Hacker News
Our data isn't safe. Resist giving it up whenever you can (washingtonpost.com)
52 points by pseudolus on July 31, 2024 | 46 comments


Data breaches are one thing, but the pervasive use of trackers and profiling/fingerprinting is much scarier and has potentially much worse consequences if left unfettered. Or stuff like my smart car streaming data without my permission to my insurer about how I’m driving. It’s pervasive and gross and you have no recourse if the system is screwing you unfairly (which it will).

You shouldn’t need specifics about my device info or browser for your site to work. And you certainly should make it easy to opt out of whatever data you’re selling on me when I use your services. Unfortunately, we seem to be in a race to the bottom there.


I remember discussing insurance rates with an actuary in the 1980s. It was in relation to using your address to modify rates. His point was that it is his job to create attractive rates where possible, but to avoid unprofitable claims exposure. To do this he wanted all the data he could get. Nothing changes.


With regards to the car insurance: they could raise the prices without the data, right? Would car insurance getting more expensive be characterized as “screwing you”? That sounds valid, and you’re not a corporation that sells something people are forced to buy, but it sounds like your problem is with auto insurance.


> Would car insurance getting more expensive be characterized as “screwing you”

Insurance is highly regulated in most places to prevent frivolous price increases, so... yes. Absolutely it would be "screwing you", which is why it got regulated.


You’re forced to buy car insurance in the US, and the insurance business is all kinds of fucked here. Fines for not having car insurance are massive, and driving without it can lead to jail time (idk the circumstances that trigger this).

I think the point is that a consumer’s insurance rate may go up based on an arbitrary KPI the insurance company chose, of which the consumer was not necessarily (made) aware, based on information the consumer never opted to share, information that comes with a considerable lack of context, no less. We’re not necessarily talking about accidents, or breaking laws, either. It’s determined by the insurance company using proprietary algorithms, and you have no recourse if your rates go up. It’s privatized tyranny.


> but it sounds like your problem is with auto insurance.

It was a single example I provided. You can find many others without looking very hard.


I leased my 3rd Mazda in a row this past spring and you have no idea the battle I had with the salesperson over his insistence I install connected services on my phone.

Took less than a minute reading the TOS to know to stay the hell away from it and Mazda's ability to sell my data to 3rd parties. He tells me "you won't be able to remote start without it, warm your car up in the winter". He only gave up when I told him I'll just leave if forced to install.

I also turned off connected services from the car's infotainment screen but I get a prompt to turn back on every time I start the car.

Who knows if any of this actually makes a difference. They may still be collecting my driving data and selling it without my consent.


> Who knows if any of this actually makes a difference. They may still be collecting my driving data and selling it without my consent

One of the worst outcomes is going to be "if you don't let us collect your data then we have to set your insurance prices high because you're an unknown"

I think this is pretty likely to happen. The same way if hiring managers can't find your LinkedIn or Facebook they might think that's suspicious behavior instead of just privacy conscious


Yes. But I think they dislike both for different reasons. Suspicious employees/customers and privacy conscious employees/customers.

The former is understandable but the latter presents a risk because it's harder to fully know a closed book, harder to exploit a closed book. What's he/she thinking? It's sad having to treat every institution one deals with on a day to day basis as an adversary by default, but I think we have enough evidence to justify it.


I mentally pass on the security to the organizations who think SSNs and birthdays are good enough to give you loans. Their fault for not doing additional checks like water bills, face matching, etc...

I'm more concerned that my writing style is the same as when I was a 13 year old Republikan lover and die hard believer posting on gamefaqs, reddit, facebook, etc.... I'm ~20 years older and those are some embarrassing things associated with an old username.

I'm sure AI will connect the dots using stories I posted and writing styles. I have a story about coke and mentos I posted for decades. THAT coke mentos story is going to be what unravels my US presidential campaign.



I recently moved and uHaul will now scan your ID and face with AI to save it into their system. I took a selfie with the employee in my background who denied my requests to skip this verification step. They did not like that, wonder why.


Instead of fretting about every data breach we need companies to start adopting security models that assume all the data is public and not rely on using SSN or address history or such for authentication/authorization.


I still can't believe the thing where in America you need to treat your social security number - a short identifier that never changes and is shared with hundreds of organizations - as private, because people who have access to it can do things like open loans in your name. Terrible way to design a society!


In fact, it was designed not to be used that way, but someone at some point got lazy and now here we are.


The reasoning is probably related to the kneejerk reaction to a national ID system, which is in turn related to (but not solely a result of) a kneejerk reaction to any sort of national firearms registry.


It's not knee-jerk when your nation's culture was formatively cemented by literally opposing everything about how Great Britain understood the relationship between citizen and state.

If you cannot understand why those things are dismissed without question, you have zero business being anywhere around them. Some systems just should not exist. Their mere existence, plus the temptation to abuse them, is basically irresistible to exploit once they do exist. Both of the systems you mention fall into that category.


Be that as it may, the US seems to have worked around the need in a suboptimal way.

I don't see how that can be improved without either 1) a national ID system seen in other countries or 2) beaming into average people's brains an understanding of unique cryptographic identities that they are in charge of maintaining and using.


The US now has recently (as big projects go) finished rolling out a national ID system: https://en.wikipedia.org/wiki/Real_ID_Act


This isn't really the same thing, though, is it?


Yes, it was designed to give plausible deniability. So it's not explicitly a "national ID system", it's just a system of uniform standards for identification cards across all the national territories with ubiquitous data sharing overseen by a federal agency... but it's "independently" implemented by the states, which could freely choose not to implement it at the cost of locking their citizens out of every federally-run program like, say, flying on a plane.


This is a thing that concerned people can largely address, though.

There are three reasons that a company wants your SSN. One is for tax-reporting reasons. For those, it's possible to get and provide a taxpayer ID number to use instead of the SSN.

Another is when they're going to need to file reports with Social Security itself. For those, they really do need your SSN.

A third is that they just want an ID number and are being lazy. I've found that in the majority of cases, just telling them that you don't provide your SSN for that purpose works. They'll generate their own number to use instead.


The real problem is not when you do any of these, it's when other people do it pretending to be you. That's the problem, it's used as an id and password and it's impossible to keep safe.


Our entire system of credit relies on SSNs, so you'd also have to never take out a loan to avoid handing it out.


I've taken out loans using my taxpayer ID rather than SSN.

That said, perhaps I should have made it clear that this isn't my field of expertise. I'm assuming the downvotes I got are because someone knows I'm wrong? I very well could be! I'm just reporting what my personal experience has been.


Isn't taxpayer ID effectively just a second SSN (other than being used for the actual Social Security program)? I don't see how that improves anything. It just increases your attack surface because you now have two ids that can be used to take out loans.


You might be right, but I don't think it effectively addresses the problems. Even if I can convince every medical provider and bank and whatever else service I can't even remember that I refuse to provide my SSN, except when strictly needed, can I go back and make sure they all retroactively update their records? I hope there aren't any that slip through the cracks. Then, does that really make my SSN safe, or is it a bandaid? Even that isn't really clear to me.

Finally, how does that help the millions of SSN fraud victims who aren't me and have no idea they don't have to give their SSN to get medical care? Like, I can learn self-defense against any number of dangers I might encounter - that doesn't mean I'm ok with those dangers being proliferated by our biggest and most critical institutions. So those are probably the two main reasons people are downvoting.


Add it to the list!


I wish we could find a better way. I've had my info stolen via breaches so much that I just pay credit monitoring and keep my credit locked all the time now. At this point every hacker knows more about me than I do.


Rather than get into arguments with whatever bottom-tier employee is asking for my personal information, I just mention that the CIA's Top Secret computer database, of Top Secret Information about their Top Secret Secret Agents, was successfully hacked. Years ago.

Once given that "out", no employee has ever felt the need to argue that their company's computers are somehow secure.


You touch on an important point, in that the situation in which this happens is laden with all kinds of social pressures (holding up a line, explaining to a SO why you aren't just giving over what they asked for to get on with your day, etc etc).


They probably got fired, since telling you the system is secure is part of their job duties.


Perhaps I've gotten dozens of scarce (local job market) retail employees fired over the years. With no push-back from them.

Perhaps your hypothesis is incorrect.


It's deeply ironic that this webpage wants me to give it my email address and card details before letting me read the rest of the article. https://archive.is/Th5vB


That's called paying for things, and isn't ironic in the slightest.


I buy things without giving away my personal information all the time.


How do you pay for things online without sending over details of a payment instrument?


Bitcoin or Ether from a new subaddress.

Monero for more privacy, or use the former currencies after exchanging from Monero.


Maybe they should be asking people to mail them cash.


And how do you tie that cash back to an online account?


Mullvad has it figured out: https://mullvad.net/en/blog/cash-still-king

Now, I don't expect a newspaper to go to such lengths, but it is nonetheless ironic for an article that tells me not to give up my information to ask for my information in the same breath.


There are many service and product vendors that accomplish this, depending on the exact things they sell. Mullvad being a premium example - you can maintain as much anonymity as you want; they get their money, retain only whatever they are legally required to based on the nature of the transaction, and it can even be entirely anonymous through cryptocurrency.

It is possible, and even admirable, for companies to do this. The only reason to hoover up as much identity data as possible is to maximize earnings, reselling harvested data to the highest bidder exclusively, or to the greatest number of purchasers.

It's not necessary or good to contribute to panopticon surveillance. The game being played is not anywhere close to informed consent or educated consumers making rational choices. It's universally deceptive and the underlying intent of the system is to maximize the amount of money being extracted from consumers while minimizing the cost, creating chains of middlemen and operators inflating the price of a good or service without adding value to the end-user.

It's not a valid free market tactic - it is not morally or ethically justifiable, despite the endless rationalization and dodginess muddying the water.

If it's not illegal, it will be done. If the penalty doesn't outweigh the profit, it will be done even if it's illegal.

We need some serious protections of consumer data, with c-suite decision makers going to prison, billion dollar companies shut down and liquidated, and a ruthless FAFO regulatory system put into place. Our current laws are oriented around 1980s notions of computer security and our data protections are rooted in quill and parchment era verbiage. We need to recalibrate and relegislate based on a modern understanding of personal data, with principles of ephemerality and cryptographic protections baked in that protect and support individual citizens first and foremost.


Via a user id, which need not be tied to your actual information?

It's not a hard problem to solve, once you set the requirement that you don't need a person's real information to let them use your product.


That's exactly what an email address is.


An email address is, at this point in time, a pretty permanent part of a person's identity.

It's also something that should be mutable for any given account (yeah, that is a direct contradiction of the above, but still), which a UID should not be.


You could wrap the cash in a sheet of torn off paper, with your SSN written on it.



