Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

In a more general sense, what level or standard should advertised privacy claims be held to? How are "privacy" and "security" quantified? Are there any real-world tests they have to pass? Or is it simply: "Yup, our product is secure" (TM) And if it does get breached, should they release a statement correcting previous claims? Or need to hold off on running any privacy ads until it's fixed?

Actually, now that I re-watch an ad [0], they're not even making any claims about the iPhone's privacy. It's just showing a bunch of people doing private things, then posing a hypothetical question:

  "If privacy matters in your life"
  "It should matter to the phone your life is on"
  "Privacy. That's iPhone."
Notice "It should ..." How many rounds of legal do you think that text went through.

[0] https://www.youtube.com/watch?v=A_6uV9A12ok



I think Apple has been around long enough to know better than to make claims like "iOS is secure" or "macOS is secure".

Oracle, for example, apparently learned the hard way about claiming software is "unbreakable".

Everyone here on HN knows that pretty much nothing is "secure".


Apple makes these claims:

https://www.apple.com/business/docs/site/AAW_Platform_Securi...


What specific “claims” are you taking about, since everything in that link appears to be clearly true.


My idea is that a company should be allowed to claim any numerical value they want for "privacy" or "security" in advertising, but, if the "privacy" or "security" is breached they should be required to pay out the number claimed to the entity who breached it. In the case of mass consumer products, they should probably also be required to specify a per-unit value.

This scheme has many advantages. First, it prevents companies from overstating too much since if they claim a number much more than the cost to find a breach, then it becomes profitable for white-hats to demonstrate that (e.g. they say $1 Billion, but it only costs $1 Million). In fact, if they really overstate it they will be appropriately "fined" for their false advertising. This means that the number will probably be similar to or less than the true cost.

Second, it allows companies and users to choose their risk. If a user has uniquely valuable data or a specific use case with greater requirements, they can choose a service with the level they deem appropriate. If a company manages unimportant data or is too new to have high "security", they can specify a low number to properly reflect the value of data they can or will protect. This avoids the problem of a single fixed value that could prevent low "security"/importance systems from being created and could shield high "security"/importance systems from the liability they should have to manage.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: