Three thoughts from someone with no expertise.
1) If you make legal disclosure too hard, the only way you will find out is via criminals.
2) If other industries worked like this, you could sue an architect who discovered a flaw in a skyscraper. The difference is that knowledge of a bad foundation doesn’t inherently make a building more likely to collapse, while knowledge of a cyber vulnerability is an inherent risk.
3) Random audits by passers-by is way too haphazard. If a website can require my real PII, I should be able to require that PII is secure. I’m not sure what the full list of industries would be, but insurance companies should be categorically required to have an cyber audit, and laws those same laws should protect white hats from lawyers and allow class actions from all users. That would change the incentives so that the most basic vulnerabilities are gone, and software engineers become more economical than lawyers.
In other industries there are professional engineers. People who have a legal accountability. I wonder if the CS world will move that way, especially with AI. Since those engineers are the ones who sign things off.
For people unfamiliar, most engineers aren't professional engineers. There are more legal standards for your average engineer and they are legally obligated to push back against management when they think there's danger or ethics violations, but that's a high bar and very few ever get in legal trouble, only the most egregious cases. But professional engineers are the ones who check all the plans and the inspections. They're more like a supervisor. Someone who can look at the whole picture. And they get paid a lot more for their work but they're also essential to making sure things are safe. They also end up having a lot of power/authority, though at the cost of liability. Think like how in the military a doctor can overrule all others (I'm sure you've seen this in a movie). Your average military doctor or nurse can't do that but the senior ones can, though it's rare and very circumstantial.
You'd be surprised how many SE's would love for this to happen. The biggest reason, as you said, being able to push back.
Having worked in low-level embedded systems that could be considered "system critical", it's a horrible feeling knowing what's in that code and having no actual recourse other than quitting (which I have done on few occasions because I did not want to be tied to that disaster waiting to happen).
I actually started a legal framework and got some basic bills together (mostly wording) and presented this to many of my colleagues, all agreed it was needed and loved it, and a few lawyers said the bill/framework was sound .. even had some carve-outs for "mom-n-pops" and some other "obvious" things (like allowing for a transition into it).
Why didn't I push it through? 2 reasons:
1.) I'd likely be blackballed (if not outright killed) because "the powers that be" (e.g. large corp's in software) would absolutely -hate- this ... having actual accountability AND having to pay higher wages.
2.) Doing what I wanted would require federal intervention, and the climate has not been ripe for new regulations, let alone governing bodies, in well over a decade.
Hell, I even tried to get my PE in Software, but right as I was going to start the process, the PE for Software was removed from my state (and isn't likely to ever come back).
I 100% agree we should have even a PE for Software, but it's not likely to happen any time soon because Software without accountability and regulation makes WAY too much money ... :(
I worked as a physical engineer previously and I think the existence of PEs changes the nature of the game. I felt much more empowered to "talk back" to my boss and question them. It was natural to do that and even encouraged. If something is wrong everyone wants to know. It is worth disruption and even dealing with naive young engineers than it is to harm someone. It is also worth doing because it makes those engineers learn faster and it makes the products improve faster (insights can come from anywhere).
Part of the reason I don't associate my name with my account is so that I can talk more freely. I absolutely love software (and yes, even AI, despite what some might think given my comments) but I do really dislike how much deception there is in our industry. I do think it is on us as employees to steer the ship. If we don't think about what we're building and the consequences of them then our ship is beholden to the tides, not us. It is up to us to make the world a better place. It is up to us to make sure that our ship is headed towards utopia rather than dystopia (even if both are more of an idea than reality). I'd argue that if it were up to the tides then we'll end up crashing into the rocks. It's much easier to avoid that if we're managing the ship routinely than in a panic when we're headed in that direction. I think software has the capacity to make the world a far better place. That we can both do good and make money at the same time. But I also think the system naturally will disempower us. When we fight against the tides things are naturally harder and may even look like we're moving slower. But I think we often confuse speed and velocity, frankly, because direction is difficult to understand or predict. Still, it is best that we try our best and not just abdicate those decisions. The world is complex, so when things work they are in an unstable equilibrium. Which means small perturbations knock us off. Like one ship getting stuck shutting down a global economy. So it takes a million people and a billion tiny actions to make things go right and stay right (easier to stay than fix). But many of the problems we hate and are frustrated by are more stable states. Things like how wealth pools up, gathered by only a few. How power does the same. And so on. Obviously my feelings extend beyond software engineering, but my belief is that if we want the world to be a better place it takes all of us. The more that are willing to do something, the easier it gets. I'd also argue that most people don't need to do anything that difficult. The benefit and detriment of a complex machine is that small actions have larger consequences. Just because you're a small cog doesn't mean you have no power. You don't need to be a big cog to change the world, although you're unlikely to get recognition.
Regarding your 2), in other industries and engineering professions, the architect (or civil engineer, or electrical engineer) who signed off carries insurance, and often is licensed by the state.
I absolutely do not want to gatekeep beginners from being able to publish their work on the open internet, but I often wonder if we should require some sort of certification and insurance for large businesses sites that handle personal info or money. There'd be a Certified Professional Software Engineer that has to sign off on it, and thus maybe has the clout to push back on being forced to implement whatever dumb idea an MBA has to drive engagement or short-term sales.
Maybe. Its not like its worked very well lately for Boeing or Volkswagen.
It's kinda wild that you don't need to be a professional engineer to store PII. The GDPR and other frameworks for PII usually do have a minimum size (in # of users) before they apply, which would help hobbyists. The same could apply for the licensure requirement.
But also maybe hobbyists don't have any business storing PII at scale just like they have no business building public bridges or commercial aircraft.
I'm wary of centralizing the powers of the web like that.
Web is already mostly centralized, and corporations which should be scrutinized in way they handle security, PII and overall software issues are without oversight.
It is also a matter of respect towards professionals. If civil engineer says that something is illegal/dangerous/unfeasible their word is taken into the account and not dismissed - unlike in, broadly speaking, IT.
I just don't feel we want the overhead on software. I'm in an industry with PEs and I have beef with the way it works for physical things.
PII isn't nearly as big a deal as a life tbh. I'd rather not gatekeep PII handling behind degrees. I want more accoubtability, but PEs for software seems like it's ill-suited for the problem. Principally, software is ever evolving and distributed. A building or bridge is mostly done.
A PR is not evaluated in a vacuum
Oh there have been many cases where software engineers who are not professional engineers with the engineering mafia designation get sidelined by authorities for lacking standing. We absolutely should get rid of the engineering mafias and unions.
https://ij.org/press-release/oregon-engineer-makes-history-w...
There are jurisdictions (and cultures) where truth is not an absolute defence against defamation. In other words, it's one thing to disclose the issue to the authorities, it's another to go to the press and trumpet it on the internet. The nail that sticks out gets hammered down.
Given that this is Malta in particular, the author probably wants to avoid going there for a bit. It's a country full of organized crime and corruption where people like him would end up with convenient accidents.