
Googling Strangers: One Professor's Lesson on Privacy in Public Spaces - walterbell
https://www.npr.org/2019/03/10/702028545/googling-strangers-one-professors-lesson-on-privacy-in-public-spaces
======
alias_neo
As someone that pays attention to things around me, it is interesting the
number of people who's name badges I see on display in coffee shops and cafes,
indicating, usually, not only their name but also their department, and
usually their "rank".

At times I see people with visitor badges on lanyards designed to indicate
their security clearance when visiting another department and which are
absolutely not meant to be worn off-site.

It might seem pretty benign to the person wearing a green lanyard with a green
badge bearing only the word "unescorted", but to those who know, it gives at
the very least a security clearance level.

Coupled with their name and department on their usual badge, also being worn,
against policy, visibly, in a public space, that information is not only
careless but potentially dangerous.

~~~
ip26
Can't most of that information be found on LinkedIn?

~~~
alias_neo
Some of it, yes, but it shouldn't, you're not supposed to disclose above
average security clearances, period, which is what the green badge indicates.

~~~
TooCleverByHalf
If above average security clearance is disclosed immediately by someone seeing
my badge then thats on the company, not the person with the badge.

~~~
alias_neo
The badge exists to identify you and your access privileges, it's purpose is
to be on display, and clearly indicate these things.

They're not to be worn outside, and the employee policies state that.

You can argue all you want with your superiors about who it's on while you're
being escorted from the building for gross misconduct.

------
js2
This article is re-reporting of:

[https://www.nytimes.com/2019/03/08/opinion/google-
privacy.ht...](https://www.nytimes.com/2019/03/08/opinion/google-privacy.html)

(which it does link to.)

As far as privacy is concerned, what should worry more about? A random
stranger ID'ing me or my license plate being read all over town, and soon
enough, my face being recognized. Because frankly I'm more worried about the
state than a random stranger. And not even because I'm think I'll commit a
crime, but more in the Brazil sense where the state makes a mistake and I
somehow get associated with some other person's crime.

That's the dystopia I fear.

You know, my house isn't a fortess of security either, but I don't worry too
much about it because mostly homes don't get burgled (at least in my neck of
the woods) and should mine, well I have insurance. Similarly, most people
aren't going around trying to ID the folks around them. (To what end anyway?)

Society only works because mostly people follow the rules and are basically
good to each other most of the time. The golden rule applies here: would you
want someone to ID you? No, then don't go around ID'ing other people.

I guess at the end of the day: don't be an idiot but you probably don't need
to be paranoid about this either.

~~~
Angostura
> Because frankly I'm more worried about the state than a random stranger.

But that 'random stranger' could be working for the state, or your health
insurance company, or just be a good old fashioned scammer.

------
rb808
I still liked that Russian app that lookedup people on social media account
from their photo.
[https://en.wikipedia.org/wiki/FindFace](https://en.wikipedia.org/wiki/FindFace).
I'm sure it wont be long before that is just normal.

~~~
randycupertino
Combine that with the Chinese social credit system and the implications are
pretty bleak.

~~~
Vinnl
Eh, or just with Western systems. Presumably when you contact a company
through Twitter they already prioritise based on the amount of followers you
have - if they do this in real-life interactions as well, I'm not too excited
about it either.

------
yorwba
They mention students identifying strangers based on just a few details, but
not whether they verified the correctness of that identification. It's easy to
think that you successfully doxxed a person, only to later find out e.g. that
you misspelled their name and all the info you found was actually about
someone else.

~~~
alias_neo
I guess finding a photograph of them, which is quite likely these days, is
confirmation enough.

------
HoochieKoo
A few years ago, one of my sons’ soccer team finished in the second to last
spot and so they were relegated to a lower tier. I knew that the team above
was “cheating” by playing too many players from out of their district. Our
Club President said “prove” it to me and I’ll do something about it. Well,
it’s amazing how much public information is out there such as where the boys
attend school, phone numbers they tell people on unprotected Twitter and
Facebook accounts, etc. I felt dirty knowing all this information about young
adults. In the end, even though we had the proof, we didn’t do anything about
it.

------
_cs2017_
> Some of the most outspoken skeptics of privacy protections in her class —
> the ones who once suggested that they didn't need privacy because they had
> nothing to hide — were stunned at how quickly they'd found out details of
> the lives of strangers who happened to cross their paths.

I don't think I understand this.

A person says they don't need privacy because "they have nothing to hide".
Then they are shown how easy it is to track / identify someone. Why should it
affect their views on privacy? After all, they claim not to care about being
tracked or identified in the first place.

~~~
alain94040
Let's say you think you have nothing to hide, your life is boring.

Then you find out details about strangers, and you start judging them based on
what you found out. (Oh, they don't exercise much -- they must be lazy).

Then it dawns on you: others will see the details of your boring life and will
judge you and reach conclusions about you that are likely to be wrong.
Because, guess what? They don't really know you. They are just using some
datapoints they found on the Internet.

~~~
AnIdiotOnTheNet
And then you stop judging people so much?

~~~
_cs2017_
I'd love to see that but I don't have my hopes high :)

------
Derelicts
Social hacking is alive and well. During my studies in computer engineering we
had lectures on cybersecurity and the person used the following example

[https://www.youtube.com/watch?v=lc7scxvKQOo](https://www.youtube.com/watch?v=lc7scxvKQOo)

Human error is still one of the most popular hacking techniques. By getting an
e-mail address you can check haveibeenpwnd to see if there were any leaks
related to that e-mail address and there's already a lot that you have on a
person that you don't actually know. Recently there was an increase in
phishing schemes where hackers obtained the passwords of really old leaks
(from myspace, armorgames etc. etc.) and sent letters to people with legit
passwords trying to extort money. This was a hugely successful campaign. I'm
not saying don't mention your name in public but for sure use a password
manager and a VPN if you're on public wi-fi a lot. And don't shout your cred
card number while buying coffee.

------
0000011111
From a tech standpoint there is not a lot of new information in this article.

My other thought is that people information has must have value for it to be
relevant to both good and bad people in the world. Googles data caches on
geographical - location and how they used that data to target mobile adds for
example has more value.

This begs the question. Do people need more protection from data caching apps
or the commomn human?

~~~
rincebrain
As the world has grown more interconnected, the actual value of people's
identifying information has sharply risen (as has the availability of it), but
we haven't figured out how to adjust our expectations for it. We still use a
bunch of bits of fairly small data as high-value sources of information.

In the US, social security numbers were not intended as a unique or
unguessable ID, especially since they used to be (still are?) given in ranges
to facilities for births/etc, so knowing their birthdate and where they were
born let you drop a bunch of possible values.

An even better example of uncontrolled information value, to me, is phone
numbers. We used to, with few exceptions, list publicly people's land phone
numbers in regional books, unless they opted out.

Now, increasing numbers of people don't have land lines, we don't have a
public cell phone number <-> name mapping (though it often leaks through other
public information sources), and worst of all...since we've started using
phone numbers as both an "in case of emergency contact here" for account
lockout, and as a 2FA source (either SMS or actual calls), and these networks
were not designed with robust security guarantees in mind, just knowing your
phone number can be sufficient to forge a SIM card to hijack the number. [1]

But not giving out your phone number defeats the entire point of having it,
and we have not yet convinced most institutions to stop using phone numbers as
reliable contact endpoints, so what's to be done?

[1] - [https://motherboard.vice.com/en_us/article/vbqax3/hackers-
si...](https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-
steal-phone-numbers-instagram-bitcoin)

~~~
jstarfish
SSNs are no longer keyed to geographic assignment. Only changed a decade ago
though.

------
akhilcacharya
Thanks to LinkedIn it’s shockingly easy to find people like this. I once
searched for someone in 5 seconds because they had a uniquely identifying
TShirt.

~~~
intopieces
Isn’t that the point of LinkedIn? To be found? If you have someone’s name...
used to be you could find out where they lived and their phone number, in a
book that a private company sent to everyone’s house.

~~~
dontbenebby
If you have someone's _first and last name_ , yes, LinkedIn is intended to
make them findable.

I think most people would be uncomfortable that I can often find them simply
with the first name + city pairing.

~~~
intopieces
Why would they be uncomfortable having their LinkedIn found by any method?
Forgive me for sounding obtuse, but I just don’t know what the point of having
a LinkedIn would be otherwise. It’s essentially a placeholder that says, “I
exist and am employed in such and such industry and at so and so company.” It
consists of information I would voluntarily give anyone who asked, sitting
next to me on an airplane, standing in line for coffee... What malicious deeds
should I be worried about being done based on someone finding my information
on LinkedIn?

~~~
dontbenebby
> _Why would they be uncomfortable having their LinkedIn found by any method?_

Harassment.

How would you feel if you broke off a conversation on Tinder and someone moved
over to LinkedIn to harass you? That's a real world example that has happened
to female friends of mine.

Even if you use a different phone number, email, and photo, just first name +
city alone can be enough to find someone on LinkedIn if you know what they
look like.

Social networks cause context collapse: we live in multiple spheres, but
technology allows those streams to cross, and the result is often unpleasant.

~~~
intopieces
I get that other people have risk factors that I don’t. Are these risks not
mitigated by the privacy settings on LinkedIn? Full disclosure: I checked my
privacy settings on LinkedIn and disabled some features I no longer value.
Thanks for reminding me.

------
jamisteven
Sorry, I dont believe this for one second. You mean to tell me that this
person was given an assignment to "de-annonymize" someone in public, and then
coincidentally runs into someone at a coffee shop who very loudly provides:
1\. Name 2\. Address 3\. CC Number 4\. PWD's to accounts

While on a phone call, at a coffee shop?!

The professor, the NY Times, and NPR, are all fools if they believe this way
too convenient series of events. gauranteed if this "guy in a coffee shop" is
even real, he has some connection to the student.

~~~
mayniac
I sat behind someone in business class on the Eurostar who was a C-level exec
at another company. He was on the phone with a client and reassuring them that
they took data security seriously, used VPNs and safes and FDE etc. He left
his laptop unlocked when he went to the toilet, with (what looked like, I
didn't snoop) a fairly confidential spreadsheet open.

We both worked in an infosec related industry. He was a c-level exec of a
direct competitor. I fully believe this story.

