No need to invent new jurisprudence - if the location data can be used to identify an individual, it is personal data under the GDPR and enjoys all the rights and protections enabled by the regulation.
In the US it is actually a big deal because data is not a "creative work" so it is not covered by copyright protection.
Because of this, black market re-sellers can operate with relative impunity. Most data brokers have a TOS that prohibits the re-selling of their data, but there isn't any copyright protection.
For example, if a company has location data, the only way for them to be held liable is for a particular company to prove they obtained that data directly from them. Once the data has reached a minimum of two parties, everyone now has plausible deniability. If this data was under copyright, the original copyright owner would always have a claim and it would be each parties responsibility to prove they had a right to hold and distribute it.
The lack of a copyright style concept of original owner allows data to flow freely even if that transfer is violating a specific TOS.
As someone who has worked with a couple data aggregation startups, I find it surprising I am unaware of the laws that classify it as private info(or even the legal definition of what "private info" is).
With that said, I am certainly not a lawyer and was never directly involved. Which particular laws are you referring to?
Edit: I should mention I am aware of laws preventing the collection of certain types of data. But unaware of laws about possession of that data.
>As someone who has worked with a couple data aggregation startups, I find it surprising I am unaware of the laws that classify it as private info(or even the legal definition of what "private info" is).
As a European, I wasn't saying that you have laws that classify it as "private info".
I'm saying that you _should_ have (or get) some such laws.
Including laws about the "possession of that data" -- GDPR for example covers both collection and possession, and which cases either brushes against the law.
Ah, my apologies. I misunderstood that and thank you for clarifying. I absolutely agree. I hope we, in the US, come to a point where we treat personal info in a similar way. Best regards from across the pond.
Judging by the sentiment on HN when GDPR was coming into effect, if something like it came up for a vote in the US, a lot of HN users and other tech people would vote against it.
There was no shortage of angry geeks posting articles about their service turning away EU users rather than complying with GDPR.
If you work in tech or marketing your salary comes from eroding privacy. There is a lot of money at stake here and people don't vote against their interests.
Europeans aren't inherently better: if Facebook and Google were companies founded in Germany or France who knows if GDPR would exist.
Europeans aren't inherently better: if Facebook and Google were companies founded in Germany or France who knows if GDPR would exist.
The Data Protection Directive, which the GDPR merely extends and updates, is older than Google and almost as old as the web itself, and was an attempt to unify even older national laws regarding personal data. It's not a reaction to having "lost" the privacy-eroding race.
European politicians don’t have to spend 70% of their time begging corporations for campaign donation. I believe this is much more of a determining factor.
I don't know if I'd say that. "Tech" is a really big field, and most areas don't have anything to do with eroding privacy.
Unfortunately, many areas that would have been "safe" years ago, like games and standalone applications, are moving in the direction of violating privacy by phoning home and sending "telemetry" data, but there's still a lot of areas that are good.
I'm a sysad for a small company. We have an on-prem solution and a social media app.
We don't sell our data. We don't trade it. And we adhere to a fedramp medium (in spirit), even though the social media site wasn't checked for that.
Users have control over their profile, and we admins cant even read it (unless we read raw DB, and we dont). And deletion requests entail in zeroing out all user's data. The next day, zeroed data is then purged completely.
Seriously, companies can do this right. And I work for one that absolutely does this right.
Europe has had data protection laws long before Facebook and Google we’re a thing. The concept of GDPR wasn’t invented because the EU were angry at American companies; it exists because there is a need for it. Just as previous incarnations of data protection laws existed in the EU before the web was a thing too.
Also I resent being told that anyone who works in tech gets their salary from eroding peoples privacy. I can guarantee you that hasn’t been the case for any of the jobs I’ve had in my career.
Hi I work for a printing company as a full-stack developer. My work involves things like writing API wrappers to ingest order flow so our customers can print brochures, or building web UI tools to create and order print resources. The last algorithm I wrote was to generate 5000 unique BINGO cards. Please explain to me how my salary comes from eroding privacy.
I think we can agree that what you do and what your salary "come from" can be distinct and can be influenced by other things. There are engineers at FB whose sole job is maintaining REACT.js but they are paid from the money made from selling data.
Further, and I want to make it clear that I don't mean this as a value statement, but is a printing company what most of us really think of a the "tech" industry? and by extension does that really make you the subject of what you are replying to?
>If you work in tech or marketing, your salary comes from eroding privacy.
Your own inherent weakness in morality doesn't implicitly infer that this is the inherent truth for everyone else in the tech or marketing industry. (Perhaps, moreso for tech than marketing but I digress.)
Not everyone in either industry is inherently on the "I'm just in it for the money" bandwagon.
People living in Germany and France think differently, if Facebook had been invented there, there is IMO a good possibility it would be less privacy-invading.
That plus there are good historical reasons for our strong privacy laws.
This is a double edged sword...in the EU it doesn't matter because they didn't have a internet economy to begin with but here in the US a lot is at stake.
So if you want better privacy laws in the US then they have to be much more clever than GDPR to not destroy the economy and global competitiveness!
BTW: Personally I think it is possible to do better than GDPR here in the US.
Excluding the U.K. and Ireland (tax haven) the difference between the EU and U.S. is greater, but (eyeballing) only on the order of 30-50%--e.g. ~4% vs ~6%.
What's more surprising is how small the share of GDP is the digital economy in the U.S.
That said, "digital economy" may be a poor proxy for understanding the impact of privacy regulations. It's a superset of tech industries, including much more than those parts which broker private information and to that extent would overestimate the impact. OTOH, I presume "digital economy" excludes large parts of non-tech industries (i.e. traditional sales and marketing companies, TV and newspaper ads, etc) and thus underestimates the potential impact.
I guess it depends on your definition of digital economy...I was referring to companies of the size and influence like Apple, Amazon, Google, Facebook, Microsoft, Oracle, Airbnb, Tesla, SpaceX, etc
The subject’s location is necessary for the performance of the bond. As long as it’s clearly disclosed, there should be no problem signing over those rights as part of the contract. If there is, the bondsman can just make you wear a tracking anklet.
on a more serious note, even if such data is not resold commercially, and even if more detailled surveillance by a real human analyst only occurs when automated red flags are raised, and the system was designed to only allow the analyst access to the detailed data if enough or the right combination of red flags are raised there is a remaining problem: if your job consists of interpreting all day long the details surrounding red flags concerning an individual case by case, and an individual piques your interest (legitimately or not) and if your access to detailed surveillance on this individual expires when the red flags expire (in order to keep the analyst workforce focussed on their job, not their pet theories), then it becomes trivial for the analyst to "tag" an individuall of choice (out of curiousity, fascination) or a previous target (to prolong detailed surveillance): just arrange for an automated red flag concerning this individual to go off! you don't need to guess what types of automated red flags exist since you are constantly handling cases of individuals, and the red flags that were triggered!
(Oct 15) A few months back, my sister visited me in the city I live, and at one point she asked if I could use a prepaid sim card that was soon to get expired (16 days later or valid till including Oct 31), I said I don't really need it, but if she couldn't think of anyone else I would probably use it to call some of my more remote friends (I usually text). She remarked it was stupid that she had forgotten to bring the card. I remember asking why she bought it if she didn't use it?? But she said something along the lines of "I'm not really sure", I had the impression she didn't buy it, but in turn somebody had given her the card... I also said it's OK if she gave it to someone else. At that point I assumed that was what would happen, and simply forgot about her mentioning the SIM card.
Here in Belgium, the mail is delivered "D+1", so pretty quickly..
(Oct 24) Nine days after my sister visited me, I am staring out my living room out on the street, and I see the postman going through the street and crossing to enter the apartment building I am in. After a while I notice him at the end of the street, so he already passed.
I go down to check the mail, and there's a notification card, telling me about a letter with insufficient postage, that I wasn't home, and that I can go to the post office if I wish to pay and receive it nonetheless...
Here the weight for a single post stamp is 50 grams. So thats quite a letter. I had forgotten about the SIM card and started fantasizing about a (long) loveletter from N (a girl from the past).
Obviouly I go to the post office, I say I want to pay for the postage, and I ask who the letter was from. The employee looks at me as if I don't understand the postage system and says: "If it had a return adress, it would have gone straight back to the sender. So the envellope did not state a sender, in which case the recipient can elect to pay for sufficient postage." I suddenly had a flashback to elementary school, and these once-deeply-studied facts long ignored immediately sprang alive. "Of course!" I said...
I ask when I will receive it, and he says it depends if I want to go pick it up today at the main post depot, or if I wish to receive it by mail, and in that case in just a few days. I tell him they can send it by mail.
From then on, the first thing I do upon awaking, is run down to get "N's loveletter". However no letter marked with "insufficient postage" stamp arrives.
(Nov 1) The SIM card expires.
I distinctly remember one day noticing it had already been exactly 2 weeks and I still didn't get the letter. That same day (Nov 7) I read in the papers that the national postage system starts a strike, and mail already underway will be on tine, but new mail may get delayed.
The strike is still ongoing about 2 days later, when I finally receive the letter marked with the "insufficient postage" stamp. Immediate dissapointment: it's not from N but from my sister, and it's the SIM card.
Immediately more inconsistencies pop up: 1) my sister did of course as always state her name and return address on the letter 2) the whole envellope, greeting card, unopend prepaid SIM card weigh less than 20 grams, let alone 50 grams!
So I fire up my abductive reasoning skills.
Of the hundreds of letters I receive:
What is the probability or how often do I receive a letter that is insufficiently stamped? it was my very first such letter!
Moreover what is the probability that a letter is incorrectly marked with "insufficient postage"?
Moreover what is the probability that a letter with return address is sent on to the recipient if it has "insufficient postage" ?
Those co-incident probabilities are very low indeed. And it is also the first letter I receive that contains a prepaid SIM card. Bingo! obviously authorities do not want people mailing unused prepaid SIM cards! That may re-anonymize any over-the-counter de-anonymization, like paying with card!
Probably criminals (perhaps also investigative journalists) create demand for clean SIM cards, where the cleanliness to the buyer is illustrated by the prepaid SIM card package still being unopened...
So the motive to detect and intercept SIM cards in mail exists.
Now I obviously get curious, how did they detect this in the benign case of my sister sending me her almost expiring SIM card?
The actual SIM card is to be broken out of the larger card, which states the PIN and PUK code...
This larger card has the same dimensions as credit/smart cards...
They both contain a chip under the contacts...
Some credit cards contain RFID for contactless payments...
So I postulate abductively that the larger card with PIN and PUK code contains an RFID coil, and when breaking out the SIM card, it's connection to the coil is broken!
Are these RFID tags visible with off the shelf commercial RFID readers? or are their also "secret" tags that the readers refuse to identify by design? If so, and someone finds a way to detect this secret class of RFID tags, then we may find more of these in unexpected places/locations...
I will see my sister back in a few weeks, and she will obviously ask if I made use of the SIM card. Now I hate lying, and I also hate dissappointing people when something is not really my fault, since the unjustified inssuficient postage delay caused the card to expire. Then I will ask if she actually bought the card herself, was given the card, or if she somehow found the card, for example mysteriously in her mail box...
Everybody has their own SIM card, nobody really needs an extra one, and my sister is not very sociable, she wouldn't know who to give a surplus card about to expire.
So if an analyst wanted to tag me (or her), it is entirely predictable she would ask her younger brother if he perhaps could use it! And that she would send it by mail (since we live in different cities).
Any future analyst will come to believe this red flag in the record is genuine, and not a placed one! It is entirely conceivable that there are some very unlucky people with a boatload of flags on their record, which convince the new analyst that this individual needs more tracking even if the last flag expires... so they place a new flag! and after this analyst's second term of observing the individual, he gives up, ... until next time a new analyst observes the person's record, is amazed with the richly filled flags in the past, and perhaps does the same....
Now apart from being overzealous and having pet theories, what other motivation could the analyst have to bypass the agency focus mechanism by placing tags? What about pure boredom? The first time you investigate a bunch of neo-nazi scum you are all excited, and the first time you investigate some angry muslim lowlife, you are similarily excited... but after a few weeks/months/years you realize there is nothing exciting, just the endless stream of boring as hell hitler greetings, and the boring as hell angry muslim's communicating things like "the infidel whore!" etc... It's like working at the zoo, when you are small it seems awesome, and the public part of the zoo is nice, but when you actually work there, the non-public part of the zoo is just grim walls, and shovelling different kinds of excrement. Of course the analyst / zoo employee tries to make quick work of the shoveling part, so he can spend some time checking out the lizards or whatever kind of people really fascinate him in an entertaining way!!
a) the longest comment I’ve ever read all the way through on HN
b) an interesting anecdote
but c) most likely a coincidence.
I agree that the likelihood of such a thing happening is miniscule. However, I’ve had all sorts of strange postage-system-related issues in my time (granted, I’m in the US, which has likely a much worse system) and it doesn’t seem that far out to me that such a letter would have been mishandled by what is likely an automated system.
Maybe if you buy a SIM card and send it to someone else, you can get more conclusive evidence about whether prepaid SIMs are genuinely slowed in transit or if you were just very unlucky. One occurrence does not a trial make.
a) I didn't realize how long my post had gotten in the tiny entry box, until after I had posted it... but I will gladly accept the dubious Cup of "Longest readable HN comment in the Guinnes Book of Records"
b) Yes I also think it's very interesting. Initially before coming to these suspicions, I was pissed off about having to dissapoint my sister next time I see her, and the money that was lost buying the SIM card etc, ... but the longer I thought about it and noticed all the inconsistencies in what had happened, it's actually a nice puzzle/gift to receive! Turns out the journey really is the reward after all
c) I have also thought about possible mistakes, but really there is little that can go wrong with a strain gauge! And even if the strain gauge somehow broke, there would have been a long run of letters suddenly appearing for redirection, surely this would be noticed and the letters reweighted... And even if it is incorrectly marked with "insufficient postage" both the sorting which is supposed to redirect it to the return address, as the eventual post man who did not ring failed to see the return address! And with D+1, a delay of ~20 days is totally unheard of (counting up till Nov 7th when the strike was anounced)...
in my response to a sibling of your comment I describe we can simply dissolve a fresh prepaid SIM card to detect the presence of a possible RFID loop antenna
I already bought the acetone, but I did not yet dissolve the SIM card, I want to do this in front of my sister, so she understands why I attach importance to finding out the origin of the unused expired SIM card she sent.
The card is supposedly expired anyway (well to be honest the validity date is printed on a sticker on the outside of the plastic foil package, so in theory it may be a still valid card with a fake early expiration date to encourage my sister to hurry with giving it away...).
I did not yet dissolve the card, but I feel pretty certain there is an RFID coil inside, and that is how they detected and stalled the letter without opening it. Stalled to determine if it is OK or not to allow the card to be sent on or not. "insufficient postage" to increase the possibility of the recipient deciding not to want the letter.
If you can't wait a couple of weeks to hear back from me if there is an RFID tag inside, you can try buying a prepaid SIM card and dissolving in acetone yourself. If you or someone tries this before february, I would like to know the result.
The whole story got me thinking that the human analysts that process and interpret red flags can easily build a repertoire of tricks to arrange for a red flag concerning a person to go off.
If my sister provides me with a name (perhaps even an address) of whoever gave her the card, I could consider tagging the person back (by sending the SIM card to him).
However I think it is unwise:
1) the person who gave it to her would not necessarily be the analyst, it may be an informant (perhaps a criminal turned informant, in which case I am effectively tagging myself into association with a criminal!)
2) if the person who gave it to her was the analyst, and I addressed the letter to Mr [name] "The Tagging Spook" [surname], and possibly arrange for the letter to have insufficient postage, while hilarious that my case file would then contain a red flag associating me with the analyst called out as a spook, it's unclear how he would react. Any future analyst could notice the burnt name of a colleague. He might need to self-report his bypassing of the automated system raising supposedly spontaneous red flags... Also, I estimate it would not be wise of me to go and poke the hornets nest. So I think I will stay with just observing and learning...
Not sure whether your theories on there actually being an infrastructure for doing these sorts of things is correct, but even a 5 minute google search seems to suggest it is well within technical capabilities to do so.
Might do some more searching for ISO's and other Engineering standards related to them. Telephony is highly dependent on uniform technical standard adherence, so it's out there somewhere. I doubt that the RFID is in the plastic containg the card, it's probably in the card itself.
The unusual coincidences should be pretty easy to replicate with a P.O. Box, and could be consistent with holding times for information propagation or authorization.
Definitely seems like something to mess with if you are bored!
You'll be amazed the things you can find out when you start to peel back the layers, but don't be disappointed if it's just a coincidence.
>Not sure whether your theories on there actually being an infrastructure for doing these sorts of things is correct, but even a 5 minute google search seems to suggest it is well within technical capabilities to do so.
The infrastructure would just be an (perhaps surveillance grade) RFID reader and a small office or locker where the suspect letters end up at each post sorting facility, so a security officer or perhaps just the branch manager can store these until the surveillance state replies what to do with the letter.
I also believe it is probable the standards are visible somewhere, just like I remember the bulk of the surveillance state in Europe was/is visible pre-snowden in very high detail through the ETSI (european technology and standards institute) standards.
> I doubt that the RFID is in the plastic containg the card, it's probably in the card itself.
I may have used the incorrect word with "contain", so first the SIM card and the PIN and PUK card are one and the same card, before breaking out the SIM card. I mereley suspect the larger PIN/PUK card to contain the RFID coil, because the perforated C-shape around the SIM has the open part of the C directed at the closest edge. Of course it is possible that the RFID coil is in the smaller piece of SIM card itself, but I don't think so because: the contact pads would provide shielding to the coil, and to have the same total area as a 4 turns in a Credit Card size, the coil would need many more loops. As a designer I would prefer putting the RFID loop in the larger card.
So I did not mean to say that the coil is in the plastic wrap or anything, in case that was how you understood me.
It may seem weird that (if I am right) the surveillance state designed the SIM cards so the connection with the RFID coil breaks, why not design it monolithically such that you can also track used SIM cards in the mail? I simply predict that there is demand for clean SIM cards on the market, and unopened prepaid packages are considered clean, but then the coil is not broken yet... so used SIM card's may turn out safer (if the previous usage was clean)...
I agree the holding times would be roughly reproducible, but I don't want to cram my file full of red flags...
Yeah, spying involves lots of deceit, and as everyone (hopefully) rememmbers from kindergarten, the web of lies only grows (and the observable inconsistencies grow with them)
If it hadn't been stalled, I would probably have ended up calling some friends from university time, probably only spent 2/3's of the call credit before it expires, then simply went on with my life. It's their reckless tradecraft that betrayed them. I have no problem talking openly about what I suspect, I am pretty sure plenty of actual criminals have noticed this before me, but they probably don't talk about it in public fora...
Oh,no worries. I just think that SIM and handset manufacturer's are going the route of integrating NFC into handsets to support SIM stored payment credentials. I know for a fact it's a hot item in the FinTech industry.
Odds are, you could get a generic reader to get a chirp out of an RFID even without the PIN/PUK card that wouldn't be present in any other package.
IF I were an evil surveillance state taking an interest in mail borne SIM cards in ANY state (I mean think about this, if you could automate it, figuring out the networks of people who often send SIM's to each other in and of itself is a useful data point) I'd exploit using a small machine that can be innocuously placed on the sorting line to get that chirp.
Biggest problem I imagine would be possible tipping off through damage caused to EMF/RF sensitive packages, but I've not really looked up the math or engineering involved enough to make an educated guess.
Like I said. Interesting problem, and I seriously hope you're not right. That's levels of cyberpunk dystopia that just shouldn't be possible in anything remotely resembling a healthy society.
I don't think it's enough or sufficient to make "bad" actions against the law. It's better and more comprehensive to make it difficult to take "bad" actions and "easy" to take good ones.
People break the law all the time, and if you're high enough up the food chain Eric Holder will leave you be.
Because of this, black market re-sellers can operate with relative impunity. Most data brokers have a TOS that prohibits the re-selling of their data, but there isn't any copyright protection.
For example, if a company has location data, the only way for them to be held liable is for a particular company to prove they obtained that data directly from them. Once the data has reached a minimum of two parties, everyone now has plausible deniability. If this data was under copyright, the original copyright owner would always have a claim and it would be each parties responsibility to prove they had a right to hold and distribute it.
The lack of a copyright style concept of original owner allows data to flow freely even if that transfer is violating a specific TOS.