* Posts by AlexanderHanff

24 publicly visible posts • joined 3 Mar 2023

Meta says risk of account theft after phone number recycling isn't its problem to solve

AlexanderHanff

Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

Nothing you said has any relevance - it is the law, Meta are obligated to follow it. They know this, they have chosen not to, they know the potential consequences for not complying and have decided they would rather take that route than obey the law. It is as simple as that, and your personal opinion has zero impact on these facts.

AlexanderHanff

Re: Well if Meta are going to get roasted for this one

None of this is relevant - none of it absolves Meta of their legal obligations and all of it completely fails to take into account the fact that there are multiple solutions available to resolve this issue. Meta created this problem through bad design, not through bad users.

AlexanderHanff

Re: My guess

You are not getting the point - phone numbers are not reliable identifiers - period - it doesn't matter how many there are or how long the delay before they are recycled, they are quite simply not suitable as reliable identifiers; so companies need to stop treating them as if they are and meet (at least in the EU) their legal obligations to design systems based on data protection by design and by default.

This is not optional, this is the law and no amount of excuses will change that very simple fact.

Meta are aware of this risk (they have admitted so) and as such they are legally obligated to design their services not to be susceptible to this risk - end of discussion.

By forcing Meta to comply with their legal obligations, it will set an example for other platforms to follow.

AlexanderHanff

Re: My guess

If you read the article it is clear that that case was not the UK (it was stated that this was in the US which has a lot more than 70m residents).

Also on your argument that even then there are plenty of numbers available - again this is short-sighted and exactly why we have had issues in the past with things like IPv4.

I can give you another example, back in the day I used to work for ITSA in the UK (an executive agency of the Department of Work and Pensions) working on NUBBS2 (National Unemployment Benefit System 2) where some dude in Whitehall, when tasked with the question - "How much storage do we need for this system" - responded with "Well we will never go above 3.3m unemployed so let's go with that..." 3 years later I am tasked with working over the entire Christmas break (including Christmas day) to do regression testing on an emergency patch because we were rapidly approaching that magical figure at which point the entire system would collapse and 3.5 million giros would need to be handwritten - leaving people with no money over the Christmas/new year period.

Eventually your 700m numbers will be used up so what then, you go to 800m? 900m? Eventually these will all be used up as well - it is not future proof and as such it shouldn't even be considered - because short term fixes almost always end up becoming long term policy and to be utterly frank - the couple of hours of coding and deployment it would take Meta and other online platforms to simply not base security on something as fragile as a damn phone number - is a lot cheaper and a lot faster than changing the entire international infrastructure for cellular network numbers.

AlexanderHanff

Re: Well if Meta are going to get roasted for this one

I have been using TOTP authenticator for years with zero issues - the problem you highlighted is a non-issue if the platforms themselves point users to an open source, safe authentication app.

But I do agree that actually it is perfectly viable for OS companies to include a TOTP app directly in the OS - I will mention this to Apple next time I meet with them - then we just have to watch the war where Company X sues OS Company Y because their TOTP app is the default and is therefore an abuse of market power impacting competing apps....

AlexanderHanff

Re: Call me old fashioned

You also need to keep in mind that phone number is one of the fields in Meta's many "lookalike" advertising products and even though they are not legally supposed to use phone numbers which are collected for "security" reasons (which is why they ask for the phone number) for other purposes (yet another breach of the GDPR) we know for a fact they do. You can verify this by simply setting up a Facebook business account and using their "Custom Audiences" product which will require you to provide them with a spreadsheet of data about your customers (which includes phone number) so that Facebook/Instagram can then compare that data with the users they have (based on the same identifiers) and guarantee to the advertising customer that they are targeting the correct user or the user's social graph...

It is all one giant adtech con.

Meta would not be able to ask for phone number if they couldn't use the "security" argument as it would breach the data minimisation principle (yet another breach of Article 5 of the GDPR) and then they wouldn't be able to claim that they can match your customer data with their users...

AlexanderHanff

Re: My guess

Your reasoning is flawed as numbers are not allocated on a 1:1 basis. For example, companies may have hundreds of numbers assigned to just a few dozen employees depending on different use cases and of course, anyone (including companies) can change their numbers at any time.

We all thought there would be more than enough IPv4 addresses at one point too but hey look where we are...

You also fail to recognise that whereas there might only be 70 million people in the UK, that doesn't account for the cumulative population variance, where people die (and thus no longer need a phone number) and people are born and eventually get a new number - so that 70m number is not actually 70m at all when it comes to phone numbers.

Then of course, the biggest flaw in your argument - UK phone numbers are not only provided to UK residents... anyone traveling to the UK can purchase a UK sim card or as many UK sim cards as they like and in fact from an EU perspective this might be a good choice for travellers given that UK carriers are no longer under the umbrella of EU law (see Brexit...) and thus are not obligated not to charge roaming fees for the many millions of people who visit the UK from the EU every year... let alone people who are from outside the EU and in most cases would buy a local sim upon arrival to keep costs down... so once again, that 70m population number becomes moot very quickly.

AlexanderHanff

Re: Call me old fashioned

The simple fact is, it has become increasingly difficult (and in many cases, impossible) to sign up to online platforms without providing your phone number. I am also a dinosaur but this is not 1995 any more when you can just sign up with an email address. This is data grab century and all these platforms want your phone number because then they can say to the people they sell your data to that they know exactly who you are because they have your phone number...

Get with the times man... ;)

AlexanderHanff

Re: How do users go from having a new number to knowing the account iD?

That is the entire point - you do not need to know this. The way Instagram and Facebook are currently set up you can log in with phone number rather than name/username/email and you can have a link sent to reset the password directly to a phone number.

So basically anyone who gets a new phone number can go around all of the popular online platforms and just go down the password reset route using just the phone number. They then receive the link, go to the link, perform the password reset and log in with the phone number and the new password.

That is why this is such a serious issue and it is trivial for Meta to fix, simply by not permitting phone number to be used for security purposes.

AlexanderHanff

Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

The solution is simple - do not allow phone numbers to be used for security purposes - they are transient and should not be considered as unique to an individual. The most appropriate way to manage this is MFA via an app such as TOTP.
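
The reset flow described in the posts above, next to a version that follows the suggested fix (phone number is neither an identifier nor a reset channel, and a TOTP code is required). This is an added example, not part of the original posts and not Meta's code; the account store, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed account store. The phone number on file may since have been
# re-provisioned by the carrier to a different person.
ACCOUNTS = {
    "alice": {
        "email": "alice@example.test",
        "phone": "+15550100",
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    },
}


def reset_phone_only(phone: str):
    """Flow as described in the post: holding the number is the only check."""
    user = next((u for u, a in ACCOUNTS.items() if a["phone"] == phone), None)
    if user is None:
        return None
    return f"reset link for {user} sent by SMS to {phone}"


def reset_hardened(username: str, code: str, now: int):
    """Hypothetical hardened flow: accounts are looked up by username only,
    the reset needs a valid TOTP code, and the link never goes to the phone."""
    acct = ACCOUNTS.get(username)  # a phone number is not a valid identifier
    if acct is None:
        return None
    # Accept the current and the previous time step to tolerate clock skew.
    valid = any(
        hmac.compare_digest(totp(acct["totp_secret"], now - drift), code)
        for drift in (0, 30)
    )
    if not valid:
        return None
    return f"reset link for {username} sent to {acct['email']}"
```
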

AlexanderHanff

Re: How *is* this Meta's problem?

The way Meta have designed the login and password resets opens them up to a security risk as a result of re-provisioning of cell phone numbers. That is why this is their issue to resolve - under the GDPR they are legally obligated to identify and resolve security risks where possible - clearly here it is possible to remove this risk by designing login and password resets in a way which is not open to this risk - they have failed to do that and as such are in breach of Article 5(1)(f) (the principle of security), Article 25 (data protection by *design* and by *default*) and Article 32(1)(b) and 32(2) (security of processing based on risks).

So whereas you think Meta shouldn't be responsible, the law disagrees with you. The fact that they are aware of these risks but have chosen not to do anything to counter them, is a breach of their legal obligations.

AlexanderHanff

Re: My guess

I am not even remotely interested in a bounty and if one was issued I would simply donate it to an NGO doing privacy work. As I explained to Tom, this was simply the easiest way to report this issue due to Meta's complete obstruction to users being able to contact them.

To be clear, they didn't even evaluate this (I am guessing the response was AI generated) as they literally closed the ticket within seconds of me submitting it - it would have taken longer than that for a human to even read the submission, let alone evaluate it.

That's not the web you're browsing, Microsoft. That's our data

AlexanderHanff

I don't use Windows but...

If Microsoft are indeed hijacking data from other browsers this would be a breach of Articles 5(1) and 5(3) of 2002/58/EC (also Regulation 6 of the UK's PECR and Section 3 of the UK's Investigatory Powers Act). So in the UK someone should file a criminal complaint for the breach of IPA and a complaint with ICO for the breach of PECR, in the EU someone would need to complain to the competent supervisory authority for 2002/58/EC which will either be the same Regulator responsible for GDPR or the Telecoms Regulator, depending which Member State the person is in.

Sadly, because I do not use Windows, I do not have standing to file the complaint myself.

Meta, YouTube face criminal spying complaints in Ireland

AlexanderHanff

Not quite right

For civil law (ePrivacy Directive/GDPR) no consent is enough, for criminal law you have to have actually told them, "No Entry", DNT is my "No Entry" sign and they can't say they didn't know about it because they were in the working group at W3C where it was developed.

AlexanderHanff

Re: Kickstarter option

There is very little cost associated with the complaint currently, just the time it takes me to file the complaint and travel to Dublin to give the statement and if the case is prosecuted it will be prosecuted by the State not by me, so there will be little to no cost involved there either. If the State prosecutor refuses to take up the case, then I would need to apply for a private prosecution at which point it becomes very expensive - so we will have to see. But at this time there is no need for me to seek any funding.

Privacy advocate challenges YouTube's ad blocking detection scripts under EU law

AlexanderHanff

Your conclusion makes no sense

If a user has subscribed to a service then the code required to take payment for the service would be considered as "strictly necessary" for the provision of the requested service and would therefore be exempt from the consent requirements.

Try and actually read the law - or at least read the relevant guidance issued by multiple Regulators on the applicability of the law - perhaps then you will stop talking rubbish.

AlexanderHanff
FAIL

Re: Not this guy again

Let me correct you...

I have not been "challenging adblock detection scripts via EU Privacy laws for 10+ years" - in 2016 I wrote to the Commission for a legal clarification which was provided and agreed with my position. Beyond that I did nothing further as I achieved what I wanted to achieve (legal clarification). In 2019 the Court of Justice re-iterated that clarification.

But despite your assertions, I actually have a lot more work that I do around privacy other than holding companies to account for their unlawful activities. I am a registered lobbyist in Brussels and have spent the last 3-4 years actively campaigning against the EU Commission's attempts to introduce a mass surveillance law (ChatControl aka the CSAM proposal) and I also have a day job of running my own company and working with my clients to assist them in their compliance work.

And yes - we DO have a legal right to block ads (there is even German case law specifically on this issue) and we also have a legal right to block access to our devices. Whether you think that is sleazy or not, whether you like that or not is moot - it is the law. If you don't like it lobby to change it (as is your democratic right) but good luck with that because much bigger players (Microsoft, Meta, Alphabet and many more) have been trying to change that since 2009 and have failed consistently - but if you think you can present better legal arguments than their incredibly expensive lawyers - have at it.

And no, under current EU law a web site does not have a right to know you have blocked ads - this is explicit in the ePrivacy Directive not just under Article 5 (in relation to detection scripts stored on the device) but also under Article 6 (in relation to serverside processing of traffic data - for example to detect if your IP requested a specific ad or not) - again - whether or not you like that, is utterly irrelevant - it is the law.

Have a lovely weekend - perhaps use some of it to educate yourself on EU law...

AlexanderHanff
FAIL

Maybe read the article?

I made it clear in my interview that terms which interfere with EU fundamental rights (and other legal rights) are void under EU consumer protection and contract law. Furthermore, consent must be considered as freely given (not a condition of access to a service) and bundling of consents are not lawful under EU law (GDPR). Consent must be specific, informed, freely given and a result of an affirmative action - so hiding it in the ToS would meet none of those requirements.

So perhaps read the article before responding next time.

Why ChatGPT should be considered a malevolent AI – and be destroyed

AlexanderHanff

Re: Gross misunderstanding of the tool

Yes they are both me.

AlexanderHanff

Re: Gross misunderstanding of the tool

The Alexander Hanff in Poland was me (although I no longer live there) - there are no other Alexander Hanff in Poland.

AlexanderHanff

I never said I was...

I never said I was the only Alexander Hanff in the world, so your question is baseless.

The fact is there are very few Alexander Hanffs in the world (I know of just 2 - it is an incredibly rare surname) but I am without question the only one who is a well known privacy advocate who worked for Privacy International and various other details which ChatGPT got correct - also no Alexander Hanff died in 2019 that I can find and none of the online media sources cited by ChatGPT have ever reported in 2019 (or any other year that I have found) that Alexander Hanff died tragically leaving behind a legacy of privacy and human rights work...

However, as someone who has been reading, commenting on and even writing or being written about on popular news web sites - I am fully aware that there will never be an absence of trolls in the comments who post purely to try to antagonise the situation and haven't the mind to investigate these matters for themselves because they crave for attention and their purpose is to troll not to debate...

AlexanderHanff

Did you even read the article?

I explained in the article that this had been my *first* interaction with ChatGPT and that the question was the first question I had ever asked it. The entire conversation has been made available other than a couple more attempts at trying to get it to tell me how Alexander Hanff died which I didn't include in the transcript because they were just repeating previous responses and had no further impact on the conversation and came *after* the initial questions and resulting misinformation.

AlexanderHanff

Seems quite a few of you are either not reading the entire article or are missing the point...

Some of you seem to see this article as an attack on AI - this is not the case (and the article is pretty clear on this if you read it in its entirety).

I am a computer scientist, I have studied AI academically - I have a huge passion for technology which is why I work in #privacy - to ensure that technology is used for good. I even founded a company specifically to use generative AI for good (as a privacy enhancing tool).

The point is to illustrate the very real & significant risks to every one of us/society, when we release such "tools" that are not ready (and when we are not ready for them).

The point of the article is to highlight the risks when these systems are embedded into decision support systems and we take their output as absolute truth.

As I explained in the piece, there are already unofficial APIs for ChatGPT (created by hackers) that many companies have tapped into with their decision support systems.

OpenAI just this week opened up their entire model with a full suite of APIs so they can start charging for it and make some money.

If you read any social media platform you will find 100s of millions of people raving about how awesome ChatGPT is and how everyone should be using it to do their work. This part really illustrates the "we are not ready for this yet" part - this is the absolute truth problem.

These are the points of the article. Reading it as a "luddite" piece just perfectly illustrates these points...

AlexanderHanff

Re: Why?

Because despite being the founder I had to give up significant equity to build out the Board and bring in investment; and as such I didn't have the voting weight to prevent a hostile takeover - so I did the only thing I could do, I left.