If I understand correctly, sigstore can guarantee that the software is what the author intended, but it cannot guarantee that it was built from a specific source code. It is somewhat like web site certificates: you can register and have a valid certificate for "facenook.com" (someone actually did), but that doesn't mean that the web site is credible.
It is really hard to verify that a binary is based on the same source code; in addition, libraries and the build environment are not always included in the repository itself.
If you build the binary locally, chances are that the binary will be slightly different, due to changes in the build environment, for example. You will need to do a binary comparison and understand the reason and meaning of each change.
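The binary comparison mentioned above, as an added example that is not part of the original comment or of sigstore: it hashes a locally built artifact and a published one and, when they differ, reports the byte ranges that differ so each one can be investigated. The two "builds" are constructed inline and differ only in a 4-byte value standing in for an embedded build timestamp; the ELF magic prefix is just decoration.

```python
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Content hash of one artifact, the value you would compare against a published digest."""
    return hashlib.sha256(data).hexdigest()


def differing_regions(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where the two byte strings differ.

    Runs are reported over the common length; a length difference is
    appended as one trailing run so nothing is silently ignored.
    """
    regions: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, n - start))
    if len(a) != len(b):
        regions.append((n, abs(len(a) - len(b))))
    return regions


def compare_artifacts(local: bytes, published: bytes) -> Dict[str, object]:
    """Summarise whether two artifacts match and, if not, where they diverge."""
    return {
        "sha256_local": sha256_hex(local),
        "sha256_published": sha256_hex(published),
        "identical": local == published,
        "regions": differing_regions(local, published),
    }


# Constructed sample artifacts (not real binaries): identical except for a
# 4-byte little-endian "build timestamp" at offset 8, a typical source of
# non-reproducibility that a reviewer would want to explain rather than ignore.
LOCAL_BUILD = b"\x7fELF" + b"\x00" * 4 + (1700000000).to_bytes(4, "little") + b"payload-bytes"
PUBLISHED_BUILD = b"\x7fELF" + b"\x00" * 4 + (1700003600).to_bytes(4, "little") + b"payload-bytes"


if __name__ == "__main__":
    report = compare_artifacts(LOCAL_BUILD, PUBLISHED_BUILD)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A differing run confined to a field you can account for (a timestamp, a build path, a random section identifier) is a reproducibility defect in the build, whereas an unexplained run inside code or data sections is the case that needs a real investigation before trusting the published artifact.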
> Michael Smith was charged with fraud for this type of activity last year
Why was he charged with "wire fraud conspiracy, wire fraud and money laundering conspiracy"? Would he get the same severe charges if it was in a European or other country?
Not a lawyer, only an engineer starting to assess our AI models.
Your comparison to GDPR seems to be correct in a way; both are quite vague and wide. The implementation of GDPR is still unclear in certain situations, and it was even worse when it was launched. The EU AI Act has very few references to work with, and except for very obvious areas it is still a lot of guesswork.
When a law is “vague” in that it intentionally tries to be overly broad in protecting the average citizen from corporations, that’s a good thing. GDPR is very much meant to scare the facebooks of the world whose default modus operandi is: your privacy means nothing, I have a revenue number to hit and I don’t care if it ruins your life in the future.
I WANT it to be difficult for AI companies to steal other people’s hard work just like I WANT Facebook to have to spend millions of dollars on lawyers to make sure whatever data they’re collecting and sharing about me doesn’t violate my rights.
The problem is that the GDPR has been largely a failure protecting citizens from corporations, but it has hurt everyone else.
- Nothing has changed in Facebook and Google data collection practices, who with other big corps account for > 90% of data collection
- Many mid tier competitors lost market share, focusing power to Google
- EU small software companies pay estimated extra 400 EUR/year to satisfy GDPR compliance with little tangible benefits to the EU citizens.
It's called unintended consequences. We all want Zuckerberg to collect less data, but how GDPR was implemented is that it mostly hurt small businesses disproportionately. E.g. you now need to hire a lawyer to analyse if you can collect an IP address and for what purposes, as discussed here.
I will be honest, I am always very skeptical of these claims that the big tech companies are fine but small business is hurting. Many of them seem to originate with the big tech companies themselves and I highly doubt they really have the interests of small business in mind. Plus, I'm old enough to remember when everyone claimed EU tech law was about to ban memes, which didn't happen...
> The main burden falls on SMEs, which experienced an average decline in profits of 8.5 percent. In the IT sector, profits of small firms fell by 12.5 percent on average. Large firms, too, are affected, with profits declining by 7.9 percent on average. Curiously, large firms in the IT sector saw the smallest decline in profits, of “only” 4.6 percent. Specifically, the authors find “no significant impacts on large tech companies, like Facebook, Apple and Google, on either profits or sales,” putting to bed the myth that U.S. technology firms are the enemy of regulation because it hits their bottom lines.
That's right, although that isn't quite the same concept. Regulatory capture implies the large companies have helped draft the regulations to their own advantage (and SMEs' disadvantage in this case).
You can be skeptical but I’ve worked at multiple small businesses since GDPR and CCPA came to be, and each of them has zero interest in “selling your data” - everyone just wants to run ads and track which ones work. And yet complying with GDPR has been onerous and costly in every one of them. And did nothing to benefit our customers or website visitors. The only winners are the lawyers and firms that specialize in selling “compliance as a service” basically.
zackly right.
two words, in this case "unacceptable risk", which is absolutely impossible to define, so then, ha ha!, there needs to be deciders, whole heaping flocks of deciders, who then immediately throw up a paper screen of "privacy concerns", and with luck the holy grail of bureaucrats, "national security"
and then they can get to work destroying their budget, so they can seek further grants, and invent internal auditing procedures that have ancient Byzantines crawling from their graves to see such wonders.
smaller sub-bureaucracies can be built on one word, such as "safety", and of course there is no upper limit, but two well placed words, and zam!, you're in!
The biggest ever GDPR fine was against Facebook, and it was less than 0.3% of their revenue. That is just a "let us ignore GDPR" tax. I don't know about small businesses, but big tech from the US is fine.
> I'm old enough to remember when everyone claimed EU tech law was about to ban memes, which didn't happen...
AFAIK those parts of that law were changed somewhat
We saw a bunch of small side project type of sites from the EU close down all over HN after GDPR became a thing. The risk for someone small is too high. The minimum fines are in the millions.
Something has gone horribly wrong with your governance when you can 1. get fined a million euro under GDPR and 2. arrested for hate crimes, for 1. hosting a default Apache server with logs and 2. putting a joke video of your dog doing a "Hitler salute" on it.
Hey, Count Dankula is funny, maybe it's not for everyone, but he really should not have been arrested for what his dog did. His YouTube has really fascinating content on it.
No, the minimum fines are in the hundreds, and that’s on the unlikely event where you actually get a fine. Fines over a million are definitely not the norm. See GDPR article 83 and https://www.enforcementtracker.com/
> The problem is that the GDPR has been largely a failure protecting citizens from corporations, but it has hurt everyone else.
This is just laughably incorrect. Literally every Fortune 500 that I work with who has operations in Europe has an entire team that owns GDPR compliance. It is one of the most successful projects to curtail businesses treating private data like poker chips since HIPAA.
It would be really hard to believe that Google and Facebook do comply with the (spirit of the) GDPR and delete all personal data when it is no longer necessary. That would simply go against their business model.
Anyway, GDPR doesn't protect your data, it just specifies how companies can use it. So my name, address, phone number, etc. will still be stored by every webshop for 10 years or so just waiting to be breached (because of some tax laws).
Facebook and Google got sued, paid fines, and changed their behavior. I can do an easy export of all of my FB and G data, thanks to the GDPR.
"EU small software companies pay estimated extra 400 EUR/year to satisfy GDPR compliance"
WTF? no! I work with several small companies and it's super easy to just NOT store anyone's birthday (why would you need that for e-commerce?) and to anonymize IPs (Google provides a plugin for GA). And, basically, that's it. Right now, I can't even find an example of how the GDPR has created any costs. It's more like people changed their behavior and procedures once GDPR was announced and that's "good enough" to comply.
400 EUR is pretty small; it rings true to me. Maybe not in literal costs, but 400 EUR of employee salaries is pretty low. Figuring out how to not store IPs but also be able to block malicious IPs probably costs at least 400 EUR in employee salaries.
At 40k EUR / year in salary, that's about 1.6 hours a month dealing with GDPR. That sounds about right; it's like 5 hours a quarter deploying anonymizers or updating code to export the data you have on people. I honestly expected it to be higher; I would have thought it was in the realm of 40 hours a quarter just doing mundane things. Auditing to make sure PII didn't sneak in somewhere, updating anonymizer code/deployments and reviewing the same.
I agree with this. It is horrendously vague, like GDPR. This creates a large "wariness zone" which law-abiding people avoid, while large multinationals can steamroller through until the point of direct confrontation. And even then you get things like Microsoft Safe Harbour.
On the other hand, if you're concerned about AI risk, I don't see how it could be otherwise. We don't have a clear grasp about what the real limits of capabilities are. Some people are promising "AGI" "just around the corner". Other people are spinning tales about gray goo. The risk of automated discrimination looms large since IBM sold Hollerith collation machines to the Holocaust.
If it delays AI "innovation" by forcing only the deployment of solutions which have had at least some check by legal to at least try to avoid harming citizens, that's ... good?
So in essence, it disallows logging IP address for any purpose, be it security, debugging, rate-limiting etc. because you can't give consent in advance for this, and no other sentence in Art. 6.1 applies.
Moreover, to reason about this, one also needs to take into account Art 6.2 which means there might be an additional 27 laws you need to find and understand.
Note, however, that recital 30 which you quoted is explicitly NOT referenced by Art. 6, at least according to this unofficial site: https://gdpr-info.eu/art-6-gdpr/
This particular case might be solved through hashing, but then there are only 4.2bn IPs so easy to try out all hashes. Or maybe it's only OK with IPv6?
I find this vague or at least hard to reconcile with technical everyday reality, and doing it well can take enormous amounts of time and money that are not spent on advancing anything of value.
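The hashing point raised above, as an added example that is not from the original comment: an unkeyed hash of an IPv4 address is not anonymisation, because the candidate space is small enough to enumerate and match against the digest, while a keyed HMAC pseudonym cannot be reversed that way by anyone who does not hold the key. The enumeration is limited to a /16 (65,536 addresses) to keep the demo fast; the address, network and key are constructed values.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address text: deterministic and public, so reversible by enumeration."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_from_plain_hash(digest: str, network: str) -> Optional[str]:
    """Match a digest against every address in `network` by recomputing the unkeyed hash.

    The page notes the whole IPv4 space is only about 4.2bn addresses; a /16 is
    used here so the loop finishes in a fraction of a second.
    """
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable for one key (so abuse from one address is still
    linkable in the logs) but not recomputable without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


# Constructed values for the demo: a documentation-style address inside a small
# network, and a fresh random key that in practice would live in a secret store
# and be rotated (rotation also bounds how long pseudonyms stay linkable).
SAMPLE_IP = "10.0.37.9"
SAMPLE_NETWORK = "10.0.0.0/16"
DEMO_KEY = secrets.token_bytes(32)


if __name__ == "__main__":
    unkeyed = plain_hash(SAMPLE_IP)
    print("unkeyed hash recovered as:", recover_from_plain_hash(unkeyed, SAMPLE_NETWORK))
    keyed = keyed_pseudonym(SAMPLE_IP, DEMO_KEY)
    print("keyed pseudonym recovered as:", recover_from_plain_hash(keyed, SAMPLE_NETWORK))
```

Even with a keyed pseudonym the result is still personal data under the GDPR's own definition of pseudonymisation, since whoever holds the key can re-identify; it reduces exposure if the logs leak, but it is not a substitute for deleting or truncating the addresses once they are no longer needed.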
That's not true. IP addresses might be processed in regards to article 6.1 c) or 6.1 f), but only for these very narrowly defined use cases and in accordance with article 5. So, purge your logs after 14/30 days and don't use the IP address for anything else and you will be fine.
There are rulings that access providers are/were allowed to save full IP addresses for up to 7 days to handle misuse of services etc. and any longer storage seems unnecessary and unlawful.
In other cases there were recommendations of up to 30 days, ideally with anonymized addresses where the last one or two triplets are automatically being removed. I've also seen 30 days as kind of the default setting for automatic log purging with shared webhosters.
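The two measures described in this thread, truncating the client address in access logs and purging log files after a fixed number of days, as an added example that is not from the original comments. It masks the last one or two octets of an IPv4 address (or keeps only the /48 prefix of an IPv6 address), applies that to the first field of a Common/Combined Log Format line, and lists the rotated log files that are older than the retention period. The log lines, file names and timestamps are constructed; the 14- and 30-day figures are the ones mentioned in the discussion, not legal advice.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple


def anonymize_ip(ip: str, v4_drop_octets: int = 1, v6_prefix: int = 48) -> str:
    """Zero the host part of an address: drop one or two trailing IPv4 octets,
    or keep only the first `v6_prefix` bits of an IPv6 address."""
    addr = ipaddress.ip_address(ip)
    prefix = 32 - 8 * v4_drop_octets if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymize_log_line(line: str, v4_drop_octets: int = 1) -> str:
    """Common/Combined Log Format puts the client address in the first field;
    lines whose first field is not an address are returned unchanged."""
    head, sep, rest = line.partition(" ")
    try:
        return anonymize_ip(head, v4_drop_octets) + sep + rest
    except ValueError:
        return line


def files_to_purge(entries: Iterable[Tuple[str, datetime]], now: datetime, max_age_days: int) -> List[str]:
    """Names of rotated log files whose modification time is past the retention window."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(name for name, mtime in entries if mtime < cutoff)


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LINES = [
    '203.0.113.45 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2024:13:55:37 +0000] "GET /app.js HTTP/1.1" 200 512',
    '- - - [10/Oct/2024:13:55:38 +0000] "GET /robots.txt HTTP/1.1" 404 0',
]

# Constructed rotated-file inventory relative to a fixed clock.
NOW = datetime(2024, 10, 20, tzinfo=timezone.utc)
SAMPLE_FILES = [
    ("access.log.1", NOW - timedelta(days=3)),
    ("access.log.9", NOW - timedelta(days=15)),
    ("access.log.40", NOW - timedelta(days=40)),
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(anonymize_log_line(line))
    print("purge after 14 days:", files_to_purge(SAMPLE_FILES, NOW, 14))
    print("purge after 30 days:", files_to_purge(SAMPLE_FILES, NOW, 30))
```

Truncation at write time (as the web hosters' default mentioned above does) and age-based purging are complementary: the first limits what a leaked log reveals, the second limits how long full addresses exist at all, and the retention number you settle on is what you document as the justification the later comment describes.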
Our lawyer told us that he estimates that saving full IP addresses for 14 days in logfiles would be fine in regard to preventing/tracking misuse of services or attacks against the infrastructure.
If this would ever come to court it would most probably be up to the judge to see whether this is really fine or already too much. Therefore we had to document the process and why we think 14 days is reasonable and so on.
The GDPR lacks a specific time frame and I think that's okay. There's always some "wiggle room" in European laws, it's about not misusing that room and sincerely acting in the best interest of everybody.
> So in essence, it disallows logging IP address for any purpose, be it security, debugging, rate-limiting etc. because you can't give consent in advance for this, and no other sentence in Art. 6.1 applies.
In addition to the other answers, I want to point out that recital 49 says that it is possible under legitimate interest (6(1)f).
> So in essence, it disallows logging IP address for any purpose, be it security, debugging, rate-limiting etc. because you can't give consent in advance for this, and no other sentence in Art. 6.1 applies.
No, it doesn't. Subsections b, c, and f roughly cover this. On top of that, no one is going to come at you with fines for doing regular business things as long as you don't store this data indefinitely long, sell it to third parties, or use it for tracking. As laid out in Article 1.1.
On top of that, for many businesses existing laws override GDPR. E.g. banks have to keep personal records around for many years.
That being said: it is extremely strict, a lot of lawyers like to make it stricter (because for them it means safer), and a lot of lawyers have to back off under business constraints (that sometimes push to get below legal requirements). My experience is that no two companies have the same understanding of GDPR.
Right after Musk bought Twitter, the code for the algorithm was open sourced and I took a look at it. I don't know if it's still open today, but anyway, there was some ML stuff in it at the time. I guess it would depend on what constitutes "AI" to European legislators.
> I don't know if it's still open today but anyways
I am pretty sure that they made like major major changes after they code dumped it. Considering "verified boosts" and "elon boosts" are very noticeable, with the first being a confirmed "feature", I doubt the algorithm would even remotely work with data from nowadays.
Anyway, what I wanna say is that the last commit was over 2 years ago.
Yes, the AI behind X's "algorithm" has been heavily skewed towards favoring far right content. That much is obvious to anyone taking a look at the X front page. This should give some more grounds to a continent-wide ban on this platform, threatening our democracies with relentless propaganda.
This brings old memories back; I implemented something similar on a Motorola 68360 ages ago. Since the size of the buffer I used was not huge, I skipped the pointers and simply enumerated each chunk; it was remarkably efficient and stable.