ethbr1 2 days ago

> How is that achievable?

The core ill is aggregated data, because that's what allows the mass in surveillance, data mining, etc. The collection actions are almost immaterial. Without persistence they must be re-performed for each request, which naturally provides a throughput bottleneck and makes "for everyone" untenable.

If we agree the aggregated data at rest is the problem, then addressing it would look like this:

1. Classify all data holders at scale into a regulated group
2. Apply initial regulations
   - To respond to queries for copies of personal data held
   - To update data or be liable in court for failing to do so
   - To validate counterparties apply basic security due diligence before transferring data (or the transferer also faces liability)
   - To maintain a *full* chain of custody of data (from originator through every intermediate party to holder) so that leaks / misuse can be traced
   - To file yearly update on the types, amount of data, and counterparties it was transferred to with the federal government that are made public

The initial impediment to regulatory action is Google, Meta, Equifax, etc. saying "This problem is too complex and you don't understand it." It's not. But the first step is classifying and documenting the problem.

RHSeeger 2 days ago

Sorry, I was ambiguous in what I meant.

It is not realistic to say that no person is allowed to keep track of another person; watch where they go, when, with who, etc.

It should not be acceptable for a company to gather information on "everyone"; where they have been going, when, with who, how often, etc. And it should not be acceptable for them to sell that information (to government agencies OR private citizens).

It's a matter of scale.

- Making the first one illegal/impossible would be difficult/costly; and not doing so has a limited impact (to society, not to the single person affected).
- Making the second one illegal is much easier, and it's much easier to shut down a large company doing it than it is 1,000 individual stalkers. The impact of making it illegal is much wider and better for society as a whole.

We don't want anyone being stalked. But in a cost/benefit analysis, we can do something about one of them but not the other.

rdevilla 2 days ago

It's not achievable. The only way is through - everybody should get into the practice of stalking and gossiping about each other in a Molochian environment, where the people who do not do so suffer from the losing side of an information asymmetry.

Expect AI, especially post-Mythos, to just enable this at even further scale. Consumer grade wireless networking gear as a whole is a very wide attack surface and is basically never updated.

buzer 2 days ago

If PIs can "legally" do it then it sounds like there is a law which allows them to do it. That law can be revoked (unless the power comes from the Constitution, which would make it effectively impossible to revoke).

Note that PIs are effectively illegal under GDPR by default. They would generally need to provide Article 13 notice, i.e. you would become aware of them unless they were just asking around without actually following you. Member states can make them legal though (via Article 23) and likely in many cases they have done so.

jojobas 2 days ago

In the US, PI licensing is only about PIing for hire. The actual act of going through public records, following cars and whatnot do not require a license, you can spy on anyone without a license as long as you don't get paid for it.

EU is more complicated, but Article 14.5.b allows withholding notice if it would impair/defeat the purpose of processing. The PI must however apply "safeguards", whatever it could mean.

fc417fc802 2 days ago

> following cars and whatnot do not require a license, you can spy on anyone without a license as long as you don't get paid for it.

Pretty sure that would be considered stalking and is broadly illegal in the US, PIs being an exception.

buzer 2 days ago

Article 14(5)(b) does, but that only applies for Article 14 notice (personal data not directly obtained from data subject). Article 13 (personal data obtained directly from data subject) does not have such exception in GDPR itself.

This becomes extremely relevant when you read it in the light of the C-422/24 decision. In that personal data collected via body worn cameras was determined to be "directly obtained". Paragraph 41 from the judgement:

> If it were accepted that Article 14 of the GDPR applies where personal data are collected by means of a body camera, the data subject would not receive any information at the time of collection, even though he or she is the source of those data, which would allow the controller not to provide information to that data subject immediately. Therefore, such an interpretation would carry the risk of the collection of personal data escaping the knowledge of the data subject and giving rise to hidden surveillance practices. Such a consequence would be incompatible with the objective, referred to in the preceding paragraph, of ensuring a high level of protection of the fundamental rights and freedoms of natural persons.

Given this it's very unlikely that PI observing (especially if they record) could be considered to be Article 14 instead of Article 13 type of collection as it's exactly "hidden surveillance practice" that the Court warned about.

Member states do have a right to restrict the Article 13 disclosure obligations via Article 23 restriction, but that requires specific law in the member state & the law itself must fulfill the obligations that Article 23 requires. Article 23(2) essentially forbids leaving everything up to the controller.

And as far as PI in the US goes, actions between stalking and PI "for self" tend to be so similar that I wouldn't necessarily recommend anyone to try it.