• 8 Posts
  • 13 Comments
Joined 1 year ago
cake
Cake day: August 10th, 2023

help-circle
  • But at some point to interact with any kind of large company … You could also consider not interacting with large companies at all

    Actually the large corps are more likely to hold the data in-house. Small companies cling to outsourcing. E.g. credit unions are the worst… outsource every service they offer to the same giant suppliers. Everyone thinks only a small company has the data (and consequently that the small dataset does not appeal to cyber criminals) but it’s actually worse because they outsource jobs even as small as printing bank statements to the same few giants most other credit unions use. Then they do the same for bill pay with another company. It’s getting hard to find a credit union that does not put Cloudflare in the loop. So in the end a dozen or so big corps have your data and it’s not even disclosed in the privacy statement.

    Of course it depends on the nature of the business. A large grocery chain is more likely to make sure your offline store purchase history reaches Amazon and Google than a mom & pop grocer who doesn’t even have a loyalty program.

    Whether businesses get copies of information is usually included in a site’s privacy policy,

    I have never seen a privacy policy that lists partners and recipients apart from Paypal, who lists the 600+ corps they share data with for some reason. Apart from bizarre exceptions privacy policies are always too vague to be useful. Even in the GDPR region. If you read them you can often find text that does not even make sense for their business because they just copied someone else’s sufficiently vague policy to use as a template.

    If you really want to limit your information exposure, you either have to audit everyone you do business with this way (because most large companies do this) or hire someone (or a service) to do it.

    The breach happened in a country where companies are not required to respond to audits. No company wants any avg joe’s business badly enough to answer questions about data practices. In the EU, sure, data controllers are obligated to disclose the list of parties they share with (on request, not automatically). And even then, some still refuse. Then you file an article 77 complaint with the DPA where it just sits for years with no enforcement action.

    My approach is a combination of avoiding business entirely, or supplying fake info, or less sensitive info (mailing address instead of residential, mission-specific email, phone number that just goes to a v/m or fax). This is where the battle needs to be fought – at data collection time. Countless banks needlessly demand residential address. That should be rejected by consumers. Data minimization is key.

    In the case at hand, I’m leaning toward opting out of the class action lawsuit and suing them directly in small claims court. I can usually get better compensation that way.





  • That all sounds accurate enough to me… but thought I should comment on this:

    However - in larger enterprises there’s so much more, you get the whole SDL maturity thing going - money is invested into raising the quality of the whole development lifecycle and you get things like code reviews, architects, product planning, external security testing etc. Things that cost time, money and resources.

    It should be mentioned that many see testing as a cost, but in fact testing is a cost savings. In most situations, you only spend some money on testing in order to dodge a bigger cost: customers getting burnt in a costly way that backfires on the supplier. Apart from safety-critical products, this is the only business justification to test. Yet when budgets get tightened, one of the first cuts many companies make is testing – which is foolish assuming they are doing testing right (in a way that saves money by catching bugs early).

    Since the common/general case with FOSS projects is there is no income that’s attached to a quality expectation (thus testing generates no cost savings) - the users are part of the QA process as free labor, in effect :)









  • I think this is a regression. IIRC, there was a time when a removal only removed it from the timeline. You could still reach it via the modlog. IIRC. But those days are gone. It’s a shame because it’s important for the community to be able to evaluate the mod’s decision making.

    I’ve even seen cases where an over-zealous mod gets embarrassed by the mod log and purges the mod log itself to remove traces of the censorship itself. I suppose that’s only possible if the mod is also an admin.