18 comments

[ 2.4 ms ] story [ 37.7 ms ] thread
> This same university which promised a life access to email address which they did not honor, ...

A tangent, but I had the same thing with my university. I wonder how common this is, and if google is the common thread...

Reading investor reports is interesting as well, to see what companies think you're worth to them. Check out Roku's ARPU - it's something like $40 a year now per user in marketing.
What I thought was most interesting was the statement at the very end: "The poetic nature of writing in grievance in Arabic is much more effective than in English." Differences between languages are so interesting to me. Anyone here know Arabic and feel the same way as the author? What makes Arabic different in that sense?
It would be interesting to see what calculations went into arriving at the number. They must have started with a large number that should be distributed to all students. Where did that large number come from? Some fund allocated for this kind of purpose? Some ransom that was demanded by the attackers, putting a value on the data? Some psychological tests that determined $30 is enough to keep the young folks from rebellion while not affecting future prospects for the university?
> They will not take responsibility for their actions, and they will not compensate you for the damage they caused. They will just offer you a small amount of money and hope that you will forget about it.

Paying for a wrongful action is taking reponsibility and compensating. But also "for the damage they caused" - what's the damage if the info is already out there?

> The basic problem is that they do not care about us.

True, of course, but the basic problem is different - "apology" costs more due to the way the legal system is set up, "nothing more". Otherwise you'd get your empty apologies left and right, though strang that you value that more than compensation. Empty words cost even less than $30 (unless, of course, there is a system to make them legally potentially cost more)

The issue is, that your personal info is valuable to only you. It also doesn't reflect character worth or personal worth.

That's how people gave their privacy away to apps - they've realized this is the best deal they can get for it. Conversely, when the court tries to estimate what is the financial impact of such a leak, there's not much to base it off.

I've just finished The Age of Surveillance Capitalism and it's ridiculous how Google et Al were able to profit from these scraps we gave them. So maybe the value could be higher?

Rembered that time when Ford estimated human life to not be worth enough in case of lawsuit to add a $5 piece to prevent their cars from exploding on rear impact. I love faceless capitalism.

Edit: iirc that was about $750

I wonder how much more organizations would value PII if we could legally demand all of the PII of the executive officers for that same price.
The author thinks that $30 is an inappropriate amount, but does not suggest what he thinks the correct sum should be.

It is my opinion that, as with anything that can be copied infinitely for free, his (and my) personal information is worth $0.

I think if you look at what it costs to purchase your personal information you will find it is worth far less.
Class actions like this are opt in; by accepting the settlement you accepted the terms and lost your right to sue for a different (more appropriate to you) value.

Planet money did a a great segment on how these work and why America is set up this way. I learned a lot about it. You should definitely take a listen[1]. If you aren’t on Apple then search “What to do when you’re in a class action?” And find the podcast (not the summary article).

1: https://podcasts.apple.com/us/podcast/planet-money/id2907834...

Maybe my perspective on Universities is quite different, but I don't understand the complaints of the author.

This is a public University, they likely outsource some of their IT and somewhere a data breach happened. This data breach apparently affected all employees and students/former students. The faceless "they" the author is blaming in all likelihood was effected more drastically than him.

The 30 dollars is not a payment for the data. It is a compensation for the damages, something which the author admits are likely zero, as previous data breaches already impacted him more drastically.

What should the university have done? 30 dollars seem reasonable for the damage caused.

The settlement you get from a class action lawsuit has no relation to the value of the underlying tort. It is not, as an investor would say, a pricing event.

Everybody’s private information would be worth a different amount if you were talking sheer economic value. A poor persons would be very little, a rich person would be worth very much.

> But also realized that if I had written this in Arabic it would have been much more concise. The poetic nature of writing in grievance in Arabic is much more effective than in English. But I will leave that for another time.

You piqued my interest. I’d like to learn more about that.

The $30 settlement doesn't mean that's what the data is worth. For better estimation, we could look at how much discount various places are giving for information. For example my shopping data is apparently worth many hundreds a year. (So a few thousand in total by now) Which is silly considering it's basically the same things on rotation and anyone with even simplest data analysis could correlate all my shopping anyway. But PII isn't that interesting without any other activity attached. So... probably less than my shopping and it doesn't change so there's no need to refresh. Probably in the hundred dollars range then? Unless someone wanted to use it for impersonation where financial hacks, then maybe it goes up to thousands as well? (Large percentage will not convert)
What would an actual market price be for this PII?

Let's say someone offers $X, and in return they post on a public website your name, address, date of birth, Social Security number and employer. Not a lifetime feed, but a single snapshot of this information taken between 4 and 36 years ago, to match the details of this university leak. Maybe some additional info like what grades you got, but not your financial or health history. This offer is made to all adult Americans.

What would X need to be? I suspect the vast majority of Americans accept this at $10,000. And a very significant number take it at $100, or in return for access to a trendy new social network or a discounted television or similar.

I'd take this offer for some five figure sum, which would not be a life changing amount to me. It's a complicating factor that SSNs are traditionally a vector for fraud, but that would go away once people take this offer.

This is actual problem in general. As a rule, I never give my personal information online anywhere, always use fake info. However, there are a couple of cases when real info is necessary. If it's just my real name and phone number like for booking.com, that's maybe acceptable - just one weak point, little PII.

However, an institution like an university requires a bit more, like a copy my ID or a photo. And based on their attitude, I'm sure they'll get hacked sooner or later. Their IT is either outsourced or understaffed and of mediocre quality. The fact than noone broke in (?) is because nobody cared that much.