> but in some cases, may have affected information such as name, contact and demographic information, date of birth, and
That's all you need to steal someone's identity. Major reason why I never give any website my real birthday, and use a password manager to remember all the various "birthdays" I've been required to provide for no ostensible reason.
If we wanted to hammer out quick and effective privacy legislation, it would be: you need a demonstrable reason to ask for someone's birthday (e.g., a legal reason to validate you're old enough to open a bank account or whatever), not "I want to send a happy birthday newsletter every year (and also sell it in a package to data brokers)".
I wish we could stop propagating the idea that it's possible to "steal someone's identity". No, you cannot take my identity from me, I am who I am, you are who you are.
What you can do however, with those details, is tricking companies and committing fraud. But it should not be up to me to make sure companies are not being defrauded, the burden is on them to prevent that.
Name, contact information and date of birth are such a basic level of information that if you can commit fraud with just those details, something is seriously wrong at the company you're performing the fraud against.
Some countries even have those details publicly available for you to find via public websites. So again, if that's all it takes, the company is doing something seriously wrong.
> I wish we could stop propagating the idea that it's possible to "steal someone's identity"
Identity theft is a term that comes from the fact that you can use this information to open up a bank account or become someone digitally, not because they steal your personality.
It's a great term because it exemplifies the gross negligence and liability that comes with egregious misuse of personal data.
There was a push a while back to call it bank fraud. Because the banks are the victims and should be responsible to protect/insure themselves.
By calling it identity theft, we are saying individuals are the victims and should protect the banks from someone pretending to be them.
Edit:
I also believe there was an argument that banks reporting to credit agencies based on fraudulent activity from a 3rd party should be treated as libel.
> I also believe there was an argument that banks reporting to credit agencies based on fraudulent activity from a 3rd party should be treated as libel.
This is interesting - do you know if it has ever been tested?
I don't know, and I don't even remember where I heard it. I think it was on here, but I don't know. I think maybe I was wrong about 'bank fraud' and the term being pushed was 'bank libel' instead of identity theft, because all the negative sides of supposed 'identity theft' were from the banks saying the individual did something they did not.
If a bank allows someone to open up a bank account with personal details that don't really belong to them, I'd call that fraud and a failure on the banks side. "Stealing someone's identity" sounds like I could and should have been able to prevent that, rather than putting the blame on the bank who accepted false personal details in the first place.
As I said, those details, including address and more, are public in some countries. Those countries have learned to live with the fact that just being able to say my name, date of birth, address and telephone number is not enough to open a bank account, so why can other "modern" countries not adjust accordingly too?
You could take someone's identity details and use them to get a death certificate made.
This is very close to "stealing" your identity — in that you yourself don't have the ability to use your identity any more in any useful way, because your identity is now (legally) dead.
Then again, they don't possess it after that point, either. So maybe it's more like "identity destruction" or "identity defacement."
If someone does that, creates a fake 'death certificate' in my name via publicly accessible information and it actually goes through, how do you even go about trying to fix that? Is this even fixable?
I have the feeling this is mostly a US thing, where a social security card with almost nil personal data is widely used for identification. In Europe you won't get very far with a birthday and a name - and you certainly won't get a credit card or anything close to it.
In Slovenia, you have your name, surname and date of birth, but also a unique citizen number (EMŠO) and your personal tax number.
They tell you not to tell anyone your EMŠO... but EMŠO is generated from your date of birth, gender, the former Yugoslav republic you were born in (Slovenia = 50) and the sequential number of your birth that day (0-499 boys, 500-999 girls)... plus a checksum. So if you were born in Slovenia, are a boy, and were the third boy born on 20th December 1970 (970... because why waste numbers?!?!), your EMŠO would be 201297050003K (K = checksum, too lazy to calculate).
We also have a tax number, which they also tell you not to share... but then you open up an independent contractor business (technically, it's not a separate company, but "you" are the company), and your personal tax number is published in many many online systems and info pages, you have to put it on receipts and ads, you have to give it when you're buying toilet paper for work use, etc.
But yeah... if you want to open a bank account, you need a government issued ID card (or passport), and they check it very very thoroughly.
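To make the point of the comment above concrete, here is an added example (not code from any Slovenian registry, and not the commenter's) that assembles and validates an EMŠO from exactly the attributes listed: date of birth, sex, region and the per-day birth sequence, plus the weighted-sum-mod-11 check digit the commenter was too lazy to compute. It goes one step beyond the comment by enumerating every EMŠO consistent with a known date, sex and region, which shows how little of the number is actually secret. Assumptions are labelled in the code: the region code 50 is taken from the comment, a raw check value of 10 or 11 is written as 0 (most published validators do this; some sources instead skip a sequence number that yields 10), and the century of a three-digit year is guessed by a simple threshold.

```python
"""Added example: structure of a Slovenian EMŠO (the ex-Yugoslav JMBG layout).

13 digits: DD MM YYY RR SSS K
  DD MM YYY  day, month, last three digits of the birth year
  RR         region of birth (50 = Slovenia, per the comment above)
  SSS        births that day: 000-499 male, 500-999 female
  K          check digit, weighted sum mod 11
"""
from datetime import date
from typing import Iterator

_WEIGHTS = (7, 6, 5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def check_digit(first12: str) -> int:
    """Check digit over the first twelve digits.

    Assumption: a raw value of 10 or 11 is written as 0, as most published
    validators do; some sources instead skip sequence numbers that give 10.
    """
    if len(first12) != 12 or not first12.isdigit():
        raise ValueError("expected 12 digits")
    total = sum(int(d) * w for d, w in zip(first12, _WEIGHTS))
    k = 11 - (total % 11)
    return 0 if k > 9 else k


def build(year: int, month: int, day: int, male: bool,
          sequence: int, region: int = 50) -> str:
    """Assemble a full EMŠO from the attributes the comment lists."""
    date(year, month, day)                      # rejects impossible dates
    if not 0 <= sequence <= 499:
        raise ValueError("sequence must be 0-499")
    seq = sequence if male else sequence + 500  # females start at 500
    body = f"{day:02d}{month:02d}{year % 1000:03d}{region:02d}{seq:03d}"
    return body + str(check_digit(body))


def is_valid(emso: str) -> bool:
    """True if the string is 13 digits and the check digit matches."""
    return (len(emso) == 13 and emso.isdigit()
            and check_digit(emso[:12]) == int(emso[12]))


def parse(emso: str) -> dict:
    """Recover the public attributes encoded in a valid EMŠO.

    Assumption for the century: YYY >= 800 means 1xxx, otherwise 2xxx.
    """
    if not is_valid(emso):
        raise ValueError("invalid EMŠO")
    yyy = int(emso[4:7])
    year = (1000 if yyy >= 800 else 2000) + yyy
    seq = int(emso[9:12])
    return {
        "birth": date(year, int(emso[2:4]), int(emso[0:2])).isoformat(),
        "male": seq < 500,
        "region": int(emso[7:9]),
        "sequence": seq % 500,
    }


def candidates(year: int, month: int, day: int, male: bool,
               region: int = 50) -> Iterator[str]:
    """Every EMŠO consistent with a known birth date, sex and region:
    at most 500 values, i.e. roughly nine bits of 'secret'."""
    for seq in range(500):
        yield build(year, month, day, male, seq, region)


if __name__ == "__main__":
    emso = build(1970, 12, 20, male=True, sequence=3)
    print(emso, is_valid(emso), parse(emso))
    print(sum(1 for _ in candidates(1970, 12, 20, male=True)), "candidates")
```

For the commenter's own example (third boy born in Slovenia on 20 December 1970) the check digit works out to 6, so the full number is 2012970500036. Anyone who knows the date, sex and region needs at most 500 guesses, which is why the ID card check at the bank, not the number itself, is the control that matters.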
Polish PESEL has the same problem of only having 5 numbers per day, one of which is also checksum so limited.
Tax number NIP is relatively public, any relevant accountant will have it.
The remaining secret thing is indeed the ID card and/or the passport. That's why if it ever gets lost or stolen you're supposed to immediately file for a replacement. Theoretically at that point someone might impersonate you.
Several bank loans and store cards were taken out in my name using only my name, address and date of birth, in the UK. The same cynical business logic applies the world over: it's cheaper to clean up after the inevitable fraud than to implement proper identity checks. This calculus is of course aided by the fact that the detection of the fraud and the organising of the cleanup is taken care of entirely by the victim. "Victim", not "customer", because usually there is no business relationship between the company with the shitty identity checks and the person that has to live with the consequences.
I recommend contacting the credit rating agencies and getting them to place a note on your record with a password, eg. [1]. Don't wait until someone "steals your identity". It's the only way to get these companies to do something resembling an actual identity check. Doing it after they've lent in your name (as the rating agencies suggest) rather defeats the object.
The fact that the UK has this nasty concept of “credit history” helps with this, since now all that’s needed to take out credit is basic details to lookup the credit bureau profile and then they “vouch” for you.
In countries where this doesn’t exist, obtaining credit requires providing proof of income (payslip, etc) to the lender which they verify. A mere name/address/date of birth might be enough to open inconsequential accounts such as loyalty cards, but will absolutely not get you credit - therefore the damage to identity theft victims is greatly reduced or even nullified.
Bad payers are still penalised even without a credit bureau system by a register the government operates onto which a debtor is registered for a certain period after legal action by a lender (so this requires significant effort from the lender - you don’t get on this register because of a telecoms billing mishap for example).
With regards to setting a password, I wouldn’t trust CRAs to enforce this. What you can do however is pay for CIFAS protective registration - it’s usually for victims or those at high risk of identity theft but there’s no legal requirement so anyone can pay the admin fee and get added to the register. Lenders check this during credit applications and this puts an instant block on any kind of automated approval and requires them to do further verification.
You’d have to see it to believe it how easy and normal credit is over here in USA. Even coming from uk it surprised me. You can even buy tyres on tick.
> Bertil Thomas Andersson - 1929-07-08 (93 years old) - Address: Lyktgränd 2 lgh 1706, 183 36 Täby, phone number 070-208 35 86
The website also adds information about income:
> (machine translation) In Täby, Bertil Thomas Andersson's home municipality, there are 5218 income millionaires. The proportion of people with payment notes in his postcode 183 36 is 7.3% and the average income is 295 679 SEK ($27,378) per year.
If the person runs any companies, that would be visible as well.
All of this is public information, for each individual and company in Sweden (except the ones that have requested to not be visible, or are protected)
I think it's way more common in the USA than in Europe because here you can't just phone a bank and open an account with your tax agency code. Normally the first time you need to go and show your ID.
SSN is certainly not enough. I just recently opened 4 accounts with US banks remotely. All four requested to send them pictures of both sides of my ID card + my selfie holding said ID card. And there were additional steps to confirm my identity before activating the accounts.
Shouldn't be a problem for a dedicated criminal, but not as easy as submitting SSN and date of birth into a web form, so can't be done cheaply in bulk.
Semantics. Nobody thinks your password being stolen means someone actually takes it from you, or your device getting hacked means someone inflicted a physical blow with a sharp object. Someone illegitimately uses your personal information to claim your identity in receipt of goods and services. They stole your identification information to impersonate you.
"Semantics" is an extremely lazy way to dismiss an argument. Semantics is all that really matters in communication: what is the meaning of what is said?
There is more than a trivial semantic difference between "identity theft" and "bank fraud". The former very clearly identifies the victim as being the individual whose data was used, while the latter makes the victim the bank. There's a compelling argument to be made that it's unreasonable to expect any of the information that we have come to associate with "identity theft" to actually be private any more after repeated data leaks by Equifax et al. And if we cannot expect it to be private, is it fair to drag individuals through hell and back when someone successfully defrauds a bank using their details? That's the question being posed by OP, and the semantics of the terms we use are central to resolving it.
You're flubbing the scope of the argument. The second definition of steal in Webster's is to appropriate (e.g. credit) without permission. Identity theft is when someone appropriates someone else's identifying information, without permission, to impersonate them in a transaction or contract. Full stop. There's no qualification that the appropriated thing must be secret or that it was suited to its purpose. If you think that the term is misapplied to other financial crimes, that's an entirely different argument, and it doesn't render the actual term a misnomer.
I'm not, this is where OP scoped it to. OP is arguing that "identity theft" shouldn't be applied to any kind of crime, because stealing an identity isn't actually possible. What is possible is legally persuading a bank that you are someone else.
Calling it identity theft when all someone has to do is get on to one of the many public data leaks and find your information is weird. It's not some kind of heist, it's using publicly available information to trick gullible banks.
identity, n.
4. "the state or fact of being the same one as described."
Those companies aren't trying to verify that information for its intrinsic suitability, and their goal isn't to facilitate a transaction with someone who merely has all of someone else's personal information- they're trying to make sure the person engaging in that transaction is the person indicated on the form. If they switched to say, a finger print, voice sample, DNA, and an in-person interview with an ID check, they would still be trying to validate your identity.
> stealing an identity isn't actually possible. What is possible is legally persuading a bank that you are someone else.
That's like saying murdering someone with a gun is incredibly difficult because unless you actually beat them to death with the gun itself, you're just aiming and pulling a trigger, which isn't even illegal in many cases.
Theft:
steal, v.
2. "to appropriate (ideas, credit, words, etc.) without right or acknowledgment,"
Appropriating your identity for the duration of a transaction certainly fits.
> Calling it identity theft when all someone has to do is get on to one of the many public data leaks and find your information is weird. It's not some kind of heist, it's using publicly available information to trick gullible banks.
Nothing in that definition requires the thing in question was suitably protected or appropriate for the job. Nothing requires that it be permanently stolen or that anything be removed from anyone's possession.
---
I agree that the data and mechanisms used are not up to the task, but only using arbitrary definitions of theft and identity and looking at the mechanisms of theft while ignoring the purpose of those mechanisms doesn't mean the term is wrong or that people aren't, by definition, stealing people's identities. You don't get to decide that people can't use specific, existing dictionary definitions to evaluate whether a term makes sense. And that's just from a technical perspective-- English is a descriptive language and terms mean what popular usage dictates they mean.
So unless you have some convincing arguments that nothing, by any definition, was stolen, that personal data wasn't being used to determine identity, and that the colloquial usage of the term doesn't actually matter, then identity theft is undeniably the correct term. The heistiness of the acts, other non-applicable definitions of the words, and the suitability of the methods of verifying identity are entirely irrelevant.
If someone stole your idea, did you lose something tangible? Also, crimes generally consider cause and effect, including indirect effects if they're foreseeable. Is having to expend time, energy, and perhaps resources to protect the usage of information institutions use to identify you an unexpected side effect? Is it worth nothing?
Pretending the catalyst isn't culpable in the indirect effects of identity theft is every bit as wilfully obtuse as pretending the institutions aren't.
I don't spend much of my time worrying about this, but if you do:
Put credit freezes on yourself and maintain them that way as the default. This cuts your attack surface significantly. Plant your flag with any large government entities that are used for collecting benefits (IRS, your state's stuff, etc.)
Do I love the state of affairs? No, but if it were something I worried about, I'd at least make myself a hard target.
There are _a lot_ of credit reporting agencies to place freezes with. I put freezes at several credit reporting agencies. It took quite a bit of time to work through a small subset of this list:
I think GP means create your account on these sites before a fraudster does it for you. I.e., if you already have an account, they need your login credentials to access your account. But, if you have not established an account, they can often establish a new account using nothing but publicly available data like your birthday and street address for identity verification, then access your data (IRS experienced a lot of fraudulent accounts being created to steal peoples' tax refunds; their new verification system is less susceptible, but IMO too invasive [biometric data]).
That info is generally already public and easily accessible. Try googling yourself or a relative. You can find their date of birth, address, phone numbers, and neighbors in a couple of minutes.
This is a game of whack-a-mole, and no amount of regulation will help if the fundamental identity is founded upon bits of information like this. We should pass regulation for verification of identity using secure means, not giving out SSN + birthday and calling it a day.
There need to be better laws protecting individuals that use aliases and whatnot for registration. Technically, there are certain federal laws that can make doing so illegal in certain circumstances. While not enforced at a high rate, I do see them occasionally being applied unfairly and don't like knowing that by using aliases and whatnot I could be opening myself to criminal prosecution.
> If we wanted to hammer out a quick and effective privacy legislation, it would be: you need a demonstrable reason to ask for someone's birthday
Not much help for the American cousins, but this already exists throughout Europe and has done for years... it's called GDPR.
TL;DR : If it is or it is tied to PII (personally identifiable information) you have to:
(a) Justify collecting it in the first place
(b) Justify storing it, and storing it no longer than necessary
(c) Comply with the "right to be forgotten" and delete it on request
The GDPR has a massive enforcement problem though, so in practice, you have little recourse if a company breaches it and misuses your personal information.
You can report it sure, but does anyone actually follow up on those reports with penalties high enough to deter such behavior? At least in the UK, the answer is definitely no. Our DPA is absolutely useless and may as well not exist.
You somehow forgot to mention that most (probably all) EU countries have laws that require you to know the birthdays of your customers - that of course overrides GDPR, or more precisely, the law is the reason to store the information so there's no need to find other reasons.
Also, don't forget that these laws also have requirements on you keeping logs, most of the time 3, 5 or more years. So yeah you have to obey a deletion request when that time is up, not "on request" - that would be illegal in most cases.
In many EU countries birthdate (and more) is public information, btw - my own birthdate is made public by the state itself (on the business registry website), together with my name and residence address. Same for any owner of real estate - be it land, house or unit - names, residence addresses and birthdates are publicly available in the online cadastre.
Any online service thanks to DSA, for example: Anything that children might use (yes, so everything - intent doesn't count). Anything where users can upload content (writing comments is enough according to our lawyer).
You picked about the only remaining thing where it's not always a requirement. It's a requirement even there if the transaction is over certain threshold (varies by local law, usually around 10k EUR) or certain categories of items (drugs, alcohol, tobacco-related, sextoys, weapons etc).
This information is immediately available for anyone in the country, after they turn 18, via whitepages. This security via obscurity effort isn’t providing any meaningful protection.
Oh, Samsung. I just went through the most insane account recovery process I've ever seen. Tried to register a Samsung account, but my email was already taken. Guess I must have had an account at some point. If you forget your password, you have to provide your name and date of birth to reset it. If you fail to enter the correct details many times, which I somehow did, eventually they will send you the recovery email anyway. When I received it, it was in a language I'd never seen. Then I discovered that it was actually somebody else's account from Indonesia that was using my email address without me ever knowing. So I now have a Samsung account that was someone else's but it was using my email so it was really mine?
I've got a fairly common Gmail address as my primary.
I get all kinds of account sign-ups, and also home purchase paperwork and sheriff's office employment offers, from multiple states.
I used to feel bad, and spent a couple years trying to get in contact and correct whoever used my email.
Now? Fuck em. If you use my email, it's my account. I just deleted "my" Roku account and unsubscribed to the services attached to it (required to delete an account).
Me deleting "your" account is the least-abusive thing I could do if you sign up with my email address.
>Now? Fuck em. If you use my email, it's my account. I just deleted "my" Roku account and unsubscribed to the services attached to it (required to delete an account).
>Me deleting "your" account is the least-abusive thing I could do if you sign up with my email address.
This is illegal, CFAA of 1996.
Them signing up with your email is a mistake, you deliberately modifying data that isn't your own because of that is illegal.
It's not illegal per the CFAA; the individual who signed up did not own the email or have any reasonable entitlement to it. The above poster deleting the account is done through fully legal and intended means provided by the service provider. The law would treat the poster's deletion as fraud protection, which arguably it is. Your claim that the data isn't theirs isn't true.
In case law studies it is debated whether or not something that is erroneously made available to you can still be construed as fraud or theft when you take advantage of it.
Think of it like an ATM that suddenly thinks your balance is 5 quadrillion dollars, and you empty it because if their system says you have it, then it's your prerogative to appropriate those funds, according to your assertion. Unfortunately, this is not how the courts have decided this should be handled. In US v Auernheimer the question is whether publicly accessible and sequential (read: guessable) routes being accessed by those they're not intended for is criminal. The improper venue appeal has nothing to do with the essence and spirit of this segment of case law, it means that the suit was brought forward improperly. That act itself was deemed criminal, otherwise Auernheimer would have remained safely in Arkansas rather than absconding to the then-stateless Republic of Abkhazia.
Saying all of this, it is important to me that I communicate to you Ethbr0, that I'm responding objectively and not at all trying to tell you that I feel one way or the other, or that I am judging you as criminal. If that's how this was taken, I wholeheartedly apologize. You are free to do what you want, and you're granted the right to speak freely publicly. To me it doesn't seem like a good idea to say what you said, and I would not act similarly, but I will not judge you for doing what you feel is right.
I'm honestly curious, because my reading of US v Auernheimer was that the majority of the penalties were linked with sharing the records obtained.
Which stands to reason and is in line with my understanding of the CFAA: that circumventing and breaching security is a crime, but the severe penalties kick in when one shares the results of those actions.
What precedent? You linked a case where the defendant '...began to write a program that he called an "accountslurper"'. Hard disagree with your statements, as protecting your identity is nowhere similar to maliciously accessing and manipulating data.
I'm not sure it is. The system you are accessing is not the user's, it's the company's. The company let you in with your own email address.
Discord was horrible about this. They kept sending automated emails about someone else's account, because the user signed up with my email address. I told them it wasn't mine and they should make the user fix their email address. Instead, they asked me to confirm I wanted to delete the account. I refused, telling them it wasn't mine. This all happened in Spanish, because the user spoke Spanish, even though my inquiry was originally in English.
So clearly, not all companies care all that much who you are and will freely let you take over other people's accounts.
What should be illegal is companies accepting an email address without verification. My email is my identity. It should be impossible to sign up with an email that you don't have access to.
And email verification has been around forever too! Even obscure forums have it. It's wild to think there's still companies out there allowing account creation without email verification.
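The control argued for in the two comments above is a verify-before-create signup flow. Here is an added example of one (not Samsung's, Discord's or Roku's code, and not the commenters'): the service mints a signed, expiring, single-use token for the address, and an account record exists only after the mailbox owner redeems it, so nobody can register an address they cannot read, and nobody else's mail ever goes to that address. The HMAC-SHA256 token format, the in-memory pending/account tables and the injectable clock are design assumptions for the sake of a runnable demo; a real service would persist the pending table and send the token by mail.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time


class SignupService:
    """Verify-before-create signup (added example, nobody's production code).

    A record in `accounts` exists only after a signed, expiring, single-use
    token sent to the address has been redeemed.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 3600, clock=time.time):
        if len(secret) < 32:
            raise ValueError("use a secret of at least 32 random bytes")
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be tested offline
        self._pending = {}         # email -> (nonce, expires); unverified signups
        self.accounts = {}         # email -> account; verified addresses only

    @staticmethod
    def _canon(email: str) -> str:
        email = email.strip().lower()
        if "@" not in email or "|" in email:
            raise ValueError("invalid address")
        return email

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).digest()

    @staticmethod
    def _b64e(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    @staticmethod
    def _b64d(text: str) -> bytes:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

    def request_signup(self, email: str) -> str:
        """Return the token that would go into the verification mail.

        The HTTP response to the requester should look the same whether or not
        the address is already registered; that outcome only shows up in
        confirm(), which the mailbox owner sees.
        """
        email = self._canon(email)
        nonce = secrets.token_urlsafe(16)
        expires = int(self._clock()) + self._ttl
        self._pending[email] = (nonce, expires)   # newest token supersedes older ones
        payload = f"{email}|{nonce}|{expires}".encode()
        return self._b64e(payload) + "." + self._b64e(self._mac(payload))

    def confirm(self, token: str):
        """Redeem a token from the mail; returns (ok, reason)."""
        try:
            p64, m64 = token.split(".", 1)
            payload, mac = self._b64d(p64), self._b64d(m64)
        except (ValueError, binascii.Error):
            return False, "malformed"
        # Authenticate before trusting any field of the payload.
        if not hmac.compare_digest(mac, self._mac(payload)):
            return False, "bad signature"
        email, nonce, expires = payload.decode().split("|")
        if int(self._clock()) > int(expires):
            return False, "expired"
        pending = self._pending.get(email)
        if pending is None or not hmac.compare_digest(pending[0], nonce):
            return False, "unknown or already used"   # replay, or superseded
        del self._pending[email]                       # single use
        if email in self.accounts:
            return False, "already registered"
        self.accounts[email] = {"email": email, "verified_at": int(self._clock())}
        return True, "verified"


if __name__ == "__main__":
    svc = SignupService(secrets.token_bytes(32), ttl_seconds=600)
    token = svc.request_signup("Someone@Example.com")   # would be mailed, not returned
    print("account exists before verification:", "someone@example.com" in svc.accounts)
    print(svc.confirm(token))
    print(svc.confirm(token))                            # second use is refused
```

Until confirm() succeeds the address appears nowhere a notification, recovery mail or account-deletion prompt could be sent from, which is the property the Discord and Roku stories above are missing. The signature is checked before any payload field is parsed, the nonce makes the token single-use, and the expiry is inside the signed payload so it cannot be extended by the holder.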
Just got the email from Samsung saying I was part of the breach. At the end of this (extremely long and excuse-ridden) email they inform me that I'm entitled to a free credit check every year from credit reporting agencies.
Can't we just fast forward to the part where they send me a $5 check for the class action settlement? They'd save a ton on legal fees.
I find it insulting to offer a credit check. If I wanted, I would get 20 credit checks just this year. Credit checks are also (mostly) free. Everyone and their mother offers them.
Why would that do me any good for checking? How does it remediate or mitigate the loss I have?
They aren't even offering one, it's worse than that. They are providing info how to use your one annual free credit check that is gov mandated. They are not offering anything other than notice.
I'm pretty sure the US government offers them for free, and anyone else doing it "for free" is only using at a means to collect and sell your personal information. Using some random site like getmemyfreecreditcheck.com or whatever is pretty much asking for your privacy to be violated.
Just here to remind everyone that Samsung televisions take screenshots at regular intervals of what you watch and send this to be stored with the same level of "security".
> "Roughly twice per second, a Roku TV captures video “snapshots” in 4K resolution. These snapshots are scanned through a database of content and ads, which allows the exposure to be matched to what is airing. For example, if a streamer is watching an NFL football game and sees an ad for a hard seltzer, Roku’s ACR will know that the ad has appeared on the TV being watched at that time. In this way, the content on screen is automatically recognized, as the technology’s name indicates. The data then is paired with user profile data to link the account watching with the content they’re watching." (https://advertising.roku.com/resources/blog/insights-analysi...!)
This is insane. I can't even imagine being at the meeting where this was proposed
"Advertisers want to know when their ads are being viewed"
- "We could work with advertisers to have them add some metadata to the output signal, and detect that on the client"
"Nah, let's just record everything everyone watches, that way we can harvest the data and sell it to advertisers we haven't yet partnered with in the future"
- "Yes, that sounds like a perfectly reasonable thing to do and couldn't possibly have any negative consequences. That is unless consumers have a problem with it..."
AFAIK most such systems take greyscale screenshots, downsample them to basically not much more than a thumbnail, and compress that with a lossy algorithm.
Still though, people watch home video of their kids on their televisions! Some people make home-made porn for their own enjoyment.
Meanwhile somewhere in a data centre in South Korea...
There doesn't seem to be any kind of smart device that's actually trustworthy.
I have an LG TV that I rooted using a vuln in the browser. I got ad-free YouTube, and supposedly less telemetry, but other than that I'm not sure there is a better option.
I believe the keyword is "public display". The screens they install in shops and other places come without the "smart" bits and are optimised towards surviving an always-on cycle in suboptimal conditions. They're also significantly more expensive than smart tvs.
I love how they don't say how big the breach was, what systems were affected, or how to opt-out of them stealing your personal information and storing it on poorly secured servers:
> Why does Samsung have my data?
> We collect information necessary to help deliver the best experience possible with our products and services. We know how important privacy is to our customers, and we provide information about how we're planning to use customer data, in strict compliance with relevant privacy laws. You may visit the U.S. Privacy Policy section of our website for more details on how we may obtain data and for what purposes: https://www.samsung.com/us/account/privacy-policy/.
> We collect information necessary to help deliver the best experience possible with our products and services.
When I got my first Samsung phone, it came with Samsung's keyboard installed. I looked at the privacy policy and saw that it was sending every single keypress to some third party whose privacy policy said it was used for market research and to guess at things like the education level and intelligence of the user. Who needs malware when Samsung ships keyloggers. I uninstalled it then did the same with every other Samsung app I could. They obviously don't care at all about people's privacy. On the plus side, I found some great apps that way like simple gallery pro and markor.
> Information we may collect automatically includes information about
>· your device, including MAC address, IP address, log information, device model, hardware model, IMEI number, serial number, subscription information, device settings, connections to other devices, mobile network operator, web browser characteristics, app usage information, sales code, access code, current software version, MNC, subscription information, and randomized, non-persistent and resettable device identifiers, such as Personalized Service ID (or PSID), and advertising IDs, including Google Ad ID;
>· your use of the Services, including clickstream data, your interactions with the Services (such as the web pages you visit, search terms, and the apps, services and features you use, download, or purchase), the pages that lead or refer you to the Services, how you use the Services, and dates and times of use of the Services; and
>· your use of third-party websites, apps and features that are connected to certain Services.
So essentially, they're saying that they can log everything that you do on your device.
Mine was linked to my college email. I have no idea how that got linked as I have been out of school for more than 20 years. I may have used it to get a "student" discount at some point in the recent past but who knows?
Just got this email. I love how they don't even try to pay you off. They just show you where to get your free credit report where if you've already accessed it, you're screwed.
Came here to say this. The least they could have done is provide you with a free credit report, regardless of whether you previously used your freebie.
This ship kinda sailed after Equifax data breach, but I wish we could make data a real liability ( as in, if you store it, you are on an actual legal hook for it ). 2017 settlement[1] was largely a joke if not an insult to all the affected individuals. The company still operates, no one went to jail and the company got a hard cap on potential claim from affected people.
I don't know what the solution is exactly though ( I mean how to effect actual change instead of posting in this forum ).
I guess eventually everybody's data will be leaked (are we there yet?) and companies that would like to make loans will have to come up with some other way of verifying their customers.
The credit system is a scam anyway. Oh wow thanks Equifax, you think I should be allowed to go up to my eyeballs in debt. What an honor, I'm flattered.
Amateurs. Samsung's identity system was f*ed even before this. Only Lenovo/Motorola were worse. _Of course_ they got hacked: they were a big fat (in a purely metaphorical sense), stupid, target. The entire executive suite and board should be swept out and replaced. But that won't happen because those few have a lock on the majority of shares by either owning them outright or being golf partners with the like-minded idiot rest. Their main focus now, as always, is to deflect blame and preserve their positions. Does not inspire confidence in the future of anything. No wonder they can't get the simple things right, like providing clean water to Flint or Jackson. The clowns have taken over the bus and are driving it right over a cliff.
> At Firefighters, firefighting is our top priority. We recently discovered that our base of operations caught fire and, as the fire hydrants and fire extinguishers did not work, it was incinerated.
We know your stuff not catching on fire is important to you. That’s why we gather it up into large piles, then do the minimum we’re legally required to do to technically avoid committing arson. For more information on how we and our trusted partners douse our pile of your stuff with gasoline while using our warehouses to hotbox cigars, weed and crack, see our 1000-page “not stealing and then getting high and catching your stuff on fire policy”.
At Samsung, like at every other company, perception management is a top priority. And we will never understand why managing perceptions while ignoring reality always fails.
As a Chinese dissident, if the CCP got the leaked data and traced it to my identity via my Samsung device and account information, I might be put in a CCP jail for my internet speech.
Samsung, your carelessness put many lives in danger!!
I would like to delete my Samsung account (which I was forced to create to access some feature of my phone). But I can't even access my profile because I'd need to accept some new user agreement which I won't do. I guess I could try sending them a letter.
No, I won't give them anything. They don't need to take this information. They shouldn't have it. I think they and everyone else collecting data should be held far more accountable than they are for the damage they do when that data leaks.
I feel stupid for ever giving Samsung this much info to begin with. But oh, they had such compelling reasons to do it. Like trading in my old phone to get a deep discount on a new one directly from Samsung, and bypassing all the carrier bullshit! Or locking down all of my devices, so that someone who steals my phone can't factory reset it without supplying my Samsung account credentials!
When I saw this thread I went and checked my inbox to see if I had received an email telling me I was caught by this breach. I haven't, but what I do have are like five emails from my carrier in the last two weeks desperately trying to get me to upgrade to the latest Samsung phone.
I have a Samsung from three years ago. I don't want to upgrade or replace it until it actually breaks, as constantly upgrading phones strikes me as wasteful. However, when I see this shit as well as all the Samsung apps they don't let you delete or disable from your phone, I am very tempted to just splash out on a Pixel to install GrapheneOS.
I've had the opposite experience. S8, S9 Plus, S22+, all of them for some reason cannot unlock the bootloader.
At this point I would recommend a Pixel of any variety. It's much much simpler to root and get GrapheneOS installed. Save yourself the headache (and the data leaks).
Most of that info is already public and easily searchable. There are data brokers that gather public records (like real estate) and resell them to marketers, sales people, other data brokers, etc. It's an enormous business. Privacy is, sadly, an illusion.
Yes. But it is becoming increasingly difficult with "smart" or "connected" devices. Sometimes you have to fill in forms to access services or agree to EULAs with abusive terms. If you disagree with the terms, you become ostracized because everybody else in your circles accepted those terms and nobody is using your open-source/decentralized/federated network or services.
You can't expect common people to be reasonable and spontaneously boycott abusive vendors. Most people are not educated enough for that. Among those who are, most don't care.
We need laws to prevent this kind of abuse so vendors can't take advantage of people who are willing to share such information even if they are knowledgeable about its implications.
My favorite suggestion for a nationwide privacy law is simple:
Clarify that all EULAs are null and void unless they have been reviewed with counsel, signed, and notarized to ensure the user understands what they are agreeing to.
If the companies want to treat them like contracts, so should the other party. Otherwise, it all stinks of duress.
I wonder if the GP is saying that you don't necessarily have to provide your real DOB etc. to vendors that coerce you in this manner. I mean, don't you want to imagine a world in which you were born on Feb 29 of some suitable leap year?
It's becoming more and more difficult to do so. I can't remember the last time I bought a piece of electronics that didn't have a EULA. At this point, I half expect my breakfast cereal to come with a T&C.
I am aware this does not fix the problem of the already stolen data, but it might tip the data collection cost/benefit analysis in favor of discarding collection altogether. Maybe. Let me dream, would you?
Can someone explain to me what the purpose of date of birth collection is? If it’s to verify the person is an adult, anyone can just lie. And why not just ask for age or age range instead?
Samsung's disclosure doesn't meet statutory requirements of either jurisdiction I reside in, and Samsung's collection of my information doesn't meet statutory requirements in one of them. I did not set up a Samsung account on my phone or log in, despite constant harassment, and now I got a notice saying my information was compromised.
The whole paragraph suggests it more strongly. Specifically, why would you say "affected" rather than "exposed" or "accessed"?
> FAQ: Can you tell us more about what specifically happened? In late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems. On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected. We have taken action to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement.
Does this apply to those who use Samsung devices without having explicitly registered for an "account" with samsung.com? They must be made to reveal the extent to which keylogging and other surreptitious means of data collection are being used on their devices.
> your device, including MAC address, IP address, log information, device model, hardware model, IMEI number, serial number, subscription information, device settings, connections to other devices, mobile network operator, web browser characteristics, app usage information, sales code, access code, current software version, MNC, subscription information, and randomized, non-persistent and resettable device identifiers, such as Personalized Service ID (or PSID), and advertising IDs, including Google Ad ID;
Regardless of how fake you think the information you gave them is, if you use your phone, there is more than enough information to attain a real identity and connect that to other identities.
IMEI alone will uniquely identify your device, and therefore you, and it will be connected to a phone company that is probably willing to sell your data.
TVs can probably scan your local network, which means at the very minimum getting MAC addresses, which can tell you the manufacturer and maybe more of the various devices on your network.
Supposedly Amazon set up an AWS service to leverage 5G (https://aws.amazon.com/private5g/) allowing significantly more devices. The idea being that our fridges, TVs and other household devices could talk directly to a private service without having to be subject to your in-home firewalls/DNS blocking/etc.
I beg to differ. I am using a Galaxy S8+, I've used it for years. I have never received any emails from Samsung. I never used the Samsung apps. Having never signed up for an account it is therefore unsurprising that I have not received an email from Samsung.
If they have collected any information from me, I never authorized the collection.
TL;DR: whilst this incident is absolutely inappropriate, the big business behaviour will not change until users, too, recognise their accountability and responsibility. You purchased that product, accepted its usage terms, and supported this behaviour. Accept “some” responsibility in this outcome.
—
In regards to this security incident: users accepted the terms and conditions, which include (usually in detail, or lack thereof) their handling of the outcome, and impact to you.
It’s a horrible situation. I'm not saying it’s acceptable. However, I demonstrate so by not supporting (advocating, purchasing, etc.) and accepting these outrageous terms.
This is not isolated to Samsung…
Our home is (wherever possible) a “Samsung” free zone, primarily inspired by their handling of the health incidents in their South Korean factories. Workers sick and dying, directly linked to the workplace.
After years of persistent pressure from the families of these workers, the outcome was a payout and a typical “sorry we got caught” announcement.
There has also been ongoing large-scale corruption in the heads/leaders of the organisation, tied closely to South Korea in its entirety. It seems the outcome here is: “you’re really bad, but also really good… we’ll meet somewhere in the middle..”.
PS: am aware that Samsung parts are often included with other brand solutions. Hence “mostly” above. I proactively investigate, and avoid at all costs.