> we are concerned that SB2420 impacts the privacy of users by requiring the collection of sensitive, personally identifiable information to download any app, even if a user simply wants to check the weather or sports scores.

Avoiding the collection of user data in the first place (if it's possible) is exactly the correct approach to user privacy.


Soo the strongest form of privacy protection isn't better storage or better policies, it's simply not creating the data in the first place
Instead of fixing consequences, eliminate the cause? It sounds almost like common sense.

I think most laws should look reasonable from the common-sense viewpoint. And when they don't, there should be a serious explanation.

Privacy legislation and infrastructure are both designed to eschew common sense. It's how the fed gets away with installing backdoors in iOS and Android: https://arstechnica.com/tech-policy/2023/12/apple-admits-to-...
Beautiful :-\ But it's not a backdoor on devices, it's eavesdropping on push notifications when they pass through Google's or Apple's servers.

Corollary: a secure notification should consist of a link with a random number token which opens the real message via an authenticated API on an encrypted channel. Would look a bit weird though. iOS at least has silent notifications for that.

No company in the US has any choice when Federal, State, or local officials get a court warrant and want data on your server.

That's why the surveillance capitalism business model is so dangerous. If you hoard user data to make ad sales more profitable, you put your users at risk.

If app developers want to pass customer data in notifications, the data they are passing should be encrypted so that Apple (or Google) doesn't have access.

You can't hand over what you can't access.

As they say in Apple's developer docs:

> Important
>
> Don’t include customer information or any sensitive data, like a credit card number, in a notification’s payload. If you must include customer information or sensitive data, encrypt it before adding it to the payload.
>
> You can use a notification service app extension to decrypt the data on the user’s device.

https://developer.apple.com/documentation/usernotifications/...
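The design sketched in the two comments above (a push that carries only a random token, redeemed later over an authenticated channel, so the relay never sees customer data) as an added, stand-alone example; it is not code from the thread or from Apple's documentation. `MessageStore`, `build_push_payload`, `payload_leaks`, `sign_redeem_request`, `handle_redeem`, the custom `msg_token` key and the `DEVICE_KEYS` table are hypothetical names and constructed sample data; `aps`, `alert` and `mutable-content` are real APNs payload keys.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample: per-device keys a real app would establish at registration
# (over TLS, stored in the keychain). Hypothetical values.
DEVICE_KEYS = {"device-A": b"key-for-device-A", "device-B": b"key-for-device-B"}


class MessageStore:
    """Server-side map token -> (message, owning device, expiry). Hypothetical name."""

    def __init__(self, ttl_seconds=300):
        self._items = {}
        self.ttl = ttl_seconds

    def put(self, device_id, message, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
        self._items[token] = (message, device_id, now + self.ttl)
        return token

    def redeem(self, token, device_id, now=None):
        now = time.time() if now is None else now
        entry = self._items.pop(token, None)  # single use: a replayed token yields nothing
        if entry is None:
            return None
        message, owner, expiry = entry
        if owner != device_id or now > expiry:
            return None
        return message


def build_push_payload(token):
    """What actually goes through APNs: a generic alert plus an opaque reference.
    mutable-content=1 lets a notification service extension rewrite the alert
    on the device once the real message has been fetched."""
    return {
        "aps": {"alert": {"title": "New message"}, "mutable-content": 1},
        "msg_token": token,  # hypothetical custom key carrying only the token
    }


def payload_leaks(payload, secret_text):
    """True if the plaintext would travel through the push relay's servers."""
    return secret_text in json.dumps(payload)


def _redeem_message(device_id, token, ts):
    return f"{device_id}|{token}|{ts}".encode()


def sign_redeem_request(device_id, token, ts):
    """Device side: authenticate the redeem request with HMAC-SHA256 over the per-device key."""
    mac = hmac.new(DEVICE_KEYS[device_id], _redeem_message(device_id, token, ts), hashlib.sha256)
    return {"device_id": device_id, "token": token, "ts": ts, "mac": mac.hexdigest()}


def handle_redeem(store, request, now=None, max_skew=60):
    """Server side: check freshness, verify the MAC in constant time, then release the message."""
    now = time.time() if now is None else now
    key = DEVICE_KEYS.get(request["device_id"])
    if key is None or abs(now - request["ts"]) > max_skew:
        return None
    expected = hmac.new(
        key, _redeem_message(request["device_id"], request["token"], request["ts"]), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, request["mac"]):
        return None
    return store.redeem(request["token"], request["device_id"], now)


if __name__ == "__main__":
    store = MessageStore()
    token = store.put("device-A", "Your balance is $4,321")
    print(json.dumps(build_push_payload(token)))          # no customer data in here
    print(handle_redeem(store, sign_redeem_request("device-A", token, time.time())))
    print(handle_redeem(store, sign_redeem_request("device-A", token, time.time())))  # None: single use
```

The relay (and anyone with a warrant for the relay's logs) sees only the random token and a generic title; the message itself is released once, to the device that owns it, within a short window, and only to a request that carries a valid HMAC. Compared with encrypting the payload in place, this also keeps the ciphertext size and timing off the relay, at the cost of one extra round trip from the notification service extension.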

"We kill people based on metadata"

- Former NSA General Michael Hayden

Yes. It's more secure to have your website simply not require the user's SSN than to implement the best security in the world to handle their SSN.
