
Comment by franciscop

3 years ago

> I recognize that there are many different kinds of google users. Some folks [...] need maximum security.

(un?)fortunately this is not exactly true. While it's true that some folks do need "extra security", the steps in discussion here are fortunately still applicable for the general population. We as a society have decided (correctly) that leaking your private photos, conversations and data is an unacceptable risk, and punish the companies strongly for it. So companies cannot just make it less secure.

Auth is a complex topic with many gotchas, and there is just no way around it. It's like saying you'd like to drive a car without a license: sure, getting the license is "hard", but if you want to drive, it's what you've got to do. Only here there are a hundred cars actively trying to crash into you and steal your goods.

> We as a society have decided (correctly) that leaking your private photos, conversations and data is an unacceptable risk, and punish the companies strongly for it.

On what planet do companies get punished strongly for leaking PII? It happens to me multiple times per year and if I'm lucky I get a pittance from a class action suit years later. The executives who raked in huge bonuses cutting security don't get punished and the company stock price rarely suffers beyond a blip when the leak is first disclosed.

  • Punishing companies is not the same as you getting compensated. It happens (at least in the EU) more harshly with the GDPR, so yes, it's fairly recent, but so is security online (just 10 years ago not even half of the sites used HTTPS).

    There are dozens of high-profile fines every year for data mishandling in Europe; just a quick search:

    > Data protection supervisory authorities across Europe have issued a total of nearly EUR1.1 billion (USD1.2 / GBP0.9 billion) in fines since 28 January 2021, according to international law firm DLA Piper.

    "fined Facebook owner Meta 265 million euros [...] for not better safeguarding more than half a billion users' phone numbers and other information" - https://www.wsj.com/articles/facebook-parent-meta-fined-276-...

    "European Union privacy fine related to data transfer of Facebook's EU users to U.S. servers" - https://www.reuters.com/technology/meta-face-record-eu-priva...

    "Luxembourg DPA issues €746 Million GDPR Fine to Amazon" https://dataprivacymanager.net/luxembourg-dpa-issues-e746-mi...

    "Manx Care faces £170k fine over patient data breach" - https://www.bbc.co.uk/news/world-europe-isle-of-man-62590514

    etc

    • If you think those fines are strong punishments you are, frankly, delusional. Those figures are a drop in the bucket and are regarded by the companies in question as little more than the cost of doing business. Start putting CTOs in handcuffs and I'll consider it a strong punishment.

      Edit: Also, just to be clear, the reason I brought up class action lawsuits is not because I think all punishment will result in remuneration for those affected, but because in those cases the class action lawsuits were the only consequence the companies in question faced.


This class of users is also some of the most easily scammed.

These folks, who need "less security", are the exact same who will tell a stranger their password over the phone simply because they said they worked for Google. Scammers can use data from an email account to write convincing fake communications that lead to folks losing their life savings.

Teaching folks that their data isn't important enough to turn on security is teaching them to fall into scammers' traps.

Aren't those two different issues?

Security against leaks needs to happen at the backend. Security to access an account doesn't protect against leaks of the database. It protects against personal data or identity theft, which is not something companies get punished for.

  • They are unfortunately all related in multiple complex ways; for example, password strength is important against leaks if the data is encrypted. Sometimes a leak happens through admin accounts, so if you have a single sign-in system, then security to access those is important.