Ask HN: GPT-3 reveals my full name – can I do anything?
I try to hide my real name whenever possible, out of an abundance of caution. You can still find it if you search carefully, but in today's hostile internet I see this kind of soft pseudonymity as my digital personal space, and expect to have it respected.
When playing around in GPT-3 I tried making sentences with my username. Imagine my surprise when I see it spitting out my (globally unique, unusual) full name!
Looking around, I found a paper that says language models spitting out personal information is a problem[1], a Google blog post that says there's not much that can be done[2], and an article that says OpenAI might automatically replace phone numbers in the future but other types of PII are harder to remove[3]. But nothing on what is actually being done.
If I had found my personal information on Google search results, or Facebook, I could ask the information to be removed, but GPT-3 seems to have no such support. Are we supposed to accept that large language models may reveal private information, with no recourse?
I don't care much about my name being public, but I don't know what else it might have memorized (political affiliations? Sexual preferences? Posts from 13-year old me?). In the age of GDPR this feels like an enormous regression in privacy.
EDIT: a small thank you for everybody commenting so far for not directly linking to specific results or actually writing my name, however easy it might be.
If my request for pseudonymity sounds strange given my lax infosec:
- I'm more worried about the consequences of language models in general than my own case, and
- people have done a lot more for a lot less name information[4].
[1]: https://arxiv.org/abs/2012.07805
[2]: https://ai.googleblog.com/2020/12/privacy-considerations-in-...
[3]: https://www.theregister.com/2021/03/18/openai_gpt3_data/
[4]: https://en.wikipedia.org/wiki/Slate_Star_Codex#New_York_Time...
362 comments
[ 3.0 ms ] story [ 312 ms ] thread> Exercising Your Rights: California residents can exercise the above privacy rights by emailing us at: support@openai.com.
If you happen to be in California (or even if you are not) it might be worth trying to go through their support channel.
I'm also not a California resident, but I am under GDPR, which I understand is similarly strong. I'll try emailing them and see where it goes.
[1] https://openai.com/privacy/
I didn’t anticipate the use case of GTP being used by debt collection agencies to tirelessly track down targets.
It will be a new type of debtors prison where any leaks of enough personally identifying facets to the internet will string together a mosaic of the target such that the AI sends them calls,sms,tinder dms, etc. until they pay and are released from the digital targeting system.
Specifically, the AI model has both stored the personal data, and arguably "formed opinions" about it.
The first step would be to contact the people who own the model, and ask them under what terms they're storing the personal data. Do they have an exemption? The answer is probably no.
Then, you make a GDPR Erasure Request - delete my data. At that point, given that the company is based in the US with no European branch, then it largely becomes a matter of politics. If your local information regulator feels like it's worth pursuing, they'd contact the company and ask them to sort it out. At that point it's a matter of realpolitik - OpenAI (or whoever have this particular dataset - I'm not sure) probably don't want this to become a talking point - the process would probably result in them deciding to remove your PII from the training set.
There are bunch of other ways it could go of course - the local regulator may decide to sit on it, or the people in charge of the model might decide to ignore EU rules.
> prompt: "Who was the first president of the United States?"
> response: "The first president of the United States was Aw@e%%t3R!35"
Sure, it'd make GPT less useful if it garbled all names, but that's a tradeoff made for the sake of ethics in the case of image generation. I don't see why this situation should be any different?
There’s also the issue of recognizing what a name is - is April a name? Joy? JFSmith1982? 542458?
And it's precisely the names that are most identifiable that are hardest to detect.
I'm afraid that we are going to see these kinds of issues proliferate rapidly. It's a consequence of the usage of machine learning with extensive amounts of data coming from "data lakes" and similar non-curated sources.
You found try something like "The full name of the person with username skywal_l is"
(the answer given is "Skyler Wall")
Even for OP it doesn't work, it just guesses "H* Boppre" (with a different name liks Hans, Horatio, etc. every time) which just so happens to be close enough to their actual name because their nickname is their real surname.
Also keep in mind even obvious / common things may not be indexed, but openai gpt3 will rather make something up than say it doesn't know. So if you get randomness, maybe it just doesn't know.
As a purely practical matter -- again, not going into whether this is how things should be, merely how they do be -- it is futile to want the internet as a whole to have a concept of privacy, or to respect the concept of a "digital personal space". If your phone number or other PII has ever been associated with your identity, that association will be in place indefinitely and is probably available on multiple data broker sites.
The best way to be anonymous on the internet is to be anonymous, which means posting without any name or identifier at all. If that isn't practical, then using a non-meaningful pseudonym and not posting anything personally identifiable is recommended.
Good luck with that.
It's another different thing for my name to be auto-completed by the most popular, publicly available language model. That I'm less ok with, and I'm sure other people will find absolutely despicable.
We have GDPR and Right to Be Forgotten for a reason.
There appears to be a name on a YouTube channel too that doesn't even need any additional steps (ie the jumping into repos and then licence files you mention above)
Putting that aside, why is this such a concern? it's just a label. It would be another thing if you had something more meaningful being revealed (eg current physical address) but username / real name alone is generally not that big a deal and it's plausibly deniable (ie there could be plenty of other username / real name pairings that are valid)
Anyway, this comes across rather like the Streisand Effect
…Not to reveal information here (counter to your goals) but there was no way this thread wouldn’t motivate people to see how hard it is to find your name. But I was surprised to see the username contained a word from your real name considering you’re concerned about revealing personal information.
Making a new online identity is pretty standard practice these days if you’re worried about this sort of this. Especially if you read Grugq’s stuff about modern opsec (just google his name).
If you find that so strange, read up on Scott Alexander[1], who deleted his entire blog when the New York Times threatened to publish the third and last part of his name.
I'm trying to keep basic hygiene, like not having *Hacker* News on the first page of results when somebody googles my real name.
[1] https://en.wikipedia.org/wiki/Slate_Star_Codex#New_York_Time...
this has nothing to do with AI or GDPR. the places you gave this information were public. when you do this there’s no way you “ try to hide my real name whenever possible, out of an abundance of caution.” you’re doing all the things any basic infosec lesson would tell you to not do
If there's a prompt out there that doesn't contain your username but does spit out your full name, that's a bigger concern.
EDIT: Oh, and as far as bots go: I really can't imagine someone coding their bots to rely on GPT-3 for personal info. GPT-3 doesn't have an "I don't know" answer. In your case it might turn up something useful, but for most people it would turn up nonsense that is indistinguishable from something useful. It's far more reliable and most likely cheaper in the long run to just buy the data.
Buying the data is quite possibly more cost effective but 'far more reliable' is, I suspect, an overestimate of the quality of the data available to buy.
Just take a look at Google Trends for your username: https://trends.google.com/trends/explore?date=now%201-d&q=Bo...
If I were you I'd do the following:
1. Email dang (hn@ycombinator.com) to ask how he can help with damage control.
2. Stop commenting under your now de-anonymized alias. Any future posts on this topic should be from a freshly minted HN account.
3. There are still quite a few open source repos under your GitHub handle that contains your full name in the LICENSE.txt, so you might want to strip those out as well.
Good luck with getting OpenAI to extricate your full name from their model.
The larger question I think is what happens with OpenAI when it comes to information specifically prevented from publication by a court order - for example the new name of Robert Thompson. How can an AI be held in contempt of court?
What about when AI puts an end to witness protection as it works out who the new identity is. Between behavioral and photo matching it should be quite easy. What happens when it gets it wrong?
I was hoping to create a conversation about privacy in language models and it's slippery slope, and in that it was partially successful.
It's hard to get worked up about privacy in language models when the big scary case in front of us is one where the person in question admits they never cared much about maintaining anonymity.
The language model is just a different way of organizing the information that is already out there. It doesn’t create or expose any new information, and it’s ability to correlate information with other information isn’t superior to the other, existing, ways. If someone is attempting to find out the real person behind your username, a google search still works better than typing your username into the language model.
The real lesson (and one that predates language models like GPT), is that we can no longer rely on the strategy of being ‘lost in the crowd’ to preserve our privacy. When you took all of those actions that connected your username to your real name, you probably thought, “this is just one little obscure thing, no one will ever find it.” Of course, Google finds everything.
This is completely unrelated to things like GPT.
At some previous logistics company this was something I questioned regarding a new tool for managers that could more easily track driver performance as opposed to digging in many old systems, taking notes and making inferences.
Because the new tool made it easier, even though the data is the same, the company's lawyers were very skeptical of this in relation to the driver's privacy.
There is something grey about this I think. Ease of access do matter to some extent, even though my engineering brain says the data is the same so it doesn't matter.
A lot of our historical privacy has been based on practicality. We don't worry about someone monitoring us all the time in public because it would be expensive and exhausting to follow us around all the time, and there is no way to follow everyone.
Computers change this. Computers are great at doing repetitive, boring, tasks forever. A person couldn't watch every camera 24 hours a day, but a computer can.
It is absolutely something we should think about.
I'm not convinced that's practically tenable these days, but on a moral basis I endorse it and would present Scott Alexander as an example of why.
(1) I seem to remember a court case somewhere on the planet in the last months where lack of resistance was deemed indicative of consensual intercourse. Which is not even remotely acceptable. But I digress.
Not for me. It took until page 3 for just my first name to appear. If somebody is looking at past Github commits, that's already a high enough barrier for me.
I only partially agree with your conclusion. Asking people to maintain total anonymity always, with any slips punishable by permanent publication of that PII, might be the current status quo, but is not where we as society want to head.
You can't "put the genie back in the bottle". It's out there, the Internet remembers forever.
There's no reason why language models should be immune from what is standard expected behavior in society.
I'm not raging against the sea, I'm raging against a bulldozer operator who has plugged their ears.
The papers you referred too in the top comment have been talking about the ability for AI to infer PII from anonymous data. But that’s not what happened here. You are complaining about AI returning non-anonymous data with easily findable results via other mechanisms. I’m not sure I understand why AI should be expected to understand and filter out information that is otherwise public?
So sue OpenAI then. That's your recourse if you believe you've been harmed. I don't think you'll be very successful, given that even people here aren't strongly on your side. I think normies on a jury trial are going to be even less sympathetic to your arguments than the HN crowd.
Another early result in DDG is a profile on deviantart, which you may not want linked to your professional identity (or maybe you do).
Your steam community page has a list of hundreds of games you own.
Fundamentally your problem isn't as much that your github account links to your name, it's that you use the same identifier across the web, one that isn't common like "neo", from "interesting" sites like deviantart to more normal ones like ubuntuforums.
You've removed your CV from your website, but it's still in internet archive. And do you really want your CV hidden? You've gota a good portfolio of work on the internet.
To me, the lack of separation of your names is far more of a challenge to your anonymity - especially when you call it out by posting something like this under that nome-de-plume. You have multiple aspects of your life that you can present in different ways, choosing a single unique nickname links those together, is that what you really want - even if your real name wasn't connected to it?
Again, I'm not too concerned about my name or what comes up on Google or GitHub because they follow GDPR.
Language Models are already as powerful as google searches in finding my name, but there's not recourse. What will this look like in 5, 10, 50 years?
Your problem is that you gave consent and chose to publish your PII and now want it revoked globally long after the fact. That is extremely problematic since it’s very very difficult to unpublish things once published, and there is little if any precedent for people being able to change their mind. Nobody expects to be able to unpublish a book such that it cannot be recovered or reprinted after copyrights expire, that’s just not a thing, right? This isn’t a problem with language models, this seems like more of a problem with exposing yourself and then changing your mind.
It would be great if there were tools to help manage this, but that’s not something that has ever existed nor is codified by GDPR or any other current laws. That said, your concept does present an opportunity for an idea that someone could implement and start a business or organization for.
GDPR Art 17:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
[...] the data subject withdraws consent on which the processing is based [...] 2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take __reasonable steps__, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
> Nobody expects to be able to unpublish a book such that it cannot be recovered or reprinted after copyrights expire
Government do and it can be done: https://en.m.wikipedia.org/wiki/List_of_books_banned_by_gove...
“Where the controller has made the personal data public”
Again, GDPR does not protect you from yourself: it can’t! And we don’t want it to, we don’t want a surveillance state that bans public information and removes control, nor do we want people to censor history after the fact, right? As has always been the case, privacy needs to be considered before publishing information about yourself, not after.
Banning books is different from what I suggested, that’s the government deciding something is illegal, not the author changing their mind. Banning books also doesn’t cause them to be forgotten. It’s not a great example of what @BoppreH is wishing for, wouldn’t you agree?
How? 10 years ago one could not expect that all of the internet is used as training data for an AI model.
The processor has to have a legal basis for processing your data even if it is publicly available. One could argue that there is some kind of consent if the data is publicly available, but consent can be revoked.
https://en.m.wikipedia.org/wiki/Right_to_be_forgotten
> The right to privacy constitutes information that is not publicly known, whereas the right to be forgotten involves removing information that was publicly known at a certain time and not allowing third parties to access the information.
I think you could make a case under GDPR where making the model is data processing and the BoppreH could demand to be erased for the dataset. Why is he in the dataset in the first place? Why is anyone? Am I in it? Aren't this legitimate questions?
I’m not arguing that all publicly available information implies consent (it does not), I’m simply repeating what @BoppreH already said : that he gave the consent in this case. The reason we need GDPR and other privacy laws is primarily for cases when someone else decides to publish your PII. This is different, this is a case of the user publishing their own PII and allowing it to be public for a long time.
> How? 10 years ago one could not expect that all of the internet is used as training data for an AI model.
Hehe, are you joking? You must be young because people have been expecting this information explosion and archival for a hundred years and more, and people were talking about using the whole internet for AI training ever since the internet and neural networks were invented, complaining that we didn’t have the computational power yet, more than 50 years ago. Archive.org (saving the entire internet) and Google (indexing the entire internet) both launched almost thirty years ago. Ten years ago there were already debates that could stand in for this very thread.
The AI model is completely irrelevant here, and it has been from the very first comment. AI isn’t @BoppreH’s problem, his problem is that he willingly published his name on the internet and now doesn’t want people to know it, via Google or any search index. The AI did not glean any PII about him that Google and Bing and multiple other sites hadn’t already indexed.
As to how … Well, there are sayings out there older than dirt that clearly discuss how to keep your things private. The so-called “New York Times” rule is pretty well known, but is just one example in a class of such general advice that is probably as old as the printing press, and comes in many variations. Don’t do or write down anything you wouldn’t want printed on the front page of the New York Times. If it’s private, keep it private.
* BTW I’m sure you saw that above the WP sentence you quoted, there was a lot of text that broadly if indirectly supports what I’m trying to say. The right to be forgotten isn’t the right to be forgotten from all online existence, it’s not something you can use to force all published information about you for all time to disappear at everyone else’s expense, it’s a right that people can sometimes exercise to fix specific mistakes, and it gives specific examples such as revenge porn. And again, most of the examples involve someone else publishing your info without consent. Wishing the right to be forgotten gave us editorial power over history is extremely problematic, as was stated right on that Wikipedia page.
He consented and if this is the legal basis, he has the right to withdraw the consent at any time without reason. The data then has to be removed. This is done by search engines on regular bases, e.g. DMCA Takedowns.
> Hehe, are you joking? You must be young because people have been expecting this information explosion and archival for a hundred years and more, and people were talking about using the whole internet for AI training ever since the internet and neural networks were invented, complaining that we didn’t have the computational power yet, more than 50 years ago
To average Joe this is still something out of the realm of science fiction. They are still wondering if the phone is listening to them if they get ads of products that they are talking about.
I understand your point and I am ambivalent about both sides but in doubt I would opt for the strong privacy side. Ea-nasir for example could not have dreamed about what happened to the complaint letter [0] and this is not something New York Times worthy at the time the complaint was written.
[0] https://en.m.wikipedia.org/wiki/Complaint_tablet_to_Ea-nasir
From whom?
Your claim there is neither broadly true according to both articles you quoted, nor is it particularly practical. And the practical part is the part you are consistently ignoring here. Theoretical rights are useless if they can’t be realistically exercised. This is no longer something he can request of any one single company, the data is presumably all over the internet, with no reason to believe GDPR even applies since GDPR has no jurisdiction over non-EU sites that don’t target EU users and don’t do any specific business in the EU. You might be able to request something from Google maybe, but good luck and Godspeed with Baidu and Yandex and any site outside of EU jurisdiction.
DMCA takedowns target specific content, they are used by copyright holders to assert rights to a given video, song, image, etc. DMCA takedowns have not been used to erase years worth of random PII connected to someone’s username on the internet, nor has GDPR, nor has a right to be forgotten law. And, as everyone knowns, DMCA takedowns are sometimes completely ineffective because it’s hard to put the two million cats back in the bag.
The most troubling part of this thread to me is multiple people here asserting the existence of seemingly absolute rights without even a passing acknowledgment or thought to the ramifications and what negative consequences it would have if people started demanding editorial power over the entire internet over casual, consensual, and non-damaging PII. It might not be apparent from my comments yet, but I’m a firmly in the camp of privacy advocates, I think the GDPR has done wonderful things, and yet I see this argument as both lacking historical perspective and being completely unrealistic. I don’t want to live in a world where it’s illegal to record history and everyone can erase minor things they regret long after they explicitly agreed to publication. I’m perfectly fine with the existence of rights to undo certain mistakes and wrongdoings, but generally speaking I think it’s a mistake to even want the ability to revoke any non-threatening public information at any time, completely aside from the fact that that is not actually broadly available in any country today.
> The most troubling part of this thread to me is multiple people here asserting the existence of seemingly absolute rights without even a passing acknowledgment or thought to the ramifications and what negative consequences it would have [...]
There are absolute rights. Absolute human rights, everyone has them, practical or not. Even if you can't enforce them. Protection of personal data is such a right.
Sorry for all the pathos, but I firmly believe it. I think this is the core of our discussion. Maybe our fundamental disagreement. I understand your point of view but I weight other aspects stronger and you other aspects.
So yeah if you’re talking only abstractly and intentionally ignoring the practical then we’re definitely talking past each other a bit. It’s hard to discuss rights that can’t be enforced and aren’t part of a specific legal code; normally if it isn’t law and can’t be enforced, it’s more of an idealistic goal than a right. GDPR is entirely based on “reasonable” precautions, it does not and cannot demand anything impractical of companies that haven’t violated the law. Imagine you’re giving @BoppreH actual advice about what to do, and tell me what he can realistically do that won’t cause him months or years of work and frustration, or ultimate failure to revoke and protect his published PII.
I should be in charge of my PII. I am in charge of my PII. What does “in charge” actually mean though? There are two specific issues here in this case that make the question of who should be in charge a moot question. One is that @BoppreH was in charge of his PII and chose to publish it. That is control over his PII that he exercised. His actual stated wish was for GPT-3 to somehow guess that his PII found on Google should not be indexed by GPT-3. A human wouldn’t do that, so why should a machine? My issue here actually does go straight to your question: if someone revokes intentionally published PII, that can cause harm to others. Imagine you write a biography and in it in a chapter about your best friend BoppreH, who agrees in writing to be featured in your book. You publish the book and six months later your friend says, “no, wait, I don’t like that anymore, I revoke it and I want all mention of me retroactively erased: I have a right!” What can you actually do? This could cause loss of income for you and your publishing company, distress and loss of friendship, lawyer fees, reprinting, destruction of unsold stock, costly time spent editing and renegotiating and redistributing. I’m imagining just a few of the many bad things that could happen with a book, but there are many analogous issues, and some unique problems too, with deletion of data online.
Have you considered the possibility that @BoppreH may have in effect signed multiple contracts stating that he agrees to publish personal information and not hold the publisher liable for it, or demand that it be taken down? (This is not an abstract question, this is what GitHub’s license states, for example, and others here pointed out that some of his PII was on GitHub.) How do you reconcile a so-called right to revoke PII with consensual contractual agreement to publish this PII? You’re arguing that this right to revoke should be allowed to override signed contracts without cause? There are so many legal & practical problems with that idea, I don’t know where to begin.
The other issue is that once information goes public, it cannot be reasonably contained. The transition from private to public is a one way street, it always has been, and it has never gone the other way, by and large. This is in fact codified into law in many ways (securities laws, for example, specify actions to take when insider information is leaked), and the fact that the publishing of information can’t be taken back has been the default assumption for humanity for a very long time.
The idea that somehow you can revoke something that’s published and public is a very new idea. The idea that it can be for any reason at any time even if you previously agreed to it is a very naïve idea that doesn’t yet exist in practice. It’s a good thing that there are specific exceptions, but in general unpublishing on a whim isn’t realistic. We already know that media companies haven’t been able to stop movie or song piracy with DMCA nor copy protection schemes nor fines & lawsuits, why would we...
Publishing one name publicly gives no explicit nor implicit consent to third parties to handle such data.
You absolutely have the right to change your mind, and company need to delete your data on demand.
Gdpr absolutely codify the process to obtain, update and delete data from third parties.
And Gdpr definitely do not care how much hard is to unpublished data.
You’re also mistaken about the scope and reach of GDPR as it applies to what @BoppreH was asking for. The GDPR has been quite effective so far about making companies keep PII to themselves, stop selling it without consent, take reasonable precautions with it. It has done very good things for privacy. This thread isn’t about accidentally leaked medical records or purchase preferences. This thread appears to be about someone who wants to undo a decade of their own internet activity that has spread far and wide. That’s not a reasonable request.
Look, there are laws that help you with interactions with a specific company, or that can help unpublish libel, or help with a single event or an egregious mistake in the past. But there just aren’t laws that can let you change your mind about a wide swath of information that you leave online for years, information that exchanges many hands and no longer involves any one single company.
I suspect you're correct, but the point of the original post was, I believe, to link the moral concerns behind GDPR to moral concerns about language models.
For the record: I personally believe that (a) there is a morality issue here (b) the existence of the relevant technology means there's no going back anyway.
I’m curious to hear more about what the moral issue is from your perspective. There are legitimate privacy concerns surrounding PII and AI, and surrounding PII and the internet in general. There are legitimate concerns about ways that AI can infer non-public information. There are also legitimate concerns about humanity’s ability to record history and also about the legal and financial liabilities that might come about when recording publicly available information. Those are big general debates and are worthy of attention.
This particular case hasn’t convinced me yet, since the PII was knowingly posted, left online for some time, and since the AI is only regurgitating knowledge that Google also has.
I learned this, by setting up a Disqus ID. I wanted to comment on a blog post, and started to set up an account.
After I started the process, it came back, with a list of random posts, from around the Internet (and some, very old), and said "Are these yours? If so, would you like to associate them with your account?"
I freaked. Many of them were outright troll comments (I was not always the haloed saint that you see before you) that I had sworn were done anonymously. They came from many different places (including DejaNews). I have no idea how Disqus found them.
Every single one of them was mine. Many, were ones that I had sworn were dead and buried in a deep grave in the mountains.
Needless to say, I do not have a Disqus ID.
Being non-anonymous means that I need to behave myself, online. I come across as a bit of a stuffy bore, but I suspect my IRL persona is that way, as well.
That's OK.
Also, what impressed me about the Disqus incident, was how fast it came back with that list.
In the US, at least, true anonymity takes a lot of work. For example, if you own a house, people can use tax records to find out who you are, unless you do what rich people do, and use shell companies. I also own a couple of [small] companies. I maintain a UPS box, because they get a lot of junk mail (and some business junk mail comes to my home address, anyway).
That's just one of hundreds of ways we can be found. Many predate teh Internets Tubes. My mailbox gets stuffed with junk mail. Some of it is quite specific. They use these mechanisms, and have been, for decades. I have known folks in the collections industry. They can find people surprisingly easily. There was one guy who used to be a skip tracer, and he wrote a book called How to Disappear[0]. It's a fairly sobering read (and probably quaintly anachronistic, these days).
The Unabomber actually did it correctly. He only got nailed, once he posted something publicly.
[0] https://www.amazon.com/How-Disappear-Digital-Footprint-Witho...
https://old.reddit.com/r/fatFIRE/comments/l0wd5i/update_to_p...
(This is different than there being a law codified and not being enforced)
But I’m fine with one agency of the federal government having a private database, shareable for some investigations, which is the direction its going
I hope it gets handicapped or repealed
Once, my housemate got junk mail addressed to 'Mr. <firstname> Trout' as a result. He was a trifle annoyed by this but his partner found it hilarious.
That's okay, as long as you aren't a member of any persecuted minority, and as long as you don't have any interesting political views to share.
It’s fine, for me. I actually know folks that it would not be OK.
I am not giving advice; merely recounting what I have experienced, and the personal choices I have made, based on those experiences.
A small use of privilege but I hope a useful one overall.
So it might be something else, given the implied age of the comments.
Then if another user registers with the same fingerprint we link the accounts together.
In our case the whole thing is also requiring human moderator input to actually keep the whole thing going though.
There is also a premium verson: https://fingerprint.com/
(apologies for the level of vague here but I don't believe it's fair to anybody else involved to be less vague - including the user in question, who seemed relatively young and I hope has grown up since)
- cookies are temporary. Even 'ever-cookies' wouldn't have survived brower upgrades.
- email, tel : the parent insists having had privacy opsec so reusing those over time would not fit in this view
https://www.optery.com/
It’s a YC company. My only affiliation is that I’m a customer.
I have a discount code if anyone is interested. I wasn’t sure if I could just paste it in the comments
Maybe ping them?
https://news.ycombinator.com/item?id=30605010
Are you sure it’s not an issue on your end Cole?
https://news.ycombinator.com/user?id=beyondd
I’m assuming that YC frowns on their funded companies doing unsavory things?
There's a kind of YC culture where they believe nice guys do well [1]. And they're likely biased towards funding nice people. But after they're funded, they don't really have any control over the company.
[1] http://www.paulgraham.com/good.html
Only if it leads to unsavory revenue reports.
It’s not okay to be tracked so thoroughly that people stop feeling they can explore controversy online
Anonymity is certainly a tool that can be used in dire situations when there are real credible threats and the stakes are high. However it takes a certain type of courage to express oneself freely which would be really nice to see in the majority of all other situations. Instead of exploring controversy anonymously, we should aim as a society to explore it normally and simply build up the intellectual maturity and capacity to tolerate controversy like adults and not children…
You wear a name tag to the pub, or supermarket?
Being gratuitously anti-social online might also have consequences (your account gets banned), but if creating another anonymous account is free and easy, then the consequences are trivially ignored.
You could make a distinction between anonymity and ease-of-creating-new-accounts, but usually the two are tied together.
In meatspace, people use different modes of identification than just a name, so names aren't as important to figuring out who's who.
https://www.nytimes.com/interactive/2019/06/14/opinion/bluet...
Yes, but I don't realize it.
I'm glad that you feel secure enough in your position in life that you think you can weather such an attack, but not everyone is so lucky. Implying anyone who needs anonymity is simply holding an unreasonable position is simply not fair.
Neither of us did.
> If you can't stand by a position, maybe you shouldn't air it.
The implication of this is pretty clear.
But context is king. The context of that particular quote, is that it came immediately after this:
> I stand by what I say, though my views now may be different to those of previous me and I'm happy to debate that too.
They were clearly talking about themselves, and a rule they apply to themselves.
That said, one of my "cleanup routines" for writing and posting, is I look for instances of "you," and often change it to "I" or "me."
I would have probably written it like so:
> If I can't stand by a position, maybe I shouldn't air it.
BTW: I apply the same philosophy to my own posting.
There's a very valid argument for online (and offline) anonymity, and I don't like the specious "If you aren't doing anything wrong, then you shouldn't have anything to hide." argument.
I just find using that as a fig leaf for trolling and stalking people is rather annoying, as that behavior actually puts the people that really need it, at risk.
Standing up for my Principles can sometimes be quite scary. I've risked losing jobs, for refusing to carry out orders that were unethical, and I am routinely attacked, here (but politely -this is HN, after all), for holding some of the views I hold.
Yes, the context was a switch from first person to second person. The most reasonable and likely interpretation is not that it was an accident, but that the second person was intended to convey a statement about what people in general should do. E.I: "If one can't stand by a position maybe one shouldn't air it."
It is true that there is a trade off between anonymity and culpability, but that doesn't mean we don't need both. To my mind, we need anonymity to protect smaller scale participants and accountability for larger scale participants to limit abuse of power. I don't know how you achieve that in practice.
E.g., this is why true democracy needs secret ballots. Perhaps you and I aren't afraid to vote in public. But a democracy needs everyone to give their honest vote, not only those who have nothing to fear.
Definitely agree. I have my approach to life, the universe, and everything, and it is unreasonable to project my values and whatnot onto others.
Many times, the favor is not returned, though.
Yup :) (1)
Also an online privacy fan with (what probably amounts to) strict views. Eg.: privacy is a bit of a misnomer. It puts the focus on the person who can be wronged. In other crimes, we don't do that. A burglar is not the one whose house was burgled; a robber is not the one who was robbed.
Privacy isn't about me or my rights; it is about other people and limits on theirs. You're not allowed to take other people's money, why should you be allowed to take other people's data?
(1) Aside: I keep rereading the books. I found others that move me more, but I tend to move beyond them. Eddings writings manage to keep entertaining me. Not necessarily high-brow, but definitely entertaining and the entertainment doesn't peter out after the 3rd or so book (all too common in fantasy in my experience).
I tried the Elder Gods series, and it was ... awful. The Redemption of Althalus was readable, but couldn't hold a candle to the other books.
Last time I played a Rogue in an AD&D game I used Silk as an archetype, and it worked out very nicely.
In other words, stand by your position, but also learn when to admit you were wrong.
It's a fundamental tenet of my way of life. I promptly admit when I'm wrong.
I've found the best way to avoid having to make amends, is to not cause the offense, in the first place. I tend to be fairly careful about keeping it in the "I," all the time (but no good deed goes unpunished -I am often told that "I'm making it all about me").
I do find that I get attacked, sometimes, right out of the blue, for stating personal philosophies and/or experiences. My fave is when I am told that something that happened to me "didn't actually happen." I assume that is because it is an inconvenient truth, for others. My experience, dealing with tech industry ageism, is a common fulcrum for that kind of response.
Sometimes, though, I absolutely -do- intend to offend somebody, and in that case I own it.
That's the thing, there are a lot more positions these days that people seem to be unwilling to change.
Its not standing by a decision, its the unknown risk of an adversary using information you thought private against you. Whether its abortion clinics, or prospective employers vetting your background. You won't know which opportunities were missed as a result of something in your record that may have happened 20 years ago. You'll probably think it isn't happening, until it impacts you personally, and then its too late. That's exactly how it happened in East Germany with the wall.
https://www.stopspying.org/pregnancy-panopticon
I won't participate in them using my real name, because I once witnessed the mayor of the town doxx and lead a campaign to harass a single mother because she disagreed with the majority party that's run the town for the last 40 years. She got dogpiled on by hundreds of residents for participating in a discussion on Facebook.
It wasn't an isolated incident either, other people have had the same experience and even felt the need to move after it happened because some people took it to an extreme and felt the need to harass them for months afterwards.
Part of the chilling effect is the incentive against pursuing justice in cases like this. The single mother was already publicly targeted and made unsafe, chances are that the public targeting will get even worse if she pursued justice against her harassers.
These same people in power who led this campaign against her have sycophants in the local media who have no problem using their wide reach to smear dissenters like they do every election season, even for minor Board of Ed elections.
To bypass the sources of those chilling effects by remaining anonymous may in fact only allow them to grow stronger.
He worked for Kodak, at that time. I used to have his card, with his smiling mug on it (Kodak used to have picture business cards).
One advantage of having a fairly old and robust online (and offline) ID, is that it actually makes it harder for people to assume your ID, as there is so much "prior art," pointing to your real persona. It makes it fairly easy to short-circuit hijacks.
Of course, it all becomes problematic, if I decide to go around pissing everyone off, or poking bears.
But, if I piss off people that have the willingness and ability to do me harm, they'll find me, anyway.
I don't choose to live a life in a shack in the woods, typing manifestos. I want to be a part of Society, and reap the benefits of participation.
It also helps me to help others. A lot of my life, these days, is around helping others. Hard to do, if I'm hiding in a dumpster.
Happily for me everybody I've seen comment on it laughed it off as "I wonder what happened to make them that angry but I'm sure they deserved it" - with a few exceptions of people I've previously pissed off who basically said "nah, he's an asshole moderator but there's no way he's a paedo".
And, well, sometimes I -am- an asshole, and some of those times I deeply regret. But reputation can be useful in general.
I don’t foresee changing my stance, for myself. However, I’ve been around long enough to know that the way I see (and do) things does not apply to others.
I would not prescribe my way to others. I’m merely recounting my lived experience, and the personal decisions that I made, based on them.
If I'd need full privacy, I'd have to add many more levels of security in my daily life that I don't find necessary. I just don't want people (or a SWAT team) to show up at my door because I triggered someone on the internet. That's why I post from multiple different accounts on different platforms. Though, I'm sure, in the future some form of AI will be able to link them all based on writing style and similarity of content of my posts. Guess I'll have to find another way to remain somewhat anonymous then.
obviously it's a little paranoid and arrogant to assume that anyone cares enough to go through my comments, but occasionally, on websites like this and reddit, I will just outright lie about where I'm from, or what my age or gender or ethnicity or sexuality is
The sentences that stuck out to me are: “If your phone number or other PII has ever been associated with your identity, that association will be in place indefinitely and is probably available on multiple data broker sites.
The best way to be anonymous on the internet is to be anonymous, which means posting without any name or identifier at all. If that isn't practical, then using a non-meaningful pseudonym and not posting anything personally identifiable is recommended.”
https://www.optery.com/
I’m a satisfied customer
Of course this doesn’t account for “the crazies” that could potentially harass me into my physical life at an easier rate simply because they’re mad I won an online game or the like. Thankfully I haven’t had to deal with such a situation, but I also believe that may be a consequence of avoiding inflammatory back-and-forths or highly-political discussions since anonymity is reduced, which may invite those attacks.
A third approach is using a word that means something and thus is not unique at all.
Unique strings for usernames means lots of accurate hits. If you google mine, there will be lots of hits but none are me.
Going on a tangent here but I've started seeing more "do be" used lately. However, it doesn't seem right for some reason I can't pinpoint (English is not my first language).
Is it from a dialect?
It's an African American idiom which has bled into Gen Z vernacular, from what I've seen.
It's better to use a username you copied from someone else also, like that if people find links, they find someone else entirely.
I have to say playing with GPT3 has been a mind blowing experience this week and you should all try it.
The most striking point was discovering that if I give it texts from my own chats, or copy paste in RFPs, and ask it to write lines for me, it’s better at sounding like a normal person than I am.
If I can do this locally with some existing kit, I would love to hear your recommendation.
Except of course that those tools are at least somewhat dependable in what they output, because they were created to generate queries, not a roughly human-looking random text.
You could imagine a bot which takes your question, googles it, and then assembles the answer based on random pieces from millions of search results that happen to match the syntactical structure of the sentence - and you wouldn’t really be that far off.
Can you show me? As in, paste the question here?
I meet people that regurgitate what they’ve heard on Facebook all the time, are you suggesting there is no intelligent thought there either?
And ffmpeg, and qemu, and....
A stock example was “write a tag line for an ice cream shop”. We tried changing it a bit and I’ll give you some of what it’s punchlines.
“Write a tagline for an ice cream shop run by Bruce Wayne.” Result: “the only thing better than justice is ice cream”
“… run by an SCP”: “The SCP Ice Cream Shop: the only place where you can enjoy ice cream and fear for your life!”
„… run by Saddam Hussein”: “the best ice cream in the world, made by the worst man in the world!”
One thing to watch out for though is it is not self aware at all (at least in a practical sense) and can just make things up. For example, we tried giving it my daughters homework reading comprehension questions on the book “w pustyni i w puszczy” and it gave cogent, plausible and totally wrong answers that it made up on the spot. It would seem it hadn’t been given the book, and would have got an F.
And it can’t speak for itself. I can ask it directly “have you read Tractatus”, and it will insist “no, never”, but knows it front and back like a scholar.
So never blindly trust it ;)
With just a tiny bit of search, you can find a list of the fines levied by this 'impractical to enforce' legislation.
Not sure where the tsa reference fits in.
To me that doesn't sound better.
As you stated, this is publically available information. GDPR has nothing to do with it.
I have a stalker. I know her well enough to keep myself safe. I don't take measures which would deter a marketing company or a government, but enough to deter her. It's a lot easier to live with some "soft" measures than with "hard" measures.
When "public" information is aggregated and posted online, it does cause problems for people like me.
But what I am saying, is scraping the internet and displaying the data you gathered is not a breach of GDPR. If in doubt, go look at Google. Constantly fined billions by the EU. Not once have they been fined for displaying personal information in their Google search results.
Not liking something is fair enough. Not liking something and then saying it's breaching GDPR because they used public information isn't the same.
Google has tools: https://support.google.com/websearch/troubleshooter/3111061?...
GDPR grants a right-to-be-forgotten. It's not a proactive right; you need to make a request.
https://gdpr-info.eu/art-17-gdpr/: "Art. 17 GDPR Right to erasure ('right to be forgotten')"
...seems like it is?
And the main part is that it only affects data within the EU. Google can still process your data and even clearly tells you that they still have the data when they show you a link at the bottom of the search result that they removed results.
Edit:
Wikipedia has "The right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014."
Enforcement is sporadic, but that may change.
https://iapp.org/news/a/publicly-available-data-under-gdpr-m...
If I am not mistaken, this is one case:
"in line with Article 9, if the processing relates to personal data that are manifestly made public by the data subject, no explicit consent or other legal basis as enlisted in the Article 9 (mainly specific laws and regulations or establishment, exercise or defense of legal claims) is required."
If I personally had not had access to the internet/social media before 18, my life would be in a much _much_ worse place.
I don't disagree that we need to rethink how interacting with the internet is handled, but I don't think that's the way.
These threads show how little the US values privacy, but it does not necessarily apply to other countries.
Surely you can come up with a better example than that. Anyone who thinks HN is somehow related to criminal activity could be corrected by merely viewing the site once (or any number of third-party articles written about the site).
Meanwhile you had your full CV linked on your pseudonymous website, Streisanded yourself, and are disparaging the HN community repeatedly in your comments.
Depends when they visit. I can see someone uninformed arriving on the days of heartbleed, meltdown, defcon, CCC, the equifax hack, etc., and incorrectly drawing the conclusion that is for the criminal kind of hacking.
There's actually quite a bit of folklore suggesting that knowing a person's (or creature's) name gifts you with a kind of power over them.
And like most folklore, there's a grain of truth to that. It's a lot harder to gossip about someone in a way where they'd gain a reputation if you don't know their name.
People who do shady things don't come up with aliases because it's fun. In the same way, I doubt as many people would donate large sums of money to hospitals, universities, and other institutions if they didn't get buildings named after them in return.
How to manage all these identities though? How to make sure they don't leak into each other?
It's a lot easier if you share an IP with a hundred other people, such as with a VPN or CGNAT or many schools/businesses. Then you can just reset the cookies you want without it being able to fall back to another unique identifier.
This isn't even considering device fingerprints such as created using html5 canvas or audio APIs.
I don't do this myself, I'm just saying there's a lot more to it than picking a new HN name.
This is not always possible if one means not just daily use name but also legal name.
There is at least one state where the name change law allows residents to only change name once (except for marriage related last name changes).
Scrubbing AI output is not sufficient.
Perhaps in the future AI will actually be able to help us with this sort of problem (regulating, controlling data).
Are you in Europe?
If so you might have a GDPR track available to you for getting it removed. You may also want to do a DSAR.