An Amateur Rap Crew Stole Surveillance Tech that Tracks Almost Every American (forbes.com)
313 points by kawera 4 months ago | 111 comments

I remember a comment here on HN about how identity theft is the wrong name. Your wife and dog don't stop recognizing you. It is financial fraud and it really should be the entire responsibility of creditors to fix. The second you report it you should be able to have it sorted or be fully capable of suing them for defamation of your identity e.g. claiming you went on a credit card binge when you did not... We need an overhaul on privacy and our credit system. I am even much more concerned about the latter since it affects people's lives much more dangerously.

> a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion, which last year had revenues of nearly $1.9 billion. One brochure for the service promises access to a startling amount of personal data drawn from myriad sources: more than 350 million Social Security numbers of dead and living Americans, 225 million employment histories and four billion address records. Add to that billions of vehicle registrations and call records and you have one of the largest commercial surveillance databases in existence.

> It’s used not just by cops but also by debt collectors and private companies carrying out background checks. Private investigators use it to track cheating spouses.

Honestly that this database exists at all is a serious problem in itself.

In my country such a database has existed for a long time. It's the national id database. It's controlled by national police. Every one of us owns an eight-digit number. As for me: identity is a right, not some secret that I want to hide. What doesn't make sense is that people are afraid of USA government having much needed data, while private organizations have them already.

How does your country handle authentication? The real problem is that in the United States, social security numbers and birthdates are used as private information for authorization with all the various financial and health institutions. I'm less afraid of them being public and mostly afraid of the fact that all these institutions treat that information as private.

In Germany, the combination (Name, Address, Date of Birth) is assumed to identify you uniquely.

For authentication you just show your ID card that contains both your name, date of birth, and your official address. If you move you have to notify authorities and get an official sticker on your ID card showing the new address. By law, everyone is required to own either an ID card or a passport to be able to identify yourself in front of police or a court.

Of course various government agencies have their own identification numbers for you, for example you have a tax id that you will have to share with your bank, and another id for social security that you will have to share with your employer, etc. But those are just for reporting to various government databases and are never a form of authentication. You first prove who you are with your ID card, then you exchange id numbers for relevant systems.

(our IDs also have numbers, but you can get a new ID card as often as you want and nobody outside the government can do anything useful with it. We had some bad experiences with government databases, so it's now a number of unconnected smaller databases)

What about over the phone or online though? How do you show that you are you?

I'm in Czech Republic, but I guess the practice will be similar in Germany.

It depends on the degree of verification you need. You can just post a scan or a photo of your ID, you can send a small wire transfer because banks have to verify the account owner, there is an OpenID provider that offers authentication tied to the real world identity, a courier can come to your home to verify the ID or any combination of the methods.

Preface edit: I'm from Germany.

Usually in the same way it's done everywhere else: name, date of birth, registered/current address, sometimes an additional pin/security question/etc, depending on who you're calling.

If it's official business you might be required to send an actual letter, though I doubt they ever check your signature unless you're suing them.

If it's online and state business (portal for unemployment stuff, state employee pension details, etc.), you usually have to provide your name and address first, which they then check against your registered address. They'll then send you a letter with a one-time password you can use to register your account.

Edit: Modern E-Business companies often require you to "verify" your identity by ways of Postident (you present your ID to a post office) or IDnow (you present your ID to a random guy via webcam who asks you to move it around so he can see all holograms, data, etc.) and can compare it to your picture in the webcam.

This is considered to be enough for financial transactions according to our current money laundering laws, so it's about the most tough version you can go through.

To add to this: a lot of stuff just can't be done over phone or internet unless you use postident or IDnow. For example your first interaction with any financial institution is either in person or involves you waving your id card in front of a webcam according to their instructions.

Different country, but similar system here. Every person gets assigned an 11-digit personal id number at birth. That id-code then gets used as an identifier. If you sign up for something, you just give them that number, and it will work as a unique identifier, they will know exactly that you are THAT John Smith, not that different John Smith. For something simple, like signing up for the grocery store customer card, it is enough to just say your name and number, for bigger things, like opening a bank account, you have to show your ID-card or passport. For remote authentication, you use the ID-card for secure Internet banking, signing contracts digitally, voting, etc.

Belgium, except AFAIK the internet banking.


Yes, Estonia. :) Was it the voting over the Internet that gave it away? I think that we and Switzerland are the only countries that do that atm.

Authentication: Show your ID with the number, send a copy of your ID, etc.

Also companies don't treat your ID number as lavishly as in the US where you have them printing them gratuitously into easily stealable documents.

(I'm probably from another country, since my such number doesn't have eight digits.)

There are three ways to authenticate myself, none of which is knowing that magic number. Many institutions choose to do it simpler and more convenient, which is then their problem if anything untoward happens.

(BTW: None of the authentication mechanisms are available to minors, which fits in well with another aspect of the law: If an adult or a legal person enters into an agreement with a minor and something goes wrong, that's not the minor's problem.)

I'm not the poster, but:

Norway has a public number as well. It is used in part as identity, and for taxes and all that stuff. As far as identification goes:

1. Picture ID. For me, it is my passport or immigration card, and some folks have their pictures on their bank card as well, which works for ID.

2. For online transactions of various sorts and sometimes doing things at the bank, I have a little device that gives me numbers. This is issued from the bank, but is a national system. I use it along with my ID number and a password of my own choosing. This is done for things like purchases, banking, government websites that store my information (medical stuff, for example), the secure mailbox (government documents and things like that), and a doctor-patient thing.

3. Sometimes, a service will send an SMS code as well as or instead of some of the above.

I think things like income and tax information are public here and I think your address is as well (I can't remember). There is also quite a bit more trust in the government as well.

How come no one has sued them (at least in small claims court) for gross negligence?

Anyhow, around here businesses request your consent to copy/scan/store your gov issued id card. So I guess defrauding them is about as hard as getting into a club with a fake id. (But there wasn't really a need for that, as a few years ago enterprising individuals paid a homeless guy for his id card and managed to buy more than a hundred thousand SIM cards with it, so there are other issues when it comes to security.)

> What doesn't make sense is that people are afraid of USA government having much needed data,

You just need one "bad apple" or some technical hiccups and suddenly the personal data of almost all of your citizens can reach other governments' hands. After an event like this one (https://en.wikipedia.org/wiki/Office_of_Personnel_Management...) advocating for extensive data collection by a government entity is poor folly.

I'm not sure what makes you think commercial endeavours are less susceptible to human frailty than government.

The problem here is not which type of organisation holds the data; it's the fact that individual humans are involved in using it.

Please see my reply below, I didn’t say that I approve of private entities collecting data, it’s just that governments are a lot more powerful compared to companies. Just to give an easy example, an entity like the US government can have me extradited and imprisoned in the US even though I have never set foot on that side of the Atlantic while companies like FB or Google can’t, for the moment.

> I'm not sure what makes you think commercial endeavours are less susceptible to human frailty than government.

Same reason you'd worry more about a 200-pound drunk guy than you would a toddler, if they both came at you with an axe.

It is equal folly to have it in commercial or gov control. The more people and more comprehensive it is, the more incentive to hack it or abuse it.

The bigger problem is that the TLO is an adversary database -- it is a record of information about the enemy, i.e. the debtor, the citizen. Automated licence plate readers are standardized on repo cars now. Of course, they are collecting location data about all cars. Police are also widely deploying ALPR. You don't really have location privacy in America any more, even if you don't have a cell phone.

I didn’t say I approve of commercial data hoarding, quite the contrary, it’s just that, for the moment at least, those companies can’t put someone in jail (or worse) based on that collected data, the way a government can.

I think it might actually be worse, because the govt is constrained in collecting some data, but they can query company databases where it is collected (either on a fee basis or a third party record search). This is the case with the cell phone location database in the US.

> ...but they can query company databases...

my favorite example: a US person setting up their own personal account on the US Social Security Administration's website must provide sufficient authentication information.

and where does Social Security get this authentication information about each person? Equifax!

[0] see https://www.ssa.gov/hlp/mySSA/df-idverification.html

Why are you afraid of other governments? Your government has a military to protect you from them.

I’m pretty much sure that if I were to do something that might be seen as illegal by the US government my country’s government (NATO and EU member) would do pretty much nothing and feed me to them, no questions asked.

Nah dude. They will prefer posting every cr*p on FB&IG and all their secrets, so everybody can see, but they don't trust the government.

Government is/will be the first/last institution that can defend you and your identity.

Vote for the people you trust.

I'd say, "Vote for the people you distrust the least, and watch them like a hawk." You can't trust anyone with power, because they will use the power you give them to get more; why would we want to give them the tools to do that if they don't absolutely need them? Governments haven't needed to know all my purchases, my movements, my financial details, who I talk to, what news I read --- none of this is necessary to make and enforce sensible laws, provide for national defense, or coordinate international and intranational trade. They want this data so they have more control, i.e. power.

> What doesn't make sense is that people are afraid of USA government having much needed data, while private organizations have them already.

History teaches us that governments have to be treated according to different rules. Private companies didn't murder 100,000,000+ of their own customers in the last century alone. It took governments to do that.

In Sweden all citizens get a unique 12 digit number at birth (where the last char is a checksum). It is used for identification and you can call the tax agency to find the ID of everyone. For the public sector it is a great value as a primary key but increasingly shops have started asking for it too. This means a lot of information is easy to aggregate from multiple sources and build profiles of people. I guess most people don't care.

We have the same thing here in the UK (national insurance numbers) but one key difference to the US seems to be that we rarely need to disclose ours. You use it for tax related activities and that's all. I'm pretty sure if a shop asked for it most people would say no, because no one knows their own without looking it up, but also because it'd be really weird.

Regarding @pkz's comment about Swedish citizen numbers: if you are in Sweden and don't have one it is a nightmare getting anything accomplished - utilities, broadband etc, even if you are paying Swedish tax. Despite being EU members that federalization model fails if you don't have that number.

This is true. Not having one makes regular life increasingly difficult. In many cases I am pretty sure it boils down to system designers actually not considering there could be customers without one. Software won't work without the ID number to connect data to.

In healthcare hospital staff typically works around this by using "Mr twelve" - 1212121212 - which is syntactically correct with the correct checksum, but not identifying an individual.
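Added example, not part of the original thread: a validator for the number format discussed in the comments above, showing why a correct checksum says nothing about whose number it is. It assumes the checksum is the Luhn algorithm over the 10-digit form YYMMDDNNNC and that coordination numbers add 60 to the day (general knowledge of the Swedish format, not stated on the page); the function names and the placeholder set are illustrative.

```python
"""Added example: syntax check for Swedish personal identity numbers."""
import re
from datetime import date

# Placeholder quoted in the thread ("Mr twelve"); extend with local test values.
PLACEHOLDERS = {"1212121212"}


def luhn_check_digit(nine_digits: str) -> int:
    """Return the Luhn check digit for the nine digits YYMMDDNNN."""
    total = 0
    for i, ch in enumerate(nine_digits):
        n = int(ch) * (2 if i % 2 == 0 else 1)  # weights 2,1,2,1,...
        total += n - 9 if n > 9 else n          # digit sum of a two-digit product
    return (10 - total % 10) % 10


def normalise(raw: str) -> str:
    """Reduce a 10- or 12-digit number, with optional '-' or '+', to 10 digits."""
    m = re.fullmatch(r"(\d{2})?(\d{6})[-+]?(\d{4})", raw.strip())
    if not m:
        raise ValueError("not a 10- or 12-digit number")
    return m.group(2) + m.group(3)


def is_syntactically_valid(raw: str) -> bool:
    """True when the date part is plausible and the check digit matches."""
    try:
        ten = normalise(raw)
    except ValueError:
        return False
    month, day = int(ten[2:4]), int(ten[4:6])
    if day > 60:              # assumption: coordination numbers use day + 60
        day -= 60
    try:
        date(2000, month, day)  # leap year, so 29 February is accepted
    except ValueError:
        return False
    return luhn_check_digit(ten[:9]) == int(ten[9])


def classify(raw: str) -> str:
    """Return 'invalid', 'placeholder' or 'well-formed'.

    'well-formed' means only that the number parses: it is an identifier,
    not evidence that the person presenting it is its holder.
    """
    if not is_syntactically_valid(raw):
        return "invalid"
    if normalise(raw) in PLACEHOLDERS:
        return "placeholder"
    return "well-formed"


if __name__ == "__main__":
    # Constructed sample inputs; the last one is built from an arbitrary prefix.
    constructed = "900101001" + str(luhn_check_digit("900101001"))
    for sample in ["1212121212", "19121212-1212", "1212121213", constructed]:
        print(sample, "->", classify(sample))
```

A record audit can use `classify` to count how many stored numbers are placeholders rather than real identifiers before those records are joined with other data sets.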

In my country all that is public information.

Mitchell and Webb offer the canonical spoof:


Exactly what I thought of reading the parent comment... what a brilliant bit of satire.

“I’m not clear why you think it’s my identity that was stolen, rather than your money.”

M&W are one of those duos where the accuracy of some sketches is almost painful.

Very true.

It's not identity theft, it's financial fraud.

It's not stealing music, it's copying music.

It's not buying ebooks, it's leasing them.

It's crazy how easily we (and journalists above all) accept semantic distortions of reality, and forget what's actually going on.

> It's not buying ebooks, it's leasing them.

I mostly agree, though in some cases you do own them in a format that is reasonable. In other cases some ebooks are open on github as well under Creative Commons.

I just wrote the same, now reading thread.

Infringement of or on the person.

It's definitely a brilliant smokescreen. The credit agencies/banks/insurance companies that fail to secure your personal data can blame you and call you a victim instead of admitting negligence...

They are still required to fix things and return your money.

If someone "steals" your identity, and then shows up at the bank and withdraws your money, the bank will be on the hook for that loss, not you.

It's not that simple.

There are superficial barriers and hoops in place which make the chances of you not getting your money back non-zero. Not to mention, it will at the very minimum inconvenience you and waste your time.

Credit cards are less problematic in this area, but when it's a bank account / debit card, there tend to be fairly aggressive deadlines for identifying the fraudulent activity and contesting it as well as arbitrary processes, forms, and reviews unique to each bank.

In the interim you don't have the funds - for many people living paycheck to paycheck this can be a catastrophic situation.

I recently had to go through this process with a debit card someone on the other side of the country had fraudulently charged $500 to. Due to my being in the midst of leaving for a long bout of travel, it was a nightmare to get the protest documented on time, and my bank suddenly required all sorts of exceptional identifying documents they never require in the course of regular business, requiring me to jump through a number of additional hoops like accessing my safe deposit box to retrieve my passport - when I wasn't even in the same state at the time. It all just added more delays to the process.

As far as I could tell, the bank was treating me as the potential criminal. They were operating under the assumption that I, the victim, am actually the perpetrator attempting to commit fraud. Through this lens, the process being frustrating and inconvenient to the customer appears advantageous, as it all increases the odds of them failing/giving up.

Your bank was just trying to figure out which of two internet strangers not in your home territory was the real you.

Someone using your card isn't the main problem with "identity" theft. That's a minor issue. If it's more than a few hundred bucks you'll notice immediately.

Someone getting a loan or a social security card benefits or health insurance or tax refund or committing a felony in your name is the major issue, which can ruin your life with you not even knowing for possibly years.

Did you even read the parent comment I was replying to?

I've had issues like this multiple times. But have never felt like I had to prove my innocence. I recommend using a smaller bank. It's a lot harder to mistreat your customers when you know their face.

Fraud? So the suggestion is the old state of law was preferable, from a public policy perspective? Before "identity theft" was created? Created by a process that was described, if I'm remembering the right bill correctly, as industry lobbyists standing in the hallway outside the Congressional committee room on their phones - stepping into the hall to call their clients back to ask what else they would like, and then cycling back through the room to add it? Hmm... could be. ;)

In other news, it seems the NYTimes has managed to use the phrase "regulatory capture" three whole times so far in 2018![1] Woo hoo! We'll be addressing this in no time at all. Right after rolling back copyright extension. And tech innovating better fora support for constructive public discussion. RSN. Maybe next week? :/ Sigh.

[1] https://www.nytimes.com/search?endDate=20181031&query=%22reg...

But yes, it is possible to push on these things. History is contingent. And no one ever promised bootstrapping a civilization was quick or easy or monotonic.

Theft is wrong in the same way copying a file as theft is wrong.

I just realized that upon reading your comment.

From the old world, the word infringement was used. People do or have a thing they are not supposed to, basically.

No theft occurred because no loss of property happened. Thus, the other word.

I would wonder about examples of infringement back when information was much less fluid. Identities are one such example.

This could be infringement of the person, again setting modern language and examples aside.

> No theft occurred because no loss of property happened. Thus, the other word.

Money was moved from the bank via fraudulent behavior.

"Though it was designed to hunt child predators"

it is amazing that people still fall for that.


I don't think anyone fits that description.

'Non Playable Characters' he meant procrastinators who do nothing about the ridiculousness of the law makers and law enforcement. People who think "well I'm not doing anything wrong, I got nothing to hide" yeah well, except they can't keep your private information PRIVATE... So when the wrong people get a hold of it, what then? Oh look, you have plenty to hide from all these criminals...

It's a 4chan meme.

This shouldn’t exist. The fact that some company I’d never do business with can have basically every single data-point about my life without my permission is the stuff of dystopian nightmare novels, but here we are.

Legislation signed in the late 90s that allowed companies to copyright and sell databases about things they did not own (i.e. Our personal data/habits) was a big death knell for common sense.

What's the name of that legislation? Just curious.

How so? In my country all that data is public information for anyone to access and HN normally sees the very same country as the role model.

I'm trying to understand what you mean. Can you give us some specific examples of information that is public about people in your country? I mean, are any of these things actually public in a government database about an individual:

    * a history of their past addresses?
    * the types and dates of medical treatment or surgery?
    * their grades in high school? 
    * the number of times the person has reported a crime to police? 
    * the cars they have owned?
    * the items they have purchased from a drug store?
    * their favorite type of restaurant?
    * etc

Weird framing as a “rap crew.” This was a sophisticated organized criminal enterprise whose members liked to record some music on the side.

Anything to make them look worse, I'd say. It's really a shame because they were definitely savvy there. How many people can claim to have taken out a fraudulent $30,000 loan and got away with it for a decent amount of time? Seems without the Google Nest cameras they might have gotten away with a few of these schemes, as well.

More likely a way to attract more attention to the article. I have to admit I don't know if I would have clicked it if the title was "How criminals stole surveillance tech..."

Yeah, I had the same thought reading this article. It's like they went out of their way to keep mentioning "rap crew".

>Weird framing as a “rap crew.”

Studio time is expensive. Puffy, 50cent, Jay-Z all used drug profits to kickstart their music careers.

I'm not sure it would've been mentioned quite so often if these guys had also been a barbershop quartet in their spare time.

They each talk extensively about it themselves. It’s not others belittling their careers.

> When I was talking Instagram, last thing you wanted was your picture snapped.

P-Diddy sold drugs for literally two days. http://hiphopdx.com/news/id.10271/title.diddy-opens-up-about...

We need more of this. People think privacy is not an issue because “they got nothing to hide”. But the real privacy problem is that data about you that falls into the wrong hands is very dangerous.

And it’s not only identity theft. It’s making burglary easier if someone knows when I’m on vacation. It’s making kidnapping easier if someone knows where my kids go to school. It’s easier to lure me into some scam if someone knows what I am into...

How quintessentially American, to persuade us to finally secure our industrial surveillance systems because "gangs" will steal them.

Just wait ‘til you hear about the rest of the world.

'There were warning signs that things were going to get real'...'rappers'...odd framing of an article that is essentially about theft of personal information from databases with inadequate security and oversight run by giant corporations who know everything about us

Blame it on the rappers

I think the contrast of these two passages is quite telling:

>"Barnett says she and Asher worked together to ensure there was no abuse of TLO. Onsite visits would be made to clients, who would undergo a strict vetting process. Only those who passed muster were given a login, Walters says. “We were very selective.”


>"It’s used not just by cops but also by debt collectors and private companies carrying out background checks. Private investigators use it to track cheating spouses."

So giving access to debt collectors and PIs investigating cheating spouses is selective? I'm guessing the selection criteria is simply whether the customer has the $1,500 a month.

The other interesting part I thought was the levels of data weaponization going on:

>"Just as the crooks turned the turbo-powered TLO software on its head, cops used the Nests against their owners. In June last year, Postal Service investigator Berkland obtained a warrant ordering Google to hand over all the data related to those cameras. The company complied, shipping surveillance footage back, along with personal details of its owners."

Both sides in this piece seem to be thugs. TLO just appears to be a gatekeeper, they get to decide which thugs are the "good guys."

> “He was, in my humble opinion, a technology genius, a computer math genius,” says Martha Walters Barnett, a former TLO chief privacy officer. “He was among the first to acknowledge … that insignificant, unrelated pieces of data, when put together in the right way, could become a powerful tool.”


David Burnham published The Rise of the Computer State (ISBN-10: 0394514378) in 1983. In the "Data Bases" chapter, he writes about how transactional data (when you swipe a credit card, when you pay a bill) that used to exist on paper only was then starting to be stored in databases by different companies which, with the rise of cheap and fast networking, could then be quickly and easily combined in previously unfeasible ways. He specifically calls out credit reporting agencies TRW and Equifax, and warns that "the astounding power of these records is not appreciated by the public, the courts or Congress."

It's a fantastic book, and I highly recommend it.

I wish the article weren’t so light on details about the purchasing of license plate reader data. Does anyone know who is supplying this data? I suppose it’s possible that they went to every 7-11 in the country and asked them if they can buy a feed of their external cameras, but that seems haphazard at best. Is there some central clearinghouse where private security camera feeds are being aggregated? I can’t think of an upside for any business to participate in such a thing.

I remember seeing it mentioned a few times that tow truck/repo operations collect license plate images in their area.

This was best article I could find talking about that: https://abc7.com/news/repo-industry-collecting-data-on-you/3...

> Is there some central clearinghouse where private security camera feeds are being aggregated? I can’t think of an upside for any business to participate in such a thing.

Given the current legal climate, the potential upsides are incredibly numerous and downsides few (for now at least). Which ones actually exist in practice will naturally vary based on information I don't have access to. A few that immediately come to mind:

* Direct compensation. Give us your data (which you already have to collect for security purposes) and we'll give you money.

* Access to a marketplace. Turn over your data, and you'll gain the privilege of purchasing other data that we have (or some variant on this).

* Access to generalized queries instead of raw data. Turn over your data, and we'll give you a discount or perhaps not even charge you for answers to various questions about the world that you might have.

The possible uses of (and thus temptation for) such data access are incredibly vast. I distinctly remember this being one of the business scenarios presented by a cubesat startup a few years ago. Consider:

* Information about your clients. What other interests do they appear to have, based on the other places they go? How much expendable income do you estimate them to have, based on the part of town they commute to for work every day? In light of such information, which new products should you consider stocking? What should you get rid of? What political stances on your part would be likely to please or offend them?

* Information about your competitors. Does the family that owns a particular vehicle also shop at your direct competitor? Do people who visit your competitor's storefronts spend more or less time there?

* Information about where to do business. Assume that you obtain a list of people (or cars, or other database entry) that utilize you or a competing business. Assume that you then query the routes these people typically travel to determine commonalities. Now you can make a very well educated guess about what future retail locations are most likely to be successful.

* Information critical to business strategy. Is your competitor struggling, or is their business booming? How full are their parking lots compared to yours? How is their supply chain doing - how frequently are deliveries being made to their stores? If your competitor is a middleman, who are their clients? That is to say, where are their vehicles regularly stopping off? If they're an online distributor, how many shipments do you estimate they're sending out each day?

This list could go on just about endlessly, so I'm going to get back to pretending to be productive now.

I’ve been through the process of signing up and acquiring access to TLO. I called them up and stated I wanted access, I’m a real estate developer and simply wanted to cold call landlords. They said they’d sign me up but I couldn’t specifically use it for unsolicited calls, I said ok and then still proceeded with my account creation.

Scheduled a required on site visit, where a very unfriendly Russian woman came into my apartment and checked that the following was in place: 1) My computer had a password 2) I had a locking file cabinet 3) my office door locked 4) I had a business license 5) Paper shredder worked 6) dedicated office with no bed (I set up a mock office in my guest room and slid my guest bed into my master room moments before she arrived; also she didn’t catch that neither the lock on my file cabinet nor my office pocket door actually locked)

TLDR: Nearly anyone without a criminal record who owns a computer, a business license and a bedroom can get an account.

We sat in the living room and signed some papers and that was it. I signed in and was amazed, TLO data is very accurate and up to date. It’ll even show people on various government watch lists, registered sex offenders, etc. The only thing it’s bad at were email addresses, at least for my target audience they were almost always wrong. Phone numbers have confidence percentages next to them. I would get very surprised calls when cold calling people like that. Some people run very profitable enterprises in that manner.

There are also FB groups of PI and ‘skip tracers’ and you can fairly easily befriend and ask to pull records for you for a price as to not have to sign up for TLO. Although this is expressly against their TOS.

This was inevitable. I don't think they're overly sophisticated, they were just at the right place at the right time.

Because when you have this "tool" that is used by anything from postal workers to private investigators to bring up info on millions of citizens then obviously it's a matter of time before it ends up in the wrong hands.

We should seek to reduce the asymmetry, currently only our masters and their minions get to watch us.

If networked dash cams and home security cameras become common there should be crowd sourced public tracking of every LEO, politician, etc.

Let's go a bit further. We know that power corrupts and therefore the powerful often cannot be trusted.

So the power a person/institution has should be be inversely proportional to the amount of privacy they enjoy. We can start by only voting in politicians that wear personal cameras a la 'The Circle'. (Some police already do this while on duty.)

Of course the irony is it would take a kind of power to make this happen.

C.f. Aeon Flux S03E01 "Utopia or Deuteranopia?" where our autocratic hero Trevor Goodchild institutes a program of radical transparency.

https://youtu.be/f5Au5Z_NbOY (Forgive the Content ID jamming.)

Well, elections resemble reality TV more and more, perhaps that is an angle that could work...

David Brin has a very interesting (non-fiction) book on this premise called The Transparent Society

Systems like this make it seem so futile to care about online privacy.

Not that I'll ever stop trying, but still. It's hard to compete with this level of power/surveillance/etc.

You have to concentrate on anonymity instead of privacy.

You have to live in the world and resist anonymously.

They briefly touched on how this company also buys up all the public images of license plates and sells it as a location log for any license plate you want to find.

We should outlaw all tracking for car licenses and cell phones. I am not naive enough to think this would pass Congress but it should. Otherwise there is basically ubiquitous surveillance of everyone available to everyone who looks.

It's not just tracking by cops. Private companies are installing license tracking cameras on their corporate facilities and tracking all cars that drive by them on public roads and are then reporting these activities back to city and state governments.

Municipalities are even requiring companies to do this.

Also, isn't it interesting how dark Palantir went after all these things came to light? Notice you never see techs commuting on BART or Caltrain any longer with Palantir bags or shirts on.

Not for car plates, cars are killers and should be tracked everywhere. 40,000 people are killed due to cars every single year in the US, a million around the world. They are worse than guns.

Do you have any sort of evidence that tracking them prevented / reduced those deaths?

The headline reads exactly like the plotline of the last fast and furious movie

I expected them to have stolen physical stuff, like a GSM sniffer or stuff like that. This is more like Wannabe Gangstas Gained Illicit Access to Database that Tracks Almost Every American.

TIL the government can get access to nest cams.

Technically, and legally, speaking, the GUBment can get access to any data if it isn't air-gapped and encrypted.

I'm legitimately curious as to why you only learned this today. We've known that governments have been taking data like this from companies for a long time. All access that Google has is pretty much up for the government to grab.

Anything "in the cloud" also known as other people's computers is fair game for the government right now.

Does this surprise you?

Is there any way to see what information TLO has collected on you similar to how some people search websites let you look yourself up and request removal of your personal information? I couldn't find anything on their site.

Probably not without signing up, I posted my process below.

In my experience if you’re in the US they have nearly every past address, licenses, license plates, social, credit history, name and phone number (landline and cell) that you’ve ever used and a list of mostly incorrect email addresses. Your whole family tree, living and deceased, and all their data. All sorted by date and searchable off any one or more pieces of data. It’s fairly frightening.

Plus a bunch of low-confidence guesses of data that ‘might’ be yours. And pictures of some people if they’re on certain lists iirc.

Suddenly GDPR is not so bad, eh?

This whole thing is a poster child for GDPR.

Step 1: hi TLO, what information do you have on me? Step 2: right, delete all of it.

And this is (close to) the crux of the issue. How can we prevent malicious actors from abusing our numerous and diverse surveillance technologies (law enforcement; ad-tech; pretty much every 'smart' device) whilst also allowing authorised, regulated, controlled, legitimate uses? (And is it worth it?)

What processes and assurances are enough? (Formal methods, I'm looking at you).

There were a few quotes in the article from EFF people, but I thought the EFF was more ambivalent about private companies like TransUnion selling access to data like this. Am I incorrect or are they only critical due to the potential for abuse by law enforcement?

The EFF is run by/employs/takes advice from a lot of people, who probably don't all agree with one another:




this is absolutely begging for regulation

Entertainingly, this is already regulated in an inconsistent manner in some states. In Virginia, for example, the government has some fairly broad restrictions on collection and retention of personal data, but to the best of my knowledge no civil counterpart exists. See this recent case on the matter:


In fact, they're so worried about government abuse there that another bill seeking to severely limit retention of license plate reader data passed both the house and senate before being vetoed by the governor over "public safety concerns".

Article about it: https://arstechnica.com/tech-policy/2015/03/virginia-passes-...

Bill details: http://lis.virginia.gov/cgi-bin/legp604.exe?151+sum+SB965

Best quote ever:

> Senator: "I wasn't a criminal suspect, so why are they taking pictures of me?"

