Stop Saying, 'We Take Your Privacy and Security Seriously'

Security reporter Zack Whittaker writes: In my years covering cybersecurity, there's one variation of the same lie that floats above the rest. "We take your privacy and security seriously." You might have heard the phrase here and there. It's a common trope used by companies in the wake of a data breach -- either in a "mea culpa" email to their customers or a statement on their website to tell you that they care about your data, even though in the next sentence they all too often admit to misusing or losing it. The truth is, most companies don't care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen.

I've never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn't even exist. I was curious how often this go-to one liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted it into machine-readable text. About one-third of all 285 data breach notifications had some variation of the line. It doesn't show that companies care about your data. It shows that they don't know what to do next.

Easy to tell whether they take it seriously...

[seebs]

I have a pretty simple test for whether people take a thing seriously. How does it compare to how they handle payments?

Consider:

I ask you to stop spamming me, and you say I need to allow you 30 days to stop.

I ask you to take $5 from my bank account, and in under 10 seconds you have successfully resolved a transaction in a thorough, secure, and traceable away, even if my bank isn't on the same continent as your bank.

Which of these do I think you "take seriously"?

The security to get the ads into the browser

[AHuxley]

Ads are customers who have to be taken very seriously.
The security to protect the ads all the way beep into the OS and browser.
The privacy to protect the ad tracking from any as blockers.

Re:And

[b0s0z0ku]

The ideal would be to make companies too afraid to retain ANY data and personal information -- to drive the cloudpushers out of business by strangling them with regulations.

Consumers need to take their Privacy seriously too

[Zombie+Ryushu]

Consumers need to take their Privacy seriously too. This means:

- Demand to buy Android Devices with unlockable Bootloaders that can run Lineage OS.
- Maps provided by Osmand on Android
- Self Host a Federated NextCloud/OwnCloud Service for Roaming Storage on a PC they own with a Dynamic DNS Provider.
- Handle Contacts, Calendaring,and Task related services on a Groupware service.
- Instant Messaging/Social Media done Via Libpurple based Spectrum2 Servers. (again, hosted on the same set of Devices as the NextCloud/Groupware Solution.)
This is so that if you have a Discord/FaceBook/Skype/etc account, It can't track you.

These are the only things that will really change the privacy game.

Re:No company takes security seriously

[SirAstral]

Taking is seriously is not the only problem. Actual security is also minunderstood. Most security methods are "theater" like the TSA. Things are done a certain way to make you "feel secure" not to actually make you secure.

Take the lowly password for example. For years everyone decided that there should be "complexity requirements". Pure security theater right there. Poor saps that though 1337 was where it was at.

Or how about interior corporate security... masses of firewalls installed between devices costs more in work and effort than being saved. The ports most malware is already going over are already open on the firewalls. People are not doing raw network scans much anymore, they are sending payload in specially crafted packets that are let through the FW and Zero Day and other vulnerabilities. Malware up a website or document and send it to HR.

Actual security is fundamentally misunderstood... and you see signs of it everywhere, to all the hacks being made, to all the data being stolen right down having to fucking install a video game as a fucking Administrator!

No one cares about security, not the developers, not the businesses hiring the developers, not the industry, not even Security Professionals take security seriously, instead they just get a bunch of requirements to make all sorts of changes that make no flipping sense in actuality. Stupid things like... Disable and Renaming Guest accounts... wait.. you just disabled it... what is renaming it going to do now? Waste of time and nothing but a BS checkbox people are looking to do for nothing other than just a bunch of busy work. Yes, some things are worth doing, but most of them... totally not worth doing... like UAC and that joke of a trash implementation.

Re:Why, so, serious(ly)?

[fred911]

"Interestingly enough, a credit to your bank account can take up to an order of magnitude more time to post than an instantaneous purchase."

  But your banker settles receipt of funds before the banking day is done. The longer they float funds they say are "in transit" the more cost free liquidity they have. They make a large percentage of their earnings from float.

Re:Consumers need to take their Privacy seriously

[Zombie+Ryushu]

My E-mail is free, but its IMAP4. There are no Ads with it.
Smart phones are only fine in the circumstance that you have Android, have a spin of Android with LineageOS, Root, Magisk, etc, and do NOT have GApps flashed to your device and largely rely on F-Droid and ApkPure.

Heads I Win, Tails You Lose

[Roger+W+Moore]

You have to admire Equifax's completely brazen approach to privacy and security though. They get paid to collect and curate a database of extremely private and sensitive data and then, when they screw up and it gets breached, people pay them even more money to lock their credit reports. That's why they do value our privacy and security: everytime it gets violated they make more money.

This win-win model is almost as good as the one the phone companies pull where they sell you a phone number and service, then sell your name and number to advertising services and finally sell you a call blocking service to prevent ads from reaching you: that's win-win-win!

Re:And

[AmiMoJo]

In the EU you can request that Equifax delete the data they have about you, and not collect any more. You have a legal right to do that.

The problem is that it buggers up your credit file. There are other credit rating agencies, but it depends if the bank you apply to for a loan happens to use them, or considers the lack of an Equifax file to be suspicious.

Broad brush

[sjbe]

And politicians don't really care about their constituents or the country.

Awfully broad brush you are painting with there. Yes that is too often true but there are people in positions of political power who actually do genuinely care about the people they were elected to lead/serve. Such people are to be treasured when found.

And SJWs really don't care about equality.

A) The term "SJW" is lazy nonsense catchall pejorative like "hipster" that means almost nothing and accurately describes almost no one. Including your use here.
B) Equality and equity are not the same thing. You're right they don't care about equality because equality isn't necessarily what's fair or necessary. You can charge a rich person and a poor person the same tax rate and that is equal but it isn't equitable because 20% of a poor person's income has a much bigger impact on their life than 20% of a rich person's. Just because something is the same for everyone doesn't mean it is fair or good.