
Stop Saying, ‘We Take Your Privacy and Security Seriously’ - samaysharma
https://techcrunch.com/2019/02/17/we-take-your-privacy-and-security-seriously/
======
emilis_info
Also stop saying "Before you go further..." we need to share your data with
tens of corporations. /s

Note to non-EU users: Techcrunch is completely blocking the page with a popup
asking me to share my location and behavioral data (for advertising purposes)
with a probably very long list of companies (something called "Oath" family).

The logos shown are for Yahoo, Aol, Autoblog, Huffpost and Engadget.

Nah. I'll skip as always :D

~~~
jannes
Just disable 1st-party scripts and 3rd-party scripts in the uBlock Origin
popup for techcrunch.com and that modal should not appear anymore.

[https://prnt.sc/mo26b4](https://prnt.sc/mo26b4)

~~~
tonyedgecombe
Or even better, don't visit techcrunch.com.

------
atoav
Say it, when you do. Say: _We take your Privacy and Security seriously that is
why we won’t ever store a tracking cookie on your machine. If you still want
to support us by different means, click here_

Anybody who takes your privacy seriously won’t even have to ask for consent,
because there is nothing to ask for

~~~
vntok
Tracking cookies provide incommensurable value to site owners for improving
the quality of their web properties, which ultimately benefits users.

Examples abound: finding out where people are the most frustrated (high exit
rates), what content drives the most interest (page views), what content is
missing or inaccurate (high bounce rate and low visit duration for visitors
coming from Google), how they are using the site (browsing patterns from page
to page), etc. etc.

Preventing all forms of tracking will definitely result in lower quality
websites across the board, so like with all things there has to be a middle-
ground found.

~~~
atoav
While I understand the need for reliable and granular information on your
users, it should technically be possible to get most of that without selling
your users off to third party services whose practices you never checked for
yourself.

Furthermore it should be possible to sell ad space without directly embedding
potentially malicious stuff from foreign whose content might change on such a
granular level even you as the site owner cannot verify what is served to your
visitors.

It is possible to use webfonts without loading them from foreign servers.

It is possible to verify real users without training the AI models of
monopolist webcompanies.

It is possible to link to your Facebook page without embedding a Facebook
tracker in an icon.

It is possible to get comments without giving these to other parties.

These are all decisions you take when you decide whether you _really_ value
your users' privacy.

Of course sometimes you don’t have much of a choice, but I saw sites which
decided against all points raised above, and list about 30 trackers that are
enabled per default and _still_ claim they value their users' privacy. So not
only do you not value my privacy, but you also lie to me.

I avoid sites like these like the pest and will close that tab before reading
anything.

~~~
majewsky
> It is possible to verify real users without training the AI models of
> monopolist webcompanies.

Honest question: How?

~~~
kilburn
I'm pretty sure that "verify real users" was about captchas. Solving that
problem in general is probably impossible, I grant you that. However, reaching
a good-enough solution for a particular site is often doable.

In increasing order of strictness and complexity:

- Use hidden/visible field shenanigans

- Ask questions your audience should be able to answer (chess-captchas, maths-questions, etc.)

- Require registration with e-mail validation

- Require registration with SMS validation

- Make that part of the site invitation-only

- Use some kind of trust-based system (_e.g._: users can invite other users)

- Manually approve stuff

- Ask for ID scans and manually check them

- Combinations of the above

Unless you are a juicy enough target (not many sites are), just a few measures
will get you to that good-enough point. Of course, implementing any of the
above will be harder than slapping a recaptcha and calling it a day ;)

~~~
jimmy1
If you can think of it, someone can make a computer automate it.

~~~
atoav
Sure. On the other hand, I run a blog with a simple to answer question for
multiple years now and I didn’t receive a single Spam comment that wasn’t of
obvious human origin.

Once that stops working I can bump it up a notch.

------
resonanttoe
This is slightly off topic and relatively minor, but man does it represent the
piss poor state of Tech writers and their articles.

"I was curious how often this go-to one liner was used. I scraped every
reported notification to the California attorney general, a requirement under
state law in the event of a breach or security lapse, stitched them together,
and converted it into machine-readable text.

About one-third of all 285 data breach notifications had some variation of the
line."

Don't bother providing a link to either your data source or your code, the
ability for someone to independently verify the validity of this claim and its
results isn't important, we'll just "trust" you.

~~~
Ensorceled
I don't know of any journalism source that would do better than what you just
quoted. They explained their source and their methodology. If you think they
are lying it's not extremely hard to prove it, but why are you assuming they
are lying?

~~~
TeMPOraL
If they cared about informing the reader, they would link to the source, so
that interested readers could explore the topic further. It's as simple as
that.

------
dalbasal
The ironies of reading articles about the pathologies of the 2019 digital
economy are... well...

The publications where you might read about the problem are likely
contributors to it.

From the EU, before you read about companies abusing your privacy you first go
through their "consent" page, maliciously designed to prevent readers from
preventing "the Oauth family" from giving whatever data they can get on you to
advertisers.

Then you get to read the article:

"_I’ve never understood exactly what it means when a company says it values
my privacy. If that were the case, data hungry companies like Google and
Facebook, which sell data about you to advertisers, wouldn’t even exist._"

... TC's modus operandi & business model appears to be the same.

On many occasions I have read an article bemoaning fake news that was framed
by "native ads," pretending to be articles, and promoting fake science (one
weird trick), apocalypse cults and worse.

~~~
foxes
ublock origin reports 13 blocked requests on the very same page. This includes
requests to facebook and google for tracking.

------
scotty79
‘We Take Your Privacy and Security. Seriously.’

~~~
tyfon
That statement has become my no. 1 cue to leave the site immediately, or
rather the "We value your privacy".

Yeah, you value it so much that you sell it on because it is actually
valuable.

I wonder what the tracking cookies show about bounce from those messages..
Probably not a lot but.

Edit: Oh I misread the OP.. We _take_ your privacy and security! _laughs_

------
kkm
A lot of companies are shooting themselves in their own foot by sharing critical
data with a plethora of third-parties.

They put sensitive information like username, orderid in the URL which is then
shared with all the third-parties on that page, simply because referrers are
not sanitized.

This happens:

- Without user-consent

- More dangerously without the companies knowing it too.

On reporting, the companies do not want to fix these issues.

Shameless plug: You can find some of such cases, which I've been trying to
highlight to the companies:

- [https://medium.freecodecamp.org/how-airlines-dont-care-about...](https://medium.freecodecamp.org/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b)

- [https://threatpost.com/def-con-2018-telltale-urls-leak-pii-t...](https://threatpost.com/def-con-2018-telltale-urls-leak-pii-to-dozens-of-third-parties/134960/)

- [https://cliqz.com/en/magazine/lufthansa-data-leak-what-a-sin...](https://cliqz.com/en/magazine/lufthansa-data-leak-what-a-single-url-can-reveal-about-you)

- [https://fosdem.org/2019/schedule/event/web_extensions_exposi...](https://fosdem.org/2019/schedule/event/web_extensions_exposing_privacy_leaks/)
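
The referrer leak described in the comment above can be checked mechanically. The following is an added example, not part of the original post or of any linked write-up: it computes the `Referer` value a browser sends under a given `Referrer-Policy` and lists the third-party hosts that would receive sensitive query parameters. All URLs, hosts and parameter values are constructed for illustration.

```javascript
// Added example (not from the thread). URLs and parameter values are constructed.
const SENSITIVE_PARAMS = ["username", "orderid"]; // the two fields the comment names

const SAMPLE_PAGE =
  "https://shop.example/order/status?orderid=A1234&username=jdoe#top";
const SAMPLE_REQUESTS = [
  "https://shop.example/static/app.js",    // first party
  "https://cdn.tracker.example/pixel.gif", // third party
  "https://ads.example.net/tag.js",        // third party
];

// Referrer stripping: credentials and fragment are never sent;
// originOnly additionally drops path and query.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return originOnly ? u.origin + "/" : u.href;
}

// Referer value a browser sends for requestUrl loaded from pageUrl, or null.
// Simplification: a "downgrade" is an https page requesting a non-https URL.
function refererFor(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  const full = stripForReferrer(pageUrl, false);
  const origin = stripForReferrer(pageUrl, true);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error("unknown policy: " + policy);
  }
}

// List third-party hosts that receive sensitive parameters via Referer.
function auditLeaks(pageUrl, requestUrls, policy) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const requestUrl of requestUrls) {
    const target = new URL(requestUrl);
    if (target.origin === pageOrigin) continue; // first party already has the URL
    const referer = refererFor(pageUrl, requestUrl, policy);
    if (referer === null) continue;
    const params = new URL(referer).searchParams;
    const leaked = SENSITIVE_PARAMS.filter((name) => params.has(name));
    if (leaked.length > 0) findings.push({ host: target.host, leaked });
  }
  return findings;
}

// Long-standing browser default vs. a restrictive policy set by the site.
console.log(auditLeaks(SAMPLE_PAGE, SAMPLE_REQUESTS, "no-referrer-when-downgrade"));
console.log(auditLeaks(SAMPLE_PAGE, SAMPLE_REQUESTS, "strict-origin-when-cross-origin"));
```

A restrictive `Referrer-Policy` only covers the header; scripts embedded in the page can still read `location.href`, so keeping identifiers out of URLs remains the more complete fix.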

------
lagadu
Ohh something related to my area! I work with security/data management and
often I get to have access to client organizations for a variety of reasons;
most of our clients are banks, pharmaceuticals and pension funds, among
others.

"We take your privacy and security seriously" from some rando company doesn't
even make me roll my eyes because of how desensitized I am to that whole
concept. It's genuinely appalling how often banks have no clue of who has
access to what data inside their organization: tons of people having accesses
they shouldn't and nobody keeps track of it? Of course. Database copies stored
in random hard drives sitting on tables? Why, naturally! Attestation
processes? What's that? We're not talking about small entities either. These
people would be years away from something not too hard like an iso27001
certification.

In short: all of our data is in an incredibly precarious situation and we're
fucked forever. I don't get outraged at leaks nowadays, I just laugh at it.

edit: interestingly enough, in my experience pharmas care far more about data
security than banks do (I assume that is because they have more shit to hide).

------
nightcracker
You enter a coffee shop. Before you can do anything, the owner takes a photo
of you, and grabs your hand to take your finger print. He quickly writes down
the date, time and what clothes you are wearing.

He gives you a smile as he starts his speech. "Before we continue, we at
Coffee City want you to know we deeply value your privacy. We need your
permission to store your information, improve your coffee experience,
personalize your coffee suggestions and share it with our partners. Do you
consent?"

You don't fucking value my privacy. I get some serious doublespeak vibes. If
you valued my privacy you'd leave me the fuck alone and stop saving
information about me.

IMO GDPR doesn't go far enough. Even these popups are wasting my valuable time
and invade my privacy due to the ease it is to accidentally consent to some
stupid bullshit while navigating the 20 windows needed to reject all consent.

We should outlaw even asking for consent to store personal information for any
user that didn't log into your site. If I do not have an account with you, I'm
not your user, we don't have an extended relationship and you have no business
storing information about me.

~~~
winchling
The next time you stroll in he'll ask for your cellphone number. For security
purposes. If you don't want to provide it now you'll have to tell him that
you'll do so another time.

~~~
mattkevan
As you start drinking your coffee, a little shutter slides shut across the lid
of your coffee cup.

It'll only open if you create an account, log in and agree to every sip you
take being recorded and measured.

Sure, it's possible to prise the lid off manually or use a special shutter-
blocker, but you often end up with a broken cup. And coffee shop owners call
you a thief and find ways to thwart your blocker.

~~~
Casseres
Any Black Mirror episode writers here?

------
ardfie
Troy Hunt wrote about this a few years ago, with the pithy headline '“We take
security seriously”, otherwise known as “We didn’t take it seriously enough”'

[https://www.troyhunt.com/we-take-security-seriously-otherwis...](https://www.troyhunt.com/we-take-security-seriously-otherwise/)

------
OliverJones
I agree. The phrase "we take your privacy and security seriously" is an
inherent oxymoron; meaning the opposite of what it says.

I really like, and have copied, Tesla's note to security researchers.
[https://www.tesla.com/about/security](https://www.tesla.com/about/security)

I had to clean up one breach a few years ago. It was, gulp, a breach of HIPAA-
covered health info. We wrote to our customers saying

"We're sorry. We unintentionally sent your blahblah sheet to the wrong
hospital. We have spoken to the person at that hospital who received it and
confirmed that they erased your information. Again, we apologize. If you have
questions don't hesitate to call us at xxx-xxx-xxxx"

We could have blamed the third-party vendor who actually made the mistake.
We could have spewed oxymorons. But this message was successful and true:
nobody sued us and the govt didn't write us up.

The breach, admittedly, was only a few dozen records. It could have been much
worse.

A lesson for tech people: when you have a breach DRAFT THE PUBLIC STATEMENT
RIGHT AWAY so you can hand it to your executives and crisis PR people. That
way your company has a chance of doing it right.

------
BucketSort
Or at least put a crying face emoji after saying it.

------
ausjke
I must chime in on this subject.

To take a community college course, the online application form asks for
pretty much every piece of your info: birthday, SSN, family income, ethnicity,
future plans, current situation, home address, many personal preferences, phone,
email, immigration status, marriage status, gender, education background,
military background, job experience, you name it. Nearly all of them are
mandatory. Anyone who can get hold of this record pretty much owns you.

Why do they need all this for just taking a course that I'm going to pay by
credit card?

This is not uncommon in other areas. In the future we may need to provide our
DNA code as an attachment? Talking about privacy protection is a joke these days.

~~~
apostacy
About 7 years ago, I wanted to take some online classes with a community
college to get a few credits I needed at another institution. I enrolled in
classes, but then changed my mind and never paid the tuition.

I assumed, like most colleges, I would just be de-enrolled before the semester
started. Instead, they kept me in and sold my info to a collection agency!

I never gave them my credit card number or checking account info, but they had
my contact info and social security number. They hounded me for months and
made all sorts of fancy threats. But luckily they never seemed to be able to
add an entry on my credit report. I dropped it because I was hoping that it
was just an oversight and didn't want to fight it, but maybe they wouldn't
have been able to prove I purchased anything anyway.

I can't believe that if someone knows just your SSN only, they can put you on
the hook for massive amounts of debt. I only gave them a temporary address not
associated with me, and clicked through an EULA. I honestly assumed that I had
not yet committed to going into debt, just by creating an account.

And this is a state-endowed community college.

Do these seem like reasonable terms? [1]

    
    
      - By Registering for classes at SUNY Broome Community
       College, I acknowledge and agree to:  
       - Pay prompty all charges owned to SUNY Broome Community
       College.
       - Take responsibility for all costs of collecting unpaid 
       charges, including but not limited to collection agency
       fees, attorney fees, and court costs.  
       - Permit SUNY Broome and/or its agents to contact
       me using any method available including but not
       limited to the use of email, text and automated dialer
       systems; also any information furnished to SUNY Broome
       Community Colege may be used to contact me including my
       cell phone number, home number or work number.
    

(Sorry, don't know how to format a bullet list with long lines)

As soon as you enroll in classes, you're on the hook for $4500 + fees? I could
understand maybe not refunding certain fees, but I have never heard of a
college that just advances you that much money immediately, and then tries
collecting on it.

So some 17 year old could just sign up for classes, without ever confirming
anything or giving any payment info, and they are instantly in debt for over
$5000?

This was NOT a student loan I signed up for. No entry was made on NSLDS, and
the government never got involved. And no pull was made on my credit report.
As far as I can tell, they seemed to just be accepting anyone who enters a
social security number to sign up for classes, and then selling it directly to
a collection agency.

If I ever admitted to the collection agency that I _was_ in debt, maybe that
would have been enough for them to actually amend my credit report. It seemed
strange that they were willing to talk to me for hours, but I think they were
just trying to get enough info out of me and convince me to more explicitly
admit that I owed them money.

I imagine that if someone knows your SSN and wanted to harass you, Broome
Community College would be very useful for that.

So, yeah, there are some scammers out there you might not expect. And I can
see how all of that extra info I gave them could have been used to collect on
a very dubious "debt".

I also one time had a Blue Apron sales person at my campus give me a free
month of service, with no credit card required. After the first month, this
company called me and said they needed me to update my credit card info, but I
never gave them a credit card.

After looking into it, it turned out that the salesman had given them a
temporary credit card in my name so that he could get the referral fee.
Luckily all I got was a free month of meals when he scammed the company. But
the one-time email at my vanity domain that I gave the salesman started
getting phishing emails. But I'm pretty sure the salesman had permission from
the college to solicit to students.

[1]: [https://web.archive.org/web/20190221153507/http://www2.sunyb...](https://web.archive.org/web/20190221153507/http://www2.sunybroome.edu/financialaid/wp-content/uploads/sites/9/2017/06/Agree-to-Pay-Screen.pdf)

------
nkkollaw
LOL, not only does TechCrunch say that, but they also infest your session with
tracking cookies.

Hard pass.

~~~
Cypher
Reminds me when people say "It's not a pyramid scheme, it's an honest multi
level marketing career"

------
bitwize
It's right up there with "your call is very important to us" and "best of luck
in your future endeavors".

------
formatkaka
A question:

What is the privacy issue exactly about? I see regular posts on HN about it. Is
it about storing user-data on my end or sharing the user-data with third party
or not taking the user consent.

P.S. - Trying to understand the root cause because I work with a startup
building SAAS and would like to avoid such mistakes.

~~~
claudius
All of these.

Do not store user data on your end unless you absolutely have to.

Do not give user data to third parties unless you absolutely have to.

Do not do anything without the user explicitly or implicitly consenting to it.

Example: You have to momentarily store the user's IP address in order to serve
their request for a website. Remove the IP address as soon as you served their
request, because you don’t absolutely need it any more.

Example: You have to hand user data over to your ISP (and their ISP etc) in
order to serve their request for a website. Do not hand this data over to
Facebook, Google, your mum or anybody else, because you don’t absolutely need
to.

Example: If someone is visiting your website, it is fair to assume implicit
consent to the above two bits. However, if you provide a service where they
can store data on your server (e.g. Dropbox), you should inform the user on
how the data is stored so that they can sensibly consent to this (or not). So
if you’re storing data unencrypted, inform the user that this is the case. If
you’re storing data in your mum’s basement, inform the user that this is the
case. If you’re storing data in some country with strange laws, inform the
user that this is the case.

~~~
formatkaka
To make the product better, we require information about how the user
interacts with it.

What about if we:

1. Save data anonymously. OR

2. If we have to save some data, we give them an option to access what we have
saved. Something like 'Data Settings'.

~~~
claudius
1) Ask the user if they consent. If they don’t, let them continue using the
product and do not collect any data. Make both the "Yes, I consent" and the
"No, I do not consent" buttons equally large.

2) If they do consent, consider every individual part of data you save. Do not
save complete user sessions, instead, before doing anything, decide what you
want to test, which information you require to do so and then save only this
information. E.g. (using the example elsewhere) if you want to check how long
people stay on individual pages, collect a signal on each page how long the
user stayed on this page (and nothing else).

3) Anonymize the data as quickly as possible. For the example above, do not
store data for each user how long they stayed on each page. Instead, have one
counter per page which is incremented by the time the user stayed on the page
(and the individual time subsequently immediately discarded). This way you can
still figure out which pages are left early but you cannot tie this data to
any individual user.

4) If you want to look at individual user sessions, pay people to use the
website while you stand behind them (physically), do not collect data from
random customers.
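
Point 3 of the comment above (one counter per page, individual times discarded) can be sketched as follows. This is an added example, not code from the thread; it goes slightly beyond the comment by withholding pages with very few visits, since a counter fed by one visit still describes one person. `MIN_VISITS`, `MAX_DWELL_SECONDS`, the class name and the sample signals are assumptions made for illustration.

```javascript
// Added example (not from the thread): per-page dwell-time counters
// with no per-user or per-session records. Sample signals are constructed.
const MIN_VISITS = 5;           // assumed threshold below which a page is withheld
const MAX_DWELL_SECONDS = 1800; // assumed cap so one idle tab cannot skew a page

class DwellAggregator {
  constructor() {
    this.pages = new Map(); // path -> { totalSeconds, visits }
  }

  // Reduce a URL to its path: query strings and fragments can carry identifiers.
  static pageKey(rawUrl) {
    return new URL(rawUrl, "https://placeholder.invalid").pathname;
  }

  // Fold one signal into the page counter. Nothing about the sender is kept,
  // and the individual dwell time is not stored anywhere.
  record(rawUrl, dwellSeconds) {
    if (!Number.isFinite(dwellSeconds) || dwellSeconds < 0) return false;
    const key = DwellAggregator.pageKey(rawUrl);
    const entry = this.pages.get(key) || { totalSeconds: 0, visits: 0 };
    entry.totalSeconds += Math.min(dwellSeconds, MAX_DWELL_SECONDS);
    entry.visits += 1;
    this.pages.set(key, entry);
    return true;
  }

  // Average dwell per page, shortest first (pages people leave early).
  report() {
    const rows = [];
    for (const [path, { totalSeconds, visits }] of this.pages) {
      if (visits < MIN_VISITS) continue; // too few visits to hide an individual
      rows.push({ path, visits, avgSeconds: totalSeconds / visits });
    }
    return rows.sort((a, b) => a.avgSeconds - b.avgSeconds);
  }
}

// Constructed signals: [url as reported by the page, seconds on page].
function demo() {
  const agg = new DwellAggregator();
  const signals = [
    ["/pricing?ref=mail&uid=42", 10], ["/pricing", 20], ["/pricing#plans", 30],
    ["/pricing", 40], ["/pricing", 5000],          // 5000 is capped to 1800
    ["/docs/setup", 4], ["/docs/setup", 6], ["/docs/setup", 5],
    ["/docs/setup", 5], ["/docs/setup", 5],
    ["/account/delete", 60],                        // single visit: withheld
    ["/pricing", Number.NaN],                       // malformed: rejected
  ];
  for (const [url, seconds] of signals) agg.record(url, seconds);
  return agg.report();
}

console.log(demo());
```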

------
threatofrain
We take your privacy seriously is the kind of language you'd expect from a
company that doesn't want to make specific commitments. That company isn't
putting any skin in the game with that claim; every company claims that.

Therefore I am not surprised and won't be holding my breath.

------
cottsak
I just added security.txt to one of my sites. Great reminder!

------
jhallenworld
Weasel words. "That's a great question! Mistakes were made, it's a really hard
problem, but we're working on it."

------
arpinum
Spent 10 minutes trying to prevent TC / Oath from using my personal data. 5
clicks and proving I'm not a robot before reaching a privacy dashboard.
Except, to actually set my preferences to not track me I first need to agree
to tracking! And if I don't allow 3rd party cookies to track me I cannot
withdraw consent.

GDPR was meant to allow users to refuse consent without detriment, and not
to force consent to use the service. Oath clearly violates GDPR, yet
regulators have done nothing in 10 months.

------
Cypher
Also stop saying "We understand players' concerns with [AAA greed mechanic
here]"

------
jrockway
I read that as "we know you're mad" which seems accurate to me.

------
amelius
It's similar to "don't be evil".

