I’ve said it before and I’ll say it again, unless and until, companies like Facebook are fined appropriate amounts they’ll never stop.
Quite literally, every business school on the fucking planet will tell you do something if it’s cheaper. It is cheaper for them to not give a fuck, than to give one. Unless they are fined upwards of $20-50bn it’ll never stop because it’s always going to benefit their bottom line. Full stop.
If you don’t take 10-15% from a company they won’t ever be incentivized to stop. This 5% or less bullshit has to stop if folks want change.
If customers do not care enough to stop using the product then there is no harm. Put in another way: the people you are trying to protect don't want your protection, because they don't care enough about the breach to stop using the product.
They shouldn't be learning about the breaches from the company that has been breached because that gives the company too much power. Instead we should empower watchdog organizations to be our source of news for data breaches.
Here in Mexico, in theory every person record that is leaked without the holder permission can get the company a $5000 fine. Given that this leak has at least 50,000 records from Mexicans, Facebook could be fined up to $250,000,000.
I don't understand why the government doesn't go for these type of things. On one side... it is easy money for the federation. On the other side, in a "personal" level for the bureaucrats, it is at least some good money they can keep corruptly.
If the value of data protection is that high then civil suit reform (lower overhead filing, improved class actions) should accomplish the same thing, and give the money to the owners of the data, without creating a massive defensive moat around the few companies that can afford the risk.
> every business school on the fucking planet will tell you do something if it’s cheaper. It is cheaper for them to not give a fuck, than to give one
But Governments rarely have a fine based on the entity's revenue, let alone calculating fine based on the impact of the negligence like this. I guess FB has decided even if GDPR fine is triggered, paying that is better than reminding half-billion users that using their platform is dangerous.
I've witnessed, while literally getting sick due to the compliance burden of running the company as a single person (i.e., making sure I don't fall behind on any of them), large companies calculating the expenditure to 'fix the fine' if raised by the Govt. after several years and deciding NTGAF as the fine/fix is 'negligible' for them.
My only issues with this are that it's impractically hard to protect data to the extent necessary, and large fines become a lever for disgruntled employees to cause massive damage.
I have a strong suspicion that, if a government tried to fine a company in billions, that company would simply leave the country forever. I'm not saying that this is a good thing or a bad thing. It's just an intuition that I have.
Or just break them up? Both parties in the US have spoken about breaking the "Big Tech" monopolies for a while now. Maybe some grass roots activism could finally get it some traction?
We have a three strikes law in CA. I haven't done any research to find out how effective it's been in reducing crime - but something similar for big companies like Facebook might be a way of dealing with this nonsense?
It's complicated. Some large companies make every effort, but are still plagued by lawsuits. Do everything to the best of your ability, still sometimes somebody will cut themselves shaving or whatever, and sue. I know of one that settles for anything under a quarter million without even determining merit. Because it never ends.
I know, Facebook has made an egregious error. But overreacting (kill them all!) is not a good solution?
You are advocating creating perverse incentives. A specific branch of government, a select agency, to become a profit center through continuous finding and fining of ever more wrongdoings. All morally excused because the victims are faceless multinational corps.
We all know how badly that goes with speed traps and red light cameras - instead of improving, the road conditions and sometimes even local rules are tweaked to maintain steady cashflow.
Say no to revolving doors of regulators, say no to moral hazard of what effectively amounts to vice tax. Apply criminal penalties when reasonable, don't make data leaks & privacy breaches just another cost of doing business.
-edit-
Clarification: a fine works well when it's expected to be a rare penalty enacted on a singular player - as it makes that player noncompetitive in the market. Conversely, when fines are expected to apply regularly and at a proportional rate to most, or all, players in a market, the fine no longer makes the player noncompetitive - it merely shifts the market. Perhaps some alternative markets (print? radio & TV?) would pick up some of the advertising slack, but largely it'd be a regular money transfer from corps to the government. And a "vice tax" like that is a clear moral hazard, with no natural end in sight.
For years companies have been steadily asking, mandating or even trickling users to give them their phone numbers under the excuse of security (while the real reasons were different), now what?
How can they be trusted anymore?
This also strikes a great point about the data sharing between Facebook and WhatsApp. Linking data between services augments the dangers and the consequences are not obvious to the end user.
I think Facebook should offer their users the option to remove their phone numbers with a real deletion.
Further, I think sovereigns should mandate a class-action monetary compensation from F'book to each and every user affected, as a pre-req for further continued operation in each national jurisdiction.
This, of course, due fines aside ...
Edit: See my further comment upthread on this, or other solutions.
Facebook should also offer complete opt out from any tracking. Their model where they offer their service for "free", but harvest tonnes of personal data and then use them for targeted advertising, should be regulated.
If your family is on Facebook and you want to maintain contact with them, it is next to impossible to move everyone on a platform that respects privacy.
I think an option where you pay monthly and in exchange your personal data is not being used should be mandated by law.
Certainly I cannot be the only one who finds phone numbers, email addresses, and many other things quite inconsequential compared to name and address.
In particular, there could easily be a postal system implemented where the sender would not need the actual physical address of the receiver. The receiver could easily ask the postal service to generate an arbitrary key which could either be single use, or multiple use, in order to deliver, so that one could receive mail and packages without having to surrender information regarding one's place of residence to the sending party.
Recently, I was hand delivered something from my sports club at my address as an apology for COVID. All quite considerate, but I'm not so comfortable with the fact that apparently my physical address is known to arbitrary members of said club, and that I was required to give it in order to sign up, which is necessary with modern technology.
There is no theoretical need to surrender one's physical address to join a sports club in theory, but physical addresses are exchanged everywhere as though there be no problem with this. They are of course the easiest way to stalk and harm someone.
Phone number is a primary second factor for most people, and either a phone number or an email address is required to authenticate the person logging in is really the owner of the account in many instances such as logging in from a different computer.
Google does the same, they've even published a paper showing just adding an email address is enough to eliminate 90+% of phishing attempts.
This huge leak has definitely killed the SMS text messaging service. Sender can be spoofed and spam/scam/phishing have reached an intolerable level. The fact that they can cross reference you and then produce a more personalized content is huge. Changing password is easy (ok less easy if you recycle it) but changing phone number is something that I am not even relaxed to do.
Can anyone on HN please explain why, why, WHY are we still using SMS/telephony which has exactly 0 encryption wh---I guess that's the reason?
It's insane. I've heard banks using SMS!!!! To send a code. We have TOTP for that! Or even perhaps a push notification or something better than bloody SMS.
I refuse to use the networking system altogether. No phones, no calls. Of course you do 'need' a number so I keep one handy, but I haven't read a text or made a phone call in a long while.
Is this worldwide or US? I for now trust the senderid and assume them to be valid if they are coming from bank etc. I also haven't heard of anyone spoofing SMS. Should I be more cautious?
Could someone elaborate on what the worst-case exploit would be for those numbers that got leaked? What would a scenario look like? Asking for a friend whose number got exposed...
> This huge leak has definitely killed the
> SMS text messaging service.
So with this breach, one now must use WhatsApp for messaging contacts? That is rather convenient for Facebook.
As someone who has much friction already convincing people to use SMS with me instead of the WhatsApp account that I've never had (nor a Facebook account), making SMS even more problematic is great for Facebook. Many people assume bad intentions or some other undesirable status when telling them that I don't have WhatsApp and that I'm not willing to install it.
What is truly damaging about this breach is that it allows for bidirectional mapping of phone ⭤ name (and often location, since the data can include town/employer).
The risk is much bigger than "I'm going to get more phone spam."
Examples:
- An abusive ex/stalker type can now search by name and find his ex's phone number and maybe even city/town.
- Have you ever dealt with an irate person via phone? (craigslist deal gone wrong/creepy, for example). This person can now know your name and even photo since the leak includes your fb id.
I am certain that both of these things will happen in the next few months or years. If privacy changes are to happen at the legislative/personal responsibility level, it would behoove an organization like the EFF to find one such case and use it to sue the living daylights out of FB. I think it's also worth mentioning these sorts of risks instead of focusing on "spam".
Unfortunately, even if that were to happen, we'd end up with a moral panic, which almost always ends up punishing the wrong people. What we really need is a change in the kinds of data that are allowed to be kept, and a change in data/identification infrastructure.
Things like:
- The creation of a standardized & subsidized token/OTP platform. In the US for example, you should be able to go to the post office and get a NIST approved token generator, which should be mandated to be used by all banks and replace SMS and SSN as authentication.
- A pseudonymity middle-layer (i.e., Stripe for Privacy). For example, when I buy a t-shirt online, I should be able to simply give the merchant my pseudonym, and they shouldn't store my actual name & address. If they want to store that there should be much much higher data protection requirements.
This infrastructure should be free market but with a "public option" in order to prevent oligopolization of these services.
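One way to sketch the "pseudonymity middle-layer" from the list above, as an added example rather than anything the commenter or any real provider has built: a hypothetical vault issues a different opaque token per merchant, the merchant stores only that token with the order, and only the vault (and only for the merchant the token was issued to) can turn it back into a delivery identity. Tokens can be revoked per merchant or for a whole user. All names and addresses below are constructed.

```python
import secrets


class Identity:
    """Real contact details. These live only inside the vault, never at a merchant."""

    def __init__(self, name: str, address: str):
        self.name = name
        self.address = address


class PseudonymVault:
    """Hypothetical privacy intermediary (not a real service).

    Each (merchant, token) pair maps to one user. Tokens are random, so two
    merchants holding tokens for the same person cannot link them, and a
    leaked merchant database exposes tokens, not names or addresses.
    """

    def __init__(self):
        self._identities = {}   # user_id -> Identity
        self._tokens = {}       # (merchant_id, token) -> user_id

    def enroll(self, user_id: str, identity: Identity) -> None:
        self._identities[user_id] = identity

    def issue_pseudonym(self, user_id: str, merchant_id: str) -> str:
        if user_id not in self._identities:
            raise KeyError(f"unknown user {user_id!r}")
        token = secrets.token_urlsafe(16)  # 128 bits, unguessable
        self._tokens[(merchant_id, token)] = user_id
        return token

    def resolve(self, merchant_id: str, token: str):
        """Only the issuing merchant's token resolves; any other merchant gets None."""
        user_id = self._tokens.get((merchant_id, token))
        return None if user_id is None else self._identities[user_id]

    def revoke(self, merchant_id: str, token: str) -> bool:
        return self._tokens.pop((merchant_id, token), None) is not None

    def revoke_all(self, user_id: str) -> int:
        """Cut every merchant off from a user at once (e.g. after the user moves)."""
        doomed = [k for k, v in self._tokens.items() if v == user_id]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)


def place_order(merchant_id: str, pseudonym: str, item: str) -> dict:
    """What the merchant is allowed to persist: the token and the order, nothing personal."""
    return {"merchant": merchant_id, "pseudonym": pseudonym, "item": item}


if __name__ == "__main__":
    vault = PseudonymVault()
    vault.enroll("user-1", Identity("Example Person", "1 Example Street"))  # constructed data
    tok = vault.issue_pseudonym("user-1", "shirtshop")
    print(place_order("shirtshop", tok, "t-shirt"))
    print(vault.resolve("shirtshop", tok).address)
```

The security properties worth noting are per-merchant unlinkability (a breach at one shop does not correlate with another), the merchant record containing no personal fields at all, and a single revocation point; the price is that the vault itself becomes the high-value target the commenter's "much higher data protection requirements" would have to apply to.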
The "real names" myth was the biggest scam played against people in the past 15 years. The media are also wholesale responsible for perpetuating that damaging trend. Historians of the future will look at the past 2 decades with disbelief.
Because I would really like to know if I'm affected. According to "Have I Been Pwned" my phone number is not in the list, but about one or two weeks ago I noticed that my spam folder was unusually full, which led me to believe that something new must have happened. Shortly thereafter Facebook's leak hit the news.
From my point of view it is their obligation to notify all the affected users. It's morally the right thing to do, and legally, well, I don't know, but maybe the GDPR says that yes, that it's their obligation to do so.
And with notification I mean to send a notification email, since I haven't logged in for months and don't intend to this year.
Guess it's too hard to notify users that their information got leaked. I hope they reported to all the different institutions in Europe though. The article suggests they didn't even report it to the Ireland one!
> In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Question: is it legal to download these files to see what data is leaked about yourself?
My issue with haveibeenpwned is that I don't know what's leaked. Note, I'm super happy with the fact that the service exists because I'm happy with the fact to know who of my social circle is in it, so I can notify them. But I don't know exactly what's leaked.
Are passwords leaked, for example? What about my social info is on there?
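The two comments above lean on Have I Been Pwned to find out whether a number is in the dump. As an added example (not HIBP's code, and not a claim about how its phone-number search works; the k-anonymity range query shown here is the pattern HIBP documents for its Pwned Passwords API), this is how a breach-lookup service can answer "is my number in the leak?" while only ever seeing the first five hex characters of a hash. The leaked numbers are constructed from the fictional 555-01xx range.

```python
import hashlib

PREFIX_LEN = 5  # hex characters sent to the server; the other 35 never leave the client


def normalize(number: str) -> str:
    """Canonical E.164-style form so '+1 555-555-0100' and '+15555550100' hash identically."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def phone_hash(number: str) -> str:
    return hashlib.sha1(normalize(number).encode()).hexdigest().upper()


class BreachIndex:
    """Server side. Holds only hashes of leaked numbers, bucketed by hash prefix."""

    def __init__(self, leaked_numbers):
        self.by_prefix = {}
        for n in leaked_numbers:
            h = phone_hash(n)
            self.by_prefix.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
        self.queries_seen = []  # what the server actually learns about each query

    def range_query(self, prefix: str):
        """Return every suffix in the bucket; the server cannot tell which one the client wants."""
        self.queries_seen.append(prefix)
        return sorted(self.by_prefix.get(prefix, []))


def check_number(index: BreachIndex, number: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    h = phone_hash(number)
    return h[PREFIX_LEN:] in index.range_query(h[:PREFIX_LEN])


# Constructed sample "leak" using reserved fictional numbers.
SAMPLE_LEAK = ["+15555550100", "+15555550101", "+442071234567"]  # last one is also made up

if __name__ == "__main__":
    index = BreachIndex(SAMPLE_LEAK)
    print(check_number(index, "+1 555-555-0100"))  # True
    print(check_number(index, "+1 555-555-0199"))  # False
    print(index.queries_seen)  # only 5-character prefixes
```

The caveat a practitioner should keep in mind: the phone-number space is tiny (on the order of 10^10 values), so a server handed the full hash could simply precompute every number. The prefix query, not the hashing, is what keeps the client's number private, and even then the server learns the number lies in one bucket of roughly 1/16^5 of the space.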
I love how the reasons to delete social media keep on growing.
With someone's number you can very easily get a rough idea of where they live. I can imagine the living hell this creates for Domestic Violence survivors and others escaping bad situations.
On the flipside I plan on spending my weekends phone free, only carrying a small FM radio to play music.
My twitter account got flagged as suspicious even though I haven't used it during the past few months and have a long random password. Now they want my mobile number to "verify" me in addition to a captcha. It is ridiculous and obviously tech companies can't be trusted with personal data of that caliber. I have never used my real name with that twitter account and now they want to know it all, why? Greed is my guess.
It is a strange thing to consider how we view privacy these days. We share so many things and allow our privacy to be invaded in ways that would shock people 30 years ago.
On the other hand, everyone used to get a book delivered to their house every year with the information that is contained in this leak. I remember when you were considered a bit of a crank if you had your number as unlisted in the phone book.
The reaction here is why I start losing faith in humanity.
This "leak" has been blown way out of proportion. This leak, if anyone has actually bothered to look into it, will tell you there's very little of value available. For instance, there are no passwords.
There are about 2.5 mil emails that in all likelihood are already out in the wild. For the phone numbers, you can just robo-dial (there aren't many to be found, mind you). For everything else, it's data that the users have set public on their profiles, so it's meant to be seen, and you can readily search for it on Facebook already.
Thanks for posting the only useful addition to the thread. :)
So the authority is still looking into it. They could still reach an agreement with Facebook on what to do. Then Facebook would probably be shielded from whatever liability those actions would supposedly cause (their excuse "we might make mistakes"), because "we were told to".
SN76477|5 years ago
This should be a 25 billion dollar fine.
For a business entity this is the only thing that will motivate them to try harder in the future.
viro|5 years ago
Man sometimes I think people forget phone books existed for a long time.
gameswithgo|5 years ago
They never could be.
uncletammy|5 years ago
Or the end user's friends and family whose privacy was also affected by being in the user's contact list.
comeonseriously|5 years ago
"People just submitted it. I don't know why. They 'trust me'. Dumb fucks." -Mark Zuckerberg
zapdrive|5 years ago
Lol.
rpastuszak|5 years ago
@Facebook here you go: https://haveibeenpwned.com
aboringusername|5 years ago
It needs to die. NOW. Outlaw SMS!
alephu5|5 years ago
This is Facebook ffs, they almost have a monopoly on communication.
villgax|5 years ago
The amount of laxity they have shown in this matter is appalling!!
wyuenho|5 years ago
ALL THE LEAKED DATA WAS PUBLIC.
Do better HN.
po1nter|5 years ago
From here https://www.dataprotection.ie/en/news-media/press-releases/d...