
Forget Equifax. Facebook and Google Have the Data That Should Worry You - adventured
https://www.bloomberg.com/news/articles/2017-09-11/forget-equifax-facebook-and-google-have-the-data-that-should-worry-you
======
ams6110
I think what we're seeing are the same sorts of things that led to building
codes, fire codes, licensing of architects and civil engineers.

After so many building collapses, bridge collapses, or disastrous fires,
people finally demanded that "build whatever you want, however you want" is
not OK if you are making something for use by the general public.

I think ultimately we're going to see legislation requiring
licenses/certifications for software designers and software companies and
software service providers. Like a civil engineer is licensed and personally
liable for designs he approves.

It's coming. People will only tolerate the current shitshow that is our
industry for so long.

~~~
blfr
It might happen but I don't think it'll work. Codes work because they deal
with known, predictable, and repeated problems. You can keep improving the
fire code with each disastrous fire and fire will not actively try to outsmart
you next time.

Security OTOH is anti-inductive because you're dealing with intelligent
attackers adjusting their methods. In this environment, security code and
certifications will just become another pile of papers for bureaucrats to
verify after your data was leaked anyway.

But maybe it will at least force manufacturers to make their products'
software updateable.

~~~
romwell
I disagree.

The attackers can't get the data if you don't store that data to begin with.
Voila!

I think there should be legislation that simply restricts who can store which
data, as well as legislation that forces open-sourcing of critical
infrastructure software.

~~~
thanksgiving
We can't even agree on a very weak version: if you store personally
identifiable information about me, you MUST share it with me. It does not
matter if you're a local corner store or the CIA. You may not store personally
identifiable information about me without telling me all about what you're
storing.

I bring it up and conversation shuts down. Nobody likes it. Therefore, I
submit that what you're saying won't happen either.

------
bogomipz
As a natural-born American you still have the choice to not sign up for a
Google account or a Facebook account. You do not however have the option of
refusing to apply for a social security number when your child is born.

This piece looks like little more than propaganda from the credit reporting
agencies. Shame on you Bloomberg.

~~~
Gracana
> you still have the choice to not sign up for a Google account or a Facebook
> account

Unless you're careful to guard against it, you're loading up Facebook and
Google's trackers on just about every site you visit. Registering for an
account is not a prerequisite for them to build a profile on you.

~~~
orthecreedence
Can someone open a bank account in my name or take out a loan based on data
google/facebook have on my browsing history? I kind of doubt it.

I saw this post and immediately thought "propaganda" as well.

~~~
pjc50
Not _yet_, but it's the sort of thing I can imagine happening in a couple of
years. I think there have already been a couple of attempts at involving FB
profiles in credit ratings.

And of course you can be refused a job based on your social media profile, or
whatever comes up when people Google for your name.

~~~
magnetic
> And of course you can be refused a job based on your social media profile,
> or whatever comes up when people Google for your name.

I used to spend some time in some car enthusiast forum back in the early 2Ks
and after a few years I lost interest, so I stopped visiting. 10 years later,
I decided to visit again and noticed that many posts had been made in my name
(thankfully, just with my nickname), with horrible things being written "by
me". Of course I had no way of knowing that their servers had been hacked
years ago, and no recourse.

I can only imagine if there was my real name used on a random server somewhere
with some dirt written, uncovered by someone googling my name...

"If it's on the internet, it must be true" is a scary thought.

------
arkem
I'm not particularly worried, Google and Facebook have two of the best
security teams in the world and spend an amazing amount of money to protect
customer data.

The amount of convenience I get from Facebook and Google outweighs the risk I'm
exposed to, in my opinion.

If Governments want to create data protection regulations I'll save my opinion
until I see whatever regulation is proposed but I think it'll be difficult to
create data protection regulation that is effective at protecting people
without imposing a large expensive burden on companies.

~~~
tryingagainbro
_I'm not particularly worried, Google and Facebook have two of the best
security teams in the world and spend an amazing amount of money to protect
customer data._

NSA begs to differ, on both counts [https://www.theguardian.com/us-news/the-
nsa-files](https://www.theguardian.com/us-news/the-nsa-files)

CIA too [https://wikileaks.org/ciav7p1/](https://wikileaks.org/ciav7p1/)

~~~
arkem
I've read the reporting of Snowden's leaks and I have at least as much
exposure to the inner workings of the five eyes as Snowden did and I have come
to a different conclusion.

I do not believe that Google is voluntarily handing over any sensitive
customer data to the NSA without legal compulsion. I would not be surprised if
intelligence agencies around the world including US based ones target Google's
communications (probably in full accordance to each agency's authorization)
but that would not be with Google's cooperation.

I believe that Google is taking steps to protect customer data from all bad
actors, including Government agencies. One initiative that was underway around
the time I worked at Google was to encrypt all the data-center to data-center
traffic at Google in an attempt to frustrate anyone who was tapping Google's
backbone links.

~~~
CaptSpify
> I do not believe that Google is voluntarily handing over any sensitive
> customer data to the NSA without legal compulsion

Why does it matter if it's under legal compulsion or not? At the end of the
day they _are_ handing over your data. They could choose not to store it, thus
making it impossible to do, but they don't.

~~~
alexasmyths
"Why does it matter if it's under legal compulsion or not. "

Because we are all obliged to follow the law.

~~~
CaptSpify
A) No we aren't. Unjust laws should be fought. I realize that this is easier
said than done, but it's still true.

B) They could organize it so that even when the law comes asking, they _can't_
comply, but they don't.

What matters is that they are acting insecurely, and providing data that they
shouldn't be storing/providing in the first place. The law is irrelevant here.

~~~
alexasmyths
"A) No we aren't. Unjust laws should be fought. "

In the court system, not by disobeying.

Your view of 'what is unjust' is likely completely different from the view of
others.

Particularly in this case, I don't have any problem with Google or FB handing
over data for individuals under investigation, wherein a Judge had provided a
warrant. This is 'legal' in every sense of the term and has been for some
time.

As for 'mass surveillance' - well, this was a murkier area, and has been
cleared up by the Supreme Court, and I don't suspect they are doing it.

If Google does not want to hand over data to officials producing warrants,
they can take it up in court, and try to get an injunction against the process
of handing over. If a judge feels there is merit to the case, they will grant
the injunction while the case is being resolved.

"They could organize it so that even when the law comes asking, they can't
comply, but they don't."

Nope. They can organize all they want, but if the Government is well within
legal limits, Google et al. would face some serious pain. Again for 'mass
surveillance' stuff (i.e. legal ambiguity a few years ago), they'd have some
legal footing to fight (i.e. try for injunctions), but for other things, not
so much.

~~~
shakna
> In the court system, not by disobeying.

Which cannot be done, when any issues with these laws are discussed in "secret
courts" [0], and where the individuals involved cannot reach out to experts in
the field, because their hands are tied by gag orders.

The strength of the warrant becomes less when you recognise that FISA approves
almost every request it gets. The warrant is little more than a proforma.

The structure of the current laws prevents a lawful answer to the situation.

I can't advocate breaking the law, that would be going against myself.

But neither can I advocate for the law, here, because it is failing to protect
the people of the nation, from the power of the nation.

[0] [http://edition.cnn.com/2017/03/08/politics/fisa-court-
explai...](http://edition.cnn.com/2017/03/08/politics/fisa-court-explainer-
trnd/index.html)

~~~
alexasmyths
The article you cited shows there is rather heavy oversight, and at a very
high level.

And that only about 1500 FISA requests are granted a year, which is a very
small number for 300 M people, relating to another 7 Billion.

A single case might yield 5 or 10 warrants, ergo, possibly as few as 150
serious cases.

That's small.

That 'they are almost always granted' is not so bad in and of itself. If
there's a 'known process' for getting warrants, and law enforcement knows what
will be approved and what won't - well - then there shouldn't be too many that
are denied.

Underlying the 'warrant' is not something 'pro forma' - it's a set of
expectations and requirements upon the part of the overview system in place.
The 'form' requires that the applicant fulfills some very important criteria.

I do think it's fair to be suspicious and that we should be vigilant about it,
but I don't think that 1500 requests a year is too out of line.

I think the big concern is the 'mass surveillance' - or when local cops are
making requests to do local-yocal small cases that don't have relevance to
things like actual terrorism.

~~~
shakna
> I do think it's fair to be suspicious and that we should be vigilant about
> it, but I don't think that 1500 requests a year is too out of line.

Those 1500 requests cover about 15 million people though, which skews the
weighting. That gives me concern.

> If there's a 'known process' for getting warrants, and law enforcement knows
> what will be approved and what won't

Either that, or there is a culture that rejecting a warrant needs extenuating
circumstances, in which case it becomes a large concern.

We can't know if the oversight is simply managerial, or actually effective.
It's done with the utmost secrecy, with many punishments awaiting any who
might speak out.

> I think the big concern is the 'mass surveillance' - or when local cops are
> making requests to do local-yocal small cases that don't have relevance to
> things like actual terrorism.

Unfortunately FISA enables mass surveillance. And the checks and balances seem
heavily weighted against the individual, and in favour of a state they can't
oppose.

------
hodder
Yes they have immense amounts of personal data and that is worrying. It is
worrying they share this data with government agencies, marketing agencies
etc.

BUT, unlike Equifax they haven't been completely compromised by hackers.
Equifax is unique in its level of incompetence. I'm surprised the equity is
holding up as well as it is. The company is grossly negligent.

~~~
21
30 mil US accounts on FB were scraped using Mechanical Turk in an ingenious
way. No hacking was required.

I don't think that for many it matters if their data was obtained through
hacking or through legal means.

[https://theintercept.com/2017/03/30/facebook-failed-to-
prote...](https://theintercept.com/2017/03/30/facebook-failed-to-
protect-30-million-users-from-having-their-data-harvested-by-trump-campaign-
affiliate/)

~~~
ggggtez
You don't have your social security number and loans on your Facebook profile
(or maybe you do). However whatever you put on Facebook was your choice.
Nobody "posts" to Equifax.

~~~
21
I agree with you, but things are changing. Facebook can create a shadow
profile on you, friends can tag you into pictures without your consent, when
you delete data it will still remain in Google caches and you will need to
individually request removal for each URL, because it won't automatically
remove them if the original page from FB is gone.

------
traviscj
Seems like there's a (difficulty/physical file size)/(profit or
effort)*(likelihood of success) score that matters in these things: a terabyte
of credit card numbers (alone) would be 62.5 billion card numbers, but a
terabyte of facebook chat messages/private pictures is some small fraction of
data. It'd be much easier for O(20 MB) to move off the network than O(500 GB).
The former can be profitably resold, while the latter requires a careful
search to find high value data (e.g. pictures like the fappening, I guess?)
and no foolproof profit mechanism. And the sheer size brings other problems
like how to store it and how to exfiltrate it and deal with it without being
noticed. And of course, if you ARE good at all of the above, why not give in
to a chill life in SF instead of a "life of crime" and all the
volatility/violence/cloak-and-dagger that goes with it?

Not saying a Facebook/Google data breach isn't terrifying -- it certainly is,
and the privacy implications are indeed upsetting -- but the profitability
path is just not as clear.

The "Russian propagandists" angle from the article is interesting, but seems a
bit separate from the "FB has a shitload of data on people" problem. It's
basically using the ad/social aspects of the service as designed: changing
people's perspectives on something you want them to feel differently about.
(Albeit aimed at a different target!) Not sure how to solve that problem.

~~~
21
What's the value of a credit card number? It can quickly be changed and you
would be hard pressed to exploit a billion of them at the same time.

What's the value of a psychological profile built from FB data? People say
Trump won the election because Cambridge Analytica built a psychological
profile of most Americans and targeted them with customized propaganda.
Probably an exaggeration, but it's early days. This will only get better. Can
you make your psychological profile invalid the same way you can change your
credit card number?

~~~
ben_w
> you would be hard pressed to exploit a billion of them at the same time.

Really? A billion automated orders for something, followed by the banking
system having a metaphorical heart attack and either cancelling lots of/all
cards (breaking normal usage until the card printers can catch up), or few/no
cards (and risking further, directly exploitable, fraud)?

Sounds like a potent way to successfully fight a nation-state from a coffee
shop.

------
solomatov
People don't understand why it's dangerous because such hacks are what Taleb
calls black swans. They are really rare, but their results might be
catastrophic in unforeseen ways.

Those who think that Google and Facebook have harmless data compared to
Equifax, imagine what criminals might do with all your information located
there to target you. Add here AI technologies, like NLP and speech synthesis,
and it gets really scary. Think about a massive but at the same time highly
targeted social engineering attack abusing all this information.

We should not allow this to happen and it's better to prevent it now, not
after the moment such attack happens. Markets won't solve this problem due to
rarity of such events. Only legislation can help here.

~~~
solomatov
Marc Goodman wrote a book on this: [http://www.futurecrimesbook.com/bios/marc-
goodman](http://www.futurecrimesbook.com/bios/marc-goodman)

He has a TED talk about the same topic:
[https://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in...](https://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in_the_future)

------
program_whiz
I think that the US gov has not yet realized the full potential danger of data
exposure. The best thing is to plan for these disaster scenarios like you
would pandemics, wars, and natural disasters. There should be strong
regulations, a set of protocols, a way to mitigate these situations.

Understandably, the government is way behind on this issue, still seeing the
digital information (especially on social media) as secondary or less
important.

I think it's the type of thing that, as with banks, slowly evolved, where security
got higher and higher, FDIC was established, bank vaults improved, alarming
improved, money tracing was implemented. We aren't there yet for cyber crimes.

~~~
singularity2001
I think the people have not yet realized the full potential danger of the US
gov abusing our data.

~~~
dsfyu404ed
The danger is basically a nonrepudiation problem.

Look at all the finger pointing after Trump was elected. It was Hillary's
fault. It was Bernie's fault. It was the Dem's fault. Trump was what people
wanted. It was the Russians. It was Facebook. It was the MSM. All this is just
for an election.

Assume someone does use the massive data stores of Google or FB to do
something bad. How can you even identify that that happened? How can you
identify malicious actors and the incompetent ones?

~~~
program_whiz
That's sortof like in the old days when someone robbed the bank, you had no
way to even identify them if they were masked. If they travelled far, you
couldn't find them, no cross-state warrants. Also, they would rip off the
traveling gold wagons and make off with untraceable gold they could melt and
split for money.

In those days, the idea of tracing or catching these criminals would have
seemed nigh impossible. I'm sure with enough brain power, lost billions,
corrupt elections, and casualties, we'll come up with something sooner or
later to mitigate the issues.

~~~
dsfyu404ed
Learn the history of the FBI.

Catching cross-state criminals came with its own set of trade-offs for
society.

------
mooman219
I don't understand why people villainize Facebook and Google so much. If
anything, they've done a fantastic job at data security. They explicitly hire
security engineers and even offer bug bounties for potential issues, treating
security as a priority.

I mention this all the time: What scares me is companies in the wild that
consider security as a burden rather than something core to their business. We
see companies even actively punishing people for finding issues in their
software and going through responsible disclosure. This sort of response
should be outlawed.

Equifax's breach is just a drop in the bucket compared to all the other
breaches less well-known companies experienced in the past. Like hey, some
obscure pay system at Home Depot got hacked and someone stole my credit card,
but fuck Google for tracking me online. We have this "too small to care"
mentality about these businesses committing horrifying security transgressions
until it's too late.

------
eveningcoffee
No, both are bad and we should not forget either of them.

------
samfisher83
As far as I know google/Facebook doesn't have my SS number, DL number,
etc. I would be more worried if they hacked my bank account etc.

~~~
solomatov
Are you sure that you don't have your SS or DL number somewhere on google or
Facebook? Your accountant might have sent you your tax return in pdf via email.
You might have taken a picture of a document where your SSN appears.
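A practitioner's version of that check, as an added example that is not part of this thread and not any Google or Facebook tooling: a small scanner that walks a mailbox export, finds SSN-shaped tokens, and applies the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) so that phone and account numbers are not reported as hits. The message names and contents in SAMPLE_MAILBOX are constructed sample data, the two dummy numbers are well-known never-issued SSNs used in advertising, and the decision to skip unformatted nine-digit runs is an assumption made here to keep false positives down.

```python
import re
from typing import Dict, List, NamedTuple

# SSN-shaped token: AAA GG SSSS separated by '-' or ' ', with the *same*
# separator in both positions (backreference \2) and no digit on either
# side. Unformatted 9-digit runs are deliberately skipped (assumption: they
# are far more often account or phone numbers than SSNs).
_SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ])(\d{2})\2(\d{4})(?!\d)")

# Never-issued numbers that show up on sample forms and in advertisements;
# treated as noise rather than findings.
_KNOWN_DUMMY = {"078051120", "219099999"}


def is_plausible_ssn(digits: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999, group 00 and serial
    0000 are never assigned. Returns True only for a 9-digit string that
    passes every rule and is not a known dummy number."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return digits not in _KNOWN_DUMMY


class Finding(NamedTuple):
    source: str    # message or attachment the hit came from
    masked: str    # last four digits only, e.g. ***-**-6789
    context: str   # surrounding text with the SSN masked, for triage


def scan_text(source: str, text: str, window: int = 20) -> List[Finding]:
    """Return one Finding per plausible SSN in `text`; never stores or
    returns the full number, only a masked form."""
    findings: List[Finding] = []
    for m in _SSN_RE.finditer(text):
        digits = m.group(1) + m.group(3) + m.group(4)
        if not is_plausible_ssn(digits):
            continue
        masked = "***-**-" + digits[5:]
        start = max(0, m.start() - window)
        end = min(len(text), m.end() + window)
        context = text[start:m.start()] + masked + text[m.end():end]
        findings.append(Finding(source, masked, context.replace("\n", " ")))
    return findings


def scan_mailbox(messages: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Map each message name to its findings, omitting clean messages."""
    report: Dict[str, List[Finding]] = {}
    for name, text in messages.items():
        hits = scan_text(name, text)
        if hits:
            report[name] = hits
    return report


# Constructed sample mailbox (not real messages or real SSNs).
SAMPLE_MAILBOX = {
    # one valid-looking SSN, one with an area in the never-issued 900 range
    "accountant_2016_return.txt":
        "Hi, your 2016 return is attached. Taxpayer SSN 123-45-6789, "
        "spouse 987-65-4320. Let me know if anything looks wrong.",
    # space-separated form; the licence number must not be reported
    "hr_onboarding.txt":
        "Please confirm: SSN 123 45 6789 and driver licence D1234567.",
    # unformatted 9-digit account number and a date: no findings
    "vendor_invoice.txt":
        "Invoice 20170911, amount 1234.56, account 123456789.",
    # a known dummy SSN and a phone number: no findings
    "newsletter.txt":
        "Our sample W-2 uses 078-05-1120; call 1-800-555-0199 for help.",
}

if __name__ == "__main__":
    for name, hits in scan_mailbox(SAMPLE_MAILBOX).items():
        for f in hits:
            print(f"{name}: {f.masked}  ...{f.context}...")
```

Run as-is it reports exactly two messages (the accountant's return and the HR form), each with a single masked hit, and stays silent on the invoice and the newsletter. A real scan would also open attachments (the PDF case the comment mentions) and run OCR on images, but the plausibility filter and the masking-before-reporting rule are the parts that keep such a scan from becoming a second copy of the data it is looking for.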

------
didibus
The vast majority of people have nothing very precious to lose to text message
leaks, or even photo leaks, but they do have a lot to lose credit wise and
financially from identity theft.

Seriously, I'm open for arguments, but the data Google has on me is definitely
not as risky. Maybe I'd lose some pride, but not money and financial power.

And let's be real, the problem is that government and financial institutions
don't use secret passwords, but only ids to authenticate you. That's where the
change needs to happen.

------
jayess
I'm becoming more and more convinced that Facebook is simply an _evil_
company, and Google isn't far behind.

------
wodahs02
Yes and no. FB and Goog don't have your most important data. Equifax has
EVERYTHING that is core to your being.

~~~
ghughes
It's the other way around.

------
AzzieElbab
Oh man! Why google and not your government, bank or health care provider?

------
bukgoogle
It's more than terrifying me.. absolutely hate both

------
xtracerx
Why does it feel like there is a barrage of propaganda being published against
tech companies right now?

~~~
jacksmith21006
Think it is pretty clear there is. Now for what purpose and whom? Is it to
create more distrust in the US? Is it to try to get us to destroy ourselves
from within?

~~~
notacoward
Some of it might be related to partisan politics, in which these organizations
play an increasingly important role. Some of it might be competitors or would-
be competitors. A pretty fair bit, especially here, is likely to be sour
grapes and tall poppy syndrome. Some people feel _they_ deserve those
billions, and are extremely bitter toward those who actually succeeded.

------
s73ver_
Do they? Cause Equifax has my financial info. Facebook and Google know that I
like cat videos.

~~~
SilasX
Google knows everything you searched for. Hope you never looked up an AIDS
test.

~~~
s73ver_
That's still not on the level of what Equifax has. Honestly, no one else is
going to care if I did do that. Evil hackers aren't going to be able to use
that info. Stuff in my credit report, however...

------
TheRealPomax
How about "Don't you dare forget Equifax, and Google and Facebook are even
worse"? Bloomberg's gotten really annoying with their clickbaity titles this
year.

