I know of a local company that collected personal data for marketing including SSNs and there is no care given to how the data is stored. Most if not all of it was stored in plain text. You might have more faith in regulatory systems than you should.
> You might have more faith in regulatory systems than you should.
I don't. What I do have faith in is companies to have a profit motive and work in favor of self-preservation. And that comes with reducing risk for the company.
An example of a local company with bad security practices due to negligence or malice is no evidence of a publicly traded big tech company wanting to do the same.
A local company with bad security practices does not, at its core, make money by collecting user data. The collection of that data and the security or insecurity of its storage is pretty much orthogonal to the central business of every company in the world except for tech companies that sell consumer data.
Hence, the dictum "don't ascribe malice where incompetence would suffice" doesn't carry across these two different classes of organizations.
You may want to look into the histories of Equifax, TransUnion et al. Not local businesses and definitely repeatedly guilty of this flavor of transgression.
This subthread is about, or at least started out when I initially responded as - adtech using SSN as a user identifier. I responded to that. I didn't intend to make any claims about anything else. Equifax is not adtech and is explicitly in the business of collecting SSN and related data.
Equifax is absolutely adtech. Their data is sold and used by advertisers all the time. You can make changes to elements of your credit report using techniques widely available on YouTube and watch the spam and junk mail you receive change.
"local company" being the problem. Local/small companies do not care at all about this kind of thing. Google's perniciousness is being able to follow the letter of the law while still getting what they want, not flagrantly ignoring it.
Literally no adtech company would accept or attempt to target based on SSN.
Maybe your local company was collecting it out of ignorance, but if they uploaded it to Google AdSense, alarm bells would go off, the data would be purged, and you'd seriously risk having your account shut down.
Bro, you're commenting on a story where SSNs were uploaded to Google AdSense, alarm bells didn't go off, data wasn't purged, and a journalist came in and discovered the problem later.
> But while tax-filing websites were quick to stop collecting data, nobody's sure how much information was collected. One unnamed company told Congress that "every single taxpayer who used their websites could have had at least some of their data shared."
There is literally no evidence what you said is true. There are no details what information was shared. Can you avoid making stuff up?
SSNs can’t really be anonymized by hashing since they’re essentially sequential numbers. I think the law is at least broad enough to consider a hashed SSN that can be easily reversed to be equivalent to a real SSN.
I agree with others that adtech companies want to proactively avoid SSNs. Too much liability and not at all necessary.
To clarify, this is one of the most common and dangerous misconceptions regarding hashing: an SSN is a 9-digit number. Regardless of the strength of your hash, you can hash them all, and compute a lookup table, in a matter of minutes.
You don’t have to hash it so it’s not reversible, only such that you don’t appear liable in the event of an incident. Technically compliant is good enough.
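The keyspace argument in the comment above, as an added example that is not part of the original thread: it checks a constructed, never-issued sample value against a small window of the 10^9 candidates, then runs the same check against a keyed HMAC of that value. The function names, the window size and the sample value are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

KEYSPACE = 10**9  # every 9-digit value, issued or not

def plain_hash(ssn: str) -> str:
    """Unkeyed digest of the 9-digit string ("we only store the hash")."""
    return hashlib.sha256(ssn.encode()).hexdigest()

def keyed_pseudonym(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is stored apart from the data."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()

def enumerate_window(target: str, start: int, stop: int):
    """Hash every candidate in [start, stop); return (match or None, seconds)."""
    t0 = time.perf_counter()
    for n in range(start, stop):
        candidate = f"{n:09d}"
        if plain_hash(candidate) == target:
            return candidate, time.perf_counter() - t0
    return None, time.perf_counter() - t0

def audit(sample: str, key: bytes, span: int = 200_000) -> dict:
    """Show what plain enumeration recovers from each stored form of `sample`."""
    lo = int(sample) - int(sample) % span  # window that contains the sample
    from_plain, _ = enumerate_window(plain_hash(sample), lo, lo + span)
    # No candidate matches the keyed value, so this pass scans the whole
    # window and gives a hash rate for this machine.
    from_keyed, secs = enumerate_window(keyed_pseudonym(sample, key), lo, lo + span)
    return {
        "from_plain": from_plain,
        "from_keyed": from_keyed,
        "est_minutes_full_keyspace": KEYSPACE / (span / secs) / 60,
    }

if __name__ == "__main__":
    # Constructed value: area number 000 is never issued.
    print(audit("000123456", secrets.token_bytes(32)))
```

A per-record salt stored next to the digest only defeats a precomputed table; each record still costs at most 10^9 hashes. The keyed form resists enumeration only while the key stays outside the dataset.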
My point is that hashing a 9 digit number is almost certainly not even technically compliant. I believe storing hashed SSNs would incur all the legal liability of storing raw SSNs. The laws are robust enough to at least handle such a trivially reversible hash. No way any expert witness could claim otherwise. Hashed emails on the other hand seem like more of a gray zone (some are reversible, but there's enough variety that not all are).
For a fun "challenge", here's my md5 hashed SSN: 46fdccf9acc38d13321b0c13cf541ec9 (spoiler: not my real SSN, but since they're sequential it could be someone's. And, hint, I'd be jealous of them.)