Inside the "3 billion people" national public data breach

conductr
58 replies
22h17m

For argument’s sake, instead of outlawing data brokers, wouldn’t it be better to design a better ID system that renders one’s name, DOB, and SSN as harmless information?

I don’t know what that would look like but if I had Congress’s attention I’d like them to fix the problem rather than playing whack-a-mole with banning data sources. I don’t think any actual solutions come from that.

ljm
46 replies
22h11m

In many countries in Europe, your ID card contains a chip with a cryptographic key, much like chip&pin on a debit or credit card.

Those bits of information are worthless when you need to create a cryptographic signature with your ID card to do almost anything important.

If the card is lost or stolen they can just remove your old one from the keyserver. It's literally just public key crypto.

Identity theft is rampant in the countries that don't have such a system and basically require you give them increasing amounts of private information to prove who you are. In the UK that's every address you've lived in for 5 years, your council tax bill, your energy bill, your bank statement for a month... all because British people think an ID card means you'll get stopped on the street to show your papers.

Workaccount2
23 replies
21h11m

The US has three dumb points pushing back on this.

The first is religious nuts who think it would be a "mark of the beast"

The second is anti-government types who are, well, anti-government anything.

The third is many business owners, because it would become much harder/risky to hire illegal immigrants to work.

autoexec
8 replies
20h32m

The "mark of the beast" types are pretty much fine with cards that have chips in them, but they really hate it when you threaten to implant those chips into people and they want cash to remain an option - same as the anti-government types. I don't share their apocalyptic or anti-government concerns, but I'm actually kind of grateful for their passionate opposition to both of those things anyway. I don't really want an implant and the option of using cash is a very good thing.

The anti-government types do hate the idea of a national ID, but they're already forced to carry a driver's license/state ID and SS card, so they've pretty much lost the battle already.

I'm afraid that it's the business owners who are our biggest hurdle.

bobthepanda
6 replies
20h3m

Eh, depending on the flavor, the mark of the beast types don’t even really like barcodes. Allegedly Hobby Lobby does not use a barcode inventory system for this reason.

autoexec
4 replies
18h38m

I will say that their list of reasons is deeply flawed.

> Human beings can't read a bar code.

- they can, and more importantly they almost never have to

> A lot of our product comes from cottage industries in Asia that couldn't mark their goods with bar codes if they tried.

- They can be added at the store/warehouse level, not every product needs one, and I've never seen a store that worked entirely on bar codes 100% of the time anyway.

> Inventory control by computer is not as accurate as you think.

- This assumes what I think, and it only needs to be more accurate than your current method. If it actually weren't more accurate, I don't think they'd have to fall back on "as you think" in their argument.

> Employees take more pride in their work when they know they are in charge, not some faceless machine.

- this doesn't even make sense.

> Customer service is better.

- questionable, but not impossible to support

> The time savings at check-out is minimal — and easily squandered.

- possible, but time savings at checkout is only one benefit.

> Reprogramming the computer for sales would take a huge effort in our case, because we put so many individual items on sale each week.

- It would take effort, but stores with much more inventory manage it just fine, even when new products are constantly coming in and sales are weekly.

> Twenty million dollars is a lot of money.

- I have no idea from the article what this is in reference to. Maybe the amount it would take for them to make the switch? It's hard to say how much money it would save them so it's fair to say cost is a concern. I will say that over a long enough time period, it'd probably save more than it costs.

None of this means that concern over "the mark of the beast" is really the reason, but the reasons they gave don't make a lot of sense either. It could just as easily be that poor record keeping and manual entry at the register allow them to commit fraud or something.

I suspect that if the mark of the beast plays any role at all, it's that not having barcodes panders to the Christian customer base they've always heavily pandered to. Even just the rumor is basically viral marketing for them to that crowd.

quohort
2 replies
17h49m

How about this: without barcodes, you can't replace your clerks with self-checkout machines

autoexec
0 replies
17h20m

I'm not sure that's true, but it would make it more difficult since it'd be easier for customers to cheat. You'd need more monitoring than most stores at the very least.

HKH2
0 replies
16h2m

Decathlon has RFID tags.

harimau777
0 replies
15h54m

Personally, Hobby Lobby's poor inventory management is a major frustration for me as a customer. Unlike other stores, they don't have any way for me to check online whether the product that I want is at their store. Granted, I avoid shopping at Hobby Lobby in general due to their owners' regressive views; but at those times when I couldn't find something at a competitor it would have been helpful to be able to see if I could get it from them.

quohort
0 replies
17h52m

It doesn't need to be a national ID, it could just operate on a state level like driver's licenses currently do.

nine_k
5 replies
20h23m

Correct. But not insurmountable.

Make the ID card optional, so that it simplifies things if you have it, but still allows operation without it. If 80% of law-abiding population has the card, only the stubborn deniers will remain targets of easy identity theft and fraud based on it. Partly it will stop being worth the effort, partly it will serve as a good control group.

Allow but do not require to use the card for employee identification. Whoever insists on hiring undocumented immigrants, could continue. Most industries don't do that, and would reap the benefits of a more secure identification.

Don't make the card universal. A bank card with a chip does not identify you for governmental agencies, but prevents a lot of PoS fraud. It could prevent credit fraud if banks allowed me to require the card to take a loan in my name, or to make a transfer larger than $10, and provided the card identity check service to each other and to credit unions. Phones with NFC can read bank cards, so it's a good way to say "it's me, I confirm" in a secure way.

Evolutionary, opt-in, piecemeal solutions often have higher chances to succeed than abrupt all-at-once changes.

nobody9999
1 replies
13h20m

> Make the ID card optional, so that it simplifies things if you have it, but still allows operation without it. If 80% of law-abiding population has the card, only the stubborn deniers will remain targets of easy identity theft and fraud based on it. Partly it will stop being worth the effort, partly it will serve as a good control group.

Kind of like RealID[0]? It exists right now in the US.

[0] https://en.wikipedia.org/wiki/Real_ID_Act

nine_k
0 replies
11h14m

Yes, this is a step in the right direction.

croemer
1 replies
15h43m

If it's optional, then one would need to be able to have a central database of people who have IDs and want providers to require them.

Otherwise there's no protection against impersonation if IDs aren't mandatory.

nine_k
0 replies
15h14m

Indeed. But a federated database is fine, too; this is how Visa and MasterCard work.

Imagine having a bunch of ID cards in your wallet, like you already have (driver's license, library card, office access card, store loyalty card) that all have an interoperable smartcard interface, and a QR code of their built-in public key.

They would be much like contactless bank cards you also keep in your wallet.

Banks and phone network operators are uniquely positioned to sell a validation service for such cards, being highly connected and already having data about their existing customers, which would be an easy initial audience pool.

hattmall
0 replies
20h3m

> Most industries don't do that

They absolutely do, but most of the immigrants have a form of ID that gives the companies some measure of deniability. As long as the I-9 goes through, not my problem. If it doesn't, well that's where contractors come in. Official numbers say around 14 million illegal immigrants. Reasonable estimates are closer to 22 and some non-hyperbolic estimates go as high as 40 million.

willmadden
2 replies
14h21m

Governments murdered hundreds of millions of their own people during the 20th century, and the 21st is shaping up to tell the 20th to hold its beer.

Any proposal for modern ID needs to have Constitutional protections, checks, and balances or it will eventually devolve into a digital police state.

XorNot
0 replies
13h33m

How?

Everyone's like "a government went on an extermination campaign" and for some reason what would've stopped them is the difficulty in identifying who to exterminate?

As though genocides much care about accuracy.

The big secret of Nazi Germany that isn't a secret at all is that they put a lot more than just Jews in those camps.

DiogenesKynikos
0 replies
13h3m

A lack of national ID cards would not have hindered the Nazis in carrying out mass murder one bit.

sneak
1 replies
17h5m

There is another group: those of us who think the trend of requiring ID to transact is a dangerous one.

One doesn’t need to be anti-government to fear governmental intrusion on one’s rights without due process. Our current government does that now.

mistrial9
0 replies
15h25m

> those of us who think the trend of requiring ID to transact is a dangerous one.

agree and second -- history shows that this sort of thing goes badly due to "humans"

77pt77
1 replies
20h5m

> The third is many business owners, because it would become much harder/risky to hire illegal immigrants to work.

Big one, but even though employing illegal immigrants is a crime, it's almost never prosecuted.

Workaccount2
0 replies
5h15m

It's trivial as an immigrant to get a (stolen) SSN. Business owners are not responsible for checking if the SSN is stolen or not.

calculatte
0 replies
13h19m

You're forgetting the entire political left, who claim only whites are intelligent enough to get IDs.

ygjb
10 replies
21h58m

> all because British people think an ID card means you'll get stopped on the street to show your papers.

That's probably because all of the anti-immigration and anti-foreigner people who are asking the government to stop people and ask them for their papers... this is not unique to the UK, Canada, or the United States either, and some of the countries plan to do more than just deport people.

Strong identity is increasingly a meaningful technical requirement, but glossing over the human impact of strong identity controls by the government is not going to have good outcomes either.

pasc1878
8 replies
21h15m

Not really in Britain. Labour tried to introduce some national ID in the early 2000s; the right wingers were the ones who objected the most. The same right wingers who are most anti-immigration.

wsc981
7 replies
13h42m

I think most of those right wingers are against illegal immigration. There's a big distinction here.

I think very few of those so-called right-wingers are -say- against doctors immigrating to one's country if there's a doctor shortage. As long as immigration is all done using legal means. And with proper checks and balances.

I'm a right winger (but not born and raised in the UK). And I am very much against illegal immigration. I also don't want to be required to wear an identity card / passport with me at all times.

Actually, with proper immigration policies in place, the state can be sure that most people inside the state are legal, law-abiding citizens. I don't think in such cases it does make sense to require people to wear an id card with them at all times.

DiogenesKynikos
5 replies
12h58m

There were just a series of mass race riots by right-wingers across the UK, in which they went around smashing up shops owned by immigrants and beating up people who don't look white. This isn't about illegal immigration. It's about racism.

akimbostrawman
4 replies
12h0m

Conveniently omitting the fact that this is a reaction to immigrants going around randomly attacking British people. If you aren't already, consider working for MSM.

Dylan16807
3 replies
10h56m

That doesn't make it any less racist!

But please give some more details on that. The only case I've heard about was a single attacker who was incorrectly called an immigrant.

akimbostrawman
1 replies
6h39m

It adds context which people who manipulate the Overton window for political games and name calling like to exclude.

The person was an immigrant's child. Considering their obvious (violent) refusal to integrate they are too an immigrant.

Dylan16807
0 replies
1h2m

It's completely bonkers to have retaliation like that against a single attack that isn't part of a pattern.

Like, that context arguably makes it worse than if there was no inciting incident, because it's so blatantly blaming a huge group for one person.

themaninthedark
0 replies
5h1m

To bring up more things in the broader context, were there not several "grooming gangs" that were active in Britain recently and the police were reluctant to investigate/prosecute them as it might appear racist?

pasc1878
0 replies
10h25m

Yes they are against all immigrants.

BlueTemplar
0 replies
19h18m

Yeah, id cards aren't mandatory in France either because the precedent when they were comes from literal Nazis. (At least theoretically, in practice you will face a lot of pressure...)

crote
7 replies
20h51m

> Those bits of information are worthless when you need to create a cryptographic signature with your ID card to do almost anything important.

That depends on the type of attack you're protecting against. It might prevent an attacker from filing your taxes for you, but many companies are still going to use this kind of information as primary key. But it's not going to stop an attacker from pretending to be a bank employee, calling a genuine bank employee via a secret internal-only number, and claiming they've got Mr. Doe in their branch trying to do a critical transaction but their phone broke so they can't use the bank app. Yeah, the Mr. Doe living at 987 Main Street, that one. See, you even verified their ID, and it has a SSN of 123456 printed on it - just compare that to our customer database to make sure it's legit!

It also opens up a whole new type of attack. The problem with those smart cards is that there isn't really a way for the user to know what operation is actually happening. You're using a regular PC or smartphone to interface between the smart card and whatever entity you're trying to communicate with. But that could just as well be a phishing website pretending to be that entity, or malware doing a MitM. Or even just a random website pretending to need a signature for "age verification" when it's actually applying for a loan behind the scenes.

There's no "Do you really want to sign over your house to XYZ?" message on the card itself. And suddenly the government/bank/whatever is getting a request with a cryptographic signature which can obviously only be made by you - why would they have to double-check it if it cannot possibly be fraudulent?

I agree that we should be moving to more secure systems, but those ID smart cards aren't a one-size-fits-all solution.

mynameisvlad
4 replies
20h25m

That seems entirely like an implementation detail that doesn't have anything to do with the smart card interface itself.

It's not like it's rocket science to have the reader application detail what the request is used for, and encoding it in the request/response, verified when used, so that it can't be used for anything but the approved purpose.

lmz
2 replies
17h36m

Why do you trust the reader though? It could display one thing and send another. Although I guess this also happens with payment card terminals. Who's to say the €3 displayed is not charged as €300...

DiogenesKynikos
1 replies
12h54m

This is a solved problem.

If the ID is on your phone, you can make it so that the transaction details have to be digitally signed by the person authorizing them in order to be valid. Then, if 3€ shows up on your phone, that's what you're authorizing, not 300€.

lmz
0 replies
11h19m

Sure, given an advanced enough device anything is possible. But I think here we are still discussing a "card" form factor for ID? (Being an "unperson" simply because you don't have a smartphone or have a rooted one would be "interesting").

lmm
0 replies
17h48m

> It's not like it's rocket science to have the reader application detail what the request is used for, and encoding it in the request/response

The reader application can, sure, but what ensures that that "reader application" is genuine and can't be subverted? The card's own processor is supposedly tamperproof, but all the display etc. is in the reader which is probably owned and controlled by whatever third-party you're identifying yourself to, or at best it's a random application running on your PC/phone with whatever malware you have.
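
Added example, not part of any comment in this thread: a Python sketch of the purpose binding mynameisvlad describes, where the relying party, purpose, details and a fresh nonce are all inside the signed bytes, so a signature collected for one request fails verification for any other. It assumes the third-party `cryptography` package; the `Card` and `RelyingParty` classes, the domain tag and the host names are hypothetical, and it does not address the untrusted-display problem lmm and crote raise.

```python
import json
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

# Hypothetical domain-separation tag so these signatures mean nothing elsewhere.
DOMAIN = b"example-id-card/v1\n"


def canonical(request):
    """Deterministic byte encoding of the full request; this is what gets signed."""
    body = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return DOMAIN + body.encode()


class Card:
    """Stand-in for the ID card: the private key never leaves this object."""

    def __init__(self):
        self._key = Ed25519PrivateKey.generate()
        self.public_key = self._key.public_key()

    def sign(self, request):
        return self._key.sign(canonical(request))


class RelyingParty:
    """Issues requests and accepts a signature only over a request it issued."""

    def __init__(self, name):
        self.name = name
        self._pending = {}  # nonce -> exact request issued

    def new_request(self, purpose, details):
        request = {"rp": self.name, "purpose": purpose, "details": details,
                   "nonce": secrets.token_hex(16)}
        self._pending[request["nonce"]] = request
        return request

    def accept(self, public_key, request, signature):
        issued = self._pending.get(request.get("nonce"))
        if issued is None or issued != request:
            return False  # not ours, already used, or fields altered
        try:
            public_key.verify(signature, canonical(request))
        except InvalidSignature:
            return False
        del self._pending[request["nonce"]]  # one signature, one use
        return True


def run_scenario():
    """Constructed scenario: an age-check signature offered to a lender."""
    card = Card()
    site = RelyingParty("agecheck.example")
    bank = RelyingParty("bank.example")
    age_req = site.new_request("age_verification", {"over": 18})
    loan_req = bank.new_request("loan_application", {"amount_eur": 30000})
    sig = card.sign(age_req)
    return {
        "site_accepts": site.accept(card.public_key, age_req, sig),
        "site_replay": site.accept(card.public_key, age_req, sig),
        "bank_loan_with_age_sig": bank.accept(card.public_key, loan_req, sig),
        "bank_foreign_request": bank.accept(card.public_key, age_req, sig),
        "bank_loan_signed": bank.accept(card.public_key, loan_req, card.sign(loan_req)),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```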

nine_k
0 replies
20h10m

As a potential Mr. Doe, I'd love to have an ability to opt in to a stricter mode of banking. I would voluntarily ask my bank to refuse certain types of transactions in my name unless my identity can be confirmed by secure machine-readable means at my presence; internal phone calls should not qualify. It could be a bank card, or a passport — yes, both can be physically stolen, but it's much harder to pull off, and I would immediately warn my bank when I notice.

lmm
0 replies
17h51m

> There's no "Do you really want to sign over your house to XYZ?" message on the card itself. And suddenly the government/bank/whatever is getting a request with a cryptographic signature which can obviously only be made by you - why would they have to double-check it if it cannot possibly be fraudulent?

My country's version uses separate mechanisms with separate passwords for "identify me, revealing my name/DoB/number" and "sign something". Obviously not impossible to pretend that you're signing an innocuous document and have you sign something else, but it at least removes some of the low-hanging fruit.

dotancohen
0 replies
21h15m

  > Identity theft is rampant in the countries that don't have such a system

No, fraud is rampant in the countries that don't have such a system. Calling it identity theft makes it sound like the onus on preventing the practice is on "whoever's identity was stolen", instead of correctly pinning the onus on the bodies issuing accounts and loans without verifying information or identity.

artursapek
0 replies
16h16m

How is key revocation authenticated?

ggm
3 replies
17h59m

Funny you should say that. Australia is trying to launch TEx - designed on open-source models to do this kind of thing. It's hitting the usual roadblocks of public acceptance of government mandated ID, in an economy which trashed the "Australia Card" idea back in the 80s. We're wiser now, we've been frogs boiled slowly: the downsides of central safe ID/auth are outweighed by the risks of loss of info giving everyone 100 points information.

The government now knows what we do most of the time anyway: layer-2 logs on our phones are constant. We lost any privacy some time ago. So now, getting security back might be a net win.

https://www.abc.net.au/news/2024-08-13/trust-exchange-digita...

tacticus
1 replies
17h52m

Except it's being implemented by the people who brought you robodebt.

So I imagine the "Number of people driven to suicide" KPI is going to be pretty high. They're not going to want to ship something that performs worse.

ggm
0 replies
17h47m

Yes. There is that. But it's only true to the extent all government things are brought to you by the government. If the underlying IMS system used for datamatching by ATO and Centrelink is the product of the same s/w development group I'd be a bit surprised. It's different code.

But I am by tendency an optimist, and the open-source part (if they do that) means we can have eyes on their crypto assumptions behind the protocol and what's on the device.

MyGovID, which I think they're baking into it, has been pretty solid. That's distinct from your mygov account, many of which have been hacked, in part because so few people used MyGovID.

(if you've got better info always happy to see it)

ruthmarx
0 replies
5h10m

> layer-2 logs on our phones are constant.

Huh?

toomuchtodo
0 replies
22h12m

https://news.ycombinator.com/item?id=41249568

https://news.ycombinator.com/item?id=40961834

TLDR Login.gov, and publishing a circular to allow businesses to use it to identity proof. Push all liability onto the business for losses if this method is not used to identity proof. ID card as ljm mentions, such as a passport card. Very similar to credit card EMV chips and the liability shift from magstripe.

> I don’t know what that would look like but if I had Congress’s attention I’d like them to fix the problem rather than playing whack-a-mole with banning data sources. I don’t think any actual solutions come from that.

Aggregating data means it can be lost. You must therefore make aggregating and storing data toxic, and impossible to be leaked through eventual mismanagement.

photonthug
0 replies
18h5m

> I’d like them to fix the problem rather than playing whack-a-mole with banning data sources

We should fix the problem and ban the data-sources. Whack-a-mole makes it sound like we're talking about a ban on one company, but what clearly needs to be done is a categorical ban on super sketchy business practices, and that seems simple enough. Data-brokers, if they are going to exist at all, need to accept the burden of proof to establish that every single row involves consent, and they need to acquire new consent for every single resale of the information. If that makes the whole industry unprofitable, too fucking bad. And if this looks bad for business, it gets even worse: good luck getting consent for reselling what is mine without offering me a cut.

Since the above kind of common sense looks crazy these days, let's throw in something even more radical. For anyone looking to fund UBI, ^ here's a start. The trouble with the often-mentioned idea of "tax the data" as a solution for privacy concerns is that these taxes are just redistributing wealth from corporations to governments, while all of the profit is made with our information. Who wants the monetized details of their personal life to pay for the next unjust war, or even the roads in some place they don't live? If we are so valuable, put some of that money back in our hands, and if the price doesn't sound fair to us, then let us opt out of the sale.

kube-system
0 replies
20h37m

It's politically a non-starter in the US. US states have a lot of power that is derived from their ability to maintain their own ID systems. The states have fought for almost 20 years on requirements as simple as REAL ID.

haswell
0 replies
21h8m

I’d replace “instead of” with “in addition to”.

Going after data brokers seems like low hanging fruit, and necessary even if the ID system needs to be replaced. This is a top level issue that needs to be addressed regardless.

While I think it’d be great to design a system where the information you mention is harmless (I’m curious how this would work without just shifting the problem to whatever new identifier is established), the reality is that this information is not harmless, and will continue to be dangerous to leak for the foreseeable future due to the myriad of systems that use this data in its current form. Any theoretical project to replace this would likely be a long and drawn out undertaking. Addressing the information environment in the meantime seems like a good idea.

e_y_
0 replies
17h16m

We should be doing both, for different reasons. Ban data brokers because they allow anyone with a credit card to stalk people, more or less legally. Fix the SSN identity system because even if you ban data broker businesses, dark web brokers don't abide by the laws anyways.

Tanoc
0 replies
13h23m

The uneven availability of information means that no, it's not better to just design a better ID system. Data brokers give corporations far more advantages than a normal person could ever protect themselves against, because even if the data broker doesn't have your government issued credentials they can still easily designate who you are by collating all the data from other means such as purchasing habits, cellular, and service guest lists.

77pt77
0 replies
20h6m

Plenty of countries have smart cards with chips and RSA keys that can be used to verify ID with much higher level of certainty, but then they usually don't use it.

Even just name, DOB and last 4 of the SS number and you are done.

It's ridiculous.

toomuchtodo
0 replies
5h6m

I thought it was a legitimate proposal to the problem at hand, but respect and understand the decision. My apologies for taking the conversation potentially off topic.

https://paulgraham.com/founders.html

> Though the most successful founders are usually good people, they tend to have a piratical gleam in their eye. They're not Goody Two-Shoes type good. Morally, they care about getting the big questions right, but not about observing proprieties. That's why I'd use the word naughty rather than evil. They delight in breaking rules, but not rules that matter. This quality may be redundant though; it may be implied by imagination.

While scoped to founders, I think it broadly applies to a subset of curious people who are wired to solve problems, imho.

yallpendantools
0 replies
14h12m

Err, why do you need a GPT for this stunt? For a quarter of the price of a 2010s mid-range HP laptop, I have a Python script for you.

CrispyKerosene
54 replies
1d1h

Troy mentions "data opt-out services. Every person who used some sort of data opt-out service was not present."

Anyone have experience with these sort of services? A search brings up a lot of scammy looking results. But if services exist to reduce my profile I'd be interested.

JohnMakin
31 replies
1d

> Anyone have experience with these sort of services?

Quite a bit. Often if you request removal or opt-out, you'll reappear in a matter of a few months in their system, regardless of whether you use a professional service as a proxy or do it yourself. The data brokers usually go out of their way to be annoying about it and will claim they can't do anything about you showing up in their aggregated sources later on. They'll never tell you what these sources are. A lot of them will share data with each other, stuff that's not public. It's entirely hostile and should be illegal. I am trying to craft a lawsuit angle at the moment but they feel totally unassailable.

I'm extremely skeptical of any services that claim they can guarantee 100% removal after any length of time of longer than 6 months. From my technical viewpoint and experience, it is very much an unsolved problem.

adelie
17 replies
23h35m

my understanding is that there's a bit of a catch-22 with data removal - if you request that a data broker remove ALL of your information, it's impossible for them to keep you from reappearing in their sources later on because that would require them to retain your information (so they can filter you out if you appear again).

hedora
7 replies
23h19m

I’ve heard this claim, but they could use some sort of Bloom filter or cryptographic hashing to block profiles that contain previously-removed records.

There could also be a shared, trusted opt-out service that accepted information and returned a boolean saying “opt-out” or “opt-in”.

Ideally, it’d return “opt-out” in the no-information case.

michaelt
4 replies
10h1m

Hash-based solutions aren't as easy as we might hope.

You store a hashed version of my SSN, or my phone number, to represent my opt-out? Someone can just hash every number from 000-00-0000 to 999-99-9999 and figure out mine from that.

You hash the entire contents of the profile - name+address+phone+e-mail+DOB+SSN - and the moment a data source provides them with a profile only containing name+address+email - the missing fields mean the hashes won't match.

A trusted third party will work a lot better IMHO.

And of course none of the data brokers have much reason to make opt-outs work well, in the absence of legislation and strict enforcement - it's in their commercial interests to say they "can't stop your data reappearing"

makmanalp
3 replies
3h39m

> Someone can just hash every number from 000-00-0000 to 999-99-9999 and figure out mine from that.

That's what salts are for, right? It wouldn't be too hard to issue a very large, known, public salt alongside each SSN.

> And of course none of the data brokers have much reason to make opt-outs work well, in the absence of legislation and strict enforcement - it's in their commercial interests to say they "can't stop your data reappearing"

This is the actual reason, IMHO.

ses1984
2 replies
3h11m

If the salt is public, what’s the point, then you can get all the salts, and combine them with every possible ssn, and you’re back where you were before.

makmanalp
0 replies
2h11m

No, that is kind of the point of a salt is that it doesn't need to be hidden - it's designed for a scenario where e.g. your database is hacked and they're visible as plaintext: https://en.wikipedia.org/wiki/Salt_(cryptography)

Since the salts are random, unique to each SSN and long: a) you'll find no existing rainbow table that contains the correct plaintext for your SSN hash and b) each SSN now requires its own bruteforcing that is unhelpful for any of the other SSNs

Combine that with a very expensive hashing method like PBKDF2 (I'm sure there's something better by now) and you've made it pretty dang hard for non state actors to bruteforce a significant chunk of SSNs. There's also peppers that involve storing some more global secrets on HSMs.

I'm sure the crypto nerds have like a dozen better methods than what I can come up with but the point is this is not a feasibility issue.

John23832
0 replies
1h59m

A salt works by altering the encrypted output. It's not a secret (though it's often kept secret for an added layer of obscurity).

zo1
0 replies
12h26m

So for a perfect match they'd need to have some sort of unique identifier that's present in the first set of data you ask them to remove, as well as being present in any subsequent "acquisitions" or "scrapes" of your data.

If these devs that scrape/dump/collate all this info are anything like the ones I've seen, and they're functioning in countries like the US and UK whereby you don't have individual identifiers that are pretty unique, then I'd say the chance of them being able to get such a "unique" key on you to remove you perpetually, is next to impossible. And if it's even close to being "hard", they'll not even bother. Doubly so if this service/people/data is anything like the credit-score companies, which are notoriously bad at data deduplication and sanitation.

Likewise, if you want them to do some sort of removal using things other than a unique identifier, then you have to have some sort of function that determines closeness between the two records. From what I've heard, places like Interpol, countries' border-control and police agencies usually use name, surname and dob as a combination to match. Amazingly unique and unchanging combination, that one! /s

lazide
0 replies
11h23m

Yup, it would be trivial to create a one way hash of various attributes to perma ‘opt out’ someone.

But how would they keep making money that way?

wodenokoto
5 replies
23h22m

They could store a hash.

jandrese
4 replies
22h49m

Which would never work because real life data is messy so the hashes would not match. Even something as simple as SSN + DOB runs into loads of potential formatting and data entry issues you'll have to perfectly solve before such a system could work, and even that makes assumptions as to what data will be available from each dataset. Some may be only name and address. Some may include DoB, but the person might have lied about their DoB when filling out the form. The people entering it might have misspelled their name. It might be a person who put in a fake SSN because they're an illegal immigrant without a real one. Data correlation in the real world is a nightmare.

When you tell a data broker to delete all of the data about you, how can you be sure they get ALL of the data about you, including the ones where your name is misspelled or the DoB is wrong or it lists an old address or something? Even worse if someone comes around later and discovers the orphan data when adding new data about you and fixes the glitch, effectively undoing the data delete.

It's a catch-22 that if you want them to not collect data about you they need a full profile on you in order to be able to reject new data. A profile that they will need to keep up-to-date, which is what they were doing already.

vineyardmike
2 replies
22h17m

> Even something as simple as SSN + DOB runs into loads of potential formatting and data entry issues you'll have to perfectly solve

You don’t have to solve it perfectly to be an improvement.

Also this is BS. Not every bit of data is perfectly formatted and structured but both of your examples are structured data. You can 100% reliably and deterministically hash this data.

There’s so much in your argument that can be replied with “imperfect is better than status quo”. If you give someone the wrong DOB, it’s “not you” anyways, at least let me scrub my real data even if the entry is imperfect for some people or some records.
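A sketch of the hash-based opt-out list debated in the comments above, added here as an example and not taken from the thread or from any broker's system. It canonicalises SSN and DOB before computing a keyed hash, so formatting variants collapse to one token, and it reports the records it cannot match (no SSN, unparseable date) rather than silently keeping them. The key, the month-first date formats and all sample records are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime

# Assumption: US-style month-first dates; extend for other data sources.
DOB_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%m-%d-%Y", "%Y%m%d", "%b %d, %Y", "%B %d, %Y")


def normalize_ssn(raw):
    """Return exactly nine digits, or None if missing or malformed."""
    digits = "".join(ch for ch in (raw or "") if ch.isdigit())
    return digits if len(digits) == 9 else None


def normalize_dob(raw):
    """Return an ISO date string, or None if no known format parses."""
    text = (raw or "").strip()
    for fmt in DOB_FORMATS:
        try:
            return datetime.strptime(text, fmt).date().isoformat()
        except ValueError:
            continue
    return None


def suppression_token(key, ssn_raw, dob_raw):
    """Deterministic keyed hash of the canonical (SSN, DOB) pair.

    A per-record random salt cannot be used here because lookups must be
    repeatable; the secret key is what keeps the list from being reversed
    by enumerating nine-digit numbers and dates.
    """
    ssn, dob = normalize_ssn(ssn_raw), normalize_dob(dob_raw)
    if ssn is None or dob is None:
        return None
    return hmac.new(key, f"{ssn}|{dob}".encode(), hashlib.sha256).hexdigest()


class SuppressionList:
    """Stores only tokens, never the identifiers themselves."""

    def __init__(self, key):
        self._key = key
        self._tokens = set()

    def opt_out(self, ssn_raw, dob_raw):
        token = suppression_token(self._key, ssn_raw, dob_raw)
        if token is None:
            raise ValueError("opt-out request needs a parseable SSN and DOB")
        self._tokens.add(token)
        return token

    def screen(self, records):
        """Split incoming records into (kept, dropped, unmatchable)."""
        kept, dropped, unmatchable = [], [], []
        for rec in records:
            token = suppression_token(self._key, rec.get("ssn"), rec.get("dob"))
            if token is None:
                unmatchable.append(rec)   # cannot prove it is not opted out
            elif token in self._tokens:
                dropped.append(rec)
            else:
                kept.append(rec)
        return kept, dropped, unmatchable


# Constructed sample feed: 900-xx-xxxx values are not issued as SSNs.
SAMPLE_FEED = [
    {"id": 1, "ssn": "900-00-0001", "dob": "1980-01-02"},
    {"id": 2, "ssn": "900 00 0001", "dob": "01/02/1980"},
    {"id": 3, "ssn": "900000001", "dob": "Jan 2, 1980"},
    {"id": 4, "ssn": "900-00-0001", "dob": "1980-02-01"},   # wrong DOB on file
    {"id": 5, "ssn": None, "dob": "1980-01-02"},            # name/address-only source
    {"id": 6, "ssn": "900-00-0002", "dob": "1975-06-30"},   # someone else
]

if __name__ == "__main__":
    slist = SuppressionList(b"constructed-demo-key")
    slist.opt_out("900-00-0001", "1/2/1980")
    kept, dropped, unmatchable = slist.screen(SAMPLE_FEED)
    print("dropped:", [r["id"] for r in dropped])
    print("kept:", [r["id"] for r in kept])
    print("unmatchable:", [r["id"] for r in unmatchable])
```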

kube-system
0 replies
21h11m

> You don’t have to solve it perfectly to be an improvement.

They don't want to solve your problem. You aren't their customer. They want to comply with the letter of the request in as much as it covers their own butt in terms of regulatory requirements and/or political optics.

BehindBlueEyes
0 replies
4h33m

There's a trivial way to not re-add data that was removed: don't do it without user opt-in, whom admittedly you have access to ask at the moment of data collection. If you don't have the ability to ask users to opt in, you probably shouldn't be collecting the data anyway, with very few exceptions like criminal records.

edit for clarity: by criminal records, I mean for the official management of them, not for scraping their content.

hsbauauvhabzb
1 replies
13h26m

Sorry, I value my legal rights over the viability of the data broker industry. If they can’t figure out a way for lawfully not collecting my data, they should not collect data period.

ehvatum
0 replies
12h44m

I mean, if we’re not allowed to know that we’re not allowed to surveil the shit out of you, it seems like something we can’t worry about

laweijfmvo
0 replies
3h9m

1. They could be required to store a private copy of the removal requests, data that they can't sell (not ideal)

2. Sounds like "data brokers" that sell private information just shouldn't exist...

shadowgovt
7 replies
1d

It's hard to make collection, aggregation, and sharing of facts illegal.

Not to minimize the harm that can be done by such collections, but the law is justifiably looking for a scalpel treatment here to address the specific problem without putting the quest to understand reality on the wrong side of the line.

digging
3 replies
23h26m

> It's hard to make collection, aggregation, and sharing of facts illegal.

Sure, but the US has a precedent in HIPAA. Not saying it's copy-paste, but... maybe it should be.

I would prefer the law be more restrictive than less, because I don't believe this is true:

> law is justifiably looking for a scalpel treatment here to address the specific problem without putting the quest to understand reality on the wrong side of the line.

I believe the law may use that noble goal as cover for the actual goal: restrict the ability of capital holders to accumulate capital as little as possible. Data sharing isn't a public good in any way. It's mostly not even useful for the targeting purposes it claims. It's extremely reckless rent-seeking that knowingly allows innocent people to have their lives wrecked by identity theft.

shadowgovt
2 replies
23h22m

As someone who helps care for elderly relatives with widely-dispersed out-of-state families, I can point to HIPAA as an excellent example of why crafting this kind of law is difficult.

I think we are going to discover, once people do the research, that HIPAA has done net harm by delaying flow of information for critical-care patients resulting in lack of patient compliance, confusion, and treatment error.

Yes, there is harm potential in insurance companies denying coverage or claims because they are privy to too much information about clients (a scenario that, I'd note, we could address directly by law via a national healthcare system or banning denial of coverage for various reasons) or by employers or hostile actors (including family) discovering medical facts about a patient. I have to weigh that harm potential against my day-to-day of having to fight uphill to get quality care because every specialist, every facility, and every department needs a properly-updated HIPAA directive for a patient (and the divisions between these categories aren't clear to the average non-medical observer).

makmanalp
0 replies
3h24m

> HIPAA has done net harm by delaying flow of information for critical-care patients resulting in lack of patient compliance, confusion, and treatment error.

You won't find any disagreement from me that HIPAA is very complicated. However there's a certain level of whining and foot dragging that happens in the industry that we should take with a massive grain of salt. There's so many HIPAA compliant and still convenient ways these days to have patient communications, but the industry doesn't want to invest and doesn't care about patient experience enough, and then go "sorry, HIPAA :-(((" every time.

With GDPR, after Schrems II happened and it became clearer that the EU-US Privacy Shield was no longer a valid workaround, I personally observed companies (including the one I was in) suddenly moving mountains to complete migration projects and privacy upgrades in just a few months that the industry previously deemed was technically unfeasible or impossible, cost prohibitive, business destroying, etc. And they still remained massively profitable and growing. If they had just done the right thing early on it wouldn't have been on such a tight deadline either.

That was the final straw for me in terms of being very firmly convinced that we should be telling companies to shut up and comply a lot more because they will never do the right thing on their own even if it wasn't /that/ hard. Another approach here is to start holding them liable for the personal costs of data breaches etc and let the incentives take care of themselves. In fact, why not a bit of both?

digging
0 replies
22h41m

Huh, I wasn't aware of such a viewpoint. I've never had or heard of problems with HIPAA preventing timely or accurate care, even with my father going in and out of hospice toward the end of his fight with cancer. I'm really sorry to hear it. At the same time, I do have to wonder if that kind of problem genuinely outweighs the protection HIPAA has given millions of people against harms small and large. (I guess with the state of data privacy today, HIPAA may be basically useless, but that isn't exactly HIPAA's fault.)

lupire
1 replies
21h8m

Europe figured it out.

shadowgovt
0 replies
19h48m

Sure, I should probably have clarified "In the United States," where there's a First Amendment that most attempts to make fact-sharing illegal immediately fall afoul of.

There are definitely exceptions, but it puts strict scrutiny on any novel prior constraint of speech.

harimau777
0 replies
15h43m

Instead of making it illegal, we could simply make the people who aggregate the data liable for making people whole if the data is misused.

mistrial9
2 replies
1d

this is true and nothing new.. mass "gray market" personal information services leapt into markets since VISA and Mastercard fifty years ago, and somewhat before that with driving records, in the USA. The "pure land" of democracy in North America was never pure, and the Bad Old Ways have crept into the corners since the beginning.

fsckboy
0 replies
23h34m

> The "pure land" of democracy in North America was never pure

don't mix your pet grievances together, having full public knowledge of every person in your country is democratizing, frankly, an aid to democracy, not a hindrance. Not saying I want to live in that world, but it's not an impure democracy.

Norway (and others?) already publishes everybody's income statements. Not healthy imo but I guess would aid more accurate snitching (and envious resentment).

JohnMakin
0 replies
1d

The difference now though is an attempt to legislate personal data collection, such as the CCPA. I strongly believe they are violating the law, and that if I opt-out or request removal, an answer of "oh well nuthin we can do" is not acceptable when my data re-appears either on their platform or on another platform they provided data aggregation services to.

lynndotpy
1 replies
19h55m

I've had a very bad experience with Liberty Mutual following a data opt-out from another service. They sent me on a runaround, ending with an email saying to follow "this link" to verify myself. (There was no link, only sketch.) I ended up getting a human on a phone through special means, and they sent me a fixed email with a working link.

I should be hearing back from them in the next 32 days, as this was 13 days ago.

dawnerd
0 replies
11h22m

I got a quote from them and immediately initiated a data removal request. It seems like it went through, got a link in the email. Thanks for the reminder that I might need to follow up to make sure they followed through.

jmkni
10 replies
1d

If you're willing to tempt fate, the best way to 'opt-out' is to tell people, when they call asking to speak to 'your name', that 'your name' sadly passed away recently.

j-bos
2 replies
1d

Could cause you to be listed as deceased in some database sending your life into a Kafka story.

lupire
1 replies
21h9m

"How do you know he's dead?"

"I called him on the phone and he told me!"

lazide
0 replies
4h32m

Called on the phone - and the person who picked it up said the dude was dead.

Which is how it plays out when someone dies, generally, and the family is there dealing with the aftermath. FYI.

bragr
2 replies
23h23m

I knew someone falsely declared dead (probably a paperwork mix-up around pensions when his ex-spouse died). Without warning, he lost all of his pensions, social security, medicare, etc, along with most financial institutions freezing accounts and canceling credit cards. Many long phone calls, letters, and lawyers eventually resolved most, but that never fully purged the public and private death records so there would be random issues for the rest of his life (failing fraud checks, brief interruptions to pensions, trouble with the cable company).

avh02
1 replies
8h42m

You'd think something like that would require a death certificate to actually happen

red-iron-pine
0 replies
3h53m

most places do. though often a poor quality faxed copy is sufficient

actionfromafar
1 replies
1d

I have tried that, with a particular caller. They always call back.

rolph
0 replies
1d

that sounds very traumatizing, next explain that you have,

filed for injunctive relief from emotional duress due to actions of defendant.

and can't speak any further as instructed by legal counsel

dawnerd
0 replies
10h51m

Data brokers don’t care. Whoever calls you will move on but that’s it.

autoexec
0 replies
17h40m

I prefer to just never answer a phone call unless I know who is calling and it's someone I know personally and want to speak to. Even then, those people know I'd rather they text anyway so when they do call it's more likely to be really important.

spdif899
2 replies
19h39m

I use permission slip and I am not in the breach as far as I can tell

roughsquare
0 replies
3h21m

"Not available in your region" bloody hell.

eks391
0 replies
1h33m

Did you use a grep command? The file is too large for me to open and I have not used grep before to have confidence with it.

Edit: nvm, ``` findstr /i /r ".000000000." ssn.txt ``` did the trick in powershell, with the zeros replaced with the ssn. Also there is a star after each period that HN has changed to italicize the text instead of showing it.

laweijfmvo
1 replies
1d

I have used (free trials) and currently use (discounted annual) a service called incogni. It's hard to really verify what's going on, but they at least show the brokers they are contacting on your behalf, and I've directly received confirmations from some.

Anecdotally, searching my name on Google pretty much no longer returns those scummy "People Finder" pages that just scrape any public records they can find.

That said, I hope incogni is happy enough with my money that they themselves don't do anything scummy.

Also, freeze your credit at the big three. do it now.

zikduruqe
0 replies
5h21m

In the past I have just searched for my own name. And when I found a match, I would go to that site and request to be removed. It is a lot of work, but thus far it has been successful.

And I say this, because I was on a TV show years ago, so my real name is all over the internet from an entertainment point of view. But, if you search my real name, there are little to none pointing back to "public record" websites and the such.

wongarsu
0 replies
1d

A lot of the data opt-out services are operated by or have the same owners as data brokers. So at the very least they are selling both the poison and the cure.

tjoff
0 replies
22h21m

Since it is Troy I assume it is legit, and I haven't read the link yet. But... How does he know that?

Have the opt-out services leaked as well? Or is no one using them? How would we know?

silisili
0 replies
19h2m

Many seem scammy, and I went through the search before and gave up.

Then, as fate would have it, a HNer (tjames7000) mentioned he made EasyOptOuts for this reason, so I signed up. Cheap, seems effective, absolutely no complaints.

paulgerhardt
0 replies
23h31m

Consumer Reports just published (as in last week) a report[1] surveying a number of these services and found almost all of them to be a little bit effective, none of them to be highly effective, and the cheapest of the lot to be the most effective (EasyOptOuts).

Of note, opting out of a service by yourself by hand was only 70% effective ($0). Using EasyOptOuts was around 65% effective ($20) and using Confidently was only 6% effective ($120).

[1] https://innovation.consumerreports.org/wp-content/uploads/20...

throwup238
35 replies
23h58m

> While the specifics of the data breach remain unclear, the trove of data was put up for sale on the dark web for $3.5 million in April, the complaint reads.

I guess they failed to sell it because links to the leaked data on usdod.io have been available on Breachforum/Leakbase for over a week now. Someone created a magnet link yesterday and it's fully seeded so speeds are fast.

The data in the breach is irreversibly public now.

bhaney
24 replies
22h20m

> Someone created a magnet link yesterday

Are you against simply sharing the infohash here? I'd like to download the leak to see what information it has on myself and my family, but I don't really relish the idea of signing up for a breachforums account and sifting through its posts if I can avoid it.

hypeatei
11 replies
20h26m

Here is a strongly encrypted base64 version to keep hackers out:

bWFnbmV0Oj94dD11cm46YnRpaDozY2FhNzFmM2VjOGNiY2NjNmZjYTRmZWI3MTg1ZGEyYmFiMTQ5YmE3JmRuPU5QRCZ0cj11ZHA6Ly90cmFja2VyLm9wZW5iaXR0b3JyZW50LmNvbTo4MCZ0cj11ZHA6Ly90cmFja2VyLm9wZW50cmFja3Iub3JnOjEzMzcvYW5ub3VuY2U=

Allegedly, the password (also base64 encrypted) is:

aHR0cHM6Ly91c2RvZC5pby8=

Aeolun
7 replies
17h53m

Has anyone been able to reverse this base64 encryption? Whatever am I going to do with this?

qwertox
1 replies
10h26m

Wasn't it a joke?

Aeolun
0 replies
1h13m

I just knew someone was going to take it seriously xD

Aeolun
0 replies
1h12m

It was a joke, but thank you. The internet needs more helpful people.

acidburnNSA
2 replies
17h34m

It can't be reversed, unfortunately. base64 has been peer proven as mathematically unhackable.

meowface
0 replies
9h18m

Same for base16. That's why those pesky hash digests always use it.

harshreality
0 replies
11h45m

Username checks out.

Vicinity9635
1 replies
48m

I dug into this a little and one of the files is 164GB. How do you even work with these files? That is, how would I search for my SSN on my windows box?

diggan
0 replies
3m

That's not even that big? `cat big_file | grep my_term` would go line-by-line and show any lines matching your query. If you're doing a lot of queries, you'd probably want to index it, so you throw it into a sqlite database with the usual SQL utils.

Edit: I missed you said Windows. Probably PowerShell has similar utilities, so you can do `ReadFileLineByLine \r \d big_file | ReturnHitBySearchTerm \v \t \s my_term` or something similar.

AmpsterMan
0 replies
58m

I get it now, but I have so much imposter syndrome that I wasn't sure if this was ACTUALLY something I needed to figure out -__-

flockonus
10 replies
21h58m

fyi that is likely to be a crime, at the very least there have been cases of websites being punished for linking to illegally distributed IP (even if not hosting it).

bhaney
8 replies
21h53m

I'd be worried about legal repercussions if we were talking about the latest Disney movie, but this is merely the private information of a billion people. Never seen IP law give much of a crap about that before.

ethbr1
6 replies
21h12m

Private information on people is Equifax's IP.

Zuiii
4 replies
13h42m

A collection of facts is not and can not be copyrightable, especially when it was mechanically derived/collected (no human creativity). So, no, it is absolutely not "Equifax's IP".

adolph
1 replies
3h35m

So I could copyright my SSN in the EU and sue Equifax et al.?

rjmunro
0 replies
12m

Not on an individual basis. If you collected a large number of them and someone copied them from you, then you could have a database right claim, which is sort of similar to copyright, but much less powerful. https://en.wikipedia.org/wiki/Database_right

hulitu
0 replies
8h41m

Yeah, in the EU it does have Palantir's protection. /s

basch
0 replies
3h10m

which has yet to leak. as far as we know, the equifax data never became public.

Dalewyn
0 replies
9h47m

1 pirated Disney movie is a tragedy.

3,000,000,000 leaked Social Security Numbers is a statistic.

-Joseph "Social Credit" Stalin

...Is it obvious I, as an American who can confirm my SSN (and whatever else) was leaked by this, sincerely couldn't care less because this is leak incident number 897165176548795647564576415671?

That $10 UberEats gift card from CrowdStrike would be more valuable than another batch of Free Credit Monitoring(tm).

jmprspret
0 replies
21h51m

Is this NPD's "IP" though? Is my personal information that company scraped, now that company's intellectual property?

lynndotpy
0 replies
21h43m

BitTorrent uses something called a "distributed hash table", for which there exist services to search it (btdig, etc). You can use one of those alongside the torrent name (NPD) to find it.

I haven't downloaded it, but my understanding is that the data comes compressed and with a (weak) password.

1vuio0pswjnm7
7 replies
15h55m

Now everyone just needs to send their email addresses to HIBP, i.e., email HIBP, so he can connect these identities with IP addresses and working email accounts. For people's protection of course.

After everyone "has been pwned" then there is no need for HIBP. The answer is always "yes". Yet I am certain sites like "HIBP" will never go away. Something about email marketing.

Some HN commenter(s) will inevitably try to defend HIBP. But this comment also refers to sites "like HIBP" that use data breach dumps opportunistically to generate web traffic, collect IP and email addresses. Some folks just do not see what is wrong with the idea.

MattGaiser
2 replies
11h47m

> After everyone "has been pwned" then there is no need for HIBP.

You can be repeatedly pwned with updated/different information. It is not a one and done thing.

vlovich123
1 replies
11h40m

And people are born and die

lazide
0 replies
11h24m

Allegedly /s

jve
1 replies
5h32m

There is trust involved here. And people trust Troy Hunt.

And of course you can download SHA ranges and do lookup offline: https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

He even previously encouraged to download via torrent, but now it seems there is a custom tool to download that data.

shkkmo
0 replies
2m

The offline lookup is just for passwords (the pwned passwords service) and is used to prevent people from using known breached passwords.

There is no offline availability for the Have I Been Pwned data on which emails were present in which breaches. Access to this data is rate limited and paid API keys are needed for bulk access.

dtquad
0 replies
15h30m

HIBP has been audited by independent 3rd parties.

1vuio0pswjnm7
0 replies
11h5m

Using data breach dumps to get web traffic and IP/email addresses under the guise of "helping" is lame. Then partnering with so-called "tech" companies that collect data as a "business". Data collection is the cause of the problem not the solution.

aa_is_op
0 replies
9h22m

Nobody's gonna pay that much money for it when you can get it from ad companies for pennies

quantumfissure
30 replies
23h29m

For non-Americans (and Americans) that don't quite understand what SSN is and why it's a problem, CGP Grey [1] has a great (and short) video about the history and why it's not technically an identifier, but has become one.

[1] https://www.youtube.com/watch?v=Erp8IAUouus

fragmede
20 replies
23h16m

The video doesn't quite get into the problem of identity theft, which is when someone uses your stolen creds to claim they are you, and then go on a shopping spree which may include buying a car under your name. You shouldn't be liable for debts incurred after having your identity stolen but proving that is a lot of work.

adamomada
15 replies
23h7m

I never really understood why the onus is on any person to prove they didn’t do something. Shouldn’t the shaggy defence be sufficient?

e.g. You get hauled into court for a lawsuit demanding the loan repayment, for a loan someone else used your name to get?

- It wasn’t me.

https://en.wikipedia.org/wiki/Shaggy_defense

jandrese
7 replies
22h59m

The reason the Shaggy defense doesn't work is the default assumption of the courts is that you're a deadbeat trying to game the system. This assumption comes about because in the majority of cases it is the truth. The system would be a lot nicer if there weren't people trying to scam it every hour of every day of the week.

lesuorac
1 replies
19h12m

> The reason the Shaggy defense doesn't work is the default assumption of the courts is that you're a deadbeat trying to game the system

Isn't that the opposite of innocent until proven guilty?

rprospero
0 replies
6h48m

When I was in the Boy Scouts, a local judge came to speak with us about the legal system. I asked a similar question and he admonished me that innocent people never wind up in court. He explained that every person who is in a trial (criminal or civil) is guilty of something. A judge's job was merely to determine if the prosecution or plaintiff was correct about what the defendant was guilty of. He was very annoyed that ignorant people, who had never been to law school, kept spreading this nonsense that some defendants were innocent.

kbenson
1 replies
22h16m

> a deadbeat trying to game the system.

The problem with putting a value judgement on this is that it will precondition people to assume good faith or bad faith on the validity of the assessment based on how they interpret the fairness of the court system.

Instead, we could just say that the majority of the cases are people trying to get out of legitimate debts. If we wanted to go farther, we could say that's because some people just don't feel responsible for their own debts and some people make a choice that a last ditch effort to get out of a debt they know they should pay rather is the lesser of two evils when the alternative is to continue to fail to provide adequately for their family given their circumstances, and how different people may draw that line at different points.

That's harder to articulate and a larger discussion that may be a tangent people aren't interested in discussing though, so it's probably just simpler to keep the value judgements out of it if the intent is to keep the discussion productive.

autoexec
0 replies
19h34m

> Instead, we could just say that the majority of the cases are people trying to get out of legitimate debts.

There's another discussion which could be had about just how legitimate even "legitimate debts" actually are in some cases but that's even more in the woods.

harimau777
1 replies
15h51m

Doesn't that violate innocent until proven guilty?

jandrese
0 replies
13m

Welcome to the legal system in the real world. Pro tip: for the best outcomes for you be sure to be rich before engaging.

pocketarc
0 replies
22h39m

> This assumption comes about because in the majority of cases it is the truth.

Are we saying that if you can show you have enough income / assets, it'll be that much more likely that you'll be fine in those cases?

kube-system
2 replies
20h53m

When someone named adamomada comes to the bank for a loan, the presumption is that adamomada will repay the loan.

If they knew it wasn't you, they wouldn't have written the loan in the first place. They're asking you to repay it because they really do think it was you.

If "it wasn't me" was all anyone had to do to get out of paying a loan, many people would do it.

rvnx
1 replies
20h13m

It's much more subtle, fraud is accepted and part of the business. Even if you are not 100% certain of the identity of the person, what matters is how likely you are going to get paid back.

For example, when you purchase online, some merchants do not check who is the owner of the card, or the address. It's done on purpose, because some people borrow the card of the others, some people don't want to use their card, etc. And overall it's all about risk management, but if the holder is really the one in front of you is just one factor among others.

kube-system
0 replies
19h41m

It’s not “accepted” as much as it is just simply impossible to completely avoid at any kind of scale.

Even if online payments were eliminated, and you had to show up in person with a birth certificate and passport to perform a transaction, fraud would be non-zero.

To have a functioning business, people need to be able to use the system.

enlyth
1 replies
21h45m

Is that even a Shaggy defense? The whole point of the Shaggy defense was that it's saying it wasn't you despite overwhelming evidence ("She even caught me on camera - it wasn't me")

But in this scenario, there is basically zero evidence it was you

adamomada
0 replies
21h22m

I thought it was, they would have to have some sort of evidence of your name, dob, ssn, blood type, etc. But in the end it was just your information used fraudulently; you the person did not authorize the loan and therefore it really isn’t your loan.

acchow
1 replies
22h11m

"Identity Fraud" is institutionalized victim blaming. The claim is that the person whose identity was stolen was defrauded (and they should protect themselves or fight back), but in reality it was the creditor that got defrauded.

SAI_Peregrinus
0 replies
17h9m

And in turn libeled the person who they thought had borrowed from them.

CivBase
1 replies
21h4m

"Identity theft" is just fraud, rephrased to make us the victims instead of the defrauded companies.

That's why SSNs are still such a big deal. Why fix the problem when you can just make it someone else's problem?

sangnoir
0 replies
21h51m

> You shouldn't be liable for debts incurred after having your identity stolen but proving that is a lot of work.

The first step is to call it what it is: fraud by misrepresentation. The owner wasn't deprived access to their identity (a key component of theft), they weren't even involved in the transaction. Companies want to have their cake and eat it - have low barriers to making sales/offering loans without rigorously verifying the identity of the person benefiting and be shielded from losses when their low-friction on-boarding fails and lets in fraudsters.

If a home buyer is duped into transferring deposit into a fraudster's account, they don't blame it on corporate "identity theft" and put the escrow agent on the hook by default.

freehorse
0 replies
22h34m

In many other places SSNs are non-sensitive data. There is not much one can do just knowing a SSN. Usually one has to do some kind of verification (eg using some sort of authentication app, if online). Which is why it is so confusing.

acchow
5 replies
22h12m

Not only an identifier, many places use it as a secret.

cbsmith
2 replies
20h37m

Which is dumb.

Aeolun
1 replies
17h50m

One could argue criminal.

Feel like it’s kinda like my bank using my email as the password or something.

cbsmith
0 replies
17h46m

You're not wrong.

chii
0 replies
11h51m

Plenty of places also use mother's maiden name as a password/secret too.

beretguy
0 replies
7h50m

DBA at my previous job wanted to use SSN as a primary key. I felt like I’m talking to a child trying to convince him not to do that.

aryonoco
1 replies
17h25m

It's so interesting how Australia went the other way and actually banned the use of any government-issued ID number as a primary identifier by any organisation other than the government department which issued that ID number.

In the 80s, the very popular Aussie prime minister, Bob Hawke wanted to introduce a National ID card, complete with a unique number, that would then be used for everything from Medicare to tax filing. The government however did not have the numbers to pass it through the Senate. Hawke called a double dissolution (dissolving both lower and upper houses of parliament) over the issue. He was returned to power after the election but still without a majority to get the bill through.

There were then attempts to use "other" government issued ID cards like the Medicare number, for this purpose. To prevent this, a few years later, a bill was passed that would prevent any such use.

In reality, this means businesses can ask for government issued numbers but it has to be optional and voluntary, and never used as a primary ID. When I go to my doctor for example, I can provide them with my medicare number, in which case they will claim the Medicare rebate on my behalf automatically, or I can refuse to provide them this number, pay the doctor's fee in full, and claim the rebate from medicare myself separately. Similarly I can provide my bank with my tax file number, in which case they will automatically tax my interests earned according to my income band. Or I can not provide them my tax file number, in which case they'll tax my interest rate at the highest income band, and I can then get the money back from the tax office when I file my tax returns at the end of the year.

In Australia we don't have a Bill of Rights. We don't even have a right to freedom of speech. The police can ask us to unlock our phones without a warrant; etc etc. Yet when it comes to privacy, our laws are very clear. For a country with such a history of protecting individual liberties, it always amazes me that the United States takes such a laissez faire approach to privacy.

sudo_bang_bang
0 replies
18h15m

It’s both a username and a password

EvanAnderson
28 replies
21h56m

For years I've said the entire SSN database just needs to be published alongside legislation strictly assigning liability to any company who is defrauded as a result of using the SSN as a "secret". That would fix the problem with SSNs and "identity theft" quickly.

Part 1 has been accomplished. Let's get part 2 going!

Aside: It amazes me how the American public has allowed defrauded companies to assign the company's loss as a liability to innocent individuals (in the form of "identity theft"). It would be great if we could get that changed in the minds of the public. A well-informed public could collectively turn "identity theft" into the "bank's problem" (from the old adage "If you owe the bank a billion dollars they have a problem..."). The insurance industry would swoop in as the defrauded parties start making claims and shoddy security practices would get tightened-up.

(Edit: I fear insurance companies coming in to "fix this" to some extent-- citing my experiences with PCI DSS compliance auditing and Customers who have had 'cyber insurance' policies coming with ridiculous security theatre requirements. Maybe we can end up with something like a 'cyber' Underwriters Labs in the end.)

(Also: Yikes! I hate that I just typed 'cyber' un-ironically.)

janalsncm
15 replies
21h44m

Identity theft is a very clever term to shift blame from the company to the consumer.

https://youtu.be/CS9ptA3Ya9E

It’s a comedy bit but I take its point seriously: if the bank gives away money, it’s the bank’s job to make sure it is repaid. Not mine, unless I was actually a party to the agreement.

Eji1700
14 replies
21h31m

Well then you're up against the wall of digital verification.

I know there's a fuck load of situations where the banks are 100% screwing the customer to their benefit, but there's a legit conversation about people who give out their passwords, or claim they did, when money gets wiped out.

If you meet all the requirements to identify yourself to the bank, at what point does the bank have to say "this is that person, and that transaction is legal".

Now granted:

1. With passkeys and biometrics and 2FA we've got a lot of better ways to make these accounts secure, and hopefully more idiot proof. I'm hoping we start getting rid of email/phone for 2FA as a valid option though.

2. The moment the police are treating it as an identity theft case, the bank should be required to pony up. I don't know if that's the case (and wouldn't be surprised if they fight it tooth and nail), but at that point you have a state or federal entity acknowledging this is not a legit transaction, and therefore you should be compensated by the bank, and they can get their money back from the insurance companies that insure against this kind of thing.

autoexec
3 replies
21h4m

If you meet all the requirements to identify yourself to the bank, at what point does the bank have to say "this is that person, and that transaction is legal".

Our current system is entirely built on ridiculous levels of trust, mostly for convenience / cost saving reasons. I've made payments over the phone with nothing more than the information found on the bottom of every check I've ever sent. I routinely hand my credit card to waitstaff making 7.25 an hour and in that moment I'm handing every last one of them the ability to snap a photo of my card on their phones and go on a shopping spree at my expense.

As insane as our system is, it's mostly worked. Even though I've been made to pass around my account info countless times, I've never once had my accounts cleaned out. If a single mother with less than 1k in her account gets robbed, I have a hard time blaming her. She had zero say in the design of this system, and she's the person least able to deal with the cost of the consequences of it.

On the other hand, I have very little problem putting the blame on the banks which do control much of the system and who can more than afford to cover the costs of such incidents. This puts a small amount of financial pressure on them to improve the systems they've created and forced the rest of us to use in order to participate in society.

There are all kinds of things they could be doing to reduce fraud, but they don't. Mostly for convenience / cost saving reasons. I consider their refusal to take even simple steps to improve the security of their systems as their implied consent to continue accepting the responsibility for the still rare instances where criminals take advantage of their inaction.

dredmorbius
0 replies
9h45m

Financial transactions are premised on 1) the ability to detect fraudulent activity in realtime --- rather than solidly establish identity, payment processors are looking for indicators of fraud, and 2) reversibility of transactions --- if fraud does occur, funds can be clawed back, usually with the vendor holding the bag / taking the hit, rather than either the bank or account-holder.

GoblinSlayer
0 replies
10h51m

IME the system uses increasing authentication rigidity as payment sum grows.

pests
2 replies
14h58m

How do you feel about the recent case where a caretaker for a disabled person who was given permission and access to use the person's cards, banking app, etc ended up stealing from the person? The bank's response - they had given the caretaker access so it was their fault.

Even if you have all the passwords and bioinformatics, passkeys, 2FA, etc - how can you prevent theft like this?

hollerith
1 replies
14h54m

Just because the bank didn't reverse the transaction doesn't mean the disabled person can't sue the caretaker and doesn't mean a prosecutor can't charge the caretaker.

Eji1700
0 replies
14h2m

Doesn’t mean the victimized party is super unlikely to get their money back, and any they do get will be months or years after the fact

lupire
2 replies
21h21m

Banks should get insurance to cover their negligence. They weren't careful.

previousjs
1 replies
21h1m

See how credit cards work (at least where I have lived). Someone fraudulently cloned my card after a petrol station visit and I got it fixed as soon as I noticed the weird transactions. The bank or VISA footed that cost. UK has statutory law on this. Probably because of how CCs used to work with that carbon copy crap.

EvanAnderson
0 replies
20h53m

In the US merchants are the ones footing that cost, either in merchant fees (which they then pass on to the Customer in the form of higher prices) or directly (by the credit card company refusing to pay the merchant).

It might be different now, but in the late 90s I sold some laptops to a buyer using a stolen credit card. The cardholders had no fraud liability but my company ended-up having to eat the cost of the stolen laptops. The credit card company simply didn't pay the amount of the fraud in their settlement with us.

coder543
2 replies
21h7m

The Google Authenticator app (just as a mainstream example) was released 14 years ago. When we're still waiting for a lot of banks to even support TOTP, consider me unimpressed with the level of effort banks are putting into securing my accounts.

quohort
1 replies
17h40m

Good news loyal customer, we now support 2-factor authentication!

... over SMS!

internet101010
0 replies
16h55m

I had my phone number stolen (SIM swap) two months ago and am still dealing with random things.

2FA over SMS is not a valid form of 2FA and I will die on that hill.

GoblinSlayer
0 replies
11h2m

Well then you're up against the wall of digital verification.

That's the whole point, they should use a standardized authentication process. The problem is that they don't use any authentication at all. They just give money away because they can extort it back from an unsuspecting victim like some gangsters.

kube-system
6 replies
21h17m

US law does generally make fraud the bank's problem. Identity theft isn't a loophole in this, it is a situation in which there is a logical ambiguity in differentiating one fraud from another. If they just believed everyone who said "it wasn't me that spent that money!" that would just be opening another vulnerability.

EvanAnderson
5 replies
21h9m

I think we've got liability pretty well buttoned-up in the banking industry. I'm more concerned about the non-bank businesses. (I recently obtained utilities at a new house. All three utilities-- electrical, gas, and water/sewer-- use my SSN as an authenticator for my account. In 2024.)

kube-system
2 replies
21h3m

It isn't great, but I don't think there's much risk there. There's not really much of a motivation for some random person to get into my utility account. The balance is never positive. Utilities are physically bolted to my house. They're pretty heavily regulated too. If someone wanted to steal electricity from my house, they can use the outlet on my patio that has zero authentication whatsoever.

mylastattempt
1 replies
18h11m

You should read some fraudster diaries. Having the SSN as authentication, means you can con the utilities employee into handing over all of your other personal information. Date of birth, current and past addresses, spouse or roommates, parents if they are with the same utility company. They can then turn around and use that information to apply for a credit card. Now all they need is to wait by your mailbox or pay the postal worker $100 to not deliver the card and letter.

That info is, in fact, already easily obtained through leaks, but I just wanted to give your "utilities" case some clarity. Now the fraudster can apply for a credit card in your name, and before the month has passed you are on the hook for $3000 in cc charges/debt which cost the fraudster a mere 12 minute phone call and 10 minutes skimming through the leaked records from this HN post to find your SSN.

kube-system
0 replies
16h20m

Yeah, I’m aware that any data that can be used to obtain more data is an issue. But I figure if someone knows my utility company and SSN, they probably already have an address. And with an address it’s easy to get the rest of that information through people search and public records.

meowster
0 replies
15h11m

When I obtained utilities for my house, none of them required my SSN. The water company asked, but I declined, so they asked for a fax of my DL (which I could have probably photoshopped, but didn't).

Just because people ask for something, doesn't mean you have to give it to them. I leave fields blank all the time on different (paper) forms (including when they ask for SSN), virtually no one hassles me.

GoblinSlayer
0 replies
10h43m

I maintain my utilities account by email.

EvanAnderson
0 replies
21h44m

YES!

I couldn't remember their names and absolutely was thinking of this.

h_tbob
0 replies
6h17m

As crazy as it is… kinda smart lol

dredmorbius
0 replies
9h47m

It's not even necessary to publish the database. Pass a law, or even possibly a regulation or court instruction, that SSN is not a sufficient basis to establish identity, and that any unauthorised financial transaction, legal document, commercial transaction, or other use relying on SSN is considered prima facie uninsurable fraud.

Use would likely diminish markedly.

al_borland
0 replies
12h21m

Ever since the Equifax breach I’ve been a proponent of a new national ID program to replace the SSN, that can be designed for what the SSN has become and tolerant to these never ending data breaches.

Maybe this will give a second chance at a conversation around that, but I’m not too hopeful.

datadrivenangel
19 replies
1d1h

"there were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct. "

Seems like Troy is skeptical about this being a real full breach?

fullspectrumdev
15 replies
1d

A lot of these data brokers hold wildly inaccurate information.

LeifCarrotson
14 replies
22h58m

You too can be a data broker!

    for (i = 0; i < 900000000; i++)
        insert(first: random_firstname(), last: random_lastname(), ssn: i);

Does anyone really really care if the name is accurate if the SSN is present? More than half of the SSNs in the above dataset are valid.

ryanisnan
11 replies
22h46m

You probably are posting this as a joke, but without a clear technical solution to this problem, flooding the industry with bullshit data seems like a great avenue.

autoexec
6 replies
17h27m

That was the idea behind certain applications and add-ons that would browse around to popular websites and randomly click ads so that marketers couldn't tell your actual interests from fake ones.

Unfortunately that strategy is deeply flawed and dangerous because nobody cares if the data they have on you is accurate or not. They still can, and still will, use it against you at every opportunity. Every scrap of data they have, accurate or not, can be used to hurt you.

The only way to flood data brokers with garbage data that can't hurt anyone is to fill it with entirely fictitious people who somehow can't be mistaken for any actual people. Even that runs the risk of hurting real people though. For example, an insurance company might go to a data broker and ask for the number of people within a certain neighborhood or zip code who bought fast food more than once a week in the last year and how many have a gym membership. If the number of frequent fast food buyers is higher than it was last year and/or the number of gym members is lower the insurance company might decide to raise the rates of every single member within that neighborhood or zip code. Even fake people could skew those numbers if their fake data said they lived in those zip codes or neighborhood and ate out a lot or didn't have a gym membership. Indirectly, the fake person is mistaken for being a real one in that community.

The best way to deal with data brokers is to regulate them with strong data protection laws. Anything you give them risks hurting someone and gives them another data point to sell.

ryanisnan
1 replies
4h46m

Isn't something like regulation with strong data protection laws a bit late at this point? It seems fair to say that most people alive are already scooped up in 1 large data breach or another.

And that data has been made public likely in some form, and is probably replicated to dark corners of the planet.

Don't get me wrong, regulation on these industries seems like a no-brainer, but it seems unlikely to remediate the damage already done.

autoexec
0 replies
2h27m

That's kind of true. Preventing the sale of it will make it harder for it to be used against you. Even if scammers can still buy or download your data from the darkweb your future employers and the companies you interact with are a lot less likely to go that far to get their hands on it, so all that data being out there will impact your life less and less. Even better, fewer places will be collecting new data about you. Your social security number and date of birth don't really change, but your income, medical conditions, home address, spending habits, sex life, and location history do.

ruthmarx
1 replies
5h35m

Every scrap of data they have, accurate or not, can be used to hurt you.

What are some examples of inaccurate data, as in completely false data, being able to hurt me?

autoexec
0 replies
1h23m

You can never know what might prejudice someone else against you. Maybe you get flagged as being gay when you aren't, or as holding certain religious or political views that you don't. Extremists, activists, and protestors can go to a data broker and buy up lists of people to harass or attack. Data brokers have already been caught collecting data on people who visited Planned Parenthood locations and selling that data to anti-abortion groups.

You could be incorrectly flagged as having more money than you do, causing companies to charge you more than they charge your neighbors for the exact same items. Discriminatory pricing has been happening for a very long time. Just using a different browser can cause prices for some online services to change. (https://www.bostonglobe.com/business/2014/10/22/online-shopp...) For example, Apple users might be seen as having/spending more money and so the prices they get for hotels and airfare can be higher. Increasingly, brick and mortar stores have been trying to get in on the action too. (https://link.springer.com/article/10.1057/s41272-019-00224-3)

If you have a browser extension that randomly visits sites and clicks on ads. Maybe it clicks a bunch of ads for alcohol or marijuana. Maybe it clicks on ads for mental health services, addiction/recovery services, or suicide hotlines. That data can be used against you in court during a divorce/child custody case. It might make a company less likely to hire you. It might cause your health insurance company to charge you more.

Maybe it clicks on ads for DUI attorneys and suddenly your auto insurance rates go up. The company isn't going to tell you that's why. They might not even know why. Their algorithm just decided you were more high risk than before.

Every data broker is creating a dossier with your name on it, and they are stuffing it with every scrap of data they can get their hands on. That data can cost you a job or a rental contract (see https://nypost.com/2022/12/20/how-employers-spy-on-your-sear... and https://themarkup.org/locked-out/2020/05/28/access-denied-fa...).

The data being collected on you can get you arrested or questioned by police. (see for example https://www.nbcnews.com/news/us-news/police-google-reverse-k... and worse https://www.nbcnews.com/news/us-news/google-tracked-his-bike...)

Any data for sale, accurate or not, is going to be used against you. The people paying data brokers for information about you aren't doing it because they want to help you. They want to help themselves at your expense. And it's insane how many people are buying up that data and using it whenever they feel it might give them even the smallest advantage. Companies are using that data to decide things like how long to leave you on hold when you call them. (https://www.nytimes.com/2019/11/04/business/secret-consumer-...)

notpushkin
1 replies
9h2m

might decide to raise the rates of every single member within that neighborhood or zip code

Wouldn't that be against redlining laws? https://en.wikipedia.org/wiki/Redlining

autoexec
0 replies
2h42m

I doubt it, since nobody is being denied housing or services. Health insurance companies have plenty of data to back up their practice. Your zip code might be the single most important predictor for longevity (https://time.com/5608268/zip-code-health/).

More importantly, your insurance company is never going to tell you that that's why they raised your rates. You're just going to see a high bill. Same way that a potential employer isn't going to tell you that you didn't get the job because of something you said on social media 14 years ago, or because the information they got from a data broker says you drink a lot. You just get ghosted.

That's the problem with surveillance capitalism. Even as all that data increasingly impacts your life you're almost never aware that it's happening and have no ability to appeal or correct the record.

saintradon
2 replies
11h24m

I have a silly standup joke along these lines, about how I'd Google crazy things like "circus lawyer" or "giraffe mitigation tactics" to throw the algorithm off every now and then.

briandear
1 replies
9h27m

My friend is a thriller writer and is convinced he’s on some FBI list. He’s googling stuff such as “how to dissolve a body with quicklime” and all sorts of other fun stuff while researching for his books.

H8crilA
0 replies
7h19m

The quicklime method shouldn't be particularly fast, at least that's what my chemical intuition says (CaOH2 is barely soluble in water). What a bad name!

Sylamore
0 replies
2h23m

That has been my strategy for the last decade or so. Unless I have a solid reason to, I never use my real name when placing orders and generally never the same fake name twice, always use a virtual credit card, if it's a non-physical product I don't even use my real address. I have some old phones I throw pre-paid sim cards into when I need to do number confirmation. The goal is to create a little consistent linkable data to me and at least generate some noise in all these data broker collection processes.

calvinmorrison
1 replies
20h51m

In fact there are far fewer valid Socials. They follow a system where guessing a number of digits is fairly determined based on year and state of birth

__float
0 replies
18h25m

This is not exactly true; the system _used_ to have a geographic component but SSNs issued since 2011 are random.

(Granted, most people here with an SSN should be older than that.)

throwup238
0 replies
16h58m

I don't think it's a "full" breach because I assume that would include many tera/petabytes of original source documents rather than just a CSV of PII, but it's definitely a real breach.

I looked up several family members and although most of the phone numbers and addresses were out of date, they were accurate as were the listed social security numbers. However, it didn't include any of the more recent immigrants in the family or myself, possibly because I take opsec seriously.

Funny enough it looks like it has data for Tom Brady, former FBI director James Comey, Barack Obama, and Donald Trump (just some of the names that popped into my mind to look up).

michaelt
0 replies
9h10m

I'm in the UK so I have no Social Security Number, and I still got the HIBP e-mail.

When I looked into it, it turns out the "original" breach is comprised of files named ssn.txt and ssn2.txt which only contain Americans' details, and don't contain any e-mail addresses.

It seems what happened is there was one leak of US SSNs which the leakers attributed to NPD, then some people bundled that leak up with a bunch of other data (including e-mail addresses and details of non-Americans) and who knows if the latter data actually came from NPD?

Dalewyn
0 replies
9h41m

the data next to your record may not even be correct. "

American Express by way of Experian alerted me to my SSN having been leaked precisely by this incident.

The number was seemingly correct, but everything else associated with it such as name and address were nonsense.

So assuming we're talking about the same thing... can confirm?

ghm2180
17 replies
21h3m

I am just dreading the day when a near simultaneous cyberattack on a high number of (more vulnerable, like middle-lower income) individuals starts in a DDoS fashion:

1. Credit histories will be (unlocked) used to file multiple credit applications and tax credits will be applied for.

2. Multiple cell phones will be hijacked through SIM hijacking or other zero-day attacks to make it very difficult to get back in.

3. A person's profile will be used to attack the most vulnerable things:
   - Their families will get fake calls to create confusion.
   - Their financial services will be frozen or worse, weak 2FA ones will be compromised.

4. Deep fake image and videos will be created from compromised accounts to sow further mayhem.

This already happens in targeted and one strategy or the other fashion. Imagine what one could do with a bit more compute and completed profiles and orchestrate this kind of terrible vengeance.

no_wizard
8 replies
19h53m

In the US, the government could help a lot if they simply moved to a national ID system and dismantled social security numbers.

The national ID systems I've seen proposed have a lot more security from the ground up, and could replace the passport system.

BadHumans
4 replies
19h38m

The US has done itself a disservice with their actions because few people trust the government. A national ID system means a database of all Americans that would very likely be used for surveillance and monitoring. I'm saying this as someone who has Global Entry so it's not like I'm afraid of being in a US database but I see the concerns.

1_1xdev1
1 replies
19h0m

Pretty sure the FBI and equivalent agencies already have access to every state’s DMV records so it’s sort of a distinction without a difference.

ericjmorey
0 replies
18h52m

Correct

ericjmorey
0 replies
18h53m

That surveillance already exists with insignificant additional work on the part of the government. The cost of not establishing a best ID system has been clearly more costly. That's why the Real ID system was pushed onto state governments.

ericjmorey
0 replies
18h56m

That survail

pjkundert
1 replies
18h44m

"Wow, the government is so catastrophically bad at managing IDs; what should we do?"

"Hmmm. I know! Lets get the government to manage a mandatory ID system, and require it for all aspects of citizen's lives! In fact, lets centralize all of their medical, financial and personal data using this ID, and ensure that it can all be accessed using this ID! What could possibly go wrong?"

quohort
0 replies
17h18m

I wonder if you could create a national or federated ID system that takes advantage of blind signatures/ZKP to improve privacy. For example, you could create an unlimited number of identities to hand out to different businesses, and they could use ZKP to prove that you are above 18, a non-felon, or an organ donor etc. Dunno how something like photo ID would work.

EvanAnderson
0 replies
18h47m

The US doesn't need a national ID. It needs a national PKI.

The US Postal Service is in a great position to be the one who executes it. They have access to deliver physical goods to the entire country. They have the staff and procedures to do identity verification for their current products that could be extended to a PKI offering.

It'll never fly, politically.

lifeisstillgood
3 replies
19h55m

I am wondering what the numbers are like for this to be realistic.

I am not too sure of the end goal other than general chaos. Let’s say it’s 2 days of an attack, (that’s about how long any co-ordinated response would need at minimum).

So attackers need to sow chaos across the USA. They apply for a million unsecured loans of say 20k each. That’s 20 billion.

I honestly don’t know what the daily personal loan application rate is, but America has about 150M adults, 1% of them applying on the same day will not only raise flags but would basically grind the system to a halt - each loan office would have daily maximums and a massive spike could not be handled. And once the massive crowd is noticed and made public then the financial immune system comes into play.

I can imagine taking out the cell network through a sort of SS7 ddos, but I suspect that cell towers might have a dose more vulnerabilities (probably not as basic as all the admin passwords are ComC4astSux but close)

In general Chaos seems to come from attacking the limited services that act as our safety net (ambulance, police, sewage, electricity). We know these are vulnerable in non obvious ways - crowdstrike for example.

Making otherwise fit and healthy citizens have a shitty day is less impactful than we might think - it will be the “blip” day - as I say 48 hours later the Treasury secretary goes on TV and announces all personal loans that day got cancelled or some other fix - finance has a fairly good immune system when it sees the need.

But overall, if we are going to worry about some attacks, let’s look at the ones that attack our freshwater supplies - and that might not mean some terrorist - in the UK our sewage handling has been under attack by Private Equity for decades and SWAT teams are not allowed to shoot people in Belgravia

Mtinie
2 replies
19h18m

You’d need to pick a day of importance to launch the chaos-sowing attack against information and social services. I’m sure there’s a useful one in early November.

qorrect
1 replies
18h51m

Thanksgiving is at the end of the month though

meowster
0 replies
15h2m

They're alluding to the U.S. presidential election.

njarboe
1 replies
20h50m

I wonder how many governments have this capability right now? I would guess at least three.

nc0
0 replies
8h4m

As far as I know, most of the developed and in development countries have this kind of database, I also know some poor countries do too, but they often lack security measures.

kurthr
0 replies
20h53m

Luckily, there aren't multiple hostile nation states capable of this. /s

All that I can see preventing it is deniability and eco-political risk.

EvanAnderson
0 replies
18h49m

SSNs can be used to disconnect utility service, too. Doing some amount of that would surely add to the "fog of war". It often takes phone calls but the tools have been created to automate that on a massive scale.

NoMoreNicksLeft
13 replies
1d

Can't the SSA just issue 330 million new social security numbers, and tell people to be more careful with them from this point forward?

acdha
10 replies
23h21m

The SSA specifically told people not to misuse SSNs this way and it seems like a poor use of taxpayer funding to spend billions bailing out businesses’ bad decisions, even if that was legal (Congress would have to specifically authorize it), since we’d be back to the same problem within five years.

If we were going to do something, we’d make government ID include an NFC token for PKI purposes since public keys can’t be compromised in the same way, but nobody is jumping to pay for that, especially in a country where you have so many people prone to wild conspiracy theories (I am especially amazed by the guys who freak about a national ID as big brother but never say a word about the credit reporting industry) and the enduring “Mark of The Beast” religious fears.
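
An added sketch, not part of the thread and not any real ID scheme's code, of the contrast drawn in this comment and in the earlier "national PKI" comment: a recited number is accepted from anyone holding a leaked copy, while a signed one-time challenge cannot be replayed and a lost key can be revoked at the registry. All class names, `bank.example` and the sample identifier are hypothetical; Node's built-in `crypto` with Ed25519 stands in for the chip on the card.

```javascript
const crypto = require('crypto');

// Knowledge-based check: the "secret" is a static number the verifier also stores.
class StaticIdVerifier {
  constructor() { this.records = new Map(); }
  static digest(value) { return crypto.createHash('sha256').update(value).digest(); }
  enroll(account, identifier) { this.records.set(account, StaticIdVerifier.digest(identifier)); }
  verify(account, identifier) {
    const stored = this.records.get(account);
    if (!stored) return false;
    return crypto.timingSafeEqual(stored, StaticIdVerifier.digest(identifier));
  }
}

// Public registry ("keyserver"): holds only public keys and a revocation flag,
// so a copy of its contents gives a thief nothing to authenticate with.
class KeyRegistry {
  constructor() { this.entries = new Map(); }
  register(publicKey) {
    const der = publicKey.export({ type: 'spki', format: 'der' });
    const keyId = crypto.createHash('sha256').update(der).digest('hex').slice(0, 16);
    this.entries.set(keyId, { publicKey, revoked: false });
    return keyId;
  }
  revoke(keyId) { const e = this.entries.get(keyId); if (e) e.revoked = true; }
  lookup(keyId) { return this.entries.get(keyId); }
}

// Stand-in for the card: the private key is only ever used to sign.
class IdCard {
  constructor(registry) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this._privateKey = privateKey;
    this.keyId = registry.register(publicKey);
  }
  sign(message) { return crypto.sign(null, Buffer.from(message), this._privateKey); }
}

// A bank or utility that asks for proof of possession instead of a recited number.
class RelyingParty {
  constructor(name, registry) {
    this.name = name;
    this.registry = registry;
    this.pending = new Map(); // nonce -> keyId it was issued for
  }
  // The signed message binds the relying party, the key and a one-time nonce.
  message(keyId, nonce) { return `${this.name}|${keyId}|${nonce}`; }
  newChallenge(keyId) {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.set(nonce, keyId);
    return nonce;
  }
  verify(keyId, nonce, signature) {
    if (this.pending.get(nonce) !== keyId) return 'unknown-or-used-challenge';
    this.pending.delete(nonce); // single use, even when verification fails
    const entry = this.registry.lookup(keyId);
    if (!entry) return 'unknown-key';
    if (entry.revoked) return 'revoked';
    const msg = Buffer.from(this.message(keyId, nonce));
    return crypto.verify(null, msg, entry.publicKey, signature) ? 'ok' : 'bad-signature';
  }
}

function runDemo() {
  const out = {};

  // Constructed sample value, deliberately not an assignable number.
  const leaked = '000-00-0000';
  const utility = new StaticIdVerifier();
  utility.enroll('acct-1', leaked);
  out.staticWithLeakedCopy = utility.verify('acct-1', leaked); // any holder of the dump passes

  const registry = new KeyRegistry();
  const card = new IdCard(registry);
  const bank = new RelyingParty('bank.example', registry);

  const n1 = bank.newChallenge(card.keyId);
  const sig1 = card.sign(bank.message(card.keyId, n1));
  out.freshSignature = bank.verify(card.keyId, n1, sig1);

  // A captured response is useless: the nonce is spent...
  out.sameNonceReplayed = bank.verify(card.keyId, n1, sig1);
  // ...and the old signature does not cover a new nonce.
  const n2 = bank.newChallenge(card.keyId);
  out.oldSignatureNewNonce = bank.verify(card.keyId, n2, sig1);

  // Card reported lost: even a valid signature is refused after revocation.
  registry.revoke(card.keyId);
  const n3 = bank.newChallenge(card.keyId);
  out.afterRevocation = bank.verify(card.keyId, n3, card.sign(bank.message(card.keyId, n3)));
  return out;
}

console.log(runDemo());
```
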

toomuchtodo
6 replies
23h12m

If we were going to do something, we’d make government ID include an NFC token for PKI purposes since public keys can’t be compromised in the same way, but nobody is jumping to pay for that, especially in a country where you have so many people prone to wild conspiracy theories (I am especially amazed by the guys who freak about a national ID as big brother but never say a word about the credit reporting industry) and the enduring “Mark of The Beast” religious fears.

Login.gov gets us pretty far until NFC can get baked into credentials. Would love to see passport cards evolve into this [2], but again, lots of work and political will to make that happen. In the meantime, remote and in person proofing to bind IRL gov credentials to digital identity must do.

(As of December 31, 2023, over 111 million people have signed up to use Login.gov to date, with over 324 million sign-ins in 2023; this is ~1/3rd US population; no affiliation)

[1] https://login.gov/

[2] https://travel.state.gov/content/travel/en/passports/need-pa...

AnthonyMouse
2 replies
8h18m

I still don't get why people are calling these "religious fears". The parable from the book is because the problem is very old, but the problem is exactly the same as it ever was: If a central authority gives everyone a serial number then it will be used to track them by powerful institutions, which is a tool of oppression. This is the massive mistake we made with social security numbers, and their inherent insecurity is actually mitigating the damage there because it makes people much more hesitant to divulge it.

You do not want to make it easier for every carnivorous for-profit corporation and wannabe apparatchik to pressure every citizen to cough up an identifier that can be used to track their every move.

krapp
1 replies
7h53m

> I still don't get why people are calling these "religious fears".

People are calling these "religious fears" because they are fears very often based on religion. People who fear the Mark of the Beast aren't simply worried about being tracked by powerful institutions, they're looking for prophetic signs of the antichrist and Satanic one world government that their holy book says will lead to the second coming of Christ and Armageddon. Even though it was really talking about Nero Caesar. You can't separate the fear from the religion.

> You do not want to make it easy for every rapacious for-profit corporation to pressure every citizen to cough up an identifier that can be used to track their every move.

Then ban cellphones. Those are far more useful as a means of surveillance and control than any serial number in a database. They're also held in the hand and to the head, and used to buy and sell goods, which conforms far more closely to the mark of the beast than, say, RFID chips or SSNs or serial numbers on currency. Which the mark of the beast people were all against, in their time.

Unless you want to go full Kaczynski and run off into the woods to live off the grid, you can't avoid having identifiers attached to you. Your birth certificate, vaccination history, criminal record, credit score, address and phone number, the license plate on your car. Even the cookie that leaves you logged in to Hacker News. Governments and corporations already know who you are and where you are. Are there massive negative externalities to having our identities controlled by forces we have no agency over? Absolutely. But fearing every number as a slippery slope to a global satanic dystopian hellscape isn't reasonable. Unfortunately that's the context in which many people have this conversation, and that needs to be recognized.

AnthonyMouse
0 replies
7h38m

> People who fear the Mark of the Beast aren't simply worried about being tracked by powerful institutions, they're looking for prophetic signs of the antichrist and Satanic one world government that their holy book says will lead to the second coming of Christ and Armageddon.

This is the "weak man" version of the argument. It goes in the book because the (relatively wise and experienced) authors wanted to warn people of the dangers of a real problem. Nutters read metaphors as literal and then people who want to discredit the argument point to the least credible of the nutters as the proponents. But you don't have to believe in The Devil to believe that authoritarians exist and have provably caused great pain and oppression throughout history.

Isaac Newton was a Christian but you don't have to believe in God to believe in gravity.

> Then ban cellphones.

The problem here isn't so much "cellphones" the abstract concept in which you have a portable computer with a network connection, as the current implementation of cellphones which are in actual fact implemented as tracking devices. Which, okay, let's also make cellphones that are actually controlled by their owners and don't act as mass surveillance devices. Sounds good.

> Unless you want to go full Kaczynski and run off into the woods to live off the grid, you can't avoid having identifiers attached to you.

There is a difference between "you have a social security number which the social security administration uses exclusively for social security and no one else uses for anything" and "you have a social security number which every corporation and bureaucracy uses as the primary key in a database to correlate everything you do in your entire life". The kind of ID systems people keep proposing are the ones that do the second one, and that's the bad one.

tjohns
1 replies
21h37m

The problem with login.gov is that nobody can use it outside of the US government. I can't use my login.gov account to attest my identity to my bank.

So my bank will continue to use my SSN as proof of identity for loans.

acdha
0 replies
22h13m

Yeah, I love login.gov and especially how they embraced things like WebAuthn faster than entire industries like finance but I can only imagine how much screaming there would be if usage became a requirement outside of government.

TimedToasts
1 replies
21h33m

Painting those of us concerned with privacy as "people prone to wild conspiracy theories" is a very bad faith take.

Please do not give the government any more power over me than they already have, thanks.

acdha
0 replies
20h47m

> Painting those of us concerned with privacy as "people prone to wild conspiracy theories" is a very bad faith take.

Fortunately that’s not what I’m doing. I suggest reading more carefully and trying to come up with a scenario where the government having standard identifiers meaningfully harms your privacy but a mess of identifiers and a huge private industry linking them does not.

AnthonyMouse
0 replies
8h22m

> If we were going to do something, we’d make government ID include an NFC token for PKI purposes

Another alternative would be to go the other way: Pass a law prohibiting the use of social security numbers for any purpose other than social security. Don't provide any globally unique identifier for companies to use.

Instead each institution would issue their own identifier which would have no value outside of that institution. If they get breached or you lose your ID, they mail a new one to the address they have on file or some similar recovery method and you don't have to worry about someone using your ID somewhere else because the breached one gets disabled and you get a replacement.

The obvious advantage here is that companies can't use it to correlate your activity across institutions without your knowledge or consent.

blackeyeblitzar
1 replies
23h58m

The SSA has shown absolutely no urgency on this issue. Their existing policy is that having your SSN compromised is not enough to issue a new number. You have to actually be a victim of a financial or identity crime that abused your SSN for them to consider a new number. In reality what they should be doing is giving everyone accounts that can generate tokens for use with each transaction, to maintain a trail of where leaks originate and also to expire these temporary tokens. Instead they’ve stuck to this archaic system.
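The per-transaction tokens proposed in this comment, combined with the per-institution identifiers from AnthonyMouse's comment above, sketched as an added example that is not part of the thread. `TokenIssuer`, `Grant` and the in-memory store are hypothetical names and assumptions for illustration, not any agency's real system.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    holder: str          # issuer-internal account id, never sent to institutions
    relying_party: str   # the one institution this token was generated for
    expires_at: float    # absolute expiry, seconds since the epoch
    used: bool = False
    revoked: bool = False


class TokenIssuer:
    """Hypothetical issuer; the comment gives this role to the SSA."""

    def __init__(self):
        self._pairwise_key = secrets.token_bytes(32)  # never leaves the issuer
        self._grants = {}  # sha256(token) -> Grant; raw tokens are not stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def pairwise_id(self, holder, relying_party):
        """Stable identifier for one holder at one institution, useless elsewhere."""
        msg = holder.encode() + b"\x00" + relying_party.encode()
        return hmac.new(self._pairwise_key, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, holder, relying_party, ttl=900, now=None):
        """Holder asks for a single-use token bound to one institution."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._grants[self._digest(token)] = Grant(holder, relying_party, now + ttl)
        return token

    def redeem(self, token, presented_by, now=None):
        """Institution presents a token; returns (ok, pairwise id or refusal reason)."""
        now = time.time() if now is None else now
        grant = self._grants.get(self._digest(token))
        if grant is None:
            return False, "unknown token"
        if grant.revoked:
            return False, "revoked"
        if grant.relying_party != presented_by:
            return False, "issued to a different institution"
        if now >= grant.expires_at:
            return False, "expired"
        if grant.used:
            return False, "already used"
        grant.used = True
        return True, self.pairwise_id(grant.holder, presented_by)

    def trace(self, token):
        """Given a token found in a leak, name the institution it was issued to."""
        grant = self._grants.get(self._digest(token))
        return grant.relying_party if grant else None

    def revoke_relying_party(self, relying_party):
        """After a breach at one institution, kill every token issued for it."""
        hit = [g for g in self._grants.values()
               if g.relying_party == relying_party and not g.revoked]
        for g in hit:
            g.revoked = True
        return len(hit)


def demo():
    issuer = TokenIssuer()
    t0 = 1_700_000_000  # constructed clock value so the run is deterministic
    bank = issuer.issue("acct-1", "bank", ttl=600, now=t0)
    landlord = issuer.issue("acct-1", "landlord", ttl=600, now=t0)
    stale = issuer.issue("acct-1", "bank", ttl=60, now=t0)
    return {
        "first_use": issuer.redeem(bank, "bank", now=t0 + 5),
        "replay": issuer.redeem(bank, "bank", now=t0 + 6),
        "wrong_party": issuer.redeem(landlord, "lender", now=t0 + 5),
        "expired": issuer.redeem(stale, "bank", now=t0 + 61),
        "leak_source": issuer.trace(landlord),
        "revoked_count": issuer.revoke_relying_party("landlord"),
        "after_revoke": issuer.redeem(landlord, "landlord", now=t0 + 10),
        "ids_differ": issuer.pairwise_id("acct-1", "bank")
                      != issuer.pairwise_id("acct-1", "landlord"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A token copied out of one institution's breach fails everywhere else, and `trace` attributes it to the institution it was issued for.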

Dylan16807
0 replies
54m

They can't issue new numbers in bulk without revamping the system because they'd run out. The urgent fix wouldn't work.

If the system needs to be revamped, then step one should be pressure/force so that companies stop treating the numbers as secret. And if we do that we don't need new numbers anymore.

29athrowaway
13 replies
1d

Time for services everywhere to stop using SSNs for identification and for the US to move on to a more advanced form of identification.

And lock your credit.

wood_spirit
11 replies
1d

What can an attacker who knows your SSN still do with that information nowadays? Genuinely curious, as the SSN is just this strange indistinct password thingy the Europeans like me hear about on HN but have no actual parallels with.

quantumfissure
8 replies
23h41m

If they have your address; birthday; and SSN a whole lot. Generally, they could apply for credit cards; loans; set something to bill to you; etc...

Fortunately, it's getting harder without previous addresses or other verification methods.

For non-Americans that don't know, our Social Security number is generally assigned at birth or when you become a citizen by the Social Security Administration. Social Security is a disabled or elderly benefit we all pay into (roughly 7.5% employee and 7.5% employer - ~15% total). It's the only number we all get, since not everyone gets a driver's license; ID; passport; or other identifier. Unfortunately, it's been used to identify us for everything, and until recently was typically in plaintext on most forms (medical; tax; student; etc...).

CGP Grey has a good summary of how it came about and why it's become a problem: https://www.youtube.com/watch?v=Erp8IAUouus

cesarb
5 replies
23h22m

> It's the only number we all get, since not everyone gets a driver's license; ID; passport; or other identifier. Unfortunately, it's been used to identify us for everything, and until recently was typically in plaintext on most forms (medical; tax; student; etc...).

I fail to see the problem with that. As you said, it's an identifier, like a username or your full name. There should be no issue with everyone knowing your full name, or your username; why should there be an issue with everyone knowing your SSN, or it being in plaintext everywhere?

krab
1 replies
23h13m

I heard there was a similar problem with the bank account number in the US - that you could use it to withdraw money without an actual password or strong identification. Hence the popularity of cheques, PayPal and similar services that weren't needed that much in Europe.

tjohns
0 replies
21h48m

You're right that bank account numbers in the US are insecure, but you're wrong that this is why checks are popular here.

Checks are actually the source of the problem. If you have access to blank check stock and MICR laser toner (both readily available on Amazon, since business accounting departments will routinely print their own checks for payroll / bills), you can make seemingly valid checks to withdraw funds from any account number. This is still a problem.

The reason why checks are popular is because until recently there hasn't been a cheap + accessible + official + unencumbered way to do electronic transfers between personal accounts. The infrastructure existed (ACH), but only businesses could actually initiate deposits/withdrawals. Individuals could initiate full-service wire transfers, but those are risky (there's no way to reverse one done in error) and banks typically charge $25/transfer - which is far too expensive to use for anything routine.

PayPal came into existence so people could purchase goods online (on eBay, specifically) and have the option of performing a chargeback if the goods weren't delivered as advertised.

(Checks will probably still persist for some time, since all the online payment services want to charge percentage fees if they think you're acting as a business. The beauty of checks is that they just work and don't insist on taking a cut of the payment.)

pwg
0 replies
22h46m

> why there should be an issue with everyone knowing your SSN, or it being in plaintext everywhere

Because far too many businesses, esp. financial ones (banks/credit unions/etc.) have also incorrectly used it as a password to authenticate that "voice on phone" is really John Q. Public and/or that "grifter in chair across desk" is really John Q. Public. I.e., they used the fact that "person X" knew number Y as proof that person X was really person X.

We can argue that it was never intended to be used this way (a true statement), that knowledge of it provides no such proof (also true), and that using it as such was always wrong on the part of these businesses (also true), but the fact is, many did use it this way, and, sadly, many still do use it this way. And it is this misuse that is the "issue" with everyone knowing everyone's SSN.

lcnPylGDnU4H9OF
0 replies
23h9m

> username

Think of it as being the username and password. That's how many institutions have treated it for a long time.

kemitche
0 replies
23h7m

Because it was used as BOTH an identifier AND proof of identity, for a long time. If it were used properly as simply an identifier, you'd be right, but there are still many cases where knowledge of the number is used as proof (or partial proof, along with birthdate/address/etc) of identity.

shultays
1 replies
8h35m

Do you need SSN for voting? I heard that you don't need an ID (at least in some states) which was very weird for me but if they ask SSN instead, that is at least something I guess?

themaninthedark
0 replies
5h25m

No, SSN is not used for voting.

Voting requirements and eligibility are set individually by each state, sometimes even in finer detail, New York City wanted to give immigrants the right to vote in local school board elections for example.

SSNs are administered by the federal government and are opt-in (however most people apply for one) so it is not something a state can really use as a voting requirement.

State I currently live in (GA), you need to bring a photo ID for in-person voting:

- Driver's License (from any state or federal government)
- State ID card
- Student ID card
- ID badge from any state or federal workplace
- Passport
- Military ID
- Tribal ID

Data was cross-checked to an online voter registration database.

Prior state (NC), I think the ID requirements were similar (possibly more relaxed) but at that time the data was checked to the voter roll, a book with the name and address of all the people in the precinct. When you went to vote, you signed by your name and then it was crossed off the list.

blackeyeblitzar
1 replies
23h56m

The SSN is used as a way to genuinely identify someone, unfortunately - it’s like having to give out your password each time you rent an apartment or buy a car or obtain medical care or any number of other transactions. Having this info (along with other basic info like name/address/date of birth) lets you effectively pretend you are them. You can take loans out in their name or call some service to do a password reset (since you have all the info to verify you are them) or whatever else. But it’s not like there is one particular way in which the information can be used - it’s dependent on what businesses LET you do with that info. In 2024, NO business should use SSN to verify identity or authorize sensitive transactions but many do, and what they let you do varies significantly.

acdha
0 replies
23h28m

I think it’s important to distinguish between identification and authentication. As a unique database primary key, they’re fine. The problem was when a bunch of businesses decided it’d be too expensive to check things like government ID and started using them for authentication purposes. Nobody blinks an eye at using a phone number or email address on an application, but we should treat using your SSN or past addresses for authentication the same way we would if someone says they could approve a loan if you know your phone number and zip code.

lr4444lr
0 replies
23h40m

Time for the US credit bureaus to lock everyone by default.

hypeatei
7 replies
1d

Does anyone else just not give a fuck at this point about their SSN? I feel like maybe early 00s this would be scary but it's clear that everyone's SSN is out there already or waiting to get breached from a shady private data broker.

The problem lies in how institutions treat the SSN, not the number itself.

rolph
4 replies
1d

if you know place of birth, and place of ssn application, you can determine most of the ssn. the final 4 are supposed to be random, but are blurted out to rooms full of people and tech, during service.

the integrity of SSN security, was lost a long time ago

rolph
0 replies
23h17m

yeah it's too bad it took so long for that to happen.

galdosdi
0 replies
16h58m

Yes, but 100% of adults today were born before 2011, and that will continue to be (ever so slowly less and less true as we die out) true for decades. It's good and all, but.

xboxnolifes
0 replies
22h18m

> the integrity of SSN security, was lost a long time ago

The security never existed, since they were never intended to be secrets. At best it was theater.

acdha
1 replies
23h38m

Yes. 99% of the time “identity theft” means a huge company cut corners on their security policies and wants us to subsidize their negligence. Every so often there are cases like that guy who pretended to be his former coworker for decades but they’re rare enough that they make the news internationally. Most of the time it used to be things like instant credit applications where they didn’t “slow” purchases with ID checks.

The good news is that companies have lost the presumption of competence there. In the 80s if a company said they’d confirmed that an applicant was you using your SSN, a lot of people would falsely believe that was sufficient but by now they’re not going to get far if they sue you unless they can provide better evidence because everyone knows huge breaches have happened many times.

lupire
0 replies
21h10m

Not good news. Doesn't matter if the business is presumed competent. What matters is that the business can steal your assets to pay for their losses.

janalsncm
5 replies
21h32m

Are there any ways to check the breach to see if my information is there, other than downloading it myself? I’m not sure of the legality of doing so.

heartbreak
1 replies
19h56m

The data seems to be at least 15 years old.

xf5f
0 replies
17h13m

For me, it matches (DOB, last 2 of SSN) and seems fresh (has newest address, as well as older ones).

jaderobbins1
1 replies
21h14m

There is a free service called Have I Been Pwned which uses your email address to see what data breaches you are part of (https://haveibeenpwned.com/).

While it uses your email to check (not SSN) odds are if they have your SSN in the dataset they also have your email.

notpushkin
0 replies
8h28m

The OP post says that emails in this breach are paired with random names and SSNs, so it's not a good indicator.

blackeyeblitzar
5 replies
1d

It is crazy to me that data brokers are even a legal form of business. All of these services should be opt in at minimum. If they are obtaining publicly available information and making it easier to access, they should have to maintain insurance or a deposit with the government to compensate victims of cybersecurity incidents. Telling people to get credit monitoring is in NO WAY an acceptable way to make us whole. They need to pay for a lifetime of monitoring and INSURANCE up to the net worth of affected individuals. This needs to become law ASAP.

SteveNuts
3 replies
23h55m

We're two decades into "The Digital Millennium" and our laws are still stuck in 1999 (except for the ones that ya know, allow dragnet spying).

I'd wholeheartedly support any candidates that push for a data/privacy "Bill of rights".

krageon
0 replies
22h13m

There has never been a US president that had anything close to ethical behaviour (to wit: the ones that existed after drone strikes became a thing all signed off on drone strikes. Those hit a lot of innocent people. The US has never stopped having slavery. I could go on). It is really the height of fanciful thinking to believe that the flavour of the month US leader will be any different.

_moof
0 replies
22h10m

> It is crazy to me that data brokers are even a legal form of business.

Ah, yes, but they're businesses, you see - the most important class of entity in America. We the people can evidently go fuck ourselves if it means some scumbag gets to make a buck.

left-struck
4 replies
19h17m

> The problem with verifying breaches sourced from data aggregators is that nobody willingly - knowingly - provides their data to them

This is a bit of a tangent but I feel like if we can prove this statement then these data aggregators should be made illegal. How can you consent to something that you don’t know you’re consenting to? Likewise why do these entities have the right to collect detailed personal information like SSN without your explicit, beyond reasonable doubt, consent? To me this is the most obvious failure of the legal system, it clearly goes against well established legal principles that a basic requirement of an agreement is that all parties know what they are agreeing to.

Obviously there is some leeway with agreements where it’s not possible to clarify every eventuality but let's say if you’re applying to rent a place through an online form and that form shares your SSN to a data aggregator, it should be extremely clear about that, and possible to opt out while still allowing you to complete the rental application without discrimination.

It’s like, it should be possible to show that no one, within reason, consented to sharing their data with this aggregator because no one is able to confirm that they did. Sure one person could forget, or lie, but 100s of millions of people? No. Clearly almost zero people knowingly consent.

Hnrobert42
3 replies
15h14m

I have been using a different site@mydomain email address for every service I've used for the past 15 years. I can point to exactly which site breach furnished my email address to the aggregators.

al_borland
1 replies
12h19m

Care to call out some bad actors so others know to avoid business with them?

I recently started using unique emails for everything I sign up for. Thankfully I haven’t seen anything yet, but I have little hope it will stay that way.

klabb3
0 replies
9h41m

I second this request of releasing the results of this “digital tracer dye” experiment. If their respect for your personal data is that low, they deserve to be named and shamed. And more.

left-struck
0 replies
8h23m

I like email forwarding services, like ddg, mozilla’s relay, iCloud’s hide my email and simple login. Unique password and email address for every website, plus, like you said if your unique email shows up somewhere it’s a smoking gun.

d_burfoot
4 replies
3h5m

It's worth remembering that the main reason this kind of data breach is a real problem is mostly due to the incompetence of the IRS. For any serious financial organization, knowing a person's SSN, name, address, etc doesn't allow you to access or withdraw that person's finances.

But the stupidity of the IRS means that people are easily targeted by false tax return attacks. File a fake tax return for someone, using their SSN/name/address, but tell the IRS you changed address. Then the IRS sends your tax refund to the new address, and boom, you just collected some poor sod's refund. To add insult to injury, the IRS is probably going to audit the person whose refund you stole.

coltonv
1 replies
14m

This comment is shockingly misguided.

The IRS doesn't have the authority to mandate the creation of a secure national ID system and enforce its use by the financial system. Only Congress has the ability to really do that. The IRS collects revenue.

Even if it did have that authority, it doesn't have the budget to accomplish that goal.

dingnuts
0 replies
4m

isn't it funny how no government service is ever at fault, it's always just a problem of funding? The IRS is good, just under funded. Public schools are good, just under funded. The NHS is good, just under funded. The roads are good, just under funded

except then funding is raised, and it's still a problem of funding. and inevitably, it's the evil side of the government (you know the one) that is to blame, even if there is no money to spend.

how does a public service determine when they have enough funding?

smileysteve
0 replies
1h34m

But not just the IRS; the banking system, most healthcare providers, states for most of a century, and the credit bureaus for REusing SSN as unique identifier "passwords".

daveguy
0 replies
2h16m

I agree. The IRS should be better funded so they can afford to update their systems and hire more tech experts.

jpcookie
3 replies
23h19m

And where is this information that this random group supposedly has? I have yet to see proof of that being real

seanw444
0 replies
23h8m

BreachForums I believe.

lynndotpy
0 replies
19h54m

I was able to get a hand on it, and I was able to confirm that some records of loved ones are indeed present (although mine was not.)

banana_giraffe
0 replies
17h46m

It's real. A few people I know are in the dataset. The SSN is problematic, but personally to me, the more troubling data is a seemingly complete, or at least complete enough, address history for the people I checked for. It doesn't have dates, but just having the addresses could cause major problems for spear phishing attempts.

hn72774
3 replies
4h13m

Anything the average SSN holder should be doing proactively?

NineStarPoint
2 replies
4h6m

You could freeze your credit, if you wanted to be careful. Realistically though, you should have already been monitoring to check if unexpected things were being done in your name. I’ve presumed that all our SSNs have been out there for years now due to one hack or another, that this hack just makes it indisputable doesn’t change much.

tmountain
1 replies
3h1m

What's required to freeze/unfreeze your credit? Your SSN and address info? All of that is in the breach for millions of people.

gosub100
0 replies
1h6m

Just like a lock on the door, it raises the barrier to a nontrivial level. It does not give you a Fort Knox-level impenetrable fortress.

I recently froze my credit with the big 3 and it was easier than I pictured. I don't know if they slow you down if you try to unfreeze it immediately after clicking "forgot password".

sergiotapia
2 replies
6h9m

Downloaded the torrent, and it's a 164GB text file.

What's a quick way to search if my SSN is in the file? I ask before diving in, it's currently extracting and ETA is 40 minutes.

themaninthedark
0 replies
5h55m

Hey, if I give you my SSN can you check to see if it is in there for me?

fnord77
2 replies
20h39m

From the NPD website:

> Please be advised that we will not collect, use, disclose, sell, or share the sensitive personal information or sensitive data of California, Virginia, Colorado, or Connecticut residents as those terms are defined by the CCPA/CPRA, VCDPA, CPA, or CTDPA, respectively.

troad
1 replies
18h55m

We need more laws like this, then. Federal ones.

tinix
0 replies
4h41m

You think this stopped them from aggregation? It didn't...

tmaly
1 replies
22h48m

I sure wish the US had a version of GDPR.

I get a data breach notice at least a few times a year. I got one for my kids two months ago for their medical data. I thought HIPAA had huge penalties but I guess not.

dgellow
0 replies
22h40m

Doesn’t California have a similar set of regulations?

seydor
1 replies
9h53m

What if we just made all this data free, some AI is going to compile them anyway (and probably already has). Deterrence is the best defense, right?

fy20
0 replies
9h39m

It depends on the country. Where I live now even if I leak my name, date of birth, bank details, national id number, etc. you couldn't do much. We have a country wide 2FA system that all important businesses use (bank, utilities, health, government) to authenticate users.

I'm from the UK though, and previously was a 'victim' of identity theft where a few years ago someone walked into a phone store, and walked out with a new iPhone and contract in my name.

idontknowtech
1 replies
17h6m

This sort of stuff will continue happening until the regulatory framework acknowledges a fundamental consumer right to privacy.

If a data broker collects data without the consent of the consumer, then their only real risk is a class action lawsuit which drags on for six years, gets settled for a few days profit, and the consumer gets $13.50 after the legal fees. This massive skew in the risk reward calculus of data brokers is why we have the problem. Because there's little to no real downside, the trend is automatically collect as much data on as many people as possible.

Fixing this means big, mandatory, cash penalties in the law code - say $5k per consumer data leak, directly to the affected consumer, with added penalties if the company lies about the leak or delays payment. The fine must be big, mandatory, and paid directly to the consumer. Only that changes the risk reward ratio.

In that new world, companies would have to reassess their risks. They'd either build invulnerable systems and hire a lot more people reading HN to protect their golden goose, or better still they'd decide to exit the business entirely. That sounds bad, but the only reason the industry exists is because regulators failed to foresee massive leaks like this happening every three months.

We need a consumer data privacy law, with massive fines, to force companies to change their behavior. What we're doing now clearly does not work.

esalman
0 replies
16h44m

They should tax companies so that operating data centers becomes more expensive. Increase price of electricity or property tax. That will inherently force companies to collect and store less data, hence less damage from breaches.

albert_e
1 replies
13h13m

off topic

does HIBP automatically cover plus addressing variants of an email

example I submit johndoe@example.com

but a breach had johndoe+verizon@example.com

will it match

velcrovan
0 replies
20h54m

Even before this, anyone operating a service who isn't treating SSNs as public knowledge in 2024 needs to be, well, shamed or penalized or something.

uticus
0 replies
1d

I’ve finally figured out the play: war of attrition.

Eventually enough data will be leaked to make moot the benefits of securing any personal data. At that point everyone stops trying and moves on to more financially rewarding activities.

I mean even if I’m an elephant, and data breaches are blind men, eventually enough blind men will draw a true comprehensive picture.

puzzledobserver
0 replies
19h54m

Several other commenters have brought up the sneaky wordplay involved in saying "identity theft" instead of simply calling it "fraud on the bank", and somehow turning the person into the victim rather than the bank that has been defrauded.

Has anyone tried to argue this point in court? Has this survived / how did this terminology shift survive judicial scrutiny?

luxuryballs
0 replies
16h31m

the government should have put out honey pots or something, or maybe it’s time to get new numbers and just invalidate all the stolen data, there is clearly money for fixing this kind of thing but they’re using it to spy on us and do who knows what else instead

layer8
0 replies
1d

TL;DR:

an intriguing story that doesn't require any further action.

johnnyballgame
0 replies
1d

Extreme Privacy by Michael Bazzell is a great resource to learn how to limit exposure to these aggregator services.

https://inteltechniques.com/book7.html

farceSpherule
0 replies
1h52m

I worked incident response for years, logging thousands of hours of actual on site work with impacted clients.

No one cares.

Clients see this as the cost of doing business and have no incentive to do better. Even after Equifax and OPM.

Until we have a GDPR style law in the U.S. it will continue to be status quo.

blindriver
0 replies
17h10m

Why are data aggregators legal? In California can we create a proposition to shut them down in the state?

araes
0 replies
27m

I was wondering why Google suddenly turned on "prompt authentication" on zero-security feature accounts yesterday. Now I "must" have a phone nearby to use Gmail... Tap to authenticate every time you want to look at ... ad spam.

With this, Ticketmaster, and the CDK Global car theft, is there anybody on Earth who doesn't need data protection? Poor people in Somalia need data breach notices. People who are not even on the WWW need data breach notices...

JumpCrisscross
0 replies
20h50m

“The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present.”

Like what?