Kind of the guy to offer. I found it interesting thinking about the issue of trust, here. He's claimed to be a certain individual, linked to social media with a long history as a proof of identity, but still had to admit that you're basically hitting up a site to solve identity theft using a tool that might help cause you more privacy problems should the individual not be who he claims to be[0].
I hope the folks at Keybase notice this. It's a perfect use case. He's specifically pointed to his long social media history as a proof that should increase trust. Keybase would let him use their proofs feature to validate that he (well, his account) controls his twitter, that domain and web site[1], and his HN account. I can't think of a better way to reduce the "you can't really trust that I am who I say I am" problem he's struggling with.
Of course, this could be gamed just like every other method of authenticating identity, but it's a nice additional option.
[0] I'm not saying he's not or assuming he's malicious; I tend to err on the side of assuming the best in people.
What we lack, in my opinion, is a form of access control for static websites, such that they are disallowed from making any outgoing requests. The browser is in control of the site code; it should be possible to guarantee that no outgoing requests can take place. As far as I can see, it shouldn’t be difficult, but it’s possible I’m missing something — I assume the difficult part is just reaching agreement.
Perhaps it would be possible to permit outgoing requests where the URL is statically embedded in the HTML (such that the URL cannot depend on form data), thus allowing fetching e.g. remote CSS/JS resources.
The browser handles requests to the backend, and would thus be the one in charge of not allowing requests in case the site enables this proposed “offline mode”. So all the browser would allow would be the initial, user-initiated fetch of the static site, whereas subsequent requests — initiated by the site itself — would be disallowed.
CORS stops you from contacting an external service that doesn't opt in. It doesn't solve the problem of having private data in the browser that you don't want it to send out, since it could contact an evil site that opts in to receiving messages from other web pages.
To implement something like the suggestion would require two phases - one where the page was loading/updating its cache from the remote service, but was unable to look at locally stored data, and another phase, where the user is able to log in and allow access to locally stored data. Once transition has been made to the second phase network access would not be allowed. This sounds pretty involved.
It's worth noting that the equifaxsecurity2017 website posted the following update yesterday:
"NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT
In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."
Yep, I mention that in the "What's this all about" section. However, I don't know why anyone would want to give up their legal rights, especially to a company that has just proven that they can't keep your data secure.
Late to the party so I wondered about:
1. To confirm whether you were a victim of their "cyber security incident" you have to enter (6) digits of your SSN. Uh ... no.
2. We CAN still sign up for their one year credit-monitoring service and retain the right to legal action.
3. We should think about freezing our credit per FCC:
Fortunately they publicly stated they would not apply these TOS in this case, and you can bet that will be held against them in court if they tried to mess about with this.
This is a great product if it provides consumers with peace of mind, but I think in hysteria most people haven't realized that the arbitration clause only applies to TrustedID, not to the breach itself. The clause as shown is just the standard terms for TrustedID and applies to nothing else. The New York State Attorney General has confirmed this through Equifax.
Why not offer this as a Chrome extension that detects any arbitration clause in any TOS and gives users options to opt-out, including the ability to mail an opt-out through an API?
>Why not offer this as a Chrome extension that detects any arbitration clause in any TOS and gives users options to opt-out, including the ability to mail an opt-out through an API?
probably because thats like a million times more work?
Not really... If I made a dirty version of the plugin for myself, I'd just do a DOM text search for "terms" and if found do another search for "arbitration", both case insensitive. If found, then highlight the words, pop a warning to the viewer, and scroll the window or modal to the spot.
The mailer API would be plausible through a third-party postcard/letter mailer API.
> probably because thats like a million times more work?
I assume you're referring to the "detection" part.
Perhaps in the early 2000s this was true, prior to the widespread application of natural language processing; when one had to pre-define the format of most everything. Now all that's required are a few niche terms and a structure to apply them.
I suspect (or at least would hope) this guy has an automatic letter folder and filler/stuffer[1], because doing this manually is... hard, and takes hours.
It would be critically if you were offering this for "any TOS" though. Depending on success, you may even need to lean on an external printing/mailing service to do the work.
In any case, it would be very very hard to offer a generalized service to do this, for free. Once-offs like this are the only viable way to make it free.
And I'm not even getting into the infra/maintenance work on the extension and API itself.
Yes, an automated mailing service like Lob (YC) would be necessary. Lob takes about 5 minutes to set up and handles all the dirty work of printing + mailing.
Ideally a user would pay a monthly fee for the extension and then the mailing costs.
I'm at home right now and showed my dad the equifax one year free thing. He happily signed up to that. But was very suspicious of paulgb. Looking through his resume and GitHub, no indication or shadiness. My dad ended up being fine with it.
Also in fact congrats on having multiple popular Github repos! I'm jealous. This entire thing is a great idea. Good job.
Thanks :) I'm well aware that people would be suspicious of providing this data to a stranger, especially after their data was hacked. I've been on HN for over a decade so I hope that eases worries a bit. I just really hate arbitration clauses.
I also give an option to print and mail the message yourself, in which case the data never leaves your browser.
If only there were some safe third party we could trust with reputational information, so that people could look you up there and see whether you were trustworthy.
We could have it include things like where you've lived, whether you've been sued, foreclosed, bankrupted, delinquent on loans, etc.
Hmm, but we wouldn't want that information disclosed. What if instead they gave some sort of a reputational analysis? Maybe put that data through a hash function. But then how would we compare it? Better use an algorithm to digest it to a number.
It would have to be an extremely secure system, of course, you wouldn't want it to lose the data you gave it. Maybe if it was a semi-authoritative company devoted solely to that purpose, we could call it a reputation department, or no, maybe a credit bureau.
/s
(Parenthetically though it really does make me want someone to start one of these that operates in some open, verifiable fashion rather than "trust us lol")
A smart move after being informed that your personal data has been breached is to give more personal data to a random dude on internet. After all your are only giving up your name, Address, Equifax id, and IP address. What could go wrong?
Now if we could only have a service or an API to file against them in a small claims court. 143 million lawsuits would be kind of crazy but interesting to see.
I mentioned this the other day on a related thread and received 15 upvotes. Seems like there are many interested parties. I'd pay $20-99 for this service.
Can we get a kickstarter for some sort of automailing service with an API that his site can hit?
I would love to spam equifax with thousands of these letters.
Their ToS requires it, but doesn't specify what to do if you don't have one (since by my reading even submitting your info binds you to the arbitration clause). I've made it optional on the form.
I'd rather maximize the number of people who can participate. I figure the ceiling on what I have to pay is a round trip flight to Atlanta to deliver it by hand, and if it comes to that I wouldn't mind a trip to Atlanta :)
You have: 140 million * 10 grams * 10% * 0.01%
You want:
Definition: 14 kg
one standard US envelope is about 10 grams, and assume 10% of affected sign up for credit monitoring and 0.01% use your service to send the opt-out. you might even wind up with multiple bags!
It's given when you sign up for TrustedPremier. I have made it optional; the ToS says that it's required to opt out but doesn't indicate what to do if you don't have one (since the ToS still technically covers you if you enter your info)
We've banned this account for repeatedly violating the site guidelines: https://news.ycombinator.com/newsguidelines.html. Doing this will eventually get your main account banned as well, so please stop.
If you'd clicked the link, you would've seen the following on the home page.
> What's all this about?
> In light of Equifax's recent security breach, they are offering a year of complimentary credit monitoring services. The media have noticed that in their Terms of Service, they include a binding arbitration clause which means you give up your right to sue them in a regular court and must instead go through an arbitration process.
> While the company has since clarified, under pressue, that the security breach is excluded from these terms, binding arbitration clauses are a growing trend that remove legal remedies like class action lawsuits from consumers. It is especially reptillian that they would have consumers give up their legal rights in the aftermath of a breach, for a product we only need because of the breach.
> The arbitration clause has an out, in that you can opt-out within 30 days of signing up. However, opting-out requires sending a statement by mail, which is sure to dissuade a lot of people. In order to make opting-out as simple as opting-in, I created this site.
I tried to briefly summarize this in the "What's all this about?" section, let me know if anything is unclear. Essentially the benefit of opting out is you don't give up legal rights to a company that just proved incapable of handling your data.
I hope the folks at Keybase notice this. It's a perfect use case. He's specifically pointed to his long social media history as a proof that should increase trust. Keybase would let him use their proofs feature to validate that he (well, his account) controls his twitter, that domain and web site[1], and his HN account. I can't think of a better way to reduce the "you can't really trust that I am who I say I am" problem he's struggling with.
Of course, this could be gamed just like every other method of authenticating identity, but it's a nice additional option.
[0] I'm not saying he's not or assuming he's malicious; I tend to err on the side of assuming the best in people.
[1] You can submit proofs for both.