1. 19

  2. 7

    Trying to absolve themselves of any culpability for any future exfiltration of data from their service is slimy and unethical. It shows that they’ve both acknowledged the security problems in their systems, and have decided the best course of action is to simply demand that you agree that it’s not their fault before using the service. Of course, so long as such a clause works (or is believed to work by companies in lieu of case law), it is likely in the best interest of companies to simply add a clause like this to their TOS rather than spend the time and energy necessary to create a secure system.

    1. 1

      Serious question: does anyone know how enforceable this really is? Maybe I’m optimistic, but if this ludicrous statement actually protects anyone, I’d be a little surprised, and sad.

      1. 7

        At the moment, I’m not aware of a single case where a company has been held liable for a security breach of end-user data, even in the absence of any disclaimer. My vague understanding of the law is that users would have to not only have experienced some specific financial loss resulting from identity theft, but be able to prove the entire chain of criminals who had resold and eventually exploited their data, showing that the original harm resulted from this particular security breach. In a world where Target only learned they were hacked because security researchers saw credit cards for sale and did statistical analysis to figure out what those cards had in common, that is an impossible thing to prove.

        So, someday this disclaimer might actually meet an enforceability test, but not any time soon.

        1. 4

          Hopefully the EU data breach law goes through then.

        2. 1

          What we need is like a security BBB. One that rates and ranks businesses based on security.

          1. 1

            Only if whoever does it is prepared for the fact that almost all businesses will fail, and won’t give in to pressure to say most companies are more or less okay.

            1. 1

              You just need some rich ex-infosec dude who gets off on “correctness”.

              1. 1

                I feel like advocacy organizations need to be run by someone who feels some anger, if they’re going to be effective. :)