This is, of course, a serious breach and there will and should of course be consequences for the negligent parties
but
I am struggling to see the threat model being faced here.
biometric data is just a username. I flash my face around all day, and am careless as to where I leave my thumbprint.
The loss of so many photos and names is unlikely to have national level consequences (Compare this to say the Office Of Personnel management breach from some years back - that has horrible implications for US National security for decades) and the personal level consequences are ... hard to see
What this does underline is that we are outrageously careless as an industry with our data (comparable to early industrial "pollution" as Schneier points out). And it is not going to get better without a) career and business ending consequences b) new ways to store / secure data c) a new way of thinking about who owns and what is personal data
Personally I think we need a new form of intellectual property (just as we are trying to work out what kind of company FAANG are (not telcos, not newspapers, what is a platform?) we need to ask what is personal data
This comment is presumed under law to be my property, my copyright. I might license that property away (dunno never read HN T&Cs) but it is mine. But google and apple and others will track that I sat down at a certain time and place to write it, my ISP will see when I sent to which servers.
All of that data is also created by my conscious actions - should that data not also be my property. And if need be licensed - and compensated for its use?
And when (if) my data is held - then we should presume that it can be accessed by my agents for my benefit (from spending patterns to heart data). I would argue that Sometimes surveillance can be good for us - but only in ways similar to doctors knowing more about me can be good for me - the entire industry of medicine has individual interests at its heart and took a long time to get there.
We are heading in that direction (perhaps) but till we get there, carelessness will be the cheapest option, surveillance always bent agansit is (by state or other actors). We should rail against this stupid dumb breach, but punishing the "bad guys" is not even the first step on the road.
If I can make a bad analogy - It's not one incident that people got sick from one chef badly cooking chicken - it's we need to look at factory farming and meat consumption and healthy eating and marketing bias as a whole.
>I am struggling to see the threat model being faced here.
We don't really know the full details of the breach, but if the facial recognition database contained names in a column associated with pictures, that data can absolutely be leveraged and cross-referenced against other "fullz" for fraud that even passes a lot of online verification procedures.
I agree that we don't know what was lost, and it could easily be waaay worse than I imagine
But this kind of comes back to my point - why do we have online verification systems that rely on things like knowing my address in the last three years - Equifax breach should have meant we gave up on using a credit risk scoring system as an identity provider.
But we don't.
We need to rethink what is identity (start with web of trust) and who owns data that links to that identity.
I mean this could be the start of a positive identity provider - grab that downloaded database and provide a system that says this is a picture of Paul Brian's face, and his passport, and on the 20th August last year a official of the US government compared them
in real life and verified they matched (there may even be a hash of the digital images made at the time but I should not get my hopes up)
Now make that globally available. Is that useful and valuable - I think so. I would prefer if I had been able to upload my public key to that at the same time (I can always visit NYC again) but you get the idea. This leads to question like why does my passport not generate a key pair for me to use? Can I use facial recognition to match my gravatar / facebook / twitter ? Why is knowing a non-secret (mother's maiden name, passport or drivers license number, three digits on back of credit card) seen as security?
Why is it we use what we have to hand and not what is needed? Why don't american banks use chip and pin?
It's not bad that my online identity is clear and visible - as long as the legal and practical frameworks exist to support it - which they basically don't right now but we could make it happen
This is, of course, a serious breach and there will and should of course be consequences for the negligent parties
but
I am struggling to see the threat model being faced here.
biometric data is just a username. I flash my face around all day, and am careless as to where I leave my thumbprint.
The loss of so many photos and names is unlikely to have national level consequences (Compare this to say the Office Of Personnel management breach from some years back - that has horrible implications for US National security for decades) and the personal level consequences are ... hard to see
What this does underline is that we are outrageously careless as an industry with our data (comparable to early industrial "pollution" as Schneier points out). And it is not going to get better without a) career and business ending consequences b) new ways to store / secure data c) a new way of thinking about who owns and what is personal data
Personally I think we need a new form of intellectual property (just as we are trying to work out what kind of company FAANG are (not telcos, not newspapers, what is a platform?) we need to ask what is personal data
This comment is presumed under law to be my property, my copyright. I might license that property away (dunno never read HN T&Cs) but it is mine. But google and apple and others will track that I sat down at a certain time and place to write it, my ISP will see when I sent to which servers.
All of that data is also created by my conscious actions - should that data not also be my property. And if need be licensed - and compensated for its use?
And when (if) my data is held - then we should presume that it can be accessed by my agents for my benefit (from spending patterns to heart data). I would argue that Sometimes surveillance can be good for us - but only in ways similar to doctors knowing more about me can be good for me - the entire industry of medicine has individual interests at its heart and took a long time to get there.
We are heading in that direction (perhaps) but till we get there, carelessness will be the cheapest option, surveillance always bent agansit is (by state or other actors). We should rail against this stupid dumb breach, but punishing the "bad guys" is not even the first step on the road.
If I can make a bad analogy - It's not one incident that people got sick from one chef badly cooking chicken - it's we need to look at factory farming and meat consumption and healthy eating and marketing bias as a whole.