Stop Saying, ‘We Take Your Privacy and Security Seriously’ (techcrunch.com)
242 points by samaysharma 25 days ago | 107 comments

Also stop saying "Before you go further..." we need to share your data with tens of corporations. /s

Note to non-EU users: Techcrunch is completely blocking the page with a popup asking me to share my location and behavioral data (for advertising purposes) with a probably very long list of companies (something called "Oath" family).

The logos shown are for Yahoo, Aol, Autoblog, Huffpost and Engadget.

Nah. I'll skip as always :D

The Oath websites and Medium are on my mental blacklists of sites I simply don’t bother with. The content isn’t good enough to care. It does mean I hit comment threads like this and can’t read the article. Oh well, I’m trying to reduce my internet time anyway.

Outline.com is great if you stumble upon some article you do want to read. Just put in the URL and it’ll strip away everything but the text and images. Here’s an example for the article for this thread: https://outline.com/RThZjn

There's a browser extension for it too. Outline has been super convenient when dealing with bloated news sites. Now I'm just thinking about how I'll get my browser to do this automatically for certain sites without having to click the outline button every time

Firefox has a built-in reader view that I like to use on particularly offensive websites.

Yes, I could do with a plugin to strip links to Medium articles.

Yeah, I was actually trying to find something like this too... maybe it's time I looked into how to write browser plugins myself, but I have too many other projects right now.

I have a HN filter userscript for this purpose:

If you filter most of the news websites, and other pointless crap, HN gets pretty technical again.

Thank you!

I've just tried it out, works great. I'm not using quite as strict a filter as you are, basically Oath sites, medium and known paywalled sites. I will add to it as I go :)

If I get these redirect popups (not just popups over the content, which I can remove with Nuke Anything [1] or use Firefox's distraction free mode), I either just don't visit the site if I don't care that much about its content, or I open a private browser window, accept whatever popups they present, read the article then close the window to purge all their tracking shit.

[1] https://addons.mozilla.org/en-GB/firefox/addon/nuke-anything...

I just clicked through the links of that banner and I landed on https://www.oath.com/de/my-data/#protectingdata anyways, I will not read the article because I am sure these dialogs are built in a way to gain "consent" by trickery.

The dialogs are really confusing.

1st popup page: Some text about Oath with big "OK" button and same size "Manage Options" link. By clicking OK you agree to everything.

2nd popup page when clicking "Manage Options" link: Some more text about Oath with big "OK" button and tiny "Manage Options" link next to a headline. I have no idea what happens when I click OK here. Is it the same as the "OK" button on the first page? I didn't manage anything here yet so I guess it could mean agree to everything again. On the other hand there are some settings you can change on the next screen (you don't know that at this point though), so maybe "OK" now means continue and use these settings? You have to trust that they are opt-in rather than opt-out, otherwise you need to check the settings.

3rd popup page when clicking "Manage Options" link: Some text about Oath partners with links within the text. The big button is called "Done" now but at this point it is not clear what exactly that means because there was nothing to manage yet. Clicking the link to show partners displays a list of 10 essential partners (Amazon, Google, ebay etc.) with links to 10 data privacy policies that you apparently automatically have to agree with. A bit hard to notice but there's another tab for IAB partner with 224 more partners. At least they aren't enabled by default.

I guess "Done" means use these options and it brings you back to the 2nd popup. I actually have no idea at which point I disagreed or disabled something, I just got trained to click a bunch of "OK" buttons with unclear meaning.

To give that dark pattern some context, Oath has recently been rebranded Verizon Media.

I went through the same process and I have no idea what I agreed to.

...and after landing on that page, you have to click through to the privacy Dashboard, where you can supposedly opt-out of individual partners.

I say "supposedly", because the first partner I clicked on led me to the "I'm not a robot" captcha.

After which I just closed the window. Guess I'll not read the article after all.

How on earth they expect this to fly under the GDPR, especially considering that "[t]hese partners may access your device to collect data for ad selection, delivery and measurement", is beyond me.

I did the captcha, and the page greeted me with "an error occurred". Next click led me back to the captcha step.

Just disable 1st-party scripts and 3rd-party scripts in the uBlock Origin popup for techcrunch.com and that modal should not appear anymore.


Or even better, don't visit techcrunch.com.

If you disable everything except CSS and Images, you get an infinitely nicer site.

It's the bottom right button </> to disable all JavaScript on a site. (it took me a while to find).

I have uMatrix set similarly.

I just realised I had been reading "Oath" as "OAuth" - not that I am aware of visiting the site but I wonder if they chose that name to get some additional credibility?

Probably not directly tied to its similarity to OAuth, but I'm sure the name Oath came from thousands of man hours of brand psychology assessment and audience testing. Oath is the stapled together corpses of the adtech of Verizon and AOL and was/is ridiculed for being a poor name choice, but branding decisions at corporations of that size go through so many committees and data points and marketing schlubs, who knows how it came out as Oath.

  Oath, noun - profane or obscene expression usually of surprise or anger.
It's an apt name, because it describes exactly what I say whenever I land on one of their sites.

Not only that, they also keep asking you on every repeat visit but click 'ok' once accidentally and they will file that forever and never present you with the option to withdraw your consent.

I skipped the article when I saw it was TechCrunch. Their new web site is absolutely atrocious. I can't believe this is what web developers get paid to do. Just awful.

Anyway, I'll just read the comments here and that'll be enough for me.

Yeah, they're about the worst I've encountered. Good luck finding any privacy controls, or opting out of anything. Clicking into the pages that claim to contain these just sends you down a warren of links, mostly taking you to the parent website where there's another warren of links.

I hope their practices come under fire from the EU before long.

Oath has one of the more nagging GDPR pop-ups. I like Slashdot, they at least give an opt-out option to access the content. On TC you are either opting-in or forbidden to access. And it's not like a technical necessity either. My company, ProcessOne, has a Wordpress blog that doesn't set any cookies or local storage. It uses Google Analytics and internal WP stats. But they are properly configured to not track, just measure.

> On TC you are either opting-in or forbidden to access.

And it remains to be seen whether that is legal.

I don't think there is any "remains to be seen" about it. It's illegal.

Tweakers.net had their lawyer take a look at it, and they claim it is legal. I'd love to see it on trial.

My take on it is it is BS and a cost/benefit analysis.

According to the GDPR, it is not legal. What remains to be seen is whether the EU will enforce or not.

Complaints can be brought through ankle-biters like https://noyb.eu/projects-2/

OAuth is the definition of dark pattern.

The way they set up their pop up is plain evil, trying to deceive the user. In the end, it is almost impossible to find the opt-out options, and you have to agree to share your data with the largest ad-networks anyway, otherwise you can not use the website. The privacy "dash board" doesn't even work without error.

Even if you are not in a country where you are presented with these pop-ups, the way this is handled should really make you think long and hard about the ethics of the companies behind oauth and techcrunch!

The company I founded helps companies increase transparency and controls for their end-users, make it more clear where your data is going and making it easier for you to actually make a decision on whether you want your data going to third parties


Yep. Frustratingly, the content pops in momentarily before the cookie popup system removes it all

Occasionally Safari’s reader mode can be used to show the content. I know other browsers now have a similar feature.

For those who don't know, Oath is Verizon.

Say it, when you do. Say: We take your Privacy and Security seriously that is why we won’t ever store a tracking cookie on your machine. If you still want to support us by different means, click here

Anybody who takes your privacy seriously won’t even have to ask for consent, because there is nothing to ask for

Tracking cookies provide incommensurable value to site owners for improving the quality of their web properties, which ultimately benefits users.

Examples abound: finding out where people are the most frustrated (high exit rates), what content drives the most interest (page views), what content is missing or inaccurate (high bounce rate and low visit duration for visitors coming from Google), how they are using the site (browsing patterns from page to page), etc. etc.

Preventing all forms of tracking will definitely result in lower quality websites across the board, so like with all things there has to be a middle-ground found.

While I understand the need for reliable and granular information on your users, it should technically be possible to get most of that without selling your users off to third party services whose practices you never checked for yourself.

Furthermore it should be possible to sell ad space without directly embedding potentially malicious stuff from foreign whose content might change on such a granular level even you as the site owner cannot verify what is served to your visitors.

It is possible to use webfonts without loading them from foreign servers.

It is possible to verify real users without training the AI models of monopolist webcompanies.

It is possible to link to your Facebook page without embedding a Facebook tracker in an icon.

It is possible to get comments without giving these to other parties.

These are all decisions you take when you decide whether you really value your users' privacy.

Of course sometimes you don’t have much of a choice, but I saw sites which decided against all points raised above, and list about 30 trackers that are enabled per default and still claim they value their users' privacy. So not only do you not value my privacy, but you also lie to me.

I avoid sites like these like the pest and will close that tab before reading anything.

> It is possible to verify real users without training the AI models of monopolist webcompanies.

Honest question: How?

I'm pretty sure that "verify real users" was about captchas. Solving that problem in general is probably impossible, I grant you that. However, reaching a good-enough solution for a particular site is often doable.

In increasing order of strictness and complexity:

- Use hidden/visible field shenanigans

- Ask questions your audience should be able to answer (chess-captchas, maths-questions, etc.)

- Require registration with e-mail validation

- Require registration with SMS validation

- Make that part of the site invitation-only

- Use some kind of trust-based system (e.g.: users can invite other users)

- Manually approve stuff

- Ask for ID scans and manually check them

- Combinations of the above

Unless you are a juicy enough target (not many sites are), just a few measures will get you to that good-enough point. Of course, implementing any of the above will be harder than slapping a recaptcha and calling it a day ;)

If you can think of it, someone can make a computer automate it.

Sure. On the other hand, I run a blog with a simple to answer question for multiple years now and I didn’t receive a single Spam comment that wasn’t of obvious human origin.

Once that stops working I can bump it up a notch.

"To prove you're human, read this source code and determine whether the program will halt" :)

They can, but unless you're a big and juicy target, they probably won't - because why bother?

I find it interesting that the proposed solution to "How do I not use a CAPTCHA?" is "Reinvent a CAPTCHA".

Although "Handle very private information instead" is an uncommon twist.

You misrepresented the problem. The problem was “How do I not use a CAPTCHA that grabs your user’s data and is a blackbox to you”.

There are multiple solutions to this:

- find a CAPTCHA solution you trust and host it yourself

- build your own

If you say you trust google, you should write: We value your security and privacy, but seriously we have no idea what parts of our page really do

Even ignoring the privacy issues, I'm not sure that it would lead to lower quality websites. Websites don't feel very high quality these days, especially the kinds of websites I know are probably doing the most tracking.

It might lead to lower-engagement websites, but that's a different thing. It might improve the quality of your website to stop trying to optimise my engagement with it.

> Tracking cookies provide incommensurable value to site owners for improving the quality of their web properties, which ultimately benefits users.

That can certainly be argued.

It can also be argued that websites optimizing for “engagement”, blindly, in a completely data-driven way, end up implementing tons of dark UX patterns.

And that’s certainly no benefit to the user.

Or you could, you know, ask.

I feel like people have some kind of allergic reaction to sitting down with people and actually getting a person's perspective. It's slow. It takes time. It costs money. But you know, UX professionals do this. In fact, product designers do this.

I think the model where we'll just watch everyone all the time and treat them like lab rats and that somehow the "data" is going to give us insights is a) creepy b) misleading and c) lazy.

Can you imagine if your toaster (company) watched your entire daily routine in order to "optimize" it? Fffuuu....

>I feel like people have some kind of allergic reaction to sitting down with people and actually getting a person's perspective. It's slow. It takes time. It costs money.

They may also tell you things that you don't want to hear: that your website doesn't have good content, your navigation sucks in the following ways, etc. This sort of feedback makes you look incompetent when you collate it and then send it in a report to a manager.

Easily solved:

- sketch out the new design

- add the UX interview report as supporting evidence to the design

- send the design (rather than the report) to the manager.

Total reversal of the situation. You have documented evidence of your proactive approach.

(edited for formatting)

Not all of us want to engage with every web page/app.

In fact I don't want to engage with most of them.

If google search takes me to the site and I find info that I need in 5 seconds, that's a good thing not a bad one.

You can get most of this by analyzing server logs with IP addresses. No cookies required. You might need some JavaScript tracking for more detailed analytics, but there is absolutely no need for external tracking by Google or the likes.

Examples for self-hosted analytics include GoAccess (server log analyzer) [0] or Matomo (JavaScript tracking, formerly Piwik), although I think it uses tracking cookies by default [1]

0: https://github.com/allinurl/goaccess

1: https://matomo.org

That's still tracking, though. There's no real difference between using a cookie or an IP address. In fact, a cookie may be preferable, because you can make it expire in a relatively short time, making it much harder to link your logs to the user.

Wait, exit points, page views, bounces… Can't you measure these just from the server's log? I don't think you need to track an individual's navigation pattern and store a cookie on their machine to crunch these stats.

An exit point or a bounce is inherently a property of an individual’s navigation pattern.

It is, but you can save just the fact that it happened, without the whole interaction history leading up to it, and without details of who was navigating.

As long as the cookie does not track the visitor across different sites?
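The log-only approach discussed in the comments above, as an added example that is not part of the thread: page views, exit pages and bounces are computed from access-log lines, visitors are grouped under a random per-run key that is thrown away, and only the aggregate counters are returned. The log lines, paths, the 30-minute session gap and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format: ip, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
SESSION_GAP = timedelta(minutes=30)   # assumption: a longer pause starts a new visit
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff2")

# Constructed sample input (documentation IP ranges, placeholder user agents).
SAMPLE_LOG = """
203.0.113.5 - - [12/Feb/2019:10:00:01 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "https://www.google.com/" "UA-A"
203.0.113.5 - - [12/Feb/2019:10:00:02 +0000] "GET /static/site.css HTTP/1.1" 200 812 "https://blog.example/blog/post-1" "UA-A"
203.0.113.5 - - [12/Feb/2019:10:02:30 +0000] "GET /pricing HTTP/1.1" 200 2048 "https://blog.example/blog/post-1" "UA-A"
198.51.100.7 - - [12/Feb/2019:10:05:00 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "UA-B"
198.51.100.7 - - [12/Feb/2019:11:30:00 +0000] "GET /pricing?ref=mail HTTP/1.1" 200 2048 "-" "UA-B"
192.0.2.9 - - [12/Feb/2019:10:06:00 +0000] "GET /missing HTTP/1.1" 404 0 "-" "UA-C"
"""


def split_sessions(hits):
    """Yield lists of paths, one list per visit, splitting on long pauses."""
    hits.sort()
    current, last = [], None
    for ts, path in hits:
        if last is not None and ts - last > SESSION_GAP:
            yield current
            current = []
        current.append(path)
        last = ts
    if current:
        yield current


def aggregate(log_text):
    """Return aggregate counters only; no IP, user agent or per-visitor path survives."""
    key = os.urandom(32)              # per-run key, never written anywhere
    by_visitor = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]      # drop query strings before counting
        if path.endswith(ASSET_EXT):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Keyed hash of ip+ua: lets hits be grouped in memory, cannot be reversed
        # or joined with another run once the key is gone.
        visitor = hmac.new(key, f'{m["ip"]}|{m["ua"]}'.encode(), hashlib.sha256).digest()
        by_visitor[visitor].append((ts, path))

    views, exits, bounces, sessions = Counter(), Counter(), Counter(), 0
    for hits in by_visitor.values():
        for paths in split_sessions(hits):
            sessions += 1
            views.update(paths)
            exits[paths[-1]] += 1          # last page of the visit
            if len(paths) == 1:
                bounces[paths[0]] += 1     # single-page visit
    return {"sessions": sessions, "views": dict(views),
            "exits": dict(exits), "bounces": dict(bounces)}


if __name__ == "__main__":
    for name, value in aggregate(SAMPLE_LOG).items():
        print(name, value)
```

The raw log still contains IP addresses, so how long it is retained after aggregation is a separate decision.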

I'm way more radical, I just look at what I'm making.

It's kinda like if someone were to survey their audience before a concert on what they should play, that wouldn't lead to better art. Have you ever seen a youtuber talk about how they would prefer to make videos about X, but the audience wants Y, so they're half-assing this other thing instead? Not only does this not lead to improvement, I think the major improvement would be to remove all things produced in such an extrinsically motivated way, and replace them with nothing.

> Your stuff will start to puff up. Your paragraphs will start to get rotund with all the things you could say if you really wanted, but you can only hint. That's bad. It's bad intellectually and I think it's bad morally. It means that you become.. your contract is no longer with your readers. What I try and do, and the reason I write in longhand and write in isolation, is to say "The only person I have a deal with is the person who might read this. And I'll give them my best, and I don't care what the editor thinks, the advertising department thinks, friends and colleagues think." You try and live, as it were, as if none of these people counted. "What's the best account I can give for customers of this." Most of Washington punditry is nothing of the kind, it's... private letters written to other pundits and appearing in public space.

-- Christopher Hitchens, https://www.youtube.com/watch?v=bsvq4PYdt40&t=35m46s

Say what you would say even if the whole world was against it. I don't live by that all the time either, but I'd rather fall short of that motto than live up to something easy and pointless.

Sure, when I see a page has a lot of hits, and I look at it and think I was being a bit lazy and people who search for that deserve better, I work on it some. If someone told me that the site doesn't work in a certain browser, I would try to fix it if easily possible, and so on. Just like an artist wouldn't say "I don't care, I only care about my music" when the venue they're playing at has no roads leading to it, and no electricity. But that goes without saying, for me that's like a painter making sure their canvas is okay.

This idea that I need to know much more, stuff like which path on the site most people are taking... no. I'm all for other people doing it, as long as privacy basics are respected, but the idea that everybody needs this to make something of quality, that I absolutely protest.

Show me one great thing that was produced that way, by someone or a group just following what people want (which is not the same as people working together as thinking individuals), just one? I can probably easily find you lots that were produced against the violent resistance of contemporaries, or even discovered as treasures of humanity posthumously.

Going just by what is the most popular, I would have ended up a Harry Potter fan rather than a Hannah Arendt fan. I would be watching SNL, instead of missing Bill Hicks. I would probably still care about movies and games instead of reading books and listening to music of the 20th century and realizing just how little value and depth what we currently accept as state of the art even has. I can't even imagine what a wasteland my mind would be if I had followed the masses rather than my instincts at every turn.

The biggest sites we know that currently optimize for people staying long on pages prove my point so much, I had to avoid that to even get any opportunity to rant. Google search results that get worse, or Youtube and Facebook which are infamous for promoting low-quality or outright toxic and deceptive things that increase engagement. Or Amazon with fake reviews, and so on. It's not working. Just like the idea of ranking comments by clicking buttons to improve the quality of discussions doesn't really work and is much more useful for abuse than use.

Last but not least, I'd rather see a website where I hate every aspect of it, but that was made by a real person with real thoughts in their head, than anything else. Play from your heart, not from your analytics package and what you think the numbers mean.

Beautiful sentiment. I'd love if more people applied some basic thought to their lives, instead of just wandering into the melting pot of dystopia. Not too long ago, people had the freedom to speak their minds without being crushed by the cookie-cutter opinions espoused by virtue signalers. I long for that, I long for when we relished intellectual stimulus, instead of just reaching for what's easy, and fits inside our comfort zone.

> Anyone who doesn't want to belong to the mass need only cease to go easy on themselves; let them follow their conscience, which cries out to them "Be yourself! You are none of those things that you now do, think, and desire." Every young soul hears this call night and day and trembles, for when it thinks of its true liberation, it has an inkling of the measure of happiness for which it is destined from eternity. As long as it is shackled by the chains of opinion and fear, nothing can help it attain this happiness. And how bleak and senseless this life can become without this liberation!

-- Friedrich Nietzsche

> Do not preach the straight and narrow way while going joyously upon the wide one. Preach the wide one, or do not preach at all; but do not fool yourself by saying you would like to help usher in a free society, but you cannot sacrifice an armchair for it. Say honestly, "I love arm-chairs better than free men, and pursue them because I choose; not because circumstances make me. I love hats, large, large hats, with many feathers and great bows; and I would rather have those hats than trouble myself about social dreams that will never be accomplished in my day. The world worships hats, and I wish to worship with them."

> But if you choose the liberty and pride and strength of the single soul, and the free fraternization of men, as the purpose which your life is to make manifest then do not sell it for tinsel. Think that your soul is strong and will hold its way; and slowly, through bitter struggle perhaps the strength will grow. And the foregoing of possessions for which others barter the last possibility of freedom will become easy.

> At the end of life you may close your eyes saying: "I have not been dominated by the Dominant Idea of my Age; I have chosen mine own allegiance, and served it. I have proved by a lifetime that there is that in man which saves him from the absolute tyranny of Circumstance, which in the end conquers and remoulds Circumstance, the immortal fire of Individual Will, which is the salvation of the Future."

-- Voltairine de Cleyre

I once read a story in our school text book, I wish I knew the author. It was about some new kind of prison without walls, but instead prisoners had an implant that gave them increasing shocks up to incapacitating them if they moved too far away from the prison. This one prisoner kept trying to escape, at one point getting so far that a truck driver brought him to a doctor, who then called the police IIRC, and at the end, the prison director was talking to the prisoner, asking why do you keep trying, you know it's absolutely impossible, why not just accept it? And the prisoner said, because when I accept it, you won. Right now, I win. We never read that story in class, but it impressed the fuck out of me. Life is short and fickle either way, might as well live it as me, right? And if everybody saved themselves, maybe the world would be saved, but even if the world goes to shit, I can still save myself. That is, only I can ruin myself. I can be shut up, but I can't be made to say "yes". I can't say that's good enough, but that's a good start.

> Finally, it is the act itself that matters. When instrumental reason is the sole guide to action, the acts it justifies are robbed of their inherent meanings and thus exist in an ethical vacuum. I recently heard an officer of a great university publicly defend an important policy decision he had made, one that many of the university's students and faculty opposed on moral grounds, with the words: "We could have taken a moral stand, but what good would that have done?" But the moral good of a moral act inheres in the act itself. That is why an act can itself ennoble or corrupt the person who performs it. The victory of instrumental reason in our time has brought about the virtual disappearance of this insight and thus perforce the delegitimation of the very idea of nobility.

-- Joseph Weizenbaum, "Computer Power and Human Reason: From Judgment To Calculation" (1976)

And while punk may be generally dead, as long as it still exists in China, nobody is allowed to give up! https://www.youtube.com/watch?v=Bk4EspwLpzc

Godspeed to you. Or as that one scroller text in an Amiga demo said: grab life by the balls, like a ninja!

This is slightly off topic and relatively minor, but man does it represent the piss poor state of Tech writers and their articles.

"I was curious how often this go-to one liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted it into machine-readable text.

About one-third of all 285 data breach notifications had some variation of the line."

Don't bother providing a link to either your data source or your code, the ability for someone to independently verify the validity of this claim and its results isn't important, we'll just "trust" you.

I don't know of any journalism source that would do better than what you just quoted. They explained their source and their methodology. If you think they are lying it's not extremely hard to prove it, but why are you assuming they are lying?

If they cared about informing the reader, they would link to the source, so that interested readers could explore the topic further. It's as simple as that.

It's not up to me as a reader to prove whether they are lying or not. As a writer you either have integrity and assume your audience is knowledgeable and skeptical of unverifiable claims or you can exploit the fact that they aren't. There is a clear line between good writing and not. I'm not assuming they're lying but they've given me no reason to trust that they aren't.

But let's be clear, they explained nothing and hand waved around what they did.

In an article that is indirectly about bugs in software, I want to be sure that the "simple" methodology doesn't have bugs. This is easily shown by the author by just providing the scripts and methods they used. Choosing not to is lazy.

Here's some simple questions that that "sourced" passage doesn't answer.

1. Where/how exactly did you get the info from the CA Attorney General?

I searched and found this https://oag.ca.gov/privacy/databreach/list which extends back to 2012. Did you just download and parse the PDFs because some have two notifications listed, some have one. Some could probably have more. Are they counted as one entity or multiple?

2. "Stitched them together" Well that can just mean anything. Considering that PDF Parsing is still seen to be painful to most (https://stackoverflow.com/questions/22675690/if-identifying-...) there are errors that can be introduced here.

3. How did you handle string repetitions in the same document? If I put "We take your privacy seriously" at the start and the end, is that n = 1 or n = 2?

4. Assuming that 285 (of 1559 line entries) of the ones you parsed are single line entries (That sometimes contain multiple breaches and notifications) the author stopped at the 20th of January 2018 for some reason.... Why then?

I could go on and yes these are pretty pedantic questions. None of which are designed to be accusatory or suggest anything untoward about the author and what they wrote.

But you know what, all of this is answerable if they post their source and their source code. I can take a look and get a better picture of the full-arsed or half-arsed effort that went in to this article. (Sometimes half-arsed is okay, sometimes it's not)

If a tech website can't "do better than what [I]sic just quoted", then I circle back to the initial statement.

"Man does it represent the piss poor state of Tech writers and their articles."

Why are you attempting to equate tech writers with journalistic integrity? TechCrunch is basically a blog.

Well, regular bloggers have higher standards than journalists because they actually link to their sources. News sites do their damnedest to avoid linking or even mentioning things by name if the article isn't explicitly trying to promote them.

When tech writers do that it's one thing, but this is unfortunately also the status quo among publicly funded researchers...

The ironies of reading articles about the pathologies of the 2019 digital economy are... well...

The publications where you might read about the problem are likely contributors to it.

From the EU, before you read about companies abusing your privacy you first go through their "consent" page, maliciously designed to prevent readers from preventing "the Oauth family" from giving whatever data they can get on you to advertisers.

Then you get to read the article:

"I’ve never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn’t even exist."

... TC's modus operandi & business model appears to be the same.

On many occasions I have read an article bemoaning fake news that was framed by "native ads," pretending to be articles, and promoting fake science (one weird trick), apocalypse cults and worse.

ublock origin reports 13 blocked requests on the very same page. This includes requests to facebook and google for tracking.

‘We Take Your Privacy and Security. Seriously.’

That statement has become my no. 1 cue to leave the site immediately, or rather the "We value your privacy".

Yeah, you value it so much that you sell it on because it is actually valuable.

I wonder what the tracking cookies show about bounce from those messages.. Probably not a lot but.

Edit: Oh I misread the OP.. We _take_ your privacy and security! laughs

A lot of companies are shooting themselves in their own foot by sharing critical data with a plethora of third-parties.

They put sensitive information like username, orderid in the URL which is then shared with all the third-parties on that page, simply because referrers are not sanitized.

This happens:

- Without user-consent

- More dangerously without the companies knowing it too.

On reporting, the companies do not want to fix these issues.

Shameless plug: You can find some of such cases, which I've been trying to highlight to the companies:

- https://medium.freecodecamp.org/how-airlines-dont-care-about...

- https://threatpost.com/def-con-2018-telltale-urls-leak-pii-t...

- https://cliqz.com/en/magazine/lufthansa-data-leak-what-a-sin...

- https://fosdem.org/2019/schedule/event/web_extensions_exposi...
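Added example, not part of the thread: a simplified model of which Referer value a browser sends to third-party resources under each Referrer-Policy value, used to flag sensitive query parameters that reach other hosts. The hostnames, the sample URL and the function names are constructed for illustration; `no-referrer-when-downgrade` was the long-standing browser default.

```javascript
// Simplified from the W3C Referrer Policy algorithm: "downgrade" is treated
// as https -> non-https only. All URLs below are constructed sample data.
function refererSent(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  // Browsers strip credentials and the fragment before sending a referrer.
  page.username = ''; page.password = ''; page.hash = '';
  const full = page.href;
  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === 'https:' && req.protocol !== 'https:';

  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// For each third-party request on the page, report which sensitive query
// parameters would arrive at that host inside the Referer header.
function findLeaks(pageUrl, thirdPartyUrls, policy, sensitiveParams) {
  const leaks = [];
  for (const target of thirdPartyUrls) {
    const referer = refererSent(pageUrl, target, policy);
    if (referer === null) continue;
    const sent = new URL(referer).searchParams;
    const exposed = sensitiveParams.filter((p) => sent.has(p));
    if (exposed.length > 0) leaks.push({ host: new URL(target).host, exposed });
  }
  return leaks;
}

const PAGE = 'https://shop.example/booking?orderid=A1B2C3&username=jdoe';
const THIRD_PARTIES = ['https://ads.example/pixel.gif', 'https://analytics.example/t.js'];
const SENSITIVE = ['orderid', 'username'];

for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin']) {
  console.log(policy, JSON.stringify(findLeaks(PAGE, THIRD_PARTIES, policy, SENSITIVE)));
}
```

The model only inspects query parameters; identifiers placed in the URL path leak the same way and are better kept out of URLs altogether.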

Ohh something related to my area! I work with security/data management and often I get to have access to client organizations for a variety of reasons; most of our clients are banks, pharmaceuticals and pension funds, among others.

"We take your privacy and security seriously" from some rando company doesn't even make me roll my eyes because of how desensitized I am to that whole concept. It's genuinely appalling how often banks have no clue of who has access to what data inside their organization: tons of people having accesses they shouldn't and nobody keeps track of it? Of course. Database copies stored in random hard drives sitting on tables? Why, naturally! Attestation processes? What's that? We're not talking about small entities either. These people would be years away from something not too hard like an iso27001 certification.

In short: all of our data is in an incredibly precarious situation and we're fucked forever. I don't get outraged at leaks nowadays, I just laugh at it.

edit: interestingly enough, in my experience pharmas care far more about data security than banks do (I assume that is because they have more shit to hide).

You enter a coffee shop. Before you can do anything, the owner takes a photo of you, and grabs your hand to take your finger print. He quickly writes down the date, time and what clothes you are wearing.

He gives you a smile as he starts his speech. "Before we continue, we at Coffee City want you to know we deeply value your privacy. We need your permission to store your information, improve your coffee experience, personalize your coffee suggestions and share it with our partners. Do you consent?"

You don't fucking value my privacy. I get some serious doublespeak vibes. If you valued my privacy you'd leave me the fuck alone and stop saving information about me.

IMO GDPR doesn't go far enough. Even these popups are wasting my valuable time and invade my privacy due to how easy it is to accidentally consent to some stupid bullshit while navigating the 20 windows needed to reject all consent.

We should outlaw even asking for consent to store personal information for any user that didn't log into your site. If I do not have an account with you, I'm not your user, we don't have an extended relationship and you have no business storing information about me.

But, see, this falls apart because at a coffee shop, you're actually buying something. Most services people use (FB, GMail, etc), are "free"[0].

[0] Your personal data is a currency, spend wisely.

The next time you stroll in he'll ask for your cellphone number. For security purposes. If you don't want to provide it now you'll have to tell him that you'll do so another time.

As you start drinking your coffee, a little shutter slides shut across the lid of your coffee cup.

It'll only open if you create an account, log in and agree to every sip you take being recorded and measured.

Sure, it's possible to prise the lid off manually or use a special shutter-blocker, but you often end up with a broken cup. And coffee shop owners call you a thief and find ways to thwart your blocker.

Any Black Mirror episode writers here?

>while navigating the 20 windows needed to reject all consent.

I think that actually is a violation of GDPR, not that it's any less common to encounter.

Troy Hunt wrote about this a few years ago, with the pithy headline '“We take security seriously”, otherwise known as “We didn’t take it seriously enough”'


I agree. The phrase "we take your privacy and security seriously" is an inherent oxymoron; meaning the opposite of what it says.

I really like, and have copied, Tesla's note to security researchers. https://www.tesla.com/about/security

I had to clean up one breach a few years ago. It was, gulp, a breach of HIPAA-covered health info. We wrote to our customers saying

"We're sorry. We unintentionally sent your blahblah sheet to the wrong hospital. We have spoken to the person at that hospital who received it and confirmed that they erased your information. Again, we apologize. If you have questions don't hesitate to call us at xxx-xxx-xxxx"

We could have blamed the third-party vendor who actually made the mistake. We could have spewed oxymorons. But this message was successful and true: nobody sued us and the govt didn't write us up.

The breach, admittedly, was only a few dozen records. It could have been much worse.

A lesson for tech people: when you have a breach DRAFT THE PUBLIC STATEMENT RIGHT AWAY so you can hand it to your executives and crisis PR people. That way your company has a chance of doing it right.

Or at least put a crying face emoji after saying it.

I must chime in on this subject.

To take a community college course, the online application form asks for pretty much every piece of your info: birthday, SSN, family income, ethnicity, future plan, current situation, home address, many personal preferences, phone, email, immigration status, marriage status, gender, education background, military background, job experience, you name it. Nearly all of them are mandatory. Anyone who can get hold of this record pretty much owns you.

Why do they need all this for just taking a course that I'm going to pay by credit card?

This is not uncommon in other areas. In the future we may need to provide our DNA code as an attachment? Talking about privacy protection is a joke these days.

About 7 years ago, I wanted to take some online classes with a community college to get a few credits I needed at another institution. I enrolled in classes, but then changed my mind and never paid the tuition.

I assumed, like most colleges, I would just be de-enrolled before the semester started. Instead, they kept me in and sold my info to a collection agency!

I never gave them my credit card number or checking account info, but they had my contact info and social security number. They hounded me for months and made all sorts of fancy threats. But luckily they never seemed to be able to add an entry on my credit report. I dropped it because I was hoping that it was just an oversight and didn't want to fight it, but maybe they wouldn't have been able to prove I purchased anything anyway.

I can't believe that if someone knows just your SSN only, they can put you on the hook for massive amounts of debt. I only gave them a temporary address not associated with me, and clicked through an EULA. I honestly assumed that I had not yet committed to going into debt, just by creating an account.

And this is a state-endowed community college.

Do these seem like reasonable terms? [1]

- By Registering for classes at SUNY Broome Community College, I acknowledge and agree to:
  - Pay promptly all charges owed to SUNY Broome Community
  - Take responsibility for all costs of collecting unpaid charges, including but not limited to collection agency fees, attorney fees, and court costs.
  - Permit SUNY Broome and/or its agents to contact me using any method available including but not limited to the use of email, text and automated dialer systems; also any information furnished to SUNY Broome Community College may be used to contact me including my cell phone number, home number or work number.
(Sorry, don't know how to format a bullet list with long lines)

As soon as you enroll in classes, you're on the hook for $4500 + fees? I could understand maybe not refunding certain fees, but I have never heard of a college that just advances you that much money immediately, and then tries collecting on it.

So some 17 year old could just sign up for classes, without ever confirming anything or giving any payment info, and they are instantly in debt for over $5000?

This was NOT a student loan I signed up for. No entry was made on NSLDS, and the government never got involved. And no pull was made on my credit report. As far as I can tell, they seemed to just be accepting anyone who enters a social security number to sign up for classes, and then selling it directly to a collection agency.

If I ever admitted to the collection agency that I was in debt, maybe that would have been enough for them to actually amend my credit report. It seemed strange that they were willing to talk to me for hours, but I think they were just trying to get enough info out of me and convince me to more explicitly admit that I owed them money.

I imagine that if someone knows your SSN and wanted to harass you, Broome Community College would be very useful for that.

So, yeah, there are some scammers out there you might not expect. And I can see how all of that extra info I gave them could have been used to collect on a very dubious "debt".

I also one time had a Blue Apron sales person at my campus give me a free month of service, with no credit card required. After the first month, this company called me and said they needed me to update my credit card info, but I never gave them a credit card.

After looking into it, it turned out that the salesman had given them a temporary credit card in my name so that he could get the referral fee. Luckily all I got was a free month of meals when he scammed the company. But the one-time email at my vanity domain that I gave the salesman started getting phishing emails. But I'm pretty sure the salesman had permission from the college to solicit to students.

[1]: https://web.archive.org/web/20190221153507/http://www2.sunyb...

LOL, not only does TechCrunch say that, but they also infest your session with tracking cookies.

Hard pass.

Reminds me of when people say "It's not a pyramid scheme, it's an honest multi level marketing career"

It's right up there with "your call is very important to us" and "best of luck in your future endeavors".

A question:

What is the privacy issue about, exactly? I see regular posts on HN about it. Is it about storing user data on my end, sharing the user data with third parties, or not getting user consent?

P.S. - Trying to understand the root cause because I work with a startup building SaaS and would like to avoid such mistakes.

All of these.

Do not store user data on your end unless you absolutely have to.

Do not give user data to third parties unless you absolutely have to.

Do not do anything without the user explicitly or implicitly consenting to it.

Example: You have to momentarily store the user's IP address in order to serve their request for a website. Remove the IP address as soon as you have served their request, because you don’t absolutely need it any more.

Example: You have to hand user data over to your ISP (and their ISP etc) in order to serve their request for a website. Do not hand this data over to Facebook, Google, your mum or anybody else, because you don’t absolutely need to.

Example: If someone is visiting your website, it is fair to assume implicit consent to the above two bits. However, if you provide a service where they can store data on your server (e.g. Dropbox), you should inform the user on how the data is stored so that they can sensibly consent to this (or not). So if you’re storing data unencrypted, inform the user that this is the case. If you’re storing data in your mum’s basement, inform the user that this is the case. If you’re storing data in some country with strange laws, inform the user that this is the case.

To make the product better, we require information about how the user interacts with it.

What about if we:

1. Save data anonymously. OR 2. If we have to save some data, we give them an option to access what we have saved. something like 'Data Settings'.

1) Ask the user if they consent. If they don’t, let them continue using the product and do not collect any data. Make both the "Yes, I consent" and the "No, I do not consent" buttons equally large.

2) If they do consent, consider every individual part of data you save. Do not save complete user sessions, instead, before doing anything, decide what you want to test, which information you require to do so and then save only this information. E.g. (using the example elsewhere) if you want to check how long people stay on individual pages, collect a signal on each page how long the user stayed on this page (and nothing else).

3) Anonymize the data as quickly as possible. For the example above, do not store data for each user how long they stayed on each page. Instead, have one counter per page which is incremented by the time the user stayed on the page (and the individual time subsequently immediately discarded). This way you can still figure out which pages are left early but you cannot tie this data to any individual user.

4) If you want to look at individual user sessions, pay people to use the website while you stand behind them (physically), do not collect data from random customers.
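Added example, not part of the thread: one way to implement points 1 to 3 above, folding each consented dwell-time signal into a per-page counter and discarding everything else. The event field names, the visit count kept alongside the counter, and the `minVisits` reporting threshold are assumptions made for this sketch.

```javascript
// Per-page dwell-time aggregation with no per-user storage.
// Event fields (consent, page, seconds, userId, ip) are assumed names.
function createDwellAggregator(maxSeconds = 3600) {
  const totals = new Map(); // page path -> { seconds, visits }

  function record(event) {
    // Point 1: without consent nothing is collected at all.
    if (event.consent !== true) return false;
    // Point 2: read only the two fields the measurement needs. The query
    // string is dropped because it may carry identifiers.
    const page = String(event.page).split('?')[0];
    const seconds = Number(event.seconds);
    if (!page.startsWith('/') || !Number.isFinite(seconds) || seconds < 0) return false;
    // Point 3: add to the shared counter; the individual value is not kept.
    const entry = totals.get(page) || { seconds: 0, visits: 0 };
    entry.seconds += Math.min(seconds, maxSeconds);
    entry.visits += 1;
    totals.set(page, entry);
    return true;
  }

  // Pages with fewer than minVisits are withheld, since a counter fed by
  // one visitor is that visitor's individual value.
  function report(minVisits = 1) {
    return [...totals]
      .filter(([, t]) => t.visits >= minVisits)
      .map(([page, t]) => ({ page, visits: t.visits, meanSeconds: t.seconds / t.visits }));
  }
  return { record, report };
}

// Constructed sample events; userId and ip arrive but are never stored.
const EVENTS = [
  { consent: true, page: '/pricing?ref=u1', seconds: 40, userId: 'u1', ip: '203.0.113.7' },
  { consent: true, page: '/pricing', seconds: 20, userId: 'u2', ip: '203.0.113.8' },
  { consent: false, page: '/pricing', seconds: 300, userId: 'u3', ip: '203.0.113.9' },
  { consent: true, page: '/signup', seconds: 5, userId: 'u1', ip: '203.0.113.7' },
];

function runSample(minVisits = 1) {
  const agg = createDwellAggregator();
  EVENTS.forEach((e) => agg.record(e));
  return agg.report(minVisits);
}

console.log(JSON.stringify(runSample(2)));
```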

3. Ask

Mostly it's because of what they (as in advertisers and platforms that display ads and take data) can do with that data once they have it. They can figure out if you're moving house, suddenly interested in a new hobby, pregnant, or emotionally unstable and thus more vulnerable to suggestion. Once they have statistically guessed at these possibilities, "advertisers" can target you through social media platforms and Google ads. They can try and nudge you at just the right moment, many people will be unaffected, but the advertiser hopes enough will be nudged into buying something, voting differently, or otherwise changing behaviour to get good bang for their buck.

Privacy is a question of agency. Who is in control of a person's intimate data? Who gets to determine which data is intimate? Who gets to determine which personal data is shared with whom? So far, the industry's response to these questions has always been an implicit "we, the masters". The current debate about online privacy is a (much overdue) challenge to those implicit assumptions.

So in principle, it is not about storing user-data nor is it about sharing that data. It is about determining who has the moral right to act on what data. And in order to have that debate on those moral rights, people need to know what happens with their online traces. As long as what really happens is shrouded in secrecy, legalese, or click-through patterns, there can be no meaningful debate.

"We take your privacy seriously" is the kind of language you'd expect from a company that doesn't want to make specific commitments. That company isn't putting any skin in the game with that claim; every company claims that.

Therefore I am not surprised and won't be holding my breath.

I just added security.txt to one of my sites. Great reminder!

Weasel words. "That's a great question! Mistakes were made, it's a really hard problem, but we're working on it."

Spent 10 minutes trying to prevent TC / Oath from using my personal data. 5 clicks and proving I'm not a robot before reaching a privacy dashboard. Except, to actually set my preferences to not track me I first need to agree to tracking! And if I don't allow 3rd party cookies to track me I cannot withdraw consent.

GDPR was meant to allow users to refuse consent without detriment, and not to force consent to use the service. Oath clearly violates GDPR, yet regulators have done nothing in 10 months.

Also stop saying "We understand players' concerns with [AAA greed mechanic here]"

I read that as "we know you're mad" which seems accurate to me.

It's similar to "don't be evil".
