Hacker News new | past | comments | ask | show | jobs | submit login
Twitter warns that private tweets were public for years (bbc.com)
282 points by LinuxBender 3 months ago | hide | past | web | favorite | 183 comments



Just my own opinion, but at this point I think it's prudent to assume that pretty much anything you send out into the digital network world is public. If it's not something you would want the world knowing you said, don't put it out there. Security breaches happen. Bugs happen. Sometimes law enforcement just comes by and says, "Give me everything that user X has ever done." In short, sh!t happens.

"Everything I do on the net can be authoritatively attributed to me personally."

That's the thought we should all have in our heads before we send any post, or send any text, or send any email, or send any photo, or etc etc etc. We shouldn't rely on some company, that's using us to make money, to protect our privacy.


This is what I have been teaching my kids and their cousins:

1) Everything you do on the internet is public

2) Everything you post on the internet is forever

3) Everything above can be traced back to you

I also showed them how easy it is to save private and public snaps without sending a screenshot notification (including video!) and how easy it is to fake.

It's hard to know if it's sinking in or not, but I hope so.

I wish I could show parents who are not tech saavy how to get these points across to their children.


> Everything you post on the internet is forever

I wish it was. Anything on social media maybe, but the broader internet dies in ~10 years.


A lot of my forum posts from 2004 are still around. Also web archive exists meaning that all those sites are being archived even if the site hosting that content disappears.


When I search for my name I get Usenet posts from 1991 :)


That's not the worst of it - some of my code is still around from circa 2000. It's kinda embarrassing to read now.


I honestly don't know how Snapchat ever was able to maintain the veneer that snaps are temporary and can't come back to haunt you after they disappear. Their own users often would take screenshots, so how did the story that snaps are temporary keep getting promoted?


All those lines would be better with ", except when you want it to" appended at the end.


The entire point of the post is that "what you want" doesn't apply to this.


GP's point was, I think, that if you wish for something to be permanent, then it won't be (have backups). Not exactly relevant but not contrary to the core concept we're discussing (being pessimistic about the quality of service).


Definitely agree.

I remember a long time ago Facebook profile pictures used to be private. And then one day without notice they became public. For some reason, I can't find any news articles about when this happened. Maybe I'm crazy or maybe the Internet is gaslighting me. Either way, I had friends who grew up in very conservative muslim families who no longer wore the Hijab but hadn't "come out" to their parents yet. Then one day they woke up to their facebook profile pictures being public where they weren't wearing a hijab and they haven't talked to their parents since.

Anything you put online has a non-zero probability that it will be 1) hacked 2) released as a bug or 3) released as a change in policy.


In 2007/2008 as I quit Facebook after this happened and a bunch of other settings would without notice.


I'm often surprised how much people share via Slack as if it's an impenetrable fortress: perfect for pasting admin passwords, keys, and incriminating opinions and business secrets... if that floodgate ever opens then it will be a crazy time for us devs!


Yeah, this drives me up a wall. I have a coworker who constantly champions the bull* static code analyzer we use catching "security" issues...and then sends around certs and keys via Slack and email. :/


Security is always a matter of cost vs. benefit, i.e. you need to weigh the cost of the risk (likelihood * impact) with the benefit of the action.

For example, I have shared credentials on Slack before, but that's because said credentials were for a non-critical system, and if hackers somehow a) hacked Slack and b) identified the information I shared and used it, the only thing they would get their hands on would be a curated collection of cat pictures with funny captions (and I don't re-use passwords).

Therefore, blanket rules like "don't share credentials on Slack" tend to miss the point. Obviously, don't share your bank account info on there. But you can totally talk about otherwise sensitive stuff if the risk profile is sufficiently negligible.


Sharing credentials is not a problem. The more critical ones are probably rotated regularly anyway. But it'll be fun to see all the dirty laundry getting aired publicly if and when Slack gets hacked.


Good time to remind that hacks notwithstanding, Slack private messages can in many occasions not be private by design (and so shouldn't be considered private to begin with): https://mashable.com/2017/10/26/slack-dms-private


Just as a heads up on this, slack doesn't even use HTTPS! Your employer can certainly read all private slacks on your work network, even if it's a non-work-slack workspace


Pretty sure it uses HTTPS, but if you're on a corporate network on corporate hardware, there is a real chance that there's a corporate MITM proxy that is capable of reading all of your HTTPS traffic.


Only if you have their root certificate trusted


From experience, if the org is doing https mitm then it almost certainly also has network device authentication (eg Cisco ICE) that would only allow corporate whitelisted devices. Usually with custom builds that would already have the corp root cert trusted.


You have to do that if you want to do any work.


    curl http://slack.com -v
    < HTTP/1.1 302 Found
    < location: https://slack.com/


This is absolutely not true, as a cursory examination of your browser's dev tools will reveal.


Do you have a source for this? That sounds very surprising if true.


Nevertheless, we can meaningfully make distinctions between sending a message via Riot or Signal vs. sending "private" messages on Facebook or Twitter.

It's a spectrum and not a binary condition.


I think there is a line between accepting that accidents happens, and assuming that it does.

Imagine assuming that every time you cross the street you’ll get hit by a car. Assuming every time you see someone it will be the last time ever. Assuming ever day you live might be the last one.

That’s no way to live, I find it incredibly mentally taxing and insane if actually followed.

Sure security breach can happen in any service, we should still treat most of them as reasonably private for any casual use.


Eric Schmidt: "If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place."

People have taken this different ways, but personally I think it's sage advice. We've lost our ability to keep secrets. Information wants to be free. We're terrible at digital security. Pretend everything you type into a computer is on the front page of the New York Times.


^^^ VikingCoder:

That's simultaneously an admirable ethical stance... ...and total BS.

Put your money where your mouth is. Post your full banking and personally identifying details immediately, without hesitation or regret.

If you;d rather not, maybe you actually agree that not all issues of privacy come down to ethics. Some details of a person's life really do deserve privacy.


I think everyone here is misinterpreting what I meant, and I take full responsibility for that.

I think we thought of computers and the internet as our allies in privacy. They are not. They are our enemies.

I think we should stop trusting computers, any computers, as much as we possibly can.

Especially if you're in a minority that your government may try to punish.

---

We all deserve privacy, and we are all almost completely denied privacy, by design, by hundreds of systems we use daily.

I highly recommend the novels "Daemon" and "Freedom" by Daniel Suarez, which explore just how vulnerable our digital infrastructure is.


The problem is with the initial line of reasoning: "If you don't like x, don't do x". It's the biggest load of crap that everyone buys into for some reason. It's like saying if you don't like air pollution, move to a different location. Like yes, true, but also I want to improve the situation in my current location, not abandon it.

That's how people feel on the internet, and you're asking them to throw in the towel completely and accept they'll never be able to share anything on the internet in private. You're even going as far as to say if they want something private they shouldn't be doing it. Both of these two things are untrue, but especially the idea that technology is inherently un-private and can never be so.


> Both of these two things are untrue, but especially the idea that technology is inherently un-private and can never be so.

I'm sorry, but I think you need to start with a list of ways you think people can use technology which has a high degree of certainty of being and remaining private.

Because I can't think of any.

Credit cards are an abomination. ISPs and wireless carriers know way too much metadata. Every social media company is a horror show. The ability to uniquely identify your browser across sites is terrifying. NSA's Carnivore. Keyloggers. Zero day exploits in the OS, in the browser, etc. Row hammer. Spectre and Meltdown. Elemental Technologies. SMS authentication and account recovery. Every online store knows way too much.

https://xkcd.com/538/

I mean, there is literally no way to even secure your IDENTITY:

https://www.wired.com/2010/05/lifelock-identity-theft/

And even if you do everything perfectly, Equifax might screw you, or Oklahoma:

https://www.forbes.com/sites/thomasbrewster/2019/01/16/massi...

So, can you list maybe one or two things in technology you think are strong-guarantee secure and private?

And I'm not saying to give up. This is the fight of our lives. But right now we've LOST. We need to think about how to start over, to try to win next time.


Furthermore, for Eric Schmidt (of all people) to be taken seriously when he says this kind of thing, he should publish all of his personal data too.


> Eric Schmidt

You forgot the second part of that quote that's much more relevant to this conversation:

> "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place, but if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it's important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities."

Just need to add "we are all subject to buggy permissions APIs" :/


""If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.""

... Says the billionaire to the gay man in Nigeria who could be killed if this were public knowledge?

... Says the billionaire to the journalist with private sources doing legit work?

... Says the billionaire to the person who votes 'ABC' but works in company who votes 'XYZ' and hate those 'ABC voters' and who could lose their job due to blatant political discrimination?

I quite fundamentally disagree with this concept as it abnegates the very nature of privacy.

Different words, ideas, have utterly different meanings in different social contexts and in different cultures, different regimes.

It's a deeply cynical quote from him, I think, that facilitates his own 'bottom line' i.e. as someone who makes billions from the exchange of 'public' information.

"We've lost our ability to keep secrets."

It's true that privacy is harder but it's definitely not true that we can't keep secrets. We control technology and the internet, and we can definitely 'choose privacy', it's mostly a matter of will, and the pragmatic acceptance that it won't be perfect.

Privacy was taken for granted, but I believe we should recognize it as a basic right.

It'll be a little bit harder for example in the digital age, but we can absolutely have it, we just need to make the choice.


I think everyone here is misinterpreting what I meant, and I take full responsibility for that.

I think we thought of computers and the internet as our allies in privacy. They are not. They are our enemies.

I think we should stop trusting computers, any computers, as much as we possibly can.

Especially if you're in a minority that your government may try to punish.

---

I care deeply about all those people. I hate that computers have been weaponized against them. It's a tragedy to go from the optimism of improving the world with computers and networks, to where we are today.

I fundamentally disagree with you that we can achieve privacy.

Your ISP knows too much. Your phone carrier knows too much. Your DNS knows too much. The Credit Agencies know too much. Your CPU is too insecure. Your OS, browser, and other apps are, too. We keep turning decentralized / federated services into centralized ones. Every ad network knows too much. Your browser knows too much. It's too easy to identify you nearly uniquely from your browser, even if you try to stop it. TOR has a lot of problems, and exit nodes are the devil. Blockchain is too easy to track. Keyloggers are far too common. SMS verification and recovery are the worst things ever. Face Tracking is entirely too viable. License Plate tracking is entirely too viable. Credit Card companies know too much. Banks know too much. Employers know too much. Every online commerce site knows too much. Our phones know too much. Polling companies know too much. The political parties know too much. The NSA knows entirely too much. Google, Facebook, Twitter, Amazon, Microsoft, all know too much.

I think things like Kenton Varda's Sandstorm are a good step. I hope to see more things like them.

If you want something to be secret, don't let a computer know you're doing it. Any computer.

When you say "we just need to make the choice," I don't believe you any more. I think that's kind of like saying Communist Utopia, or Libertarian Utopia can exist. All that needs to happen is all of human nature needs to change. :(

I think tech folks like us need to work our asses off to create systems with real privacy that are just as good or better than the ones that destroy privacy. Because if they're remotely worse, in basically any way, they won't catch on.

Note that Facebook will be almost entirely impossible to replace. Because of the Network effect.


"All that needs to happen is all of human nature needs to change"

No, just some legislation, policies, some new architecture, possibly some technology changes.

If the government for example banned any org from collecting any personal information at all without specific explicit permission, and applied the same to sharing, it would quite fundamentally change the landscape.

In fact, just taking a 'closed' approach to privacy instead of 'open' in most systems, then most privacy problems would be addressed.

Obviously, a 'hacker' could steal stuff, but those are generally marginal cases, and there's no reason that we need to live with that either.

How often to hackers steal money from your regular banks? Not very often. If we treated personal information like private data then we'd be living in a new world, about the 1990's.


"Click here to surrender your privacy so you can see pictures of cats."

->click<-

People will click the button ever time.

I think human nature needs to change.

Or else we need to work our asses off to invent better technology, but we're nowhere close.


My favorite response to this is the one called out on the story a few months ago about Keybase's exploding message feature[1]:

> I have nothing to hide

> Because no one is trying to hurt you

[1] https://news.ycombinator.com/item?id=17357992


Better not be openly gay in Russia! Or openly gay 15 years ago and have them scrape old data and find out.


Or openly gay 15 years ago and have them scrape old data and find out.

Do you have any sources on this? This kind of retroactive censorship seems to be the latest fashion in the English-speaking world [1][2][3], and it's reasonable to expect such fashion to spread in Russia, but I haven't heard of any examples.

[1] https://news.vice.com/en_us/article/zmdwk3/here-are-the-homo...

[2] https://www.telegraph.co.uk/football/2018/01/10/everton-defe...

[3] http://www.thedrive.com/accelerator/23138/conor-dalys-nascar...


I think everyone here is misinterpreting what I meant, and I take full responsibility for that.

I think we thought of computers and the internet as our allies in privacy. They are not. They are our enemies.

I think we should stop trusting computers, any computers, as much as we possibly can.

Especially if you're in a minority that your government may try to punish.


I'm actually going to reply to you twice with a similar idea. You're blatantly telling people that technology can never be trusted to be private. I just don't see why such a cynical outlook on the situation is needed, especially when it's obviously not true and the odds are not necessarily stacked against people who want privacy online or on technology.


"obviously not true"

If you want privacy, you must first have security, and no system is secure.

I mean, just for starters, there are a constant stream of zero day exploits in OSes and Browsers that would allow me to install a keylogger on your computer, completely undetected.

So why are you so anti-cynical?

The situation is dire.

I highly recommend "Daemon" and "Freedom" by Daniel Suarez, who was a Security Consultant.

Privacy is literally life and death for people. I think trying to minimize the dangers is reckless.

Cheers.


> Privacy is literally life and death for people.

This is what loses most people, because they don't think it's a big deal if someone reads their Facebook messages.

Privacy is what prevents gay people from getting purged in Chechnya[1]. Privacy is what keeps political dissidents and religious minorities out of concentration camps[2]. Privacy is what keeps our spies from being executed.

And for those who scoff at the idea of a state-level actor coming after them: privacy is what prevents someone's abusive partner from murdering them when they choose to leave the relationship[3].

[1] https://www.npr.org/2019/01/14/685192372/https://www.npr.org...

[2] https://www.reuters.com/investigates/special-report/muslims-...

[3] https://www.theguardian.com/money/us-money-blog/2014/oct/20/...


I think you're right in principle but too binary and extreme. You sort of make it sound like people think the internet is completely secure, and you're encouraging them to assume it's completely insecure. In reality it's more like fairly skeptical people using a secure-ish internet. If you're pretty obscure and conservative you're secure enough in practice.


Once upon a time, a country started killing their own citizens. Because of some ancestry they had, or disease, or were a member of some religion, or they used their genitals in a certain way, or co-habitated with someone like that.

Oh wait, that's happened again, and again, and again.

Which specific kinds of people were the targets has changed repeatedly over the years. Literally no one has an absolute guarantee that either they, or their family or children, are without a shadow of doubt free from this concern ever happening to them.

We thought we were anonymous. We thought we were secure. We underestimated how easy it would be to track, correlate, and analyze us.

None of us are safe. None of us have the privacy or security we should.

> If you're pretty obscure and conservative you're secure enough in practice.

You're ignoring the black swans of politics, hackers, militias, etc.

Yes, sure, we're probably all 99.99% safe. But 3 billion people are online. That math alone says 300,000 of the people online are not safe.

Do you really think we're 99.99% safe?

I think we're already tagged and manipulated like cattle. I already think that mega-corporations know entirely too much. I think we're already not safe. Equifax leaks alone prove that to me.

Heck, later down the HN front page today:

https://www.zdnet.com/article/wifi-firmware-bug-affects-lapt...


Or openly conservative in the USA


I’m sorry, but what? Are you suggesting that being conservative in the United States is somehow equivalent to being gay in Russia?


Yep. Assuming you live in SV, would you like to disprove me by putting a TRUMP 2020 sign on your lawn?


Sure, because that won’t have me thrown in jail or possibly even killed.


Conservatives control our federal and most state governments. They recently had control of all three branches of the federal government.

The idea that conservatives are a disenfranchised or endangered group is absolutely ludicrous.


I disagree entirely. Being a young white male with some moderately conservative ideals in [West coast city] makes you entirely unlikable by most people who find out. This is my first hand experience.

Being conservative is the new taboo.


I don't doubt that such people experience friction, but the comment I was responding to made an analogy between being conservative in the US and being gay in Russia.

The former group is the ruling class in the US. The latter group is criminalized, shamed, and sometimes murdered.

Further, being gay can't harm someone else, while being conservative in a (theoretical) democracy certainly can hurt people.


Are you trying to make the claim that, since one instance of discrimination is worse than the other, then we shouldn't try to discuss and explore other controversial examples of the discrimination, simply because they're not as bad? Even if they are more relevant to us, the commenters? I didn't see the parent claiming that their version of bigotry was worse/equal to grandparent's version, that's something you falsely assumed.


Interestingly, the GP is making that exact claim: that being conservative in SV is the equivalent of being gay in Moscow.

> Are you suggesting that being conservative in the United States is somehow equivalent to being gay in Russia?

>> Yep. Assuming you live in SV, would you like to disprove me by putting a TRUMP 2020 sign on your lawn?[1]

[1] https://news.ycombinator.com/item?id=18944526


In Russia you can get to prison for being gay.

In West Coast US a few people might refuse to date you.

These don't seem like the same thing.



You can also Google for prostitution services in places in the US where they are illegal.

Pretty sure I don't need to link to the California Republican Party website.


I posted the link hoping to convince you that your claim is inconsistent with the existence of huge multi-storey gay clubs in the center of Moscow. Guess I was wrong.


Or openly racist


This advice works great if a person is in a majority. The problem happens when a person is in a minority.

Imagine if in America in the 1910's a person has a reasonable dissenting opinion like, "I think all citizens should have equal civil rights." If I was there I would be hesitant to attach to this opinion to my public identify. Especially if my employment relied on me voicing an opinion in agreement with the majority.

This seems to have a chilling effect that prevents anyone from voicing an opinion that is not already close to being in the majority.


> This advice works great if a person is in a majority

I think you mean “group with dominant social power”; that's often confused with majority because of the predominant pattern of race/ethnic/religious (but not economic class) oppression in Western Europe and North America, but consider apartheid South Africa.


That's a great point. It makes more sense to use "group with dominant social power" instead.


I think everyone here is misinterpreting what I meant, and I take full responsibility for that.

I think we thought of computers and the internet as our allies in privacy. They are not. They are our enemies.

I think we should stop trusting computers, any computers, as much as we possibly can.

Especially if you're in a minority that your government may try to punish or control.


A case of "do as I say and not as I do". Besides Eric Schmidt is powerful and rich enough to stop people from talking. Not exactly a level playing field there.

Maybe Eric should not have a private Instagram account which follows young models. Maybe Eric should not ask Google to delete results about his political donations.


This is an incredibly oppressive, totalitarian way to put things. This is literally Big Brother thinking, which says a lots about the core values of Google. You have to act exclusively in the way that society deems acceptable. Even in privacy, in places you seem safe, even in your own home, with friends or family, because someone, some device, may be watching you at any time, opening you to the judgment of others and the law.


I think everyone here is misinterpreting what I meant, and I take full responsibility for that.

I think we thought of computers and the internet as our allies in privacy. They are not. They are our enemies.

I think we should stop trusting computers, any computers, as much as we possibly can.

Especially if you're in a minority that your government may try to punish.

We ARE in an oppressive surveillance state. Our government is tracking us. Every business is tracking us.

I highly recommend the novel "Daemon" and sequel "Freedom" by Daniel Suarez. He's a former Security consultant, who wanted to wake people up to how fragile our digital infrastructure is.


He's making a powerful argument against... trade secrets? Or are only corporations allowed to zealously guard their secrets, and natural persons just have to assume those corporations will leak their petty ones?


> Eric Schmidt: "If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place."

Would he extend this idea to clandestince agencies?


Or Google's trade secrets...


Am I missing something? That seems to be equivalent to "the innocent have nothing to fear" in assuming that no one is ever persecuted who doesn't deserve it.


I think everyone here is misinterpreting what I meant, and I take full responsibility for that. I think we thought of computers and the internet as our allies in privacy. They are not. They are our enemies.

I think we should stop trusting computers, any computers, as much as we possibly can.

Especially if you're in a minority that your government may try to punish. (PS, that's anyone.)


Unfortunately we live in a world where authoritarian governments still exist.


how is that advice? if you have x maybe you shouldnt have x lol


> That's the thought we should all have in our heads before we send any post, or send any text, or send any email, or send any photo, or etc etc etc.

I worked for a large company that had gotten into trouble in the past, with written records used as evidence. All new employees were trained not to write anything down that we would not want to see on the front page of the WSJ. It was stressed that even content on personal devices could be subpoenaed and entered into the public record if issues arose.


> at this point I think it's prudent to assume that pretty much anything you send out into the digital network world is public

So....what?

I can't do my banking online?

I can't send private correspondence?

I can't file my taxes electronically?

I can't pay my medical bills online?

(Actually all my medical information are put online my insurance co.; I'm pretty sure I can't do anything about that.)

I'm not saying you're wrong; I just don't see how that prudence as leads to any practical conclusions or advice.


It leads to a very practical conclusion: don't be surprised when you find out that some or all of the above data is known by third parties.


With a couple exceptions perhaps, like Signal or iMessage? But I agree; unless the service is part of a very small whitelist, assume it's public.


except even those messages can become public, if one party makes them so, so even "secure" messaging should be considered compromised.


So at that point, you are basically saying "assume all communications over any medium is public", because this would apply to every form of communication.


That and most users aren't auditing each new version of the apps to make sure they're still doing what they say they're doing to protect data.


Modern secure messaging systems are typically OTR and have deniability: after the session ends, anybody can forge messages to make it look like they came from you. Sure the messages can become public, but they're no more "proof" than someone saying "X said Y".


Deniability is not the same as privacy and can't be used to replace it.


The problem is the "digital world" is not a separate world but an integral part of every day world.

I know what you say is true,but I still would behave as if some aspects of my digital behavior is private. Otherwise I'd be allowing this lack of privacy to shape and mold who I am as a person.


I don't think this is a healthy assumption to make. Even if you are not embarrassed by the possibility that any message you send could end up on the New York Times, things like industrial espionage (aided in large part by state actors), corporate politics, or even operational security (e.g. identity theft) could grind your life to a halt. The threat space is too large, and it'd be an eventuality that your life will grind to a halt.

You shouldn't rely on a company to look out for you. You have to have laws and official, proven avenues of redress for assured privacy. For example, I trust the USPS Inspector General to protect the privacy of my mail. Somebody might tamper with it and succeed once or twice, but I'm not going to have a paradigm shift and think my mail will always be broken into.


no, its worse than that. everything you do [period] will be available to the public.

the reason the twitter story is news is because they were private tweets. yes on an "internet service" but do you think your operating system is your own anymore? microsoft uses MS accounts for default windows installs, onedrive is installed automatically, icloud backup, etc etc. this is still in the purview of the "digital" world but the privacy concern is indeed larger than the "internet" world.

beyond this we have the IoT. your google home devices (or if not yours, someone elses) recording everything you do when not even digitally engaged.

we had best be ready for it. i really hope it doesnt turn into self-censorship. i hope it turns into more open mindedness and acceptance (oh, my neighbour isn't perfect either??)



As for caution, I agree.

As for advocacy and laws I'd like to see a lot more assurance that ... that isn't the case.

I'm kinda going both ways with it.


> it's prudent to assume that pretty much anything you send out into the digital network world is public

Interestingly enough, this is how I used to justify piracy when I was young. Since digital data almost seems liquid, if an artist doesn't want their content spread, better not make it digital in the first place.


This brings to mind the popular Blind app where co-workers feel safe enough about their anonymity to put things online that they never would have otherwise. https://www.teamblind.com


> That's the thought we should all have in our heads before we send any post, or send any text, or send any email, or send any photo, or etc etc etc. We shouldn't rely on some company, that's using us to make money, to protect our privacy.

So don't, but that doesn't mean that everything can be attributed to you personally - even attributing something to a relatively dissociated username is difficult. At best you'll get an IP and that IP could belong to one or many people.

Anything you idiotically attribute to yourself (including private messages on your accounts) is attributable to you personally - assume all cloud services are fully compromised or extremely willing to misbehave.

Act accordingly. Never provide real information online, use shared IPs, VPNs, Tor in cases where repercussions could be significant. If you want privacy, don't expect it to be provided, take personal responsibility for it.


So how do I send an email or private message if I consider it public? I think your point is almost right just you need to make it more fuzzy(in the sense of using probabilities).


One good thing about this is that it encourages me to write charitably if I would otherwise speak of someone critically. I write and do anything as if it might end up in court as evidence basically. Could be tiresome but I’d like to think that it motivates me to be more positive or careful.


So in other words, stop holding business accountable for data leaks?


The result of this is the attitude that we shouldn’t even bother trying to make services and products more secure. Why send tweets over HTTPS? It’s all public anyway. Why should WhatsApp use end-to-end encryption given Facebook’s hostility to user privacy?


While the parent has a valid point, I agree with you in the sense that such an attitude doesn't effectively convey the intended message. I think it's unrealistic to expect the average non-technical user to understand the distinction between HTTPS and something being "private".

That said, I don't really know of a better way to phrase it; describing this sort of stuff to non-technical users is a bit of a minefield, so I can certainly relate to the solution of "just assume the worst and nothing can go wrong", because if followed, it's unarguably the safest thing to do.

It's a solution in the same sense as "teaching abstinence to teenagers to avoid unwanted pregnancies" is, which is to say that it's largely ineffective at solving the problem, despite being the most effective of all options.


If you go down this line it won't take long for various actors to assume that you're ok with them knowing everything you do offline too.

Either we protect privacy or we don't. There's no middle ground.


Totally agree.

But where does that leave us with “The Cloud”?


You can use the cloud with confidence...

for anything that you don't mind being publicly associated with you.


I don't mind that myself.

I mind my data being available to someone else when I marked as only for me.


Not just the cloud. Any internet connected system, whether in the cloud or on-premises, is vulnerable to intrusion, data breaches, etc.

The only system that would be somewhat trustworthy would be a totally air-gapped internal system. This used to be the norm, pre-internet. Few businesses really have this today.


Yes I worked for a totally airgapped defence contractor many years ago. It was very boring :)



It was an RF tight triple wall secure engineering facility with no windows and power filtering. Vehicles and people searched on entry and exit. They knew very well of these risks a long time ago. To give you an idea, the building was designed in the 1950s where they even had dampers on the water pipes coming on site due to the use of typewriters historically.



'The cloud' is really just a bunch of computers owned and operated by other people.


"The Cloud" is like storing your data with skywriting, you can see it from many locations, but so can your neighbors


A very poor analogy when encryption exists


Who said skywriting can't use encryption?


What skywriting uses encryption? How is that a useful metaphor for describing the downsides of "cloud storage"?


For the average cloud platform it is totally insufficient to protect you from a bad actor or stupid programmer at the provider.

Imagine if IAM had a major vulnerability suddenly...


All our base are belong to them.


What you say !!


Someone set us up the data breach


I'm working on an app with some social collaboration features:

https://getpolarized.io/

These security breaches are really screwing me over.

Our user base is really really pissed at Facebook, Twitter, etc. and the pendulum has swung the other direction. I think they're borderline paranoid about sharing their data.

I mean whether they are justified or not is one thing but I definitely do not personally have any nefarious goals.

This is going to have a very chilling effect for the cloud industry for years go come. People are just going to refuse to share data with newer social platforms and only share it with platforms when they HAVE to because they have pre-established network effects.


Looking at your comment history, you link to your website in almost every comment you write. Don't you think that's a bit excessive?


Even a service without nefarious goals can have a breach. The biggest companies that devote huge teams of people to preventing them still have them. Can happen to anyone.


Oh certainly ... I agree. I think the point I'm trying to make is that most of the things we're storing aren't classified docs.


This headline/article are pretty misleading. It makes the issue sound like if you had "Protect My Tweets" enabled, your tweets were still public.

From reading the original notice [https://help.twitter.com/en/protected-tweets-android] it sounds like the setting would just be disabled, which then made your tweets public. But not that Twitter's app would continue to say they were protected. That's a pretty significant difference (also by the fact that such a huge thing was not noticed for 6 years I'm guessing not many people were actually impacted)

Also just for fun, I'd wager how it happened is that the developer had some "default request object" that had "true" as the default setting for this and merged it with the updated property values ;) a classic


If you don't check your settings before each tweet, there's not much difference for between your settings being changed and your settings not working correctly.


Private tweets and profiles show a padlock next to the user's name... You don't have to go to any obscure menu to find out whether your tweets are public or not.


Shouldn't this involve lots of penalties? This has the potential to change/ruin lives drastically. A prudent consumer never trusts what the companies say nowadays. However, that shouldn't absolve the company of falsely claiming private product when it isn't so.


A prudent consumer would read the terms of service.


When the Terms of Service cannot be understood, that burden is too high.


The GDPR is proof that terms of service isn't exactly a flawless legal barrier. You can't state in a contract that "If you use our service we get to sell your personal life away" because illegalities and rights infringements cannot be inside a contract to begin with.


A prudent consumer also doesn't send 'live-destroying' messages on a public, hosted messaging platform, regardless of a private setting...

Note that this isn't even about DMs.


If companies can't be trusted to act carefully and responsibly with users' data, then I think that's a problem with the companies.


It's not 'users' data anymore once its on their servers.


Of course it is. This is the essence of the GDPR.


GDPR is nice on paper, I'd like to see it actually enforced as its been written. Seems like strong words and weak teeth so far. However, most companies are more concerned with hockey stick charts and are willing to ask for forgiveness later in terms of all things privacy related. I wish it weren't that way, but Ive yet to see that happen successfully.


Did you not see millions of emails sent out by companies about their new data policy? How then is GDPR not being enforced?


It is about false advertisement and breach of contract, though.


I know this is a common disclaimer but this sounds like victim blaming. It says "private" it should mean private and not quote unquote private.


It's absolutely victim blaming.

It's true that it's a reasonably good practice to assume that databases will be leaked. That doesn't mean that when a company loses control of private data that the company holds no blame.


I know someone with a common name who was first on gmail with that name. He gets a lot of emails that are meant for different people of the same name.

One of those others was accused in the Lloyds bank libor scandal, and the email came from the law firm they had hired.

Non-software people don’t have the faintest idea how computers work, and more than non-lawyers the law or non-economists money.


Most consumers aren't prudent.

Source: see warnings on any American packaging.


American package warnings just show you how litigious the society is. Road signs. Government agency seals in front of home movies. Cookie popups on websites.

All of it gets filtered out by your brain and loses effectiveness immediately.


I mean, I hope you don't filter out road signs..?

But sure. It was a half-joke, I guess it wasn't even half-funny.


I'm pretty sure that cookie popups are EU regulation though.


Penalties for... what? Did you pay for the product? You are using a free service. You get what you pay for...


Damages. Just because I didn't pay for a product doesn't mean that disqualifies me from restitution when they mishandle my data.


One has nothing to do with the other. If I run a roof repair service and give you a free job that doesn't mean you cannot sue me for damages when rain starts pouring into your living room.



So basically, the issue was that the settings screen in the Android app would toggle the "account is private" setting off when updating unrelated settings; however, the setting itself, if turned on, worked fine.


I've noticed a hole in a lot of people's thinking where even if they thing to write automated testing or QA testing to ensure that a given thing is available to a certain user or role, there is often not a lot of thought given to writing tests to enure that users or roles that should not have access to the data can't get it.

I'm not sure I've ever found a permission system without explicit testing that the denials work that didn't turn out to have gaping holes in what could actually be done. Generally, the code that hides the UI for what you're not supposed to be able to do works, since that's visible, but on something like the Web where the user also has fairly direct access to the message bus the application is using to communicate to the web server, that's not enough.


Testing a negative is much more difficult. Testing the positive is “can this user access this private data using this procedure”. Testing the negative is “can any use access any private data using any procedure”. That’s almost impossible to verify.


At this point it should probably be illegal to call something "private" when there is no guarantee of protections.


Seems to have been a bug where some settings were reset accidentally.

Of course this shouldn't happen, but I can see how something like this could easily slip through.


twitter uses the word "protected", only the article's author ever used the word "private".


Was it really a good faith effort to make them protected?


Yes, it was a bug that revealed them.


Great site and a great thort as well I really get amazed to read this. It’s really fine.For USA Assignment Help visit our site Casestudyhelp.com. https://casestudyhelp.com/usa/


Great site and a great topic as well I really get amazed to read this. It’s really good.For Assignment Help visit our site AllAssignmentHelp. https://www.allassignmenthelp.com/


Sometimes, I'm sad I quit using Twitter. There are some neat people sharing content there.

But the more time goes by, the less sad I get. Their tech stack is and always has been a bit of a garbage fire.


Name one startup that grew quickly and organically into a massive company which doesn't have a "garbage fire" tech stack.


WhatsApp.


erlang is amazing


Instagram


Specific to Twitter for Android (not web or iOS device clients)


Too much to ask for the headline to include the word "Android", since it was only Android tweets that were affected?


The very first words I wrote online sometime around 91 were visible for over 15 years.

I pretty much don't put anything online I cannot live with.


This is a good principle in general but you didn't exactly put those words up on a site that promised "privacy/protection" did you? That's the difference here.


Spot on. Let's just say I knew better. Seriously.

There was absolutely no way these companies were not going to exploit the crap out of both their position and data.

None.

How were they all built? As fast as possible, growth first, etc... I expect these kinds of things to boil down to risks and costs, ideally paid after the enterprise is big enough to deal.

And a whole lot of us know it too. How else was it all going to go?

I am a realist. There is no real privacy online. One can get close, but doing that is a lot of work, takes understanding, and is still a bit of a risk.

Long ago I realized it is better to just not put things I can't live with online.

Frankly, I won't do that electronically, unless it is very worth it.

Edit: It is all still pretty new. We are leaving the honeymoon time. Bad things will happen, so will more regulation, and that crank will get turned a few times.

My expectations are super low right now. That could change, but not yet.


It most likely only take a bool in a DB to make something public.


This is why whenever you build software, you basically should encrypt any and all data and you should be extremely careful when it comes to permission checks. Especially if you are a company or startup, there's no excuse for not burning through a few thousand dollars more here and there to build more secure software that doesn't result in privacy blow-ups like this.

I wonder if GDPR affects Twitter in this case and what % of their revenue can be taken as a penalty for treating users like shit.


We really need regulation here.


Which government regulation would have prevented this, exactly?


Perhaps a regulation that fined previous companies where this had happened $1000 per affected user


10 000 USD seems better IMHO


Why stop there. Why not $1,000,000,000 per user? ;)


I had the pleasure of interviewing the anonymous developer of the fastest organically growing decentralized p2p app notabug.io I feel its relevant to this conversation. Why are we not switching to decentralized content sharing platforms? :S

https://electronicsforu.com/resources/cool-stuff-misc/future... https://electronicsforu.com/resources/cool-stuff-misc/future...


The top post on notabug right now is "Tampermonkey script for auto-voting on notabug, lets level the playing field". The site has like 10 users and it's already destroyed by bots. Anarchy isn't a good approach to running a site if you want anything useful to come out of it.


The way I see it, it looks like the original internet, remember 4chan? the rise of bulletin boards? We can't all be complaining about the current services being exploitative or broken without being a part of a solution. I'm all ears to move away from decentralization if there is a better solution. Currently, there are none.


Not having a solution for a hard problem doesn't disqualify people from pointing to an obviously bad one and calling it out. This jank old.reddit.com fork is not the solution.


> Why are we not switching to decentralized content sharing platforms?

Because that site looks like a phishing site for reddit accounts. How is 100% cloning another site's design acceptable at all?


> How is 100% cloning another site's design acceptable at all?

1. The design is open source under a CPAL license which notabug abides by

https://github.com/reddit-archive/reddit/tree/753b17407e9a9d...

2. a goal of notabug is to support existing reddit stylesheets with minimal/no modifications; this requires dom compatibility and minimal CSS changes in the base design.

3. reddit is abandoning this formerly open source design in favor of their new design by default.


Geez! It's a design that all are familiar with, UX 101 and facebook does it all the time! No one 'cloned a site' the whole backend infrastructure is different. Did you read it at all?


Facebook doesn't copy and paste the css of competitors. That site did. I didn't read any of the interview, I just went to the site like most users would.


Also HN looks like a clone of reddit!


No, it is 100% a clone. HN is similar to reddit, that site is literally identical.


Would you like to work on the UX and make something new? They are open source, volunteer-driven and open to new contributors :) We all start somewhere!


"In the year 2015, 4 years before the global explosion of privacy-awareness dialogues"

Really, what's happened in the last 3 weeks?

"starting in the wake of facebook’s Cambridge analytical scandal"

That was November 2017




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: