[cfiggers]

So at the risk of sounding incredibly apathetic toward something that I'm sure is probably a massive headache for some people somewhere...

I'm a millennial and I've been told probably hundreds of times by this point in my life that my data has been breached. Not a single one of those times was there a) anything truly actionable for me to do about it[0] or b) a single negative impact to my actual life. In anyway. At all.

People were talking about the Equifax breach a decade ago like identity theft was going to become an absolutely routine part of daily life for +90% of people. That didn't happen, at least not for me.

My point is: I understand that this is a topic that nerd communities like HN are well-aligned on—data collection bad, data breach bad, I get it. But does it actually matter?

Every single one of us have had our data harvested by tech giants every second of every day for absolutely decades and neither I nor a single person I know in real life have ever had any negative consequences, either because of the collection itself or from the inevitable and seemingly continuous breaching of that data. Every single website, from the random indie shoe website I purchased from one time to multiple health insurance companies, have breached my data, over the span of decades, and from all appearances it has had absolutely zero effect that I can actually point to in real actual life.

So I'm becoming a bit of a skeptic on this item of quasi-religious dogma that y'all all seem to recite the same position on. Does the emperor perhaps have no clothes? Do we all just fear "data breaches" because we've been told to fear them by people who sounded smarter than us?

I need y'all to hit me with some scary anecdata about what happened to your hairdresser's cousin's ex-husband's dog—anecdata with no citation that I obviously can't even verify isn't hallucinated by a GPT, but should clearly accept as valid because "ooooh data breach bad"—because without that the propaganda patina on my brain is wearing a little thin.

[0] (I use a password manager to guarantee that I'm not sharing passwords between logins, so really the only thing I could do in response to a data breach disclosure is rotate the password on the breached account. But that only matters if they were storing my password in plaintext right? I certainly can't do anything about my data being out there, and it's too late for closing that account out to prevent anything.)

[thewebguyd]

> I use a password manager to guarantee that I'm not sharing passwords between logins

This already makes your digital hygiene better than at least 70% of the population if not more. I don't have the link off the top of my head but I vaguely recall some survey or article put out by bitwarden that nearly 70% of folks re-use the same password for everything.

A surprising number of those little services do store passwords in plain text, and that's where the risk comes from. So you're right, you and anyone else remotely tech savvy that is smart enough to not re-use passwords is unlikely to face any real hardship over a data breach, but the rest of the population that puts in the same email and re-uses "password123" across every service gets into trouble.

As for anecdata about the hairdresser's cousin - my wife, before I met her, had nearly all of main online services compromised from a plain text password data breach because she also re-used the same email & pass everywhere. Netflix, spotify, her email, and amazon account all taken over and did have fraudulent purchases as a result. Now she has 2FA on everything and uses a password manager :) So I don't doubt that there are real people that suffer financial consequences from data breaches due to poor password hygiene.

Even knowing all of that though, I'd still put phishing as a much bigger threat than most data breaches.

[hnthrow0287345]

>But does it actually matter?

Probably not, because most of us are boring. Most of us don't have stalkers. Most of us don't have government clearances. Most of us aren't politically adjacent, significant, or know someone who is. Most of us are not wealthy. Most of us will not be a target by the relatively small pool of humans who could actually do anything with that data.

I might have a few chains where I do connect to someone important (degrees of connection to Kevin Bacon), but that isn't directly useful here.

The point is it's still private information and it must be protected, if only out of common sense or respect for your fellow humans. We don't need damages to defend this point.

[toast0]

> Not a single one of those times was there a) anything truly actionable for me to do about it[0] or b) a single negative impact to my actual life. In anyway. At all.

My wife has had someone rent an apartment in Oakland and open bank accounts with her name and social. Other than getting the bank accounts cancelled, and locking credit, there's nothing to do. The apartment management said they weren't able to evict based on stolen identity; and Oakland PD did nothing. Reporting identity theft to the FTC like they want you to do is a joke.

Unfortunately, the Oakland address has been showing up in KYC questionaires so it's probably in some minor credit bureau file as true.

Thankfully AMEX called her to notify when the fraudster tried to open a new AMEX with the wrong address.

There's no accountability for the people that collect this data and allow it to be copied. There's no accountability for those who use it for fraud. There's no accountability when credit bureaux distribute inaccurate data. It's a big mess.

Thankfully, most of the haveibeenpwned breaches I'm involved in are like name and email which big deal. But when at&t allowed their records to be copied, someone tried to open a bank of america account with my info. At&t didn't really need my ssn, but they required it as a condition of service, so they had data people wanted.

[BoxFour]

I feel you're correct, and it's why it's a losing battle. It's a spectrum of consequences. The worst outcomes are serious but rare. For most people the most severe outcome they'll deal with are unauthorized credit card charges, which are an annoyance at worst.

The most severe consequences just aren't common enough to elicit any kind of change, and even when they are the response is about cleaning up the damage instead of fixing the upstream problem (how that fraud was allowed to occur in the first place).

[kalaksi]

Personally, I haven't had any serious leaks that I know of so I've mostly suffered from increased spam and scam attempts (I know they were a result of a leak).

One time there was a leak from a university database and as a result there were a few news articles over the years about people that had their identity stolen likely due to that leak. It's not just credit card charges. They have had loans taken in their names, stuff bought on store credit or something (nowadays that's not so easy), stuff stolen from library in their name...

They had to deal with the fallout for years, always fearing that there's a new letter waiting at home regarding some unpaid expense or from debt enforcement agency that they have to contact and try to make it go away. It shouldn't be too hard if you have an open case with the police but it's not always that easy.

Also, if the leaked data is sensitive (e.g. private conversations, records about mental health etc.), you can face extortion or the data may get published.

One other thing that I know of personally is that victims of harassment very much don't like to have their contact info leaked to the harasser.

[cfiggers]

If we conceive of civilization as being like a biological system, then perhaps there are certain maladies that just are not worth dedicating resources to. Cells die all the time, of a trillion different causes. Few are worth rewriting an immune system for.

If the most severe consequences of this pattern are sufficiently uncommon—uncommon enough that even by your own admission the system as a whole fails to notice them, much less feel any pain over it—then maybe it's a waste of the organism's resources to attempt a systemic resolution. Maybe the "losing battle" as you call it is not with individual organizations or even with broader data security culture per se. It might not even be with the legal system to finally inflict some, any consequence on anyone for letting this repeatedly happen. Perhaps the battle we're losing is, at some deeper level, with the very physics of civilizational energy distribution and consumption, aka, with societal entropy. In which case... Yeah, that battle seems pretty heckin' losing to me. Good thing identity theft only seems to happen to "other people."

I know this argument is going to ring pretty hollow and the irony will bite me pretty hard if I get my SSN highjacked literally tomorrow. Which, thanks to Equifax in 2017, could theoretically happen any minute now! Just like it could've happened any minute now for the last 9 years!

But then again, even if and just because I suddenly personally care a lot more about this issue because I'm suddenly affected by it, that doesn't obligate you or anyone else to feel the same way.

A certain kind of indifference toward the suffering of others might be civilizationally efficient. In which case it might be absurd and maybe even ethically problematic to care in aggregate any more than we happen to do.

Literally, who's to say?

[cfiggers]

(Just for anyone who struggles with reading comprehension: I'm being incredibly sarcastic here. I think it sucks enormously that we broadly ignore the plight of the few just because most people skate by fine. My top level post is also intended satirically. I do care about this stuff and hate that on balance big companies do not. I'm shouting my protest into the void in the form of irony-laced nihilism, aka, the song of my people, aka, burned-out and disenfranchised millenials tired of hoping for the better world we came up believing would some day exist.)

[nk91]

My anecdote story about this is as someone with all of their credit frozen and generally best practices for password security (password manager, no reuse, offline only vault for important things) I ended up getting caught up in a ghost student loan scam. More info/background here https://www.equifax.com/business/blog/-/insight/article/ghos...

I failed to realize that I needed to secure a studentaid .gov account someone was able to open in my name with data breach information.

Thankfully my credit was frozen so I didn’t need to untangle an actual loan, but it would have been a huge legal mess otherwise.

I guess my fear is what account am I going to miss securing next that leads to a giant life ruining problem? If I didn’t setup credit freezes someone else could have with the info in the breaches. I didn’t even think to secure a studentaid account I didn’t know existed. In theory having those credit bureau accounts frozen should be enough, but anyone with enough information on you can likely recover them regardless.

To me the whole experience really drives home how much of a joke the security on a lot of this is. Anyone who seriously sets their eyes on you can just totally ruin your life if they’re dedicated enough.

Though most people doing this its much more effective to take advantage of people who don’t know any better. Credit not frozen, loan accounts not made or secured, etc. Pwning 20 people doing nothing will always be better ROI than trying to PWN one person with their stuff in order. Until you piss the wrong person or they think you’re worth the effort.

I guess I can see how you can view it as not your problem. But there are only so many grandmas to scam. The whole problem space to me metaphorically is everyone’s door is wide open, grandmas is just a straight shot to get in. Mine? Well I have some ball bearings, calipers, and a moat but the doors still open. It’s not like someone is going to rob my open house instead of grandma. I only have to dodge all the traps when I leave and come back but that’s whatever.

The whole thing is absurd. We have doors and locks and better ways to do this and instead we just live like this?

[dubcanada]

Because nothing bad happened to you, therefore nothing bad happens?

[cfiggers]

I see your reductio ad absurdum and counter you with its exact inverse:

Because something bad has happened at some point to someone somewhere, you personally must take precautions against it happening to you?

Do you intend to modify your behavior, spending habits, or thought patterns to reduce the risk of catching mad cow disease? Oh, no? So you're saying mad cow disease doesn't exist?

But mad cow disease has a documented casualty count and data breaches do not. So actually, you're being irrational if you care about and take measures to mitigate the one but not the other.

Now that we've established that you are rationally obligated to mitigate the risk of mad cow disease, I have some guaranteed Definitely Not Placebo[^TM]-brand pills to sell you.

---

If you find this counterargument spurious, absurd, or unfair, then I have a proposal for you: let's both agree that reduction to absurdity benefits no one, and try to talk reasonably in the middle ground between extremes.

[pixl97]

> you personally must take precautions against it happening to you?

Well, yes, in the sense I vote for rational politicians rather than raving single issue lunatics.

The problem here is you latch on to the most absurd example, where the actual farmers raising cattle are the ones expected to avoid mad cow disease because there is an actual cost to them (slaughtering their entire herd). The analogy here would be businesses having to protect their customers data or suffer consequences, which they generally don't.

Now, if you're a deer hunter the responsibility now returns to you. If you shoot some janky ass deer and eat it you might find your brain full of holes in a decade. Again, the analogy here would be using some sketch ass card reader, or hell, using an ATM in a part of town where you get mugged.

[cfiggers]

Agreed on all points. I was presenting a deliberately bad argument in order to make the meta-point that arguments like it are unhelpful.

[itake]

I don’t know the leak, but I had someone take out multiple credit cards by phones on loan with my Social Security card. I had to freeze my credit score on all the providers (which I think is ridiculous that I have to like. Tell another company that I didn’t even sign up for to pause the account that they created for me)

And then go to each company and bag them to except that this was a fraudulent situation and not me. If they didn’t accept my request, then I would basically be out of luck, owing them the money.

These data leaks are great opportunities for doxing. You can look up all the people that have died from swatters.

[makeitdouble]

> a single negative impact to my actual life. In anyway. At all.

This is missing the broader perspective of identity becoming less reliable, and that results is millions of paper cuts in everyday life.

The reason you need to scan your face with your phone to access a government site or your bank is hugely because asking people personal questions or a password has become useless.

There is an argument that the old security models wouldn't have survived for long either way, but if we see it as an arms race, racing at a slower pace is still better than running like there's no tomorrow towards the bitter end.

[rawgabbit]

Because we are talking about it and raising awareness of it, we are slowly changing industry practices. You are benefiting from changes adopted due to what happened to previous victims. The change is far from complete.

From a personal example, about ten years ago, my tax return was rejected by the IRS. It turned out someone stole my identity which had been leaked/ breached multiple times. At that time it was trivial to file the paperwork and get the tax return sent to someone else.

[crefiz]

Indeed I feel the same all the time:

I do the more less the same as you, the bare minimum of protecting my data that would actually have any impact at all (banks, whatsapp, etc.) and nothing bad has ever happened -- I'm yet to see what will happen if my email gets leaked someday (if not already!) by any EvilCorp

But there are still people (eg, the main comment, as of this writing, by @kleiba) telling you about WHY we you must deGoogle ASAP, avoid using any social network to cross-login, etc.

Go touch some grass mate, life is too short to worry about what your local ISP will or will not do with your "data" (we do are a number in the end in this society)