
We’ve lost control of our personal data, including 33M NetProspex records - user7878
https://www.troyhunt.com/weve-lost-control-of-our-personal-data-including-33m-netprospex-records/
======
sathackr
I've stopped giving my information to entities that don't need it.

I use fake account information where it is legally permissible and the system
is requiring some input to proceed.

When I get asked for my phone number, zip code, email addresses, etc. at
checkout in stores, I give a polite "no thank you", which usually results in a
huff and/or an eye roll from the cashier, as if I'm expected to give this info
for the privilege of shopping there.

If the information sources dry up or are of sufficiently low quality, the
market value is significantly reduced, as would be the incentive to collect
and store such information.

~~~
vijayr
There is this big electronics store in NYC - I bought something small
(batteries or something) and at the checkout, the cashier refused to bill me
unless I gave my phone number or email. When I asked why he needed that info,
his answer was "so we can verify when/if you return the product", and he had
no answer when I said "that is what the bill is for, isn't it?". Unwilling to
hold up the line, I left without purchasing anything.

Point is, _no one_ before me had issues with giving that info, no one bothered
to ask. Unless many people start asking questions, nothing will change, and I
don't think most people care.

At the high school level, kids should be taught topics like privacy, civil
rights, etc. That might help at least a bit.

~~~
freehunter
I had the same experience at Harbor Freight. They needed my zip code in case I
needed to make a return. I said "that's what the receipt is for...?" and she
persisted so I gave her the zip code for the part of town the store is in.

Zip codes are often associated with social and economic status and Harbor
Freight is in a _really_ bad zip code. I wasn't about to tell everyone
standing in line that I was getting in my $100k SUV and driving to my $500k
home in the suburbs after they hear my zip code (none of that is true but
that's what you'd expect from the city I live in compared to the city I was
shopping in).

~~~
ryandrake
Honest question: What could Joe Random, standing in line behind you wanting to
buy his crescent wrench, possibly do with your zip code?

I consider myself a privacy nut but zip code is not something I care to get
bent out of shape over. Give a fake one and move on with your life.

~~~
surge
Follow you to your car (because you're on the rich end of town), hit you with
the crescent wrench, take your stuff.

~~~
freehunter
Yup. Expensive zip code means a car with expensive stuff inside of it, and
papers that show a house full of expensive stuff that has no one home right
now (because the rich owner is out shopping).

~~~
vkou
Why not just drive out to the expensive zip code, and rob the first house that
looks empty? Why rob the guy who just bought a thing at the store you're at?
What makes him a better target than his neighbor? Or any random house in the
area? Who actually burgles when they know people are home?

Are you really surrounded by thieves and killers, and the only thing keeping
you safe is that they don't know that you live in a rich part of town?

They know where the rich part of town is... Right?

~~~
kbenson
> Why not just drive out to the expensive zip code, and rob the first house
> that looks empty?

Presumably because police presence is less, or at least busy, in the less
expensive zip code. There isn't just more crime in less affluent areas, it's
rampant!

> Are you really surrounded by thieves and killers, and the only thing keeping
> you safe is that they don't know that you live in a rich part of town?

According to the news, yes, but even that expensive part of town is just a
"you won't believe where" teaser away from being right next to you!

In all seriousness, as rational as you consider yourself, it's still an uphill
battle against the signals we are bombarded with telling us about all the
crime and suffering around us. Humans are great at finding and internalizing
patterns from signals, and the pattern here isn't hard to see; the world is
getting scarier and scarier every year. Doesn't matter if it's true or not,
that's still how it _feels_.

------
jacquesm
I am aware of one EU entity that sits on a mountain of such data (and much
worse, in fact) with very little in terms of security.

I'm simply waiting for the day when there will be a hack like this on the
European continent; it's scary what sits in lightly protected databases,
especially if you consider the probable sources of data like this and that -
at least in Europe - it would be illegal to create such a DB without the
consent of those whose information is stored in it.

"We've lost control" is the perfect way to describe things.

~~~
ransom1538
I am simply waiting for the github hack. This will be a disaster of epic
proportions. The crown jewel.

~~~
overcast
Yep, that will be the internet crusher.

~~~
estro
How so? I'm genuinely curious.

~~~
overcast
Access to all private Github repos??

~~~
JBiserkov
And all the keys/passwords stored there!

~~~
lsaferite
I was about to say "who in their right mind stores PW info in github?" before
I realized I've worked on several projects that do just that. Crazy decisions,
but at least as a small mitigation, all that PW data needs access to a VPC to
be useful, and that access isn't part of GitHub. Still not good practice by
any means.

Having come up working on classified systems, it pains me greatly to see such
lax security.

------
inthewoods
Recognizing that my comment here is unrelated to the central question around
whether companies should have this data, the irony for NetProspex (and the
hundreds of other companies in the same business) of this kind of data
availability is that it results in a lot of cold emails and phone calls that
largely go ignored. Thus, as the data has become more widespread, it has
become less valuable. Buying a list of people to contact, in my experience, is
like throwing money in the trash.

~~~
grp
... and is _good_ when you are the trash...

------
marktangotango
Awesome advertisement for netprospex, a lot of people would pay a lot of money
for that data. I'm sure their phones are ringing off the hook this week. I'm
sure this is unintended, but that's the reality as I see it.

~~~
ycombinete
I guess that _native advertising_ is effective regardless of intention.

~~~
freehunter
Native advertising is _very_ effective. I run a local lifestyle brand as a
side project and native advertising is the only type of advertising we have. I
even put "_Sponsored Content_" and "_We were invited to eat at this
restaurant in exchange for a review_" and I've still had people comment that
they don't know how we can afford to do all of this stuff and we don't even
sell anything or have ads! People don't make the connection between "sponsored
content" and "advertising", or catch on to the fact that we get basically all
of our stuff for free (at worst) or that we're actually paid to write about it
(at best).

But I'm happy because no one visiting my site is getting a virus from shitty
third-party ads.

~~~
username223
Do you say "in exchange for a review," or "in exchange for a positive review?"
There's a reason newspapers' editorial and advertising departments are
separate.

~~~
freehunter
My contracts with local businesses do not guarantee a positive review. Usually
the agreement is along the lines of "have to write so many words with so many
pictures and mention the article on X, Y, and Z social media outlets X number
of times over the course of Y many days", but I and my other writers reserve
the right to say whatever we want to say in that article.

Obviously it's bad for business to badmouth stuff we got for free, so we're
actually pretty picky about what we accept. If I don't like eating at a
restaurant, I won't accept free stuff from them on behalf of the business.
I've been offered services by a hair salon in town but it doesn't line up with
my demographic so I won't accept the contract because I wouldn't want to write
about them. I've turned down two offers from the local bowling alley because
I'm not going to have much nice to say about it.

But no one is guaranteed to get a good review. I've written some reviews I
would describe as "hopeful", in that "I'm hopeful they'll get better soon"
mostly with regards to brand new restaurants where the kitchen is still
finding its groove. Everything that I write is my opinion and is clearly
marked as such, even while it's also marked as something I was given for free
in exchange for my honest opinion.

~~~
username223
> I've turned down two offers from the local bowling alley because I'm not
> going to have much nice to say about it.

To maintain your credibility, you should review it pro bono; for bonus points,
note that they previously tried to pay you twice. Otherwise it would be honest
to clearly disclose that you mostly/only write positive reviews, albeit via
selection bias rather than outright lying.

I've written product reviews before, always either for stuff I bought or stuff
received via an intermediary (i.e. X sends me Y's thing, I send my review to
X). The whole "sponsored content" model makes me long for the days of flashing
banner ads.

~~~
freehunter
Oh don't worry I have a whole section linked in the header that lists out our
advertising policy so readers can see the same terms I offer to sponsors. It
even details my "anti-clickbait" policy where my headlines are guaranteed to
be descriptive. I also do a lot that I don't get paid for and is not marked as
sponsored content. Again on those I don't go negative, whether I'm being paid
or not, whether I've been asked to write something or not. There's just enough
negativity in the media that I don't want to contribute to that: what I'm
selling is the way I want my city to make people feel. You should be happy to
live here, let me show you how that's done. I'd link you to it so you could
see all the details but it's personally identifying right down to my first
name and the street I live on in my city, so I'm not comfortable linking my HN
name with that.

It's funny to me that whenever I mention this side project on HN it always
gets a lot of interest from people wondering if I'm being honest to my readers
and giving advice of how I can be more honest. Guess it goes to show that
there isn't a lot of honesty left in this world.

~~~
username223
> There's just enough negativity in the media that I don't want to contribute
> to that... I'd link you to it so you could see all the details but it's
> personally identifying

I respect that. But 90% of everything is crap, and this is a forum created to
worship shameless hustling. Negative reviews are important.

------
bambax
> _CSV file containing JSON data_

Wat?

~~~
BoorishBears
_JSON Object,JSON Object,..._

I guess? Maybe the records were exported one at a time and formatted for Excel
vs. in an array for programmatic access.

~~~
madenine
That's the usual context where I see it. Often ends up with CSVs where you have
columns of the data people are interested in and one column containing all the
metadata bundled up in JSON as a string.

It's not great to work with.
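As an added example (not code from anyone in this thread), here is a small parser for the CSV shape described above, where each row carries a few plain columns plus one column holding a JSON object as a string. The sample data, the `metadata` column name and the field names inside the JSON are constructed assumptions; the point is the double-quote escaping CSV applies to embedded JSON, and keeping rows whose JSON is broken rather than dropping them during triage.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample in the shape discussed above: plain columns up front,
# everything else bundled into one JSON-as-string column. CSV quoting
# doubles the JSON's own double quotes, which is what trips people up.
SAMPLE_CSV = '''email,company,metadata
alice@example.com,Example Corp,"{""title"": ""CTO"", ""phone"": ""555-0100""}"
bob@example.com,Example Corp,"{""title"": ""Engineer"", ""linkedin"": ""example.com/bob""}"
carol@example.net,Other Ltd,"{not valid json"
'''

def parse_records(text, json_column="metadata"):
    """Parse CSV rows and decode the JSON blob column into a dict.

    Rows whose JSON fails to parse are kept, with the raw string under
    '_raw' and an '_error' marker, so a review pass does not silently
    lose records.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row.get(json_column, "")
        try:
            decoded = json.loads(raw) if raw else {}
            if not isinstance(decoded, dict):
                decoded = {"_value": decoded}
        except json.JSONDecodeError as exc:
            decoded = {"_raw": raw, "_error": str(exc)}
        row[json_column] = decoded
        records.append(row)
    return records

def field_inventory(records, json_column="metadata"):
    """Count which keys occur inside the JSON column across all rows.

    When assessing what an export actually exposes, the plain columns are
    obvious; the JSON column is where the extra personal fields hide.
    """
    counts = Counter()
    for rec in records:
        counts.update(k for k in rec[json_column] if not k.startswith("_"))
    return dict(counts)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for r in recs:
        print(r["email"], r["metadata"])
    print(field_inventory(recs))
```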

------
Corrado
I got a warning this morning from HaveIBeenPwned and this article was in the
breach email. Considering the current US political environment and the recent
article by Tim Berners-Lee, this spam list is extra scary.

------
joshpadnick
I believe our current paradigm for how data is stored is fundamentally broken.
The author is right that when you choose to use a service you have no real
control over how they use your data. Frankly, companies aren't even
accountable to uphold their own privacy policies since no one actively
monitors them (except perhaps in the context of HIPAA, PCI, etc.)

What I'd love to see is a marketplace of "personal data banks" that would work
like this:

- The bank maintains an isolated database of every major database vendor. The
databases are isolated to a single consumer.

- The bank exposes API endpoints of every major database to companies like
Facebook or new SaaS startups. Those companies now agree -- when requested --
to write your data not to their private database but to the bank's database
that is private to you.

- You, the consumer, pay the bank a modest monthly fee to control who can
access that data, and even optionally cut off access to the original
"generator" of data.

I guess this still suffers from the need to trust that Facebook is abiding by
your request that all data be written to the bank, and network latency becomes
a real issue. So maybe it's not the right business model, but it's an
important problem to solve.

~~~
hardwaresofton
Taking that one step further, maybe if someone wrote that kind of tool,
basically an API for your personal data that you can run locally, maybe they
could scale it up to what you're describing?

It would require a massive paradigm shift in how the internet works in
practice, but imagine a world where:

1. You sign up for some new social network/thing that requires your data

2. You point it at your own personal (or hosted) info server

3. The service promises (or the terms of use of the personal info server
stipulate) that the data should never be stored longer than the lifetime of a
relevant transaction

4. The social network queries your data maybe once a day (or more depending
on whatever kind of work it does), announces itself, and can be cut off when
you want.

Of course, things don't sell these days with just privacy, but there's some
upside to a service like this, ironically due to its centralization -- you
could sell the user on "only enter your address/personal/credit card info
once, have it available everywhere with one click, no long login forms".

------
dwightgunning
From a writing point of view, I found it an interesting choice to simply use
"author" instead of "Tim Berners-Lee" when attributing the quote in the
opening paragraph. Surely dropping TBL by name would give more immediate
credibility and encourage the reader to continue.

~~~
kitd
OTOH, leaving it til after encourages the reader to reassess their initial
reaction to the quote.

------
brazzledazzle
I think I've finally found the source of my constant influx of spam. It won't
fix the downstream sources like resellers but at least I can ask Netprospex to
remove me. But since they aren't the ones directly spamming me do they have to
comply?

------
jerianasmith
I too firmly believe that Privacy should score higher than business interest.
If you do not wish to share such information, a polite "NO, Thanks" is much
better.

------
EGreg
I wrote on this same topic a few years ago, might interest some:

[http://magarshak.com/blog/?p=169](http://magarshak.com/blog/?p=169)

------
jgalt212
I fail to see the difference between PII for expensive purchase (NetProspex)
and PII for cheap purchase (River City, and whoever else is using the stolen
data for gain).

~~~
josephcooney
The type of people that make expensive purchases (and therefore probably have
more money) might be a more attractive target to criminals.

------
devy
Pretty sure recruiters are mining this kind of data as well.

------
shamaku
At some point we will have to trust our fellow men. The sooner the better for
all.

~~~
nilved
That is never going to happen.

