by carride on 10/24/23, 6:35 PM with 79 comments
by bee_rider on 10/24/23, 7:18 PM
We have businesses that are explicitly built on violating privacy.
We have businesses that provide services that require them to collect some private info. I’d put 23andme in this bucket.
We have businesses that have lax security, and actually get their systems broken into.
We have businesses that have fine security, but don’t force users to have good, unique passwords and 2FA. 23andme is in this bucket, right?
The first, we should be happy to run them out of business, like we should actively write laws that try to destroy them.
The third, we should fine them to the point where skimping on security is never a rational decision (and if that runs companies out of business, fine).
The second seems not too bad, every medical-field-related service is going to have some private info necessarily (for example), as long as they don’t exploit it that seems fine.
The fourth seems not so bad, there are all sorts of services that are not so important. I don’t have 2FA on, like, random forums and video games, who cares?
Combining two and four is pretty bad though.
by mnd999 on 10/24/23, 7:04 PM
by AlbertCory on 10/24/23, 7:08 PM
You can't control what your relatives do, unfortunately.
by michaelbuckbee on 10/24/23, 7:23 PM
User PII and especially sensitive data suddenly was viewed as "toxic" and that having it around was something that could only bring them hassle.
California's data privacy acts are similar (but much more narrowly focused).
Also, I always like to sum up what the intent of these acts typically is and what compliance means:
- Tell people what data you're going to collect, what you do with it, and who you share it with
- Keep their data reasonably secure
- Delete it if they ask
by Ajay-p on 10/24/23, 8:28 PM
by swarnie on 10/24/23, 7:22 PM
Nothing will change.
It's time for people to stop expecting things from their corpo-overlords or the governments they've purchased.
by andrewstuart on 10/24/23, 6:59 PM
Outside Europe privacy isn’t a priority for politicians.
by syndicatedjelly on 10/24/23, 7:31 PM
by TurkishPoptart on 10/24/23, 7:15 PM
by robbywashere_ on 10/24/23, 7:20 PM
by dvngnt_ on 10/24/23, 7:21 PM
but I agree that with sensitive data 2FA should be mandatory
by ilamont on 10/24/23, 7:52 PM
Without the risk of a giant fine or, say, jail time, many tech giants can and do get away with managing their data security badly.
That's right. It's happened before, and will continue to happen as long as there are no consequences.
Note that 23andMe is not the first online genealogy service to get hacked:
- In 2017, MyHeritage had 92 million accounts hacked https://www.hackread.com/dna-testing-website-myheritage-hack....
- In 2020, MyHeritage users were targeted in a separate phishing scheme. https://blog.myheritage.com/2020/07/security-alert-malicious...
- GEDmatch admitted “all user permissions were reset” in a 2020 attack. https://www.buzzfeednews.com/article/peteraldhous/hackers-ge...
- Ancestry and Ancestry-affiliated companies have had multiple security breaches over the past 10 years (https://www.hackread.com/software-firm-leaks-ancestry-com-us...)
- Ancestry has also destroyed people's archives when it decided it was no longer profitable or important enough to keep them. https://slate.com/technology/2015/04/myfamily-shuttered-ance...
- Last year, FamilySearch belatedly admitted a breach had exposed “users’ full names, genders, email addresses, birth dates, mailing addresses, phone numbers.” https://grahamcluley.com/seven-months-after-it-found-out-fam...
These are incidents that have been made public as required by law. There are surely thousands of other smaller incidents that are not reported, as well as major breaches that the companies themselves don’t even know about yet. And it will continue for years to come until lawsuits or brutal regulations with teeth are enacted.
by krunck on 10/24/23, 7:08 PM