If you lost your wallet at Outside Lands, your information is now public (plusbryan.com)
33 points by plusbryan on Aug 13, 2013 | 33 comments



[deleted]


The issue is that this is easily enough information to easily perform social engineering attacks against a bank or Facebook or Google.


You could do that anyway. It would be much more effective to exploit someone's lost cellphone.


You're right, it is a bit silly and it doesn't have to be made into a big deal. But it's also information they had no right to disclose, and furthermore is completely unnecessary. Why did they even need to put the person's name in the list? The owner certainly could write in with their name, and that could be used to identify the card easily.


If they weren't going to put names on the list, what would they put beyond a bunch of stats, such as "we found 455 California drivers licenses this year"?

Also, if you leave your data in a public place (such as Golden Gate Park), I don't think anyone should really expect privacy. Imagine if there was no lost and found service and all of the wallets were just left in the mud after Outside Lands (this is the control case). The posting of just some of the info in the wallet online preserves privacy compared to just leaving the wallet lying on the ground.

People who lose their wallets are afraid of their credit card info and cash getting stolen and don't want to have to go through the process to get new documents such as a drivers license. This solution avoids all of those problems and makes it easy for people to claim their stuff. I'd much rather this site exist than not exist.


> Also, if you leave your data in a public place (such as Golden Gate Park), I don't think anyone should really expect privacy

Well, there's a difference between dropping your wallet, and having all of your info publicly accessible on the web...


"Your information is now public" ... as in, your full name and the fact that you went to Outside Lands and lost something? I don't see what the big deal here is. Coachella had a very similar practice when it came to trying to reunite owners w/ their IDs and credit cards. They are not posting credit card numbers, they are not posting cities... there is nothing identifying at all that would pose any danger to these people in real life that cannot be found on a public LinkedIn or Facebook profile.


I also want to add that your blog post exposes more information than OutsideLOAF does, Bryan Kennedy, Co-Founder of San Francisco-based Sincerely.


Yes, my personal blog does expose quite a lot about me. In a way that's the intention of one's blog. However, I don't think copying my personal information here is appropriate.


Why not? It's already copied in numerous commercial databases by now. You did publish it, after all.


When I find your wallet, I do not own the contents really and I certainly do not have "broadcast rights". If I find your password to facebook on the web somewhere, does that give me any rights to your account? No. If I leave the front door of my house open by mistake, am I waiving my property rights if someone comes in and takes my property? No.


But do you know for sure that those people have public profiles? You are making quite an assumption by implying that this data is public.

I believe that exposing people's personal information without their knowledge or consent, however trivial or helpful as a means to an end, isn't the right thing to do.


It's interesting that they keep these considering it's a "well known fact" that you can drop a Driver's License in the mail and it will be returned to the owner at the address labeled (at no expense to the person putting it in the mail).

[1] http://lifehacker.com/return-a-lost-drivers-license-by-dropp...


Update: Outside Lands has taken the site down and will be fixing the issues. Apparently the information was added to the public site unintentionally.


Ditto to jnfr.

The information added to the site was no different than the information added to Coachella or EDC's lost and found site. It was in the spirit to help people reclaim their lost items. However, it appears one person's opinion is now forcing the volunteers who are managing the lost and found to add additional layers of security at the expense of time and effort.


It was added to the site to help quickly reunite owners with their lost belongings, but now things have to change because one guy thinks exposing someone's full name is a privacy concern.


Actually, they are addressing the issues and I am told they will be re-posting the site shortly. By the way, I (as the author of the original post) am a huge proponent of hackathons and think your Lost and Found site is a brilliant hack. I just think the use of it could have been thought through a little more.

My apologies if my bringing it to the attention of the festival organizers caused you any grief - this was certainly not my intention (I had not known this was even a hack!)


It would be a cool weekend project to scrape this data and do a search for these people's public profiles that have also mentioned the word "lost" or "OutsideLands" and send them a message


Scraping for good, how novel.


svbtle blog posts:

"Here's a random thought I had the other day but didn't really think through too thoroughly"

[Discuss on Hacker News]


It was nice of you to pixellate the image, but you might want to remove the link, too. "Here's a web site with a bunch of people's private information on it" isn't the kind of thing you generally want to post to a high-traffic web site.


Anyone curious enough to click can just as easily search for "OutsideLands Lost and Found"


Outside Lands actually tweeted out the link earlier, so it certainly wasn't a private site.


But the point is, if you were worried about the information going public, why not exercise some of that "great responsibility" and not push further traffic to it until the problem is fixed?


"For instance, using name matching alone, you can clearly identify the full name of a student at University of Central Oklahoma, what state she’s from, where she went to undergrad, and where she shops for gas."

You mean without using Facebook and/or LinkedIn?


I wonder why they included the owner names for the drivers licenses, but not for the passports.


It's a small enough data set to know exactly how much damage was caused by this disclosure. How many wallets were returned to scammers? Anybody? Zero? I'm thinking zero.

In that case this was a non-issue.


> For instance, using name matching alone, you can clearly identify the full name of a student at University of Central Oklahoma, what state she’s from, where she went to undergrad, and where she shops for gas.

...and do what, exactly?


My parents never used to let me use my real name on the internet, even for productive content that I'd choose to take credit for.

The fact that I exist doesn't expose me to pedophiles. Any idiot can buy a copy of the middle school phone directory and see my name, address, and phone number. A pedophile looking for children to molest would get more for his effort in a parked car a block away from school at 3:00 than in my WHOIS records.

I don't use my name on HN because I sometimes play devil's advocate in ways that could be used against me if taken out of context. That's a deliberate choice and specific to this forum. But why does biographical information (in isolation) deserve protection? Can't I go to the University of Central Oklahoma registrar's office and get the full names of thousands and thousands of people who went there, as well as what states they're from?

It's slightly weird for the fact that someone attended Outside Lands to be revealed, and I agree it'd be better to avoid disclosing that, but what exactly is so wrong about that?


> Can't I go to the University of Central Oklahoma registrar's office and get the full names of thousands and thousands of people who went there, as well as what states they're from?

I don't know about the University of Central Oklahoma, but this would be explicitly prohibited at the University of Waterloo.

There's a specific policy that covers access to student information: https://uwaterloo.ca/secretariat/policies-procedures-guideli...

Granted, you could figure these things out by scraping students' public Facebook profiles, but I think that says more about Facebook than it does about whether {full name, alma mater} is PII.


In the US, FERPA covers private information like grades and schedules, but biographical information and the fact that you attended is public record unless you submit a specific form.


FERPA may serve as a baseline for federally mandated privacy rights of students, but many schools have additional protections that are remarkably strict.


It is not anyone's business to know what these people do with their time, unless they choose to willingly share. Yes the chance for actual harm is low (the only thing that immediately came to mind is something along the lines of "college student who promised their parents they were studying for the CPA that weekend but now helicopter mom found out the truth", etc). But it is the principle of the matter. We still have some principles, don't we?


What is this, "it's not anyone's business" bit? It's also not anyone's business what goes on outside of our solar system, or what goes on at the bottom of the ocean.



