from the you-mean-sombody-hadn't-realised? dept.
The New York Times published an article on Sunday confirming what we've all assumed — that internet privacy policies are so full of loopholes as to be meaningless. They found that of the 100 top alexa-ranked english-language websites, 85 had privacy policies that permitted them to disclose users' personal information in cases of mergers, bankruptcy, asset sales and other business transactions.
When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies' most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.
"In effect, there's a race to the bottom as companies make representations that are weak and provide little actual privacy protection to consumers," said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a nonprofit research center in Washington.
Original Submission
Related Stories
We just talked about Personal Info being Private Unless the holder Decides to Sell It on SoylentNews. Today we were treated to yet another such a situation, and this time it hit close to home.
El Reg Reports that OpenDNS is in the process of being acquired by Cisco. And the OpenDNS founder's Blog confirms it.
Cisco will essentially take over total ownership, and the vague promises of continuance of OpenDNS. The blog to the contrary, no promises of terms of service after the acquisition can be believable.
OpenDNS managed to sneak in a Sales clause into their Privacy Policy somewhere along the way:
OpenDNS does not share, rent, trade or sell your Personal Information with third parties, except...
(4) it is necessary in connection with a sale of all or substantially all of the assets of OpenDNS or the merger of OpenDNS into another entity or any consolidation, share exchange, combination, reorganization, or like transaction in which OpenDNS is not the survivor; you will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.
That privacy policy has grown more permissive over the years, allowing OpenDNS to sell filter lists used by their customers, or just about anything else they might want to do.
Full Disclosure: In my day job we were a paying customer of OpenDNS. We had an ISP that ran unreliable DNS servers, injected ads in 404 pages, and generally was slow. We tried Google's DNS free service, and found it quite fast, but full of re-directs and other objectionable features. We switched to OpenDNS mostly for ad, and website filtering, phishing site blocking, and Speed. We were very happy with the fast service over the years. So reliable we never had to look at the web site.
But we were shocked at the extent of permissions creep in their Privacy Policy and Terms of Service. We thought we were avoiding Google's DNS mining service. Little did we know...
Original Submission
(Score: 4, Insightful) by PizzaRollPlinkett on Tuesday June 30 2015, @05:42PM
If you read a privacy policy - either online or the printed ones you sometimes get - they basically say in the most convoluted language possible that they can do anything they want with your personal information. They add so many loopholes and vague clauses about third parties and so on that whatever reassuring language comes ahead of it is completely overturned. Are any lawyers reading this site? Get one of these policies and parse it out for us. I'm not a lawyer, and had to breathe into a brown paper bag for weeks after trying to read one of those policies.
(E-mail me if you want a pizza roll!)
(Score: 2) by frojack on Tuesday June 30 2015, @06:20PM
Agreed.
The law only mandates that they tell you they will do with your data, it seems to place no limits on what they can actually DO with your data, as long as they tell you, in some way what use they will make of it (obfuscated or not).
Further, the rules about what use of the data a future acquirer of the company might make (such as in an eventual sale or merger) seems totally to just about anything.
The whole thing is based around the idea that as long as they tell you, anything goes.
You have to wonder if there is any rational way to do much of what we do on the web.
When I sign up with the gas company for service, and then they are bought out by a bigger gas company, do I have to negotiate service all over again, provide banking references etc, yet again?
When you sign up with company A, because you hate company B and their evil ways, you instantly have a business relation ship with company B, whether you want it or not. No time to get out, no way to deny them information. You're sold like taco on a street corner.
No, you are mistaken. I've always had this sig.
(Score: 2) by edIII on Wednesday July 01 2015, @12:32AM
Then perhaps we just put a blanket ban on all unilateral modifications of contracts by changing the principles involved? Either that, or just say the contract becomes null and void, or is considered breached, if one party attempts to contractually "offload" themselves from it. I seem to recall there being certain rules about how mortgages can be transferred to a new bank, and I'm suspecting we could pull of a modification of the same.
I think you nailed it on the head. A customer should get an opt-out period in which they can safely cancel service and their private information will be destroyed, or at least persona non grata on any server in the business for auditing purposes. As somebody who deals with those databases, I can tell you that I don't want to keep the information. The suits always want to keep it, but I can't ever see any value in it. You know, other than the value of annoying the shit out my customer by selling their information for more money in my pocket. Archive it for compliance, or legal, or just dump it. I can at most see a 90-120 day scheduled period in which I keep it, just in case the customer calls back to talk about something. Otherwise, I get to tell them that our systems literally don't remember them after that time. So yeah, you would need to provide banking references all over again when you come back. I'm betting that's not a terrible inconvenience in the light of the privacy I would offer.
Going further I would give the option to the customer to have all records destroyed *completely*, if an only if, they sign a full release. In which, I will agree to never acknowledge they were even a customer at all to any 3rd party. Ever. The relationship ends as it should, and the release being digital and *binding*, makes no difference who possesses it through transfer. The document itself enumerates the rights to distribute the data, which is, never off that page. Especially not for marketing purposes.
I'm not sure anything goes, but yes, change this in a way that supersedes contract law (making all privacy policies subject to it) and enables stiff penalties for specific kinds of disclosures. There should be laws that say how and when I can move customer information in and out from my business.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 1) by mr_bad_influence on Tuesday June 30 2015, @05:47PM
Because my personal information is sold, shared, or bartered, I am less inclined to use any website which collects it (or worse, demands 'real' information). This has a chilling effect for me and it is beginning to discourage me from visiting almost any website on the 'net. It is the primary reason I won't purchase any goods from an online retailer I can get from brick and mortar, mail order, or phone orders. I doubt the online sellers miss my business much, and I don't have much hope that many other folks feel the same.
(Score: 2) by kaszz on Tuesday June 30 2015, @06:01PM
Hey! I have nothing to hide. My real information is:
Address: Donald Duck, 124 Duckamnesia Blvd, Duckburg, DB 50184
Phone: +555 389211
SSN: 839-42-4892
CC: 9348 8248 5098 4091
It's true I promise! :D
PS, I have temporarily moved to my drop box so you can just send any physical objects there.
(Score: 5, Funny) by Anonymous Coward on Tuesday June 30 2015, @06:41PM
I think that's DavidMichaelCrawford's real info.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @07:00PM
> Hey! I have nothing to hide. My real information is:
I use the identity of people who previously lived at my current address. Helps it blend in since they are already on the record as residents of the address. It can be problematic if they filed a change-of-address with the USPS and you actually need to receive anything through the USPS - fedex/ups/dhl are fine.
(Score: 2) by kaszz on Tuesday June 30 2015, @07:07PM
Use a delivery destination somewhere else than you live and pay using COD, debit cards, cash etc?
As long as you make good on payment on your orders and not bother anyone. I don't think mail order companies give a sh-t?
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @09:52PM
I use a private mailbox for correspondence for my real identity.
I use the masked-cards service from Abine for online purchases, they let you use any name on the masked card# that you want. Abine only gets my PO-box address (since they have my real CC#) but they never my residential address since that info stays with the merchant. So it acts as a firewall.
(Score: 2) by maxwell demon on Tuesday June 30 2015, @08:39PM
I hope you did some checks on them first. Otherwise you might one day have an unexpected visit from a debt collector …
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @09:48PM
I actually did get a visit. But not for the identity I had chosen. There is not much they could do anyway, if they were to serve me papers for the real person it would suck for the real person who is probably already in trouble anyway.
(Score: 4, Insightful) by frojack on Tuesday June 30 2015, @06:30PM
I won't purchase any goods from an online retailer I can get from brick and mortar, mail order, or phone orders
A distinction without a difference I'd say.
Mail/Phone orders gets keyed into the same database as on line sales.
Unless you spend your day walking from one brick store to another, and only paying with cash, and always powering down your cell phone before entering any store, you are deluding yourself. Oh, and be sure to wear your Guy Fawkes mask, because facial recognition is coming to the stores and street corners near you.
Personally, there is a limit to the amount of time I have in my day to engage in this level of paranoia. I don't like it, but I have better things to do than drive all over town for things I can have delivered with 6 mouse clicks.
No, you are mistaken. I've always had this sig.
(Score: 2) by MichaelDavidCrawford on Wednesday July 01 2015, @12:26AM
I like to chat with the people I meet in brick and mortar stores. That does not work well with amazon.
I always pay cash. I dont use store loyalty cards.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by frojack on Wednesday July 01 2015, @12:36AM
Not really, I moved out of my parents basement many many decades ago.
I actually have a wife, offspring, grandkids, neighbors, guests, and friends. My problem is finding enough peace and quiet.
I don't walk/drive to a store just to accost some random person.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @10:55PM
Recently I had to get some medication from a pharmacy. I was so concerned about being followed home that I parked my car a long distance away. Then walked around the entire market in circles (inconspicuously) before entering the pharmacy (making sure there were no other customers in at that time. All of them could be spies for all I know). Then I tried to stay low key and kept an eye on everyone in the pharmacy and any cameras they may have. Then I spoke with the pharmacist like a regular dumb person and asked for the medication (while changing my voice and speech pattern slightly so it cannot be easily recognized by an algorithm). Then paid in cash the full amount, without getting back any change (I already had notes and coins for every final value) while taking care not to touch the cashier's hand. Then I got out and quickly put the medicines in my pocket and walked around in circles making sure no one follows me. I was still quite concerned about the pharmacist entering my description into a computer, so that a match can be made.
What a sad world we live in today.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @06:05PM
I use a junk email address (Hotmail) and junk phone number (Google Voice) on every webform that requires an email & phone. It's nice not getting spam in my personal email or spam calls to my real phone.
(Score: 2) by ikanreed on Tuesday June 30 2015, @06:17PM
And here's the thing:
They still know it's you. Network evercookies, CDNs, identity resolution tables, whathave you.
They still have an approximate person who those junk numbers and addresses belong to. And when they resell whatever is personal to their site: the networks store it with your correct identity, usually plucked from places you can't lie, like paper forms, census data, ISPs, cell phone companies, ATMs, or brick and mortar stores.
What's more troubling is that they still get it wrong. Your giant marketeer file probably has 10% false information that they collated from best-guess sources. It's creepy-as-fuck and all I've got to defend me is browser extensions that barely work.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @06:45PM
There's a difference between being cautious and wearing a tinfoil cap.
(Score: 2) by ikanreed on Tuesday June 30 2015, @06:59PM
I worked at a company that did the ATM to CRM data collection for retail companies. That part, at the very least, I can vouch for being totally real.
(Score: 2) by kaszz on Tuesday June 30 2015, @07:11PM
How did they get at the data? or make the connection..
(Score: 3, Interesting) by ikanreed on Tuesday June 30 2015, @07:18PM
Bank tracks your withdrawals, they track the serial numbers of the currency emitted by the machine, bigger chain stores take their cash register contents, scan them at end of the day.
A couple lookup tables later, and they have a pretty good idea of who bought what.
(Score: 3, Funny) by bob_super on Tuesday June 30 2015, @08:45PM
Or more precisely, whose hooker and dealer bought what.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @10:06PM
So, you pull $100 out of the ATM, loan it to a friend, he spends it on condoms and a hooker, but you get tagged for it. I see no way this could be used in court and it's to easy to launder the money by buying a pack of gum at 7/11 and getting change. I call BS on the ATM to big brother tracking the cash. There's a better way to track each note... http://www.wheresgeorge.com/ [wheresgeorge.com]
(Score: 3, Interesting) by Bytram on Tuesday June 30 2015, @10:40PM
Separately, if cash serial numbers *are* tracked, what's a person to do so as to be able to make anonymous transactions?
(Score: 2) by ikanreed on Tuesday June 30 2015, @10:56PM
I don't know for sure.
Get change elsewhere first? Acquire your currency in person in a bank, since they can't scan the cashing leaving drawers the same way they do the dispensers?
I don't know about validating it. It was just in the tutorial literature for the CRM application I was working on a tiny piece of.
(Score: 2) by frojack on Tuesday June 30 2015, @11:41PM
since they can't scan the cashing leaving drawers the same way they do the dispensers
Says who? They could scan the packets placed into the drawer in the morning.
Most banks don't co-mingle deposits of cash with the content of the drawer. So deposits of cash never make it to the drawer to mess up the serial number order.
But Basically I've never heard one single case of serial number recording on dispensed cash from a cash-machine. Such would have found its way into news paper stories about catching crooks, or court testimony. I suspect its apocryphal.
Such a system would be useless in proving chain of transactions, because If you and I swap hundred dollars bills for street goods, and then someone swapped that money for a bar tab, or for a lap dance, nobody would be aware of those transactions.
No, you are mistaken. I've always had this sig.
(Score: 2) by ikanreed on Wednesday July 01 2015, @01:00PM
Right, and that's why bad data gets into these systems about people. They're imperfect.
(Score: 2) by frojack on Wednesday July 01 2015, @04:38PM
Yet, I challenge you to find one authoritative source that says Cash Machines record who gets which serial numbers.
No, you are mistaken. I've always had this sig.
(Score: 2) by ikanreed on Wednesday July 01 2015, @08:27PM
I cannot do this. I'm half considering revealing the name of my previous employer, and their product name, and half realizing that would be an impotent measure to impress internet strangers that hurts my professional ethics.
(Score: 2) by frojack on Wednesday July 01 2015, @10:32PM
Still, even without violating your employers NDA, there would be dozens of such references on the net if it were true.
It would have appeared in court testimony.
It would be in news papers.
There would be people moaning about it on privacy grounds.
But all you ever see is people speculating without a single on line reference.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @08:37AM
OK, so based on the serial number, you can say that I probably bought some stuff at the larger shop ("probably" because I could as well have given that same bank note to a taxi driver who used it to pay a hair cut at a small shop, where the same note was later given as change to some other guy who used it to pay a hooker who then gave that note to the pimp who finally used it to pay in that larger shop). There's no way to say whether I (or whoever got the bank note) bought cheese, socks, cooking equipment, a DVD, a computer keyboard, a computer magazine, a newspaper of some bicycle equipment (yes, all those items are sold in that same shop).
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @08:39AM
err ...
s/of some bicycle equipment/or some bicycle equipment/
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @07:40PM
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @08:03PM
Good idea if you carry a cellphone in your pocket, unless you want future politician kids.
(Score: 2) by maxwell demon on Tuesday June 30 2015, @08:41PM
Why would brick-and-mortar stores need your data? And why can't you lie to them?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Insightful) by kaszz on Tuesday June 30 2015, @06:16PM
Cardinal rules:
(1) Any information you give up for any purpose will be used for all purposes.
(2) Claims of trust without straight proof to back it up is bullshit.
(3) Safety comes in probability, it's not binary.
(4) The future will be like you think it would be and then a lot more that will wreck most of your predictions.
(5) You didn't think of this one.
(6) There's information and disinformation determining which is always a challenge for all parties.
(7) Knowing means capability to act efficiently.
(8) Policy makes things correct other approaches makes for opportunities to other parties.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @07:44PM
Why do you have an account here? Don't leave a trail, opsec is not just for spies.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @11:03PM
(9) Poison the well
(Score: 2) by frojack on Tuesday June 30 2015, @06:52PM
I suspect there is a business model here for someone (or several someones) who wants to set up an info-broker for all the information you typically need to provide just to order a bag of donuts delivered over the web. (Or what ever).
Something like a place you put all your info, and then when you click on Joe's Donuts Delivery, Joe can get only what you say he can get.
1) you visit Joe's site over a heavily filtered proxy, encrypted, and obscurely routed, choose your bag of heart-attacks of choice.
2)You get a screen showing what Joe wants, (name, address, personal favorites, weight, what sites you visit, age, gender, (Imaginary)girl friend's name, email, etc, etc), and you check only those things you are willing to give (delivery address).
3) Joe either accepts it, of not, (usually they will take the money)
4) Site pays with an untraceable credit card and bills your real card, plus very small service fee.
5) Donuts show up at door delivered by pimply faced kid driving beat up junker, (or drone).
6) Donuts include a personalized note from Joe: Hi Frojack, hope you enjoy, save some for Nancy's birthday tomorrow, hope your foot feel better, and Tully's next door to our store wants us to remind you about their coffee bean sale next week.
Google, Facebook, Disqus, etc and their Oath based info broker have a start on this, but they don't go far enough, and you can't trust them anyway. A real info broker would have to have stiff contractual penalties for each unapproved data release, full encryption, and all sorts of other vaguely safe sounding promises. It will work perfectly till the Chinese breach their data center or the sell out to Google.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @07:05PM
> I suspect there is a business model here
Sure there is a model. Unlikely to have much demand because most people can't afford to pay for something with no tangible results. The people who can afford it probably have assistants to already do all of that anyway.
(Score: 1, Informative) by Anonymous Coward on Tuesday June 30 2015, @06:52PM
"Subject to change without notice..."
(Score: 4, Insightful) by No Respect on Tuesday June 30 2015, @07:53PM
In a not-the-same but close-enough case, when Radio Shack was filing for bankruptcy last February they revealed that their famous customer phone number list was one of their most valuable remaining assets. They were going to sell it. This came after decades of Radio Shack employees routinely asking for your phone number every time you bought something at a RS store. Even if you paid cash. Of course, you were never obligated to tell them - I never did - but they never failed to ask for it. When questioned they always cheerfully answered that Radio Shack doesn't sell your information. Until they did.
If anyone was really surprised by anything in the NYT article, well, you're a moron.
(Score: 2) by bob_super on Tuesday June 30 2015, @08:49PM
Once again, company assets in the 21st century:
- cash and short-term investments
- patents and licensing agreements
- Customer databases
Everything else is a liability.
(Score: 3, Interesting) by maxwell demon on Tuesday June 30 2015, @08:55PM
Actually I was surprised to find this in the article:
No, I was not surprised that these terms are there. I was surprised that the article — which, after all, is published in the New York Times — contains that information.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @09:55PM
> I was surprised that the article — which, after all, is published in the New York Times — contains that information.
I would have been surprised if it was not mentioned in the article. Real journalism has rules about disclosing conflicts of interest and writing an article about industry practices when you are in the industry is an obvious conflict of interest. That's the kind of things you won't see from bloggers - except in very narrow cases where the FTC has made it illegal not to disclose.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @09:58PM
> If anyone was really surprised by anything in the NYT article, well, you're a moron.
No, you are the moron for expecting everybody to be as focused on the same shit as you are. Seriously moronic. Real people are busying living their lives, articles like this in the ny times are about informing normal people not smug privacy freaks. This is the kind of article you send your relatives who think you are a paranoid kook every time you try to warn them.
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @04:26AM
Then those "real people" aren't doing their jobs as citizens and are part of the problem.
This is the kind of article you send your relatives who think you are a paranoid kook every time you try to warn them.
Paranoid people are focused on themselves and what others could do to them personally. A smart person looks at evidence and cares about more than just themselves, even if there is a slim chance they could be personally impacted.
It's not paranoia. Mass surveillance is a fact; both corporations and the government are doing it. There's nothing kooky about this; most people are just profoundly ignorant and dismiss those who pay attention as "kooks".
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @12:36PM
> Then those "real people" aren't doing their jobs as citizens and are part of the problem.
Kind of like how you didn't your job as a citizen and actually read the line of my post you quoted and went off on a strawman?
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @10:22PM
I'd swear we must be talking about an article from, like, 2003 or something.
(Score: 2) by acharax on Wednesday July 01 2015, @04:39AM
Once your data is stored on another entities' system it's your best guess what'll be done with it eventually. Even if they'll make themselves liable by violating their own privacy policy, how are you going to find out? Hell, even if you find out they can just claim it's a leak and you'd have no evidence to the contrary. Just don't provide websites with real information if you can help it.