[HN Gopher] You can't leak users' data if you don't hold it
___________________________________________________________________
You can't leak users' data if you don't hold it
Author : todsacerdoti
Score : 118 points
Date : 2024-03-28 21:19 UTC (1 hour ago)
(HTM) web link (seancoates.com)
(TXT) w3m dump (seancoates.com)
| okeuro49 wrote:
| > Our first product is an iOS app designed to help you capture
| the best moments in your life
|
| I have increasingly come to the belief that mediating our life
| experiences and social interactions through apps isn't good for
| us.
|
| Your website "Matter" [1], to be honest, seems completely
| dystopian to me and an indication of all that's wrong with the
| relationship between technology and society.
|
| [1] https://matter.xyz/
| hn_throwaway_99 wrote:
| While I actually liked the primary point of the author
| regarding privacy controls, and I feel some of the commenters
| here are being a bit harsh regarding tangential issues or
| missing some of the crux of what he wrote, I also so strongly
| agree with your point that I couldn't let it go.
|
| Apps aren't going to make you happier. If you want to be
| happier, go for a walk outside and go hang out with your
| friends, in person.
| Retric wrote:
| That assumes quite a bit of freedom that may not exist for
| many people.
|
| An Uber driver waiting for their next passenger isn't able to
| go hang out with friends, but they can play on their phone,
| or read a book.
| josephg wrote:
| Sure; but it's probably true for most of us most of the
| time.
|
| I'm on HN right now instead of playing piano or going for a
| walk. I think I need the reminder sometimes.
| djbusby wrote:
| Go for a walk right now!
| gremlinunderway wrote:
| Yeah but saying "you ought to go outside / relax / rest /
| spend time with family" and then saying "not everyone can
| because shit sucks" is missing the point. Shit does suck,
| for a lot of people, in a lot of ways. Acknowledging that
| is good, but then saying the alternative for that is people
| to play on their phones? How about advocating for people to
| be able to make a wage or living and have time to hang out
| with friends?
| dylan604 wrote:
| Before devices, people were able to find ways to kill time
| at work just fine. As a human, we're perfectly capable of
| surviving without the device. I know that seems
antithetical to zillennials, but it will be more than okay
| to look away from the screen for an extended period of
| time.
|
Personally, having a driver sit there counting the number
| of red cars or counting the number of different state
| license plates is equally purpose serving as doom
| scrolling. In fact, it's probably much less detrimental to
| their mental health.
|
It saddens me a wee bit that people think that the devices
must be attended to to this extent.
| throwawaysleep wrote:
| Users didn't consider them just fine, as they immediately
| abandoned them when given the chance.
| numbers wrote:
| I am more interested in the author's blog navigation, so cool!
| scoates wrote:
| Hello. Thanks! This old blog design is showing its age,
| certainly, but I appreciate the nod to URL Sentences:
| https://shiflett.org/blog/2010/url-sentences
| forgotmyinfo wrote:
| What happens when Matter gets acquired? I'm sorry, but all this
| self back-patting is a bit too little too late for this jaded
| guy, especially because a thousand other companies have made the
| same promises in cheery blog posts, before something happens and
| my social security number winds up on a sticky note on some
| hacker's monitor in Belarus. Hell, I've worked for companies
| where I was forced to break users' trust because some executive
| critter told me to when it was clear the profit faucet wasn't
| opened nearly enough.
|
| So thanks, but this isn't enough anymore. We need laws that will
| guarantee that _every_ company that handles our data will do it
thoughtfully and safely. In the meantime, I'm not expecting
| much.
| scoates wrote:
| Hello. Agreed that we need comprehensive privacy reform.
|
| You should probably read the article, though. (-;
|
| I have access to everything (on the tech side) at Matter, and
| if you put your social security number into the app, I wouldn't
| be able to access it to write it on a sticky note. That's the
| whole point.
|
| PS I'm also old and jaded. (-;
| travisjungroth wrote:
| I don't think the article really answers this. All these
| decisions you've made to not store data are decisions that
| you could unmake.
|
| To put it concretely: if everyone at Matter tomorrow became
| malevolent and _wanted_ user data, what happens? For example,
| if you push an app that sends home my private text, how would
| I know? Could you?
| tschwimmer wrote:
| Hey, no need to cast aspersions on the infosec practices of
| Belorussian hackers, I bet they store their stolen credentials
| in an encrypted SQLite database as per industry best practice.
| defen wrote:
| > What happens when Matter gets acquired
|
| That's a major point that's addressed in the blog post, did you
| read it?
| abound wrote:
| Not sure about GP, but I did read the post. If they get
| acquired, I don't see anything stopping the acquirer from
| pushing an update that decrypts stuff and sends the plaintext
| to the servers.
| ndr wrote:
| This. And how likely is it that if their users value their
| app's data then there's an acquirer willing to wipe out all
| the users' data from the phones before they take over?
| hn_throwaway_99 wrote:
| While I agree with your sentiment, after re-reading the post
| and looking at some of the blog posts, I think you missed a
| major point, that being:
|
| 1. You can't leak what you don't have.
|
| That is, even if the company gets bought out or is hacked, if
| they don't have the data, there is nothing to leak. This point
| is also at least partially enforced by another point from the
| post:
|
| 2. Advanced app users can audit their network traffic from the
| app
|
| Now, granted, I wouldn't expect many users to do this, but
| highlighting it at least serves as a warning that it should be
| harder for the app to _surreptitiously_ change what is sent to
| the server (and to emphasize, I know this can be worked /hacked
| around, but I don't think working around this could ever be
| done with plausible deniability).
|
| Given the fact that companies and products jettison their high-
| minded policies as soon as it becomes economically
| inconvenient, the only other thing I'd recommend for the author
| is to have a good, simple export tool, e.g. something that
| dumps all the "memories" to a directory or PDF file. The post
| talks about backup and restore, but if I were a potential user
| I'd like to know that if the company does kick their privacy
| policy to the curb at some point that I could get all of the
| investment and data out of the app without needing to continue
| to rely on the app for at least the base data I put into it.
| nicksloan wrote:
| Hi, I also work at Matter. Our current backup/restore
| implementation exports a zip file of complete JSON data. We
| will improve backups in the future, but no pull request will
| be merged to remove the existing implementation for at least
| as long as I'm leading the app team.
| jacurtis wrote:
| > before something happens and my social security number winds
| up on a sticky note on some hacker's monitor in Belarus
|
| Isn't the point of the article that they can't leak something
| they don't have?
|
| So if I never get your social security number from you, then I
| have zero risk of leaking it or exposing it to hackers. I can't
| give them (intentionally or unintentionally) something that I
| don't possess.
|
| The author says:
|
| > Given these criteria and extremes, we decided that our best
| course of action is to just never have our users' private data.
|
| ---
|
| To your next question on what happens if Matter is acquired.
| Well the app might stop working or change how it works or have
| new logo in the corner, but your data never left your device,
| so you don't really have to worry about it being leaked to
| Belarus.
| ndr wrote:
| > Well the app might [...] change how it works [...] but your
| data never left your device, so you don't really have to
| worry about it being leaked to Belarus.
|
| You're one update away from having an app that has access to
| all its data and can ship it anywhere. Do you keep updates
| off?
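The "advanced users can audit their network traffic" point above, and the
"one update away" objection to it, come down to a concrete check: capture what
the app actually sends and compare it against what it is supposed to send.
The following is an added example, not code from the post or from Matter. It
assumes a capture exported from an intercepting proxy (mitmproxy, Charles or
similar) as a list of request records; the host names, paths, field names and
bodies are constructed for the example, and the allowlist is a hypothetical
"metrics only" contract.

```python
"""Audit captured app traffic against an allowlist of what the app may send.

Added example, not code from the post or from Matter. It assumes a capture
exported from an intercepting proxy (mitmproxy, Charles, etc.) as a list of
request records; the host names, paths, field names and bodies below are
constructed for the example.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: endpoint -> field paths the app is expected to send
# (query parameters and JSON body keys). Dotted paths allow one nested field.
ALLOWED_FIELDS = {
    "api.example.invalid/v1/metrics": {"event", "app_version", "region", "ts", "since"},
}

# Constructed sample capture. Record 2 carries a user's private text inside an
# otherwise normal metrics call; record 3 uploads an opaque blob to a host that
# is not on the allowlist. Both are the kind of change an update could slip in.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "https://api.example.invalid/v1/metrics",
     "body": json.dumps({"event": "app_open", "app_version": "1.2.0",
                         "region": "ca", "ts": 1711660740})},
    {"method": "POST", "url": "https://api.example.invalid/v1/metrics",
     "body": json.dumps({"event": "memory_saved", "app_version": "1.2.0",
                         "region": "ca", "ts": 1711660801,
                         "memory": {"text": "Dinner with Sam at the lake"}})},
    {"method": "POST", "url": "https://cdn.example.invalid/upload",
     "body": "AAAAB3NzaC1yc2EAAAADAQABAAABgQC...(constructed opaque blob)"},
    {"method": "GET", "url": "https://api.example.invalid/v1/metrics?since=0",
     "body": ""},
]


def flatten_keys(obj, prefix=""):
    """Dotted key paths of a parsed JSON body: {'a': {'b': 1}} -> {'a', 'a.b'}."""
    paths = set()
    if isinstance(obj, dict):
        for key, val in obj.items():
            paths.add(prefix + key)
            paths |= flatten_keys(val, prefix + key + ".")
    elif isinstance(obj, list):
        for item in obj:
            paths |= flatten_keys(item, prefix)
    return paths


def unexpected_paths(paths, allowed):
    """Paths not on the allowlist, reported once at the highest unexpected level."""
    out = set()
    for path in paths:
        if path in allowed:
            continue
        parent = path.rpartition(".")[0]
        if parent == "" or parent in allowed:
            out.add(path)
    return out


def audit_capture(records, allowed=ALLOWED_FIELDS):
    """Return a list of findings; an empty list means every request matched."""
    findings = []
    for rec in records:
        parts = urlsplit(rec["url"])
        endpoint = f"{parts.hostname}{parts.path}"
        body = rec.get("body") or ""
        if endpoint not in allowed:
            findings.append({"url": rec["url"], "issue": "unexpected_endpoint",
                             "detail": f"{rec['method']} with {len(body)}-byte body"})
            continue
        sent = set(parse_qs(parts.query).keys())
        if body:
            try:
                sent |= flatten_keys(json.loads(body))
            except ValueError:
                # Not JSON: an encoded or encrypted blob is exactly what an
                # audit cannot vouch for, so it is reported rather than ignored.
                findings.append({"url": rec["url"], "issue": "opaque_body",
                                 "detail": f"{len(body)} bytes not parseable as JSON"})
                continue
        extra = unexpected_paths(sent, allowed[endpoint])
        if extra:
            findings.append({"url": rec["url"], "issue": "unexpected_fields",
                             "detail": ", ".join(sorted(extra))})
    return findings


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(f"{finding['issue']:20} {finding['url']}  {finding['detail']}")
```

Run against the sample capture this reports the `memory` field on the second
metrics call and the upload to the unlisted host, and stays silent on the two
clean requests. The allowlist is the part worth publishing: a vendor that
documents exactly which endpoints and fields its app sends gives users a
contract to diff new releases against, which is what makes a silent change in
a later update detectable rather than merely suspected.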
| montereynack wrote:
| I sympathize a lot with the headline statement; it boggles my
| mind on a lot of the data residency/integrity/confidentiality
| measures taken around massive data silos (as well as the infra
| teams companies bring to bear to manage, scale and then
| inevitably publish gospel articles on the web about) when
| companies could just opt... NOT to collect that data? I really
| like the model of "It stays on your device, we never see it. At
| most we get bare-minimum location statistics." Although I
| question the assertion that their metrics system won't be turned
| against them; seems obvious that anything programmed can be
| reprogrammed or updated, especially in the modern update-focused
| age. I don't think they addressed that beyond a general statement
| that they took pains to assure that their users won't ever be
| spied on. Would be interested in a technical article on that.
|
| Side note, we at Sentinel Devices are taking exactly this "we
| don't hold your data" approach for industrial machinery. Think
| automated AI pipelines that are air-gapped. And we're hiring! If
| you're interested, reach out to hello@sentineldevices.com
| jmward01 wrote:
| I agree with the core idea, avoid saving info so you can't ever
| leak it. I personally think our legal framework should be based
| on consequences to encourage this mentality more. If you are
| hacked I don't care even a little that you did everything right,
| I just care that my information got taken. You should be held
| liable even if you did what the industry thought was right.
| Terr_ wrote:
| Disclosure liability insurance, low premiums if there was
| nothing to leak.
|
| Of course, that assumes a different world where companies
| actually pay for screwing up in the first place.
| A4ET8a8uTh0 wrote:
| Obviously, IANAL
|
| In a sense, that gradation is present for other offenses. You
| kill a man by accident? It may end up being involuntary
| manslaughter. You kill that same man with malice and planning?
The charge will move to aggravated and premeditated murder.
|
| At the end of the day, a life was taken and some level of
| judicial review should take place. That does not appear to
| happen for 'hack' events.
| Nextgrid wrote:
| The root cause behind the proliferation of privacy breaches is
| that the legal framework against spying/hacking turns out to
| have a massive vulnerability.
|
| Developing & spreading spyware that collects people's personal
| data without permission is illegal (you don't even need to leak
| the collected data for it to be illegal), but wrap it in some
flashy marketing, dozens of pages of inscrutable ToS and
"privacy" policy, and suddenly not only your spyware operation
becomes legal but you can even leak or sell the data in total
| impunity.
|
| This is valid in Europe as much as the US. Keep in mind that
| even before the GDPR, most countries had some sort of
| legislation around personal data processing, use and storage,
| but none of it was enforced. The GDPR is no better in terms of
| enforcement, which is why you see tons of (non-compliant)
| "consent" flows and spying continues as usual for the most
| part.
| erehweb wrote:
| The thing I wonder is - how will Matter make money? Is the plan
| to just get this via subscriptions?
| Almondsetat wrote:
| >how will Matter make money?
|
| it won't, Matter
| ChrisMarshallNY wrote:
| This aligns pretty well, with my own PoV.
|
| I can tell you that it has not made me popular with my coworkers.
| This whole blasted industry has become completely drenched in PID
| harvesting, and incredibly casual treatment of said PID. My
| solitaire apps are constantly trying to get me to sign up for
| leaderboards and challenges.
|
| I have been denying pig-butchering (most likely) signups for our
| new app, at about a 30% rate. It's pretty damn sobering (each
| signup is manually vetted. We don't really care about quantity).
| We are restricted to US, Canada, and India, and have barely made
| any efforts to promote the app, but the scammers jumped all over
| it.
|
| Right now, they are primitive (we have a specific demographic
| that is hard to fake), but I expect that to change.
|
| I have just come to accept that baddies will get in, so it's
| important that the liquor cabinet be empty, if they try raiding
| it.
| Terretta wrote:
| This is why B2B SaaS should stop charging enterprise price for
SSO, and just REQUIRE an IdP or the OAuth/OIDC/whatever flow:
|
| https://vaultvision.com/blog/what-is-oidc
|
| The user experience is these "continue with" buttons:
|
| - https://id.atlassian.com/login
|
| - https://www.xsplit.com/user/auth
|
| Then you don't have their account creds to lose.
|
| Personal data, PII, etc. is risk debt.
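What "you don't have their account creds to lose" looks like in code: the
relying party verifies the IdP's ID token and persists only the (issuer,
subject) pair, never a password hash. The following is an added example, not
code from the post or from any product named in the thread. It verifies a
compact JWS signed with HS256 (OIDC Core section 10.1 allows the client_secret
as the HMAC key) and applies the ID token validation steps from OIDC Core
section 3.1.3.7; the issuer URL, client id, secret and minted token are
constructed for the example. Production deployments mostly see RS256 or ES256
tokens and should verify them against the issuer's published JWKS with a
maintained library; the claim checks below are the same either way.

```python
"""Sign in with an OpenID Connect ID token and keep no password at all.

Added example, not code from the post or from any product in the thread.
The issuer, client id, secret and tokens are constructed; HS256 is used so the
example runs offline (OIDC Core 10.1: client_secret is the HMAC key).
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://id.example.invalid"            # hypothetical IdP
CLIENT_ID = "example-web"                         # hypothetical relying party
CLIENT_SECRET = b"constructed-secret-do-not-reuse"  # hypothetical, for the demo only


class TokenError(ValueError):
    """Raised for any token that must not log a user in."""


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_id_token(claims, secret=CLIENT_SECRET, alg="HS256"):
    """Mint a token the way a test IdP would; used only to build sample input."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":          # deliberately unsigned, to show it is rejected
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token, expected_nonce, now=None, secret=CLIENT_SECRET):
    """Return the minimal identity record to persist, or raise TokenError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm: the header must never choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(p))
    except ValueError:
        raise TokenError("malformed token")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise TokenError("wrong audience")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenError("azp required for multiple audiences")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    if not claims.get("sub"):
        raise TokenError("missing sub")
    # Everything the relying party stores about the account: no credential at all.
    return {"iss": claims["iss"], "sub": claims["sub"]}


def rejection_reason(token, expected_nonce, now=None):
    """None if the token would log the user in, else why it was refused."""
    try:
        verify_id_token(token, expected_nonce, now=now)
        return None
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    now = int(time.time())
    good = mint_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                          "iat": now, "exp": now + 600, "nonce": "n-1"})
    print(verify_id_token(good, "n-1"))
    unsigned = mint_id_token({"iss": ISSUER, "sub": "admin", "aud": CLIENT_ID,
                              "exp": now + 600, "nonce": "n-1"}, alg="none")
    print(rejection_reason(unsigned, "n-1"))
```

The account table that results holds an opaque `sub` per issuer and whatever
profile the product genuinely needs; a breach of it yields no password hashes
to crack and nothing reusable at other sites. The nonce check is what ties the
token to the browser session that started the login, so a token captured
elsewhere cannot be replayed into a new session.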
| 3pm wrote:
| Related concept is Datensparsamkeit:
| https://martinfowler.com/bliki/Datensparsamkeit.html
| stpn wrote:
| I really love this sentiment.
|
| Unfortunately, it also seems really hard to build many kinds of
| applications in a way that follows this line of thinking. I've
| been building a personal finance app with privacy in mind, but
| there are some places where you might begrudgingly "hold" a
user's data that are just unavoidable. For instance, if we want
| to be a serious competitor and have bank integrations, then plaid
| etc. will require you to run a server that can see the data, even
| if you don't want it.
|
| We also don't collect names in our app, just an email, but good
| luck collecting payments, avoiding fraud or reporting taxes
| without collecting name and address.
|
We've built our system to be as minimally invasive as possible
| above, financial data is only proxied to the user's device, never
| stored on the server), but that's only the "intention" part -
| there's just not a way to take the full measure.
___________________________________________________________________
(page generated 2024-03-28 23:00 UTC)