←back to thread

199 points billybuckwheat | 2 comments | | HN request time: 0.63s | source
Show context
kkfx ◴[] No.41214643[source]
The surveillance problem is a matter of balance problem: if we are all able to surveil all others or none is able to surveil essentially anyone else forces are balanced there are only marginal issues. If someone can surveil nearly all but nearly all can't surveil the small cohort who surveil them than forces are not balanced.

Surveillance per se might be useful, let's say you want to know how much live traffic is there in your planned trip, alerts for incidents, natural phenomenon and so on. The issue is just the balance of forces and what can be done in case of unbalanced forces those who hold the knife from the handle side.

replies(1): >>41214816 #
mylastattempt ◴[] No.41214816[source]
Balance is definately not _the_ problem. I am not willing to exchange my information for access to someone else's information. Both should be private.
replies(3): >>41214888 #>>41215131 #>>41215650 #
fsflover ◴[] No.41215131[source]
What if you could always find out who and why accessed your information? Also, all "private" information is leaking from time to time...
replies(1): >>41216840 #
kkfx ◴[] No.41216840[source]
Needed (partially) but far from being enough.

Let's say you are a big-edutech player, you have all infos collected by your platform on your infra. Even if children and families know what you have and "why" [1] they can't know you send an ads at a time small bits of information to drive the scholar path of talented children you plan to hire tomorrow or you try to push some students with political/philosophical ideas aside to avoid having them as active adults against you.

Long story short:

- we, of course, need personal ownership, the opposite of modern IT where most info are in third party "cloud" hands and users have just some modern dumb terminals "endpoints" to interact with third party services who own their digital lives;

- we of course need to know where our information go

but it's not enough, we need information fairness. OpenStreetMaps might have someone using data for certain business purpose, that's still fair, since anyone else can use and own the same data, it's a choice do it or not. Google Maps it's not. Google is the owner, others are customers.

If we share anything or nothing or anything else in between accessible to all or to no one, we are in a balanced situation, there will be some who takes better advantage than others because they understand how to do and they want to do so, but it's still a fair situation. Otherwise it's a recipe for a dictatorship witch we can more and more call "a corporatocracy".

--

[1] a small anecdote: a leading Italian bank years ago decide to ditch RSA physical OTP to access their services mandating a mobile crapplication, I file a formal protest asking for GDPR information and aside noticing they allow operation from mobile, de-facto nullifying the third factor witch is against EU laws (largely ignored the PSD2 norm mandating a separate device for auth and operation), they answer me after a significant amount of time politely that:

- they do ask camera permissions because the app allow to scan Qr codes form various payment systems and for live chat (see below), for similar reason they need gallery access;

- they do want speaker because in-app they offer live audio-video chat assistance so their operator can talk with their customers while being able to see and act on phone screen;

- they need to access filesystem because they allow their customer to pay some bills sent via pdfs by mail or downloaded anyway from some portals, their app need to allow the user select them to being automatically processed;

- they need precise position and phone sensors to being sure it's me acting on my device and not a remote attacker;

- ....

Long story short there are gazillion of plausible reasons for this and that, but I can't know if there are ONLY such legit use of my information or not. I can't be sure even with mandatory AGPL on all systems, because I might have the sources, but no way to be sure their are the very same actually running on their servers.

replies(1): >>41218603 #
1. fsflover ◴[] No.41218603[source]
> but I can't know if there are ONLY such legit use of my information or not

AFAIK even if the bank has "legitimate" use cases for your private info (and I'm not convinced that those you mentioned are), they aren't allowed to use it for something else without your consent, according to GDPR.

> I can't be sure even with mandatory AGPL on all systems, because I might have the sources, but no way to be sure their are the very same actually running on their servers.

With AGPL, they must share with you actual source code running on their servers.

replies(1): >>41220112 #
2. kkfx ◴[] No.41220112[source]
> they aren't allowed to use it for something else without your consent

But I can't prove they respect the law. That's the point.

> With AGPL, they must share with you actual source code running on their servers.

Same as above, they can share a nearly identical system I can see matching but I can't verify it's the same.

Go far, take a look at xz "backdooring".

That's still a balance problem, some have taken advantage on someone else mimicking something legit. As long as a NK project get equally backdoored we would be in balance. You spy on me, I spy on you. You can act behind my lines, I can do the same.

As long as there is enough balance there will be peace and prosperity because the personal advantage became the common one, we all evolve.