
I don't think I agree with Facebook getting a bigger fine than Equifax. I put my own information on FB. Equifax compiled information on me without my explicit consent. Both sets of data got into hands they shouldn't.

I realize that misses FB willfully doing what they did and Equifax not intending to be hacked, but for me my consent is equal or more important than what the holders of the data did after they had it.

Let's say I send a saucy picture to a friend and s/he shoots it all around to show off his/her banging bodied boyfriend (that being the "profit" factor). Now let's say a stranger finds my lost phone, gets the picture off the SD card with intent to use it for some personal gain, and through some series of events that gets leaked. Who did worse, the friend sharing the data I gave to them, or the stranger who got it without permission? Missing from this is Equifax had a lot more sensitive information than I put on FB.



> I don't think I agree with Facebook getting a bigger fine than Equifax.

The issue is Equifax not being fined adequately. Let's maybe not use that as the bar?


I don't disagree and didn't mean to imply that.


Are you assuming here that Equifax could absorb any size of fine?

Also, you seem to be OK with the idea that any company that gets hacked could be fined $5 billion. As being unhackable is an unachievable standard, that effectively means the FTC could bankrupt almost any company on a whim. That would be huge power in their hands and would not magically stop exploits from happening.

I think there's a big question about whether Equifax should have been fined at all. It would appear to either require mass inconsistency by regulators, or would put most US companies that rely on IT out of business.


I think you have a tendency of assuming a little bit too much about what others think based on 1 sentence.

> Are you assuming here that Equifax could absorb any size of fine?

Who said any size of fine would be appropriate? There is a lot of possible fine size between 500M$ and the max they could absorb.

> Also, you seem to be OK with the idea that any company that gets hacked could be fined $5 billion

Where did I say that? I am OK with Facebook getting fined 5B$ in this context; that doesn't tell you anything about other hacks and other companies. I am also a little bit reluctant to call Facebook's case a "hack".

> I think there's a big question about whether Equifax should have been fined at all. It would appear to either require mass inconsistency by regulators, or would put most US companies that rely on IT out of business.

You should maybe think outside of the tech bubble for one second? What you find apparently unthinkable is already in place in many other industries. Do you think there will be no repercussions for Boeing's crashes if they were caused by their carelessness? What do you think happens if an engineering company builds a bridge and it collapses because of a design mistake? Yet mistakes are human, right?

Private data is something that should be protected. It is not as important as human lives, but it is very important. If you build a business around handling users' private data, but can't be bothered to properly protect it, then yes, you should get fined heavily or even put out of business.

And just like in engineering, there should be investigations into what happened to determine how much of it was pure carelessness and how much could not have been realistically prevented. In the case of Equifax, they didn't even bother applying security patches to their external-facing software.


The airline industry is heavily regulated and the software industry isn't. Will Boeing be punished if they're found to have made a mistake? Politically it's an absolute certainty; legally I presume it'd depend on whether there was an element of knowing to it, or whether all parties genuinely believed they were doing the best thing for safety.

But despite how tempting it is to punish people who make mistakes, it's generally understood that incompetence is not illegal and should not be. Criminalising incompetence just makes everyone a criminal and hands absolute power to prosecutors and regulators: a scenario warned against many times by students of history.


> Who did worse, the friend sharing the data I gave to them, or the stranger who got it without permission?

I honestly don't know which answer here is supposed to be the obviously correct one.


I feel like the parent is suggesting the theft is the worse one. But I feel like almost everyone would agree that the friend, who you willingly gave the picture to, is the worse person because they betrayed your trust.

I just don't get the analogy.


I think the idea is supposed to be that you have some agency when you share your data with a friend. You can choose whether you want to entrust your data to this friend or not, and the onus is on you to properly vet them for transparency and trustworthiness. Conversely, if a stranger leaks your data, that isn't on you at all (beyond you allowing the stranger access to your data, but that's stretching the metaphor a bit). I don't find this argument particularly compelling though, because the typical Facebook user definitely didn't know what they were getting into when they signed up years ago. I find it hard to fault people for improperly vetting entities that are beyond their area of expertise, and I don't think this mistake on the user's part makes Facebook's practices any less egregious.


There's a real question about consent here. I know a lot of techies that don't understand ML that well (not even better than the general public). I saw a comment in another forum, "ML is like QM, if you think you understand it you don't," and I think that's fairly accurate and Feynman would have loved it. So:

1) How can you give proper consent if it takes a great deal of expertise to understand what you're getting yourself into? (Never mind that complexity doesn't come across, but that's a good question too: about conveying complexity.)

2) Can consent even be given if we can't be fully informed? Or rather, how informed do you need to be to give consent?


Facebook also tracks and keeps profiles of people that are not users of the service, have not given their consent, and have not willingly intended to provide any information to Facebook.


Consider also that Facebook's current market cap (the value of the company according to the stock market) is approximately 34 times the current market cap of Equifax ($575 billion vs $17 billion).


As a Canadian I'm frustrated our agencies aren't seeking compensation on behalf of affected consumers or taking more aggressive steps to hold Equifax accountable.

Frankly, I'm surprised and disappointed nobody here has started a class action to go after both Equifax, as well as the companies who shared my data with them without my explicit consent.


I think regrettably, y'all aren't big enough to make it happen, and doubly so with a protectionist president in the US. Being part of the EU I think is a big win for European countries on this front -- always stronger as part of a gang.


Facebook generates a shadow profile on you without your consent.


All credit agreements I have read contain sections specifically allowing reporting of information to credit agencies, so you have in fact explicitly allowed collection of your information.


That's irrelevant. Facebook's stuff is their TOS also. The point is that at some point the TOS is unconscionable.


> Equifax compiled information on me without my explicit consent

I'm not disagreeing with this, but my understanding is that in the UK I'm always asked explicitly before sharing my data with credit agencies, and have been as long as I can remember?


Even if you are protected by a regulation that requires that permission, would anyone be surprised to discover that firms like Equifax have failed to obey that regulation? They constantly fail to do required things that don't happen to contribute to profits.


> I put my own information on FB. Equifax compiled information on me without my explicit consent.

Equifax compiled that information from vendors very similar to Facebook.



