A little late isn't it? (4, Funny)

mfh (56) | more than 7 years ago | (#17932982)

I thought that horse was already out of the barn.

I'm sorry to inform you, sir, that your horse had to be sent to the glue factory. Please sign here.

Re:A little late isn't it? (4, Insightful)

TheMeuge (645043) | more than 7 years ago | (#17933228)

I am just wondering when there will be a bipartisan legislative effort to institute mandatory minimums for violation of the constitution by congress or the executive.

Re:A little late isn't it? (1)

gEvil (beta) (945888) | more than 7 years ago | (#17933932)

I am just wondering when there will be a bipartisan legislative effort to institute mandatory minimums for violation of the constitution by congress or the executive.

Oh c'mon! Where are they 'funny' moderations when they're needed?

So does this mean... (0, Funny)

Anonymous Coward | more than 7 years ago | (#17932944)

... that you have to disclose each time a client's personal data is stored on/accessed from a computer running Windows?

wait a minute, I'm confused (1, Flamebait)

jimstapleton (999106) | more than 7 years ago | (#17932954)

Isn't this the Republicans' domain, increasing privacy?

Aren't the Democrats in power now in Congress? Didn't the opposite happen with the Reps?

When did hell freeze over, and why wasn't I informed?

I swear US politics is such a screwed up thing, and it just keeps getting worse.

Re:wait a minute, I'm confused (1)

mr_matticus (928346) | more than 7 years ago | (#17932986)

If by 'screwed up' you mean 'fluid and dynamic,' then yeah, I guess it is.

Look at it this way: would the Republicans ever punish big business for being inept?

Of course the Democrats would be the ones to put this bill on the table; they're not communists. Hell, most of them aren't even liberals, but they have no problem sticking it to corporate America when it suits them.

Re:wait a minute, I'm confused (1, Troll)

db32 (862117) | more than 7 years ago | (#17932996)

No no no, this is business as normal. Current "Republicans" are for increasing big business and Democrats for big government. Penalties against business for screwing the citizen are typically left off the Republican agenda these days. As a (mostly) Republican I am more upset that the "Republicans" in power right now really have nothing to do with what Republican ideals are supposed to be, and rather amused that the Democrats took so many seats by basically running on traditionally Republican ideals.

I am actually kind of curious how this will jive with earlier reports of government agencies paying data miners and thieves for personal information as part of the "OMFG everyone is a terrorist!" spying programs.

Re:wait a minute, I'm confused (1)

jimstapleton (999106) | more than 7 years ago | (#17933036)

But Republicans aren't just increasing big business, they are increasing big government too...

But I see your point, that does make it clearer. We still have a pretty screwed up government.

Re:wait a minute, I'm confused (2, Insightful)

db32 (862117) | more than 7 years ago | (#17933414)

Exactly, the current crop of Republicans are failing absolutely to hold to any kind of Republican values. True Republican values do not involve this twisted religious bent on things; they advocate personal responsibility, no nanny state crap, no blame society crap. You screwed up making yourself poor by signing a 20% interest rate payday loan and rent-to-own contracts to live above your means... not my problem to bail your ass out. (Now the fact is, most of the poor are poor by choice doing stupid crap like this and it's a failure of the education system not teaching financial responsibility; the gap between rich and poor wouldn't be growing nearly as fast and eliminating the middle class if everyone didn't buy all their wizbang-gottahavits on credit... when it was normal to save for years for a house/car/stuff the gap was much smaller and the middle class was much larger.)

Additionally, traditional Republican values want lowered taxes (the current crop pay lip service to this with tax cuts), but the financial responsibility part of low taxes involves less spending. Leaving the war out since that is a twisted mess of a wreck to begin with, we can see the bloat in HomeSec, TSA, and other such nonsense. Our state sponsored paranoia is costing us billions. Ironically the current Republicans bitch about how we are all doomed because the Democrats will break the bank on social programs, but as much as I disagree with most of those programs (ain't the government's problem, and sure as shit ain't mine; why should I have to pay taxes because some fat bastard needs a quadruple bypass that he can't afford because he eats McDonalds 18 times a day) at least they have more of a positive impact on society as a whole vs x-ray scans, anal probings and other such nonsense every time I go through an airport.

All in all the traditional Republican is more concerned about making the people take care of themselves instead of the government doing everything. This includes healthcare, legislating morality, church and state issues, the whole nine; ideally these are handled outside of the government and outside of the federal budgets. This also includes not being Team America World Police. I can't figure out if I got modded as flamebait for making a joke about Republicans protecting big business or for saying that I am mostly Republican (I am guessing the latter since this is /.)

Re:wait a minute, I'm confused (2, Informative)

jimstapleton (999106) | more than 7 years ago | (#17933494)

A bit of a side track, but not everyone who is poor is there because they were lazy or irresponsible. I'll grant you, there are plenty as bad or worse than you described, but there's plenty who have just had "hard luck".

I'm all for 'working to earn your keep', but there are plenty of rich people who didn't earn their riches, and plenty of poor people who had been responsible, did more than their fair share, and just ran into bad luck.

Re:wait a minute, I'm confused (1)

db32 (862117) | more than 7 years ago | (#17934932)

Well to be honest, it boils down to the whole make lemonade thing. A great number of filthy rich folks spent some years living out of the back of their van eating day old donuts from dumpsters. Now there certainly are some people who really just did get the short end of the stick, but generally speaking here in America there really is more than enough opportunity to get yourself out... it's just a matter of how much effort it will take. Now I also support the inheritance tax because that right wing "the farmers will lose farms" shit is a load of horse crap and they have been unable to produce one single example of a family actually losing their land; however, hundreds to thousands of examples exist of rich overprivileged spoiled brats never working a day in their life because they get to inherit billions and not lose a cent.

That's a myth. (1)

FatSean (18753) | more than 7 years ago | (#17935362)

The myth that the common man can become 'rich' in the United States is just that...a myth. It happens extremely rarely, and most people who are rich now came from rich parents.

Re:wait a minute, I'm confused (0)

Anonymous Coward | more than 7 years ago | (#17933636)

So in other words you are totally in favor of vastly increasing school budgets and college scholarships to correct the mistakes of the educational system, as well as helping out those people who are already screwed because education failed them? Yes, increase spending! (Just be sure that you have the money: i.e. you're going to need more taxes)

As for said fat bastard who needs a quadruple bypass, I'm sure he can sue McDonalds for the money instead of using tax money. Clearly a good thing.

As for flamebait it was probably more the tone of your post. You came off as contrary and sarcastic, and insulted both republicans (as they stand now) and Democrats (as they were 10 years ago). Saying you're a republican is probably worth a -1 pretty fast, but I find that usually (especially if you are in the first few posts) that'll quickly be over-ridden by positive mods if you have anything constructive to say. Next time just say "I'll probably get modded down for this" or "I have karma to burn, so..." to be sure you end up with positive mods.

I like the idea of a stupidity tax, don't get me wrong, and I hate paying peoples' way in the world because they make stupid mistakes, but sometimes the only way a person can get a place to live at all is to agree to the insane interest rates of loan sharks. If no bank will give you money because you don't have a job or that job doesn't pay enough... you still need a place to live.

Re:wait a minute, I'm confused (2, Insightful)

WhiplashII (542766) | more than 7 years ago | (#17935512)

when it was normal to save for years for a house/car/stuff the gap was much smaller and the middle class was much larger

I wonder how much advertising/marketing had to do with this. After all, marketing has changed from "explaining how you fill a need" to "create a need and then fill it". Should marketing to certain segments have government oversight?

(I'd say no - any government oversight is bad oversight by definition, but as you say the problem is education - and these people are getting their education from marketing departments...)

Re:wait a minute, I'm confused (1)

aborchers (471342) | more than 7 years ago | (#17935672)

"the poor are poor by choice doing stupid crap like this and its a failure of the education system not teaching financial responsibility"

Huh? Is it the poor's fault or the educational system's fault?

How is the parent post flamebait? (1)

Travoltus (110240) | more than 7 years ago | (#17933790)

Unbelievable.

Re:How is the parent post flamebait? (1)

db32 (862117) | more than 7 years ago | (#17934970)

Apparently because I mentioned Republicans in a positive way and then "insulted" Democrats by insinuating they have anything in common with Republican values. Left wingers have just as many blind extremists as Right wingers. Just leaves everyone willing to leave the emotional insanity behind and try and think through problems out in the cold. Tons of logical solutions to all our problems, they just get drowned out with irrational emotional cries from both sides.

Re:wait a minute, I'm confused (1, Insightful)

SwedishPenguin (1035756) | more than 7 years ago | (#17933040)

Where have you been for the past few years? Republicans are very much in favor of invasion of privacy.
This is the party in favor of extending the invasions of privacy in the "Patriot Act" and that refused to even consider launching an investigation into Bush's warrantless wiretapping.

Re:wait a minute, I'm confused (1)

jimstapleton (999106) | more than 7 years ago | (#17933082)

"Didn't the opposite happen with the Reps?" I believe I said.

I had the last couple years covered, if not explicitly.

Re:wait a minute, I'm confused (5, Insightful)

gbulmash (688770) | more than 7 years ago | (#17933068)

Isn't this the Republicans domain, increasing privacy?

Are you being sarcastic?

The Republicans have always positioned themselves as champions of law and order, and their favorite tool for it is intelligence gathering. Things like the Patriot Act as well as the warrantless wiretapping controversy just prove that out.

Both parties like to pick and choose which civil liberties they defend and which ones they attack in the name of fighting crime. While the Republicans are big on intelligence gathering at the expense of our right to privacy, the Democrats are big on gun control at the expense of our right to bear arms.

Re:wait a minute, I'm confused (1, Interesting)

db32 (862117) | more than 7 years ago | (#17933508)

Republicans these days favor the Big Brother spy on everyone method to law and order

Democrats these days favor the Nanny state censor everything method to law and order

The people these days favor whatever party makes them most scared of the consequences of disagreeing

We see a huge swing right with "Fear the boogey man!" and now that we have seen the consequences we are swinging left we are back to "Hell no we won't go!". Whole nation of extremists.

Fix it the right way (5, Insightful)

Anonymous Coward | more than 7 years ago | (#17932958)

Why isn't it fixed the right way? If the use of Social Security numbers by non-government agencies was ended then much of this would fix itself. Each company would likely pick a different number/id for each individual and it would partition the information. Then, stealing a single number wouldn't give you access to an entire individual.

Re:Fix it the right way (1)

jimstapleton (999106) | more than 7 years ago | (#17933058)

I don't think people would go for that. Most people wouldn't want a different number for:

1) Their "normal" bank
2) Their mortgage lender
3) Each of their credit cards (if they have any)
4) Their employer
5) Their school/university
6) The credit report companies(?)

And the credit report companies wouldn't want that confusion either, nor would the government. It'd be too confusing to figure things out. In the latter case, it'd make tax avoidance much easier, and probably make the IRS even bigger, as if it wasn't overstuffed as it is.

Re:Fix it the right way (3, Insightful)

Silver Sloth (770927) | more than 7 years ago | (#17933146)

Err... We Brits have exactly that. If you hack one of my bank accounts you haven't hacked them all. There is no reason for any one of my credit cards to know, or have anything in common with, any of my other credit cards. It works fine for us, we're not confused, credit report agencies work as well here as they do anywhere, and tax avoidance isn't a particular problem.

I am not a number, I am a free man!

And long may it remain that way.

Re:Fix it the right way (-1, Troll)

tomstdenis (446163) | more than 7 years ago | (#17933184)

You're not free, you don't even have a constitution in which said freedoms would be granted.

You're a royal subject, property of her Majesty the Queen of England.

sucker.

Re:Fix it the right way (1)

Silver Sloth (770927) | more than 7 years ago | (#17933648)

You'll lose your geek credentials if you don't recognise the quote!

Re:Fix it the right way (1)

digitig (1056110) | more than 7 years ago | (#17934092)

You're not free, you don't even have a constitution in which said freedoms would be granted.

The constitution is not an issue; there are lots of other things our government can ignore instead.

In our case, said freedom is granted by virtue of the UK being a party to the International Covenant on Economic, Social and Cultural Rights, the International Covenant on Civil and Political Rights, and various other treaties deriving from the Universal Declaration of Human Rights. As the Perl man page says, "There's more than one way to do it".

You're a royal subject, property of her Majesty the Queen of England.

A royal subject yes. Although ISTR a test case a few years ago that determined minors to be the property of the House of Lords, I don't think the Queen's ownership of her subjects has ever been tested (or even asserted) in law.

Re:Fix it the right way (1)

Ihlosi (895663) | more than 7 years ago | (#17933158)

I don't think people would go for that. Most people wouldn't want a different number for:

It's a perfectly workable approach in much of the civilized world. It's just that the US doesn't really care about that.

Re:Fix it the right way (1)

Slithe (894946) | more than 7 years ago | (#17933434)

I thought we had different numbers for different systems. My bank account number is not the same as my credit card number (regular or medical), and both my SSN and my School ID are different as well.

Re:Fix it the right way (1)

trianglman (1024223) | more than 7 years ago | (#17935242)

Actually, in America, we already have that too. I have a bank account number, a mortgage account, credit card numbers, a number my employer uses, when I was in school I had a student ID, etc. The thing is, here in America, there is also this other number that gives a person just as much access to all of this information. If that were removed then, as the GP says, we wouldn't have nearly the issue we do today.

Re:Fix it the right way (4, Insightful)

mwilliamson (672411) | more than 7 years ago | (#17933090)

The SSN should only be considered a gov't assigned userid. The government should now issue everyone in the USA a password and provide a government sponsored pluggable authentication system anyone could use for their company. Those using this system to authenticate customers would fund it. Password reset would be available at SSN offices only with verified photo ID. Let's end this bullshit once and for all and empower the end user to protect their identity credentials via at least a password, maybe even an RSA dongle.

Re:Fix it the right way (1)

Dachannien (617929) | more than 7 years ago | (#17933260)

That isn't the solution either. Instead, credit-issuing agencies should be required to verify requests for credit lines before approving them.

Re:Fix it the right way (5, Insightful)

nasor (690345) | more than 7 years ago | (#17933948)

A much better solution would be for companies to simply stop pretending that knowing a social security number somehow magically proves that you are who you claim to be.

Re:Fix it the right way (1)

Cyberax (705495) | more than 7 years ago | (#17934254)

Have you TRIED to do this? I'm working on a project which uses SSNs as user identifiers in automatic biometric door locks. We know that it is way too insecure, but there's no other good way (no, we can't use smart cards for access control).

Users are either too stupid to use something else or just plainly REFUSE something different from SSN. We tried to use phone numbers as IDs, and we still get tons of support calls from users who change their phone number and expect our system to magically pick up this change. Yes, people are that stupid.

The entire SSN system is a hack.

SSNs should be public info, not closely guarded secrets. It's quite a good identifier but SUCKS as an authenticator. Something like government-issued smart cards would be MUCH better.

Re:Fix it the right way (1)

trianglman (1024223) | more than 7 years ago | (#17935324)

Why are you using SSNs and biometrics? You already have all the identifier you need in the biometrics. If you need to give the users something else to identify themselves with, let them set a password or issue a unique ID of your own. Using something like an SSN that can be used for any number of other things is a privacy issue that needs to be stopped dead, now. Unless you are trying to keep track of every single taxpayer in America, there is no reason to use the number that was created just for that purpose.

Re:Fix it the right way (1)

Cyberax (705495) | more than 7 years ago | (#17935442)

Biometric data from cheap devices can be used only for authentication. I.e. to confirm that a user with ID 12435478 is really the user with ID 12435478.

And people just can't (or don't care to) remember anything other than their SSN. We allow them to use any identifier in place of SSN if they wish but most people just don't care.
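The split argued for above, by mwilliamson (SSN as a government-assigned userid plus a separate password, with resets only against verified photo ID) and by nasor and Cyberax (SSN is a fine identifier but a terrible authenticator), is easy to show in code. The following is an added example, not code from the thread or from any poster's project; the in-memory directory, the PBKDF2 parameters, the photo-ID flag standing in for an in-person check, and the sample SSN and passwords are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed toy directory keyed by a public identifier (SSN-shaped here, but
# any non-secret lookup key would do). The identifier says WHICH record to look
# at; only the separately stored secret proves the caller owns that record.
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demo


@dataclass
class Account:
    public_id: str        # identifier: may appear on forms, in logs, on mail
    salt: bytes           # per-account random salt
    password_hash: bytes  # authenticator: derived from the secret, never the raw secret


_directory: Dict[str, Account] = {}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enroll(public_id: str, password: str) -> Account:
    salt = os.urandom(16)
    acct = Account(public_id, salt, _derive(password, salt))
    _directory[public_id] = acct
    return acct


def lookup(public_id: str) -> Optional[Account]:
    # Identification: anyone who knows the identifier can find the record...
    return _directory.get(public_id)


def authenticate(public_id: str, password: str) -> bool:
    # ...but authentication needs the secret the identifier does not carry.
    acct = lookup(public_id)
    if acct is None:
        # Run the KDF anyway so an unknown id costs as much as a wrong password.
        _derive(password, os.urandom(16))
        return False
    return hmac.compare_digest(acct.password_hash, _derive(password, acct.salt))


def reset_password(public_id: str, new_password: str, photo_id_verified: bool) -> bool:
    # Out-of-band reset path modelled on mwilliamson's "only at SSN offices with
    # verified photo ID". The flag is a stand-in for that in-person check; the
    # identifier alone must never be enough to rotate the secret.
    if not photo_id_verified:
        return False
    acct = lookup(public_id)
    if acct is None:
        return False
    acct.salt = os.urandom(16)
    acct.password_hash = _derive(new_password, acct.salt)
    return True


def demo() -> Dict[str, bool]:
    """Walk through the identifier/authenticator distinction on a constructed account."""
    _directory.clear()
    enroll("123-45-6789", "correct horse battery staple")  # constructed sample
    return {
        "id_alone_identifies": lookup("123-45-6789") is not None,
        "id_alone_authenticates": authenticate("123-45-6789", "123-45-6789"),
        "secret_authenticates": authenticate("123-45-6789", "correct horse battery staple"),
        "reset_without_photo_id": reset_password("123-45-6789", "x", photo_id_verified=False),
        "reset_with_photo_id": reset_password("123-45-6789", "new pass", photo_id_verified=True),
        "old_secret_after_reset": authenticate("123-45-6789", "correct horse battery staple"),
        "new_secret_after_reset": authenticate("123-45-6789", "new pass"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the demo is the second line of its output: presenting the identifier as if it were the secret fails, which is exactly the property a bare SSN check lacks. Leaking the directory's identifiers then costs the leaking party an enumeration of who has an account, not the ability to act as any of them.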

Won't Stop Hackers, Might Scare Hackees (5, Interesting)

gbulmash (688770) | more than 7 years ago | (#17932966)

I think the more important aspect is the increased penalties for willfully concealing a security breach. Increasing criminal penalties is of varying value. One of the reasons criminals commit crimes is because they think they won't get caught, so whether they risk 2 years in jail or 4 isn't going to matter that much to them.

But increasing penalties for willfully covering up a data breach may have more effect. As we've seen, bigger breaches cannot be kept secret for long. There are too many ways for them to be ferreted out. Furthermore, the people who would be in a position to conceal a data breach are often people who are more afraid of jail than those who willfully commit crimes like identity theft.

Of course, what I'd really like to see is a death penalty for spammers.

- Greg

Re:Won't Stop Hackers, Might Scare Hackees (1)

tehtest (995812) | more than 7 years ago | (#17933362)

This is a law with good intent targeted at the wrong area. There should be consequences for people, companies, and organizations who keep databases of personal information without properly securing said information. This information should:

- NEVER be housed on a laptop or any other portable media; there is no need.
- NEVER be without sufficient encryption, symmetric 256.

These two steps alone would limit the majority of recent personal information exposure incidents. People who expose this information to security risks should be held accountable. Only then will we see a dramatic decrease of these exposures.

Re:Won't Stop Hackers, Might Scare Hackees (1)

kabocox (199019) | more than 7 years ago | (#17933462)

Of course, what I'd really like to see is a death penalty for spammers.

Them, folks? Nah, those that practise ID theft yes. Spammers are just annoying. Those that do ID theft or forgery ruin living lives.

So what are the implications (3, Insightful)

o'reor (581921) | more than 7 years ago | (#17932968)

concerning whistleblowers who want to draw attention to possible security breaches inside a company, and who've been hit hard both by corporations and justice every time it has happened so far?

if you do it legally then I don't see an issue (1)

Shivetya (243324) | more than 7 years ago | (#17933420)

Where has someone legally revealed a problem such as what this law will address and been mistreated by the courts? It's one thing to make people worried, it's a whole 'nuther thing to back it up.

In other words, I get so tired of this "implied knowledge" that people have getting rated insightful when all they are doing is hearsay. Give us links so your accusation has basis.

I hope the secondary effects ... (3, Interesting)

Ihlosi (895663) | more than 7 years ago | (#17932970)

... are better than what is in the actual legislation.

Key features of the bipartisan legislation include increasing criminal penalties for identity theft involving electronic personal data and ...

Great. Increase the penalties. That's not really going to deter the criminals; they operate on the thought that they don't get caught.

... making it a crime to intentionally or willfully conceal a security breach involving personal data.

Also great. How about prohibiting the collection and storage of data that is not necessary for business transactions in the first place?

One can just hope that companies will think a little more about what and how much data they collect and store.

Re:I hope the secondary effects ... (1)

k1e0x (1040314) | more than 7 years ago | (#17933552)

Yeah, I don't think this is in the government's power to fix; it's like CAN-SPAM.. all they can do is send more people to jail, it won't stop spam.

We need to look to the industry to fix this.. have them design better databases and start asking .. why do we need people's SSNs again?

Exceptions? (0)

Anonymous Coward | more than 7 years ago | (#17932972)

I wonder which groups are going to get their lobbyists to get an exception/exclusion/whatever for them?

My first choice is the banks and the credit card companies. They get anything they want!

Also, how about a bill that would stop colleges and universities from using our SSN as an ID number!! When I went back to grad school a few years ago, I was shocked at the lax security at the bursar's office! Through a thick plate glass window, the clerk needed the student to yell his name, DOB, and SSN. WTF!!!!!! All an identity thief had to do was stand and take notes or record!

Re:Exceptions? (1)

DrSkwid (118965) | more than 7 years ago | (#17933412)

this glass was clear ?

how about writing it down & holding it up

Re:Exceptions? (0)

Anonymous Coward | more than 7 years ago | (#17933658)

this glass was clear ?

No, it was black glass, so it was opaque.

how about writing it down & holding it up

Sure, because things that appear to be obvious, are not; and things that are not obvious, are.

Ever get into a contract dispute? Things that you thought were obvious, were not to the other party. And the same goes for the other way, too.

Also, what is the sound of one hand clapping?

Would not pass. (4, Insightful)

EveryNickIsTaken (1054794) | more than 7 years ago | (#17932974)

The bill would increase oversight of government programs to collect personal information on citizens. I wouldn't expect this bill to move anywhere right now, with the 2008 presidential candidates starting to gear up. Nobody wants to vote for a bill that would "Let the terrorists win."

Re:Would not pass. (1)

DaMattster (977781) | more than 7 years ago | (#17933062)

I strongly disagree. I think this bill will pass and that is just what Bush does not want to happen. This bill probably has more support than you would think in the democratic majority; especially because there was considerable outrage in the democratic community at the warrantless searches and domestic spying programs. I think this will turn out to be a political move to provide some checks and balances. Finally, in addition, there should be some move to reaffirm the existing laws and begin enforcing them with real, tangible penalties for their violations.

Make It Cost Prohibitive To Store Too Much PD (5, Interesting)

Anonymous Coward | more than 7 years ago | (#17932984)

A fundamental personal privacy/personal data concept that should be the basis of all laws governing how businesses and governments handle and are responsible for personal data: liability for PD loss/leakage is directly proportional to the amount of PD per individual.

For example, your company leaks:

1) Addresses
2) SSN
3) Email addresses

That will give you three times the liability of a company that leaks:

1) Address

Make it financially worthwhile for companies to store the absolute minimum PD necessary to operate their business and to create the incentive to delete all unnecessary data at the earliest opportunity.

With storage so cheap and the liability for companies or governments essentially divorced from the actual damage done by personal privacy breaches, there is absolutely no reason for any company not to store every bit of PD about you on their (insecure) systems.

Re:Make It Cost Prohibitive To Store Too Much PD (1)

jimstapleton (999106) | more than 7 years ago | (#17933128)

why not add the following as well:

No personal information may be stored on a computer accessible to an external network except:

1) For up to 24 hours after receiving the information.
2) For up to 24 hours after the information is needed in a business transaction.
3) For no more than 72 consecutive hours for any reason.
4) For no more than 1 in 3 hours over any given timeframe of 216 hours or larger, except where initiated by the person whom the data describes.

And
5) No personal data can be taken outside of the secured data storage facility except via protected mechanisms for secure backup purposes (and the backups must be in a similarly secure facility). I.e. Joe Schmoe can take the data home on his laptop.

Violations of #1 and #2 would have heavy but standard fines.
Violations of 3 would have double the normal fines
Violations of 4 and 5 would have triple the normal fines and

Re:Make It Cost Prohibitive To Store Too Much PD (0)

Anonymous Coward | more than 7 years ago | (#17933524)

"1) Addresses
2) SSN
3) Email addresses"

Yes, there should be a standard breakdown of liability for the complete array of personal data that can be stored so that company accountants can easily do these types of sums:

1 million customer database
Each record has:
A) Street address
B) SSN
C) Phone number

So total company liability for that particular database is:

1 million * (liability cost for A + liability cost for B + liability cost for C) = X millions of dollars for example

And have the CFO go apeshit and start demanding to know if the company really NEEDS to store every customer's SSN, for example.

Better yet... just levy a tax (0)

Anonymous Coward | more than 7 years ago | (#17934014)

Since the Democrats are now in control of Congress, they ought to just simply do what Democrats do naturally.... create a new tax. Let them levy an "intellectual property tax" on businesses' gathering and storing of large volumes of individuals' personal data.

Damned if you do, damned if you don't (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17932990)

So what is it? Store everything to protect the children and hand it over to the ex-wife when she sues, or protect the privacy of your customers by not storing personal data?

Enforcement, not new laws (5, Insightful)

imag0 (605684) | more than 7 years ago | (#17932998)

I happen to deal with a lot of regulated information (PHI with HIPAA, PCI in some environments as well). One thing that always astonishes me is not that security breaches happen (we're human, things happen), but that there are little to no reported repercussions from those losses.

It's one thing to have a security breach, but it's another one just to announce it, issue new cards to everyone and keep on working like nothing happened.

I think the best thing would be for the gov to step up to the plate and actually *enforce* the current laws, and not spend our time and taxpayer money to create a new raft of laws that will end up never getting enforced in the first place.

Cheers,

imag0

Boycotts (Re:Enforcement, not new laws) (0)

Anonymous Coward | more than 7 years ago | (#17933450)

There's a better tool available: Boycott the companies that are leaky. Laws are not as good an enforcement tool as money is. Once they and their competitors see they will lose future business, things will change. So keep publicizing the names of firms, their sponsoring banks, the companies who audit their books, and the number of accounts compromised, and other details here so we can make informed choices.

Re:Boycotts (Re:Enforcement, not new laws) (1)

Ihlosi (895663) | more than 7 years ago | (#17933772)

There's a better tool available: Boycott the companies that are leaky.

You forget that that would need informed, intelligent and concerned customers, instead of just "consumers".

Re:Boycotts (Re:Enforcement, not new laws) (1)

AusIV (950840) | more than 7 years ago | (#17934340)

There's a better tool available: Boycott the companies that are leaky

Please define "leaky". I got a letter from my bank a few weeks ago saying that someone somewhere had leaked my debit card number, and that I would be receiving a new one within a few days. I don't know where the fault lies - most likely it was a vendor where I had used my card that had some kind of security breach - but my bank took care of the issue quickly, so aside from the 2 minute hassle of activating a new card, there wasn't really any problem. My guess is that the vendor realized the error, and called Visa or my bank and gave them a list of cards that may have been compromised. If the bank were going to tell customers exactly which company had compromised my card, the vendor would be less forthcoming - maybe nothing bad would happen and they'd get off without damaging their reputation. Frankly, I'd rather have them contact my bank and be able to maintain a cloak of privacy than risk having my debit card compromised because they didn't want bad advertising.

Just an empty gesture (3, Insightful)

140Mandak262Jamuna (970587) | more than 7 years ago | (#17933024)

Nothing will come out of the Senate to increase privacy. Remember the CAN-SPAM act and how it stamped out all the spam emails? This bill will protect privacy exactly the same way. If you think this bill will improve privacy, contact me. I have 22 million dollars stuck in a bank in Nigeria. Help me get it out and I will give you 33% of it. Please don't be greedy and steal all that 22 million dollars from me. OK?

Fair Enough (1)

TheVelvetFlamebait (986083) | more than 7 years ago | (#17933166)

So what would it take for the senate to impress you on the privacy front?

Re:Just an empty gesture (1)

AlHunt (982887) | more than 7 years ago | (#17933268)

Nothing will come out of Senate to increase privacy

No kidding. How the hell does Congress reconcile playing at protecting "privacy" on the one hand while at the same time doing this: ISP Tracking Legislation Hits the House [slashdot.org] ?
I know, I know - Congress wants us to be protected from everyone but Congress. These people are almost collectively bipolar.

Re:Just an empty gesture (1)

trianglman (1024223) | more than 7 years ago | (#17935690)

I agree that asking the government to protect my privacy is like asking a thief to guard my jewelry. However, arguing against it because it won't be completely enforced and won't completely stop the issue is intellectually dishonest.

The first problem is that Congress itself has no enforcement capabilities. Those duties fall completely under the executive branch. If this law, or CAN-SPAM, or any number of other laws aren't well enforced, it isn't the fault of the law itself but of those enforcing it.

Second, CAN-SPAM was a poorly worded law that created more loopholes than it closed. Now, I haven't read the full text of this law, but from the provisions I have read about so far, it seems to have some good premises. The final document (plus any of the random signing statements that POTUS will probably add) will doubtless be different. But we can make that argument when the final version of the law comes up between the Senate and House. Until then, support decent legislation when you see it.

Presumably... (0)

Anonymous Coward | more than 7 years ago | (#17933030)

it protects it from everyone but governmental agencies? Cause these days they can pretty much do whatever the fuck they like, right?

Hello mr senators... (0, Troll)

jonwil (467024) | more than 7 years ago | (#17933110)

This is a bill from the BIAA (Banking Industry Association Of America).
If you drop support for this privacy bill thingo, we will make sure there is a "bank error in your favor"...

Request to Slashdot... (0)

Anonymous Coward | more than 7 years ago | (#17933378)

stop giving mod points to anyone with "senate.gov" or a "House.gov" domain address.

They have a problem with their campaign funding sources being leaked.

What a wash... (2, Insightful)

flajann (658201) | more than 7 years ago | (#17933134)

While I respect Patrick Leahy and what he's generally been doing for privacy and rights of speech in the past, I consider it a wash to think that a bill will "protect" our security.

Raising criminal penalties for those committing the breaches will not prevent them from happening (duh). Also, if the breacher is not within the jurisdiction of the US, it's pointless in any case.

It will give a false sense of security without addressing the real problems and issues regarding data security. The real issue is that our information is not secure, period. It is also an issue that creating really secure systems is a hard thing to do. But more important, "security" many times is an afterthought or has not been well thought through.

Any database on a machine connected to the Internet is a big security issue, right up front and center. And even if the database is not connected to the Internet, the weakness still lies with the employees and bureaucrats themselves and their approach to security.

Encryption of the data can solve many of these problems. It doesn't totally eliminate them, of course, but it can at least put another roadblock in the way of breachers. A public key approach, for instance, where the data is encrypted with one key before it hits the hard drive, but decrypted with another key only at the client computer requesting the information, would go a long way to making breached data virtually useless. I used this approach in one system containing sensitive credit card information, and it worked quite well.

Ultimately, it is not bills and laws that will protect us, but well considered security policy and practices that will. And really, I'd actually like to see some penalties for those who are lax on the security front. We know that breaches will still occur even with the best laid plans of mice and men. Holding the implementors of these systems at least partially responsible, at least if it can be shown they were not diligent, would do much more to protect our privacy than some idle threat to lock the breacher away!
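The public key approach described in the comment above, as an added example that is not the commenter's own code: the storage side holds only an RSA public key and wraps a fresh per-record AES-GCM data key with it, so a copy of the database (or of the storage server) yields only ciphertext, while the client holding the private key can unwrap and read the record. The record layout, function names and the test card number are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedRecord is all the storage side ever keeps for one sensitive field:
// a data key wrapped to the client's public key, plus AES-GCM output.
// There is no plaintext field, so a dumped table carries none.
type SealedRecord struct {
	WrappedKey []byte // per-record AES-256 key, RSA-OAEP encrypted
	Nonce      []byte // GCM nonce, unique per record
	Ciphertext []byte // GCM ciphertext including the authentication tag
}

// Seal runs on the storage side with the public key only. A fresh data key
// per record means one record's key never unlocks another.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*SealedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the data key; only the private key holder can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedRecord{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the client side, the only place the private key exists.
// GCM authentication makes any tampering with the stored bytes fail here.
func Open(priv *rsa.PrivateKey, rec *SealedRecord) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

// LeaksPlaintext models what a breach of the storage side would expose:
// it reports whether the stored bytes contain the secret in the clear.
func LeaksPlaintext(rec *SealedRecord, secret []byte) bool {
	return bytes.Contains(rec.Ciphertext, secret) || bytes.Contains(rec.WrappedKey, secret)
}

func main() {
	// The private key is generated and kept on the client; the storage
	// side would be provisioned with priv.PublicKey only.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	card := []byte("4111111111111111") // constructed test number, not a real account
	rec, err := Seal(&priv.PublicKey, card)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in stored record:", LeaksPlaintext(rec, card))
	got, err := Open(priv, rec)
	fmt.Println("client recovered:", string(got), "err:", err)
}
```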

It's not strong, esp. compared to Europe (2, Insightful)

Nicolas MONNET (4727) | more than 7 years ago | (#17933354)

It's extremely weak.

In Europe, basically, your personal information belongs to you. No one (with obvious *limited* exceptions for law enforcement and tax collection) can keep information about you without your knowledge & consent. You have a right to have your record erased / corrected. Infringers face jail time.

Re:It's not strong, esp. compared to Europe (1)

nbannerman (974715) | more than 7 years ago | (#17933440)

Normally, I'd agree.

But given that most airlines (at least those in the UK) are freely dishing out our personal information to the US whenever we travel there, does this statement really hold true anymore?

Re:It's not strong, esp. compared to Europe (1)

Slithe (894946) | more than 7 years ago | (#17933620)

Are you sure about that?

Key features of the bipartisan legislation include increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data, giving individuals access to, and the opportunity to correct, any personal information held by commercial data brokers, requiring entities that maintain personal data to establish internal policies that protect the personal data of Americans, requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data and requiring the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements.
That sounds pretty strong to me.

Re:It's not strong, esp. compared to Europe (1)

Ihlosi (895663) | more than 7 years ago | (#17933720)

Are you sure about that?

Yes. Positive. *nod*

That sounds pretty strong to me.

That's because you've not seen really strong privacy laws yet.

"You may not keep personal information except if required for legitimate business transactions, and then only as long as the transaction requires."

"You may not share personal information with anyone unless the person in question gives you permission to do so."

"You must report, and delete, any personal information you keep if the person requests it."

_That's_ strong.

Re:It's not strong, esp. compared to Europe (0)

Anonymous Coward | more than 7 years ago | (#17933880)

It's strong on paper, but due to an almost total lack of repercussions and a total lack of enforcement, data protection in Europe is just a bunch of feel-good laws and associated jobs for politicians who only preach to the choir every once in a while. Just one example: Airlines hand over personal passenger data to the US and that practice has been found to be against the law in Germany. Not only are there no punishments, the airlines continue to break the law without restraint.

In a nutshell: If the cat's out of the bag, no data protection law is going to put it back in, anywhere. Data protection starts and ends with the owner of the data.

Re:It's not strong, esp. compared to Europe (1)

Ihlosi (895663) | more than 7 years ago | (#17933962)

Airlines hand over personal passenger data to the US and that practice has been found to be against the law in Germany.

I guess this has more to do with the magnitude of the bullying power of the US than with the law being weak.

_REALLY_ hold companies accountable (1)

for_usenet (550217) | more than 7 years ago | (#17933400)

What I'd love to see, if it isn't already in the bill (and I didn't see confirmation of anything like that in the bill from the article), would be to have companies and institutions that lose consumer data pay for something like 1-3 years of credit monitoring ....

Personal data is too cheap and easy to collect and warehouse these days, and hence, easy to steal in huge chunks. If companies and institutions want to use and profit from our personal data, we should not have to suffer for it if they can't take care of it. I would say an "incentive" like this makes personal data hoarding MUCH more expensive and risky, will make companies think twice about their data hoarding, and shifts the balance somewhat back to the consumers.

Thoughts anyone ?

Re:_REALLY_ hold companies accountable (1)

freedom_india (780002) | more than 7 years ago | (#17933650)

To supplement your good suggestions, I can add the following:
1. Automatically make private and personal data of an individual as a copyrighted piece of art with protection under DMCA.
2. Any waiver to this copyright would have to be approved by the person concerned.
3. Such waivers are mandatorily limited to the scope of the transaction OR 3 years (whichever is smaller), after which the copyright reverts to the person.
4. Misuse of this private copyrighted data, including but not limited to publishing photos of my house taken from the street, etc., is punishable under the draconian DMCA laws which thankfully the corporates have paid for.
5. This becomes a constitutional amendment.
6. Any future AG or prez who would violate this amendment would automatically stand impeached and in addition become a convicted felon under the eyes of law. The courts only need to sentence the person.
7. Govt. monitoring programs that outsource their data collection to corporates are held responsible under DMCA.

Let's see how many AG's would risk becoming a felon under DMCA which has more punishments than homicide.


I don't want a new privacy law... (4, Interesting)

caudron (466327) | more than 7 years ago | (#17933418)

...I want a new Privacy Amendment.

Seriously, Privacy is a right (according to SCOTUS) but currently the right is in limbo. The limits and effects are mercurial and need to be codified.

Also, I'm far more worried about breaches of privacy by the government than by ID thieves. Shore up my Right to Privacy properly and I'll feel a little better about things. Adding sentencing recommendations to ID theft cases is like hate crime statutes. I'm not /opposed/ to an extra small smackdown for certain crimes (maybe...I admit to some uncertainty here) but I'd rather have a RIGHT to tell the phone company to play a game of Hide and Go Fsck Yourself when they ask for my SSN, for instance. Bonus points if I can get the right to do the same to the US Government when they don't /actually/ need it.

Tom Caudron
http://tom.digitalelite.com/ [digitalelite.com]

Re:I don't want a new privacy law... (3, Funny)

elrous0 (869638) | more than 7 years ago | (#17934490)

It's a sad day when the Attorney General of the United States can get up in public and openly proclaim [slashdot.org] that U.S. citizens don't have a right of Habeas Corpus. Forget the corporations, protect me from *HIM*!

-Eric

Re:I don't want a new privacy law... (0)

Anonymous Coward | more than 7 years ago | (#17935354)

Seriously, Privacy is a right

Well, is it? Larry Ellison said in 2001: "The privacy you're concerned about is largely an illusion." I think that was a prophetic statement. It's the continuation of the old hacker slogan "information wants to be free." What that means is that information is really hard to contain. It's hard to contain even if only you have it: People want to tell others about themselves. It's even harder once someone else knows it: You can't kill a rumor, can you?

The new dimension is not the availability of information. It's the longevity and searchability of information. I think we have to realize that an attempt to stop information at that stage is futile. It might be desirable, but it's not feasible.

I think the problem isn't that we have no privacy. I think it's that we expect privacy and consequently don't look for ways to deal with the problems that arise from living in a glass house. Privacy advocates often cite booze pictures on MySpace as something that is going to haunt the careless teens years down the road. Of course they're right, but isn't the problem really the way we treat these pictures as a bad thing? Nobody came into this world as an adult. We've all done foolish things and the real problem is that we're looking for perfection where there's only people. Privacy contributes to this skewed look on the world: By hiding the things that we deem inappropriate, we create an impression of a more perfect person, an impression that we can't live up to, so we rely on privacy to keep that image up, which in turn causes other people to think that they're not as good and need to hide their imperfections.

Posting as AC because we live in a superficial world.

intentionally or willfully? (1)

DoofusOfDeath (636671) | more than 7 years ago | (#17933520)

Is there a legal distinction between the terms "intentionally" and "willfully", or were two equivalent terms just used for the sake of emphasis?

Re: intentionally or willfully? (1)

thorkyl (739500) | more than 7 years ago | (#17933656)

yes there is

intentionally = I did it on purpose

willfully = I knew it was happening and did nothing to stop it

Wow, yet again deterrence and punishment! (2, Insightful)

uradu (10768) | more than 7 years ago | (#17933558)

The cornerstones of American justice, which have reduced criminality in this country to practically zero. How about for a change doing something effective, like restricting the rights of companies from even OBTAINING data they don't need? If you don't have information to begin with, it's much harder to abuse. The level of unnecessary information collection in the US is mind boggling, yet you cannot usually question or refuse any such requests without being denied the service you're trying to obtain. European--in particular German--data privacy has historically been much, much more effective, because it approaches information on a need-to-know basis and empowers the citizen to refuse to provide information they deem unnecessary. Only recently have these systems started to weaken, primarily because they have been pressured into adopting some of the cavalier American attitudes towards data privacy, often under the guise of fighting terrorism or international crime (child pornography, money laundering, etc.)

different to Privacy Acts/Laws in other countries (1)

kinko (82040) | more than 7 years ago | (#17933598)

In many Western countries, the privacy laws are more to do with the collection of the data in the first place, rather than how to deal with privacy breaches.

For example, "data may only be used for the purpose for which it was collected". This means that a company can't sell your data to another company, unless that is one of the purposes for which it was collected (which means that they have to tell you that clearly when they collect it).
So if a company asks for your email address for a competition, they can *only* use it for as long as they need it for that competition, unless they tell you otherwise when you enter it. The blurb here makes it sound like this bill only protects your data from unauthorised access, where the access is unauthorised by the company holding the data, rather than unauthorised by *you*.

Personal data and storage (1)

thorkyl (739500) | more than 7 years ago | (#17933626)

Here in the States only those who report income or extend credit are allowed to request our SSN/Tax ID.

Now given that, everywhere you go they consider what you are buying to be an extension of credit.

What chaps my a$$ is when I go to the doctor's and am paying cash for the visit, they ask for my SSN.

I tell them they do not have the legal right to ask for it; they say they do since they are extending me credit. I ask how much the bill will be and then hand them the cash. If they push hard I ask for the doctor's SSN, since I am extending him credit by paying for service up front. This usually shuts them up, considering I say it loud enough for everyone in the lobby to hear.

When I close an account with a utility or credit card company I go to my local JP (justice of the peace) and file for an injunction against the company for certification that the account is closed and all personal data has been destroyed. Now if they "lose/sell/release" my data they can go to jail for failing to comply with a court order. Our JP is very consumer friendly when it comes to private data; he was a victim of identity theft a few years ago.

Commercial data brokers need to be reined in (1)

scruffy (29773) | more than 7 years ago | (#17933700)

The biggest loss of privacy comes from the commercial data brokers and credit agencies. Except for some restrictions on financial and medical data, they would like to gather up all the information they can about you and sell it to companies for mailing lists and to the government for fishing expeditions.

This bill doesn't do squat on this issue.

Re:Commercial data brokers need to be reined in (1)

gorbachev (512743) | more than 7 years ago | (#17935218)

You got that right. This bill does NOTHING to address the wholesale abuse of our privacy by the information brokers (Choicepoint, Acxiom, etc.)

If I were running an organized credit card fraud operation, rather than pay hackers or carders for the information, I'd just pay for a monthly report of US people with income over $150K and a credit card balance over $50K. And I would get the information completely legally. My marks list would be much higher quality, and I could probably even sell that to every Russian mobster out there for massive profit.

re: Senate Introduces Strong Privacy Bill (1)

g2ek (852570) | more than 7 years ago | (#17933706)

What about protecting our privacy by preventing companies like ChoicePoint [choicepoint.com] or LexisNexis from collecting and selling our data?

"ChoicePoint aggregates personal data for sale to the government and the private sector. The firm maintains more than 17 billion records of individuals and businesses, which it sells to more than half of America's top 1,000 companies ... ChoicePoint database of personal information contains names, addresses, Social Security numbers, credit reports, and other sensitive data. In 2005, this database contained 250 terabytes of data on 220 million people. ... The CLUE database includes identification information on properties such as homes and automobiles, policy records (name, date of birth, policy number), and records of claims (date and type of loss, amounts paid)"
(source: Wikipedia [wikipedia.org] )

a recommendable book on this subject: No place to hide [noplacetohide.net] , by Robert O'Harrow, Jr

This doesn't address the real privacy issues (1)

MikeRT (947531) | more than 7 years ago | (#17933874)

Like data retention, online surveillance (Carnivore successor that hoovers up all data then processes it!) and things like that. I'm a lot less concerned about personal information than I am about a surveillance state. We already have remedies for identity theft, even if they are a bit of a pain to use. Where are the ones that firmly restrict what the government can do which is far more destructive of privacy?

Mutually exclusive laws (1)

Weaselmancer (533834) | more than 7 years ago | (#17934428)

...making it a crime to intentionally or willfully conceal a security breach involving personal data.

Let's say you're doing some work on some corporate database software. It's your job - maybe you work at Oracle or something. Or perhaps you're an admin for a website that takes customer data. The details don't matter much. But let's say you find a problem, something that could be exploited.

If you don't go public with it, you get nailed by this law. If you do, you get nailed with the DMCA.

You are guaranteed to break one or the other of those two laws.

Re:Mutually exclusive laws (1)

Ihlosi (895663) | more than 7 years ago | (#17934718)

But let's say you find a problem, something that could be exploited.

You only have to report actual breaches, not something that could be a problem. And the report probably has nothing to do with the exact technical details of the breach ... it's more important to document whose data and what exactly has been leaked.

HIPAA for consumer data? (2, Interesting)

thomn8r (635504) | more than 7 years ago | (#17934802)

Last week I had to sit through a HIPAA class ( http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act [wikipedia.org] ). Granted, I was bored to tears, but I couldn't help but think that we need these same guidelines applied to consumer data, including credit and financial info.

HIPAA is a set of rules, with some teeth, that governs how patient medical information must be handled. The banks, credit agencies, etc would squeal like pigs if such legislation were proposed, but I think that's what we really need.

How about protecting... (1)

Nom du Keyboard (633989) | more than 7 years ago | (#17934942)

How about protecting your personal browsing and usage information from the RIAA goons? Now that would actually be an improvement in privacy.

Prediction... (0)

Anonymous Coward | more than 7 years ago | (#17935596)

The part about 'willfully concealing a security breach' involving personal info will be removed before it becomes law. Too many businesses (and majority shareholders) will complain and may threaten to hold back campaign contributions.

Lawmakers will successfully remove this portion without political fallout by blaming trial lawyers and potential abuse of the legal system by crooks who use frivolous lawsuits to leech from businesses.

You heard it here first...