From my observations, for data vendors "anonymization" generally just involves replacing a name or credit card number with some other identifier. That's the reality and that's all they are required to do by regulators. People on both sides of the market know and leverage this. There are legitimate use cases that people are after that can only be achieved by having the ability to correlate pseudonymous entities with some kind of history. Lots of data sets would be significantly less valuable, and lots of industry standard analyses unachievable with those identifiers out of the picture. As long as there is no Personally Identifiable Information (which, no, metadata, location history, medical claims, transaction details, don't count). I would imagine that this is something regulators are aware of and that the privacy tradeoff has just been shrugged off so that the market can carry on and do its thing.
> "anonymization" generally just involves replacing a name or credit card number with some other identifier.
DJB's description of "anonymization" while talking[1] about his job as the man in the middle at Verizon:
>> Hashing is magic crypto pixie-dust, which takes personally identifiable information and makes it incomprehensible to the marketing department. When a marketing person looks at random letters and numbers they have no idea what it means. They can't imagine that anybody could possibly understand the information, reverse the hash, correlate the hashes, track them, save them, record them.
> lots of industry standard analyses unachievable with those identifiers out of the picture.
Calling something "standard" doesn't mean it's ethical. If someone wants use that type of identifier, they need to get explicit informed consent from everyone involved, and they need to be liable for any damages that derive from their database of identified records.
>Lots of data sets would be significantly less valuable, and lots of industry standard analyses unachievable with those identifiers out of the picture.
I'm fine with this.
>As long as there is no Personally Identifiable Information (which, no, metadata, location history, medical claims, transaction details, don't count).
Currently. Hopefully the stroke of a pen will eventually change this, and soon.
The only antidote to this kind of profiteering is a cultural shift. And if starts with us, the developers who are building this tech.
Unfortunately most of us are quite powerless to stop it otherwise. As time passes I'm only more convinced that this is an evil which will inevitably be abused by governments in the near future to target dissidents. And possibly other groups - you don't need much information from spending habits and location history to trivially build a profile consisting of religious affiliation, political affiliation, sexual orientation, and general interests. This maliciousness is putting us all at risk in the name of greed.
The US learned in 2016 that information is a tool of war. Defending oneself against the encroachment of zero privacy operators is going to have to be fought with information as well. Laws have no teeth, which will continue to be the case indefinitely due to Citizen's United.
>The US learned in 2016 that information is a tool of war
Uh, people have understood the usefulness of information and information control for probably hundreds of years - at the very least since the cold war.
What do you think the CIA, KGB, CCP have been doing all this time?
I swear people just stopped thinking critically when Trump was elected. Things were broken long before 2016.
I respectfully disagree. People will always choose free and lazy. It will take legislation and that is much much harder here than in the EU. I'm not sure what the required cultural shift that would push for these laws would take to get started and gain traction.
I don't think people will always choose free and lazy - although I do think legislation is needed for being part of the solution,
The only time I get a shift in thinking is when I mention what we can do with the data that thier daughter / granddaughter doesn't know she is sharing..
Most older people don't care if I can see the sites they visit, their purchase history, pics on their phone.. but when you start to explain the things you can do with the data their daughter / granddaughter is creating - they get quiet. The NTYtimes article about the teen who was pregnant and Target knew it before her dad and the baby daddy.. that was the start of some eye opening - but most have not read it.
>>Unfortunately most of us are quite powerless to stop it otherwise.
I apologize in advance for the slaughter of some sacred cows.
We are not powerless, we are just being practical. But our short term interests are getting in the way of our long term interests at the moment.
Take for example patio11's failed startup which tried to help companies hire software engineers. Now, I don't really know all the reasons it failed, nor do I care. But I will definitely note that right around the same time, he was also explaining how every software developer was a sucker if they didn't go and work for one of the big tech companies. (I am sure it was more nuanced, but my point is directionally correct). The saying goes that "the road to hell is paved with good intentions", and I don't for a minute doubt patio11's intentions. But the weird side effect of his own advice was that developers were simply preferring to spend extra time trying to clear the big tech interviews rather than cracking some kind of CTF game. In other words, he was doing everything in his power to make sure potential clients of his company were going to find it much harder to hire said engineers. If patio11's goal is to actually increase the GDP of the internet, he can start by educating everyone about the major problems being caused by the tech monopolies.
Let me also address pg's intentions. Take a look at the "successful" YCombinator startups. Is there any company in there which isn't trying to grow at the expense of doing what is right by their customers? Now take the peripheral side effects of the existence of the YCombinator ecosystem. Overhyping of Silicon Valley. Talent cluster formation, to the absolute detriment of local tech companies in other regions. Capital is basically gushing into a very small geographic region, distorting anything and everything in sight (e.g. real estate prices).
Last but not least, I would say that Big Tech got much stronger because of the 2008 financial crisis (easy access to cheap capital to the survivors), plus the stock buyback policies of Trump (it is easier to buy back stock than to actually innovate). Whether or not you agree with the macro-economic policies, the general observation is very true. Big Tech profited enormously because of the financial crisis, and were "bailed out" as a side effect. Here I refer to "bailed out" as a simple metaphor for having the ability to buy out competition very easily (instead of having to actually compete). Have you noticed that none of the Big Tech companies are actually going after the already consolidated markets of other Big Tech companies anymore? That is, Microsoft isn't going after YouTube. Google isn't really going after Windows. Facebook isn't going after search. Amazon isn't trying to build a social network. The oligopoly not only suits them just fine, it also prevents unnecessary bleeding of capital which can instead be preserved for the next financial crisis, so they can repeat the same playbook.
Yesterday, a fellow customer of one of the big US wireless telecom carriers received a spoofed call from my mobile number. He called me up thinking I had called him, and we started talking, and turns out he’s a Data Broker from the East Coast (I’m on the West Coast). He was very friendly and discussed specifics for how the mobile phone anonymous token works and how it’s supposedly a secure, anonymous arrangement.
I discussed with this gentleman the concerns from this article and he wasn’t too happy, naturally, given my disagreement with the practice of sharing such data due to such deanonymization concerns.
As I’m a bit of an activist regarding E2EE and voyeuristically supportive of certain disliked politicians, and against the described data sharing, I have to wonder if someone chose my number to play a prank. Of course, it could simply be an odd coincidence, which is the most reasonable base assumption. Still, I wonder why my number specifically was chosen to target this individual, who said he was the victim of substantial identity theft and yet has refused to change his phone number, likely due to the complexities in doing so.
I have a habit of consistently following up on such matters, and so perhaps someone was knowingly demonstrating to me that this wireless carrier can’t even stop in-network spoofed calls, aware that I would investigate it. Of course that’s a bit far fetched but who knows? If the offending party was able to cover their tracks then that says something about the absurd age we are in.
At the least, and unrelated to the original article, it’s clear that this major wireless carrier doesn’t even have the ability to prevent spoofed calls from within their own nationwide network from numbers associated with their own customers. I called their support and pointed out that, at least conceptually, it should be trivial to build a security feature to prevent this. And presumably shaken/stirred ss7 cert authentication for did’s should already cover in-network did authentication and prevent in-network spoofing. Is this a reasonable assumption? Have all the major carriers built these protocol upgrades to prevent spoofed calls?
There’s the outside possibility this gentleman lied to me about his carrier, dialed back the wrong number, or lied to me about the spoofed call but I gained the sense that he was being truthful to me.
Overall it seems that the cyber world is really quite a mess, whether with data sharing malfeasance per the article, insecure wireless networks, globally enabled ransomware, and ever-increasing data in the hands of private global entities that will exist beyond our lifetimes.
SHAKEN/STIR is rolling out very, very, very slowly. Interoperability is poorly defined and carriers seem to be sharing on an ad-hoc basis.
Anyone with a prepaid credit card can spoof numbers, make calls for < $0.005/minute, just by running apt-get install asterisk with a minimal configuration.
I use Google Opinion Rewards and I feel like some of their questions are meant to see if they can deanonymize identities from credit card data and a few location data point.
Oh yeah that can definitely be from Google Ads too, but I remember some question quite surprising. I forgot to install it on my new phone that I got in December, so I don't remember much theses questions, but it's now installed, so I'll see. I know that they asked me for receipts a few time.
Incidentally, this story and practice are a partial refutation of the "if you're not paying for the product, you're the customer" trope. In the sense that very often when you are paying, you're still the product.
All the more so when payment data are detailed and reliable, as in the case of credit- and debit-card spending.
Effectively: if there are no practical limits on data gathering, aggregation, correlation, and sales, you are the product.
There are exceptions to this in both the free and non-free spaces. Much free software, for example, does not turn users into products. And there are cases of paid transactions (often using more anonymous mechanisms such as cash) in which privacy is preserved.
Those are becoming the exceptions however. And barring regulatory and legal changes, with both civil and criminal penalties having teeth, this will not change.
I always want to ask... does this mean people living in the US or US citizens? because the meaning sounds like its limited to citizens but I'm almost positive any stats that say 'Americans' means 'people in America'.
No, it isn't because of privacy. It is because they get a cut of the total volume processed on the cards and, as a bonus, they get details about where you spend your money.
They aren't operating a charity. You also left our hotels, airlines, etc. United Airlines makes $$ by signing up members for the United Cards by Chase.
Starbucks has one of the most seamless payment and ordering systems I use on a day-to-day basis. I'm not sure why it's surprising they would have their own credit card to make that even easier. Heck, every big box store seems to have their own card too. They cut down on the transaction fees if it's their own card, plus extra data for them.
At one point Starbucks' digital payment system was ahead of Apple Pay in dollar volume and doing double the volume of all of google pay. I didn't know Starbucks had a credit card but it doesn't surprise me.
Interest income, plus a cut of every transaction (even if not at Starbucks). Plus added spend at Starbucks - having a Starbucks card may entice more spend at Starbucks.
Who do they sell data to ? The phrase 'selling data' always seemed handwavy to me. What products/services can you make from that data ? Forecasting ? Customer tracking ? Wouldn't deanonymization make the service illegal or is that a grey area ?
Banks and marketing organisations are a major customer. So are skip-tracers, collections agencies, and scammers (who can build impressive profiles of gullible marks based on purchasing / spending habits).
You don’t need leaks, you just need to read the marketing materials of these firms. They sell your data. They are ten times worse than what Google does in the worst fever dreams of the most tiresome DDG/Brave user on HN.
Ironically, while Google buys credit card data (and likely other data), and advertisers give them data, I'm pretty sure they don't leak personal data like that.
This has been mentioned many times about [insert large news website here] about how they're article talks about why tracking is bad yet the article is on a website with paywalls, anti-ad blockers, tracking etc.
The reason is the same: the people who write the articles are different from those who choose the poor tracking decisions.
And leaked documents will also show how VICE exploits users by exploiting their privacy through ad trackers. Gosh I wonder what could be worst? LOL!! Lets NOT quickly forget how Mr. Joe Biden's presidential campaign has been financed through credit card companies.
