I like these two posts -- yours and the one above. It makes me think: If gov't is going to add regulation for social media accounts (something that I support), should it be a requirement to identify yourself to the social media network owner? My point: Some kind of national ID tied to your name, but kept private, so the company can absolutely say if you do or do not own the account. I know, I know, there are all kinds of holes. However, consider the alternative: What if it was not required (real ID for your social media accounts)? How could these companies reliably tie the account back to a real person making a claim? Require 2FA via YubiKey? I have learned from HN that a mobile phone + SMS just isn't secure enough in many jurisdictions. It is too easy to use social engineering to take over a mobile phone.
Edit: I have mentioned before in previous comments (not this post): After Dodd-Frank regulations in the US, global investment banks really changed their behavior when fines became massive. So massive, it was seriously altering quarterly revenues and hurting stock prices. I favour the same type of regulation for social media network companies. It is the only way to make them listen to the law.
Yeah personally I'd rather stick to letting the companies ban who they want and letting me do what I want. If there's any ID related law, I'd rather they be FORBIDDEN from collecting IDs.
You really want social media to have the same type of access to your personal information that banks have? A know your customer type of regulation?
It amazes me that on one hand, every law related to technology that the government passes in the US, HN is almost universally opposed to. But they trust the same lawmakers “this time to get it right”.
You wrote: <<You really want social media to have the same type of access to your personal information that banks have? A know your customer type of regulation?>>
Would you support it if the data leak fines were similar? I would. To be clear, I am talking about global investment bank-style "know your customer" (KYC). If retail/commercial banks leak customer PI, the fines are _immense_ in 2022. Most of them now have enormous security teams, or they pay AWS/Azure/G to do the same via consulting / cloud fees.
My financial information is much more important to me than social media.
And they don’t pay cloud providers to ensure security. AWS [1] for instance always stresses the “Shared Responsibility Model”. AWS is responsible for security “of the cloud”; the customer is responsible for security “in the cloud”.
There is no way in the world that any cloud provider would ever take responsibility for customer workloads. If you make your S3 buckets world readable - which is really easy to do - that’s on you.
[1] I work in consulting at AWS, all opinions are my own.
World readable is not the default. You get scary warnings when you do it and you can set it up on the account and the organization level to block it. There is no “click a button to make it world readable”. You have to know the JSON policy.
However, you do not need to use custom policies - it's checkboxes on the S3 bucket creation page. And the wording on them is obtuse AF, and I know what I'm doing with AWS IAM.
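The two comments above disagree about how easy it is to end up with a world-readable bucket, but they agree on the mechanics: a bucket becomes public through its JSON policy (or ACLs), and the Block Public Access settings at the bucket and account/organization level can override that. The following added example, which is not code from any commenter or from AWS, shows what a defender would check offline: it flags policy statements that grant anonymous `s3:GetObject`, and combines account-level and bucket-level Block Public Access settings the way S3 does (the most restrictive combination wins). Everything here is constructed for illustration; the policy documents, the `123456789012` account ID and the flag dictionaries are sample inputs, and the "any Condition means not public" rule is a deliberate simplification of AWS's finer-grained definition.

```python
"""Flag S3 bucket policies that grant anonymous read, and show how the
account-level and bucket-level Block Public Access settings combine.
All inputs below are constructed samples; no AWS API calls are made."""
import json

# The four flags of an S3 PublicAccessBlock configuration.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal) -> bool:
    """Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_read_statements(policy: dict) -> list:
    """Return the Sid (or index) of each Allow statement that grants
    s3:GetObject (or s3:* / *) to an anonymous principal with no Condition.
    Simplification (assumption): any statement carrying a Condition block
    is treated as not public."""
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"s3:getobject", "s3:*", "*"}:
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


def effective_public_access_block(account: dict, bucket: dict) -> dict:
    """S3 applies the most restrictive combination of the account-level and
    bucket-level settings: a flag is on if either level turns it on."""
    return {f: bool(account.get(f, False) or bucket.get(f, False))
            for f in PAB_FLAGS}


def bucket_is_world_readable(policy: dict, account_pab: dict,
                             bucket_pab: dict) -> bool:
    """World-readable only if the policy grants anonymous read AND
    RestrictPublicBuckets is off at both levels; when it is on, S3 ignores
    the public grants in the policy."""
    eff = effective_public_access_block(account_pab, bucket_pab)
    return bool(public_read_statements(policy)) and not eff["RestrictPublicBuckets"]


# Constructed sample: the kind of policy that opens every object to everyone.
WORLD_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

# Constructed sample: same read, but scoped to one (placeholder) account.
ACCOUNT_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PartnerRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed sample settings: all four flags on, or all four off.
ALL_BLOCKED = {f: True for f in PAB_FLAGS}
NOTHING_BLOCKED = {f: False for f in PAB_FLAGS}

if __name__ == "__main__":
    print("public statements:", public_read_statements(WORLD_READ_POLICY))
    print("readable, nothing blocked:",
          bucket_is_world_readable(WORLD_READ_POLICY, NOTHING_BLOCKED, NOTHING_BLOCKED))
    print("readable, account-level block:",
          bucket_is_world_readable(WORLD_READ_POLICY, ALL_BLOCKED, NOTHING_BLOCKED))
```

The last call is the point of the account/organization-level control mentioned above: with `RestrictPublicBuckets` turned on at the account level, the same public policy on the bucket no longer makes its objects readable, regardless of what was clicked or pasted at bucket level. In a real audit the two dictionaries would come from `GetPublicAccessBlock` for the account and for each bucket, and the policy from `GetBucketPolicy`.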