At times I see people with visitor badges on lanyards designed to indicate their security clearance when visiting another department and which are absolutely not meant to be worn off-site.
It might seem pretty benign to the person wearing a green lanyard with a green badge bearing only the word "unescorted", but to those who know, it gives at the very least a security clearance level.
Coupled with their name and department on their usual badge, also being worn, against policy, visibly, in a public space, that information is not only careless but potentially dangerous.
At the very least. I could reproduce a close-enough badge that would likely fool everyone except the person who designed the original. I've done this twice successfully (failed once and almost got arrested) to fuck with my friend who runs opsec at mid-sized financial services companies.
One company he worked for had these stupid gates that you needed to scan your badge for (it gives you a green light), but there's no physical barrier. All you needed to do was pretend to scan a badge a couple times and say something like 'ugh stupid things' and the security guard just lets you on through.
Tell us the story
Employee badges often do have RFID, but some places just have you use a sign-in sheet if you're an employee and "forgot" yours (i.e., you don't have one), and sometimes security guards will just let you through if your badge is being "temperamental" (i.e., not working because it's fake).
Most corporate security is security theater (or only marginally useful after a crime) and rules are easily skirt-able because companies don't want to restrict employee access under zero-tolerance policies (which are difficult and time-consuming to enforce).
The company I mentioned previously that will just hand-wave you through a gate with no barriers actually goes as far as to fingerprint all their employees and contractors. They also won't hire anyone with even a misdemeanor in their criminal record.
Also note that all of this stuff is markedly easier if you're a woman (less likely to be stereotyped as a criminal) and/or if you wear a suit (depending on the office, a suit can often mean "don't confront me because I'm above your pay grade").
The sad reality is that a lot of these people don't understand, or don't care about the repercussions of openly disclosing this information.
Just today, I overheard someone discussing that they have a significant number of meetings scheduled with a senior member of government over the next few weeks, in a public space.
I don't know if this really happened.
After the Nth time of him being hypocritical and leaving his own machine unlocked when he went out of the room I made a scheduled event that popped up with "update complete, rebooting" and then restarted his machine, set to run randomly once a day between 9-5.
People rarely leave their machines unlocked anymore :)
They're not to be worn outside, and the employee policies state that.
You can argue all you want with your superiors about who it's on while you're being escorted from the building for gross misconduct.
(which it does link to.)
As far as privacy is concerned, what should I worry more about? A random stranger ID'ing me or my license plate being read all over town, and soon enough, my face being recognized. Because frankly I'm more worried about the state than a random stranger. And not even because I think I'll commit a crime, but more in the Brazil sense where the state makes a mistake and I somehow get associated with some other person's crime.
That's the dystopia I fear.
You know, my house isn't a fortress of security either, but I don't worry too much about it because mostly homes don't get burgled (at least in my neck of the woods) and should mine, well I have insurance. Similarly, most people aren't going around trying to ID the folks around them. (To what end anyway?)
Society only works because mostly people follow the rules and are basically good to each other most of the time. The golden rule applies here: would you want someone to ID you? No, then don't go around ID'ing other people.
I guess at the end of the day: don't be an idiot but you probably don't need to be paranoid about this either.
But that 'random stranger' could be working for the state, or your health insurance company, or just be a good old fashioned scammer.
I don't think I understand this.
A person says they don't need privacy because "they have nothing to hide". Then they are shown how easy it is to track / identify someone. Why should it affect their views on privacy? After all, they claim not to care about being tracked or identified in the first place.
Then you find out details about strangers, and you start judging them based on what you found out. (Oh, they don't exercise much -- they must be lazy).
Then it dawns on you: others will see the details of your boring life and will judge you and reach conclusions about you that are likely to be wrong. Because, guess what? They don't really know you. They are just using some datapoints they found on the Internet.
Because people often think one thing about abstract possibilities and then have their minds concentrated once presented with tangible examples that affect them.
Human error is still one of the most popular hacking techniques. By getting an e-mail address you can check haveibeenpwned to see if there were any leaks related to that e-mail address and there's already a lot that you have on a person that you don't actually know. Recently there was an increase in phishing schemes where hackers obtained the passwords of really old leaks (from myspace, armorgames etc. etc.) and sent letters to people with legit passwords trying to extort money. This was a hugely successful campaign. I'm not saying don't mention your name in public but for sure use a password manager and a VPN if you're on public wi-fi a lot. And don't shout your credit card number while buying coffee.
My other thought is that people's information must have value for it to be relevant to both good and bad people in the world. Google's data caches on geographical location, and how they used that data to target mobile ads, for example, has more value.
This begs the question. Do people need more protection from data caching apps or the common human?
In the US, social security numbers were not intended as a unique or unguessable ID, especially since they used to be (still are?) given in ranges to facilities for births/etc, so knowing their birthdate and where they were born let you drop a bunch of possible values.
An even better example of uncontrolled information value, to me, is phone numbers. We used to, with few exceptions, list publicly people's land phone numbers in regional books, unless they opted out.
Now, increasing numbers of people don't have land lines, we don't have a public cell phone number <-> name mapping (though it often leaks through other public information sources), and worst of all...since we've started using phone numbers as both an "in case of emergency contact here" for account lockout, and as a 2FA source (either SMS or actual calls), and these networks were not designed with robust security guarantees in mind, just knowing your phone number can be sufficient to forge a SIM card to hijack the number. 
But not giving out your phone number defeats the entire point of having it, and we have not yet convinced most institutions to stop using phone numbers as reliable contact endpoints, so what's to be done?
 - https://motherboard.vice.com/en_us/article/vbqax3/hackers-si...
I think most people would be uncomfortable that I can often find them simply with the first name + city pairing.
How would you feel if you broke off a conversation on Tinder and someone moved over to LinkedIn to harass you? That's a real world example that has happened to female friends of mine.
Even if you use a different phone number, email, and photo, just first name + city alone can be enough to find someone on LinkedIn if you know what they look like.
Social networks cause context collapse: we live in multiple spheres, but technology allows those streams to cross, and the result is often unpleasant.
While on a phone call, at a coffee shop?!
The professor, the NY Times, and NPR, are all fools if they believe this way too convenient series of events. Guaranteed if this "guy in a coffee shop" is even real, he has some connection to the student.
We both worked in an infosec related industry. He was a c-level exec of a direct competitor. I fully believe this story.