Slashdot Mirror


Stop Saying, 'We Take Your Privacy and Security Seriously' (techcrunch.com)

Security reporter Zack Whittaker writes: In my years covering cybersecurity, there's one variation of the same lie that floats above the rest. "We take your privacy and security seriously." You might have heard the phrase here and there. It's a common trope used by companies in the wake of a data breach -- either in a "mea culpa" email to their customers or a statement on their website to tell you that they care about your data, even though in the next sentence they all too often admit to misusing or losing it. The truth is, most companies don't care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen.

I've never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn't even exist. I was curious how often this go-to one liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted it into machine-readable text. About one-third of all 285 data breach notifications had some variation of the line. It doesn't show that companies care about your data. It shows that they don't know what to do next.
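The scrape-and-count described above, as an added illustration (this is not code from the TechCrunch article or from the thread): the notices below are constructed stand-ins for the California attorney general filings, and the regular expression is one way to catch the line's variations ("takes the security of customer information very seriously", "is something we take extremely seriously") rather than only the exact sentence. Whitespace is collapsed first because text extracted from PDF notices breaks phrases across lines.

```python
"""Added example (not from the article or the thread): scan breach-notification
text for variations of "we take your privacy and security seriously" and report
how many notices contain one. The notices below are constructed stand-ins for
the California AG filings, not real notifications."""
import re
from typing import List, Optional, Tuple

# Constructed sample excerpts. The first four carry the trope in different
# shapes; the last three mention security without making the claim.
SAMPLE_NOTICES: List[str] = [
    "We take your privacy and security seriously. On March 3 we learned of an incident.",
    "Acme Corp takes the security of customer information very seriously.",
    "The protection of your personal data is something we take extremely\n"
    "seriously, and we regret any inconvenience.",
    "We value the trust you place in us and TAKE THE PRIVACY OF OUR\n"
    "CUSTOMERS SERIOUSLY.",
    "We are writing to inform you of a security incident affecting your account.",
    "Please take the following steps to protect the security of your account.",
    "Our investigation determined that an unauthorized party accessed our systems.",
]

KEYWORD = r"\b(?:privacy|security|protection|confidentiality)\b"
GAP = r"[^.]{0,80}?"  # stay inside one sentence, shortest gap first

# Two shapes of the trope:
#   take(s) ... <keyword> ... seriously   "takes the security of ... seriously"
#   <keyword> ... take(s) ... seriously   "protection of ... is something we take seriously"
TROPE_RE = re.compile(
    rf"\btakes?\b{GAP}{KEYWORD}{GAP}\bseriously\b"
    rf"|{KEYWORD}{GAP}\btakes?\b{GAP}\bseriously\b",
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """Collapse whitespace so line breaks from PDF extraction cannot split the phrase."""
    return re.sub(r"\s+", " ", text).strip()


def find_trope(text: str) -> Optional[str]:
    """Return the matched variation of the line, or None if the notice lacks it."""
    m = TROPE_RE.search(normalize(text))
    return m.group(0) if m else None


def tally(notices: List[str]) -> Tuple[int, int, float]:
    """(notices containing the line, total notices, fraction)."""
    hits = sum(1 for n in notices if find_trope(n) is not None)
    total = len(notices)
    return hits, total, (hits / total if total else 0.0)


if __name__ == "__main__":
    for n in SAMPLE_NOTICES:
        print(f"{str(find_trope(n)):<75} <- {normalize(n)[:40]}...")
    hits, total, frac = tally(SAMPLE_NOTICES)
    print(f"{hits} of {total} notices ({frac:.0%}) contain a variation of the line")
```

The negative samples matter as much as the positive ones: "take the following steps to protect the security of your account" contains "take" and "security" but no "seriously" in the same sentence, so the sentence-bounded gap keeps it out of the count.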

36 of 192 comments

  1. And by 110010001000 · · Score: 5, Insightful

    And politicians don't really care about their constituents or the country. And SJWs really don't care about equality. The list is endless.

    1. Re:And by b0s0z0ku · · Score: 5, Insightful

      Which is why there should be laws penalizing invasion of privacy. If companies start getting fined for bad behavior and their assets start being taken, they'll listen -- money talks, BS walks.

    2. Re:And by b0s0z0ku · · Score: 3, Interesting

      The ideal would be to make companies too afraid to retain ANY data and personal information -- to drive the cloudpushers out of business by strangling them with regulations.

    3. Re:And by Anonymous Coward · · Score: 2, Insightful

      It is very hard to make something illegal when it benefits rich people.

    4. Re: And by justthinkit · · Score: 5, Funny

      We take your privacy and security. Seriously.

      --
      I come here for the love
    5. Re:And by ShanghaiBill · · Score: 4, Insightful

      Walk away from companies that abuse your data.

      How do you "walk away" from Equifax? The people exposed were their product, not their customers.

      In every one of the other breaches, no customer knew about the sloppy practices until it was too late. So saying that "customer choice" is the solution doesn't work. Even when customers do have a choice, they are not able to make an informed decision.

      TFA is written by someone who doesn't even understand the issues. He complains that Google "sells data about you to advertisers". No they don't. That is not how their business model works. They use your data to place ads on behalf of advertisers, but they do not, and never have, sold or transferred the data to the advertisers.

    6. Re:And by micheas · · Score: 2

      HIPAA fines are in the thousands per user's data compromised.

      Anthem was still compromised.

      Personally, I lean towards having a robust plan for after the compromise. Defense in depth is highly underrated.

    7. Re:And by AmiMoJo · · Score: 4, Interesting

      In the EU you can request that Equifax delete the data they have about you, and not collect any more. You have a legal right to do that.

      The problem is that it buggers up your credit file. There are other credit rating agencies, but it depends if the bank you apply to for a loan happens to use them, or considers the lack of an Equifax file to be suspicious.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:And by Opportunist · · Score: 3, Insightful

      The problem isn't "the cloud".

      The problem is twofold. One, security did not keep up with the amount and severity of attacks; two, (personal) data is more valuable than ever before, which of course is one of the things that drives the attacks.

      Moving out of the cloud and trying to do your own thing again won't solve this. It will probably even make matters worse because I do kinda expect Amazon and Google to have more resources and better people available to secure their stuff than the average company that might collect some data about you.

      What's needed is to make companies actually care about security. And that only works via punishment, unfortunately.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:And by JaredOfEuropa · · Score: 2

      There’s a difference between anonymising and aggregating. For purely statistical stuff, aggregated data often is good enough. In quite a few cases it does mean that whoever stores the data has to run the reports, and that’s a feature rather than an issue. Anonymised data on the other hand is problematic. For example they take off your name and SSN, but date of birth + zip code is still a pretty good identifier. Combine enough data sets and you can often still tie anonymised data to an individual profile.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
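The linkage attack the comment above describes, as an added example that is not part of the thread: an "anonymised" medical release (name and SSN removed) is joined to a public voter roll on date of birth, ZIP and sex, which re-identifies every row whose quasi-identifier tuple is unique. The same records are then published as per-ZIP counts with small groups suppressed, the aggregation the comment prefers, where the data holder runs the report and no row leaves it. All names, dates and ZIP codes are constructed.

```python
"""Added example (not from the thread): the linkage attack on quasi-identifiers
that the comment above describes, and the aggregation alternative. All records
are constructed; no real people, dates or ZIP codes."""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, str]
Key = Tuple[str, ...]

# "Anonymised" medical release: name and SSN stripped, quasi-identifiers kept.
MEDICAL: List[Record] = [
    {"dob": "1970-03-14", "zip": "02138", "sex": "F", "diagnosis": "hypertension"},
    {"dob": "1970-11-02", "zip": "02139", "sex": "M", "diagnosis": "asthma"},
    {"dob": "1970-03-14", "zip": "02138", "sex": "M", "diagnosis": "diabetes"},
    {"dob": "1992-07-21", "zip": "02140", "sex": "F", "diagnosis": "migraine"},
    {"dob": "1992-01-05", "zip": "02141", "sex": "M", "diagnosis": "fracture"},
]

# Public voter roll: names alongside the same quasi-identifiers.
VOTERS: List[Record] = [
    {"name": "Alice Example", "dob": "1970-03-14", "zip": "02138", "sex": "F"},
    {"name": "Bob Example", "dob": "1970-11-02", "zip": "02139", "sex": "M"},
    {"name": "Carol Example", "dob": "1970-03-14", "zip": "02138", "sex": "M"},
    {"name": "Dana Example", "dob": "1992-07-21", "zip": "02140", "sex": "F"},
    {"name": "Eve Example", "dob": "1992-07-21", "zip": "02140", "sex": "F"},
    {"name": "Frank Example", "dob": "1992-01-05", "zip": "02141", "sex": "M"},
]

QI = ("dob", "zip", "sex")


def exact_key(rec: Record) -> Key:
    """Quasi-identifier tuple as released: full date of birth, 5-digit ZIP, sex."""
    return tuple(rec[k] for k in QI)


def generalized_key(rec: Record) -> Key:
    """Coarsened quasi-identifiers: birth year and 3-digit ZIP prefix, sex dropped."""
    return (rec["dob"][:4], rec["zip"][:3])


def k_anonymity(records: List[Record], key: Callable[[Record], Key] = exact_key) -> int:
    """Size of the smallest group sharing a key. k == 1 means at least one row is
    unique on its quasi-identifiers and can be linked to an outside dataset."""
    return min(Counter(key(r) for r in records).values())


def link(medical: List[Record], voters: List[Record]) -> List[Tuple[str, Optional[str]]]:
    """Join the two releases on the quasi-identifier. A medical row matching
    exactly one voter is re-identified; several matches leave it ambiguous."""
    by_key: Dict[Key, List[str]] = defaultdict(list)
    for v in voters:
        by_key[exact_key(v)].append(v["name"])
    result = []
    for m in medical:
        names = by_key.get(exact_key(m), [])
        result.append((m["diagnosis"], names[0] if len(names) == 1 else None))
    return result


def aggregate(records: List[Record], column: str, min_group: int) -> Dict[str, Optional[int]]:
    """Release only per-group counts and suppress groups below min_group.
    The data holder runs the report; no individual row is published."""
    counts = Counter(r[column] for r in records)
    return {g: (n if n >= min_group else None) for g, n in sorted(counts.items())}


if __name__ == "__main__":
    print("k-anonymity of the release as published:", k_anonymity(MEDICAL))
    for diagnosis, name in link(MEDICAL, VOTERS):
        print(f"  {diagnosis:<13} -> {name or 'ambiguous'}")
    print("k-anonymity after generalizing DOB and ZIP:", k_anonymity(MEDICAL, generalized_key))
    print("aggregated per ZIP, groups under 2 suppressed:", aggregate(MEDICAL, "zip", 2))
```

Four of the five "anonymised" rows come back with a name attached; only the migraine row survives, because two voters share its date of birth, ZIP and sex. Generalizing the quasi-identifiers raises k to 2, and the count-only release never exposes a row to join against in the first place.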
  2. Easy to tell whether they take it seriously... by seebs · · Score: 5, Interesting

    I have a pretty simple test for whether people take a thing seriously. How does it compare to how they handle payments?

    Consider:

    I ask you to stop spamming me, and you say I need to allow you 30 days to stop.

    I ask you to take $5 from my bank account, and in under 10 seconds you have successfully resolved a transaction in a thorough, secure, and traceable way, even if my bank isn't on the same continent as your bank.

    Which of these do I think you "take seriously"?

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    1. Re:Easy to tell whether they take it seriously... by Anonymous Coward · · Score: 2, Funny

      Soooooo...pay them money to stop spamming you?

      What did we learn?

    2. Re: Easy to tell whether they take it seriously... by DingerX · · Score: 2

      "Take seriously" = "Have a legal team in place." As in "we take shoplifting seriously." The message isn't "we care about you", but rather "although we screwed up, any legal action against us regarding your privacy will be met with force."

  3. The only companies... by b0s0z0ku · · Score: 2

    The only companies that take data privacy seriously are those that DON'T nudge you towards their cloud, that sell software that encourages local storage, preferably in encrypted form.

  4. No, seriously. by stavrica · · Score: 5, Informative

    We took your privacy and security.

    It's gone.

    1. Re:No, seriously. by Anonymous Coward · · Score: 5, Funny

      'We Take Your Privacy and Security, Seriously'

  5. Missed Punctuation by Anonymous Coward · · Score: 5, Funny

    The problem is all these companies forgot a semicolon. Let me help.

    We take your privacy and security; seriously.

  6. The security to get the ads into the browser by AHuxley · · Score: 2, Interesting

    Ads are customers who have to be taken very seriously.
    The security to protect the ads all the way deep into the OS and browser.
    The privacy to protect the ad tracking from any ad blockers.

    --
    Domestic spying is now "Benign Information Gathering"
  7. just like companies, monetize it by supernova87a · · Score: 4, Insightful

    I have a real easy way for companies to care about privacy when they say they "care about privacy":

    Penalties:
    -- $2 for each name + password
    -- $5 for credit card number
    -- $10 for social security number
    etc.

    And multiply for combinations of the above. You'll see companies start fixing their processes (or simply refusing to store unnecessary data) right quick.

    1. Re:just like companies, monetize it by Opportunist · · Score: 2

      No. Do it like with copyright. "We determine that by selling this information you could have netted a revenue of..."

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. No company takes security seriously by OneHundredAndTen · · Score: 5, Insightful

    They all pay lip service to security. That's all. They don't do what they should, because it is simpler, and more cost-effective, for them to do damage control when the inevitable security breach happens than to really try to prevent it. We have heard about huge security breaches at Equifax, Target, Visa etc. Those companies are still there, business as usual. They sure took a hit, but it probably impacted their bottom line less than having to invest in minimizing the probability of such breaches in the first place.

    1. Re:No company takes security seriously by SirAstral · · Score: 3, Interesting

      Taking it seriously is not the only problem. Actual security is also misunderstood. Most security methods are "theater" like the TSA. Things are done a certain way to make you "feel secure" not to actually make you secure.

      Take the lowly password for example. For years everyone decided that there should be "complexity requirements". Pure security theater right there. Poor saps that thought 1337 was where it was at.

      Or how about interior corporate security... masses of firewalls installed between devices cost more in work and effort than they save. The ports most malware is already going over are already open on the firewalls. People are not doing raw network scans much anymore; they are sending payloads in specially crafted packets that are let through the FW, and exploiting zero-day and other vulnerabilities. Malware up a website or document and send it to HR.

      Actual security is fundamentally misunderstood... and you see signs of it everywhere, from all the hacks being made, to all the data being stolen, right down to having to fucking install a video game as a fucking Administrator!

      No one cares about security, not the developers, not the businesses hiring the developers, not the industry, not even Security Professionals take security seriously; instead they just get a bunch of requirements to make all sorts of changes that make no flipping sense in actuality. Stupid things like... disabling and renaming Guest accounts... wait... you just disabled it... what is renaming it going to do now? Waste of time and nothing but a BS checkbox people are looking to tick for nothing other than just a bunch of busy work. Yes, some things are worth doing, but most of them... totally not worth doing... like UAC and that joke of a trash implementation.

  9. "Thoughts and prayers" by sacrilicious · · Score: 4, Insightful

    About one-third of all 285 data breach notifications had some variation of the line. It doesn't show that companies care about your data. It shows that they don't know what to do next.

    "We take your privacy and security seriously" is the data tech equivalent of saying "We send out thoughts and prayers". It means nothing concrete, and is meant to end inquiry/discussion into what actions should in fact be taken (or should have been taken).

    --
    - First they ignore you, then they laugh at you, then ???, then profit.
  10. We value your call by sjames · · Score: 2

    It's right up there with "we value your call, that's why we've been claiming unusual call volume and long hold times since 1982". "Speaking of holding since 1982, hang in there Betty, help is only days away".

  11. translation by schklerg · · Score: 2

    We were doing nothing for security that didn't happen accidentally before. We got caught. We now will do the absolute minimum required by a regulatory body. If we have no regulations, we're just saying this because we have to. We want money and couldn't care less about your privacy. Suckers.

    --
    Be Excellent To Each Other
  12. Consumers need to take their Privacy seriously too by Zombie+Ryushu · · Score: 4, Interesting

    Consumers need to take their Privacy seriously too. This means:

    - Demand to buy Android Devices with unlockable Bootloaders that can run Lineage OS.
    - Maps provided by Osmand on Android
    - Self Host a Federated NextCloud/OwnCloud Service for Roaming Storage on a PC they own with a Dynamic DNS Provider.
    - Handle Contacts, Calendaring, and Task related services on a Groupware service.
    - Instant Messaging/Social Media done Via Libpurple based Spectrum2 Servers. (again, hosted on the same set of Devices as the NextCloud/Groupware Solution.)
    This is so that if you have a Discord/FaceBook/Skype/etc account, it can't track you.

    These are the only things that will really change the privacy game.

  13. its all in how you "word" it by FudRucker · · Score: 2

    we "take" (stolen) your privacy and security, seriously

    --
    Politics is Treachery, Religion is Brainwashing
  14. Why, so, serious(ly)? by rmdingler · · Score: 4, Insightful

    I ask you to take $5 from my bank account, and in under 10 seconds you have successfully resolved a transaction in a thorough, secure, and traceable away, even if my bank isn't on the same continent as your bank. Which of these do I think you "take seriously"?

    Interestingly enough, a credit to your bank account can take up to an order of magnitude more time to post than an instantaneous purchase.

    Perhaps the banking powers that be are tipping their collective hand here... when it is in their financial interest to do so, they've developed the uncanny ability to be as fast as they need to be or as slow as necessary to maximize daily balance computations.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Why, so, serious(ly)? by fred911 · · Score: 3, Interesting

      "Interestingly enough, a credit to your bank account can take up to an order of magnitude more time to post than an instantaneous purchase."

      But your banker settles receipt of funds before the banking day is done. The longer they float funds they say are "in transit" the more cost-free liquidity they have. They make a large percentage of their earnings from float.

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  15. Re:Consumers need to take their Privacy seriously by DogDude · · Score: 2

    - Pay for your email
    - Don't use social media
    - Don't use a smartphone

    That gets you like 95% of the way there, but I don't know anybody other than myself who lives like this.

    --
    I don't respond to AC's.
  16. Re:Consumers need to take their Privacy seriously by Zombie+Ryushu · · Score: 3, Interesting

    My E-mail is free, but it's IMAP4. There are no Ads with it.
    Smart phones are only fine in the circumstance that you have Android, have a spin of Android with LineageOS, Root, Magisk, etc, and do NOT have GApps flashed to your device and largely rely on F-Droid and ApkPure.

  17. We value your privacy by GrumpySteen · · Score: 3, Insightful

    Coincidentally, we value it exactly the same amount that the highest bidder does.

  18. Heads I Win, Tails You Lose by Roger+W+Moore · · Score: 4, Interesting

    You have to admire Equifax's completely brazen approach to privacy and security though. They get paid to collect and curate a database of extremely private and sensitive data and then, when they screw up and it gets breached, people pay them even more money to lock their credit reports. That's why they do value our privacy and security: every time it gets violated they make more money.

    This win-win model is almost as good as the one the phone companies pull where they sell you a phone number and service, then sell your name and number to advertising services and finally sell you a call blocking service to prevent ads from reaching you: that's win-win-win!

  19. Re:Consumers need to take their Privacy seriously by thegarbz · · Score: 4, Insightful

    Let's break this down:

    - Demand to buy Android Devices with unlockable Bootloaders that can run Lineage OS.

    You just lose most consumers with this line.

    - Maps provided by Osmand on Android

    This is one of the few things you said that's doable.

    - Self Host a Federated NextCloud/OwnCloud Service for Roaming Storage on a PC they own with a Dynamic DNS Provider.

    You now lost a good chunk of the remaining technical crowd and narrowed your solution to only the top tier of nerds.

    - Handle Contacts, Calendaring,and Task related services on a Groupware service.

    What's a groupware service? Asking for a consumer.

    - Instant Messaging/Social Media done Via Libpurple based Spectrum2 Servers. (again, hosted on the same set of Devices as the NextCloud/Groupware Solution.)

    That's good and all but I just checked and my friends aren't on it. Regards, a consumer.

    These are the only things that will really change the privacy game.

    Consider your game lost before the users even got through the instructions for it.

  20. Broad brush by sjbe · · Score: 4, Interesting

    And politicians don't really care about their constituents or the country.

    Awfully broad brush you are painting with there. Yes that is too often true but there are people in positions of political power who actually do genuinely care about the people they were elected to lead/serve. Such people are to be treasured when found.

    And SJWs really don't care about equality.

    A) The term "SJW" is lazy nonsense catchall pejorative like "hipster" that means almost nothing and accurately describes almost no one. Including your use here.
    B) Equality and equity are not the same thing. You're right they don't care about equality because equality isn't necessarily what's fair or necessary. You can charge a rich person and a poor person the same tax rate and that is equal but it isn't equitable because 20% of a poor person's income has a much bigger impact on their life than 20% of a rich person's. Just because something is the same for everyone doesn't mean it is fair or good.

  21. No, Google does not sell your data. by bgarcia · · Score: 2

    If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn't even exist.

    And here's where it's shown that the submitter knows nothing.

    Google does NOT sell any information to advertisers. They keep the data to themselves. Google will USE that information to decide which ads are shown to which people. But the advertisers don't get to see any of this data.

    You may still not like the fact that Google gathers all of that personal data, and that's a legitimate concern, but you should make a basic attempt to understand exactly how they use that data before spouting this sort of misinformation.

    --
    I'm a leaf on the wind. Watch how I soar.