top | item 31511865


J-Kuhn | 3 years ago

Here is a fictional timeline of events:

* Problem: Spammers automate creation of accounts. Solution: Reuse the MFA infrastructure as some kind of "CAPTCHA". The phone number is not stored.

* Problem: Spammers use a single phone number to unlock 1000's of accounts. Solution: Store the phone number - so those kinds of misuse can be detected.

* Problem: Ads-Team wants to sell more targeted ads. Solution: There is possibly a phone number stored in the user profile, use that.

Who is to blame here? The Ads team that didn't check if the number can be used?


jeffparsons|3 years ago

Solution #2 modified to be safer:

> Solution: Store A HASH OF the phone number - so those kinds of misuse can be detected.

If you don't need to store PII verbatim, don't store it verbatim.

> Who is to blame here? The Ads team that didn't check if the number can be used?

Yes. 100% yes. It's insane that we've normalized the idea that if you can physically get your hands on some data then that means you're allowed to do whatever you want with it. Anyone even remotely responsible working in advertising should be tracking provenance of the data they're using. I've heard all sorts of excuses about why this isn't practical, but with each year that passes I find them less convincing, and I've finally reached the point where I reject those excuses outright. If you don't _know_ you're allowed to use some PII for marketing, then you _can not_ use it for marketing. It's that simple.
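A sketch of what "store a hash of the phone number" looks like when done carefully, added here as an example that is not part of jeffparsons's comment. One caveat a practitioner would want stated: an unkeyed hash of a phone number is not anonymization, because the number space is small enough to enumerate, so the stored token below is an HMAC under a server-side secret. The key, the normalization rule, the abuse threshold, the sample sign-ups and the reduced brute-force range are all constructed for the demo.

```python
import hashlib
import hmac
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed demo key. In production this lives in a KMS/HSM or secrets store,
# is never written to the same datastore as the tokens, and can be rotated.
PEPPER = b"constructed-example-key-do-not-use-in-production"

# Constructed policy: more than this many accounts on one number is flagged.
MAX_ACCOUNTS_PER_NUMBER = 3


def normalize_phone(raw: str) -> str:
    """Canonicalize to digits only so formatting variants map to one token."""
    digits = re.sub(r"\D", "", raw)
    if not 8 <= len(digits) <= 15:  # E.164 allows at most 15 digits
        raise ValueError(f"implausible phone number length: {len(digits)}")
    return digits


def phone_token(raw: str, key: bytes = PEPPER) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized number.

    Equal numbers give equal tokens, so duplicates are detectable, but without
    the key a party holding the token table cannot enumerate the ~10^10
    plausible numbers to reverse it. Rotating the key invalidates old tokens.
    """
    return hmac.new(key, normalize_phone(raw).encode(), hashlib.sha256).hexdigest()


def find_abused_tokens(signups: Iterable[Tuple[str, str]],
                       threshold: int = MAX_ACCOUNTS_PER_NUMBER) -> dict:
    """signups: (account_id, phone_token) pairs. Returns tokens over the threshold."""
    counts = Counter(token for _, token in signups)
    return {token: n for token, n in counts.items() if n > threshold}


def crack_unkeyed_hash(digest_hex: str, prefix: str = "155555",
                       suffix_len: int = 5) -> Optional[str]:
    """Why a plain SHA-256 is not enough: brute-force the number space.

    Scaled down to a constructed 10^5-number range (155555xxxxx) so it runs in
    well under a second; the full national space is only a few orders larger.
    """
    for n in range(10 ** suffix_len):
        candidate = f"{prefix}{n:0{suffix_len}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


# Constructed sample sign-ups: one number used five times in varying formats.
SAMPLE_SIGNUPS = [
    (f"acct-{i}", phone_token(raw))
    for i, raw in enumerate([
        "+1 (555) 555-0100", "1-555-555-0100", "15555550100",
        "+1 555 555 0100", "1 555.555.0100",
        "+1 (555) 555-0199", "+1 (555) 555-0142",
    ])
]

if __name__ == "__main__":
    print("abused tokens:", find_abused_tokens(SAMPLE_SIGNUPS))
    plain = hashlib.sha256(b"15555501234").hexdigest()
    print("unkeyed hash recovered as:", crack_unkeyed_hash(plain))
    print("keyed token recovered as:", crack_unkeyed_hash(phone_token("15555501234")))
```

The abuse check only ever sees the token, so the fraud pipeline can do its job without a column that a marketing query could later join against a contact list; anyone who wants the raw number has to go through the key holder, which is where the provenance question the comment raises gets asked.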

j1elo|3 years ago

The person or team who gave green light to storing phone numbers without giving the data appropriate access controls and protections to avoid it being used for anything that is not strictly related with security and fraud control. A system such that if the Ads team tried to access it, they would get an access denied error, or maybe a red alert warning stating that this field cannot be used for marketing operations.

If a system to provide such protections didn't exist, then that system should have been implemented before agreeing on collecting phone numbers. Again, whoever didn't have that insight, should be the one to blame.

(all this is just wishful thinking on my part, of course)

ClumsyPilot|3 years ago

Problem: Bank wants to make more money. Solution: There is possibly some money stored in the customer's bank account, use that.

Do banks run like that? No. Do banks sell your details, your address, sign you up for random subscriptions without your permission? No. Why should Twitter get away with this?

mikestew|3 years ago

Go to your U. S. bank and get a mortgage, and after a month of emptying buckets of junk from your new mailbox, come back and tell me with a straight face that the bank didn’t sell every scrap of data they had on you.

stolsvik|3 years ago

Huh? That's pretty much exactly what banks do: they loan out the customers' money to someone else, taking an interest.

pornel|3 years ago

Yes! There are now privacy laws that explicitly require you to check if the user has given consent for such use of the data.

wolpoli|3 years ago

The team responsible for regulatory compliance is responsible. If the team doesn't exist, then legal should advise management to establish one or provide training to every team, and then the teams are responsible.

pkulak|3 years ago

Ad team, 100%. There are all kinds of laws around advertising. GDPR, CCPA, etc. And all the ad teams I've ever interacted with are well accustomed to consulting with the attorneys before doing something like using a brand new piece of personal data to do a brand new thing.

lkschubert8|3 years ago

How about the lowest common leader?