So let's be clear about this, we're being told that Musk ordered employees to give an outside reporter access to *everything* internally at #Twitter. Without exceptions. That would mean users' direct messages as well. Think about it.
@lauren I'm pretty sure if I'm going to expect privacy on messages I send through another platform I'm going to use something cryptographical like Signal.
@skylos That is not always an option. For example, many firms now do their customer support through Twitter, including detailed account information. They link Twitter to their backend systems to verify customer identities, etc.
@lauren I'm puzzled that I am supposed to care about randos knowing about my customer service interactions... It seems realistic to understand those weren't private in the first place - just obscure and inconsequential.
@lauren if I toot or tweet, I've *already* PII'd myself right from the get-go, haven't I? Hmm. I guess it's a distinction between what identity you're using at the time, but my social media identities I use for such things are irrevocably self-doxed since creation. Getting PII out of that would be redundant. Heh.
@skylos @lauren yes, but what about answers to security questions, home address, phone number, etc? Those are the kind of things some customer support accounts would request by DM
@drymifolia @lauren Is your phone number really secret? It's disseminated fairly widely across many systems. Your home address? This also isn't actually very secret. approximately secret than your bank account number that's printed on every check. I have some doubts that this information is nearly as 'private' or secret as the pearl clutching about privacy would indicate.
@skylos @drymifolia Having worked on privacy issues for decades, and still running my PRIVACY Forum mailing list on the Net for over 30 years continuously, I will assert that these issues are a bit more complex than you seem to be suggesting.
@skylos @lauren I think many people used Twitter pseudonymously and it would be pretty challenging to figure out who they are IRL. So yeah, those users might be pretty upset to have their Twitter account linked to their real identity
@skylos @drymifolia @lauren Your phone number, combined with other information that a customer service person would normally ask, can allow someone to compromise your account, impersonate you, and steal your identity. Which can be extremely expensive, disruptive, and time consuming to fix.
@SummerBreeze @drymifolia @lauren I wonder if the real solution to this is to fix the inadequate mechanisms we have to secure important accounts - rather than trying to pretend the not-really-secrets we're currently using are adequate so we just need to be more careful with them. They're all almost arbitrary and silly, security through obscurity.
@SummerBreeze @lauren Is the safety in numbers, like a herd of gazelle? Like, 'if there are a billion possible identities to steal, any one identity is unlikely to be stolen'?
@SummerBreeze @lauren By the logic the gazelle isn't safe because the entire herd is going to be eaten shortly. There aren't enough cheetahs. Same for identity thefts - each operation requires manual hand-action; it's not scalable like that.
@skylos @lauren Identity theft doesn’t require manual hand action. It can in fact be automated, and unlike cheetahs, identity thieves don’t get full and stop.
@SummerBreeze @lauren I have not encountered or been made aware of any identity theft that happens without manual hand action. I couldn't make a decision or judgement based on that information. And now I know you say this is so.
@skylos @lauren Why would you think identity theft requires manual hand action? Not sure I am following your logic? What would be done primarily by hand? I am probably missing something.
@SummerBreeze @lauren human curation requirement - most people don't have identity worth stealing - wasting your viable access to identity stealing channels on useless identities would obviate the utility of doing it at all - you can't just file massive applications for credit or hack bank accounts - there's heavy tarpitting and monitoring of those avenues.
@skylos @lauren this misses the point. “Privacy” isn’t something you either have or don’t—there are degrees. People decide what information to share based on context. If that context changes or is misleading, it violates the agency of the person sharing the information.
@jepyang @lauren Hm. One of the problems we deal with is that contexts *do* change - we don't get to arbitrarily freeze a context just because we used it, never shall it ever change. This effect happens in many situations both RL and virtual. Such matters should be a consideration but considering doesn't preclude a violating decision being made. Of course, in the related directive, we know Musk doesn't consider. :[
@skylos @jepyang @lauren I'm having trouble grasping exactly what you are saying. Are you saying users of Twitter (or any type of online account), should expect that at any time the CEO of the company (or other agent of the company) should have the legal power to provide access to anyone they choose anything you have posted including in DM or added to your account profile? Correct me if I'm wrong.
@skylos @lauren 🙄🙄🙄 Really? Sure, DM security isn't great on SNS. But you still wouldn't expect a reputable online service to give access to all your DMs to some random person, as a breach of the TOS
@hbic @lauren I wouldn't expect it, but I also have a reaction of rolling my eyes in a "yeah, SNAFU" sort of way. I wonder what kind of insider stock trading information you could extract.
@skylos @lauren like email? You never say anything private or personal on email? Think of the equivalent of Musk bought Google and gave a reporter access to gmail? Saying “oh you should just make sure to encrypt anything private” is pretty irresponsible.
@pbrane @skylos Many of the services that most consumers depend on for email, including spam control and malware scanning -- and more -- cannot effectively function in a practical way with end-to-end encryption. And just as a point of interest, Google is organized in a way as to make a hostile takeover essentially impossible. And access to user data there is extremely strictly controlled on a tight need to know basis, with detailed logging. I've worked inside Google twice, they really do care about protecting user data.
@skylos @lauren my point is not about “Google” specifically. Pick any company which provides email. Or imagine Google had antitrust which forced them to divest of GMail. My point is that DMs shouldn’t be considered “unsafe, never put anything important” while e-mail we magically pretend is fundamentally different and will be protected
@pbrane @lauren email is not and has never been secure. It's used for time sensitive multifactor sometimes but that is a reflection that only by adding the time factor is its security relevant - all that expires and is useless to hackers after minutes or sometimes hours - so post hoc release has no danger regarding the security utility of email delivered security tokens.