this post was submitted on 06 Feb 2024
620 points (98.9% liked)
Technology
59979 readers
2417 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
How can they know it's your data without first collecting your data to compare it?
"Give us your personal information so we can ask others to delete your personal information" just doesn't sound like a trustworthy offer.
I can also see the irony. But I can't imagine another way to do it at any scale. Do you know of another option?
Something akin to haveibeenpwned.com password hash partial match? Can that even be done with this data?
Edit: You goofs know you can calculate the hash locally and submit it for review without actually exposing your password to them right? That's how bitwarden does it's check. https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
Ah, but Mozilla isn't even trying to do anything cool like that. They just use onereap and those fuckers look shady. Quotes from their privacy policy: https://onerep.com/privacy-policy#what-data-we-collect-and-how-we-do-that
The bastards
No. If your name is Dave Jones they have to look around those broker sites for Dave Jones. If those sites were using hashes then they could use hashes too.
This is no different than any credit or identity monitoring service. The need to give them basic information should be obvious, people have to decide if the company is trustworthy or not.
They could just look for names, then hash those names and compare them to your hashed name. So technically that don’t need to store your data, just hashes.
I'm all for privacy but worrying about giving one of the most trustworthy companies around your name seems a bit much.
You'd also have to give them your card details to pay for it.
This would also require searching and indexing the entire system as opposed to searching it.
Need a Moreno payment system
Tbf if someone logged that you were paying for this service that data would get removed anyway haha
The front page there is literally: "Give us your email, so we can find leaks of your email." It's exactly the same thing.
They are talking about the password lookup: https://haveibeenpwned.com/Passwords
But, it's the same deal. You have to trust they are actually doing what they say. Mozilla uses haveibeenpwned for their basic Monitor service too.
To be fair, you can check the code they run or just use the API.
The hash is calculated locally, cut-off and then send, the server returns all hashes it found which start with your one and then you can check if yours in in the list locally.
ah yes. type your password in here we totally wont steal it
Y'know that you can see the requests your browser makes, right? Mind putting in here a screenshot of HIBP uploading your password or any complete hash of it?
Failing to provide that grants you the "talking shit out of ya ass" award.
No, because you are asking the data broker to do something with your data that they possess. It is not possible for them to delete your data without knowing which are your data.
The only alternative is fully banning this kind of data collection. Which would be nice, but isn't happening anytime soon.
Unless you trust Mozilla. I'm unaware of another organization that is more trustworthy, despite the haters mad that CEOs make money.
The CEO is making an inordinate amount of money. $6.9 million is excessive.
You can argue that Mozilla should be held to the same low standard as every other corporation, but if you do that, you have to take into account that the Mozilla CEO got a huge pay raise in a year where other CEOs got less money.
$6.9MM is a perfectly reasonable compensation package for a $500MM organization and is probably low to attract a significant number of quality candidates.
Just no. My CEO runs a much larger organisation than Mozilla corp and her salary is 1m€ per year (public information), and that's perfectly adequate.
Perfectly adequate to never attract quality talent for the role.
Yeah I don’t think we should so directly equate quality of an expert with quantity of money.
A $2 million raise just made the CEO worse at running Mozilla. Honestly, if you think the company should hemorrhage money that rapidly, who's the one that hates it?
Likely you must provide Mozilla with basic identifying data like name and birth date. Which isn't all that radical since you're giving them quite a bit more by paying them.
It's better when it's in their hands, because:
It's ironic yeah, but if trust is the only way to implement something like this, then Mozilla is probably the one company I would trust considering they're a non-profit org.
There isn't a better company to do this than mozzila. I mean there literally are but in practice this is a good thing
The way I see it, if you're asking for data removal, it's because your identity is public online already, the company has nothing else to gain maybe other than the payment information and you can get a new card if they just happened to be untrustworthy.