I honestly fear that entire lives will be ruined by AI systems mis-analyzing some data and locking people out from education, work, credit and health opportunities. For some reason that will be mostly inexplicable, even to the engineers who trained the ML system, people will get denied or flagged for spurious reasons.
As we automate everything this is inevitable. We're actively creating digital gatekeepers. 99% of the time you won't even realize it has happened to you, nor will you have any recourse. It will be as innocent as an application you don't get a response from, or a simple generic "sorry" email. Then the brick wall of literally no customer service, or automated customer service that refuses to escalate you to a human tier. Then maybe, if you are lucky, a clueless customer service rep who compassionately explains there is nothing they can do and wishes you the best with your continued search. Fair enough: their TOS likely allows them to deny service to anyone for any reason. Why would they waste the effort to figure out why their multi-million dollar system targeted you as an edge case? It works for 98% of cases, which is probably good enough for them.
Brazil is a fictionalization that imagines an extreme case, and the events of the movie get quite dark. The reality will be more mundane but IMO just as insidious. In the not very distant future AI will be choosing who gets to be healthy and who gets to be rich.
College admissions? Resume screens? Mortgage applications?
We already have that at scale. There wouldn't be so much money in gaming those things if the AI wasn't doing such a poor job. You likely just happen to be someone that isn't on the wrong side of it.
This isn't true at all. When the process works well, those who it excludes often attempt to spend money to subvert it. There's no reason that interfering with the process should only happen when it's working poorly.
A simple example is the recent college admissions scandal. You often hear this scandal demonstrates that college admissions are just a way to let in rich people, but actually it demonstrates the opposite -- that the normal admissions process had (presumably correctly?) kept these people out and so they had to pay to subvert it.
Of course, you're not claiming that these things are just ways of separating the rich from the rest; just that they're messed up in some way or another. Which, if not very specific, seems broadly accurate. But the following claim isn't -- people on the losing end of a judgment are going to do their best to subvert that judgment whether it's correct or not, so one cannot infer much of anything about the judgment's correctness based on whether there's then an attempt at subverting it.
Garbage in, garbage out.
If your physical bureaucratic entity delegates decision making to an AI, you have no hope of redress unless due process was mandated.
If you cut the bureaucratic middleman then you have to build an AI that can question itself and correct errors.
AI will never do that. So what you get instead is negligence, because a computer makes a mathematical computation and the human element treats it as infallible.
I do not mean this to be about finite resources and our planet. I am referring to the way that organizations require more layers of bureaucracy as they grow. A rule of thumb is for every 10x in people, you have another layer of management. So what will this extra layer of management be for people, not just from a government perspective but also a capitalistic corporation perspective? How do Google, Facebook, Apple, Stripe, Amazon, and all of those other companies handle so many customers? How much do they use automation, how many of their rules are archaic, how hard is it to challenge the system if you think there was an error?
I am not convinced AI can solve many of the fundamental problems humanity is facing - and I think overpopulation might actually be the problem. Modern capitalism has conditioned us to believe "growth is good", but growth for the sake of growth is no different from cancer.
As an example, I had to drop out of education (in the US) due to mental health issues. 6-7 years later, I'm still having problems getting back in, as I wasn't able to get the problems documented in time. I'm also unable to get any funding, unlike most of my classmates, despite my far-above-average performance pre-uni.
Which is why it's important to ask the question "should we" instead of just "can we".
Even more important is not dividing people into groups that we treat differently. Everyone should have the same education, work, credit and health opportunities. If we can free ourselves from the desire to segregate and separate people in the name of progress, whether or not an "AI" guesses wrong about you is irrelevant.
It comes down to ego... people have to accept that no one can predict someone's potential or value to the world with enough certainty to make restricting people's opportunities worth it.
Algorithms can be bad as well, but at least you can look into them to understand the reasons.
And that's just basic algorithms and regular human-written code.
Then you've got ML systems which are a whole 'nother level of inscrutable.
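To make the contrast concrete, here's a toy sketch (entirely hypothetical rules, not any real lender's criteria): a hand-written decision procedure can return the exact rule that fired, which is what makes it auditable in a way a trained model's score usually isn't.

```python
# Toy illustration of "you can look into them to understand the reasons".
# The thresholds below are made up for the example.

def rule_based_decision(income, debt, missed_payments):
    """Return (approved, reason) so every outcome carries an explanation."""
    if missed_payments > 2:
        return False, "more than 2 missed payments"
    if debt > 0.5 * income:
        return False, "debt exceeds 50% of income"
    return True, "all rules passed"

def opaque_model_score(features):
    # Stand-in for an ML model: imagine thousands of learned weights here.
    # The output is just a number, with no attached reason to appeal.
    return 0.37

approved, reason = rule_based_decision(income=40_000, debt=30_000, missed_payments=0)
print(approved, reason)  # False debt exceeds 50% of income
```

The point isn't that rules are always better, just that a denial from the first function can be contested on its stated reason, while a denial from the second can only be contested by re-litigating the whole model.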
At this point, technology has enabled this sort of behavior at mass scale, now revealing far more personal and useful information about individuals.
A feasible model to work from may be to look at the healthcare industry and HIPAA requirements/liabilities and adapt as needed. Certainly not perfect, but it's a good starting point for widespread data laws.
The question is, will our representatives actually give teeth to real data protection legislation (not a facade enacted in name only) in the US, or are they so deeply in bed with industry that they'll protect business interests over real people who suffer real, direct damages?
For software, it feels like we're only at the beginning of understanding the dangers and consequences of the software, business models, and technology our industry has created. Unfortunately, if it follows the same path as other engineering disciplines, we likely will experience decades or centuries of bloodshed before it is regulated appropriately.
Methinks you're projecting more than a little bit. Also your comment is some of the most toxic I've seen on HN in a little while, and I'm not exactly a ray of sunshine on here...
Definitely getting a flag from me, and I think that might be a first.
There is a difference between "This specific regulation fails to take X into account" or even "This is a complex issue which requires carefully crafted regulation" and your stance which seems to be that regulation is impossible or undesirable due to the complexity of the issue or because it might be annoying to change later. That very much suggests your problem is with regulation itself.
Just out of curiosity, if you think regulating this is a bad idea, what do you propose to fix the problem? Appealing to the good will of companies who would gladly exploit us to make money?
I acknowledge that you may have just worded things poorly, or intended your words to mean something else, which is why I prefaced my question with "If".
If you actually do think the US government should regulate this, how should that be done given your concerns of their inability to understand the issue and taking into account the fact that any mistakes they make will take effort to correct once it's been put into law?
To try and contribute to this conversation a small amount, it makes the most sense to me to establish a Professional Engineer like system for the software industry. I don't know all of the details about how these systems work, but a friend of mine is a structural engineer and as he's described it to me it creates a personal ethical obligation that currently feels entirely absent from the software industry.
This ties the regulation to the industry, lets the experts decide what is and isn't okay, while also involving personal ethics and keeping individuals accountable for their decisions.
Keep getting called by a spam bot? A licensed engineer can be tied to that system, and can be punished.
A self-driving car had a bug that meant it couldn't tell the difference between a plastic bag and a child, forcing the vehicle into a concrete barrier? Someone stamped that code, and is now accountable.
Is a company using your tracking data to raise your medical bills based on your online food order history? That company's engineers are liable, you can sue them personally.
Again, not sure of the details about how this works in the construction industry, but when you put professionals at personal risk, they tend to care more about the outcomes, and it doesn't end up forcing the US government (specifically legislators) to understand all the details.
I wouldn't mind seeing that kind of system applied to some software companies. I'm not sure that fully solves the problem, but I really do like the idea of having someone willing to be held accountable for problems.
I think one issue with this would be that companies who keep their activity opaque enough are highly unlikely to be caught by users. A major data leak or a hacked system might be detectable, but a backroom deal to share data with a medical or insurance company would likely go undetected without a whistleblower to expose what was happening. If a bridge collapses, or a fire starts, or a floor sinks, it's a little easier to see when building/fire codes weren't followed.
I think a system like this would be best used when some rules are already in place for what a company can and cannot do. Then a company's certified security/privacy person would be responsible for making sure everything was done in full compliance with whatever guidelines were established. This would probably be needed anyway if you tried to sue the company's engineers later. If nothing they do with your data is actually illegal those lawsuits won't get very far.
I do agree that compliance checking and having that level of accountability could help developers rein in marketing teams, greedy shareholders, and stupid managers who put pressure on them to add tracking and anti-consumer code to their products.
I do worry about what it would mean for small startups, volunteer/personal projects, and single developers. It might be a more secure world if anyone who wants to write an app can't just slap a boilerplate notice that they aren't responsible for anything if you choose to use it, but my guess is that there might also be a lot fewer apps.
My point is that if someone has to do it, I would A) want the industry to police itself (let me finish) and B) would want individuals to be unable to hide behind corporations, to the extent that is reasonably possible. These together could, I believe, make more of a dent in the problems in the software industry today than any one specific topic of legislation (e.g. privacy laws or digital advertising laws) could.
Imagine if you could lose your software license for writing adware! Would it stop everyone/everything? No, definitely not. Would it give your average corporate software engineer a leg to stand on when they try to say no to their bosses when the business wants to start selling customer data unethically? Hell yes!
"I could lose my license if I add that feature." <- huge impact.
And no, nobody else has ever interpreted "regulations are written in blood" in that fashion, nor is that a valid interpretation of that saying. That is in fact the opposite of what the saying means.
There are wrong answers to questions, I understand that it may be uncomfortable to be told that but it doesn't change the fact that nobody else ever interpreted that saying that way, nor does it really make any sense to interpret that way.
Your jumping into semantic arguments about "well, I said it, therefore it's a viewpoint" is especially unproductive to the overall discussion. Like sure, but (a) that's not relevant, and (b) not all viewpoints are good; it's not a valid viewpoint just because it's a viewpoint. It's also where you start seriously leaning into sealioning/tone arguments instead of, you know, discussing why regulations are written in blood.
Hope this helps, I'm trying to keep this as even-keeled and matter-of-fact as possible - which certainly poses a challenge once you've poisoned the well by throwing around accusations of toxicity. That's a burden on me, everything I argue now has to be sugarcoated lest it further reinforce you as being the victim, which is of course the whole reason you dove into tone arguments.
That is part of the problem with "no offending anybody" type rules - it becomes very easy to cry "toxic" and play the victim and that lowers the quality of discourse, because nobody's opinion can ever be wrong lest they get offended.
Take care, have a good day!
No. The majority of them don't even understand what data is being collected, how it can be used, or the technology behind any of it. Until the people in office change, the idea that our representatives can or will protect us is toothless and spineless.
The only way to make these chameleons (pretend to) care about an issue is to make the general public (aka voters, source of their wellbeing) care about the issue.
In fact I would say that it's impossible to expect anyone to understand enough to know what they're legislating. Aside from being a powerful libertarian argument against the excessive involvement of government, I think it shows that we have to figure out a way to work around the fact that congressmen don't understand everything that they're in charge of, rather than trying to remedy it.
I'll leave you to find your own references to get a detailed picture, but in short two basic forms of organizing do a lot of the work: big teams/staff for each congressman to help out, and special interest committees and caucuses. On top of that at least some take the idea of "representation" somewhat seriously, so if they need to know about a topic they're not experienced in, they tend to meet with supposed experts in those topics (which can come from a dedicated pool, lobbyists, state university department, and occasionally private industry owners or high level employees) for information and sometimes policy recommendations.
Why not ban targeted advertising altogether?
Targeted advertising is like the difference between spam and spear phishing. The person being advertised to rarely (if ever) benefits.
Instagram has gotten so good at targeting me that I probably click on at least 1/2 the ads because I find them interesting. I've purchased things because of those clicks too, and have enjoyed the purchases. Things I would have never known about were it not for the ads.
Of course the abuses are also plentiful and dangerous. We probably do need a lot of regulation. But in general targeted advertisement is a useful thing to have.
This, like TV, doesn't require tracking of individual people who haven't consented to such.
That's a stretch. How do you think they determine any information about the "known" audience? Obviously, they do all sorts of research to determine more about the audiences watching certain shows and channels, likely by sifting through social media, show reviews (IMDB, etc), and elsewhere to determine who's watching what shows, then looking into their profiles to determine their interests. Aggregate that data, find what they all have mostly in common, and cater to those interests. It's just a more generalized and difficult process of the same thing, and eventually it's going to become more narrowed and specific to individual targets.
I can also have a discussion with my friends about My Little Pony and how amazing the last episode was without an algorithm picking that up, unless I publish it to the world or explicitly send it to the advertiser.
Ads targeted to an individual without that individual's consent should probably be banned. In addition, the law should make it clear that when a company does hold data about individuals, the individual should have some rights to that data including the ability to block the sharing or transfer of that data.
So, when Google buys FitBit, every user of FitBit should have to explicitly opt-in to their data being transferred to Google.
And so targeting didn't work!
Yes, "targeting" can put stuff in front of your eyeballs that may occasionally have marginal utility, but for sales? Nu uh.
In the baby/bathwater metaphor, you saw some ads for strollers. Still no baby.
If you want to inform me, just give me a website I can visit where I can enter my needs and provide perhaps some context information, and which deletes/forgets this information when I leave. There is no need AT ALL to figure this info out behind my back.
I believe US govt will always be at the mercy of corporations.
Now some things are great. Like CCPA, California’s version of GDPR. But getting it accepted throughout the US is a mammoth task.
I have hope though.
I mean, I already request credit reports for my husband without issue, for example (with his permission! - he finds it much easier to just ask me to do those things for him rather than doing them himself).
In this case, since email address is part of the report they could only send the report to the email address on file for "security," which would be a big improvement over what the big three CRAs are doing with annualcreditreport.com.
A bank makes a lot of money, but in theory, it's doing an important job which benefits society. That job is independently assessing creditworthiness. Of course, it's hard to assess creditworthiness if you don't know whether someone is making a lot of loans at different places. So, there needs to be a system for credit monitoring. But credit monitoring is not credit rating. Credit rating is the one job a bank is supposed to do. Letting someone else do it undermines the whole purpose of the independent financial system. We might as well just dissolve the banks and move to a centrally planned economy if that's what we're doing, so that at least the centralized rating agencies will be democratically controlled.
So, to begin with, CRAs shouldn't exist and undermine the basic purpose of the financial system. On top of that, they are incredibly incompetent and corrupt as seen by the Equifax breach. It was clear in the early 2000s that the old system in which people would present a few pieces of relatively obscure personal identity to open a line of credit was no longer workable because the data was now subject to trivial duplication. Instead of fixing this, the industry created the concept of "identity theft" in order to falsely shift blame onto an unrelated third party.
I "had my identity stolen" a few years ago. The event had nothing to do with me, so all of the language around this is wrong. What actually happened was first a criminal learned some information about me, then Verizon chose to give the criminal a line of credit on a cellphone, then the CRAs reported that I was profligate to anyone who asked. Saying "my identity" was stolen makes it seem like I was somehow a party to any of this. "My identity" is not a property of mine; it is a property of the reliability of the CRAs' data. What actually happened was the CRAs had their data polluted by the combination of a criminal and lax identity checking at Verizon, and then the various guilty parties forced me to do their data cleanup for them.
What should have happened in the mid-00s was that the credit monitoring agencies created systems where you can prove your identity to a notary public and get some sort of signed certificate gizmo that you can use to get a cellphone or take out a car loan. But because the whole US financial system is corrupt, it instead outsourced all of the liability onto consumers.
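The "signed certificate gizmo" idea above could be sketched roughly like this. Everything here is hypothetical: a real system would use public-key signatures (e.g. Ed25519) so creditors could verify without holding the notary's secret; the stdlib HMAC below is just a stand-in for "a tag only the notary can produce".

```python
import hashlib
import hmac
import json
import time

NOTARY_KEY = b"demo-secret-held-by-the-notary"  # placeholder, not a real key

def issue_certificate(name, valid_days=365):
    """Notary attests to an identity claim with an expiry date."""
    claim = {"name": name, "expires": int(time.time()) + valid_days * 86400}
    payload = json.dumps(claim, sort_keys=True).encode()
    tag = hmac.new(NOTARY_KEY, payload, hashlib.sha256).hexdigest()
    return {"claim": claim, "sig": tag}

def verify_certificate(cert):
    """A creditor checks the tag and the expiry before extending credit."""
    payload = json.dumps(cert["claim"], sort_keys=True).encode()
    expected = hmac.new(NOTARY_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False  # forged or tampered claim
    return cert["claim"]["expires"] > time.time()

cert = issue_certificate("Jane Doe")
print(verify_certificate(cert))   # True for a fresh, untampered cert
cert["claim"]["name"] = "Impostor"
print(verify_certificate(cert))   # False once the claim is altered
```

The design point: the creditor's check is against something the applicant *presents and the notary signed*, rather than against quasi-secret facts (SSN, address history) that any data breach makes worthless.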
Say you open a credit card, then try to say it wasn't you..... what would a bank need to do to prove it was you? The things they would provide are already the things they have... your signature, your information, etc. What EXTRA bit would they start collecting that would prevent fraud?
Currently, banks ARE on the hook for fraud.... if you dispute fraudulent credit opened on your behalf, they have to eat the cost.
I don't quite see what the difference would be in this alternative world... currently, someone applies for credit, the credit issuer decides it is legit, and issues the credit. That would still be the same. Say it was fraudulent; the fraudster doesn't pay it off, so the issuer tries to collect... at that point, you say "hey, I didn't open this credit!"
Well, the issuer is going to say "yes you did, here is the information I have saying it was you"... how would that be different in your alternative world? Maybe you would require more verification steps... but what? Picture of you holding a sign saying you signed up for the credit? Video? What could you possibly provide that couldn't be faked for fraud? What could the issuer require?
At this point, things are no different than now. The issuer says it was you, you say it wasn't, and then someone has to arbitrate and decide who was correct.
I guess I just don't see how we can do it better (although I would LOVE to do it better!)
A) you have money to keep a lawyer on it; No problem.
B) you don't have money for a lawyer; Tough shit.
Nothing beyond real unilateral enforcement of the system already in place is required.
Right -- and really, that should be some class of negligent libel on behalf of the CRAs.
In the history of centrally planned economies, never have they been "democratically controlled." Despite the name, places like the Democratic People's Republic of Wherever are never democratic, nor are they republics.
> because the whole US financial system is corrupt
Is that actually true or just hyperbole?
Note that I never joined the club, so my theory of the unwritten rules is pure speculation. No one ever sat me down and said, "Look, son, this is how it is..." But I did spend ten years of my life on this, and during that time I accumulated a lot of evidence that I have a very hard time explaining in any other way. It eventually led me to a serious existential crisis.
BTW, it's not just the financial system. Academia is corrupt in much the same way, and in that case I did join the club so I can speak to that with some authority. That experience is one of the things that allowed me to recognize what I was seeing in the financial industry. But both academia and finance are centuries-old industries. They have become very skilled at hiding their corruption from prying eyes, and a big part of the strategy is making it appear that anyone who accuses them of corruption is a crackpot. (Which is, of course, exactly what a crackpot would say, and that, too, is part of the strategy. It's a horrible catch-22.)
So you have to decide whether to believe me or not, whether you think I'm a crackpot or not. Before you jump to a conclusion I invite you to look up my record. My life is pretty well documented on the web.
It is so hard to put into words how these systems are corrupt, because these systems create an enculturation / religion around themselves. By the time you see how the entire system works, you are powerless to simplify the machinations that make that system corrupt (if you even choose to recognize the corruption). You can't "just start an alternative," because the system exists at a local maximum and will crush your alternative or assimilate it into the existing system.
When people are taken advantage of by these secular religions, it is so normal and ingrained in the societal fabric that we almost don't have the language to expose the fundamental dishonesty and fraud of these systems. Victims will say that there may be some bad actors at the edges, but on the whole, "this is the way it's supposed to be."
How would you define it?
Order a Big Mac - does it look like the ad? Probably not. Drink a cola - does it feel like your life has turned around? Probably not. Is advertising dishonest? Of course, but we all know that and we've learned to deal with it. Is advertising corrupt? I would not say that.
Thus for something to be truly corrupt it needs to go beyond a certain level of illegality.
There are plenty of small banks and credit unions out there, so the point that you cannot open a bank is not quite valid. Are some of the rules onerous? Probably. Are some of the rules unfair and ridiculous? Probably... but does that mean it is corrupt? I don't think so.
The cost to consumers of financial corruption runs into the many billions of dollars.
> There are plenty of small banks and credit unions out there thus the point that you cannot open a bank is not quite valid.
I did not say that you couldn't open a bank. I said that if you tried you would see firsthand evidence of the corruption of the system.
The problem is not that the rules are onerous. The problem is that the rules are not applied evenly and transparently.
Of course not; they never are. Again, you are not saying much here. Same with the billions of wasted dollars: of course, but that is a natural consequence of dealing with immense scope; it is going to be very inefficient and stupid. Still a far cry from actual corruption.
I feel that people tossing around the word corruption don't really understand what it means, and using it as hyperbole only undercuts the message.
A bit like the Soup Nazi in Seinfeld - he is not really a nazi in any shape or form - don't even mention real nazis in the same context.
I see. So your position is: I "don't really understand what [corruption] means" -- but you do. And because you possess the true understanding and I don't, nothing in my personal experience can possibly be evidence of corruption because you alone possess the true understanding.
Have I got that right?
> > The problem is that the rules are not applied evenly and transparently.
> Of course not. Never are
This is normalization of deviance. It might be true that the rules are never applied evenly and transparently anywhere and never have been, but it is one thing to posit this as a fact, and quite another to dismiss it as being inevitable (and hence acceptable) by saying, "Of course it's that way." No, it's not "of course." It's corruption, not just because the rules are not applied evenly and transparently, but because this is done by a group of powerful people for their own benefit at the expense of everyone else. Its inevitability is a self-fulfilling prophecy. By accepting it, you have made yourself part of the problem.
Hence the logical and reasonable assumption that the poster is misusing the term. Obviously I can only comment on what is stated here.
Even small regional banks have their own internal credit rating algorithms. Credit ratings from CRAs are generally consumed either in aggregates (a buyer on the secondary markets wants a tranche with an average credit rating of X) or by less sophisticated parties such as landlords.
I don't have a business relationship with any CRA. If they have my e-mail it isn't because I gave it to them intentionally. Nor is it guaranteed that they have a valid email that I still control.
The situation has gotten slightly better recently because of the widespread deployment of chip cards, but these only protect POS transactions. They don't help with e-commerce or non-financial transactions like credit report requests.
One requested a copy of a photo ID or passport and were happy to accept a partly redacted copy with 'FOR PROOF OF ID ONLY - (company), (date)' over-typed on the scan in red.
Another requested I email them from an email address they had in their records, or log in to change it and resubmit the request.
Most of the others sent the data without any ID checks whatsoever.
Curiously the one who did the most ID checking used an exemption (I forget the specific GDPR Article number) to redact nearly everything which wasn't shown on their web portal. Their position was that "revealing this data (specifically messages on trouble-tickets and their staff's internal notes) would adversely affect the privacy of our staff".
Amusingly I could just log into their portal and view the trouble-ticket history (but of course, not the internal notes). I can only assume their refusal was because there were comments in the internal notes (on my or other tickets) they weren't comfortable disclosing.
Wow. They didn't mail it and require confirmation of receipt, they just required a (trivially forged) mail with that email address in From?
more likely just following an established policy that applies to all such information, to take personal judgement out of the equation. almost certainly absolutely nothing to do with your “file” in particular.
So our email providers can get all this data? They could DKIM-sign such a mail and simply never have the relevant emails show up in your inbox.
My goal was to make certain that if it leaked, the overtyped expiry date should make it useless after a certain point, and the company name should make any company other than that one question the source.
As a side effect, it'd also clearly identify the source of any leaks - but that wasn't my primary goal.
I moved the text so the name and address (which they already had) and date of birth (which isn't really a secret) were clearly readable.
>As a side effect, it'd also clearly identify the source of any leaks - but that wasn't my primary goal.
Wouldn't a malicious actor just add block text over your text saying "only for identity verification for SomeOtherCompany" ?
They could do the same for the expiration date, although I wonder if any company actually bothers to check the expiration date
* Scan of ID
* WebID - video call where they take screenshots of ID and your face
* Cookie - kind of makes sense, since 3rd-party web trackers like Quantcast rely on cookies to identify users
The victim might be able to sue for damages incurred by the identity theft.
In my experience, some companies exercise a high degree of diligence in the process. A bank I requested information from sent a postal letter containing a code to my mailing address. The German postal service has a special service for identifying people, so the letter contained the code and I then had to bring part of the letter to the nearest postal station along with my ID card.
Once they got the confirmation of the ID card along with the code sent to me, they sent a CD-ROM with the information encrypted and the password via mail.
Clearly, these companies are going to make the argument that this is not credit report data subject to consumer credit laws, but I’m curious if that has been tested at all. I would think an enterprising lawyer could make that argument.
Usually a closed account will stop being reported to credit bureaus 10 years after the last activity on that account. I don't know if that's due to law or custom. My own credit report contains accounts closed more than seven years ago but less than 10 years ago and it does NOT include the one account closed 13 years ago.
Something like 80% of customers have issued a chargeback, 86% of chargebacks are "friendly fraud", increasing at a rate of 41% every two years. The dollar figure I've heard is $20+ Billion in friendly fraud.
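Taking those quoted figures at face value (I haven't verified them), a quick back-of-the-envelope projection shows why the industry is alarmed: 41% compounded every two years roughly triples the total inside six years.

```python
# Toy projection using only the numbers quoted above:
# $20B in friendly fraud, growing 41% per two-year period.
total = 20e9
for period in range(3):  # three two-year periods = 6 years
    total *= 1.41
print(f"${total / 1e9:.1f}B after 6 years")  # prints: $56.1B after 6 years
```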
So, obviously there's an altruistic nature to why a company like Sift has this data. But, I'm of the opinion that they saw the dollar value in this type of scoring and collection system.
Fundamentally what they are doing seems like the same thing. They're keeping a file on people that corporations are using to decide if they're trustworthy.
We decided a long time ago that consumers need to have the right to see and challenge that data for accuracy, as well as to have limits on how long it can be held against them. I see absolutely no reason why those principles should not apply here as well.
And it seems at least arguable that they already do. Clearly there's arguments on both sides, but reading the basic definitions here on what comprises a credit report and a credit reporting agency, and the prohibition on reports more than seven years old, it seems like a non-frivolous case could be made:
Absolutely not. The Fair Credit Reporting Act is one of the laws governing background checks for hiring (in addition to credit reporting), for example.
(and if it comes out that the reports referenced in the article were used by someone somewhere to reach a hiring decision, I expect lawsuits will quickly follow)
Second: Every prescription you've ever filled with insurance - and even some without - is recorded by companies like Milliman. When you want to buy life insurance, health insurance, etc. they can request to see what medications you're on, have been on, etc.
>How It Works
>1 Applicants sign a HIPAA-compliant authorization, enabling insurers to retrieve their medical information
>2 Insurers electronically query Milliman IntelliScript in real-time
>3 Milliman instantly gathers information from multiple data sources
>4 Irix interprets the data and generates automated decisions based on the insurer's guidelines
Going by the pharmacy privacy requirements, I don't think a "business associate agreement [with] some vaguely care-adjacent purpose" meets the standards for information sharing. Rather, the information must be shared as part of specific treatment for a patient (discussing actual care) or payment.
HIPAA is a fig leaf. Cardboard covers on clipboards to inconvenience the nurses and receptionists, but an unencumbered infobahn for anyone who touches the money to drive straight through.
For decades, every visit, test, procedure, and medication you've ever had paid for by a health insurer in the US got dumped straight into MIB, where any insurer could look at it. HIPAA functionally changed this not a whit.
I think this is what the GP was referring to. It's not just for care but for payment and operations too. A few operational examples: pharmacies must make sure that a patient doesn't fill the same prescription twice, and health insurance companies receive clinical data from health care providers for the purposes of HEDIS reporting.
Don't forget, the P in HIPAA stands for Portability.
Could you explain what you mean by that? And also hypothesize some implications of 'confirming and verifying the accuracy of the data'?
In the sense of confirming the data, it seems likely to at least attest that the identity is a genuine one associated with that data, rather than something like a burner-phone setup with a bunch of random details. Of course people can also have a fake photo ID, but it seems unlikely that someone using a totally fabricated existence would be querying for this information and potentially exposing themselves to closer scrutiny.
It's the same dilemma as hitting the "unsubscribe" link on spam: by doing so you confirm to them that you have a valid email address. It's a pure act of faith; you hope that they will comply and not take advantage of you even more.
Their models, if they are using ML, are opaque. Journalists haven't yet cracked this nut, instead just reporting on the fact that company A has bought personal data from company B. (That is likely to require anonymous leaks from the scoring companies.)
I think the hacker ethos could be applied to this problem by viscerally illustrating the threat. ('Hacker' used in the same way as the infosec community.)
Hackers could request their own data, hypothesize what could be gleaned from it, and use models (potentially academic ones trained on more general datasets) to produce derivative information.
Then hackers should make tools to make this process easier for the average journalist or consumer.
It looks like Airbnb & co paid Sift instead, in addition to sending it their data: "Sift has this data because the company has been hired by Airbnb, Yelp, and Coinbase"
I'm starting to feel like these PII databases are the superfund sites of the electronic world. Even after the company goes out of business, we're dealing with the damage decades later.
I don't really have any reason to suspect that this is a scam, but I can't help but notice that if one were to set up a phishing site for government IDs the UX would likely be indistinguishable from what actually happened here.
It sounds like "KYC", i.e., know your customer.
These data brokers do not handle your money, and therefore do not need to "know their customers", i.e. have no legally mandated right to ask for your identification, at least according to this statute.
For one, I think it's super weird that they need a government issued document to know who I am, but are perfectly happy to sell my data, marketed as accurate, to third parties.
Ideally you'd verify your identity to your government and they'd provide a limited time verification ID you could use for this sort of thing.
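One way to sketch such a limited-time verification ID (everything here is my own assumption, and a real scheme would use public-key signatures so verifiers never hold the issuer's secret; see eIDAS or mobile driver's licence work): a trusted issuer signs short-lived claims, and a verifier checks the signature and expiry.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"government-secret-key"  # toy shared secret; held only by the issuer

def issue_verification_id(subject, ttl_seconds=3600):
    """Issue a short-lived, signed attestation for `subject`."""
    claims = {"sub": subject, "exp": int(time.time()) + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def verify(token):
    """Return the claims if the signature is valid and unexpired, else None."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims if claims["exp"] > time.time() else None

token = issue_verification_id("jane-doe")
```

The point of the expiry is that even if the token leaks (the way a photocopied driver's licence leaks), it stops being useful after an hour.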
Yes, but the mere fact that I possess a photocopy of my drivers license does not prove that I'm me. That is manifestly true because they now possess a photocopy of my drivers license and they are not me.
[UPDATE] If the heavily redacted version was good enough to convince them that you are you, then it will almost certainly be enough for them to convince someone else that they are you, should they choose to do so.
The watermark is what (hopefully) limits the usefulness of the image, by stating when, who and why the image was furnished in a way that is relatively difficult to manipulate.
It’s appalling to me how much we depend on easily photoshopped pictures to prove identity. I want a smart card photo ID in my country.
What a line to say with a straight face. They are the third party that he's uncomfortable sharing his data with!
At least, it will take a while for our radio transmissions to reach that far. By the time it does reach another galaxy it will be a part of history.
Electronic transmission of personally identifiable information, and the storage and mining of that data, has so many permutations, and technology is so consistently far ahead of legislation, that it seems like it's time for a proper governance framework that exceeds any particular industry - one that has to be based around the individual (I think; there's more to it than that).
Buried deep in their legalese, they may have the right to do this, but I was NOT aware this was happening. This is not acceptable.
So many services fail to implement validation loops, and their customer support teams have no process when I call. The presumption everywhere is that a provided e-mail address is correct. Even after I explain the situation, some representatives will refuse to help because I couldn't validate a birthday or last-four of a credit card.
(Gmail ignores punctuation in the local part, so I receive e-mail sent to my name both with and without punctuation.)
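The Gmail behavior described can be sketched as a small canonicalization step. (The dot-stripping rule for `gmail.com`/`googlemail.com` addresses is documented Gmail behavior; the function itself is my own illustration, and other providers generally do treat dots as significant.)

```python
def gmail_canonical(address: str) -> str:
    """Canonicalize a Gmail address: dots in the local part don't affect delivery."""
    local, _, domain = address.partition("@")
    if domain.lower() in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")  # "jane.doe" and "janedoe" are the same inbox
    return local.lower() + "@" + domain.lower()

# Both forms reach the same mailbox:
assert gmail_canonical("jane.doe@gmail.com") == gmail_canonical("janedoe@gmail.com")
```

This is also why services that treat the dotted and undotted forms as two distinct accounts end up with exactly the mis-attribution problem described above.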
People really should care. There is so much data about us being sold without our knowledge. A while ago there was a discussion here that your full salary history is available to be bought.
All this stuff is super creepy, and you may increasingly be out-negotiated or rejected by companies that have info on you without your knowledge - info you don't even know exists. For example, I find it scandalous that Airbnb messages or order histories are being passed on. That's just not OK.
(On that matter though, how hard is it to fake a convincing scan of a government ID? Do any GDPR data controllers actually verify with the authorities that John Example has a passport with number soandso that expires on soandso?)
If not, then there's no difference.
The comment you appear to be arguing with is completely true. A binary score is of course still a score, and in fact that's almost always how credit and trust scores are actually perceived.
From the company's perspective many scores are continuous, but from the consumer's perspective that's mostly a distinction without a difference.
Usually, from the consumer side, you're told you got the job or didn't, or got the credit card, loan, or apartment, or didn't.
And you aren't usually told just whether you got the loan or not. That is one possibility, but the more likely one is that the continuous credit score translates into a continuous interest rate. This is why the distinction between a binary and a continuous score is important:
This continuous assignment of interest rate isn't possible with a single binary variable.
I wasn't explaining some basic aspect of statistical variables for its own sake; in this context it is not some pedantic hair splitting, it's a relevant aspect of the types of things that can be done with this data.
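The distinction being argued here can be made concrete with a toy sketch (the cutoff, score bounds, and rate range are invented illustrative numbers, not any real lender's formula):

```python
def binary_decision(score: int, cutoff: int = 650) -> bool:
    """The binary view: all the consumer sees is approved or declined."""
    return score >= cutoff

def interest_rate(score: int, lo: int = 300, hi: int = 850,
                  best_rate: float = 0.04, worst_rate: float = 0.18) -> float:
    """The continuous view: the score maps linearly onto a quoted rate."""
    frac = (min(max(score, lo), hi) - lo) / (hi - lo)
    return worst_rate - frac * (worst_rate - best_rate)

# Two applicants who are indistinguishable under the binary view...
assert binary_decision(660) == binary_decision(840) == True
# ...are quoted very different rates from the underlying continuous score.
rate_marginal, rate_excellent = interest_rate(660), interest_rate(840)
```

The binary decision throws away exactly the information that determines how much the loan costs, which is the sense in which the continuous score matters to the consumer even when the visible outcome is yes/no.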
I would say that's absolutely not true at all. And to the extent that it is true, via credit reporting agencies, it's extremely aggressively regulated to allow consumers to see and challenge how that data is used, as well as to completely opt out of that system.
Anyways -- this is all massively orthogonal to what I originally wrote, which was around Sift being used as a consumer scoring system. I shouldn't have "taken the bait" so that's my bad.
I.e., if an organization fighting for free speech were to create software generating false personas that create false messages and other events, would they know any better?
For example, it wouldn't be too hard to generate hundreds if not thousands of fake Facebook, Instagram, Airbnb, Coinbase, Uber, Gmail, Amazon, etc. accounts doing "stupid things". Like ordering stuff and cancelling the orders right away. Like generating fake emails en masse with "trigger words", millions a day. Like creating fake posts on Facebook warning of fake incidents like "15% of Uber drivers have serious mental issues".
The whole thing could be scripted and run on bots worldwide by the millions. After some time, a serious chunk of internet traffic would be fake. How would these companies know any better?
When I checked this year, 2 out of the 3 major CRAs in my country (Equifax, Experian) had:
- An incorrect flag saying I was not registered to vote, and a note saying this significantly affected my credit rating.
- A bogus address that didn't correspond to any physical location, nor to any address used by any business that I know of. (If it does, they won't be able to mail me!)
- Three credit application searches (hard searches) in 3 days, for applications I didn't make. (I complained to the relevant company, who agreed they were added due to software errors on their side, and "resolved" the complaint by agreeing to remove them; but in the end they didn't remove them, so my history has unremovable entries for applications I've never made.)
- An account with the largest telecoms provider (BT) in the country that I didn't have (I'd left them 2 years earlier, account fully closed and settled).
- Fictitious monthly entries on the above account showing new amounts being added each month, of seemingly random amounts (no obvious pattern), and flagged as severe, overdue, late payer etc. Not a good look on a credit record, and entirely fictitious. (Fixing this proved arduous, and I ended up having to use three companies in a daisy-chain of each one passing along a formal complaint to the next. I later learned from BT customer support that BT does this to other former customers without their knowledge as well, so for ethical reasons if I can muster the energy I'll be complaining about this to the government regulator)
I could say so much more about the complaints process, terrible customer service in every conceivable way from Equifax specifically, and more, but it would be rather off-topic.
Remarkably, just complaining about the above caused the errors to be acknowledged and the correct data to be magically found by the companies involved, without me needing to provide replacement data. It's as if the companies involved already had all the data they needed; they just aren't using it until a customer finds out and complains.
The only thing definitely wrong on mine is that it lists an address I've never lived at (and there is actually a decent reason for this mistake). I looked at getting it fixed, but it looked like a bit of a hassle, so I haven't bothered. I just have to remember that if some site does one of those "which of these 5 addresses did you once live at?" tests as part of identity verification, I need to pick that wrong address if it shows up.
(Names and addresses made up.) A single woman, Ms. Johnson, owned and lived in a house at 567 Fake Street. At some point, Ms. Johnson married Mr. Brown, and they lived together at 567 Fake Street as Mr. and Mrs. Brown. At some point another Mr. Brown, no relation to the Browns at 567 Fake Street, bought and moved into 527 Fake Street.
The Browns at 567 decided to move, and submitted a change of address form to the USPS. Someone processing that at the post office noticed that 567 was listed in their records as belonging to Ms. Johnson, but that there was a Brown at 527, and apparently concluded that it was probably the Brown at 527 who was moving and that he had just botched the address on the form, and so they processed this as a change of address for 527 Brown. Credit reporting agencies get change of address data, so they picked it up too.
AT&T is currently doing the same thing BT did to you. I closed my account and shipped back the hardware a year ago. Since then, they have been reporting a bill of some random amount from $100 to $3,000 (or $0), flagged variously as on time, late, or nothing at all. It's maddening.
I'll describe what I had to do to fix the BT nonsense, in case it's useful for your AT&T problem.
To fix the BT nonsense (after I'd done tedious detective work to figure out which company it was, as it was reported under a company name I didn't recognise), I was lucky to get a good BT customer service agent. They explained that they could see it was BT, that it happened to other people as well, and that BT's Equifax-handling department would fix it as soon as they looked at it - but that department wouldn't fix it on my request. To fix it, I needed to complain to Equifax myself as a data correction. Equifax could not change the data itself, since it merely aggregates data supplied by other companies and is not responsible for it, but it would contact BT's Equifax-handling department, who would make the correction and submit it back to Equifax.

In the end, getting Equifax to process a data-correction complaint was excessively difficult, slow, and intrusive (requiring various documents I didn't care to send them). I found a third company who magically made Equifax process the complaint in days rather than months; it went all the way along the chain to BT and back, and was magically fixed.
Without very careful system design, that itself could be used to corrupt data.
Suppose a thousand obviously fake accounts are made and use the phrase "giraffe-eater" (to coin something random-looking) in messages.
If the system is designed as a fancy nonlinear regressor, then it doesn't have to obey causality -- observing P("giraffe-eater"|fake) = 100% will increase the modeled prediction of P(fake|"giraffe-eater").
Worse yet, if the system is in fact being built in a non-interpretable way (throwing everything into a random forest or deep neural network), then it will be impossible to prove anything about how the system makes its judgement. Ultimately, these models are at risk from anti-discrimination statutes if (for example) they can key on use of dialect or other protected-ground-correlates.
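A minimal sketch of the poisoning mechanism described above, using raw frequency counts in place of a real model (the population sizes are invented; "giraffe-eater" is the thread's own made-up phrase):

```python
# (label, uses_phrase) training examples. Organic population: 1000 real
# accounts, 10 of which happen to use the phrase "giraffe-eater".
organic = [("real", False)] * 990 + [("real", True)] * 10
# Attacker floods the system with obviously fake accounts that all use it.
poison = [("fake", True)] * 1000

def p_fake_given_phrase(data):
    """Empirical P(fake | uses phrase) from simple counts."""
    n_phrase = sum(1 for _, used in data if used)
    n_fake_and_phrase = sum(1 for label, used in data if label == "fake" and used)
    return n_fake_and_phrase / n_phrase

before = p_fake_given_phrase(organic)            # no fakes yet: 0/10
after = p_fake_given_phrase(organic + poison)    # poisoned: 1000/1010
```

Because the regressor only sees correlations, not causes, the attacker has turned an innocent phrase into strong evidence of fraud, and the 10 real users who say it get caught in the blast radius.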
What is stopping these actors from doing just that?
I have wondered about this for a long time and I'm just curious. If the whole 'terrorism threat' thing is real, we would see counter-actions like this done by terrorism-sponsoring organizations or states. No?
1. Was this information shared in accordance with the privacy policies and user agreements in place at the time the sharing started, or were the policies retroactively updated?
This will be near impossible to answer, of course, unless you were actually involved in the sharing with Sift. But it seems to me that the more this happens with all of our data, along with the total lack of enforcement against any lapses/breaches, these kinds of problems/proxy scores will only get worse and more difficult to reason about as a customer.
Similar companies are the credit reference agencies - Equifax, Experian, TransUnion.
Every time you request your data from credit reference agencies, the request is logged. My log has many such entries, due to repeated checking I did while trying to get corrections sorted, and due to the third party companies I used to help with this.
So I'd expect the same to be true for the customer rating agencies.
In the case of credit agencies, they say that information ("soft" enquiries) is not used to assess credit risk - and that it's either not made available to companies that process applications, or must not be used by those companies in the assessment.
To be honest, seeing the kinds of errors I've seen, as well as seeing the inner workings while they were being corrected, some of it reveals very shoddy, and in some cases seriously unethical, processes (that the companies know about).
So I simply don't believe that companies are diligent about following the "must not be used" rule for data they "may" receive and are supposed to ignore. To convince me, it would require a level of auditing, or quality of audit, that companies plainly are not getting.
And these are companies I still do business with because they are good enough. Goodness knows what to think of companies I wouldn't do business with, if I knew about them and had any choice in the matter.
"In order to process your rights request, Sift’s Privacy Team needs to collect the below information about you. We are unable to process your request without complete submission of this form and a copy of your valid government ID for verification purposes."
"87% of the U.S. population is uniquely identified by date of birth, gender, postal code." 
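A back-of-envelope sketch of why that triple is so identifying (the figures below are my own rounded assumptions, not the numbers behind the quoted 87%): there are far more (birth date, gender, ZIP) cells than people, so most occupied cells hold exactly one person.

```python
zip_codes = 42_000        # rough count of US ZIP codes
genders = 2
birth_dates = 90 * 365    # rough count of distinct birth dates among the living

combinations = zip_codes * genders * birth_dates  # ~2.8 billion possible cells
population = 330_000_000

# Far less than one person per cell on average, so a randomly chosen person
# is very likely alone in theirs. (The real 87% comes from measuring the
# actual, highly non-uniform distribution, not this uniform approximation.)
people_per_cell = population / combinations
```

The uniform average understates clustering in big cities and overstates it in small towns, which is exactly why the measured figure is 87% rather than ~100%.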
Tips to slip through the cracks: have a different mailing vs. home address, don't apply for new loans or update work info with existing creditors over more than one job cycle, and move frequently. When your credit card asks how much you make, they are doing so because the agency doesn't have good info on you and they are updating their files.
That's still looking at it. When are we going to stop letting people get away with this lie?
Since I didn't provide the relevant context in my last post, here's the quote from the article:
>As of this summer, though, Sift does have a file on you, which it can produce upon request. I got mine, and I found it shocking: More than 400 pages long, it contained all the messages I’d ever sent to hosts on Airbnb; years of Yelp delivery orders; a log of every time I’d opened the Coinbase app on my iPhone. Many entries included detailed information about the device I used to do these things, including my IP address at the time.
In this context it makes perfect sense. Unless they force 2FA for every login, how else are they going to protect good users from account takeover? The same goes for buying crypto: they need a tool to help determine whether someone is using a stolen payment method.
The reason I'm so flabbergasted by this is that this seems to really, really damage account security. Now there is one company that has a massive profile on me, that also knows very specific details about when I log into my account, from where, from what devices, etc.
Completely unjustifiable imo.
Sift makes risk predictions in real time using your own data and data from the hundreds of millions of users in Sift's global network. Our machine learning systems identify patterns of behavior across thousands of device, user, network, and transactional signals. These are often patterns that only a machine learning system can spot. Using Sift, businesses have stopped hundreds of billions of dollars of fraud worldwide.
There are many abuse use cases that Sift can stop:
Payment Protection - Reduce friction at checkout to increase revenue and stop chargebacks before they hurt your business.
Account Abuse - Stop fake accounts from polluting your service and block bad users before they harm your business.
Account Takeover - Stop bad actors from hijacking users' accounts. Keep your users safe and ensure that they always trust your service.
Content Integrity - Stop spammy and scammy posts from polluting your service. Keep your users safe from malicious actors.
Promotion Abuse - Make sure you’re only rewarding real users by stopping referral rings and repeated use of promotions.
Sending Data to Sift
To use Sift, we need to know about your users, what they do with your service, and what actions you take in response to your users. This includes:
What actions your users are taking, usually key user lifecycle events (e.g. creating an account, placing an order, posting content to other users). You will send this data from your application to Sift via our REST API.
What actions your business is taking in response to users (e.g. approving an order, banning a user due to fraud, cancelling an order due to a chargeback). You will also send this data from your application to Sift via our Decisions API.
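For illustration, a backend integrating with the events API described above might assemble a payload like this. The `$`-prefixed field names follow Sift's documented convention for reserved event fields, but treat the specific fields, values, and endpoint here as assumptions rather than a spec:

```python
import json

def build_create_order_event(api_key, user_id, order_id, amount_micros, currency):
    """Assemble a $create_order event for a POST to the events endpoint."""
    return {
        "$type": "$create_order",   # which lifecycle event is being reported
        "$api_key": api_key,
        "$user_id": user_id,        # the merchant's own stable ID for the user
        "$order_id": order_id,
        "$amount": amount_micros,   # monetary amounts expressed in micros
        "$currency_code": currency,
    }

event = build_create_order_event("YOUR_API_KEY", "user_42", "order_1001",
                                 15_000_000, "USD")
body = json.dumps(event)  # this JSON body would be POSTed over HTTPS to Sift
```

Note how little is needed for the file described in the article to accumulate: every one of these events carries the merchant's user ID, and Sift joins them across all its customers.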