In light of my siblings' comments perhaps only lawmakers and their companions ought to be exposed in this manner. I'm reminded of the swift enactment of restrictions on videotape rental records sparked by release of Judge Bork's rental records.
It's interesting that we consider this a leak only when the marketing firm loses the data. If we lived in a just society we would consider it a leak once the marketing firm got the data.
With reasonable verification, anyone confirmed to be a part of this breach should be given access to the data, if only for good will. It's a sad state to see that the recklessness (or incompetence) of one entity, and at that a private one, can quickly become a domino in a chain that ends in toppling a person's privacy.
Much more than just personal privacy. When CEOs, politicians, judges and generals use the internet too, do you really want to be the guy/company that gives them that call? The incentives are all messed up.
The only real strategy is to totally pollute the information with false and erroneous information, while also setting up ways to prevent tracking and fingerprinting and associating. I am somewhat surprised that someone has not yet really emerged as having developed a business model around assuring privacy. It could be dedicated routers with firewalls and built-in VPN that also mask device names, combined with browsers and extensions that intentionally pollute browsing history and fingerprinting data, send bogus queries and also allow you to set policies for cookies in a little more user-friendly manner to only retain specific cookies of specific domains, etc.
When will this stop? When's the last straw? If I gave a bank 100 dollars, and they lost it, I'd have avenues with which to pursue some sort of justice. If I give a company my data, and they lose it, oh well. I wish all personal data was treated like HIPAA, at a minimum.
Tell me about it. We need a government account that grants access to banks and utilities via OAuth or some other cryptographic protocol that allows revocation at will.
It is obvious that selling customers' data gives more profit than not selling. No wonder that in countries with little regulation personal data are collected and sold en masse. It is the most profitable strategy for companies that have those data.
No, as a US citizen you have no such GDPR protection. If Exactis also operates in the EU, EU citizens may request their data or erasure of their data from Exactis.
More and more this just feels like the modern crisis of capitalism. The declining rate of profit is so extreme that we have to institute a corporate marketing panopticon designed to sell you shit you don't need, to the extent we're willing to risk that panopticon leaking dangerous information to non-state actors that could lead to theft, extortion, or worse.
Unusually for me I find your pedantry here too quibbling - even if the bank is left open taking the money is still theft (robbery is with threats/force in my jurisdiction, UK).
mysterypie | 7 years ago
Oh, man, another missed opportunity to make the average Joe Six-Pack become aware of data aggregation and privacy violations. If the researcher had downloaded the 2TB of data and published it as a torrent, then laymen might care. When someone can query the list and see his own personal information being broadcast, they will understand. When they realize that anyone can look up the address, phone, and all sorts of other info about their wife, husband, girlfriend, boyfriend, boss, children, or neighbor, they might get an inkling that privacy isn't such a stupid thing to worry about.
I realize that we all suffer if it gets made into a torrent, but sometimes pain is necessary to get action.
Within a week, this whole thing will be forgotten and nothing will have changed because privacy is too abstract for most people -- they need to see the personal information that's being collected. The researcher acted properly, but going full Snowden would have had much greater impact on getting better privacy-preserving laws and technology.
RyanZAG | 7 years ago
People can be stabbed in the back if they go into dark alleys without watching behind them. Let's stab a few people who go into these alleys so that everyone will be afraid to do so and we have an opportunity to prevent people being stabbed in future by making them aware.
Why would you possibly think this is a good idea? The idea is to prevent pain, not cause more pain in some bizarre attempt at making people afraid. There's enough privacy violations - we don't need to be making more of them ourselves.
learnstats2 | 7 years ago
For many people, the benefit of being able to look up information is greater than the cost of letting other people have this ability - most people still won't care too much even if they know their data is published in this way. (For example, most people were willing to have their home telephone number published in a phone book.)
For some people, the cost of letting other people look up your information is overwhelmingly huge - this is why privacy should be regulated.
We don't really "all suffer" the same - some people suffer disproportionately (stalking, harassment, abuse).
Publishing the data as a torrent is unlikely to change people's opinion, but will almost certainly harm people.
Don't take this approach.
throwawaymath | 7 years ago
You can already make the sort of nuanced queries you're talking about for any of the hundreds of millions of Americans whose records have been leaked in one of the state voter or B2C lead-gen databases. The dumps are all freely available on databases.today and various forums. Phone numbers, addresses, names, email addresses, relationships, members of household... it's all in there, even if paid searches like Intelius don't have it.
Unfortunately, anyone who tries to normalize the data and release a public frontend for querying it will probably be dropped by their hosting provider and ostracized by the security community. People don't tend to like the idea of what you're talking about and will blame the person hosting the information as much as the people who leak it; much like how Troy Hunt will never release the HIBP corpus of normalized password dumps, he'll only allow you to see if you're in it.
The impact of searching your personal data with that kind of granularity would probably be more dramatic than seeing your compromised passwords online, but I bet it would be even more vilified.
smsm42 | 7 years ago
> If the researcher had downloaded the 2TB of data and published it as a torrent, then laymen might care
Nope. In fact, you couldn't be more wrong. The outcome Joe Six-Pack would get from it is not that "data aggregators are dangerous" but that "security researchers, privacy advocates and cyber-criminals are pretty much the same, they are doing the same thing - stealing your data from honest hard-working marketers - and then hide behind 'privacy' and 'research' when they get caught". And most of the press will run with it gladly, it's an entertaining story.
You can't do your cause - whatever it is - a worse disservice than to commit crime "to show them". That makes you a criminal - whose argument will be ignored because nobody wants to agree with a criminal - and your cause the one which is promoted by criminals. It's very hard to argue from this position. Sometimes there's no choice - i.e. if the whole enterprise is criminalized in advance, as is criticism of the power in totalitarian states. But nobody smart should put oneself in this position voluntarily.
> going full Snowden would have had much greater impact
Snowden revealed secrets of the NSA that did not hurt the average citizen - on the contrary, in many cases they were deployed against the average citizen. In this case, you would be the one directly hurting the average citizen. You wouldn't get the Snowden cape.
hetspookjee | 7 years ago
While I think it's the most effective to leak the data of the persons that are able to change the rules and pursue justice in this case, I do think that these exact people will try everything in their power to make an example out of you - the leaker - and you'll end up as a second Aaron Swartz.
Also I think it's interesting that people say it is "leaked" while what actually happened is that the price of this data got lowered to zero for a few lucky souls.
mtgx | 7 years ago
Make companies "super-liable" for any data beyond the data they (actually) need for the functioning of the service that is stolen in a data breach from their servers.
This would hopefully not just encourage more companies to believe that data is "toxic" [1] and treat it as a liability, not as an asset, but it would also encourage them to adopt end-to-end encryption in as many types of services as possible (and eventually stuff like homomorphic encryption or any form of encryption that doesn't give the company itself and hackers direct access to the data).
[1] https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...
un-devmox | 7 years ago
> It's interesting that we consider this a leak only when the marketing firm loses the data.
We don't consider this a leak when the marketing firm loses its data. It's only a leak when we find out that the marketing firm has lost control of its data.
hhh | 7 years ago
They advertise themselves as having the most accurate data (why wouldn't they advertise themselves this way?). If so, the people it affects have a right to know, and it seems that they have the means to contact them and let them know.
erickj | 7 years ago
but how would they ever get the contact information for all of those people? surely that's private information....
oh... right ಠ_ಠ
mikehollinger | 7 years ago
“In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:
We will notify you via email
• Within 7 business days
We will notify the users via in-site notification
• Within 7 business days
We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.”
reilly3000 | 7 years ago
Information inequity. Whoever has access to this data had an advantage on 340M people, and opportunity to understand and influence them.
I think the antithesis of this would be information redistribution. Everybody should be entitled to access all of this information if anyone has it. Just for fun let's say the only caveat is that all information access is also public and linked to each identity.
Do you think it's better off in the hands of the highest bidders???
achillean | 7 years ago
https://www.shodan.io/report/yhaN9gje
hopeless | 7 years ago
A lot of people complained that GDPR was too onerous on small firms and that they should be exempt. According to LinkedIn https://ie.linkedin.com/company/exactis-llc Exactis has just 10 employees (obviously some error possible. Call it 15-20?)
Now do you think small firms can’t hold large quantities of damaging data?
fouc | 7 years ago
> "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen"
> Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.
It might be "comprehensive" but is it comprehensive in a scary way? It's probably just 400 machine learning features that are estimating what people might like, so not necessarily super accurate?
extradego | 7 years ago
Even worse. Many people say they “don’t have anything to hide” because they too haven’t considered the vast consequences regardless of having something to hide. For starters, when the data is inaccurate, you might have something to hide that even you didn’t know about, and it could be responsible for all sorts of events and opportunities in your life both public and private without you even knowing. Things that give you a different life experience than your friends to an unknown degree. This sort of lack of knowledge, control, deprivation of explanation or closure etc. would be the lived experience of chaos and it’s one of the most frightening parts.
_oya8 | 7 years ago
And we're not even beginning to think about what this can be used for by authoritarian regimes (cf. https://www.madamasr.com/en/2014/09/29/opinion/u/you-are-bei...)
wu-ikkyu | 7 years ago
"Big data" was crucial to the operational efficiency of the Holocaust
https://en.m.wikipedia.org/wiki/IBM_and_the_Holocaust
mic47 | 7 years ago
I think that the right title should be "Marketing Firm Exactis Exposed a Personal Info Database with 340M Records on Internet". This is not a leak, at least there is no evidence of it yet. While this does not downplay this security "mishap", there is still a big difference between "someone robs a bank" and "bank left their vaults open".
OTOH, it would be interesting to know how they got hold of such data.
rishabhd | 7 years ago
edit: nope, this is infinitely worse.
astura | 7 years ago
Without more information I can only assume they are scraping public records just like sites like Spokeo etc. Perhaps with some data analysis thrown in.
So I don't see much of a personal concern; especially since their business model appears to be selling this very data!
sorokod | 7 years ago
CTO
Will is a highly accomplished IT Executive designing and developing self-service software applications built on BIG Data, running in Cloud Infrastructure in highly secure environments, leveraging analytics and yielding high profits and rapid growth.
He is responsible for technology strategy which includes highly accurate and automated data processing, cloud infrastructure, MS Azure platform-as-a-service, Cloudera / Hadoop Data Management Platform, APIs, Marketing Automation Platform, Analytics, and Digital Marketing.
( http://www.exactis.com/about-us/ )
highly ironic