> according to the VX team: "The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present."
You're good, perhaps! The rest are opted-in for a data leak.
This is a great example of why everything should be opt-in given the risk the individuals incur, not to mention the company.
If society appropriately disincentivized data collection, we could even get to where companies don't see customer data as an asset instead more as a liability.
It seems hard to disincentivize "data" in the same way it's hard to disincentivize "cocaine", e.g. to most companies "10 kg of cocaine" is a liability but there exist certain companies generally staffed by more unpleasant people who make it their business to treat it as an asset.
Which means going to a different layer / structural solution maybe. How does the value of data go to zero?
Nothing meaningful should stored due to data leaks liability, period. Now if data really leaks out users should be able to sue and get compensated. If companies are made to pay they'll clean up their act fast.
It shouldn't be opt-either. It should be treated as radioactive waste that you don't want anywhere near you, your family, not in cold storage, not even in a mine in the Yucca mountains.
This is why I don't use those privacy services. An awful lot of companies use background checks as a decider on if they are going to offer you service, or to give discounts to low-risk customers.
I might end up paying extra because my insurance company decided I didn't fall into their 'lowest risk' bucket because my background check came back as "we have never heard of this gal" because I once used a data privacy protecting service or they can't find my facebook/linkedin/twitter.
There is easily a 10x difference in insurance prices between "known good customer" and "probably fraudulent customer" - and that difference is the difference between being able to own your own house (with mortgage to begin with) and renting for life.
Most people would value owning their own home over having some computer system using their data to select one ad over another.
While there might be such a difference in price, equating trying to avoid data collection through legitimate means with being flagged as a probable fraudster and having to pay 10x is not sound reasoning.
If people were routinely getting gauged like this for trying to opt out of something, there would be a pretty huge story in that and I doubt it would go unreported.
Would these people necessarily know? I mean, if I'm getting quoted $10,000 a year to insure my car and my neighbor pays $1,000 for a similar car, I'm going to notice. But if I'm getting quotes of $1,200 or $1,500 would I know my thin data file is costing me money rather than some other mystery factor?
Rinse. Repeat for loans a half percent to a full percent higher than my credit score should otherwise get me.
Caring about privacy puts you on a list. It's like responding to spam asking to be taken off the mailing list; you're just verifying that you're someone they should be paying attention to.
I'd much rather be in a list for exercising my rights and upholding my convictions that cowering in fear of imagined damage for not toeing an arbitrary line.
Sounds like a pretty awful way to live. Honestly I'm shocked to hear such a conformist and timid opinion uttered in a forum called Hacker News.
Even if you play the 'actually this is a VC connected corporate forum' what sort of entrepreneur lives by this sort of preemptive self censoring?
You think it is a certainty that if I care about privacy I will be put on a list (never mind what list or why does it matter), and you think it's a certainty you should appease the powers that be by pretending not to care?
This will continue until we make having a huge collection of personal data into a liability and not an asset for companies. Actual jail terms for CEOs for leaks would be a wonderful start. Or, at least, we should have fines that are not wrist-slaps. For example, a fine of $1000 paid to each individual per leak would be a good starting point. Then, companies will properly start minimizing the amount of data they store, in fear of a crippling loss.
Also, the money should go into an escrow account with a list of claimants. Some neutral third party should handle getting the checks to individuals.
That way, there's no financial incentive to make it hard to claim damages, and people won't need to bother filling out a form every few weeks to claim the cash.
Some people will still get some money. And spinning up a new company still has costs. However, this is precisely why this is the second-best option, after actual jail time for actual CEOs. Then they can fold whatever they want in their prison cells
At best the fees class action lawyers would charge would change that $1000 into $0.10.
I already pay taxes; why not have the government do their job and protect my digital information and fine the companies and their executives so they learn to care about it. The government allows the corporate barrier to be pierced if employee salaries are not paid.
Personal liability tends to get board members attention.
Stuffed down the memory hole. Before Reagan board members were liable for unpaid non exempt wages. If a company went bankrupt owing hourly workers back wages the bankruptcy court could liquidate the boards assets.
Agree with this. An insurance requirement would solve this problem. It would also incentivize robust security audits by the insurance companies and the data collectors.
'Crippling loss'? Haha. Look at the equifax debacle. They set aside some paltry amount of money for the class action, almost instantly ran out and then everyone collectively shrugged.
Regs are rarely ever meant to actually favor the average citizen over the corporation. Just look how quickly the consumer protection agency was killed.
I agree with your sentiment but I feel like that's an impossible expectation/standard to set for certain companies that don't have the luxury of dropping data whenever they see fit. For example consumer banks abide by the Bank Secrecy Act which mandates the banks to keep wire records that exceed $100 for at least 5 years.
Then those companies need to take out very expensive insurance policies that protect the individuals whose data they must hold. If they can't afford that then they can find a new line of business.
Would be nice, but wouldn't that limit the taxable set of data records to those that have enough info to route payment to? Either paid directly by the company, or enough information for the government to identify you.
While in this collective pipe dream, why not just make it a felony to have unauthorized possession or transmission of this data, make sentencing gravity based on attributes like unsecured, breached, willfully sold, etc?
Best metaphor I've heard is that personal data should be treated like toxic waste. If you're a company that works with it, it should only be because you have to, not because you want to. And then, you want to keep as little of it around as possible. You definitely don't want to leak it, because then the EPA will come down on you like a ton of bricks. All of your processes should be geared toward minimizing or eliminating exposure to it whenever possible.
Unfortunately, companies are incentivized to treat personal data like something to be aggressively gathered and hoarded instead... but not necessarily like something to be guarded against leakage.
How about just jail time for owners, executives, and management of companies/organizations who collect and store this information to begin with? That's what we do for Peeping Toms outside people's windows. I don't see why something more creepy, more invasive, more permanent, and more harmful should be treated less seriously.
Maybe as this becomes so ubiquitous, we will finally see 'identify theft' recognized as BS. If you allow someone who is not-me to pretend to be me and rip you off, this is not ever my problem; it's yours.
Cue the posts complaining about how impossible it is to do any transaction online because you have to provide so much proof (and the companies collecting even MORE data about us, to later be stolen).
Most transactions online use some kind of payment system, which is vulnerable to various forms of fraud and hackery but not "identity theft". "Identity theft" (and GP is right that this is a made up crime to discount corporate greed and laziness) occurs during an application for credit, which doesn't need to be a common and easy process.
And even that has been solved by more privacy forward societies. For instance PostIdent in Germany where you verify your identity with a trusted third party.
Honestly. Someone walks into a bank with a gun and takes the money, it's Bank robbery.
Why would them using false identities be any different? Why is it MY problem that someone else stole from a bank? If they wear a mask with my face on it during a physical robbery, does that mean I'm liable?
> If you are a California, Virginia, Colorado, Connecticut, or Utah resident, you have the right to request that we delete personal information that we collect about you, subject to certain exceptions.
I think it's time to require this on a national level. This is getting ridiculous.
That's a step forward, but not a solution. There are so many firms collecting data on everyone. There should be something similar to a "National no call list". If you register there, all firms should delete your information or face consequences.
Unfortunately this will be used to discriminate against people when applying for a loan or a job, so we must make it illegal to discriminate when these data brokers return nothing for a search because someone has opted-out.
If you’re going to make it illegal for anyone to use the data broker information to make decisions, you should just ban the data brokers from existing.
This is the crux of the issue. The ever evolving police apparatus would never give up such a thing. The people who write the laws and their spook handlers want to increase data collection, if anything.
Does anyone else feel like we are slipping into a Dark Mirror episode? I fear that nothing will be sacred soon.
so register in a central database to not be registered in a bunch more central databases? Then the one "do not collect data" list will be leaked over and over?
It's enlightening to see read comments from this forum when GDPR was being introduced. It was just seen as pesky legislation designed to trap people needlessly in red tape and not legit privacy protections. I think a lot of Americans are coming around to sense -- now seeing US companies consistently abuse their data. The US should have similar legislation to protect Americans.
Seems like you're putting words in my mouth. The Utah law is 14 pages, where the GDPR is 88 pages, with at least twice as many words per page. We don't need a sledgehammer here.
Given that the EU has already taken its licks for the ineffective "cookie law" and used that experience to draft the GDPR, I'm inclined to think that length is quite necessary. I'm sure it's possible to express the spirit in a much shorter law, but such a law would be likely to facilitate legitimate activity by simply creating loopholes that severely neuter or even nullify the whole thing (which is one of the common failure modes of US legislation).
Specifically, the EU's teasing out an effective definition of consent is paramount, otherwise the only thing a US privacy law would mean is a few more paragraphs in the bullshit legalese "terms" that nobody reads. Frankly I think Congress should just import the text of the GDPR wholesale and let the courts sort it out. I doubt the outcome could be any worse than what surveillance industry lobbyists end up doing to domestically crafted legislation.
The USA has a justice system where loophole-abuse is rampant, much more than any EU state, I'd venture to say a 14 pages long law for the country is not even close to sufficient to cover against that aspect.
Utah is a small state, the EU dictates how a free market should work across 27 different nations with a variety of laws, 88 pages doesn't seem much to cover for that.
IANAL but my feeling is that also European courts judge more on the spirit of the law, so the unavoidable loopholes (because nobody is perfect) cannot be abused to the same extent.
Or legislate these things have to be opt-in. I remember when politeness dictated you ask someone before even taking their photo.
I think the companies collecting personal information assume they have more entitlement to it they they actually do, and are on the wrong side of the law - especially when breaches like this result in real damage. I'd like to see a few really harsh class action lawsuits bite them in the ass and leave behind bad enough scars that other firms begin to see personal data as a liability not as asset.
Apropos of anything else, because these companies couldn't care where or who you are. The more data they can slurp up on more people, the better and more valuable their databases sound.
You've never done business with a company that has a US presence? You've never visited the US for work or holiday? There's lots of ways to get your data and once they have it, it gets sold repeatedly.
The thing I don't understand is how, with SOOO much leaking of nearly everyone's personal data who is a US citizen, can KYC requirements (that is, what is required to own a bank account in someone's name online) still be so low. In many (most?) cases all you need is full name, address, date of birth, social security number, possibly also phone and/or email. If those pieces of content correlate with each other, and there is no other suspicious information about the account opening request, the account is likely to be opened.
All that information is essentially semi-public these days for nearly all US citizens. How is this still allowed for KYC purposes?
For the uninitiated, can you elaborate on how a liveness check can be used to show that the human being who typed "John Doe" in the name field, "01/01/1970" in the birthday field, and "000-00-0000" in the SSN field is in fact John Doe who was born on 01/01/1970 and has the SSN 000-00-0000?
I get that we can determine if it was a human being with some acceptable level of accuracy, but what actually matters is that it's the right human being. How does a liveness check solve the problem of these numbers that are used as passwords being de facto public information?
A government-issued ID card that was actually designed to be an ID card (with all the security measures that entails) would be a great start.
For the first three decades of their existence social security cards expressly said they were "not for identification". All the way through 2011 the first three digits of an SSN were a geographical code and the other six were assigned in a predictable sequence, which means that for any SSN from before 2011 there's an entirely deterministic inc() and dec() function that can be used to derive new, valid social security numbers. This also means that any typo most likely ends up pointing at another valid SSN (no check digit).
My credit card has better security characteristics than the card that they used to identify me in order to sign me up for the card in the first place. That's absurd.
A state government issued REAL ID card is exactly that. The majority of US persons either already have one, or will the next time they renew at the DMV.
In a better world we would require someone to provide a piece of identification in person, and rather than blindly copying said identification the only information that is stored is who showed what identification, where, when, and to whom. Signed by all relevant parties.
Instead you've got governments requiring a mere copy of the document as proof, because fuck logic.
Or in the case of the U.S. such a document may very well not exist, because I'm pretty sure SSNs aren't remotely designed to be checked for authenticity.
> because I'm pretty sure SSNs aren't remotely designed to be checked for authenticity.
I haven't been on the verifier side of this, but I did have a neighbor participate in a passport verification system for a new remote hire job, as the verifier.
According to him, there was some basic information listed about how to verify it was an authentic US passport.
It'll be curious if we see a move to more forgery-resistant documentation being used for KYC (e.g. passport, RealID DL, etc), coupled with in-person verification (even if something like lawyer-drops-by or go-to-notary).
That's my point. The "validation" of that info basically says someone with this name and this birthday and this SSN lived at this address. But there is usually no additional proof required that the person signing up for an account is actually this person, and with soooo much leaked PII, there are reams and reams of that (valid) info available through breaches.
Imagine what could happen if someone starts tampering with leaked data... nobody ever thinks that the data might not be real. Pretty easy way to frame someone.
OK great, we are being leaked left and right. You know what, we should just demand $10 per collection. Collect and leak whatever you want, because I cannot stop you, but you need to pay me.
94 comments
[ 5.9 ms ] story [ 59.1 ms ] threadYou're good, perhaps! The rest are opted-in for a data leak.
If society appropriately disincentivized data collection, we could even get to where companies don't see customer data as an asset instead more as a liability.
Which means going to a different layer / structural solution maybe. How does the value of data go to zero?
I might end up paying extra because my insurance company decided I didn't fall into their 'lowest risk' bucket because my background check came back as "we have never heard of this gal" because I once used a data privacy protecting service or they can't find my facebook/linkedin/twitter.
There is easily a 10x difference in insurance prices between "known good customer" and "probably fraudulent customer" - and that difference is the difference between being able to own your own house (with mortgage to begin with) and renting for life.
Most people would value owning their own home over having some computer system using their data to select one ad over another.
If people were routinely getting gauged like this for trying to opt out of something, there would be a pretty huge story in that and I doubt it would go unreported.
Rinse. Repeat for loans a half percent to a full percent higher than my credit score should otherwise get me.
Sounds like a pretty awful way to live. Honestly I'm shocked to hear such a conformist and timid opinion uttered in a forum called Hacker News.
Even if you play the 'actually this is a VC connected corporate forum' what sort of entrepreneur lives by this sort of preemptive self censoring?
Sounds like capitalism is functioning as intended...
That way, there's no financial incentive to make it hard to claim damages, and people won't need to bother filling out a form every few weeks to claim the cash.
They would just fold the company and start another? Most data brokers do not have 3 trillion dollars.
I already pay taxes; why not have the government do their job and protect my digital information and fine the companies and their executives so they learn to care about it. The government allows the corporate barrier to be pierced if employee salaries are not paid.
Stuffed down the memory hole. Before Reagan board members were liable for unpaid non exempt wages. If a company went bankrupt owing hourly workers back wages the bankruptcy court could liquidate the boards assets.
Regs are rarely ever meant to actually favor the average citizen over the corporation. Just look how quickly the consumer protection agency was killed.
But... you had to supply a credit card to enroll.
And... after six/twelve months they'd automatically roll you over to their highest tier plan, and start billing you.
It might as well have been a promo scheme.
Unfortunately, companies are incentivized to treat personal data like something to be aggressively gathered and hoarded instead... but not necessarily like something to be guarded against leakage.
Why would them using false identities be any different? Why is it MY problem that someone else stole from a bank? If they wear a mask with my face on it during a physical robbery, does that mean I'm liable?
> If you are a California, Virginia, Colorado, Connecticut, or Utah resident, you have the right to request that we delete personal information that we collect about you, subject to certain exceptions.
I think it's time to require this on a national level. This is getting ridiculous.
Does anyone else feel like we are slipping into a Dark Mirror episode? I fear that nothing will be sacred soon.
Here's an example: https://news.ycombinator.com/item?id=17154971
Specifically, the EU's teasing out an effective definition of consent is paramount, otherwise the only thing a US privacy law would mean is a few more paragraphs in the bullshit legalese "terms" that nobody reads. Frankly I think Congress should just import the text of the GDPR wholesale and let the courts sort it out. I doubt the outcome could be any worse than what surveillance industry lobbyists end up doing to domestically crafted legislation.
Utah is a small state, the EU dictates how a free market should work across 27 different nations with a variety of laws, 88 pages doesn't seem much to cover for that.
I think the companies collecting personal information assume they have more entitlement to it they they actually do, and are on the wrong side of the law - especially when breaches like this result in real damage. I'd like to see a few really harsh class action lawsuits bite them in the ass and leave behind bad enough scars that other firms begin to see personal data as a liability not as asset.
Opt-in by default.
And then if I want me some spam, I'll ask for it.
How would you have known to opt out from your data being retained? Were you aware of this site before reading this article? I know I wasn't.
All that information is essentially semi-public these days for nearly all US citizens. How is this still allowed for KYC purposes?
KYC in an environment where all the data points are openly available looks very different.
I get that we can determine if it was a human being with some acceptable level of accuracy, but what actually matters is that it's the right human being. How does a liveness check solve the problem of these numbers that are used as passwords being de facto public information?
Fingerprints and iris scan in person?
Government issued smart card?
Accepting fraud as a cost of business?
Or just no service to person you don't personally know?
For the first three decades of their existence social security cards expressly said they were "not for identification". All the way through 2011 the first three digits of an SSN were a geographical code and the other six were assigned in a predictable sequence, which means that for any SSN from before 2011 there's an entirely deterministic inc() and dec() function that can be used to derive new, valid social security numbers. This also means that any typo most likely ends up pointing at another valid SSN (no check digit).
My credit card has better security characteristics than the card that they used to identify me in order to sign me up for the card in the first place. That's absurd.
https://www.dhs.gov/real-id
Instead you've got governments requiring a mere copy of the document as proof, because fuck logic.
Or in the case of the U.S. such a document may very well not exist, because I'm pretty sure SSNs aren't remotely designed to be checked for authenticity.
I haven't been on the verifier side of this, but I did have a neighbor participate in a passport verification system for a new remote hire job, as the verifier.
According to him, there was some basic information listed about how to verify it was an authentic US passport.
It'll be curious if we see a move to more forgery-resistant documentation being used for KYC (e.g. passport, RealID DL, etc), coupled with in-person verification (even if something like lawyer-drops-by or go-to-notary).