Hacker News
Googling Strangers: One Professor's Lesson on Privacy in Public Spaces (npr.org)
131 points by walterbell 8 days ago | 71 comments

As someone that pays attention to things around me, it is interesting the number of people whose name badges I see on display in coffee shops and cafes, indicating, usually, not only their name but also their department, and usually their "rank".

At times I see people with visitor badges on lanyards designed to indicate their security clearance when visiting another department and which are absolutely not meant to be worn off-site.

It might seem pretty benign to the person wearing a green lanyard with a green badge bearing only the word "unescorted", but to those who know, it gives at the very least a security clearance level.

Coupled with their name and department on their usual badge, also being worn, against policy, visibly, in a public space, that information is not only careless but potentially dangerous.

>it gives at the very least a security clearance level.

At the very least. I could reproduce a close-enough badge that would likely fool everyone except the person who designed the original. I've done this twice successfully (failed once and almost got arrested) to fuck with my friend who runs opsec at mid-sized financial services companies.

One company he worked for had these stupid gates that you needed to scan your badge for (it gives you a green light), but there's no physical barrier. All you needed to do was pretend to scan a badge a couple times and say something like 'ugh stupid things' and the security guard just lets you on through.

> failed once and almost got arrested

Tell us the story

Not much of a story, I was being a fool and trying to go places I wasn't allowed and someone happened to be paying attention. Fortunately my friend working in security told them it was a planned test (it wasn't planned, but he knows I do this to him from time to time).

I thought everyone moved to some kind of RFID cards already.

Yes and no, visitor badges often don't use RFID. You can get most places if you have a visitor badge and know someone's name (which are all available on LinkedIn). If you get stopped with a badge you can just say "Oh I'm here with so-and-so in X Department" and usually no one follows through beyond that. Saying you're there for an interview will often drop someone's guard too.

Employee badges often do have RFID, but some places just have you use a sign-in sheet if you're an employee and "forgot" yours (i.e., you don't have one), and sometimes security guards will just let you through if your badge is being "temperamental" (i.e., not working because it's fake).

Most corporate security is security theater (or only marginally useful after a crime) and rules are easily skirt-able because companies don't want to restrict employee access under zero-tolerance policies (which are difficult and time-consuming to enforce).

The company I mentioned previously that will just hand-wave you through a gate with no barriers actually goes as far as to fingerprint all their employees and contractors. They also won't hire anyone with even a misdemeanor in their criminal record.

Also note that all of this stuff is markedly easier if you're a woman (less likely to be stereotyped as a criminal) and/or if you wear a suit (depending on the office, a suit can often mean "don't confront me because I'm above your pay grade").

Out of habit, I put my badge into my pocket when I am outside of the office.

For many, it is policy to do so, and yet, I see people in management positions flagrantly disregarding this.

The sad reality is that a lot of these people don't understand, or don't care about the repercussions of openly disclosing this information.

Just today, I overheard someone discussing that they have a significant number of meetings scheduled with a senior member of government over the next few weeks, in a public space.

Disregard for such things is a great way to show off power and remind more junior employees of their place. Of course, you might rat them out, but then again that could undermine your own prospects.

Nothing is visible, no PII, no nothing is visible when my wallet is open. I mean nothing. No barcodes, no bank names, no numbers, etc. Security cameras in retail can pick up very fine details.

What's a representative camera (e.g. resolution, model number) that is used in retail?

Most of the cameras I've seen in new retail premises in the last few years are HikVision IP cameras, somewhere between 1080P and 5MP (2592 x 1944). YMMV though, and obviously you've got settings and NVR settings when considering quality of footage (and distance, lens etc.)

You live in a scary world.

So do you

Motorola (of old, in the 90s) used to have a policy of asking employees to remove name badges when going out for lunches and etc. It was a game between the team manager and the employees as to who admonished the other first when going out for team lunches.

My former employer had a game where if someone left their computer desktop unlocked, you could add their name to a wall of shame web page. Then management decided that was bad for morale so they took down the web page, and people stopped locking their desktops.

We had a version of this at college where if you left a computer logged in (this was the days before everyone had their own device) then you would send an email to the dean of the school making some or other outrageous request and cc'ing the whole school year mailing list. They were pretty funny!

Another workplace had a similar scheme: an unlocked machine was an invitation for the person's neighbors to send email on the person's behalf. It was all fun and games for a while (fake product announcements, silly questions posed on the internal mailing alias, fake resignation notices) until someone got really upset when it happened to them and then it sort of died down.

We do this at my office, but without email, if someone leaves their computer unlocked, we're allowed to give them a gentle reminder not to do it in the form of a new desktop wallpaper or reversing their mouse keys and/or scroll direction.

It supposedly was the tradition at Intel, on finding an unlocked desktop, to fire up Outlook and send a message just reading "I love you" to the person's manager.

I don't know if this really happened.

Boss at my old company was hot on making people lock their machines. Used to leave notepad windows open saying "lock it" or similar, even when we had just gone to the other side of the room and could see him doing it.

After the Nth time of him being hypocritical and leaving his own machine unlocked when he went out of the room I made a scheduled event that popped up with "update complete, rebooting" and then restarted his machine, set to run randomly once a day between 9-5.

We did this, but to all of IT professing their love for all to see.

At my current company, it's an email to the team promising to bring in donuts or pastries Friday morning.

People rarely leave their machines unlocked anymore :)

Leaving your computer unlocked is a great way to discover you'd sent an email offering to buy lunch for everyone in the department.

I see you Google ;)

We do this in my office, but usually we send emails promising m&ms or croissants, it's pretty effective.

So? Dangerous how? Why is this against policy? I guess in my mind if someone is targeting a company, employees not wearing badges in public doesn't raise the security bar much if at all for an attacker. Meanwhile, the badge is of no value to a random criminal not targeting the company.

The badge is of enormous value to a random criminal who doesn't care which company office he steals a few laptops etc from. Even without an attempt to steal/imitate the badge, it gives you an entry point for social engineering.

Can't most of that information be found on LinkedIn?

Some of it, yes, but it shouldn't, you're not supposed to disclose above average security clearances, period, which is what the green badge indicates.

If above average security clearance is disclosed immediately by someone seeing my badge then that's on the company, not the person with the badge.

The badge exists to identify you and your access privileges, its purpose is to be on display, and clearly indicate these things.

They're not to be worn outside, and the employee policies state that.

You can argue all you want with your superiors about who it's on while you're being escorted from the building for gross misconduct.

You really shouldn't... Only on your resume and don't just give that out to whomever expresses interest; make sure they're legitimate.

If you can get the name, yes.

That's a fault of the badge system then. You can't fix human and human is to wear the badge with some colors that BigCorp gave me and get lunch.

This article is re-reporting of:


(which it does link to.)

As far as privacy is concerned, what should I worry more about? A random stranger ID'ing me or my license plate being read all over town, and soon enough, my face being recognized. Because frankly I'm more worried about the state than a random stranger. And not even because I think I'll commit a crime, but more in the Brazil sense where the state makes a mistake and I somehow get associated with some other person's crime.

That's the dystopia I fear.

You know, my house isn't a fortress of security either, but I don't worry too much about it because mostly homes don't get burgled (at least in my neck of the woods) and should mine, well I have insurance. Similarly, most people aren't going around trying to ID the folks around them. (To what end anyway?)

Society only works because mostly people follow the rules and are basically good to each other most of the time. The golden rule applies here: would you want someone to ID you? No, then don't go around ID'ing other people.

I guess at the end of the day: don't be an idiot but you probably don't need to be paranoid about this either.

> Because frankly I'm more worried about the state than a random stranger.

But that 'random stranger' could be working for the state, or your health insurance company, or just be a good old fashioned scammer.

I still liked that Russian app that looked up people's social media accounts from their photo. https://en.wikipedia.org/wiki/FindFace. I'm sure it won't be long before that is just normal.

I took a look at their sales page and one of the examples given is about automatically building profiles of people in a casino and monitoring their emotions/habits as they win/lose/buy drinks.

Lol you can imagine the computer saying "that guy looks like he needs another drink"

It's more likely that the computer is saying "This guy has a history of spending a lot once he's drunk."

Combine that with the Chinese social credit system and the implications are pretty bleak.

Eh, or just with Western systems. Presumably when you contact a company through Twitter they already prioritise based on the amount of followers you have - if they do this in real-life interactions as well, I'm not too excited about it either.

They mention students identifying strangers based on just a few details, but not whether they verified the correctness of that identification. It's easy to think that you successfully doxxed a person, only to later find out e.g. that you misspelled their name and all the info you found was actually about someone else.

I guess finding a photograph of them, which is quite likely these days, is confirmation enough.

I think the object of the exercise was more to explore the possibilities.

If you're the kind of person who doxxes others, are you going to care if you clobber the wrong person occasionally?

A few years ago, one of my sons’ soccer team finished in the second to last spot and so they were relegated to a lower tier. I knew that the team above was “cheating” by playing too many players from out of their district. Our Club President said “prove” it to me and I’ll do something about it. Well, it’s amazing how much public information is out there such as where the boys attend school, phone numbers they tell people on unprotected Twitter and Facebook accounts, etc. I felt dirty knowing all this information about young adults. In the end, even though we had the proof, we didn’t do anything about it.

> Some of the most outspoken skeptics of privacy protections in her class — the ones who once suggested that they didn't need privacy because they had nothing to hide — were stunned at how quickly they'd found out details of the lives of strangers who happened to cross their paths.

I don't think I understand this.

A person says they don't need privacy because "they have nothing to hide". Then they are shown how easy it is to track / identify someone. Why should it affect their views on privacy? After all, they claim not to care about being tracked or identified in the first place.

Let's say you think you have nothing to hide, your life is boring.

Then you find out details about strangers, and you start judging them based on what you found out. (Oh, they don't exercise much -- they must be lazy).

Then it dawns on you: others will see the details of your boring life and will judge you and reach conclusions about you that are likely to be wrong. Because, guess what? They don't really know you. They are just using some datapoints they found on the Internet.

And then you stop judging people so much?

I'd love to see that but I don't have my hopes high :)

Ah yeah, this makes sense - thanks!

> Why should it affect their views on privacy?

Because people often think one thing about abstract possibilities and then have their minds concentrated once presented with tangible examples that affect them.

Social hacking is alive and well. During my studies in computer engineering we had lectures on cybersecurity and the person used the following example


Human error is still one of the most popular hacking techniques. By getting an e-mail address you can check haveibeenpwned to see if there were any leaks related to that e-mail address and there's already a lot that you have on a person that you don't actually know. Recently there was an increase in phishing schemes where hackers obtained the passwords of really old leaks (from myspace, armorgames etc. etc.) and sent letters to people with legit passwords trying to extort money. This was a hugely successful campaign. I'm not saying don't mention your name in public but for sure use a password manager and a VPN if you're on public wi-fi a lot. And don't shout your credit card number while buying coffee.

From a tech standpoint there is not a lot of new information in this article.

My other thought is that people's information must have value for it to be relevant to both good and bad people in the world. Google's data caches on geographical location and how they used that data to target mobile ads, for example, have more value.

This begs the question. Do people need more protection from data caching apps or the common human?

As the world has grown more interconnected, the actual value of people's identifying information has sharply risen (as has the availability of it), but we haven't figured out how to adjust our expectations for it. We still use a bunch of bits of fairly small data as high-value sources of information.

In the US, social security numbers were not intended as a unique or unguessable ID, especially since they used to be (still are?) given in ranges to facilities for births/etc, so knowing their birthdate and where they were born let you drop a bunch of possible values.

An even better example of uncontrolled information value, to me, is phone numbers. We used to, with few exceptions, list publicly people's land phone numbers in regional books, unless they opted out.

Now, increasing numbers of people don't have land lines, we don't have a public cell phone number <-> name mapping (though it often leaks through other public information sources), and worst of all...since we've started using phone numbers as both an "in case of emergency contact here" for account lockout, and as a 2FA source (either SMS or actual calls), and these networks were not designed with robust security guarantees in mind, just knowing your phone number can be sufficient to forge a SIM card to hijack the number. [1]

But not giving out your phone number defeats the entire point of having it, and we have not yet convinced most institutions to stop using phone numbers as reliable contact endpoints, so what's to be done?

[1] - https://motherboard.vice.com/en_us/article/vbqax3/hackers-si...

SSNs are no longer keyed to geographic assignment. Only changed a decade ago though.

This article reveals that the information is finally filtering beyond the tech standpoint, reaching the lives and common knowledge of non-experts.

Thanks to LinkedIn it’s shockingly easy to find people like this. I once searched for someone in 5 seconds because they had a uniquely identifying T-shirt.

Isn’t that the point of LinkedIn? To be found? If you have someone’s name... used to be you could find out where they lived and their phone number, in a book that a private company sent to everyone’s house.

If you have someone's first and last name, yes, LinkedIn is intended to make them findable.

I think most people would be uncomfortable that I can often find them simply with the first name + city pairing.

Why would they be uncomfortable having their LinkedIn found by any method? Forgive me for sounding obtuse, but I just don’t know what the point of having a LinkedIn would be otherwise. It’s essentially a placeholder that says, “I exist and am employed in such and such industry and at so and so company.” It consists of information I would voluntarily give anyone who asked, sitting next to me on an airplane, standing in line for coffee... What malicious deeds should I be worried about being done based on someone finding my information on LinkedIn?

>Why would they be uncomfortable having their LinkedIn found by any method?


How would you feel if you broke off a conversation on Tinder and someone moved over to LinkedIn to harass you? That's a real world example that has happened to female friends of mine.

Even if you use a different phone number, email, and photo, just first name + city alone can be enough to find someone on LinkedIn if you know what they look like.

Social networks cause context collapse: we live in multiple spheres, but technology allows those streams to cross, and the result is often unpleasant.

I get that other people have risk factors that I don’t. Are these risks not mitigated by the privacy settings on LinkedIn? Full disclosure: I checked my privacy settings on LinkedIn and disabled some features I no longer value. Thanks for reminding me.

Correct. That's why I recommend people set the widest possible city and field pairing as possible.

Sorry, I don't believe this for one second. You mean to tell me that this person was given an assignment to "de-anonymize" someone in public, and then coincidentally runs into someone at a coffee shop who very loudly provides: 1. Name 2. Address 3. CC Number 4. PWD's to accounts

While on a phone call, at a coffee shop?!

The professor, the NY Times, and NPR, are all fools if they believe this way too convenient series of events. Guaranteed if this "guy in a coffee shop" is even real, he has some connection to the student.

I sat behind someone in business class on the Eurostar who was a C-level exec at another company. He was on the phone with a client and reassuring them that they took data security seriously, used VPNs and safes and FDE etc. He left his laptop unlocked when he went to the toilet, with (what looked like, I didn't snoop) a fairly confidential spreadsheet open.

We both worked in an infosec related industry. He was a c-level exec of a direct competitor. I fully believe this story.

In my country I see quite often that people throw away documents which have their personal number (analogue to SSN), their name and address on it. Mostly people don't even bother tearing these documents into pieces. Using this data I could do anything I want with their lives - order stuff in their names, arrange/cancel appointments with officials, register/deregister their cars, phone subscriptions, even deregister them from their addresses.

I hear this sort of thing so often, the probability of it happening once during spring break (which I presume is several weeks) would be pretty high, if it were me.
