[adtac]

Did anyone else notice Mastercard's easily breakable captcha? It's just unmodified text with the same noise filter added to all codes.

Perhaps there's opportunity here for someone to be Robinhood here and improve the privacy of a lot of people...

[kbenson]

I'm pretty sure that's a good way to get the endpoint flagged as a target of abuse, and the page pulled until they can figure out what's going on, resulting in anyone who wants to opt-out after that point either running into a temporary or permanent problem, depending if they ever bother to put it back online.

How about instead of fraudulently providing someone else's credit card because "we know best", we just make sure to spread the pages as much as possible where appropriate, and let people make their own educated choices (and hopefully it opens their eyes to other places in their lives they can do so as well).

I understand the impetus to help, but it's important to consider that what one person views as helping another might view as terribly invasive in itself.

[mindslight]

> I understand the impetus to help, but it's important to consider that what one person views as helping another might view as terribly invasive in itself.

This is a sense of decency that the surveillance companies didn't share. People didn't make any sort of educated choice to be surveilled - the surveillance companies arrogantly "opted" them in. Opting them out is much lesser transgression onto their will.

I do agree from the practical perspective - surveillance companies will parry any legible bulk activity into an excuse to continue surveilling. Fine point white text at the bottom of the homepage: "Due to an attack from scary hackers, all opt out requests from 2019 have had to be discarded. If you had submitted a request during that time, please resubmit your request. To protect yourself in the future, buy our nonsensical "identity insurance" for only $10/mo."

[kbenson]

> Opting them out is much lesser transgression onto their will.

So, that makes it okay? They've been abused before, so what what's the big deal if we do it too? That's a troubling perspective to me. Two wrongs don't necessarily make a right.

I think this is very straightforward. You, as a third party, have no place making decisions for me without my consent in this case. If I have a relationship with Visa or MasterCard, please stay out of it. The appropriate way for this to change is for a) me or someone I've authorized to request it, b) the company in question deciding not to do it anymore, or c) a legislative body with jurisdiction mandating a change through law or regulation.

If you have access to my credit card number and I haven't given it to you, the only appropriate things you should do with it are to notify me, the company providing it, or the authorities that it's been exposed and should probably be changed. If I have given it to you to authorize a payment, you are authorized to use it for that payment (and possibly later payments that I agree to), not to keep it to use as you see fit later on without my consent.

If you have my card because I've given it to you and you show me a dialog letting me know you can opt me out and give me the choice, that's acceptable. But I view any action taken on my behalf without my consent with regard to this as a violation of my trust, privacy, and personal information. We are in a very scary place if we as random third partied think we're allowed to make decisions for people just because we think it's better for them.

[mindslight]

My main assertion was merely "This is a sense of decency that the surveillance companies didn't share".

It's okay to acknowledge this as a vulnerability of your personal paradigm but still hold yourself to it. Just don't act like it's the only permissible way to interpret the situation, when the present state of affairs has been created by the surveillance companies not following the same moral requirement - already "[making] decisions for [everyone] without [our] consent".

More generally, a sense of right and wrong cannot mean simply following low level axiomatic rules, but rather requires judging constructive behavior. I'd say an action that mainly undoes a wrong is a lot closer to being right than another wrong.

[kbenson]

The person in question has a relationship with the credit card company, in that they have requested and use the credit card (and if they aren't using it, nothing is being collected). I agree that opting into collection automatically is less than ideal, and I don't want it to happen, but this isn't some third party getting between some other nefarious third party and myself, it's them injecting themselves into an ongoing business relationship between two parties.

You can label them surveillance companies all you want, and in some contexts it might be the most fitting description. In this context, I would say it's more fitting to say they are contractual partners abusing the looseness of the contract for their own benefit.

Just in case you missed where this particular thread started, the top level comment is about the opt out forms for data collection at Visa and MasterCard, and the reply's (possibly somewhat in jest) suggestion that since the CAPTCHA is so simple, someone just use whatever card numbers they have access to to opt people out automatically. All my comments are specifically in that context, which is one of random third parties using card numbers they shouldn't have direct access to anyway to alter the business relationship of others without authorization.

[mindslight]

Due to the constraints on understanding, I believe "fine print" in contracts carries zero moral weight. In order for Visa and Mastercard to credibly claim people have opted in, there needs to be an overt choice (no default already-checked option) as part of the direct card relationship, as well as specific consideration for that specific aspect of the relationship to remove any incentive to downplay the choice.

Furthermore, I do not view a person's associating with Visa/MC in today's society to be in any way voluntary - opting out is only possible at significant personal expense. So the mere existence of a business relationship also cannot be a basis for general consent. (As an aside: people generally do not contract with Visa/MC directly)

Taken together, these put "abuse" of a "business relationship" is in the exact same category as interjected actions by "third" parties - unwanted transgressions. They only feel different because we've become fatigued to accepting these transgressions when they pad someone else's bottom line.

And yes I am aware of the context of the discussion. I wouldn't personally do such a thing, but that doesn't mean I wouldn't applaud someone who did.

[0x00000000]

Sometimes when I get debt collector calls or car warranty scams I find their website and they usually have an opt out form, never seen a captcha. I have been really tempted to just hammer the endpoint with every valid phone number. Probably won’t accomplish anything but will give someone a fun surprise.

[tomglynch]

Good spot. That system seems very clunky.