undefined | Better HN

0 pointsdylan6044y ago0 comments

Meh, that's why the CEO makes the big monies. "The buck stops here" kind of thing. Charge the CEO. Make it the CEO's problem to prove they were not responsible only by giving up the person that was. I do believe sometimes CEOs are not fully aware of what happens below them in the org tree, but they are accountable for their people. If the CEO can't handle that, then they shouldn't be accepting the roles. Clearly, this has to be understood as part of the job description

0 comments

12 comments · 2 top-level

J-Kuhn4y ago· 9 in thread

Here is a fictional timeline of events:

* Problem: Spammers automate creation of accounts. Solution: Reuse the MFA infrastructure as some kind of "CAPTCHA". The phone number is not stored.

* Problem: Spammers use a single phone number to unlock 1000's of accounts. Solution: Store the phone number - so those kinds of misuse can be detected.

* Problem: Ads-Team wants to sell more targeted ads. Solution: There is possibly a phone number stored in the user profile, use that.

Who is to blame here? The Ads team that didn't check if the number can be used?

jeffparsons4y ago

Solution #2 modified to be safer:

> Solution: Store A HASH OF the phone number - so those kinds of misuse can be detected.

If you don't need to store PII verbatim, don't store it verbatim.

> Who is to blame here? The Ads team that didn't check if the number can be used?

Yes. 100% yes. It's insane that we've normalized the idea that if you can physically get your hands on some data then that means you're allowed to do whatever you want with it. Anyone even remotely responsible working in advertising should be tracking provenance of the data they're using. I've heard all sorts of excuses about why this isn't practical, but with each year that passes I find them less convincing, and I've finally reached the point where I reject those excuses outright. If you don't _know_ you're allowed to use some PII for marketing, then you _can not_ use it for marketing. It's that simple.

j1elo4y ago

The person or team who gave green light to storing phone numbers without giving the data appropriate access controls and protections to avoid it being used for anything that is not strictly related with security and fraud control. A system such that if the Ads team tried to access it, they would get an access denied error, or maybe a red alert warning stating that this field cannot be used for marketing operations.

If a system to provide such protections didn't exist, then that system should have been implemented before agreeing on collecting phone numbers. Again, whoever didn't have that insight, should be the one to blame.

(all this is just wishful thinking on my part, of course)

ClumsyPilot4y ago

Problem: Bank wants to make more money. Solution: There is possibly some money stored in the customers bank account, use that

Do banks run like that? No. Do banks sell your details, your address, sign you up for random subscribtiona without your permission? No. Why should twitter get away with this

mikestew4y ago

Go to your U. S. bank and get a mortgage, and after a month of emptying buckets of junk from your new mailbox, come back and tell me with a straight face that the bank didn’t sell every scrap of data they had on you.

stolsvik4y ago

Huh? That’s pretty much exactly what banks do: They loan out the customers' money to someone else, taking an interest..

pornel4y ago

Yes! There are now privacy laws that explicitly require you to check if user has given consent for such use of the data.

wolpoli4y ago

The team responsible for regulatory compliance is responsible. If the team doesn't exist, then legals should advise management to establish one or provide trainings to every team, and then the teams are responsible.

pkulak4y ago

Ad team, 100%. There are all kinds of laws around advertising. GDPR, CCPA, etc. And all the ad teams I've ever interacted with are well accustomed to consulting with the attorneys before doing something like using a brand new piece of personal data to do a brand new thing.

lkschubert84y ago

How about the lowest common leader?

buck4roo4y ago· 1 in thread

Doesn't the Sarbanes-Oxley act (Sec 906) mandate that publicly listed companies' CEO&CFO assume at least some personal liability when they sign each required SEC statement (10-Q, annual report, etc)?

Something new for them: """ CEOs are required to personally attest that they are responsible for changes to privacy practices and written policies. """

1024core4y ago

> mandate that publicly listed companies' CEO&CFO assume at least some personal liability when they sign each required SEC statement

It isn't really a "personal liability" until there's a good amount of jail term involved.

Has any CxO been to jail inviolation of SOX? If "no", then there's your answer how useful it is.

j / k navigate · click thread line to collapse