Stop Saying, 'We Take Your Privacy and Security Seriously' (techcrunch.com) 192
Security reporter Zack Whittaker writes: In my years covering cybersecurity, there's one variation of the same lie that floats above the rest. "We take your privacy and security seriously." You might have heard the phrase here and there. It's a common trope used by companies in the wake of a data breach -- either in a "mea culpa" email to their customers or a statement on their website to tell you that they care about your data, even though in the next sentence they all too often admit to misusing or losing it. The truth is, most companies don't care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen.
I've never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn't even exist. I was curious how often this go-to one liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted it into machine-readable text. About one-third of all 285 data breach notifications had some variation of the line. It doesn't show that companies care about your data. It shows that they don't know what to do next.
And (Score:5, Insightful)
Re: (Score:1)
... and people who hate on SJWs don't really care about rampant political correctness.
Re: (Score:1)
That doesn't make sense; SJWs and political correctness are nearly synonymous. Or is there a "good" SJW out there somewhere that isn't prepared to ruin someone's life for offending their "values?"
Re: (Score:1)
And politicians don't really care about their constituents or the country.
Apparently the constituents don't care either. They keep reelecting the same class of politicians over and over.
Re: (Score:2)
It is a very old form of manipulation: If you know your product/service/agenda/faith/etc. has a serious defect, state with force the exact opposite. Whether this is "now even stronger" after a tissue brand actually got weaker, "we take your privacy seriously" when the opposite is true or "thou shalt not kill" when these fuckers are the most prolific murderers available does not matter. What matters is that this dishonest and despicable approach seems to work on many people.
Re: (Score:2)
But isn't the problem (especially in politician's case) that the constituents don't want to hear the truth? Here in Germany, we had a politician who said "it would cost about 1-2 Trillion EUROs to have a united Germany" (when the wall came down), "it will involve a lot of difficulties and we should not rush things, but think about it first". The other politician said "no worries, we will have 'blossoming fields', East Germany will be as rich as West Germany very quickly and it will cost no more than 100-200
Broad brush (Score:5, Interesting)
And politicians don't really care about their constituents or the country.
Awfully broad brush you are painting with there. Yes that is too often true but there are people in positions of political power who actually do genuinely care about the people they were elected to lead/serve. Such people are to be treasured when found.
And SJWs really don't care about equality.
A) The term "SJW" is lazy nonsense catchall pejorative like "hipster" that means almost nothing and accurately describes almost no one. Including your use here.
B) Equality and equity are not the same thing [everydayfeminism.com]. You're right they don't care about equality because equality isn't necessarily what's fair or necessary. You can charge a rich person and a poor person the same tax rate and that is equal but it isn't equitable because 20% of a poor person's income has a much bigger impact on their life than 20% of a rich person's. Just because something is the same for everyone doesn't mean it is fair or good.
Re: (Score:2)
Re:And (Score:5, Insightful)
Re: (Score:2, Insightful)
It is very hard to make something illegal when it benefits rich people.
Re: (Score:2)
Which is why there should be laws penalizing invasion of privacy.
That will not happen in the USA. The foundational laws of the land tell the government they can't collect that kind of data about its citizens. The un-elected officials are, at heart, dictators. That is a normal consequence of working in government and being lazy.
So how will these would-be dictators get all their data? Through businesses collecting it and then passing laws granting government access to it.
No. You will not get any serious privacy laws passed in the USA. The government wants control/informati
Re: (Score:2)
Re: (Score:2)
First you have to convince people to stop sharing their data. This did not start with Facebook and Google. Long before they ever came along banks and merchant associations started collecting data on people who were asking for credit. Customers wanted them to share the data, because when they went to get credit from a new store or business the only way they had to prove they were good for it was to point to the other people they did business with and say "Look I paid them back."
The local merchants associatio
Re: (Score:2)
Re:And (Score:4, Interesting)
Re: (Score:2)
Is that a desirable outcome?
People seem to have forgotten how expensive computing resources were before the cloud. They seem to have forgotten when sites were Slashdotted regularly, when a site from the other side of the world took 30 seconds to load, when free email accounts were limited to 20 MB, and when off-site backup was prohibitively pricey.
The cloud has been of great benefit to us, we just need to fix it so that it works better for us.
Re:And (Score:4, Insightful)
The problem isn't "the cloud".
The problem is twofold. One, that security did not keep up with the amount and severity of attacks, and that (personal) data is more valuable than ever before. Which of course is one of the things that drives the attacks.
Moving out of the cloud and trying to do your own thing again won't solve this. It will probably even make matters worse because I do kinda expect Amazon and Google to have more resources and better people available to secure their stuff than the average company that might collect some data about you.
What's needed is to make companies actually care about security. And that only works via punishment, unfortunately.
Re: (Score:2)
Is personal data more valuable than ever? Prices seem to be going down because there is so much of it. If you manage to grab a million records from somewhere, chances are a good proportion of them will be duplicates that someone else already sold from a different breach. Plus over-supply pushes prices down, and it keeps getting harder to translate that data into profit.
Re: (Score:2)
Re: (Score:2)
Not being able to trade anonymized data would be a severe hit to anyone trying to create statistics about anything. Countries rely on statistics to put the available resources to good use. How many car owners do we have and where do they drive? That allows us to know how much money to allocate to road construction, and where to build them. How do rents develop, so we know where to zone for more living space. How do people spend their pastime, so we know whether there are security or health issues coming our
Re: (Score:3)
Re: (Score:2)
That's great. So you just killed Google & Facebook. While I will experience no great loss over Facebook dying what do you think will replace all of the stuff people use Google for?
Let me make it clear. No Android, which means either using a flip phone or paying Apple, and believe me if they were a monopoly we'd be paying $2000 for an iphone.
No Google Maps. Which means out of date GPS, such as the auto manufacturers support where you get to pay $150 a year to update your maps.
No gmail. which means you ca
Re: (Score:2)
Re:And (Score:5, Insightful)
Walk away from companies that abuse your data.
How do you "walk away" from Equifax? The people exposed were their product, not their customers.
In every one of the other breaches, no customer knew about the sloppy practices until it was too late. So saying that "customer choice" is the solution doesn't work. Even when customers do have a choice, they are not able to make an informed decision.
TFA is written by someone who doesn't even understand the issues. He complains that Google "sells data about you to advertisers". No they don't. That is not how their business model works. They use your data to place ads on behalf of advertisers, but they do not, and never have, sold or transferred the data to the advertisers.
Heads I Win, Tails You Lose (Score:5, Interesting)
This win-win model is almost as good as the one the phone companies pull where they sell you a phone number and service, then sell your name and number to advertising services and finally sell you a call blocking service to prevent ads from reaching you: that's win-win-win!
Re:And (Score:5, Interesting)
In the EU you can request that Equifax delete the data they have about you, and not collect any more. You have a legal right to do that.
The problem is that it buggers up your credit file. There are other credit rating agencies, but it depends if the bank you apply to for a loan happens to use them, or considers the lack of an Equifax file to be suspicious.
Re: (Score:3)
HIPAA fines are in the thousands per user's data compromised.
Anthem was still compromised.
Personally, I lean towards having a robust plan for after the compromise. Defense in depth is highly underrated.
Re: (Score:2)
It's just silly at this point.
Everyone has been compromised.
The problem is not a privacy problem. It is an identity problem. They are separate issues. Equifax, Target, etc. getting compromised is a problem because it can allow someone to steal your identity. That is only a problem because it can screw up your ability to get credit, buy a house, etc. No one that I know of has ever had to pay for stuff bought with a stolen identity. If you notify a bank or credit card company your identity was stolen in the
Re: (Score:2)
In the US, a Social Security number is just fine as identification. It really, really sucks as authentication. The problem is not people seeing my SSN and associating that with me, but with people assuming that anyone with my SSN is in fact me.
Re: (Score:1)
SJW derangement syndrome is as bad as Trump derangement syndrome.
Re: And (Score:5, Funny)
We take your privacy and security. Seriously.
Re: (Score:2)
Why do you bury this gem in the pointless rubbish you respond to? This is the best summary of the problem possible!
Re: (Score:2)
You want the truth?
Re: (Score:2)
OK, I bite. Yes?
Re: (Score:1)
First of all, you are one of just two people who have ever friended me on Slashdot. In the 15 or so years I've been on the platform. You did this a long time ago, and I've remembered.
In the meantime I've filled up my foes page and moved on to the freaks page.
Slashdot is at once the greatest collection of smart people, and the greatest collection of the scum of the Earth.
It is, simply, NEVER worthwhile for me to post with my account name. The lunatics are running the asylum here.
That probably all sounds
Re: (Score:2)
Easy to tell whether they take it seriously... (Score:5, Interesting)
I have a pretty simple test for whether people take a thing seriously. How does it compare to how they handle payments?
Consider:
I ask you to stop spamming me, and you say I need to allow you 30 days to stop.
I ask you to take $5 from my bank account, and in under 10 seconds you have successfully resolved a transaction in a thorough, secure, and traceable way, even if my bank isn't on the same continent as your bank.
Which of these do I think you "take seriously"?
Re: (Score:2, Funny)
Soooooo...pay them money to stop spamming you?
What did we learn?
Re: (Score:2)
Out of modpoints.
Mod this up up up^^^^^^^^^
Why, so, serious(ly)? (Score:5, Insightful)
I ask you to take $5 from my bank account, and in under 10 seconds you have successfully resolved a transaction in a thorough, secure, and traceable way, even if my bank isn't on the same continent as your bank. Which of these do I think you "take seriously"?
Interestingly enough, a credit to your bank account can take up to an order of magnitude more time to post than an instantaneous purchase.
Perhaps the banking powers that be are tipping their collective hand here... when it is in their financial interest to do so, they've developed the uncanny ability to be as fast as they need to be or as slow as necessary to maximize daily balance computations.
Re:Why, so, serious(ly)? (Score:4, Interesting)
"Interestingly enough, a credit to your bank account can take up to an order of magnitude more time to post than an instantaneous purchase."
But your banker settles receipt of funds before the banking day is done. The longer they float funds they say are "in transit" the more cost free liquidity they have. They make a large percentage of their earnings from float.
Re: (Score:2)
In economics, float is duplicate money present in the banking system during the time between a deposit being made in the recipient's account and the money being deducted from the sender's account.
This is why you read /. kids...they're not slinging knowledge like this on the twitter.
Re: Why, so, serious(ly)? (Score:2)
An order of magnitude more than instantaneous? Please explain.
Re: (Score:2)
Re: (Score:2)
...they pull the plug on the computers during the weekend and holidays.
Good point. A Saturday transaction still pends electronically in seconds, but there is no posting until human oversight returns Monday, even though that posting typically happens at Midnight when human bankers are in short supply.
Why banks don't post transactions on weekends. [quora.com]
Bank credit is another instrument of profit for Banks. You either have the money at the time of the transaction or you don’t. The practice of “floating” a check is when the person writing a check knows they don’t have the money, but writes it anyway, hoping it’ll show up by the time the recipient cashes it. That worked back when The Good, The Bad and The Ugly first came out, but not today. Bank systems don’t work on paper, it’s all digital where things take seconds, not days, to “process”. In practice, checks “bounce” frequently. The consumer pays about $40 each time. It’s all avoidable. Banks should not be permitted to profit to this extent. What is the $40 for anyway? To fund their Cobol programmers’ pensions?
Transaction processing (Score:2)
Interestingly enough, a credit to your bank account can take up to an order of magnitude more time to post than an instantaneous purchase.
The settlement procedures are pretty much identical once the transaction is processed for purchases or refunds. You just don't notice because most of the time the cash flows are out of your account and not in to your account and because your bank hides some of the details. Many types of transactions don't actually close for some time (days) even if they show it posting immediately. My bank will post a transaction immediately because I'm considered a safe risk based on my banking history but it's technica
Re: Easy to tell whether they take it seriously... (Score:3)
Re: (Score:1)
Re: (Score:2)
Excellent point.
Re: (Score:2)
The only companies... (Score:3)
Re: (Score:1)
Also hardware that encourages local storage. I.e. a 'phone' (portable data terminal) that has an SD card slot, not one that forces your data to 'the cloud.'
Re: (Score:2)
No, seriously. (Score:5, Informative)
We took your privacy and security.
It's gone.
Re:No, seriously. (Score:5, Funny)
'We Take Your Privacy and Security, Seriously'
Re: (Score:2)
LMAO! And no mod points to give.
Missed Punctuation (Score:5, Funny)
The problem is all these companies forgot a semicolon. Let me help.
We take your privacy and security; seriously.
The security to get the ads into the browser (Score:3, Interesting)
The security to protect the ads all the way deep into the OS and browser.
The privacy to protect the ad tracking from any ad blockers.
just like companies, monetize it (Score:5, Insightful)
Penalties:
-- $2 for each name + password
-- $5 for credit card number
-- $10 for social security number
etc.
And multiply for combinations of the above. You'll see companies start fixing their processes (or simply refusing to store unnecessary data), right quick.
Better Value (Score:2)
A better way would be to simply make companies liable for all "reasonable" costs resulting from a violation of a customer's privacy and security. This will make them pay for the
Re: (Score:2)
Re: (Score:3)
No. Do it like with copyright. "We determine that by selling this information you could have netted a revenue of..."
Re: (Score:2)
The problem with the SSN is that it's treated like a unique, personally identifiable piece of information that only I know. For accessing way too many things, the SSN is the equivalent of both a username and a password.
Really, it should be treated like public information and only used for its intended purpose. I shouldn't have to worry about someone knowing my SSN because there should be absolutely nothing they could do with it.
Probably the best thing that could happen is the government saying at some dat
No company takes security seriously (Score:5, Insightful)
Re: (Score:3, Interesting)
Taking it seriously is not the only problem. Actual security is also misunderstood. Most security methods are "theater" like the TSA. Things are done a certain way to make you "feel secure" not to actually make you secure.
Take the lowly password for example. For years everyone decided that there should be "complexity requirements". Pure security theater right there. Poor saps that thought 1337 was where it was at.
Or how about interior corporate security... masses of firewalls installed between devices
"Thoughts and prayers" (Score:5, Insightful)
About one-third of all 285 data breach notifications had some variation of the line. It doesn't show that companies care about your data. It shows that they don't know what to do next.
"We take your privacy and security seriously" is the data tech equivalent of saying "We send out thoughts and prayers". It means nothing concrete, and is meant to end inquiry/discussion into what actions should in fact be taken (or should have been taken).
Re: (Score:2)
About one-third of all 285 data breach notifications had some variation of the line. It doesn't show that companies care about your data. It shows that they don't know what to do next.
"We take your privacy and security seriously" is the data tech equivalent of saying "We send out thoughts and prayers". It means nothing concrete, and is meant to end inquiry/discussion into what actions should in fact be taken (or should have been taken).
Well said. There's been not enough stick for the most egregious offenders, and there's the tasty carrot up front in the form of budgets for security in the neighborhood of what you tip the homeless if you worked at 7-11.
Technically true (Score:2)
Re: (Score:2)
"We take your privacy and security seriously" is the data tech equivalent of saying "We send out thoughts and prayers".
Not quite. Thoughts and prayers are free cop-outs. Taking data and privacy seriously is usually said by companies who at least pay someone to be in charge of data security.
The fact that this person is incompetent is beside the point.
Actually sticking with your theme, maybe a better example would be "We're going to arm every teacher with guns, and every student with hockey pucks!" That sounds more on the theme of blowing money down a hole of incompetence.
We value your call (Score:3)
It's right up there with "we value your call, that's why we've been claiming unusual call volume and long hold times since 1982". "Speaking of holding since 1982, hang in there Betty, help is only days away".
translation (Score:3)
Privacy & Internet Security are a myth in the (Score:1)
Consumers need to take their Privacy seriously too (Score:5, Interesting)
Consumers need to take their Privacy seriously too. This means:
- Demand to buy Android Devices with unlockable Bootloaders that can run Lineage OS.
- Maps provided by Osmand on Android
- Self Host a Federated NextCloud/OwnCloud Service for Roaming Storage on a PC they own with a Dynamic DNS Provider.
- Handle Contacts, Calendaring, and Task related services on a Groupware service.
- Instant Messaging/Social Media done Via Libpurple based Spectrum2 Servers. (again, hosted on the same set of Devices as the NextCloud/Groupware Solution.)
This is so that if you have a Discord/FaceBook/Skype/etc account, It can't track you.
These are the only things that will really change the privacy game.
Re: (Score:3)
Re:Consumers need to take their Privacy seriously (Score:4, Interesting)
My E-mail is free, but it's IMAP4. There are no Ads with it.
Smart phones are only fine in the circumstance that you have Android, have a spin of Android with LineageOS, Root, Magisk, etc, and do NOT have GApps flashed to your device and largely rely on F-Droid and ApkPure.
Re: (Score:2)
My E-mail is free, but it's IMAP4. There are no Ads with it.
That doesn't mean there isn't a privacy implication. Google also provides an IMAP4 server and you get your emails without Ads. So does Microsoft. Two companies which openly admit scanning your emails for marketing related reasons.
Re:Consumers need to take their Privacy seriously (Score:5, Insightful)
Let's break this down:
- Demand to buy Android Devices with unlockable Bootloaders that can run Lineage OS.
You just lose most consumers with this line.
- Maps provided by Osmand on Android
This is one of the few things you said that's doable.
- Self Host a Federated NextCloud/OwnCloud Service for Roaming Storage on a PC they own with a Dynamic DNS Provider.
You now lost a good chunk of the remaining technical crowd and narrowed your solution to only the top tier of nerds.
- Handle Contacts, Calendaring, and Task related services on a Groupware service.
What's a groupware service? Asking for a consumer.
- Instant Messaging/Social Media done Via Libpurple based Spectrum2 Servers. (again, hosted on the same set of Devices as the NextCloud/Groupware Solution.
That's good and all but I just checked and my friends aren't on it. Regards, a consumer.
These are the only things that will really change the privacy game.
Consider your game lost before the users even got through the instructions for it.
We value your privacy and security... (Score:2)
Stop saying "Cyber" (Score:2)
Please. Poor Norbert is spinning in his grave.
it is obvious (Score:1)
They care about your privacy means that the unique data that you provide to them is more valuable than the data you give everyone. They care about your security means if you feel insecure about their offerings you won't engage with their site.
its all in how you "word" it (Score:3)
Old one.. (Score:2)
"...your call is very important to us. Please remain on the line and..."
If it's so important, why did you just make me navigate a 3 minute tree and then wait 5 more, only to hear this malarkey?
It's all lies, from all the corporations (and many small businesses, too, dishonests are everywhere)
Modification (Score:1)
"We take your privacy seriously, but profits even more seriously."
We Take Your Privacy and Security Seriously (Score:2)
Your call is important to us, please hold.
Our menu options have changed, please listen to them all again.
Elect me, and I'll
Order Now! Supplies are limited.
Thank you for holding -- so how can I make you hang up faster?
We value your privacy (Score:4, Insightful)
Coincidentally, we value it exactly the same amount that the highest bidder does.
so.. (Score:2)
Stop Saying (Score:2)
I suppose next I'll have to stop saying "I love you and I'll still respect you in the morning."
Big misunderstanding! (Score:1)
It's "We're taking your privacy, seriously."
Who takes security seriously? (Score:2)
That is what I'd like to know. :P
We value your contribution to Slashdot (Score:2)
What a worthless story.
It's right up there with "So sorry for your loss" (Score:1)
Wow. Talk about killing your career (Score:2)
If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn't even exist.
A security researcher who seems to know about data and privacy doesn't understand the business practice of the two biggest companies in the data and privacy related fields.
Congratulations Zack Whittaker, you've just shown the world that you're out of your depth. Maybe you should go make instructional videos of how to build computers for the Verge and leave the security, data and privacy related talk to someone who actually knows what is going on in their field.
Re: (Score:2)
It's more than that. Think about it: we take safety seriously, which is why it's illegal to ever leave your house and cars are banned from our society.
Risk. Everything is about risk.
Thoughts and Prayers! (Score:2)
Isn't this the technical equivalent of "thoughts and prayers"?
template wording (Score:2)
the title needs to be adjusted to;
Stop saying, 'We take your seriously'
it's just a template sentence that everybody uses when something goes wrong with their product/company.
car company has issues with airbags - we take your safety very seriously
tv broadcast company has outage - we take your leisure time very seriously
etc.
you can find the reason why in the legal department's extensive writing excuses guide.
No, Google does not sell your data. (Score:2)
And here's where it's shown that the submitter knows nothing.
Google does NOT sell any information to advertisers. They keep the data to themselves. Google will USE that information to decide which ads are shown to which people. But the advertisers don't get to see any of this data.
You may still not like the fact that Google gathers all of that personal data, and tha
Doublespeak (Score:2)
"We take your security and privacy seriously."
Is a synonym/lawyer speak for:
"We done fucked up. Please don't sue us."
-Miser
Sounds like gun violence ... (Score:2)
"Sorry about that, OK? We are with you. We are strong. We will not be intimidated."
"Thanks for coming. Coffee on the white table; tea on the blue."
"Till next time? ..."
What? But... (Score:2)
Feature vs. bug (Score:2)
Here's what a lot of people don't seem to understand: Apple's Facetime problem is a bug. Facebook's issue is a feature. Governments, particularly left-wing governments, get their jollies punishing people for being less-than-perfect. Perfection isn't a standard that's achievable. Ergo, Apple shouldn't be punished for a bug. Facebook, on the other hand, sold the data to a third party. It just happens that the third party that brought this issue to light was working for the right side of the American pol