I'm not interested in defending Verizon here, but your math is wrong. Comparing fines (or taxes, the other popular variation of this error) to revenue is meaningless. You need to compare them to profit. The amount of money that they handled but didn't benefit from is irrelevant.
Verizon's profits for 2015 were $4.22bn. That makes it a 0.03% fine.
But that's still not close enough, because this infraction was in "Verizon Wireless", not the entire company. So to really get a sense of its relevance, you need to figure out what the profit of that arm of the business was.
I can't find that number anywhere. Anybody got a hint?
You must also play out the game theory in time, not just an instant. Whatever the fine may be today, should they be caught doing this again, the fine will be (or so the theory goes) much larger. The fine is not just about the negative payment, it's also about the fact that if they do it again in the future, they'll pay out more, making doing it again in the future much less attractive, and also doing anything like the thing they just did much less attractive.
I realize it may emotionally feel good to demand larger fines, but I'm not sure it would have all that great an effect above and beyond what it already has. And the HN gestalt would be among the first to complain about what happens to the workers of Verizon if a fine that actually did greatly hurt them was issued, so "much larger fines" could well go to a negative value to the HN gestalt if a full accounting is done.
There was an interesting Economist article [0] a few years back that suggested a better option might be "penalties that offset the benefits of crime" rather than ones that try to arbitrarily 'punish' the offender. You'd see much larger fines, but they wouldn't be so large as to cause additional, unexpected consequences. The tricky part is improving detection rates, which increases the risk of the action even setting aside the question of fine size.
Compared to cartel price-fixing, Verizon's UIDH insertion is actually much easier to detect. In fact, anyone can do so just by looking at their access logs. I think that, more than fine size, will be the primary reason that they won't try this again. That's not to say they won't play other games, however.
Anyhow, if you really want to change a particular behavior, class action suits offer a much more attractive option where they're possible. They don't really benefit the class members financially (they're not supposed to), but they are one hell of a big stick. And historically, a very effective one at that. Even when companies prevail, they tend to take notice and often change the behavior in question.
Obviously though you'd need to fine a company enough to cover 1) the damages and 2) the risk-adjusted benefit of cheating and hoping to not be caught and 3) a hefty wallop to encourage compliance.
If you only fine for directly provable damages you encourage cheats who find new hidden areas, and if you don't punish all offenders a certain base amount you encourage those who cheat for indirect gain (hard to quantify at trial) such as market share.
And to actually change behavior, attack the leaders directly. Corporate fines mean nothing! They're usually not even relevant to the directors' and officers' compensation. Prove conspiracy, force the company to withdraw legal aid, and attack their personal assets.
The math is right, you just think the calculation should be based on profit not revenue.
That seems silly - it'd be a huge incentive to misstate profits. A "growth" company would claim zero profit - and probably a net loss. (Negative fine?)
Imagine if someone robbed a bank but argued they should only be forced to pay back a little because they spent most of it on the getaway car which was destroyed in the escape attempt, negating most of the profit.
The correct way to do it is to remove all the gross-profits that the company improperly collected - negate all benefits they got and then add a hefty fine on top.
And as for which piece of the business did the crime - imagine if I could blame just my hands for picking the lock, thus claiming my body should only be fined lightly... Obviously the fine should go all the way up the chain, multiplied at every level, because there's an expectation of due-diligence and if that's being intentionally ignored it's an affront to the state and the protections granted to legal corporations.
The fine should probably be quintupled at every level because the indiscretion was by a subsidiary and wasn't caught directly or in oversight.
That's not unreasonable in principle, but then it gets more complicated: do you propose to hold the entire company accountable for the actions of a small part of it? If not, then it devolves into the kind of accounting complexity that results in random internet outrage because it's beyond the understanding of most people.
If you do propose to hold the entire company accountable for any action taken in its name, then consider what you are enforcing: this would mean companies would be immediately obliged to disempower their entire staff from making decisions at any level, and require review and approval for all actions, to make sure that nobody ever makes a mistake that could be punitively expensive.
Neither of these is going to turn out to be a simple solution to a complex problem.
Worse, you can't even use a simple rule here, because what do you do about companies that aren't making a profit? Do they effectively have carte blanche to violate the law in order to improve their situation? That's probably not what you want, so you'd end up with some complicated mix of both systems.
> That's not unreasonable in principle, but then it gets more complicated: do you propose to hold the entire company accountable for the actions of a small part of it?
Of course.
> this would mean companies would be immediately obliged to disempower their entire staff
No.
Their entire staff is already "disempowered" to make decisions that could put the company in legal trouble. Also this is intended, not merely reckless. Do you really believe this was some nobody's idea? Come on!
Please, could someone with real legal knowledge explain why this is not like Volkswagen?
I suspect that privacy violations are not quantified or else a "class action" would dry any and all the profits.
There's a big difference between "not authorised" (the current reality) and "disempowered". You are not authorised to send emails that place the company in legal jeopardy. You are disempowered from doing so if every email that you send has to be reviewed by a company officer first. The norm today is that you are trusted to not exceed the limits of your authority.
How about every line of code that you write being reviewed by legal to make sure it was within the bounds of the law?
There's plenty of scope here for a far more defensive position on ensuring compliance. That is what you would expect and desire from any attempt to massively increase the liability of errors, no?
In theory it would be great if the fine was based on the extra profit generated from using the super cookie (compared to using a legal cookie). Next thing to take into account is the degree/duration of the privacy violation and multiply this number by the number of users who have had their privacy violated.
Deciding this number is beyond my economics skills -- and quite beyond my point -- because I want to say that it is more reasonable to base the fine on the actual violation and not the business as a whole.
I think all fines should have to be handed over to the social security administration. It has two benefits: one, it tends to dissuade law enforcement from going after people just because they have money; two, it encourages law enforcement to toss people in jail. Right now larger corporations agree to pay fines in return for officers of the corporation not going to jail. That should change. Corporations not being able to pay a large bribe in shareholder money would push things in the correct direction.
That's all well and good until that rich person/corporation has applied some creative accounting to create a net loss on the books, thus negating their fine.
Day-fines calculations here in Germany are calculated from monthly income after tax, with some fixed basic-living deductions. I do not think there is anything more you can deduct from it - but it is clearly intended for persons not corporations.
But with the usual limitation of a maximum of 360 days and the min/max limits being 5/30'000 EUR the absolute amount of a maximum 360-day fine can vary between EUR 1'800 and EUR 10'800'000.
Such systems can be made, they can work and I think they can be made loophole free.
The best numbers I can locate indicate Verizon Wireless is generating well over $20 billion per year in operating income.
Out of their nearly $18b in net income the last four quarters, wireless would pretty much have to be 75%-90% of that. The numbers before the Vodafone / VZ Wireless sale indicated the wireless division was a huge share of their income.
Hey kid, I'm not interested in whose take is right, but your accusation that I'm wrong is wrong. It's arbitrary, and either pick is just someone's pick- there's no certain way to decide what to track against. Picking revenue or profits is meaningless, either is valid.
I would say, to my defense- if a company is in the red, would a violation mean they get a negative penalty? So is there a linear fee = rate * profit + base penalty, or is it not a linear fee structure you are supposing?
I don't see why a violation would be tied to performance, frankly, but I also would not try and argue that you are "wrong" either, it's just not how I would figure it. I'd also tend towards thinking the choice of a 0.0010% revenue fee, if we want to be accurate about it, rather indicates that it was indeed picked against revenue, rather than merely coincidence, but again I wouldn't claim to be right or that people who wanted to figure it differently were wrong.