Show HN: I'll mail Equifax your arbitration opt-out for free (unarbitrate.org)
431 points by paulgb on Sept 9, 2017 | 87 comments

Kind of the guy to offer. I found it interesting thinking about the issue of trust, here. He's claimed to be a certain individual, linked to social media with a long history as a proof of identity, but still had to admit that you're basically hitting up a site to solve identity theft using a tool that might help cause you more privacy problems should the individual not be who he claims to be[0].

I hope the folks at Keybase notice this. It's a perfect use case. He's specifically pointed to his long social media history as a proof that should increase trust. Keybase would let him use their proofs feature to validate that he (well, his account) controls his twitter, that domain and web site[1], and his HN account. I can't think of a better way to reduce the "you can't really trust that I am who I say I am" problem he's struggling with.

Of course, this could be gamed just like every other method of authenticating identity, but it's a nice additional option.

[0] I'm not saying he's not or assuming he's malicious; I tend to err on the side of assuming the best in people.

[1] You can submit proofs for both.

What we lack, in my opinion, is a form of access control for static websites, such that they are disallowed from making any outgoing requests. The browser is in control of the site code; it should be possible to guarantee that no outgoing requests can take place. As far as I can see, it shouldn’t be difficult, but it’s possible I’m missing something — I assume the difficult part is just reaching agreement.

Perhaps it would be possible to permit outgoing requests where the URL is statically embedded in the HTML (such that the URL cannot depend on form data), thus allowing fetching e.g. remote CSS/JS resources.

Who would be the party who ensures the site is actually static and doesn't send data from the backend?

The browser handles requests to the backend, and would thus be the one in charge of not allowing requests in case the site enables this proposed “offline mode”. So all the browser would allow would be the initial, user-initiated fetch of the static site, whereas subsequent requests — initiated by the site itself — would be disallowed.

Isn't that basically CORS?

CORS stops you from contacting an external service that doesn't opt in. It doesn't solve the problem of having private data in the browser that you don't want it to send out, since it could contact an evil site that opts in to receiving messages from other web pages.

To implement something like the suggestion would require two phases - one where the page was loading/updating its cache from the remote service, but was unable to look at locally stored data, and another phase, where the user is able to log in and allow access to locally stored data. Once transition has been made to the second phase network access would not be allowed. This sounds pretty involved.

Turn off Javascript

Something like uMatrix can be used by the client, and Content Security Policy combined with Subresource Integrity can be used by the publisher.
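As an added illustration of the publisher-side approach named above (not code from the thread or from unarbitrate.org), this Python snippet builds a lock-down Content Security Policy for a static page whose form data must stay in the browser, computes a Subresource Integrity hash for the page's script, and models how the browser resolves a directive (fetch directives fall back to `default-src`, navigation directives like `form-action` do not). The script body is constructed; the page origin is taken from the thread.

```python
import base64
import hashlib

# Fetch directives fall back to default-src when absent (simplified list;
# worker-src/child-src chains omitted). Navigation directives such as
# form-action, base-uri and frame-ancestors have no fallback.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}

# Policy for a static opt-out page that must not send data anywhere after load:
# default-src 'none' denies any fetch type not listed, connect-src 'none'
# blocks fetch/XHR/WebSocket/sendBeacon, form-action 'none' blocks form
# submission, base-uri 'self' stops <base> hijacking of relative URLs.
LOCKDOWN_CSP = ("default-src 'none'; script-src 'self'; style-src 'self'; "
                "img-src 'self'; connect-src 'none'; form-action 'none'; "
                "base-uri 'self'")

# Constructed sample script body; a real page would hash the file it serves.
SAMPLE_SCRIPT = b"document.forms[0].addEventListener('submit', e => e.preventDefault());\n"


def parse_csp(header: str) -> dict:
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def allows(policy: dict, directive: str, origin: str, page_origin: str) -> bool:
    """Would a request governed by `directive` to `origin` be permitted?
    Only 'none', 'self' and exact origins are modelled (no wildcards)."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: browser imposes no restriction
    if sources == ["'none'"]:
        return False
    return any(s == origin or (s == "'self'" and origin == page_origin) for s in sources)


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value '<algo>-<base64 digest>' for a script or stylesheet."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """<script> tag pinned to the exact bytes the publisher reviewed."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'
```

The policy limits what page code can do once loaded; it does not cover leaks via top-level navigation to a URL carrying form data, which CSP has no widely supported directive for, so the client-side controls mentioned above remain complementary.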

It's worth noting that the equifaxsecurity2017 website posted the following update yesterday:

"In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Note the statement by the New York State Attorney General: https://twitter.com/AGSchneiderman/status/906195350532304896. Not enforceable.

Was this in response to the update? Or the original terms?

As I understand it, the original terms.

Yep, I mention that in the "What's this all about" section. However, I don't know why anyone would want to give up their legal rights, especially to a company that has just proven that they can't keep your data secure.

Submitted. Thanks for the work on this paulgb!!

Late to the party so I wondered about: 1. To confirm whether you were a victim of their "cyber security incident" you have to enter (6) digits of your SSN. Uh ... no. 2. We CAN still sign up for their one year credit-monitoring service and retain the right to legal action. 3. We should think about freezing our credit per FCC:


Fortunately they publicly stated they would not apply these TOS in this case, and you can bet that will be held against them in court if they tried to mess about with this.

I don't know if that's legally binding.

NYS attorney general announced it was unenforceable yesterday [0]. Equifax is dead and buried at this point.

[0] https://twitter.com/AGSchneiderman/status/906195350532304896

Read later tweets...

But it's in CAPS...

It doesn't matter if it is, it will easily scare off a lot of people.

You could look at the alternate site: https://equifaxbreach2017.com

This is a great product if it provides consumers with peace of mind, but I think in hysteria most people haven't realized that the arbitration clause only applies to TrustedID, not to the breach itself. The clause as shown is just the standard terms for TrustedID and applies to nothing else. The New York State Attorney General has confirmed this through Equifax.

Why not offer this as a Chrome extension that detects any arbitration clause in any TOS and gives users options to opt-out, including the ability to mail an opt-out through an API?

>Why not offer this as a Chrome extension that detects any arbitration clause in any TOS and gives users options to opt-out, including the ability to mail an opt-out through an API?

Probably because that's like a million times more work?

Not really... If I made a dirty version of the plugin for myself, I'd just do a DOM text search for "terms" and if found do another search for "arbitration", both case insensitive. If found, then highlight the words, pop a warning to the viewer, and scroll the window or modal to the spot.

The mailer API would be plausible through a third-party postcard/letter mailer API.

That's nice.

But you still don't know how the opt out has to be worded in a specific case and through which medium to which address it should be sent.

So, yes, you could build a TOS alert system of some kind.

And that might be a nice and popular plug-in.

But an automatic opt-out button is very hard.

> Probably because that's like a million times more work?

I assume you're referring to the "detection" part.

Perhaps in the early 2000s this was true, prior to the widespread application of natural language processing; when one had to pre-define the format of most everything. Now all that's required are a few niche terms and a structure to apply them.

I suspect (or at least would hope) this guy has an automatic letter folder and filler/stuffer[1], because doing this manually is... hard, and takes hours.

It would be critical if you were offering this for "any TOS", though. Depending on success, you may even need to lean on an external printing/mailing service to do the work.

In any case, it would be very very hard to offer a generalized service to do this, for free. Once-offs like this are the only viable way to make it free.

And I'm not even getting into the infra/maintenance work on the extension and API itself.

[1]: This happened to be the first result for a video search: https://www.youtube.com/watch?v=aJjagamqNCY

Yes, an automated mailing service like Lob (YC) would be necessary. Lob takes about 5 minutes to set up and handles all the dirty work of printing + mailing.

Ideally a user would pay a monthly fee for the extension and then the mailing costs.

I'm at home right now and showed my dad the Equifax one year free thing. He happily signed up to that. But he was very suspicious of paulgb. Looking through his resume and GitHub, no indication of shadiness. My dad ended up being fine with it.

Also in fact congrats on having multiple popular Github repos! I'm jealous. This entire thing is a great idea. Good job.

Thanks :) I'm well aware that people would be suspicious of providing this data to a stranger, especially after their data was hacked. I've been on HN for over a decade so I hope that eases worries a bit. I just really hate arbitration clauses.

I also give an option to print and mail the message yourself, in which case the data never leaves your browser.

If only there were some safe third party we could trust with reputational information, so that people could look you up there and see whether you were trustworthy.

We could have it include things like where you've lived, whether you've been sued, foreclosed, bankrupted, delinquent on loans, etc.

Hmm, but we wouldn't want that information disclosed. What if instead they gave some sort of a reputational analysis? Maybe put that data through a hash function. But then how would we compare it? Better use an algorithm to digest it to a number.

It would have to be an extremely secure system, of course, you wouldn't want it to lose the data you gave it. Maybe if it was a semi-authoritative company devoted solely to that purpose, we could call it a reputation department, or no, maybe a credit bureau.


(Parenthetically though it really does make me want someone to start one of these that operates in some open, verifiable fashion rather than "trust us lol")

Like keybase?

> Why should I trust you?

I can vouch for paulgb being one of the most trustworthy people I know. Kudos for doing this Paul!

Why should I trust you?

I can vouch for karanbhangui being one of the most trustworthy people I know.

I can vouch for seszett being one of the most trustworthy people I know....

Sorry, I don't have m3andros in any of my root certs...


I'll bite, and who vouches for you?


if you can show me a blockchain that says the same thing I'll have 100% faith in all of you with 1+ confirmations.

Only if the web of trust:

a) eventually links to someone you personally know and trust

b) has not been compromised, intentionally or carelessly

Even if those are the case, after enough hops in the trust graph trust gets pretty diluted.

I don't need to have faith, I have a smart contract for that.

How did this thread survive on HN? It's redditesque!

Thanks Karan, I owe you a beer for that :P

A smart move after being informed that your personal data has been breached is to give more personal data to a random dude on the internet. After all, you are only giving up your name, address, Equifax ID, and IP address. What could go wrong?

6817 karma, I trust this guy more than my mom.

Nothing worse than what Equifax already did...

That's a very altruistic thing of you to do. Good job. It's a real shame what happened and how they are handling it.

Thanks for this! What if I don't have an equifax user id? Never signed up for any of their services

Where are the lob.com guys?? This is a GREAT PR opportunity for them.

I'm on it

Love your service! -happy customer

Thanks for taking the time to do this!

Now if we could only have a service or an API to file against them in a small claims court. 143 million lawsuits would be kind of crazy but interesting to see.

I mentioned this the other day on a related thread and received 15 upvotes. Seems like there are many interested parties. I'd pay $20-99 for this service.

I posted this a few hours ago: https://news.ycombinator.com/item?id=15207727. Shows you the steps to sue Equifax in small claims.

Very helpful. Thanks!

Can we get a kickstarter for some sort of automailing service with an API that his site can hit? I would love to spam equifax with thousands of these letters.

you have a typo "the company has since clarified, under pressue"

Thanks, fixed!

> you can opt-out within 30 days of signing up

Within 30 days of signing up for what? Surely no one signs up for Equifax.

They have an identity theft protection and credit file monitoring program.

The wolf guarding the sheep.

According to https://www.equifaxsecurity2017.com/ they have removed the waiving of rights from their TOS.

I love this and you.

Thanks muchly, Paul - very appreciated!

Is an equifax username required?

Their ToS requires it, but doesn't specify what to do if you don't have one (since by my reading even submitting your info binds you to the arbitration clause). I've made it optional on the form.

Why not charge people? If a lot of people use it, you might run out of money.

I'd rather maximize the number of people who can participate. I figure the ceiling on what I have to pay is a round trip flight to Atlanta to deliver it by hand, and if it comes to that I wouldn't mind a trip to Atlanta :)

Haha, right. Kudos on you to do that and good luck!

that's actually not that unlikely.

    You have: 140 million * 10 grams * 10% * 0.01%
    You want: 
            Definition: 14 kg
One standard US envelope is about 10 grams, and assume 10% of affected people sign up for credit monitoring and 0.01% use your service to send the opt-out. You might even wind up with multiple bags!

140 million is a lot of SSNs.

Thank you so much!

How do I obtain my Equifax user ID?

It's given when you sign up for TrustedPremier. I have made it optional; the ToS says that it's required to opt out but doesn't indicate what to do if you don't have one (since the ToS still technically covers you if you enter your info)

143 million thanks!

Thanks paulgb!

Equifax's Chief Security Officer is a music major.


It paints a clear picture why this happened.

We've banned this account for repeatedly violating the site guidelines: https://news.ycombinator.com/newsguidelines.html. Doing this will eventually get your main account banned as well, so please stop.

So much this.

What's the benefit of opt-out? What's it about? I know Equifax was hacked but haven't had the elusive free time to delve into it.

> What's it about?

If you'd clicked the link, you would've seen the following on the home page.

> What's all this about?

> In light of Equifax's recent security breach, they are offering a year of complimentary credit monitoring services. The media have noticed that in their Terms of Service, they include a binding arbitration clause which means you give up your right to sue them in a regular court and must instead go through an arbitration process.

> While the company has since clarified, under pressue, that the security breach is excluded from these terms, binding arbitration clauses are a growing trend that remove legal remedies like class action lawsuits from consumers. It is especially reptillian that they would have consumers give up their legal rights in the aftermath of a breach, for a product we only need because of the breach.

> The arbitration clause has an out, in that you can opt-out within 30 days of signing up. However, opting-out requires sending a statement by mail, which is sure to dissuade a lot of people. In order to make opting-out as simple as opting-in, I created this site.

I tried to briefly summarize this in the "What's all this about?" section, let me know if anything is unclear. Essentially the benefit of opting out is you don't give up legal rights to a company that just proved incapable of handling your data.

