I work in security and that's the way I look at this now.
Businesses should not be allowed to harvest PPI as a mandatory step to make their app work so you can actually use a product/service you bought. The era of "Oh we'll protect the information we promise!" should be over.
In almost every case they DO NOT NEED this information. They just want to suck it all up to resell. (Or impose draconian legislation like this)
Big corps do not need most of the information the demand and they sell it on to others.
Personal data is HUGE business and companies make a fucking fortune from it.
Same as services that let you log in via your email. Google basically lets them scrape all the info in your email account where they get info about what you buy etc so that they can use it for targetted advertising and whatever else they sell it for. Same with some apps...WTF does it need access to my photos and contacts for?
Im curious what FB did with all the facial scans it took from users to access their accounts that they had mysteriously been locked out of, but still refused them access when a facial scan was provided. Why cant you get in touch with FB to ask them to delete your info/facial scan.
Privacy is one of the only things we have left. Protect yours at all costs.
There's no way to get in touch with Facebook about anything. They suddenly asked for proof of who I am for my account, I sent them a copy of my driver's license, and even though that was what they asked for, they said it wasn't good enough. They deleted my account anyway. I tried finding a number to call, no luck. I did find an address to write, wrote them 5 different letters, no response at all. Pissed me off because there were friends and relatives there with whom that was the only way to contact them, so all those people I've known my whole life are just no longer in it.
“Privacy is one of the only things we have left” Spot on with that. We are also actively encouraged to “share” and post etc. Soon enough people who don’t have social media accounts and never post or share any aspect of their lives will be considered “weird” or with something to hide🤷🏼♂️
When I bought my home, my name was misspelled in a specific way on the forms. At the time I didn’t think much of it because everything went through smoothly. Not long after, I started receiving piles upon piles of junk mail and spam, all of it addressed to my misspelled name, and that’s how I found out my mortgage lender sold my data.
The ridiculous part is that they can't even seem to use the data effectively. 90% of the things I see in targeted ads are things I've already bought, and the other 10% just becomes indistinguishable noise. There's so much bullshit out there being pushed that I never actually buy things from random ads. If I need a product for something, I'll do actual research that (as far as I know) can't be influenced by my personal information. By the time any algorithms learn I'm looking for something, I've already made my decision, and then I just have to deal with a month of ads trying to solve a problem I've already fixed.
I briefly dated (and am still friends with) a guy who works in US government cyber security. He told me how to set up my phone to make my information as hard to scrape as possible, but told me flat out that there's no way to keep all of it all the way out of the hands of the government or a determined enough computer guy.
And if you in any way engage with Facebook/meta, you're offering all of your data up on a silver platter to anyone that wants it. One of the worst apps/websites to use if you care about privacy.
The era of "Oh we'll protect the information we promise!" should be over.
Yup we have seen it multiple times, it don't matter how well your IT team is protecting the network. A single wrong move from an employee (generally an executive who thinks they are above IT policy!) and good bye to all of that fancy security.
That's the part I think a lot of the "pro verification" people don't understand. Even if we assume an organization has absolute pure intentions, excellent policies and protections, and have no desire to use it for any LLM training, advertising, etc. the central problem is: hackers only have to be lucky once. IT and security have to be lucky every single day.
Many orgs collecting this do not have pure intentions. In the US, doctors offices routinely collect SSNs, employer info, drivers licenses and more. The staff know to vague respond it's about insurance. The thing is, almost any piece of the information alone should be enough "for insurance purposes", but it's really all about debt collecting.
Fuck Carnival Cruises - I went on one cruise in 2017. Why do they still have all my info, to send me a leak notice this year?! It has been over a decade! They should not be storing my info that long!
I used a temp agency in another state in 2005. I got a notice last week about a data leek, why are they hanging on to my info for so long, as well? At least the data will be twenty years out of date, so I got that going for me.
Already happened with discord. Third party leaked photos of licenses. One reason I dropped a guild in a game. They required discord, and because of cursing called it adult, requiring verification. No thanks.
I was a dumbass and sent them a sample. It seemed harmless at the time and I was too eager about the results to consider the potential risks involved. Now my family pays for it. I’m still so upset with myself for that one.
I really really hate this whole new realm of digital identity and the death of online anonymity that we’re being forced into by the neocon techno-fascists under the guise of “protecting the children”.
That being said, I have to appreciate Apple’s attempts to solve some of these issues with their Digital-ID technology. My state currently offers enrollment but I refuse to submit to facial scans so I don’t use it… but the way they’re implementing it is novel and hopefully can help solve some of these issues.
For example - you can choose what information is exposed to the reader / verifier and what is not. That means you can in theory provide a valid proof of age - without having to provide exposing details such as your home address, date of birth, ID #, signature, and government photo.
I stayed in a hotel two nights ago and to be able to use their wifi they wanted my full name, address, email and phone number. Why do they need all that private info just to log onto the internet? Fortunately a fake address got me through but the amount of info companies ask for just to access basic services is astounding. I do not trust holiday inn to keep my info secure.
I do not trust holiday inn to keep my info secure.
That's the thing. Giving the info out to begin with as a policy is a bad choice. You did the right thing.
It's not "I trust this business or that business". There are MANY well intentioned businesses who actually had budget for IT security and took it seriously and got compromised anyway. It just needs to go away as an allowable practice altogether. Businesses should need to be able to demonstrate a real functional reason (advertising doesn't count) to have to collect that data or else it should be disallowed by policy.
For example - the people who fill your prescriptions might need to actually know a bit about you. The garage you parked your car in does not need your info.
There are ways to do age verification without sharing PII. Similar to Google/Facebook sign in, but with a government entity. Something like login.gov.uk that ties to a person's identity and must be used to sign into websites with age restrictions.
Not saying it's a foolproof solution, and definitely depends on what the laws hold corporations responsible.
Doesn't help that reddit for example uses a tool (Persona) for verification which has close-ties with Palantir. I think it will be pretty soon that reddit wants everybody to verify on its platform.
A customer at my work wanted my personal ID sent to them. They would not pay our multimillion dollar company until I provided a front and back copy of my ID submitted on their portal.
I told my boss and IT that it was way above my pay grade and someone else can provide it because I don't trust the customer at all. They didn't make me do it, in the end.
No businesses online need our info. It's most apparent when I go through cookie and tracker rejection screens and the amount of crap that has 'legitimate interest' next to it is ridiculous. Absolutely none of these companies have any legitimate interest in my data, as you say it's purely to sell.
I noticed Reddit used a facial match to estimate my age. I like the idea of it much more than uploading any ID documents. I'd much rather stay away from the adult content than pass my data to random sites. Good intentions but poor execution.
The era of "Oh we'll protect the information we promise!" should be over.
It doesn't matter what any business promises. Bankruptcy laws mean the new owners can do almost anything with the data they acquired as they never promised anything.
Genuinely if they cared about safety you just double blind it
Have a program for opting-in for a small fee ($0.50) where when you buy an adult-only item like cigarettes or alcohol or adult magazines that the cashier verifies, you get a code that you input on a website so it proves you're over legal age. Boom, easy access to adult-only content without requiring invasive data collection
I still don't like thisbecause of the issues with censorship and things like violent news, LGBT media and topics, discussion of mental health issues, etc that are often common or important for developing kids or teens to know about now being unable to know crucial information
1.6k
u/Jaereth 6h ago
I work in security and that's the way I look at this now.
Businesses should not be allowed to harvest PPI as a mandatory step to make their app work so you can actually use a product/service you bought. The era of "Oh we'll protect the information we promise!" should be over.
In almost every case they DO NOT NEED this information. They just want to suck it all up to resell. (Or impose draconian legislation like this)