
Comments
No, it's unrelated because there's always The Good, The Bad, and The Ugly anywhere.
Has @Harzem or any company using FraudRecord consulted a lawyer in their jurisdiction prior to submitting hashed customer data to a centralized database? I wonder if there are any precedents in the US or EU about sharing such data. In the EU privacy laws are rather strict, I don't know about the US.
I suppose the answer would be found in this question: Is there any legal case where a hash was considered equal to data?
Personally I am unable to find any.
Theoretically, the laws in at least a few jurisdictions speak of "personally identifiable data".
A hash can be considered identifiable. While I'm unsure whether privacy laws apply to it, it's definitely not certain that they don't.
TRUSTe's blog had some comments on hashing last week
http://www.truste.com/blog/2013/04/16/data-anonymization/
The most important part of that article is probably this bit:
In other words, the hash is PII, and is probably subject to the same privacy laws as any unhashed piece of PII.
This demands a funny image post.
Well I guess at the end of the day opinions are like butts. Everybody has one. Better to run a business than talk about it. Nobody wins in the court of public opinion on management tactics.
This is a very long argument about the egg and the chicken.
You cannot trust any provider until you have some info about it. You cannot have any info before someone trusts enough to test it.
If the provider is tested, you should not give the real info. I never give the real info, my registration on prometeus is still fake, I do not trust any software on the internet to be hacker proof and I never trust the database cannot be leaked and decrypted if they bothered to encrypt it in the first place. WHMCS leaked theirs and they are very far from being the only ones.
Only my banks have the real info and if I do something wrong the money can be traced by police with a court order. I barely trust them enough, but they already have my data, so, no loss there.
In the end, I do not trust the government with my data, but there is no choice other than disappear in the woods some day and never come back, without phones and anything. I wouldn't go that far yet, but the thought has crossed my mind.
buhu...
That's not really true
tl;dr please?
CPU Abuser, warned, warned again, removed, user jumped on WHT and IRC and had a temper tantrum.
Host posted user's name here which is fine as the user posted this info himself first.
Lots of crap and derailment, bedroom law specialists etc, no one actually quoted a single verse of law.
Lots of talk about storing details and further derailment.
Someone asked for tl;dr
I posted this.
tl;dr for above: Normal LEB flamewar.
tl;dr
popcorn
TLDR: guy violated ToS, complained in IRC, was asked for information enough to investigate and resolve, refused such information, started spamming LEB, johnston posted this thread, IANAL lawyers started conversing the merits of action, people start wondering what happened, this post.
http://www.lowendbox.com/blog/bluevm-2month-256mb-openvz-vps-in-san-jose-texas-chicago-kansas-buffalo-and-atlanta/#comment-112944
If anyone wants to read the ticket log as he posted them.
for the Europeans, if you're not sure read http://en.wikipedia.org/wiki/Data_Protection_Directive
buhu...
Here's a great example of how FraudRecord works well on its intended use:
https://www.fraudrecord.com/api/?showreport=ccdeca75046eea21
Without this system, I wouldn't be able to convey to other providers that this person has had their payment details stolen. The Fraudrecord-using provider would then only see this report if they had a client sign up with these details too.
And you contact them to see if you need to register as a web host, they ask 3 questions (actually a few but only 3 that apply)
Do you intend to store people's financial information i.e. credit cards/bank details... No
Do you plan to use anyone's information for marketing services other than your own... No
Do you plan to share anyone's details on a regular basis with third parties... No
Then they say you are not required to register and are not required to have a DPO does the act in terms of requirement to register apply to you directly, in case of any breach of privacy it would then be a civil matter.
Source: experience first hand (UK).
Anyhoo...
The answer would be yes if you used FraudRecord.
Nope, FraudRecord does not share anything but a hash i.e. non-identifiable information as per the example Damien gave.
Take a look for yourself: https://www.fraudrecord.com/api/?showreport=ccdeca75046eea21 that is an actual report.
The manner in which the hash is used by FraudRecord makes it personally identifiable information (at least according to TRUSTe who is probably a much better authority on privacy issues than the average LEB provider who can't even write a decent privacy policy)
for anyone who missed it, here's the link to the TRUSTe article on hashes and why the manner in which FraudRecord is using them makes them personally identifiable information (which was also provided on page 5 of this thread but apparently some people didn't bother to read the article) http://www.truste.com/blog/2013/04/16/data-anonymization/
@DomainBop while technically correct, there is one problem. To turn that information back into PII you would need 2 or 3 super computers working in distributed function and would take still about 3 years to crack md5 that has not been salted. Salt it and guess what it becomes even more difficult. So most likely it is private as the chances of somebody owning 3 super computers being not in use to work on 1 person's fraud would take a total of 12 years to get all the information.
Actually the IP is probably identifiable since there are only 2^32 IP combinations to test. But this doesn't make it bad. Not much worse than sending queries to MaxMind or sending the information to the payment processor.
And yes, hosts ARE sending all user's details to paypal every time the user goes in WHMCS to view an invoice and pay it via paypal.
Just log in to the billing area of some random host, click on an unpaid invoice and then view the page source. You will be surprised what information is sent to paypal - the customer's name, address, phone number, zip code, etc. is all sent to paypal.
People just like to have something to freak out over. There's little more common on the Internet, from my perspective, than a bunch of armchair "experts" (educated by Wikipedia) taking "normal" or "common" practices and pretending to be shocked by uncovering this huge thing that amounts to a "slap in the face" for everyone involved.
I'd love to see any non-provider who feels that way start up a web hosting company and try to apply the principles that match their comments. Your attitude changes real quick. At the end of the day people like @DomainBop don't pay our Paypal chargeback fees or have to deal with abuse directly, they just complain on a forum when the node comes to a halt and jump to the next host.
Yes, IP, phone number probably. It would take a few weeks to bruteforce those on a decent desktop computer. If anyone wants to take those $5,000 from @Damian ...
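Added example (not part of any post in this thread, and not FraudRecord's code): why a deterministic, unsalted hash of a small-domain field such as an IPv4 address behaves as a pseudonym rather than anonymised data, and how a keyed HMAC changes that. SHA-256, the key, the guess rate and the 192.0.2.0/24 documentation range are assumptions chosen for illustration; the thread does not state the scheme FraudRecord actually uses.

```python
import hashlib
import hmac
import ipaddress


def digest(value: str) -> str:
    """Unsalted, deterministic hash: same input always gives the same output."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_digest(value: str, key: bytes) -> str:
    """HMAC with a secret key that never leaves the party doing the hashing."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover(target: str, candidates, fn=digest):
    """Return the candidate whose digest equals target, or None if none match."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def hours_to_enumerate(space: int, guesses_per_second: float) -> float:
    """Time to hash every value in a field's domain at an assumed rate."""
    return space / guesses_per_second / 3600


# Constructed sample: every address in the TEST-NET-1 documentation range.
CANDIDATES = [str(ip) for ip in ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_IP = "192.0.2.77"                      # constructed value
SECRET_KEY = b"example-key-held-by-one-party"  # hypothetical key

if __name__ == "__main__":
    # The unsalted digest is re-identified by enumerating the field's domain.
    print(recover(digest(SAMPLE_IP), CANDIDATES))
    # The same enumeration fails against a keyed digest without the key.
    print(recover(keyed_digest(SAMPLE_IP, SECRET_KEY), CANDIDATES))
    # Whole IPv4 space at an assumed one million guesses per second.
    print(round(hours_to_enumerate(2**32, 1_000_000), 2), "hours")
```

A keyed digest only protects the field while the key stays secret, and it stops different parties from matching each other's hashes unless they share that key, which is the trade-off a shared reporting database has to weigh.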
Well this just got ridiculous, some people should think before typing.
^ This essentially sums it up, it is a hash, it is not readily available identifiable information, simple as that. I don't require anyone to agree with me on that, feel free to take it up with the government authority in your country as I did.
Just log in to the billing area of some random host, click on an unpaid invoice and then view the page source. You will be surprised what information is sent to paypal - the customer's name, address, phone number, zip code, etc. is all sent to paypal.
Do you plan to share anyone's details on a regular basis with third parties...
@AnthonySmith?
Problem with this is that you're one of them - just like most LEB hosts and not just clients. Most of the time you defend your personal opinion instead of stating some facts which would hold water in, let's say, court. But that's ok as long as you're aware of this and don't call others armchair "experts" as you're one of them. Aren't you? Have you ever consulted any lawyer before you made your own policies? And don't lie, please! :P
Did you? With whom exactly? Please share their answer with the rest of us. We may learn something new.
Edit: I hope you also checked the ICO Data sharing code of practice as you're from UK.
http://ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Detailed_specialist_guides/data_sharing_code_of_practice.ashx - especially third part.