Slashdot Mirror
Ask Slashdot: Why Do Firms Leak Personal Details In Plain Text?
An anonymous reader writes "Having entered my personal details (full real name, home address) to websites with an 'https://' prefix in order to purchase goods, I am still being sent emails from companies (or their agents) which include, in plain text, those same details I have entered over a secure connection. These are often companies which are very keen to tell you how much they value your privacy and how they will not pass your details on to third parties. What recourse does one have to tell them to desist from such behaviour whilst still doing business with them if their products are otherwise desirable? I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this?"
It really comes down to what their privacy policy says, the country you are in and if they claim they do not share any information with 3rd parties and you were smart enough to use separate email addresses or unique identifying information so you can show the information had to originate with them then in many countries there definitely are legal avenues you can follow. But for the most part you are shit out of luck, find someone else to deal with. I started creating unqiue information that I can easily map to individual sites so I will know who is fucking me over whenever I register somewhere.
Gibberish. It has to do with the company not realizing that email is insecure.
I believe that his point was that the exact information that was sent encrypted is now being sent in plain-text over email. So, what's the point of using HTTPS to send private information if it's leaked right back through plain-text on port 25, and what can be done to tell companies to stop forwarding all those details through emails. Maybe they could email a link telling the user where to log-in to see his invoice instead of forwarding all his private information through email.
Why should they care?
There's no benefit to them keeping your information safe, it costs them time, money, and effort to do so, and there's no real consequences when they screw up. They will just put out a statement saying "all of our customer information was stolen, we recommend everyone change their password, and the hole is now patched - it can't happen again!".
Also, they can blame the thieves. "It wasn't our fault, it was that scoundrel who noticed that you can change the account number in the URL to get into someone else's account."
As to "we value your privacy", what does that actually mean? It means that companies have discovered that people trust companies that make that statement, and are more likely to purchase from such a company.
That's all it means, and no more. It doesn't mean that they care or that they abide by the statement, it means that they think they can get more business by using that phrase liberally in their public-facing documents.
You're living under the naive assumption that companies mean what they say and will do what they promise. They do what the consumer protection laws force them to do - any statement that reflects these laws is probably true, while the rest is simple puffing.
The thing that gets me is that when people give social security numbers, they always give the last four digits. The problem is that those are really the most sensitive for anyone who got one before the year 2011. I met a guy in college who could construct a whole SSN using your place of birth and birth date. The reason is that the first 3 represented geographic location and the middle 2 were given out in a certain order. The last four ticked up for each person assigned and where therefore the hardest to narrow down and guess. The reason is that they were not designed to be used the way we use them, and instead the government should come up with a ground up, randomly assigned number to actually identify people with or require that the ssn not be used that way.
Or we could just go with digital signatures aka RSA. It is 2013. Why the fuck are we still relying on a system that, each time you identify yourself to someone via SSN, you give them the non-revocable ability to impersonate you forever? It is earth-shatteringly stupid.
I am sure that the incredible fucktards at Air China who sent recently sent me a flight confirmation would like to know that.
It contained my full legal name, home address, and phone numbers. This does not bother me so much, as this is Sweden where most information of this sort is considered public knowledge. Want to know how much my flat is worth and what I paid for it? Did I pay taxes last year, and if so, how much? Feel free to hop on over to Skatteverket and file an info request.
The email also contained this:
Identifying document: US Passport
Identifying document number: #XXXXXX
Identifying document valid until: xxxx2020
Until 3 days ago, as I have not yet actually used this passport for travel, the only people on Earth who knew this number were me, the US Dept of State, and the Swedish Migration Bureau. Now who the fuck knows. Who THE FUCK knows.
And my girlfriend cannot understand why I threw a fit over this, or why I am talking about legal options.
Il n'y a pas de Planet B.
He's not claiming that the data is stored encrypted. All he is saying that the data he sends encrypted shouldn't be sent back to him unencrypted later.
The Government could fix the whole SSN issue by doing something direct and simple.
Publish all SSN's in a big directory.
They were never intended to be 'secret numbers' that would be used to validate anybody's identity. They were registration numbers for the Social Security System.
Publishing them ALL would force businesses and organizations to come up with real 'secure identifiers.'