
I Got Access to My Secret Consumer Score - pseudolus
https://www.nytimes.com/2019/11/04/business/secret-consumer-score-access.html
======
reggieband
There is a scene at the beginning of the movie Brazil [1] where a literal bug
falls into a tele-type, causes an error that starts a chain reaction that
frames the events of the movie. The bug is a metaphor in the movie, just some
nice visual story-telling to indicate how errors in automated processes can
have unintended consequences.

I honestly fear that entire lives will be ruined by AI systems mis-analyzing
some data and locking people out from education, work, credit and health
opportunities. For some reason, which will be mostly inexplicable to even the
engineers that trained the ML system, people will get denied or flagged for
spurious reasons.

As we automate everything this is inevitable. We're actively creating digital
gatekeepers. 99% of the time you won't even realize it has happened to you nor
would you have any recourse. It will be as innocent as an application you
don't get a response from, or a simple generic "sorry" email. Then the brick
wall of literal no customer service, or automated customer service that
refuses to escalate you to a human tier. Then maybe if you are lucky a
clueless customer service rep that compassionately explains there is nothing
they can do and they wish you the best with your continued search. Fair enough
their TOS likely allows them to deny service to anyone for any reason. Why
would they waste the effort to figure out why their multi-million dollar
system targeted you as an edge case? It works for 98% of cases which is
probably good enough for them.

Brazil is a fictionalization that imagines an extreme case and the events of
the movie get quite dark. The reality will be more mundane but IMO just as
insidious. In the not very distant future AI will be choosing who is healthy
and who is rich.

1. https://www.youtube.com/watch?v=XGge4rj4v_Y

~~~
falcor84
But is this really about AI? Almost all aspects of our lives are already
controlled by the enormously complex soulless machines of bureaucracy we call
firms and governments. Is there any essential difference between a computer
bug and a clerical error? If anything, I would assume the former is easier to
fix.

~~~
ljm
But that’s not how it works, it’s not one in place of another; it’s one that
depends on another.

If your physical bureaucratic entity delegates decision making to an AI, you
have no hope of redress unless due process was mandated.

If you cut the bureaucratic middleman then you have to build an AI that can
question itself and correct errors.

AI will never do that. So what you get instead is negligence because a
computer makes a mathematical computation and the human element treats it as
infallible.

------
Cieplak
I’m curious what sort of due diligence these companies must do to authenticate
you as a person prior to satisfying an information retrieval request. Given
that the exchange is entirely digital, it seems plausible that there are bad
actors who would pose as someone else to gain access to their personal
information. What sort of liability does one of these data controllers bear
when they fail to properly authenticate a person prior to handing over all
their data? Is it limited to tort liability, in which there needs to be proof
that the transgression ultimately led to some particular damage? Given that
this data is being traded on the free market, what’s to stop abusive
employers, ex-spouses and criminals from exploiting this information?

~~~
Frost1x
I suspect we as a society need new legislation to deal with these sorts of
issues. Before, much of this was incredibly difficult to impossible, so
legislation and regulation was entirely avoidable and the relatively rare
occurrences could be dealt with on a case-by-case basis.

At this point, technology has enabled this sort of behavior at mass scale, now
revealing far more personal and useful information about individuals.

A feasible model to work from may be to go look at the healthcare industry and
HIPAA requirements/liabilities and adapt as needed. Certainly not perfect, but
it's a good starting point for widespread data laws.

The question is, will our representatives actually give teeth to real data
protection legislation (not a facade with no teeth only enacted by name) in
the US or are they too deeply in bed with industry that they'll protect
business rights over real people who suffer real direct damages.

~~~
dkonofalski
>will our representatives actually give teeth to real data protection
legislation

No. The majority of them don't even understand what data is being collected,
how it can be used, or the technology behind any of it. Until the people in
office change, the idea that our representatives can or will protect us is
toothless and spineless.

~~~
whatshisface
What trouble Congress is in! They have to be experts in law, warfare, every
industry from oil refining to adtech, science (at least as far as funding it
goes), ecology, economics, medicine...

In fact I would say that it's impossible to expect anyone to understand enough
to know what they're legislating. Aside from being a powerful libertarian
argument against the excessive involvement of government, I think it shows
that we have to figure out a way to work around the fact that congressmen
don't understand everything that they're in charge of, rather than trying to
remedy it.

~~~
vertex-four
Congress used to have an office which would inform them of how things work,
but unsurprisingly, proceeded to dismantle it.
https://en.wikipedia.org/wiki/Office_of_Technology_Assessment

------
CPLX
I am surprised these guys are able to operate outside the normal credit
reporting laws. He’s referencing things that happened in 2009, which is well
outside the usual 7 year limit for credit report data.

Clearly, these companies are going to make the argument that this is not
credit report data subject to consumer credit laws, but I’m curious if that
has been tested at all. I would think an enterprising lawyer could make that
argument.

~~~
lftl
Aren't the credit reporting laws pretty strictly scoped to making decisions
about loans? I imagine these companies are pretty explicit with their clients
that scores can't be used for those purposes.

~~~
CPLX
They’re definitely used for rental applications and tenant evaluations, which
seems like a very short hop to Airbnb.

~~~
astura
They are also used as a factor in determining car and homeowners insurance
premiums in most states. (People who pay their bills on time are less likely
to make insurance claims)

------
Simulacra
Two points: First, the very act of requesting your data is in a way confirming
and verifying the accuracy of the data.

Second: Every prescription you've ever filled with insurance - and even some
without - is recorded by companies like Milliman.[0] When you want to buy life
insurance, health insurance, etc. they can request to see what medications
you're on, have been on, etc.

[0] https://clark.com/insurance/how-to-see-your-secret-health-credit-report-files/

~~~
zzzeek
how does that not violate HIPAA ? I see it talking about "you can proactively
opt out with hipaa" but everything I've ever seen about HIPAA is that all
"opting in" needs to be explicitly granted by the patient.

~~~
astura
If you want life insurance then you are required to give permission to view
this data about you. If you don't want to give permission, then you don't get
life insurance.

https://www.rxhistories.com/irix/medical-data/

>How It Works

>1 Applicants sign a HIPAA-compliant authorization, enabling insurers to
retrieve their medical information

>2 Insurers electronically query Milliman IntelliScript in real-time

>3 Milliman instantly gathers information from multiple data sources

>4 Irix interprets the data and generates automated decisions based on the
insurer's guidelines

~~~
SamBam
But I never gave _Milliman_ permission to hold this data, so didn't they
already violate HIPAA?

~~~
nosuchuser2
I think you misunderstand HIPAA. As long as they have a business associate
agreement with the pharmacies and serve some vaguely care-adjacent purpose,
the pharmacy can share your data with them without your knowledge or consent.

~~~
SamBam
I can't tell if you're being cynical or serious, but if the latter I can't see
how this is correct.

From the "Pharmacy Privacy Requirements" here [1], I don't think "business
associate agreement [with] some vaguely care-adjacent purpose" meets the
standards for information-sharing. Rather, the information must be being shared
as part of specific treatment for a patient (discussing actual care) or
payment.

[1] https://www.uspharmacist.com/article/hipaa-privacy-security-and-pharmacy-information-technology

~~~
rlucas
GP comment is being deadly serious and not at all cynical or sarcastic.

HIPAA is a fig leaf. Cardboard covers on clipboards to inconvenience the
nurses and receptionists, but an unencumbered infobahn for anyone who touches
the money to drive straight through.

For decades, every visit, test, procedure, and medication you've ever had paid
for by a health insurer in the US got dumped straight into MIB, where any
insurer could look at it. HIPAA functionally changed this not a whit.

------
ENOTTY
The fact that the data is being sold to third-parties (e.g., Sift) by their
collectors (e.g., Airbnb) is troubling. But what is even more troubling is
that we don't know how scoring companies (e.g., Sift) are using the data and
how they are generating scores.

Their models, if they are using ML, are opaque. Journalists haven't yet
cracked this nut, instead just reporting on the fact that company A has bought
personal data from company B. (That is likely to require anonymous leaks from
the scoring companies.)

I think the hacker ethos could be applied to this problem by viscerally
illustrating the threat. ('Hacker' used in the same way as the infosec
community.)

Hackers could request their own data, hypothesize what could be gleaned from
it, and use models (potentially academic ones trained on more general
datasets) to produce derivative information.

Then hackers should make tools to make this process easier for the average
journalist or consumer.

~~~
progval
> The fact that the data is being sold to third-parties (e.g., Sift) by their
> collectors (e.g., Airbnb) is troubling.

It looks like Airbnb & co paid Sift instead, in addition to sending it their
data: "Sift has this data because the company has been hired by Airbnb, Yelp,
and Coinbase"

~~~
dennisgorelik
My guess is that Airbnb will stop using Sift after this article is published,
because of bad press Sift generated for Airbnb by giving Airbnb messages back
to the original user (the author of that article).

~~~
phyzome
Imagine Airbnb changing their behavior because of bad press.

------
lisper
I just tried requesting my information from one of the links provided in the
article. As part of the process I had to upload an image of my government-
issued ID. After that, I was told to expect an email confirmation link that I
would have to click on before they could proceed. That was an hour ago and the
email has not yet arrived.

I don't really have any reason to suspect that this is a scam, but I can't
help but notice that _if_ one were to set up a phishing site for government
IDs the UX would likely be indistinguishable from what actually happened here.

~~~
prats226
To get this personal information, asking for government-issued ID gives them
one more data point on you and reinforcement of identity. So a win for them as
well I guess?

~~~
jjtheblunt
This might be entirely legit, and legally mandated.

https://www.sec.gov/fast-answers/answersbd-persinfohtm.html

It sounds like "KYC", i.e., know your customer.

~~~
freen
KYC is only to prevent banking fraud, i.e. money laundering. The SEC is the
Securities and Exchange Commission, who govern banking, the trade of financial
securities (stocks, bonds), etc.

These data brokers do not handle your money, and therefore do not need to
"know their customers", i.e. have no legally mandated right to ask for your
identification, at least according to this statute.

For one, I think it's super weird that they need a government issued document
to know who I am, but are perfectly happy to sell my data, marketed as
accurate, to third parties.

------
brianpgordon
> When I told Mr. Tan that I was alarmed to see my Airbnb messages and Yelp
> orders in the hands of a company I’d never heard of before, he responded by
> saying that Sift doesn’t sell or share any of the data it has with third
> parties.

What a line to say with a straight face. They _are_ the third party that he's
uncomfortable sharing his data with!

~~~
llamataboot
With what we know about the likelihood of major data breaches, even if you
liked Sift, and thought their purposes were noble, you would have to admit
that they are one big sitting duck for a targeted hack that could provide you
with massive amounts of aggregated information on an individual.

~~~
Ambele
Could Sift be the next Equifax?

------
happytiger
We, in the US at least, need a privacy Bill of Rights.

Electronic transmission of personally identifiable information and the storage
and mining of that data has so many permutations, and technology is so far
ahead of legislation consistently, it seems like it’s time for a proper
governance framework that exceeds any particular industry, and that has to be
based around the individual (I think, there’s more to that).

------
Androider
The Sift report is based on your email address, among other things. My email
box is full of random people's insurance quotes, medical and electric bills,
birthday greetings, and welcome emails to services I've never heard of. We all
know the company is going to spend approximately zero time to sanity check or
sanitize that data firehose. Turns out the movie Brazil was a documentary.

~~~
0xffff2
Out of curiosity, do you have a particularly simple email address? Over the
years, my various email addresses have been some combination of my name and
separator characters and I've had exactly one time where I got someone else's
confirmation for an airline booking. For most people, I think email is a
reasonable identifier. For people whose email is "bob@gmail.com" or the like
(who are probably more common on HN than in the general population) not so
much, but I'm pretty sure they're the exception not the rule.

~~~
mdavidn
I have my first and last name at gmail.com, with no middle initial. There are
approximately 1,700 people in the United States with the same first and last
name. I receive e-mail intended for others daily—personal correspondence,
account-related messages, utility bills, quotes for work, messages from
schools to parents, minor league events, mortgage documents...

(Gmail ignores punctuation in the local part, so I receive e-mail sent to my
name both with and without punctuation.)

------
Ididntdothis
“I don’t really care that these data analytics companies know I made a return
to Victoria’s Secret in 2009, or that I had chicken kebabs delivered to my
apartment“

People really should care. There is so much data about us being sold without
our knowledge. A while ago there was a discussion here that your full salary
history is available to be bought.

All this stuff is super creepy and you may increasingly be outnegotiated or
rejected by companies that you don’t know that they have your info and that
you don’t know that info even exists. For example I find it scandalous that
Airbnb messages or order histories are being passed on. That’s just not ok.

------
rhegart
Dating apps too? Wtf, imagine if they knew your preferences were same sex and
you flew to Dubai or China and you’ve criticized them, they could sell that
data and get you arrested or honeypot you. Great way to get dissidents
overseas with other compromising information

~~~
papln
It's a fun game: brainstorm hypothetical horrible abuses of private data, and
then find a news article that confirms the abuse has already happened.

http://theconversation.com/should-grindr-users-worry-about-what-china-will-do-with-their-data-95972

https://www.nytimes.com/2018/04/03/technology/grindr-sets-off-privacy-firestorm-after-sharing-users-hiv-status-data.html

------
awinder
I was at a loss for why Sift was collecting data like this from companies like
airbnb / etc, I worked a project using them around curbing some pretty gnarly
levels of credit card fraud. I think it must be that these companies are
utilizing their user content fraud scanning (“content integrity”) systems. I
don’t know about calling this a consumer score though, but it is truly
frightening if that’s how companies are utilizing that technology. I really
enjoyed working with them — so I might be biased to see the good here — but
they totally pushed back on biz folks on our side when they tried to nudge on
things that the technology was not designed to do. So I would imagine / hope
that they would have done the same in the case of something like constructing
a “consumer score”, the tech is for flagging outright fraud, not for
relatively scoring how good a customer is...

~~~
maxerickson
A binary score is still a score.

~~~
ineedasername
There's absolutely a difference between a binary "fraud/not fraud" flag and a
continuous variable for quality of customer. They measure different things and
have very different use cases.

~~~
CPLX
Is there a perceptible difference to a consumer who has been flagged as
"fraud" when they are not, in fact, someone who has committed fraud?

If not, then there's no difference.

~~~
ineedasername
They are literally two very different types of data. This isn't an ambiguous
issue: One is a continuous variable, the other categorical. Whether or not one
or the other could erroneously flag someone doesn't change that, and doesn't
mean they're the same. Because the nature of those differences means the use
cases are different. A continuous score has much wider versatility than a
black & white binary value, and allows for more nuanced use. Even if it's just
in the realm of fraud detection, a continuous score allows for more
safeguards, e.g., if it's low but not too low then it triggers further review
rather than outright rejection.

~~~
CPLX
You were replying to a comment that said "a binary score is still a score"

The comment you appear to be arguing with, is completely true. A binary score
is of course a score, and in fact that's almost always how credit and trust
scores are actually perceived.

From the company's perspective many scores are continuous, but from the
_consumers_ perspective that's mostly a distinction without a difference.

Usually from the consumer side you're being told you got the job or didn't, or
got the credit card, or loan, or apartment, or didn't.

~~~
ineedasername
I never said it wasn't a score, my issue was the implications that, both being
scores, they were somehow equivalent. They are not. A continuous score may be
used with a threshold to perform the binary categorization. In fact that is
all but guaranteed. But the continuous score, as I stated, has more
possibilities for nuanced use. The binary score is derived from something
continuous.

And you aren't usually told you got the loan or not. That is one possibility,
but the more likely one is that the continuous score of the credit rating
translates into a continuous score for the interest rate. This is why the
distinction between a binary and continuous score is important: this
continuous assignment of interest rate isn't possible with a single binary
variable.
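The threshold-versus-band distinction argued in this subthread, as an added example that is not code from the thread or from any scoring vendor. The thresholds, the APR formula and the sample scores are constructed for illustration; the point it shows is that a binary "fraud / not fraud" bit is one cut applied to a continuous score, while keeping the continuous value allows a human-review band for borderline cases and a graded outcome (here, a price) that a single bit cannot express.

```python
"""Continuous risk score vs. binary flag: a banded decision policy.

Added example, not code from the thread or from any scoring vendor. The
thresholds, the APR formula and the sample scores are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Constructed thresholds on a [0, 1] risk score; higher means riskier.
    reject_at: float = 0.80   # at or above: automatic rejection
    review_at: float = 0.50   # at or above (but below reject_at): human review


def binary_flag(score: float, threshold: float = 0.80) -> bool:
    """Collapse a continuous score to one bit: True means 'flagged as fraud'."""
    return score >= threshold


def banded_decision(score: float, policy: Policy = Policy()) -> str:
    """Three-band policy: 'reject', 'review' (route to a human) or 'approve'."""
    if not 0.0 <= score <= 1.0:
        raise ValueError("score must lie in [0, 1]")
    if score >= policy.reject_at:
        return "reject"
    if score >= policy.review_at:
        return "review"
    return "approve"


def interest_rate(score: float) -> float:
    """Constructed graded outcome: APR grows linearly with the risk score.

    A single binary variable can only yield two prices; the continuous score
    yields a price per applicant.
    """
    base_apr, risk_spread = 4.0, 12.0
    return round(base_apr + risk_spread * score, 2)


def compare(scores, policy: Policy = Policy()):
    """Side by side: strict binary flag vs. banded decision for each score.

    The strict flag uses the review threshold as its only cut-off, which is
    what a system gets when it must draw one line: borderline applicants are
    rejected outright instead of being sent to review.
    """
    rows = []
    for s in scores:
        rows.append({
            "score": s,
            "strict_binary": "fraud" if binary_flag(s, policy.review_at) else "ok",
            "banded": banded_decision(s, policy),
            "apr": interest_rate(s),
        })
    return rows


def review_count(scores, policy: Policy = Policy()) -> int:
    """How many applicants the banded policy sends to a human rather than rejecting."""
    return sum(1 for s in scores if banded_decision(s, policy) == "review")


if __name__ == "__main__":
    sample_scores = [0.05, 0.42, 0.55, 0.79, 0.80, 0.97]   # constructed
    for row in compare(sample_scores):
        print(row)
    print("sent to review:", review_count(sample_scores))
```

Running it shows the scores 0.55 and 0.79 landing in the review band, where the strict single-threshold flag would have marked both as fraud; the same two thresholds also define the binary flag, so the bit is always derivable from the score but not the other way round.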

------
sailfast
Anyone know if:

1. This information was shared in accordance with the privacy policies and
user agreements in place at the time the sharing started or were the policies
retroactively updated?

2. Any company actually been prosecuted / sued successfully for violating
their terms of use sharing data with third parties? Have any users actually
received $$, or just regulators via fines?

This will be near impossible to answer of course unless you were actually
involved in the sharing with Sift, but it seems to me the more this happens
with all of our data, along with the total lack of enforcement of any lapses /
breaches these kind of problems / proxy scores will only get worse and more
difficult to reason about as a customer.

------
kombucha11
Just requested all of my data from the companies listed. I'm very curious to
see the data they return.

~~~
edoo
I'd frankly be surprised if your request for records doesn't become a juicy
data point on the record.

~~~
jlokier
I agree.

Similar companies are the credit reference agencies - Equifax, Experian,
TransUnion.

Every time you request your data from credit reference agencies, the request
is logged. My log has many such entries, due to repeated checking I did while
trying to get corrections sorted, and due to the third party companies I used
to help with this.

So I'd expect the same to be true for the customer rating agencies.

In the case of credit agencies, they say that information ("soft" enquiries)
is not used to assess credit risk - and that it's either not made available to
companies that process applications, or must not be used by those companies in
the assessment.

To be honest, seeing the kinds of errors I've seen, as well as seeing the
inner workings when it is being corrected, some of it shows very shoddy, and
in some cases seriously unethical processes (that the companies know about).

So I simply don't believe that companies are diligent about following the
"must not be used" rule for data they "may" receive and are supposed to
ignore. To convince me, it would require a level of auditing, or quality of
audit, that companies plainly are not getting.

And these are companies I still do business with because they are good enough.
Goodness knows what to think of companies I wouldn't do business with, if I
knew about them and had any choice in the matter.

------
maxerickson
The data breaches from these companies are going to be an awful spectacle.

------
uptown
For all of these linkages there needs to be a key that associates data from
disparate services together. So what’s the key? Email address? IP addresses?
Credit cards? Is it implausible to try to take steps to circumvent these
firms’ abilities to connect our dots?

~~~
Cieplak
Quite possibly a composite key comprising name, gender, age and locale.

_"87% of the U.S. population is uniquely identified by date of birth,
gender, postal code."_ [0]

[0] https://dataprivacylab.org/projects/identifiability/paper1.pdf
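The composite-key point above, as an added example that is not from the thread or from the cited paper: a k-anonymity check that measures how many records in a dataset are singled out by the quasi-identifier (date of birth, gender, postal code), and how coarsening those fields to birth year and a 3-digit postal prefix lowers that share. The nine records and the column names (`dob`, `gender`, `zip`) are constructed for illustration.

```python
"""Quasi-identifier uniqueness (k-anonymity) check on a constructed sample.

Added example, not from the thread or the cited paper. Records and column
names are constructed; no real people are represented.
"""
from collections import Counter

RECORDS = [  # constructed sample, not real people
    {"id": 1, "dob": "1984-03-12", "gender": "F", "zip": "02139"},
    {"id": 2, "dob": "1984-07-30", "gender": "F", "zip": "02139"},
    {"id": 3, "dob": "1984-03-12", "gender": "M", "zip": "02139"},
    {"id": 4, "dob": "1990-11-02", "gender": "M", "zip": "02140"},
    {"id": 5, "dob": "1990-11-02", "gender": "M", "zip": "02140"},
    {"id": 6, "dob": "1975-01-19", "gender": "F", "zip": "10001"},
    {"id": 7, "dob": "1975-05-05", "gender": "F", "zip": "10002"},
    {"id": 8, "dob": "1990-02-14", "gender": "M", "zip": "02141"},
    {"id": 9, "dob": "1984-09-09", "gender": "M", "zip": "02138"},
]
QUASI_ID = ("dob", "gender", "zip")   # the composite key under discussion


def quasi_key(record, keys=QUASI_ID):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[k] for k in keys)


def group_sizes(records, keys=QUASI_ID):
    """Number of records sharing each quasi-identifier value."""
    return Counter(quasi_key(r, keys) for r in records)


def uniqueness_rate(records, keys=QUASI_ID) -> float:
    """Share of records whose quasi-identifier matches no other record."""
    sizes = group_sizes(records, keys)
    unique = sum(1 for r in records if sizes[quasi_key(r, keys)] == 1)
    return unique / len(records)


def k_anonymity(records, keys=QUASI_ID) -> int:
    """Smallest group size: k=1 means at least one person is singled out."""
    return min(group_sizes(records, keys).values())


def singled_out(records, keys=QUASI_ID):
    """IDs of the records that are unique under the quasi-identifier."""
    sizes = group_sizes(records, keys)
    return [r["id"] for r in records if sizes[quasi_key(r, keys)] == 1]


def generalize(record):
    """Coarsen dob to birth year and zip to its 3-digit prefix."""
    return {**record, "dob": record["dob"][:4], "zip": record["zip"][:3]}


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("exact fields:  uniqueness", round(uniqueness_rate(RECORDS), 3),
          "k =", k_anonymity(RECORDS), "singled out:", singled_out(RECORDS))
    print("generalized:   uniqueness", round(uniqueness_rate(coarse), 3),
          "k =", k_anonymity(coarse), "singled out:", singled_out(coarse))
```

On the sample, the exact triple singles out seven of nine records (k = 1); after generalization nobody is unique and every group has at least two members (k = 2). The same functions run unchanged over any list of dicts, so a data holder can measure its own re-identification exposure before deciding which fields to coarsen or drop.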

~~~
0xffff2
I would expect it's more complicated than that. I doubt that they just start
over every time you move to a different city.

~~~
therealx
I seem to have slipped through these cracks easily. When I do anything that
involves pulling my credit, it's a hassle because I give my correct address
information, however the credit agencies have out of date information.

Tips to slip through the cracks: have a different mailing vs home address,
don't apply for new loans/update work info with existing creditors over more
than one job cycle, move frequently. When your credit card asks how much you
make, they are doing so because the agency doesn't have good info on you and
they are updating their files.

------
est
The next natural step is a unified score, social credit score, no?

~~~
milofeynman
Well it sure seems like we managed to have a social score, the American way!
Privatized.

------
bambax
I would be more interested in knowing how the companies scoring customers
operate. If their goal is to detect fraudsters they must be able to aggregate
accounts with a different name and/or email from different systems, as surely
a fraudster will use a different identity on each service?

~~~
close04
I think the point is exactly that fraudsters have no history. The system
probably starts with a low score that increases as more data is collected. And
then it can actually score you on the data rather than a "probably fraudulent
account" flag.

------
forgottenpass
>“We’re not looking at the data. It’s just machines and algorithms doing this
work,” said Mr. Tan.

That's still looking at it. When are we going to stop letting people get away
with this lie?

------
SilasX
So Airbnb was sharing all your messages to hosts with Sift? Food ordering apps
were sharing all information about every order with them?

~~~
edoo
Selling is probably the correct word... as in "They are selling the
information like facebook sold user's private messages."

~~~
chrischen
It says so in the article. Those companies actually pay Sift to do fraud
detection. So no, not selling.

------
blhack
The fact that coinbase is sharing this information with some third party is
absolutely infuriating. I almost don't believe that.

~~~
btc-100k
Looks like Coinbase is buying the data (Sift Score) to help them make better
decisions on account takeover vs. not account takeover, credit card fraud vs.
not credit card fraud, ACH fraud vs. not ACH fraud.

In this context it makes perfect sense. Unless they force 2FA for every login,
how else are they going to protect good users from account takeover? Same goes
for buying crypto, they need a tool to help determine if someone is using a
stolen payment method or not.

~~~
blhack
The article author claims that part of the information they got from sift was
information about one of their own logins. So it would appear that coinbase
_is_ sharing information.

The reason I'm so flabbergasted by this is that this seems to really, really
damage account security. Now there is one company that has a massive profile
on me, that also knows very specific details about when I log into my account,
from where, from what devices, etc.

Completely unjustifiable imo.

~~~
btc-100k
This should help everyone better understand if interested:
https://sift.com/developers/docs/curl/apis-overview/overview

Sift makes risk predictions in real-time using your own data and data from the
100s of millions of users in Sift’s global network. Our machine learning
systems identify patterns of behavior across thousands of devices, user,
network, and transactional signals. These are often patterns that only a
machine learning system can spot. Using Sift, businesses have stopped 100s
billions of dollars of fraud worldwide.

There are many abuse use cases that Sift can stop:

Payment Protection - Reduce friction at checkout to increase revenue and stop
chargebacks before they hurt your business.

Account Abuse - Stop fake accounts from polluting your service and block bad
users before they harm your business.

Account Takeover - Stop bad actors from hijacking users accounts. Keep your
users safe and ensure that they always trust your service.

Content Integrity - Stop spammy and scammy posts from polluting your service.
Keep your users safe from malicious actors.

Promotion Abuse - Make sure you’re only rewarding real users by stopping
referral rings and repeated use of promotions.

_Sending Data to Sift_

To use Sift, we need to know about your users, what they do with your service,
and what actions you take in response to your users. This includes:

How your users are interacting on your website and/or mobile apps (eg what
pages they are visiting, which devices they are using, how long they spend on
each page, etc). We automatically collect this data when you add our
JavaScript snippet to your website and our Mobile SDKs to your app.

What actions your users are taking, usually key user lifecycle events (eg
creating an account, placing an order, posting content to other users, etc.).
You will send this data from your application to Sift via our REST API.

What actions your business is taking in response to users (eg approve an
order, ban user due to fraud, cancel order due to chargeback, etc). You will
also send this data from your application to Sift via our Decisions API.

------
TheCraiggers
All this makes me wonder: How long until being a privacy-minded individual
screws you over in the same way that paying cash for everything screws over
your credit rating?

I shouldn't have to choose between privacy and being able to return a device
at Best Buy.

~~~
Ambele
If you don't have a credit score or a credit score of 0 due to a thin file,
you can get one by using a cash-secured loan of $500. The loan amount doesn't
really matter so you can pick the smallest loan they offer. Then you're
basically buying yourself a credit score for $50 or less. Don't use online
lenders because the one I used (selflender.com, name & shame) kept my $500
principal despite claiming over and over that they sent a check that never
arrives. If you do this, use a CU or bank branch instead so that after you pay
it off, you can stare them in their money-loving bankster eyes to politely
demand your $500 back.

------
Pick-A-Hill2019
I asked Mr. Tan how many people had requested their data from Sift since the
company introduced the option to get it.

“Honestly, we haven’t seen much of a response,” he said.

Methinks that will soon change after hitting HN.

------
jcranberry
_How to get your data

There are many companies in the business of scoring consumers. The challenge
is to identify them. Once you do, the instructions on getting your data will
probably be buried in their privacy policies. Ctrl-F “request” is a good way
to find it. Most of these companies will also require you to send a photo of
your driver’s license to verify your identity. Here are five that say they’ll
share the data they have on you.

Sift, which determines consumer trustworthiness, asks you to email
privacy@sift.com. You’ll then have to fill out a Google form.

Zeta Global, which identifies people with a lot of money to spend, lets you
request your data via an online form.

Retail Equation, which helps companies such as Best Buy and Sephora decide
whether to accept or reject a product return, will send you a report if you
email returnactivityreport@theretailequation.com.

Riskified, which develops fraud scores, will tell you what data it has
gathered on your possible crookedness if you contact privacy@riskified.com.

Kustomer, a database company that provides what it calls “unprecedented
insight into a customer’s past experiences and current sentiment,” tells
people to email privacy@kustomer.com.

Just because the companies say they’ll provide your data doesn’t mean they
actually will._

------
imnotlost
Make it illegal to aggregate data about a person.

------
aSplash0fDerp
"You're the product"

So if/when these companies get bought out, go out of business or liquidate
their assets in a downturn, then what?

Until they legislate some sort of data expiration date or "do not track lists
(similar to do not call lists), it looks like the onus is on the individual to
protect their interests/data.

------
gorgoiler
Having your drivers license fall into the hands of a bad actor must be a
complete nightmare.

Uploading a photo of government ID is also the backdoor to all sorts of
things. The one that worries me is my Facebook account, including all my
private messages.

A better idea: the data collectors should ask me for a notarized letter
confirming my identity (the notary has seen my government ID) which references
a unique support-ticket number from the data collector (avoid replay attacks).
The data collector would verify the letter out-of-band with the notary too?
I’d be a lot happier with that.

What else would such a pen and paper protocol need to work? The notary network
is a handy piece of national infra — it can be trusted in this way?
Legislation would be needed to force the data collectors to adhere to the
protocol.
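The replay-resistant piece of the protocol sketched above can be modelled in code. The following is an added example, not gorgoiler's proposal or any data collector's implementation: the collector opens a support ticket with a random, single-use id and an expiry; the notary attests the subject's identity against that exact ticket; the collector checks the attestation against its notary directory, rejects unknown, expired or already-consumed tickets, and marks the ticket used so the same letter cannot be presented twice. A keyed HMAC with a per-notary secret stands in for the notary's signature and for the out-of-band check with the notary; the two-week ticket lifetime and all names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Ticket:
    """One support ticket opened by the data collector for one access request."""
    ticket_id: str
    subject_id: str      # how the collector identifies the requester, e.g. an email
    issued_at: float     # unix time the ticket was opened
    consumed: bool = False


def attestation_mac(notary_key: bytes, notary_id: str, ticket_id: str, subject_id: str) -> str:
    # Stand-in for the notary's signature (assumption: a shared secret per notary).
    # Binding the ticket id into the tag is what makes a letter single-use.
    msg = f"{notary_id}|{ticket_id}|{subject_id}".encode()
    return hmac.new(notary_key, msg, hashlib.sha256).hexdigest()


class Notary:
    """The notary: has seen the government ID and vouches for the subject."""

    def __init__(self, notary_id: str, key: bytes):
        self.notary_id = notary_id
        self.key = key

    def attest(self, ticket_id: str, subject_id: str) -> dict:
        return {
            "notary_id": self.notary_id,
            "ticket_id": ticket_id,
            "subject_id": subject_id,
            "mac": attestation_mac(self.key, self.notary_id, ticket_id, subject_id),
        }


class DataCollector:
    TICKET_TTL = 14 * 24 * 3600  # assumed: two weeks for a paper letter to arrive

    def __init__(self, notary_directory: dict[str, bytes]):
        self.notary_directory = notary_directory   # notary_id -> verification key
        self.tickets: dict[str, Ticket] = {}

    def open_request(self, subject_id: str, now: float) -> str:
        # A fresh random id per request; the subject quotes it in the letter.
        ticket_id = secrets.token_hex(8)
        self.tickets[ticket_id] = Ticket(ticket_id, subject_id, now)
        return ticket_id

    def verify_letter(self, letter: dict, now: float) -> tuple[bool, str]:
        ticket = self.tickets.get(letter["ticket_id"])
        if ticket is None:
            return False, "unknown ticket"
        if ticket.consumed:
            return False, "ticket already used (replay)"
        if now - ticket.issued_at > self.TICKET_TTL:
            return False, "ticket expired"
        if letter["subject_id"] != ticket.subject_id:
            return False, "letter names a different subject than the ticket"
        key = self.notary_directory.get(letter["notary_id"])
        if key is None:
            return False, "notary not in directory"
        expected = attestation_mac(key, letter["notary_id"], letter["ticket_id"], letter["subject_id"])
        if not hmac.compare_digest(expected, letter["mac"]):
            return False, "attestation does not verify"
        ticket.consumed = True   # burn the ticket before releasing anything
        return True, "identity verified; release the data"


if __name__ == "__main__":
    # Constructed walk-through: one honest exchange, then a replay of the same letter.
    key = b"constructed-notary-secret"
    collector = DataCollector({"notary-42": key})
    notary = Notary("notary-42", key)
    t0 = 1_700_000_000.0
    tid = collector.open_request("alice@example.com", now=t0)
    letter = notary.attest(tid, "alice@example.com")
    print(collector.verify_letter(letter, now=t0 + 86400))
    print(collector.verify_letter(letter, now=t0 + 86400))
```

The order of the checks matters: the ticket is looked up and its state tested before any cryptography, so a replayed or expired letter is rejected without the collector having to trust anything in it, and the ticket is consumed only after the attestation verifies, so a forged letter cannot burn a legitimate subject's ticket.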

~~~
papln
Notarization essentially puts a $30-$100 price tag on the operation, which
meets with a lot of resistance.

~~~
dheera
Considering how many people are notaries and how easy it is to become a
notary, I don't think it's any form of security. It's just an artificially
created market for people to make quick bucks signing documents.

~~~
skyyler
Notaries typically cannot notarize their own documents.

~~~
dheera
So get your friend to be the notary? It seems like an incredibly insecure
system to me for the 21st century world when we have much better ways, e.g.
signing keys.

------
johnjungles
[https://resources.sift.com/case-studies/](https://resources.sift.com/case-studies/)
Here is the list of companies. I don't really use these services often, if at
all. So I can probably delete them.

------
GeorgeGarland
I went from a 400 credit score to an 850 in a matter of weeks. They helped me
get my credit back on track. Hey people, these prevented me from getting a
mortgage until I sought help here. If you plan on buying a house, a car, or
even getting approved for a credit card or loan, the first thing you need to
do is contact Claudbatemancreditexpert/AT/ Yahoo /Dot/ Com or text him (407)
337-9879. You have nothing to lose. Having a great credit score will get you
the best deal and interest rate on everything. I'm very happy. God bless him.
He is reliable and efficient in his job.

------
bsanr2
As with many of these sorts of profiling mechanisms, I assume that racial bias
is baked into the process, yes? You know, like it is with credit, crime
sentencing, airport security checks, college admissions, and presumably retail
and residential investment decision-making. I can't wait to find out exactly
how this has been hurting people of color/poor white people.

------
aj7
Executive summary: Send an image of your driver’s license to a company you
never heard of, and hope. Yeah, right.

------
president
These types of personal data access repositories are just asking to be hacked.
If you're going to buy my personal data, at least try to protect it or else
you're just putting salt on an open wound.

------
bduerst
This seems like a great app idea. Kind of like haveibeenpwned but for checking
out what data vendors have on you. It would be pretty expensive though
considering a lot of this info needs to be purchased.

------
DGAP
Anyone who's ever worked with Sift knows this is an unfair characterization.
It reads like every other article in the NYT about tech or cybersecurity -
uneducated fear mongering.

------
uptown
I'd bet a huge amount that none of these places have adequate internal
controls to regulate and monitor what their employees do with the information
they manage.

------
dheera
> how long each of us waits on hold

What is this based on? A phone number? Probably doesn't help me that my
outgoing and incoming phone numbers are usually different.

------
freen
I wonder if any of the information they have about me is copyrighted? If they
are storing content that belongs to me, do I have DMCA takedown rights?

------
raybb
Does anyone know if there is a git repo or something of the sorts that lists
customer scoring companies and how to contact them for your data?

------
andeebe
At tapmydata.com we use two levels of verification when a user sends a data
rights request to an organisation.

We use 2factor auth on both email and mobile. In fact, you have to verify
these before sending a request. Problem is, most organisations want more
information from the individuals, such as ID in the form of a passport or
driving licence.

We're working on a solution where individuals don't have to give up more data
to receive their data. I mean it's not ideal sending a copy of your passport
in an email.

Not sure on anyone else's thoughts?

------
Keltullis
The best thing we can do is bombard them with requests of data disclosure. The
bureaucracy ensuing might put them out of business.

------
xivzgrev
Did the author actually get his “secret consumer score”? It says in article he
got raw data but there was no “score” at top.

------
neonate
[http://archive.is/CysGX](http://archive.is/CysGX)

------
freen
FYI, they only ask for a government issued ID. My fishing license is one of
those. ¯\_(ツ)_/¯

------
bencollier49
God help these companies if they're collecting data on EU citizens. Contrary
to what is posted elsewhere here, GDPR applies to:

"a company established outside the EU and is offering goods/services (paid or
for free) or is monitoring the behaviour of individuals in the EU."

Enforcement might be difficult, but I'm sure that associated entities have
interests in Europe as well..

I'm sure it's been fully risk-assessed and they don't do it.

~~~
14
A quick DuckDuckGo search shows me that Coinbase has European customers for
sure. The article states that the information knew exactly when the person
opened the Coinbase app on their phone, and the type of computer, time and date
they changed their password for Coinbase. I have been thinking that the only
way they could have that information is if they were given it by Coinbase. I
guess, sure, they could stop and not log anything on European customers, but
seeing how they are using this as a fraud detection system, I feel it is likely
they are using it on European customers as well.

------
jacquesm
GDPR like legislation would have required any company holding a profile on you
to disclose that fact, would have allowed you to read it; would have been
required to correct it on request and would have allowed you to ask for
removal of your data. Scoring companies such as these will lobby like there is
no tomorrow against such legislation.

~~~
dexterdog
Not all. I work for a company that deals with all kind of data like this (but
not actual communications). We are building a system to honor all opt-outs and
deletions and will be online before the first of the year for CCPA. The
reality is that most people will not ask for this stuff because they don't
care. Requests for actual data are tricky because you have to fully validate
that the person is who they say they are.

------
corndoge
In case anyone wants to actually email them, the instructions for DataSift,
related to Sift, are on this page:

[https://community.datasift.com/t/datasift-gdpr-platform-and-...](https://community.datasift.com/t/datasift-gdpr-platform-and-process-compliance/4748)

Search for "Right of Access"

------
ktpsns
Here in Germany there's a popular company called SCHUFA
([https://en.wikipedia.org/wiki/Schufa](https://en.wikipedia.org/wiki/Schufa))
which has collected (and sold) data about (non)solvent people for almost 100
years.

Thanks to the law, one could already ask about one's score in the past. Thanks
to GDPR, nowadays they have to publish a much more detailed report of what they
store about one. And it's really scary: it's written that I lost some scoring
because I moved from a smaller building to one with more than 8 tenant parties
(flats). So literally, I moved from a smaller house to a bigger one and now I
am less creditworthy.

~~~
megous
Yeah, I asked a similar collector of data in the Czech Republic about the data
they held, and they refused to provide the details they based their scoring on,
but provided me my historical scores, and it was basically the reverse of how
my financial situation was during the years they provided scores for. As I
gained savings my score worsened, and it was best when I had nothing.

One can only wonder, what that secret algorithm looks like. :D

It's sort of weird that some entity makes up some seemingly random scores
about you, and other companies/institutions use those to judge you. That's
quite a bit of power.

------
maxekman
I wonder how long it will be, if ever, until we'll have a self-service site
for GDPR that shows all holders of data, with the ability for the user to
retrieve and/or delete their data? It would also be interesting if the EU could
provide some kind of register with an API that all online actors in the EU have
to report data collection to. I'm pretty sure regulating systems like these will
become standard eventually, as users are more and more aware of the crazy
situation.

------
robocat
What rights does the rest of the non-US/non-EU world have?

In New Zealand we have some data privacy laws, but they only have teeth for
New Zealand organisations; we don't have the political clout to have any
outcome similar to the impact of the GDPR regulations.

Meanwhile businesses in other countries have few regulations to restrict how
they treat me, because I am a foreigner.

I guess I should try and get a dual-citizenship in the EU so I can protect
myself a little...

------
MandieD
I wonder if I'd still get all my "American" data if I submitted my German
contact info.

I'm an American citizen, but a German legal resident, which should mean that
GDPR applies to me just as much as it does to German citizens.

------
alkonaut
How does the type of hoarding Sift does work with regulations like GDPR? The
type of data collected seems like one big violation.

Do they simply avoid operating in places with GDPR (or equivalent) laws? Is
that even possible?

------
tomaskafka
Tldr: American discovers that GDPR is actually useful (in this case for
requesting what companies know about you).

------
kofejnik
Thank God for GDPR

Also, I imagine any and all of this can and will be subpoenaed in any
litigation, such as divorce or debt collection

US needs its own GDPR, stat

~~~
dexterdog
We have CCPA (well we will shortly) and most companies that employ any kind of
lawyers will comply with it.

------
netsharc
I wonder if as an EUian I can say "say hello to my little friend GDPR"..

~~~
jacquesm
You can, but it would be a lot more powerful if you did it in writing in the
form of a properly formatted DSAR request.

~~~
netsharc
Of course I wouldn't formulate it like that. Fucking hell, downvoted, that
taught me, trying to make a joke...

------
throwGuardian
Can we please talk about AirBnB, Coinbase, et al selling personally
identifiable data to third parties?

Buried deep in their legalese, they may have the right to do this, but I was
NOT aware this was happening. This is not acceptable

------
ChaosDegenerate
Will these systems be prone to false data?

I.e. if an organization fighting for free speech would create software
generating false personas who create false messages, and other events, would
they know any better?

For example, it wouldn't be too hard to generate hundreds if not thousands of
fake Facebook, Instagram, Airbnb, Coinbase, Uber, Gmail, Amazon, etc.
accounts doing "stupid things". Like ordering stuff and cancelling orders
right away. Like generating fake emails en masse with "trigger words", in
millions a day. Like creating fake posts on Facebook warning of fake incidents
like "15% of Uber drivers have serious mental issues".

The whole thing could be scripted and run on bots worldwide in millions. After
some time, a serious chunk of internet traffic would be fake. How would these
companies know any better?

~~~
jlokier
Credit reference agencies are already prone to false data, and that's without
anyone trying to game them.

When I checked this year, 2 out of the 3 major CRAs in my country (Equifax,
Experian) had:

\- An incorrect flag saying I was not registered to vote, and a note saying
this significantly affected my credit rating.

\- A bogus address that didn't correspond to any physical location. Nor did it
correspond with any address used by any business, that I know of. (If it does,
they won't be able to mail me!)

\- Three credit application searches (hard searches) in 3 days, for
applications I didn't make. (I complained to the relevant company, who agreed
they were added due to software errors on their side, and "resolved" the
complaint by agreeing to remove them; but in the end they didn't remove them,
so my history has unremovable entries for applications I've never made.)

\- An account with the largest telecoms provider (BT) in the country that I
didn't have (I'd left them 2 years earlier, account fully closed and settled).

\- Fictitious monthly entries on the above account showing _new_ amounts being
added each month, of seemingly random amounts (no obvious pattern), and
flagged as severe, overdue, late payer etc. Not a good look on a credit
record, and entirely fictitious. (Fixing this proved arduous, and I ended up
having to use three companies in a daisy-chain of each one passing along a
formal complaint to the next. I later learned from BT customer support that BT
does this to other former customers without their knowledge as well, so for
ethical reasons if I can muster the energy I'll be complaining about this to
the government regulator)

I could say so much more about the complaints process, terrible customer
service in every conceivable way from Equifax specifically, and more, but it
would be rather off-topic.

Remarkably, just complaining about the above caused the errors to be
acknowledged and correct data found magically by the companies involved,
without me needing to provide replacement data. It's as if the companies
involved had all the data they needed already, they just aren't using it until
a customer finds out and complains.

~~~
therealx
So common. I've had all of these happen, too. I didn't know not being
registered to vote could hurt you; was that in the US? I assume not, due to BT
being mentioned.

AT&T is currently doing the same thing BT did to you. I closed my account and
shipped back hardware a year ago. Since then, they have been reporting either
a bill with a random number from $100-3,000 or 0, and being either on time or
late or none. It's maddening.

~~~
jlokier
In the UK. I don't know how much not being registered to vote hurts, only that
CRA pretty websites highlight it as a significant negative, and advised me to
register. Which I already had, years prior, they just got it wrong until I
complained. Which took 10 minutes with Experian and several weeks with
Equifax.

I'll describe what I had to do to fix the BT nonsense, in case it's useful
for your AT&T problem.

To fix the BT nonsense (after I'd done tedious detective work to figure out
which company it was, as it was under a company name I didn't recognise), I
was lucky to get a good BT customer service agent, who explained that they
could see it was BT, that it happened to other people as well, and the BT
Equifax-handling department would fix it as soon as they looked at it, but
that department wouldn't fix it on my request. To fix it I needed to complain
to Equifax myself as a data correction. Equifax could not change data, since
it merely aggregates data supplied by other companies and is not responsible
for the data, but it would contact the BT Equifax-handling department, who
would make the correction and submit it back to Equifax. In the end getting
Equifax to process a data correction complaint was excessively difficult, slow
and intrusive (requiring various documents I didn't care to send them), and I
found a third company who magically made Equifax process the complaint in days
rather than months; it went all the way along the chain to BT and back, and
was magically fixed.

------
badrabbit
Would someone with access mind saving us a click due to reg/pay wall?

~~~
philmcc
Sure, five companies you can reach out to and ask for your consumer
trustworthiness records

\- privacy@sift.com

\- returnactivityreport@theretailequation.com

\- privacy@riskified.com

\- privacy@kustomer.com

\- [https://zetaglobal.com/](https://zetaglobal.com/) is a form.

~~~
high_derivative
So can Europeans send a GDPR right-to-be-forgotten request to all of these?

~~~
GoToRO
Don't take my word for it, but I believe that you can only if they have opened
a subsidiary in the EU. The fine is a percent of global sales (not profit).

~~~
mattlondon
As far as I understand it, if they are processing EU citizens' data then they
are liable for GDPR regardless of where they run their business from.

[https://www.techrepublic.com/article/the-eu-general-data-pro...](https://www.techrepublic.com/article/the-eu-general-data-protection-regulation-gdpr-the-smart-persons-guide/)

~~~
GoToRO
Then I'm curious how do they enforce it. Maybe with US there are some treaties
signed, but what about a foreign country that has no treaties with the EU?

~~~
volkl48
To date, the answer to that question appears to be: Sternly worded letters,
which will be promptly ignored.

There's no actual enforcement mechanisms against an entity that does not exist
in the EU and has no financial exposure to it. That includes with the US, as
far as I can tell.

