Posts by AlexanderHanff

Are you aware that when you go to University most of the time you will sign away the rights to your academic work to the institution itself? Most Universities I have attended or worked for have the same contractual clauses - so in essence - yes you already lose your rights to the derivative works you create from your education instruction.

Re: Who wins?

A cut doesn't have to be money - so your argument falls apart right there. By forcing the models into the public domain - everyone has access to the benefits, not just the lawbreakers who trained the model and benefits could be a whole host of different things depending on what the models are used for.

Re: Well if Meta are going to get roasted for this one

None of this is relevant - none of it absolves Meta of their legal obligations and all of it completely fails to take into account the fact that there are multiple solutions available to resolve this issue. Meta created this problem through bad design, not through bad users.

Re: My guess

You are not getting the point - phone numbers are not reliable identifiers - period - it doesn't matter how many there are or how long the delay before they are recycled, they are quite simply not suitable as reliable identifiers; so companies need to stop treating them as if they are and meet (at least in the EU) their legal obligations to design systems based on data protection by design and by default.

This is not optional, this is the law and no amount of excuses will change that very simple fact.

Meta are aware of this risk (they have admitted so) and as such they are legally obligated to design their services not to be susceptible to this risk - end of discussion.

By forcing Meta to comply with their legal obligations, it will set an example for other platforms to follow.

Re: My guess

If you read the article it is clear that that case was not the UK (it was stated that this was in the US which has a lot more than 70m residents).

Also on your argument that even then there are plenty of numbers available - again this is short sighted and exactly why we have had issues in the past with things like IPV4.

I can give you another example, back in the day I used to work for ITSA in the UK (an executive agency of the Department of Work and Pensions) working on NUBBS2 (National Unemployment Benefit System 2) where some dude in Whitehall, when tasked with the question - "How much storage do we need for this system" and responded with "Well we will never go above 3.3m unemployed so lets go with that..." 3 years later I am tasked with working over the entire Christmas break (including Christmas day) to do regression testing on an emergency patch because we were rapidly approaching that magical figure at which point the entire system would collapse and 3.5 million giros would need to be hand written - leaving people with no money over the christmas/new year period.

Eventually your 700m numbers will be used up so what then, you go to 800m? 900m? Eventually these will all be used up as well - it is not future proof and as such it shouldn't even be considered - because short term fixes almost always end up becoming long term policy and to be utterly frank - the couple of hours of coding and deployment it would take Meta and other online platforms to simply not base security on something as fragile a damn phone number - is a lot cheaper and a lot faster than changing the entire international infrastructure for cellular network numbers.

Re: Well if Meta are going to get roasted for this one

I have been using TOTP authenticator for years with zero issues - the problem you highlighted is a non-issue if the platforms themselves point users to an open source, safe authentication app.

But I do agree that actually it is perfectly viable for OS companies to include a TOTP app directly in the OS - I will mention this to Apple next time I meet with them - then we just have to watch the war where Company X sues OS Company Y because their TOTP app is the default and is therefore an abuse of market power impacting competing apps....

Re: Call me old fashioned

You also need to keep in mind that phone number is one of the fields in Meta's many "lookalike" advertising products and even though they are not legally supposed to use phone numbers which are collected for "security" reasons (which is why they ask for the phone number) for other purposes (yet another breach of the GDPR) we know for a fact they do. You can verify this by simply setting up a Facebook business account and using their "Custom Audiences" product which will require you to provide them with a spreadsheet of data about your customers (which includes phone number) so that facebook/Instagram can then compare that data with the users they have (based on the same identifiers) and guarantee to the advertising customer that they are targeting the correct user or the user's social graph...

It is all one giant adtech con.

Meta would not be able to ask for phone number if they couldn't use the "security" argument as it would breach the data minimisation principle (yet another breach of Article 5 of the GDPR) and then they wouldn't be able claim that they can match your customer data with their users...

Re: My guess

Your reasoning is flawed as numbers are not allocated on a 1:1 basis. For example, companies may have hundreds of numbers assigned to just a few dozen employees depending on different use cases and of course, anyone (including companies) can change their numbers at any time.

We all thought there would be more than enough IPV4 addresses at one point too but hey look where we are...

You also fail to recognise that whereas there might only be 70 million people in the UK, that doesn't account for the cumulative population variance, where people die (and thus no longer need a phone number) and people are born and eventually get a new number - so that 70m number is not actually 70m at all when it comes to phone numbers.

Then of course, the biggest flaw in your argument - UK phone numbers are not only provided to UK residents... anyone traveling to the UK can purchase a UK sim card or as many UK sim cards as they like and in fact from an EU perspective this might be a good choice for travellers given that UK carriers are no longer under the umbrella of EU law (see Brexit...) and thus are not obligated not to charge roaming fees for the many millions of people who visit the UK from the EU every year... let alone people who are from outside the EU and in most cases would buy a local sim upon arrival to keep costs down... so once again, that 70m population number becomes moot very quickly.

Re: Call me old fashioned

The simple fact is, it has become increasingly difficult (and in many cases, impossible) to sign up to online platforms without providing your phone number. I am also a dinosaur but this is not 1995 any more when you can just sign up with an email address. This is data grab century and all these platforms want your phone number because then they can say to the people the sell your data to that they know exactly who you are because they have your phone number...

Get with the times man... ;)

Re: How do users go from having a new number to knowing the account iD?

That is the entire point - you do not need to know this. The way Instagram and Facebook are currently setup you can login with phone number rather than name/username/email and you can have a link sent to reset the password directly to a phone number.

So basically anyone who gets a new phone number can go around all of the popular online platforms and just go down the password reset route using just the phone number. They then receive the link, go to the link, perform the password reset and login with the phone number and the new password.

That is why this is such a serious issue and it is trivial for Meta to fix, simply by not permitting phone number to be used for security purposes.

Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

The solution is simple - do not allow phone numbers to be used for security purposes - they are transient and should not be considered as unique to an individual. The most appropriate way to manage this is MFA via an app such as TOTP.

Re: How *is* this Meta's problem?

The way Meta have designed the login and password resets opens them up to a security risk as a result of re-provisioning of cell phone numbers. That is why this is their issue to resolve - under the GDPR they are legally obligated to identify and resolve security risks where possible - clearly here it is possible to remove this risk by designing login and password resets in a way which is not open to this risk - they have failed to do that and as such are in breach of Article 5(1)(f) (the principle of security), Article 25 (data protection by *design* and by *default*) and Article 32(1)(b) and 32(2) (security of processing based on risks).

So whereas you think Meta shouldn't be responsible, the law disagrees with you. The fact that they are aware of these risks but have chosen not to do anything to counter them, is a breach of their legal obligations.

Re: My guess

I am not even remotely interested in a bounty and if one was issued I would simply donate it to an NGO doing privacy work. As I explained to Tom, this was simply the easiest way to report this issue due to Meta's complete obstruction to users being able to contact them.

To be clear, they didn't even evaluate this (I am guessing the response was AI generated) as they literally closed the ticket within seconds of me submitting it - it would have taken longer than that for a human to even read the submission, let alone evaluate it.

Re: Kickstarter option

There is very little cost associated with the complaint currently, just the time it takes me to file the complaint and travel to Dublin to give the statement and if the case is prosecuted it will prosecuted by the State not by me, so there will be little to no cost involved there either. If the State prosecutor refuses to take up the case, then I would need to apply for a private prosecution at which point it becomes very expensive. - so we will have to see. But at this time there is no need for me to seek any funding.

Re: Gross misunderstanding of the tool

The Alexander Hanff in Poland was me (although I no longer live there) - there are no other Alexander Hanff in Poland.

I never said I was...

I never said I was the only Alexander Hanff in the world, so your question is baseless.

The fact is there are very few Alexander Hanff's in the world (I know of just 2 - it is an incredibly rare surname) but I am without question the only one who is a well known privacy advocate who worked for Privacy International and various other details which ChatGPT got correct - also no Alexander Hanff died in 2019 that I can find and none of the online media sources cited by ChatGPT have ever reported in 2019 (or any other year that I have found) that Alexander Hanff died tragically leaving behind a legacy of privacy and human rights work...

However, as someone who has been reading, commenting on and even writing or being written about on popular news web sites - I am fully aware that there will never be an absence of trolls in the comments who post purely to try to antagonise the situation and haven't the mind to investigate these matters for themselves because they crave for attention and their purpose is to troll not to debate...

Did you even read the article?

I explained in the article that this had been my *first* interaction with ChatGPT and that the question was the first question I had ever asked it. The entire conversation has been made available other than a couple of more attempts at trying to get it to tell me how Alexander Hanff died which I didn't include in the transcript because they were just repeating previous responses and had no further impact on the conversation and came *after* the initial questions and resulting misinformation.

Re: Why?

Because despite being the founder I had to give up significant equity to build out the Board and bring in investment; and as such I didn't have the voting weight to prevent a hostile takeover - so I did the only thing I could do, I left.