FTC: Vast Surveillance of Users by Social Media and Video Streaming Companies

>Why is it everywhere I go management is always doing shady stuff.

Well here's a cynical take on this - management is playing the business game at a higher level than you. "Shady stuff" is the natural outcome of profit motivation. Our society is fundamentally corrupt. It is designed to use the power of coercive force to protect the rights and possessions of the rich against the threat of violence by the poor. The only way to engage with it AND keep your hands clean is to be in a position that lets you blind yourself to the problem. At the end of the day, we are all still complicit in enabling slave labor and are beneficiaries of policies that harm the poor and our environment in order to enrich our lives.

>unless I report it to PCI, which I would get no reward for.

You may be looking at that backwards. Unless you report it to PCI, you are still complicit in the mishandling of the breach, even though you resigned. You might have been better off reporting it over the owner's objections, then claiming whistleblower protections if they tried to terminate you.

This is not legal advice, I am not a lawyer, I am not your lawyer, etc.

The DOJ has just launched a corporate whistleblower program, you should look into it maybe it covers your case:

https://www.justice.gov/criminal/criminal-division-corporate...

>As described in more detail in the program guidance, the information must relate to one of the following areas: (1) certain crimes involving financial institutions, from traditional banks to cryptocurrency businesses; (2) foreign corruption involving misconduct by companies; (3) domestic corruption involving misconduct by companies; or (4) health care fraud schemes involving private insurance plans.

>If the information a whistleblower submits results in a successful prosecution that includes criminal or civil forfeiture, the whistleblower may be eligible to receive an award of a percentage of the forfeited assets, depending on considerations set out in the program guidance. If you have information to report, please fill out the intake form below and submit your information via CorporateWhistleblower@usdoj.gov. Submissions are confidential to the fullest extent of the law.

Why would you resign? You could have reported it yourself and then you would have whistleblower protections - if the company retaliated against you (e.g. fired you), you then would have had a strong lawsuit.

As in.. his actual Uber driver? He just handed his laptop over?

YMMV indeed.

Since moving overseas 15 years ago, I tried numerous times and it simply is not possible. All the forms require a U.S. mailing address to register. Same for online access to your Social Security account.

There are an estimated 10 million Americans living overseas. Taken together, we are the equivalent of the 11th largest state. All of us completely blind to what is happening with our credit record and Social Security account.

At this point I think the only way this gets fixed is massive fraud/exploitation by organized crime, so these organizations finally address the problem.

Unfortunately, that isn’t enough to mitigate identity theft. Someone leveraging the recent National Public Data breach opened a checking and savings account using my identity (no credit checks are performed in doing so) then committed wire fraud using accounts.

Ok, but this is something that shouldn't be my problem. And it's not just that; I have to go unfreeze it if someone needs to run a credit check.

>There could be a regulating body which could determine the risk to people's mental health for example from 'features' of tech companies etc.

I think ideas like this is why it's not going to happen.

Our understanding of mental health is garbage. Psychiatry used to be full of quackery and very well still might be. Treatment for something like depression boils down to "let's try drug in a random order until one works". It's a field where a coin-flip rivals the accuracy of studies. Therefore any regulating body on that will just be political. It will be all about the regulators "doing something" because somebody wrote enough articles (propaganda).

Problems like this are why people aren't interested in supporting such endeavors.

Through civil disobedience is the only way stuff like this happens in America. You're right about the incentives to those in power, but how do you think we got emancipation2, women's suffrage, organized labor rights, prohibition and the end to prohibition?

While I also worry about lobbying, we'll have to lobby harder.

I forgot where I saw this, but the US govt recently announced that they see mass PII theft as a legitimate national security issue.

It’s not just that you or I will be inconvenienced with a bit more fraud or email spam, but rather that large nation state adversaries having huge volumes of data on the whole population can be a significant strategic advantage

And so far we typically see email+password+ssn be the worst data leaked; I expect attackers will put in more effort to get better data where possible. Images, messages, gps locations, etc

They’d need a lot less security if they stopped spying on us and saving all of our most critical ID data, period.

Then instead of regulating the companies, make SSN easily revokable and unique per service. I don't understand why Americans are so oppposed to a national ID despite the fact that every KYC service use SSNs and driver licenses.

Nearly everyone's data has been leaked already. Any strong protections would only protect people who haven't been born yet imo.

"What fraction of the FBI and CIA do the Communists have blackmail material on?"

> [...] would be a tragic waste of it.

The first time would have been a tragedy, from then on it has been farce after farce.

Imagine a world where companies would have to prove the necessity of storing specific factoids. It would only take 1 security researcher to prove it being unnecessary, invalidating that class of "legitimate interests".

Today this value judgement happens in human brains, like the (correct) judgement in your comment. If we want to scale it objectively we would have to switch to formal verification. A whole industry of compliance checking could come to exist where a company wants to get its operations screened for compliance issues, so as not to suffer criminal negligence penalties.

[flagged]

This does nothing for them being able to continue with shadow profiles and inferences about you based on data they gather from others in your social network. It is well beyond "data you provide". Like waaaaay beyond.

I think I agree, but people will have very different views on where liability should fall, and whether there is a malicious / negligent / no-fault model?

Section 230? Is it the platform or the originating user that's liable?

Protection of personal data? Is there a standard of care beyond which liability lapses (e.g. a nation state supply chain attack exfiltrates encrypted data and keys are broken due to novel quantum attack)?

Minors viewing porn? Is it the parents, the ISP, the distributor, or the creator that's liable?

I'm not here to argue specific answers, just saying that everyone will agree liability would fix this, and few will agree on who should be liable for what.

The fact that my data can be stolen in the first place is already outrageous, because I neither consented to allowing these companies to have my data, nor benefit from them having my data.

It's like if you go to an AirBNB and the owner sneaks in at night and takes photos of you sleeping naked and keeps those photos in a folder on his bookshelf. Would you be okay with that? If you're not directly harmed, what liability would they have?

Personal data should be radioactive. Any company retaining it better have a damn good reason, and if not then their company should be burned to the ground and the owners clapped in irons. And before anyone asks, "personalized advertisements" is not a good reason.

Go ahead, post your phone number here. It's not directly harmful.

This is the traditional way of thinking, and a good question, but it is not the only way.

An able bodied person can fully make complaints against any business that fails their Americans with Disabilities Act obligation. In fact these complaints by able bodied well-doers is the de facto enforcement mechanism even though these people can never suffer damage from that failure.

The answer is simply to legislate the liability into existence.

That's the whole problem with "liability", isn't it? If the harms you do are diffuse enough then nobody can sue you!

The same way you can get ticketed for speeding in your car despite not actually hitting anyone or anything.

Surveillance apologist.

This is exactly why thinking of it in terms of individual cases of actual harm, as Americans have been conditioned to do by default, is precisely the wrong way to think about it. We're all familiar with the phrase "an ounce of prevention is worth a pound of cure", right?

It's better to to think of it in terms of prevention. This fits into a category of things where we know they create a disproportionate risk of harm, and we therefore decide that the behavior just shouldn't be allowed in the first place. This is why there are building codes that don't allow certain ways of doing the plumbing that tend to lead to increased risk of raw sewage flowing into living spaces. The point isn't to punish people for getting poop water all over someone's nice clean carpet; the point is to keep the poop water from soaking the carpet in the first place.

Snowden pointed and everyone looked at his finger. It was a huge shame, but a cultural sign that the US is descending into a surveillance hell hole and people are ok with that. As someone who was (and still is) vehemently against PRISM and NSLs and all that, it was hard to come to terms with. I'm going to keep building things that circumvent the "empire" and hope people start caring eventually.

Yep. It sucks. Zero consequences of any import for those companies as far as I'm aware too. Tiny fines end up being "cost of doing business". Then they get to externalize their failures onto us by using terms like "Identity Theft", which indicates something was stolen from ME and is now MY problem.

In actuality some not-well-maintained systems owned by <corp> were hacked or exposed or someone perpetrated fraud on a financial institution and happened to use information that identifies me. It's really backwards.

PSA: If you haven't already, go freeze your credit at Experian, TransUnion, Equifax and Innovis. It will make the perpetration of this type of fraud much more difficult for adversaries.

My pet solution has been to make the credit reporters liable for transmitting false information to the CRAs.

Chase tells Experian I opened a new line of credit with them, but it later is demonstrated that it was a scammer with my SSN? Congratulations, $5,000 fine.

Of course this all gets priced in to the cost and availability of consumer credit. Good! Now the lenders have an incentive to drive those costs down (cheaper, better identity verification) to compete.

For a while they were sending emails about my account that I was actually unable to unsubscribe from[1]. I knew it was illegal at the time, and when I finally noticed an unsubscribe button it was because the FTC finally intervened[2].

https://www.reddit.com/r/assholedesign/comments/udy8rz/exper...

https://www.ftc.gov/news-events/news/press-releases/2023/08/...

https://www.youtube.com/watch?v=CS9ptA3Ya9E

That's not an irrational reaction.

The consent you give to web services isn't much better than if an electrician said "hey, can you tap this button to give me consent to work on your house?" and then installed undetectable hidden microphones inside every surface in your apartment.

All of the UX of online consent forms exists to misinform, trick, and get users used to agreeing to sell their digital soul.

Facebook will create shadow profiles of you even if you've never signed up, never created a profile. They'll take your number from other people's contacts via WhatsApp. They'll do facial scans of you on photos other people upload.

Even if you've never visited their site.

Where's the consent there?

I wouldn't say that. If it meets our needs/wants and we are willing to pay for it, that represents value, no matter how silly it sounds. People pay money for plenty of nonsense: cosmetics, junk food, DLC. The fact that it's artificially derived (laws begetting paid workarounds) doesn't change the value proposition. For data gluttons the investment in data acquisition pays off. There are plenty of people paying money to work around laws, especially tax laws. Tax decisions have a scale from wisdom (an individual making prudent financial decisions) to deviance (a company playing shell games with businesses and bank accounts) but the line can be blurry.

I do think the situation is dystopian though. Sharing data without explicit case-by-case consent should be disallowed.

Agreed. Mid-sized/smaller players are the places which have very poor data & security practices. Especially when they require PII as part of their operations.

Meta, Google are much better stewards of their users data. One misconception I see is claiming these companies sell user data. I'd instead say that they sell user attention.

See also on this topic:

>Two billionaire Harris donors hope she will fire FTC Chair Lina Khan

https://www.reuters.com/world/us/two-billionaire-harris-dono...

>Kamala Harris’ Donors Privately Urge Firing of FTC’s Khan, SEC’s Gensler

https://www.bloomberg.com/news/articles/2024-09-06/kamala-ha...

She is friends with JD Vance apparently

Do you think this effort was somehow scaled back?

Sure it is: https://peergos.org/posts/decentralized-social-media

It is social media where only the end users' devices can decrypt the posts and comments. Then surveillance is not possible. Targeted ads are not possible.

HN is filled with folks that wrote the code in question, or want to create similar products. And they hate to have it pointed out that these tools may cause harm so they thrash around and make excuses and point fingers. A tale as old as this site.

>The cognitive dissonance is in the voters and users.

People really need to learn to say “NO” even if that means an inconvenience “Your personal information might be shared with our business partners for metrics and a customer tailored experience” no thanks, “what is your phone number? so I can give you 10% discount” no thanks, “cash or credit?” Cash, thanks, “login with google/ apple/ blood sample” no thanks

Anti-disclaimer: I'm not one of those folks.

However, that's not at all a cognitive dissonance. Fundamentally, there's a difference between governments and private companies, and it is fairly basic to have different rules for them. The government cannot impinge on free speech, but almost all companies do. The government cannot restrict religion, but to some extent, companies can. Etc.

Of course, in this case, it's understandable to argue that neither side should have that much data without consent. But it's also totally understandable to allow only the private company to do so.

There isn’t a single intellectually honest harm associated with the majority of app telemetry and for almost all ad data collection. Like go ahead and name one.

Once you say some vague demographic and bodily autonomy stuff: you know, if you’re going to invoke “voters,” I’ve got bad news for you. Some kinds of hate are popular. So you can’t pick and choose what popular stuff is good or what popular stuff is bad. It has to be by some objective criteria.

Anyway, I disagree with your assessment of the popular position anyway. I don’t think there is really that much cognitive dissonance among voters at all. People are sort of right to not care. The FTC’s position is really unpopular, when framed in the intellectually honest way as it is in the EU, “here is the price of the web service if you opt out of ads and targeting.”

You also have to decide if ad prices should go up or down, and think deeply: do you want a world where ad inventory is expensive? It is an escape valve for very powerful networks. Your favorite political causes like reducing fossil fuel use and bodily autonomy benefit from paid traffic all the same as selling junk. The young beloved members of Congress innovate in paid Meta campaign traffic. And maybe you run a startup or work for one, and you want to compete against the vast portfolio of products the network owners now sell. There’s a little bit of a chance with paid traffic but none if you expect to play by organic content creation rules: it’s the same thing, but you are transferring money via meaningless labor of making viral content instead of focusing on your cause or business. And anyway, TikTok could always choose to not show your video for any reason.

The intellectual framework against ad telemetry is really, really weak. The FTC saying it doesn’t change that.

And in Europe, everyone and their dog uses WhatsApp

The FTC is bipartisan, no more than three of the five commissioners can belong to the same party. The present report was unanimously voted by all five.

I don't know if you've been watching but the FTC has actually been extremely proactive during this cycle. Lina Khan is an excellent steward and has pushed for a lot of policy improvements that have been sorely needed - including the ban (currently suspended by a few judges) on non-competes.

It is disingenuous to accuse the FTC of election pandering when they've been doing stuff like this for the past four years consistently.

Begs the question of agency authority which is manifestly not resolved. You will find that the elections’ results will effect the eventual resolution of the question of the unitary executive quite dramatically.

The problem seems deeply fundamental to what it means to be a human.

On one hand, there's a lack of clear leadership, unifying the societal approach, on top of inherently different value systems held by those individuals.

It seems like increasingly, it's up to technologists, like ones who author our anti-surveillance tools, to create a free way forward.

this view presupposes the state as “just another actor” as opposed to a privileged one that can take actions that private actors can’t

The EU has multiple parts. One part keeps asking for chat control, and another part keeps saying no.

That does not even account for offline ads, such as billboards.

Although you have a valid point, I object to your calling it a community because communities don't have constitutions and cannot throw people in jail if they break the community's rules. Also, a community has much less control over who becomes a member of the community than a government has over who it employs.

Apologies I was unclear: I'm not criticizing this report, I'm criticizing the lack of action over the past decade or so.

Well put. Targeting and more specifically retargeting is the problem.

Most companies can't afford to not do this when their competitors are. Hence the need for regulation.

> What is the minimum level of privacy that a person should be entitled to, no matter their economic status?

This is an interesting question: maybe the truth is, very little.

I don't think that user-identified app telemetry is below that minimum level of privacy. Knowing what I know about ad tracking in Facebook before Apple removed app identifiers, I don't think any of that was below the minimum level.

This is a complex question for sort of historical reasons, like how privacy is meant to be a limit on government power as opposed to something like, what would be the impact if this piece of data were more widely known about me? We're talking about the latter but I think people feel very strongly about the former.

Anyway, I answered your questions. It's interesting that no one really wants to engage with the basic premise, do you want these services to be free or no? Is it easy to conceive that people never choose the paid version of the service? What proof do you need that normal people (1) understand the distinction between privacy as a barrier to government enforcement versus privacy as a notion of sensitive personal data (2) will almost always view themselves as safe from the government, probably rightly so, so they will almost always choose the free+ads version of any service, and just like they have been coming out ahead for the last 30 years, they are likely to keep coming out ahead, in this country?