Comment by bnchrch
5 hours ago
I truly believe our industry needs to elevate our own anti-awards, like others have (Razzies, Worst Game of the Year, etc.) to shame those responsible for building the regressive tech that corporations and governments push.
There's already the Big Brother Awards [0] and EFF's smattering of Worst Government and Worst Data Breach articles each year. [1]
But I think we need more.
Personally I would love to nominate:
- Mark Stefik and Brad Cox for their contributions to DRM
- Erick Lavoie for his work on Widevine DRM
- Vern Paxson for his contributions to DPI (Deep Packet Inspection)
- Latanya Sweeney and Alexandre de Montjoye for their contributions to re-identification of anonymized data
- Steven J. Murdoch and George Danezis for their work on de-anonymization attacks
[0] http://www.bigbrotherawards.org/
[1] https://www.eff.org/deeplinks/2025/12/breachies-2025-worst-w...
>- Latanya Sweeney and Alexandre de Montjoye for their contributions to re-identification of anonymized data
It seems like highlighting how anonymization is a lot harder than a lot of people assume is a really useful service. If researchers can do it, without any particular secret sauce, so can a lot of other people. (Unless I'm totally misunderstanding your comment.)
Agreed. I truly don't understand including these researchers on this list.
Some of Sweeney's most well-known work in this area is from the LATE 1990s. She was sounding the alarm about problems with anonymized data in medical datasets: https://en.wikipedia.org/wiki/Latanya_Sweeney#Medical_datase...
Her work almost certainly contributed highly to awareness of these risks.
More recently she has apparently worked on things like protecting voting rights in the US by notifying voters if their registration records change.
I haven't followed what she's been working on recently.
But, yeah, at some point in the 90s, Massachusetts decided to release some "anonymized" health records for research purposes (I think just state employees). One was governor William Weld who obviously had a lot of public information widely available. As I recall, Sweeney wrote the governor's office a bit later basically saying "I have your medical records."
I used this as a slide or two in some AI presentations in the mid-2000s or so pre-LLMs when I had some peripheral involvement with some of the privacy-preserving research going on (differential privacy, multiparty computation, fully homomorphic encryption). Haven't really followed most of this for a while.
Publicly reproducible attacks are great, because now we know where the problem is and how to fix it.
You can be pretty sure some three-letter agency trash had been already using it around the world along with shady spyware startups.
Another thing that I think would help is to start introducing some ethics into our profession as programmers.
Most other professions have you take ethics classes, have ethics boards and even ethics legislation. We're severely lacking in this area as a community. It really shows when every year there's a new company building the Maximum Oppression Orb from the book Don't Build the Maximum Oppression Orb. It's like we're dealing with the moral equivalent of a mentally challenged person all the time.
Programmers are not really decision makers there.
The requirements for this sort of stuff come from top down. Do you expect C-Level and the top layers of sycophants beneath them to be ethical?
Calling out anonymity researchers for showing that "anonymization" schemes don't work well is a stupid and dumb idea.
If they hadn't done it, you can bet that bad guys would have done it instead (and maybe were already doing it). What the researchers did is publicly show that the existing schemes were broken, hence motivating the design of better schemes.
Like, you fundamentally misunderstand computer security research if you think that shitting on people publishing attacks is a good thing.
You can argue about the timing of disclosing specific vulnerabilities vs. when fixes are available. But the idea that we should all be (shh) don't tell anyone that this broad practice is vulnerable to bad actors is idiotic.
https://scheisstool.de/site/
Should issue the award!
The original is dreckstool.de
> for their contributions to DRM
You're assuming Hollywood studios would ever release their content without DRM of some kind. They were quite content to ignore computers entirely if they didn't bend.
The world where Widevine doesn't exist isn't a DRM free one; but a world where an iPad or Smart TV can stream and a PC can't. I would support giving them an award though for "most repeated invention that keeps failing."
We are way past shame being an effective tool to regulate behavior.
It just has to come from people they care about. These days random people will try to shame you for so many things it's just overload.
Now.. that is not accurate at all. Some people simply respond differently to different stimuli. And those do change with age and experience. It is not a bad idea.
Shame from the in-group still remains effective. Shame from the out-group wanes as an effective tool as polarization increases.
It's hard to argue a point where your autonomy trumps the very thing giving you a salary. What freedom are you really expecting from an employment such as this? You are working for a big tech that is in the midst of layoffs and scrutiny from all angles. One being there is massive competition that at the slightest mishaps will give an advantage to your competitor and that all starts at the bottom meaning hierarchy. Don't expect shame from these companies either. That ship sailed long ago.
It would still help with public awareness.
I'm sorry but there is no shame in our industry, where are people protesting at conferences calling out devs working on instruments of oppression? Why isn't anyone harassing the devs that take it as a badge of honor to work at companies that profit from human misery?
I don't see it anywhere.
I do it all the time. It gets censored, hidden, downmodded on almost every site.
Devil's advocate here about the original post, about physical location: This would definitely have prevented the North Korean workers incident a few years back.
I also find it hard to get offended about because there is basically no job, outside of tech, which doesn't involve physical location. >95% of jobs require physical location. Do you think a concrete worker, a plumber, an electrician, or literally anyone who works with their hands, has a right to location privacy? What does that even mean? "I'm totally clocking in to work today and totally installing a light fixture for a client right now and I won't tell you which one"? "I'm totally making a cappuccino for an old lady right now at one of our 30,000 branches, but trust me, you don't need to know which one"? Whining about this is extremely hard for me to generate sympathies for.
This is a really crappy tool for dealing with the North Korean Workers problem; it doesn't sound particularly fraud-resistant and that issue should already be handled by any competent corporate IT department with 10000 better and higher resolution ways to figure out where their assets are located.
Overall it's just kind of a yucky and weird feature; when I worked in an office I really didn't want my coworkers having a real-time automated feed about where I'm located and one of my chores as a manager was always picking a seating position where I could at least take the drive-by questions before my team got interrupted, which stuff like this bypasses. I could actually see it being useful for field-deployed employees but it's not part of the stated implementation and most people in that scenario already have a solution for that.
I agree that the typical HN-meltdown isn't warranted here; the HN Meltdown Factor on anything related to privacy, cryptography, and security lately has gotten really out of hand (the post you're replying to is a perfect example, actually). But I also don't think these counterpoints are very strong; they're justifying other useful features and products that almost everyone already has. It's weird to me that Microsoft haven't either clarified or backed down on this one given how much press it's gotten vs. the seemingly tiny advantage the feature presents.
Some people are doing their best to get on that list: https://news.ycombinator.com/item?id=46784572