Who exactly should go to jail, and what would that help?
For all the do-something-ism in the world, doing "something" often amounts to making things worse, while allowing actual avenues for improvement to fester.
Find a way to use the unique position of the operators of this database to assist those affected in preventing identity theft and other threats which are worsened by the leak. Maybe figure out if there is money out there to account for the cost of that.
If jail time was a real concern for owning data like this maybe fewer companies would exist owning such data. The he potential for people to use this to steal identities is too high I think
With reasonable verification, anyone confirmed to be a part of this breach should be given access to the data, if only for good will. It's a sad state to see that the recklessness (or incompetence) of one entity, and at that a private one, can quickly become a domino in a chain that ends in toppling a person's privacy.
They advertise themselves as having the most accurate data (why wouldn't they advertise themselves this way?) If so, the people it affects have a right to know, and it seems that they have the means to contact them and let them know.
It's not considering you a resident. The GDPR reads much closer to a declaration of a human right. For example:
Recital 14 - "The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data"
Article 3 (2) - "This Regulation applies to the processing of personal data of data subjects who are in the Union"
This hasn't been tested, and each member state could prosecute differently, but it was certainly discussed and then structured in such a way to be a fundamental truth, and in my non-legal opinion (based mainly just on having read the majority of it) it would be interpreted as such by EU courts (ie, not member state courts)
Much more than just personal privacy. When CEOs, politicians, judges and generals use the internet too do you really want to be the guy/a company that gives them that call? The incentives are all messed up.
The only real strategy is to totally pollute the information with false and erroneous information, while also setting up ways to prevent tracking and fingerprinting and associating. I am somewhat surprised that someone has not yet really emerged as having developed a business model around assuring privacy. It could be dedicated routers with firewalls and built in VPN that also mask device names, combined with browsers and extensions that intentionally pollute browsing history and fingerprinting data, and sends bogus queries and also allows you to set policies for cookies in a little more user friendly manner to only retain specific cookies of specific domains, etc.
I don't think it's so much that software devs take it "lightly". In my experience as a infosec consultant, the bigger problem is that most software devs are too cocky when it comes to security. Most think that security is just a subdomain of computer science (it is not!), and that because they took a crypto class in college, they are 100% qualified to handle the security themselves. They think they are taking it seriously, but they don't understand that knowing how to write software does not make you an expert in securing software.
Most devs don't seem to acknowledge that good security requires having a separate, dedicated person/team to handle it, just like how you would hire a lawyer rather than having your software devs handle legal issues.
I once posted on HN that every company that deals with sensitive data, big or small, must have a dedicated security person/team. My comment was downvoted/flagged, and I was bombarded with responses like "why would we waste the money on a security person? my dev team already knows to encrypt passwords".
This. I worked with an end-to-end encrypted communications company for 5 years, and learned a vast amount more about crypto, attack vectors, and security holes than I did in the previous decade or two, but I would never claim to be a security or crypto expert, or even competent at it.
In fact, I almost certainly know only a tiny fraction of what the actual experts in that company knew, but a number of people have told me that I know a lot more about it than the average developer.
That scares me, and if people flame someone for recommending that a dedicated security expert be hired by companies that handle sensitive data, I can only conclude it is out of ignorance - of what's out there, and what's possible.
On the other hand, there are economic realities to consider, especially in early-stage, underfunded startups. What do they do about this?
Erm, not opening up this fucking Elasticsearch instance to the entire internet would be a pretty easy way to get like 90% of the way there. I do operations. I can tell you exactly how not to make rookie mistakes like this. But security isn’t sexy, and it isn’t profitable, so it falls by the wayside.
The problem isn’t that these people are incompetent at network security (they are), the problem is that these people had your data to begin with. Data security is impossible because there is a massive shadow market for your entire life history and no amount of privacy setting theater will make up for the fact that your personal data is currently the target of an insatiable feeding frenzy.
> I do operations. I can tell you exactly how not to make rookie mistakes like this
But you guys are expensive and management can't tell what you do, so we invented devops to make the developers do it. It worked perfectly until it didn't.
Seriously though, as a dev with script kiddie levels of pen-testing skills it's amazing the amount of potential exploits out there. Even where I work with sensitive data it's assumed that the only attack vector is external.
In all seriousness, what law (in the US) has this company broken? I'm assuming all the data they got was somehow obtained through legal channels in the first place?
People may be up in arms about this being a "breach", but think about it: they're a "data brokerage" company. Consider this breach a sale price of $0. My point is what should be scary is that all of this data is bought and sold about all of us, all the time, in the first place.
Sadly, I think you're right. And in the end, this may just end up being great marketing for the data their selling.
Reminds me a startup that I used to work for a while back. We had hired a new hot-shot marketing VP. First thing he does is to purchase 'qualified leads' from some dubious data broker and trumpet how he had generated more leads in his first week than the company had over it's existence. Then the new hot-shot VP of sales hires a couple of inside-sales guys to call through this massive list with a script (which they probably bought from somewhere too since I don't recall recognizing our product from it) provided by new marketing VP.
This was a time when people still answered when someone called from unknown number. I remember chatting with the poor inside-sales guys who had to do the calling, and oh boy were they frustrated, but that was nothing compared to how badly the calling was received by people who got the calls.
I am pretty sure company got exactly zero sales out of that exercise and probably killed a few future deals too. But I am sure at least marketing VP met his KPIs.
Moral of the story: there are shady people out there that are more than happy to pay for all kinds of data sets.
I believe that as a society we should exert more control over our data, and companies selling it should be scrutinized, regulated and taxed for doing so.
Just because it’s legal doesn’t make it right. No, there is no law against this. That’s a problem, and it will continue to be a problem until it either affects enough CEOs or some Congressman’s kid gets screwed over by it. Until then we’re all going to be forced to clean up the messes ourselves.
I'm not saying it's right, but the original comment was basically complaining that no one will go to jail for this. People shouldn't go to jail for things that are subjectively "wrong" if they're not illegal.
I was calling attention to the vast difference between what the status quo security industry considers white hat and what free individuals should consider white hat - low corporate pain versus actually closing the hole.
As I and others have said elsewhere, the data was leaked the moment it was collected and priced for selling to attackers. Forgoing full disclosure is really just blunting the truth, giving corporate whitewash a leg up, and delaying society learning the lesson of what we're up against. As (presumably) individuals and not owners of surveillance companies, we shouldn't bless this behavior as being in the public interest.
This is pretty silly, you're going to publish something everyone already knows? What do you think that's going to accomplish? Most of these companies are publicly traded and finding top people in the private companies is just a Google search away. This business is all done out in the open.
You can even force the companies subjected to the FCRA[1] to give you a report on exactly what they have on you.
[1] They are subject to the FCRA if the data is sold to companies who make use of it in credit, employment, and housing decisions.
It's not all that silly actually. Politicians and corporate CEOs make the decision but rarely are on the receiving end of the fall-out. By concentrating on them and by distilling out that information from a much larger body of data enough of an embarrassment could be put together that they might start to pay attention.
As long as all those needles are safe in the haystack they can be ignored, a stack of needles on the other hand is not so easily ignored.
It's not mud if you send them an email from a donotreply address saying "my privacy policy has changed, and now I will freely publish your previously private data"
When will this stop? When's the last straw? If I gave a bank 100 dollars, and they lost it, I'd have avenues with which to pursue some sort of justice. If I give a company my data, and they lose it, oh well. I wish all personal data was treated like HIPAA, at a minimum.
When the top folks in the US government are personally affected. Until then, "congressional hearings" and presidential ambivalence is the most action we'll get out of them. Most people don't really understand what the significance of these events are.
I hate the fact that I feel so small and insignificant because of the futility of speaking to a representative. I did try to contact Rand Paul last year. He never bothered to reply, but did add me to his mailing list. Great.
Not only that, but the Russian site exposed[dot]su has published personal information, including SSNs, about a lot of powerful people, including Michelle Obama, Robert Mueller, Eric Holder, and Hillary Clinton.
Indeed, however, the impact of such breaches has yet to be made explicit. It seems only a massive cyber attack would show the public what is possible with such information
Since some percentage of Congressmen and Senators were almost certainly part of the breach, all we need to do is search for them once the data becomes available and post hand-curated lists of Senator McConnell's Shopping Habits.
Remember, we only got the Video Privacy Protection Act after someone published Bork's rental history during his supreme court nomination[0]. I had to say that public shaming works, but, public shaming works.
That's the depressing part. I usually shop at Meijer because they were the last grocery left without annoying loyalty cards. As of this year, I've began receiving in the mail coupons for specific items I'd bought there. So either my credit card company has sold my data, or it was 'stolen' when they scanned my license to buy beer at some point(they require scanning the license, not DOB entry). I'm tired of this.
The credit card info is called "level 3 data" and they in some cases have line item by line item detail. Not just "spend $24.89 at Meijer store #349" but each individual thing, e.g. you bought 2 avocados.
From what I know, it started a few years ago; but not all big stores had the equipment in place to send it (the cc processors give them a discount for sending the line-item level 3 data).
With the advent of the chip and pin cards in the USA, it seems logical that just about everyone upgraded to equipment that does support it; which might explain why you are only seeing this in the past year.
So, this seems a little opposite of what I meant. Naive me always assumed I pay with a card, the store gets my cc info to charge and we part ways. I'm getting in the mail ads from Meijer, for items I buy frequently. This tells me they were able to extract my home address and name from my credit card. Is that accurate?
I noticed that now when my employees buy from staples.com, my AmEx statement will show everything they bought. From a manager's perspective, it's kind of awesome because you don't need to keep track of little receipts.
Mastercard and Visa [1] sell this data in aggregate to firms via brokers like Bluekai, to allow for ad-targeting.
I don't believe it'll be feasible to purchase just one person's purchase data [easily], but if you knew who you wanted to get to, it should be possible to narrow the targeting to get to them
Well, they have to provide it digital, if they already have it digital. So yeah. Anyone wanna integrate the format they can deliver with e.g. GNUCash or so?
Wondered about that too. Apparently Apple Pay does use the same artificial CC number with each payment (maybe only with the same merchant?) so it's still possible to have your purchases tracked over time, even if they don't know who you are.
usually there is only space for group ids of items rather than individual item details.
but i guess it might be different for different acquirers.
the purpose of loyalty cards is that the messages are usually acquired or processed on non-bank systems so they can go into much greater detail and include individual sale item details
I have no problem with loyalty cards. It helps the store work more efficiently and sell me more relevant products. I have a problem when the loyalty card is tied to my identity and any data from anywhere else.
I usually shop at Meijer because they were the last grocery left without annoying loyalty cards.
(quizzical look)
Are you aware of their MPerks program? Tied to your phone number and an email address, electronic receipts, tracking of your savings, online/in-app clipping of coupons auto-applied at checkout time, automatic "rewards" of $2-3 for every $150 you spend.
The only part of a traditional loyalty card program it doesn't have is making their sale prices apply only with card, but it definitely gives you measurable (and measured) discounts both passively through those "rewards" and actively via the in-app coupons.
Yeah I'm aware. I am not signed up for them. That's the reason I don't like Kroger, their stuff is way marked up without a card. That said, I figured out a 'trick' of just asking for a card and saying you'll fill out the application at home. Doesn't seem like such a trick now since they're all just tracking me by my payment methods. Oh well.
I just signed a rental agreement for an apartment in the US and in the fine print it says that they can share your data with whoever they want. You can't even opt out. Pretty fucked up.
I wonder, do they then just enter your data into their database and sell it all anyway? Is there some way for you to ensure it's not included in all the other tenant data they share?
I bought a car earlier this year. Exciting purchase. We had got to the final bit before they hand over the keys and there was some paperwork to sign. On page 3 was the small print about us agreeing to give our data to everyone.
So I refused and made it clear I would walk away. The sales guy went though the whole ‘it’s not a problem, I’ve bought cars from here and haven’t got spammed’. In the end he had to get a manager and it turned out that the option could be removed from the contract, three menus down in the system.
Sounds like no one had ever asked before. I imagine GDPR will have changed this to opt-in.
Why do you think this can be stopped ? Think it through.
You can't stop data loss until you can guarantee platform security. You can't do that until you prevent developers from creating bugs and security flaws in the first place. You can only do that unless you have either perfect tools to catch all the issues or a perfect testing regime.
That's a defeatist attitude. If you make companies liable for this, they'll start paying more attention to security. I'm not a trained security expert, but did have to explain this year why not to store plain text passwords in a database. Security is seen as secondary to product across the board. We need penalties to change this.
We can't prevent builders and architects from making mistakes either, but they are required to comply with regulations, and take out insurance to cover their customers in the event of human failure.
If the problem is inevitable on some level, then why isn't insurance to cover that eventuality required?
It's definitely solvable. You pass laws that make it very costly for businesses to expose personal data. Businesses are rational actors (for the most part) and will adjust accordingly, for example by not collecting the data in the first place.
Let's discuss how we can fix this. I'm actually considering leaving my job of 8 years for a probably to be doomed privacy startup. Either way, I'm interested in solutions and more importantly working towards them, even for free.
Legislation. We need legal repercussions for people who wantonly mishandle our personal information. Sorry, but the market can’t help us. This kind of shit needs to be illegal yesterday. It’s just impossible because we have a Congress that is so remarkably out of touch that they won’t do anything about it.
Practically everyone knows about the second world war, but nothing is being done about rising fascism. It has nothing to do with not knowing, it's just stupidity.
If you need a good example, look at Germany. They have very strict laws about it and while there are still fascists there (as there are everywhere), they do not run the country.
Edit: On a more practical note, it's always baffled me how normalised it is. People who defend fascists in the US media are still respected and hired. They might be prominent political figures. Somehow calling attention to someone who is fascist is confused by anyone doing something as simple as saying "liberals are evil!", as if the two party system there has anything to do with racial supremacy. As an outsider, you look at it and think "This is the country that helped liberate Europe from the Nazis. How are they not ashamed?". Maybe I think the first step is allowing shame to enter into things when you think about your nation, instead of a quasi-religious patriotism.
There is no rising fascism in America, if people really knew anything about the Wiemar Republic, Republican Spain, or March on Rome they would know that the left always loses when it tried to be humane and gain power. The only time the left gains power is when 'tankies' are the ones leading the resistance.
As an uninformed observer, one of the biggest issues I see is the US two party system. Do you think government funding would help with that? I've always seen it more as a weakness of the general US electoral FPTP system.
Congress grilled Equifax and nothing. Average person saw Equifax commercial on “hey be smart we will keep your info safe with alerts” and thought “wow this company cares about my data” when its precisely opposite.
If the congress is unable or doesnt want to draft a bill to stop predators from milking money off of your data, then that money probably ends up in their pocket some way. Or at least some of it.
Please dont quit your job for the sake of your security - food, shelter, etc. Move these assholes out with next election. Vote in young people that are probably as angry about this shit as you are, in hope they won’t sell out their soul.
In my ideal mind, I'd keep my job, it's pretty lax as long as I deliver. But I want to fix privacy. I'm working with a guy I respect, who is also all about privacy, but I just don't think his model works. Ideally I'll donate some dev time for free, but if I saw even a glimmer of hope, I'd go all in. We can't trust congress, we need a private sector movement. I'm offering my services for free to anyone in the space, generally speaking.
You should reach out to a venture called Equifax. They are providing customer alerts for data breaches and a premiere data protection service.
Your imagination is working against you here. The obvious and well-known reason that congress is ineffective is they work for the private sector, who is the disease; not the cure.
Do you have any data to support your claim about what the average person thought about Equifax and Congress? I have a lot of strong opinions about privacy, but I'm also resigned to the fact that most people don't care about it as much as I do. So I don't guess what they're thinking.
> Average person saw Equifax commercial on “hey be smart we will keep your info safe with alerts” and thought “wow this company cares about my data” when its precisely opposite.
The result you cite is a general consumer favorability rating for Equifax, which is different than this particular claim. People who didn't hear anything about Equifax and Congress are included in the general consumer poll. I'm not trying to nitpick, I'm just pointing at a lack of data for this particular claim.
Figure out a way to make the data collected useless. You can't hide and block every attempt to track, collect and generally have your privacy invaded. But it may be possible to throw a wrench in the gears by making so much noise the data is low quality.
That is what would be needed in the United States of Anarchy, but everyone is so busy trying to pull off their own scandle that I don’t think this could be done at an effective scale.
It's almost as if the issue is more complicated than the solution represented by the GDPR.
I mean, I'm a "tin hat" privacy nut in the USA, but that doesn't mean that I'm a fan of 100% of the GDPR. It has plusses and minuses. It'd be nice to have a conversation about them.
The question though is what's the alternative? The IT industry has failed spectacularly in protecting citizens' personal data. I'm not a fan of EU bureaucracy, but it looks as if they are on the right side of history on this one.
Absolute liability for data losses. Exactis lost 360 million peoples' data. They should be able to (a) form a class and (b) extract money damages from Exactis without having to prove specific harm, which is difficult to do with data loss.
A good model is Illinois' Biometric Information Privacy Act [1]. Broaden the the definition from "biometric identifier" to a longer--but still specific--list. If you want to get fancy, create a regulator who can add things to the list after a public hearing. (The specificity avoids GDPR's "what's personal data?" mess. The public input mitigates the risk of unintended consequences and corruption.)
That's basically what GDPR does. It broadens the scope of what is considered sensitive info and slaps a fine on people PRIOR to a breach. If a breach is found, then any breach of GDPR means EU can come after that company and hurt them seriously.
A fine and a lawsuit are very different things, especially with 340M people involved [even a $340M fine would only be $1/person]; fines don't usually go to the people injured by it, which would make sense with personal data being leaked. A fine also misses companies who are "doing what the law says" but still have some horrible flaw anyways. If you are _genuinely_ responsible for the data, meaning if something happens to it you are liable for it, then you often take more care of it above and beyond, than for simply complying with rules.
Many european countries (including Germany) have no class action lawsuits, so unless you want 340 million separate lawsuits, you’ll have to either use fines, or accept that this will go unpunished.
Just because there are no class action lawsuits doesn't mean you can't take collective legal action. It's been a long time since I lived in Germany, so I can't cite any recent examples, but 20 years ago there were lawsuits in Germany of broad groups.
> fines don't usually go to the people injured by it,
Well they do. Our government takes money through fines and taxes and uses it to build infrastructure and provide services.
> which would make sense with personal data being leaked.
My preference would be that personal data not be leaked at all. Ideally the warnings and fines kick in long before that happens.
> A fine also misses companies who are "doing what the law says" but still have some horrible flaw anyways.
What example are you thinking of?
The GDPR is quite broad and open to interpretation by both sides.
> If you are _genuinely_ responsible for the data, meaning if something happens to it you are liable for it, then you often take more care of it above and beyond, than for simply complying with rules.
That's what the GDPR does.
Requiring people to lawyer up to make the company responsible is far weaker.
> My preference would be that personal data not be leaked at all
Me too! But not at any cost. This discussion involves thinking about scope (both in who and what is regulated), penalties (both in frequency and magnitude) and pre-emptive enforcement, if any. The trade-offs are far-reaching. A conservative approach is prudent. (It's also politically resilient.)
> GDPR is quite broad and open to interpretation by both sides
That's a sin and a virtue.
> Requiring people to lawyer up to make the company responsible is far weaker
This, too, is a sin and a virtue. The sin is it may allow bad deeds to go unpunished. But presently, everything is going unpunished. The virtue is in its prudence. It's unlikely to cause systemic harm, and we can observe its case law to more-precisely draft the next wave of rules.
Well, this certainly happens at small scales: Police who issue speeding tickets in the US to fund the police force; but it's not clear it happens at large scales.
> > fines don't usually go to the people injured by it,
> Well they do. Our government takes money through fines and taxes and uses it to build infrastructure and provide services.
That's only true if you consider the public at large to be equivalent to any individual member of the public, or if you believe only the government is "injured" by a data breach.
If I stole all your money and repaid it in fines to the government instead of directly to you, would you consider the matter settled?
> If I stole all your money and repaid it in fines to the government instead of directly to you, would you consider the matter settled?
I mean, that's typically how it works.
People get robbed by people who don't have the ability to directly restore what they've taken, so the state takes them into custody and makes them a productive member of society.
Would I consider the matter settled? Gee, I've seen some really stupid arguments on the Internet that have made me wish I could punch someone over TCP/IP, but while I'm wishing I'm not going to wish for that either.
> How is a regular person supposed to even know if their data was in this particular leak?
Reporting requirements. If you find out you're breached, you have to notify everyone involved--plus their states' attorneys general--within N days. If you find out you're breached and fail to notify at least one attorney general, that becomes a criminal liability for those who knew but didn't act.
I was working with Albany on a law in this form (notice only) after the Equifax breach. It was tabled due to lack of Equifax-related outreach from voters.
It was tabled due to lack of Equifax-related outreach from voters.
I suspect this is because the very people who would be the most vocal about this issue are also the most politically cynical, and would never think to reach out to their representatives. That's a damn shame, if true.
It seems like the biggest issue with GDPR is that it’s comes from Europe and not the US? Historically speaking, Europe has in many issues come to agreement on technically solutions and industrial standards many years ahead of the US.
For example, Europe was first on texting on the mobile network while the US (single country) took years to come to a standard.
I think it will be the same with regards to GDPR. You (US) will discuss this for years and come up with a different law.
That's not the biggest issue that I have with the GDPR. In fact, I'm totally OK with someone doing a better job than the US at regulating privacy. However, I have some complaints about the GDPR, and there isn't very much discussion about the details; most people appear to think about it as "all or nothing" or "Europe good, USA bad" or "everything looks clear to me so what's the problem?" instead of discussing the details. You can see all of these opinions in this very discussion.
You're creating or contributing to the problem you say exists, parent above was not refusing discussion and literally asked you what alternative you have in mind, so he was open to them.
But after going several answers deep you still haven't listed any specific complaints and instead complain that nobody discuss them. This really make no sense.
So, feel free to explain what specific things you dislike, why, and how else you would have done it, and then people would be able to discuss them with you and exchange opinion.
Saying "it's not possible to talk about x" when you don't even try to really isn't the way.
The issue isn't complicated at all. Regardless of any country's laws. Don't use my personal information for anything other than verifying my identity or record keeping. Don't give it to anyone, don't sell it to anyone, don't use it for marketing bullshit, dont analyze it to find out how to sell me things, or how to trap me in targetted advertising (which I block anyway because you have no right to spam me with them or waste my bandwidth) or filter bubbles. If you can't do that when fuck off, there's no reason I should do business with you.
A rather irrelevant nitpick to this discussion. Let's not pretend we didn't know what lost meant in this context. And of course it's the process of making a copy that's the issue.
Actual I think it's worth picking that nit because it emphasises that the company who leaked the data, allowed its exfiltration, still have the data.
That emphasis is twofold: 1) they can do it again, because 2) they didn't lose anything.
The corollaries being that their incentives aren't aligned with the people whose data is leaked, the company don't need to spend on avoiding leaks because they're not harmed beyond a little (bad) PR.
You could do business with places in the EU, where you are covered by EU's stronger data protection law. If an EU based company do stuff with the personal data of US citizens in the US, then the GDPR (etc) applies to that EU company.
I think it can be explained with game theory. Right now customer data is massively valuable to a company for all sorts of reasons. A data breach is unlikely to occur and if it does occur then the financial loses to the company are much less (on a risk-adjusted basis) compared to the benefits. Every company has every incentive to collect as much consumer data as possible.
It will only change when consumers demand it to change or outright refuse to give their personal information away. I think everyone should adopt pseudonyms for everything and to be constantly changing their pseudonyms regularly.
Without more information I can only assume they are scraping public records just like sites like Spokeo etc. Perhaps with some data analysis thrown in.
So I don't see much of a personal concern; especially since their business model appears to be selling this very data!
If this data comes from just scraping other sources that are freely and publicly available and applying some shitty data analysis on it, why should I be particularly concerned? The data itself is already out there for someone to find if they wanted to or even buy it from this company if they are too lazy to scrape themselves.
However, the source of the data wasn't in the article.
Every American's DNA was leaked and a malicious AI bot is making a customized oncovirus for each if they visit Washington, D.C. "Oops, our bad. Here's a coupon half-off Tamiflu."
Dick is my middle (nick)name, but my name isn't Philip K. Dick. I'd be turgidly-pressed to write anything comprehensible, much less worth reading. And I'm already starving, I'd have to lop off more than my ears to be a proper starving artist... oh wait, that didn't come out right. Nothing to see here, carry on.
All i'm saying is that i liked your short vision of a possible reality, and i'd love to read even a short story about it. Hell, i'd _write_ a short story about it, although i doubt my english is good enough for anything beyond simple small talk; i envy people with more imagination than i have. That being said, why are you starving, man? I've gone through some of your comments, and it seems you are having some sort of trouble with the mind parasites. I have no idea whether it is possible to pm on hn, but, should you need an anonymous ear, i've been told i am a good listener. Otherwise, i just want to tell you that if you put your mind to it, you will find the source of power inside of you with some help or without, and things are going to work out. Oh, and read mind parasites if you can - it has helped me with my depression quite a bit.
> "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen"
> Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.
It might be "comprehensive" but is it comprehensive in a scary way? It's probably just 400 machine learning features that are estimating what people might like, so not necessarily super accurate?
Even worse. Many people say they “don’t have anything to hide” because they too haven’t considered the vast consequences regardless of having something to hide. For starters, when the data is inaccurate, you might have something to hide that even you didn’t know about, and it could be responsible for all sorts of events and opportunities in your life both public and private without you even knowing. Things that give you an different life experience than your friends to an unknown degree. This sort of lack of knowledge, control, deprivation of explanation or closure etc. would be the lived experience of chaos and it’s one of the most frightening parts.
False or misleading information can also be harmful, if widely disseminated.
Birth certificates. Creditworthiness.
At the age of 54, Sigmund Arywitz was a healthy American success story. He was making $30,000 a year as executive secretary and treasurer of the Los Angeles County Federation of Labor, AFL-CIO, his family was sound, his reputation high on all counts, and he had just finished eight prestigious years in Sacramento as state labor commissioner under Gov. Edmund G. (Pat) Brown. But something was awry. In the space of one year, five Los Angeles department stores refused Sig Arywitz charge accounts, and a major car-leasing company turned him down for credit -- even though he had a walletful of oil-company and other credit cards and had always paid his bills on time....
Exactly! The only thing a "breach" changes is allowing us to actually see the files that Stasi 2.0 are keeping!
I'm much more worried about the persistent legally-blessed attacks against our decision making (eg advertising) and financial independence (eg price discrimination), than about receiving backscatter from uncoordinated randos defrauding banks et al. Banks who are responsible for much of this surveillance infrastructure in the first place.
>That assumes they would sell to absolutely any group including terrorists, hate groups and sanctioned countries.
Shell companies and fronts are a great workaround for that.
How do you know who they sell to? And then, after it's been sold the first time, how do you know where the copies of that data are being sold to by the buyer?
Tell me about it. We need a government account that grants access to banks and utilities via oauth or some other cryptographic protocol that allows revocation at will.
Except that's a political nonstarter in the US.
The military has a 2FA smartcard authentication system that works really well, so it's not like it's infeasible.
A number of of very different groups are very opposed to the very idea: libertarians, (some) Christians, and (many) civil rights activist being the most vocal.
Information inequity. Whomever has access to this data had an advantage on 340M people, and opportunity to understand and influence them.
I think the antithesis of would be information redistribution. Everybody should be entitled to access all of this information if anyone has it. Just for fun lets say the only caveat is that all information access is also public and linked to each identity.
Do you think its better off in the hands of the highest bidders???
Companies are in some cases (in many cases actually) perfectly allowed to collect user information and from a business perspective would be stupid not to do.
Every time you use a loyalty card that information is collected and yes it's used to understand you and perhaps even influence you, to buy certain products. Buying diapers? Have a look at these baby toys. Most people will throw their personal information out there for a price reduction.
The problem here is the leak, not the fact that it exists.
When did I buy diapers from Exactis? I’ve never even heard of them.
I know exactly what my Safeway card is used for. I also deliberately do not register my phone number or other information to it. Of course they can probably associate it with my credit card but these things are easy to reason about.
The real problem is combining all these datasets in one place for the purpose of perpetuating information asymmetry as a product.
So actually yes, the problem is that this dataset of every single American exists.
Safeway may outsource the collection and management of this data to a third party and that company may have a lot of clients and hence records of a lot of people.
I have no idea if that's what Exactis is / does and people may not be aware of this, but it's the reality.
EDIT looks like Exactis gets information on users through cookies, which is not the scenario I wanted to highlight.
You seem to believe you can ward off information collection efforts by controlling yourself what you do and do not communicate to the rest of the world.
While I sincerely admire the quixotic effort, I suspect you are fighting a losing battle.
There are countless situations in daily life where you have no choice but to leak some tiny bit of information about yourself to an external database, and from there on, it's just a matter of cobbling the bits back together.
> and from there on, it's just a matter of cobbling the bits back together
Maybe it shouldn't be. The bit of info I gave about myself I gave (even if implicitly) to a specific entity for a specific purpose. To sell or give that bit to another unrelated, unknown to me entity for an entirely different purpose is a violation.
You have misunderstood my comment. I realize I have no control over what Safeway does with my information or if they or someone else correlates it with other datasets. The data Safeway has is fine by me until it is correlated with other datasets.
That leakage may be inevitable but the correlation is not. We just allow it today. GP claimed that the existence of the Exactis dataset was not a problem. I disagree. That dataset exists only because many disparate sets were linked with that inevitable leakage.
In your example does Safeway need to do all the data analysis on their own? Why can’t they contract out to others to analyze the rewards card data. Rarely do I know every subcontractor a business I interact with is using at the time.
I think people are worried about their data being sold, not some limited chain of custody where the data is only being used for the original merchant's analytics.
>The real problem is combining all these datasets in one place for the purpose of perpetuating information asymmetry as a product.
Rephrased, the real problem is (currently) what happens once it gets combined with that wealth of other data (that's been purchased, shared, snooped and swindled) belonging to our data overlords like Google.
>Of course they can probably associate it with my credit card
Or if you've ever furnished an ID for some age restricted purchase while also using the loyalty card. Then of course theres location data from Android/smartphone, vehicle telemetry (mfg, finance company, mobile data service, OnStar, anti-theft service, insurance co 'safe-driver' tracking device), members of the Telco mafia (VZW,AT&T, etc.), video surveillance providers running facial & license plate recognition, et cetera.
>Personal information is like hazardous chemicals.
Big data is munitions, ammunition that is loaded into algorithms which are like machineguns that can fire at the speed of light millions of times across the world in under a minute.
Just like with weapons of a more physical nature, the problem is that they exist. The fact that they exist means that over time they/it will fall into the wrong hands. The obvious and natural solution to this is to not have them exist, or in this case to not have this database exist.
Yes, I understand companies are allowed to do it. That's beside the point - just because they are allowed to right now doesn't make it right.
So what are the odds someone at Exactis was paid off to loosen the access controls and provide relevant access info to the buyer?
A lot of people would probably do that for a chunk of money.
Starting to think that with databases like this, any configuration change that involves exposure to the internet should involve two company officers turning keys like in a nuclear missile launch.
An exposed elasticsearch server does not equal personal data though. It can be used for anything really. I have two systems that use ES and none of them for personal data.
It is obvious that selling customers' data gives more profit than not selling. No wonder that in countries with little regulation personal data are collected and sold in mass. It is the most profitable strategy for companies that have those data.
I think that the right title should be "Marketing Firm Exactis Exposed a Personal Info Database with with 340M Records on Internet". This is not a leak, at least there is no evidence of it yet. While this does not downplay this security "mishap", there is still big difference between "someone rob a bank" and "bank left their vaults open".
OTOH, it would be interesting to know how did they get hold on such data.
Unusually for me I find your pedantry here too quibbling - even if the bank is left open taking the money is still theft (robbery is with threats/force in my jurisdiction, UK).
The point is there's no evidence a robbery occurred. Someone phoned the bank and told them they saw the vault was left open and that they had better count the money. Nobody knows whether anything was taken yet.
What is messed up is if the firm doesn't have sufficient visibility/logging, they can claim "no evidence" the data was accessed (purely because they Had their eyes closed). IMHO that is negligent - but sadly the various laws tend to support it.
The problem here is it may be impossible to know if anything was taken.
If theft occurs at a bank, the money is gone. If I steal information, the information is still there. Knowledge of theft is completely dependent on a logging system capturing the correct information.
306 comments
[ 3.0 ms ] story [ 281 ms ] threadFor all the do-something-ism in the world, doing "something" often amounts to making things worse, while allowing actual avenues for improvement to fester.
"Hey, you can get sent to jail for collecting and exposing personal information" would make a lot of people rethink their business models.
They advertise themselves as having the most accurate data (why wouldn't they advertise themselves this way?) If so, the people it affects have a right to know, and it seems that they have the means to contact them and let them know.
"The sights of Paris and a personal information purge from the 100 largest US collectors"
Recital 14 - "The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data"
Article 3 (2) - "This Regulation applies to the processing of personal data of data subjects who are in the Union"
This hasn't been tested, and each member state could prosecute differently, but it was certainly discussed and then structured in such a way to be a fundamental truth, and in my non-legal opinion (based mainly just on having read the majority of it) it would be interpreted as such by EU courts (ie, not member state courts)
but how would they ever get the contact information for all of those people? surely that's private information....
oh... right ಠ_ಠ
Most devs don't seem to acknowledge that good security requires having a separate, dedicated person/team to handle it, just like how you would hire a lawyer rather than having your software devs handle legal issues.
I once posted on HN that every company that deals with sensitive data, big or small, must have a dedicated security person/team. My comment was downvoted/flagged, and I was bombarded with responses like "why would we waste the money on a security person? my dev team already knows to encrypt passwords".
In fact, I almost certainly know only a tiny fraction of what the actual experts in that company knew, but a number of people have told me that I know a lot more about it than the average developer.
That scares me, and if people flame someone for recommending that a dedicated security expert be hired by companies that handle sensitive data, I can only conclude it is out of ignorance - of what's out there, and what's possible.
On the other hand, there are economic realities to consider, especially in early-stage, underfunded startups. What do they do about this?
Its hard to even think about these things for those of us working at low levels, firmware, embedded, etc...
Your comment got me to thinking about what I don't know. Which is a whole lot.
But you guys are expensive and management can't tell what you do, so we invented devops to make the developers do it. It worked perfectly until it didn't.
Seriously though, as a dev with script kiddie levels of pen-testing skills it's amazing the amount of potential exploits out there. Even where I work with sensitive data it's assumed that the only attack vector is external.
To be fair, I'm not sure they made the wrong choice.
People may be up in arms about this being a "breach", but think about it: they're a "data brokerage" company. Consider this breach a sale price of $0. My point is what should be scary is that all of this data is bought and sold about all of us, all the time, in the first place.
Reminds me a startup that I used to work for a while back. We had hired a new hot-shot marketing VP. First thing he does is to purchase 'qualified leads' from some dubious data broker and trumpet how he had generated more leads in his first week than the company had over it's existence. Then the new hot-shot VP of sales hires a couple of inside-sales guys to call through this massive list with a script (which they probably bought from somewhere too since I don't recall recognizing our product from it) provided by new marketing VP.
This was a time when people still answered when someone called from unknown number. I remember chatting with the poor inside-sales guys who had to do the calling, and oh boy were they frustrated, but that was nothing compared to how badly the calling was received by people who got the calls.
I am pretty sure company got exactly zero sales out of that exercise and probably killed a few future deals too. But I am sure at least marketing VP met his KPIs.
Moral of the story: there are shady people out there that are more than happy to pay for all kinds of data sets.
I believe that as a society we should exert more control over our data, and companies selling it should be scrutinized, regulated and taxed for doing so.
A white hat, in the context of these surveillance companies, would be Tyler Durden.
As I and others have said elsewhere, the data was leaked the moment it was collected and priced for selling to attackers. Forgoing full disclosure is really just blunting the truth, giving corporate whitewash a leg up, and delaying society learning the lesson of what we're up against. As (presumably) individuals and not owners of surveillance companies, we shouldn't bless this behavior as being in the public interest.
I’d love to search this database for the details of top people at privacy-violating companies and publish them.
Who defines "privacy-violating"? Jumping into the mud because you feel aggrieved just makes you look like a pig.
Basically anyone who profits off user data and makes it difficult/impossible to opt-out.
You can even force the companies subjected to the FCRA[1] to give you a report on exactly what they have on you.
[1] They are subject to the FCRA if the data is sold to companies who make use of it in credit, employment, and housing decisions.
As long as all those needles are safe in the haystack they can be ignored, a stack of needles on the other hand is not so easily ignored.
I'm talking about revealing the same kind of data their companies collect on us, which is way more personal and could contain embarrassing stuff.
When the top folks in the US government are personally affected. Until then, "congressional hearings" and presidential ambivalence is the most action we'll get out of them. Most people don't really understand what the significance of these events are.
The OPM breach covered a lot of powerful senior people.
https://krebsonsecurity.com/2014/03/who-built-the-id-theft-s...
Remember, we only got the Video Privacy Protection Act after someone published Bork's rental history during his supreme court nomination[0]. I had to say that public shaming works, but, public shaming works.
[0]https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act
In some cases you're not knowingly giving them your data either.
With the advent of the chip and pin cards in the USA, it seems logical that just about everyone upgraded to equipment that does support it; which might explain why you are only seeing this in the past year.
I don't believe it'll be feasible to purchase just one person's purchase data [easily], but if you knew who you wanted to get to, it should be possible to narrow the targeting to get to them
[1] http://www.oracle.com/us/solutions/cloud/data-directory-2810... [ctrl+F + mastercard]
but i guess it might be different for different acquirers.
the purpose of loyalty cards is that the messages are usually acquired or processed on non-bank systems so they can go into much greater detail and include individual sale item details
(quizzical look)
Are you aware of their MPerks program? Tied to your phone number and an email address, electronic receipts, tracking of your savings, online/in-app clipping of coupons auto-applied at checkout time, automatic "rewards" of $2-3 for every $150 you spend.
The only part of a traditional loyalty card program it doesn't have is making their sale prices apply only with card, but it definitely gives you measurable (and measured) discounts both passively through those "rewards" and actively via the in-app coupons.
I scratched that, and other lines, out of my rental agreement when I rented my New York apartment. The landlord agreed.
So I refused and made it clear I would walk away. The sales guy went though the whole ‘it’s not a problem, I’ve bought cars from here and haven’t got spammed’. In the end he had to get a manager and it turned out that the option could be removed from the contract, three menus down in the system.
Sounds like no one had ever asked before. I imagine GDPR will have changed this to opt-in.
You can't stop data loss until you can guarantee platform security. You can't do that until you prevent developers from creating bugs and security flaws in the first place. You can only do that unless you have either perfect tools to catch all the issues or a perfect testing regime.
It's basically an unsolvable problem.
If the problem is inevitable on some level, then why isn't insurance to cover that eventuality required?
Edit: On a more practical note, it's always baffled me how normalised it is. People who defend fascists in the US media are still respected and hired. They might be prominent political figures. Somehow calling attention to someone who is fascist is confused by anyone doing something as simple as saying "liberals are evil!", as if the two party system there has anything to do with racial supremacy. As an outsider, you look at it and think "This is the country that helped liberate Europe from the Nazis. How are they not ashamed?". Maybe I think the first step is allowing shame to enter into things when you think about your nation, instead of a quasi-religious patriotism.
There is no rising fascism in America, if people really knew anything about the Wiemar Republic, Republican Spain, or March on Rome they would know that the left always loses when it tried to be humane and gain power. The only time the left gains power is when 'tankies' are the ones leading the resistance.
But, remember the left chooses the hard road, not because they can but because it is moral.
Regardless, Trump is absolutely a fascist. It seems a bit futile to disagree.
And of course we can’t make honest claims to democracy until then either.
With corporate interests.
If the congress is unable or doesnt want to draft a bill to stop predators from milking money off of your data, then that money probably ends up in their pocket some way. Or at least some of it.
Please dont quit your job for the sake of your security - food, shelter, etc. Move these assholes out with next election. Vote in young people that are probably as angry about this shit as you are, in hope they won’t sell out their soul.
You should reach out to a venture called Equifax. They are providing customer alerts for data breaches and a premiere data protection service.
Your imagination is working against you here. The obvious and well-known reason that congress is ineffective is they work for the private sector, who is the disease; not the cure.
Here you go, first result in Google:
https://morningconsult.com/2018/01/16/months-after-data-brea...
> Average person saw Equifax commercial on “hey be smart we will keep your info safe with alerts” and thought “wow this company cares about my data” when its precisely opposite.
The result you cite is a general consumer favorability rating for Equifax, which is different than this particular claim. People who didn't hear anything about Equifax and Congress are included in the general consumer poll. I'm not trying to nitpick, I'm just pointing at a lack of data for this particular claim.
And yet, when GDPR tries to address the issue, HN is full of "blocking the damned EU users completely" and "stop stifling honest companies".
I mean, I'm a "tin hat" privacy nut in the USA, but that doesn't mean that I'm a fan of 100% of the GDPR. It has plusses and minuses. It'd be nice to have a conversation about them.
Absolute liability for data losses. Exactis lost 360 million peoples' data. They should be able to (a) form a class and (b) extract money damages from Exactis without having to prove specific harm, which is difficult to do with data loss.
A good model is Illinois' Biometric Information Privacy Act [1]. Broaden the the definition from "biometric identifier" to a longer--but still specific--list. If you want to get fancy, create a regulator who can add things to the list after a public hearing. (The specificity avoids GDPR's "what's personal data?" mess. The public input mitigates the risk of unintended consequences and corruption.)
[1] http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004
Well they do. Our government takes money through fines and taxes and uses it to build infrastructure and provide services.
> which would make sense with personal data being leaked.
My preference would be that personal data not be leaked at all. Ideally the warnings and fines kick in long before that happens.
> A fine also misses companies who are "doing what the law says" but still have some horrible flaw anyways.
What example are you thinking of?
The GDPR is quite broad and open to interpretation by both sides.
> If you are _genuinely_ responsible for the data, meaning if something happens to it you are liable for it, then you often take more care of it above and beyond, than for simply complying with rules.
That's what the GDPR does.
Requiring people to lawyer up to make the company responsible is far weaker.
Me too! But not at any cost. This discussion involves thinking about scope (both in who and what is regulated), penalties (both in frequency and magnitude) and pre-emptive enforcement, if any. The trade-offs are far-reaching. A conservative approach is prudent. (It's also politically resilient.)
> GDPR is quite broad and open to interpretation by both sides
That's a sin and a virtue.
> Requiring people to lawyer up to make the company responsible is far weaker
This, too, is a sin and a virtue. The sin is it may allow bad deeds to go unpunished. But presently, everything is going unpunished. The virtue is in its prudence. It's unlikely to cause systemic harm, and we can observe its case law to more-precisely draft the next wave of rules.
And what is this "any cost" rubbish?
Using fines to fund public services creates perverse incentives though, especially where the fines go directly to the agency that brings the case.
> Well they do. Our government takes money through fines and taxes and uses it to build infrastructure and provide services.
That's only true if you consider the public at large to be equivalent to any individual member of the public, or if you believe only the government is "injured" by a data breach.
If I stole all your money and repaid it in fines to the government instead of directly to you, would you consider the matter settled?
Nonsense.
> If I stole all your money and repaid it in fines to the government instead of directly to you, would you consider the matter settled?
I mean, that's typically how it works.
People get robbed by people who don't have the ability to directly restore what they've taken, so the state takes them into custody and makes them a productive member of society.
Would I consider the matter settled? Gee, I've seen some really stupid arguments on the Internet that have made me wish I could punch someone over TCP/IP, but while I'm wishing I'm not going to wish for that either.
Can you please detail why paying a fine to the government is the same thing as paying a fine to the people injured by a crime?
Replace EU by "the data/privacy regulator of the country in question"
Of course, "responsible" and "data aggregation company" rarely belong in the same sentence...
Reporting requirements. If you find out you're breached, you have to notify everyone involved--plus their states' attorneys general--within N days. If you find out you're breached and fail to notify at least one attorney general, that becomes a criminal liability for those who knew but didn't act.
I was working with Albany on a law in this form (notice only) after the Equifax breach. It was tabled due to lack of Equifax-related outreach from voters.
I suspect this is because the very people who would be the most vocal about this issue are also the most politically cynical, and would never think to reach out to their representatives. That's a damn shame, if true.
For example, Europe was first on texting on the mobile network while the US (single country) took years to come to a standard.
I think it will be the same with regards to GDPR. You (US) will discuss this for years and come up with a different law.
There has been an enormous amount of discussion. It's been law for years and it's the amalgamation of various European countries individual DPR.
What exactly is your snowflake complaint that you think hasn't been discussed yet?
But after going several answers deep you still haven't listed any specific complaints and instead complain that nobody discuss them. This really make no sense.
So, feel free to explain what specific things you dislike, why, and how else you would have done it, and then people would be able to discuss them with you and exchange opinion.
Saying "it's not possible to talk about x" when you don't even try to really isn't the way.
The work sucked, but I was more than happy to help our customers get their data from us.
No one lost your data, they still have it, but someone else made a copy.
That emphasis is twofold: 1) they can do it again, because 2) they didn't lose anything.
The corollaries being that their incentives aren't aligned with the people whose data is leaked, the company don't need to spend on avoiding leaks because they're not harmed beyond a little (bad) PR.
The pedantism is unhelpful.
Data are facts, money is a repository of value. With a bank, you are the customer. With marketing, you are the product.
It will only change when consumers demand it to change or outright refuse to give their personal information away. I think everyone should adopt pseudonyms for everything and to be constantly changing their pseudonyms regularly.
Data about you is not (necessarily) data you own.
I'm not saying it's right, but any reasonable discussion has to take this legal landscape into account.
Without more information I can only assume they are scraping public records just like sites like Spokeo etc. Perhaps with some data analysis thrown in.
So I don't see much of a personal concern; especially since their business model appears to be selling this very data!
If this data comes from just scraping other sources that are freely and publicly available and applying some shitty data analysis on it, why should I be particularly concerned? The data itself is already out there for someone to find if they wanted to or even buy it from this company if they are too lazy to scrape themselves.
However, the source of the data wasn't in the article.
Externalities of data breaches keep increasing.
> Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.
It might be "comprehensive" but is it comprehensive in a scary way? It's probably just 400 machine learning features that are estimating what people might like, so not necessarily super accurate?
Imagine you're a pastor at a church and a datadump claims you're an atheist. Maybe you can convince people it's a mistake, maybe you can't.
Even worse. Many people say they “don’t have anything to hide” because they too haven’t considered the vast consequences regardless of having something to hide. For starters, when the data is inaccurate, you might have something to hide that even you didn’t know about, and it could be responsible for all sorts of events and opportunities in your life both public and private without you even knowing. Things that give you an different life experience than your friends to an unknown degree. This sort of lack of knowledge, control, deprivation of explanation or closure etc. would be the lived experience of chaos and it’s one of the most frightening parts.
Birth certificates. Creditworthiness.
At the age of 54, Sigmund Arywitz was a healthy American success story. He was making $30,000 a year as executive secretary and treasurer of the Los Angeles County Federation of Labor, AFL-CIO, his family was sound, his reputation high on all counts, and he had just finished eight prestigious years in Sacramento as state labor commissioner under Gov. Edmund G. (Pat) Brown. But something was awry. In the space of one year, five Los Angeles department stores refused Sig Arywitz charge accounts, and a major car-leasing company turned him down for credit -- even though he had a walletful of oil-company and other credit cards and had always paid his bills on time....
1970
http://www.thedailybeast.com/articles/2013/06/11/is-privacy-...
See also: Cardinal Richelieu.
Context on the reference: https://history.stackexchange.com/questions/23785/what-did-r...
The only difference is that it was briefly available without a price tag.
I'm much more worried about the persistent legally-blessed attacks against our decision making (eg advertising) and financial independence (eg price discrimination), than about receiving backscatter from uncoordinated randos defrauding banks et al. Banks who are responsible for much of this surveillance infrastructure in the first place.
At least without the leak they have the option to refuse.
Shell companies and fronts are a great workaround for that.
How do you know who they sell to? And then, after it's been sold the first time, how do you know where the copies of that data are being sold to by the buyer?
Turtles all the way down.
edit: nope, this is infinitely worse.
https://news.ycombinator.com/item?id=17420849
A number of of very different groups are very opposed to the very idea: libertarians, (some) Christians, and (many) civil rights activist being the most vocal.
I think the antithesis of would be information redistribution. Everybody should be entitled to access all of this information if anyone has it. Just for fun lets say the only caveat is that all information access is also public and linked to each identity.
Do you think its better off in the hands of the highest bidders???
Every time you use a loyalty card that information is collected and yes it's used to understand you and perhaps even influence you, to buy certain products. Buying diapers? Have a look at these baby toys. Most people will throw their personal information out there for a price reduction.
The problem here is the leak, not the fact that it exists.
I know exactly what my Safeway card is used for. I also deliberately do not register my phone number or other information to it. Of course they can probably associate it with my credit card but these things are easy to reason about.
The real problem is combining all these datasets in one place for the purpose of perpetuating information asymmetry as a product.
So actually yes, the problem is that this dataset of every single American exists.
I have no idea if that's what Exactis is / does and people may not be aware of this, but it's the reality.
EDIT looks like Exactis gets information on users through cookies, which is not the scenario I wanted to highlight.
While I sincerely admire the quixotic effort, I suspect you are fighting a losing battle.
There are countless situations in daily life where you have no choice but to leak some tiny bit of information about yourself to an external database, and from there on, it's just a matter of cobbling the bits back together.
Maybe it shouldn't be. The bit of info I gave about myself I gave (even if implicitly) to a specific entity for a specific purpose. To sell or give that bit to another unrelated, unknown to me entity for an entirely different purpose is a violation.
But there's unfortunately no regulation in place to insure that.
And if there were, GDPR style, there would still be the matter of:
That leakage may be inevitable but the correlation is not. We just allow it today. GP claimed that the existence of the Exactis dataset was not a problem. I disagree. That dataset exists only because many disparate sets were linked with that inevitable leakage.
Rephrased, the real problem is (currently) what happens once it gets combined with that wealth of other data (that's been purchased, shared, snooped and swindled) belonging to our data overlords like Google.
>Of course they can probably associate it with my credit card
Or if you've ever furnished an ID for some age restricted purchase while also using the loyalty card. Then of course theres location data from Android/smartphone, vehicle telemetry (mfg, finance company, mobile data service, OnStar, anti-theft service, insurance co 'safe-driver' tracking device), members of the Telco mafia (VZW,AT&T, etc.), video surveillance providers running facial & license plate recognition, et cetera.
[1]https://www.washingtonpost.com/news/the-switch/wp/2017/05/23...
The fact that the information exists guarantees that it will leak. If not from one company, from the next.
Personal information is like hazardous chemicals.
Big data is munitions, ammunition that is loaded into algorithms which are like machineguns that can fire at the speed of light millions of times across the world in under a minute.
Yes, I understand companies are allowed to do it. That's beside the point - just because they are allowed to right now doesn't make it right.
A lot of people would probably do that for a chunk of money.
Starting to think that with databases like this, any configuration change that involves exposure to the internet should involve two company officers turning keys like in a nuclear missile launch.
https://www.shodan.io/report/yhaN9gje
death's too good for them.
OTOH, it would be interesting to know how did they get hold on such data.
If theft occurs at a bank, the money is gone. If I steal information, the information is still there. Knowledge of theft is completely dependent on a logging system capturing the correct information.