Newyana2 <Newyana2@invalid.nospam> wrote

> Actually, this subthread started with Carlos attacking
> Arlen for caring about privacy.

One of my degrees is in microbiology - where I happen to do minor kitchen
things that most people might think absurd, e.g., whenever I have extra
boiling water, I immerse the kitchen sponge or cutting boards in it, as
just one example of simple common daily kitchen hygiene activities.

Is that being paranoid?
Or is that simply understanding basic bacterial hygiene?

I also refrigerate cooked pasta and rice within an hour or two.
Instead of leaving it out for days, as many other people have done.
(Some of whom are now dead as a direct result, by the way.)

Why do I do those things when _they_ wouldn't even think of doing them.
a. One is rather minor (almost daily) kitchen hygiene, while
b. the other could be extremely deadly.

That's the range of kitchen hygiene - from minor to serious.

Would (or even could) anyone completely uneducated like Carlos is ever
have any understanding given his lack of background in bacteriology,
virology, mycology, parasitology, immunology, physiology, organic
chemistry, biochemistry, inorganic chemistry, physics, etc.?

To ignorant people, even the simplest of cautions, is "paranoid".
As it is with privacy and security.

Yet... they lock their phone with pins and fingerprints and faces.
WTF?

What's the threat model?
Is everyone out to get them who lives in their home & neighborhood?

Do they live in the slums of New York (ala 'da Bronx) such that every
person in close proximity is their biggest threat to their data?

Or is it something else?
Something on the Internet instead of in your own kitchen?

People who are both well educated & intelligent enjoy the luxury of
deciding what threats are minor and which are quite serious.

Those, like Carlos, who lack both, can never make that judgment call.
And yet, they do.

As with many to the left of the first D-K quartile, folks like Carlos have
extremely strong opinions based on absolutely no facts whatsoever.
--
BTW, I abhor 2FA/MFA for the same reasons as other knowledgeable people do.

Adults need to keep in mind those like Carlos & Rudy Wieser lack education.
More accurately, they lack intelligence which begat that lack of knowledge.

Those people (who lack intelligent & education) make their "decisions"
(like 2FA/MFA) because Google & Apple & Microsoft marketing told them to.

Marketing is very _happy_ to make those decisions for people like they are.
They don't own the intelligence or education to make their own decisions.

Hence, they dutifully implement exactly what marketing wants them to.
With nary a regret nor second thought about the ultimate consequences.

Like innocent sheep led by the nose to slaughter.

On 2023-11-24 18:36, Wally J wrote:
> Newyana2 <Newyana2@invalid.nospam> wrote
>
>> Actually, this subthread started with Carlos attacking
>> Arlen for caring about privacy.
>
> One of my degrees is in microbiology - where I happen to do minor kitchen
> things that most people might think absurd, e.g., whenever I have extra
> boiling water, I immerse the kitchen sponge or cutting boards in it, as
> just one example of simple common daily kitchen hygiene activities.
>
> Is that being paranoid?
> Or is that simply understanding basic bacterial hygiene?
>
> I also refrigerate cooked pasta and rice within an hour or two.
> Instead of leaving it out for days, as many other people have done.
> (Some of whom are now dead as a direct result, by the way.)
>
> Why do I do those things when _they_ wouldn't even think of doing them.
> a. One is rather minor (almost daily) kitchen hygiene, while
> b. the other could be extremely deadly.
>
> That's the range of kitchen hygiene - from minor to serious.
>
> Would (or even could) anyone completely uneducated like Carlos is ever
> have any understanding given his lack of background in bacteriology,
> virology, mycology, parasitology, immunology, physiology, organic
> chemistry, biochemistry, inorganic chemistry, physics, etc.?
>
> To ignorant people, even the simplest of cautions, is "paranoid".
> As it is with privacy and security.
>
> Yet... they lock their phone with pins and fingerprints and faces.
> WTF?
>
> What's the threat model?
> Is everyone out to get them who lives in their home & neighborhood?
>
> Do they live in the slums of New York (ala 'da Bronx) such that every
> person in close proximity is their biggest threat to their data?
>
> Or is it something else?
> Something on the Internet instead of in your own kitchen?
>
> People who are both well educated & intelligent enjoy the luxury of
> deciding what threats are minor and which are quite serious.
>
> Those, like Carlos, who lack both, can never make that judgment call.
> And yet, they do.
>
> As with many to the left of the first D-K quartile, folks like Carlos have
> extremely strong opinions based on absolutely no facts whatsoever.

Opinions totally unrelated.

--
Cheers,
Carlos E.R.

On Fri, 24 Nov 2023 11:54:51 +0100, "Carlos E. R." <robin_listas@es.invalid>
wrote:

>On 2023-11-23 03:40, Paul wrote:
>> On 11/22/2023 11:37 AM, John Hall wrote:
>>> In message <ks6666Fc3tjU1@mid.individual.net>, Carlos E. R. <robin_listas@es.invalid> writes
>>>> On 2023-11-22 09:30, Chris wrote:
>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>> Chris <ithinkiam@gmail.com> wrote:
>>>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>>>> Chris <ithinkiam@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Yes, they do, but the point is that a bad actor - someone who has
>>>>>>>> stolen/found the card - can use the credit card for many purposes,
>>>>>>>> including online transactions, *without* having/knowing the PIN code. In
>>>>>>>> many situations, the PIN code is not needed.
>>>>>>>
>>>>>>> Not sure what you mean by many purposes? All online transactions also
>>>>>>> require the cardholder's address and for larger/random transactions 2FA.
>>>>>>
>>>>>>    Hmm!? Not sure about the requirement for the cardholder's address, but
>>>>>> I don't have data to dispute your argument.
>>>>>  Admittedly from memory, that's been my experience.
>>>>
>>>> I don't remember any merchant requiring my address when paying online.
>>>>
>>>> Of course, some of them do, for deliveries. But others don't, like a cinema. A request for the address could be contested under data protection laws.
>>>>
>>>
>>> It's normal - possibly universal - to ask for the billing address (ie the address of the cardholder) here in the UK, which is a welcome safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter the wrong address then the attempt to use the card will be rejected by the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from the billing address.
>>
>> We're asked for a billing address and a shipping address here.
>>
>> And of course, if the two don't match exactly, "it ain't going".
>> They don't accept orders where the two addresses are different.
>
>Right now, they don't match for me, yet Amazon delivers, no problem. I
>had Amazon do deliveries for me on three different cities, not a problem.
>
>I didn't try to use it during my stay in Canada, I should have, for
>kicks. :-)

I don't think Paul was referring to Amazon. They couldn't care less whether the
Bill To and Ship To names and addresses match.

Come to think of it, I don't know of an online vendor that does care. There must
be one, somewhere.

On 2023-11-24 19:46, Char Jackson wrote:
> On Fri, 24 Nov 2023 11:54:51 +0100, "Carlos E. R." <robin_listas@es.invalid>
> wrote:
>
>> On 2023-11-23 03:40, Paul wrote:
>>> On 11/22/2023 11:37 AM, John Hall wrote:
>>>> In message <ks6666Fc3tjU1@mid.individual.net>, Carlos E. R. <robin_listas@es.invalid> writes
>>>>> On 2023-11-22 09:30, Chris wrote:
>>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>>> Chris <ithinkiam@gmail.com> wrote:
>>>>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>>>>> Chris <ithinkiam@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Yes, they do, but the point is that a bad actor - someone who has
>>>>>>>>> stolen/found the card - can use the credit card for many purposes,
>>>>>>>>> including online transactions, *without* having/knowing the PIN code. In
>>>>>>>>> many situations, the PIN code is not needed.
>>>>>>>>
>>>>>>>> Not sure what you mean by many purposes? All online transactions also
>>>>>>>> require the cardholder's address and for larger/random transactions 2FA.
>>>>>>>
>>>>>>>    Hmm!? Not sure about the requirement for the cardholder's address, but
>>>>>>> I don't have data to dispute your argument.
>>>>>>  Admittedly from memory, that's been my experience.
>>>>>
>>>>> I don't remember any merchant requiring my address when paying online.
>>>>>
>>>>> Of course, some of them do, for deliveries. But others don't, like a cinema. A request for the address could be contested under data protection laws.
>>>>>
>>>>
>>>> It's normal - possibly universal - to ask for the billing address (ie the address of the cardholder) here in the UK, which is a welcome safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter the wrong address then the attempt to use the card will be rejected by the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from the billing address.
>>>
>>> We're asked for a billing address and a shipping address here.
>>>
>>> And of course, if the two don't match exactly, "it ain't going".
>>> They don't accept orders where the two addresses are different.
>>
>> Right now, they don't match for me, yet Amazon delivers, no problem. I
>> had Amazon do deliveries for me on three different cities, not a problem.
>>
>> I didn't try to use it during my stay in Canada, I should have, for
>> kicks. :-)
>
> I don't think Paul was referring to Amazon. They couldn't care less whether the
> Bill To and Ship To names and addresses match.
>
> Come to think of it, I don't know of an online vendor that does care. There must
> be one, somewhere.

It would probably be illegal here to refuse delivery because they don't
match.

--
Cheers,
Carlos E.R.

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 2023-11-23 19:45, Chris wrote:
>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>> On 2023-11-22 19:32, Chris wrote:
>>>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>>>> On 2023-11-22 09:30, Chris wrote:
>>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>>> Chris <ithinkiam@gmail.com> wrote:
>>>>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>>>>> Chris <ithinkiam@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Yes, they do, but the point is that a bad actor - someone who has
>>>>>>>>> stolen/found the card - can use the credit card for many purposes,
>>>>>>>>> including online transactions, *without* having/knowing the PIN code. In
>>>>>>>>> many situations, the PIN code is not needed.
>>>>>>>>
>>>>>>>> Not sure what you mean by many purposes? All online transactions also
>>>>>>>> require the cardholder's address and for larger/random transactions 2FA.
>>>>>>>
>>>>>>> Hmm!? Not sure about the requirement for the cardholder's address, but
>>>>>>> I don't have data to dispute your argument.
>>>>>>
>>>>>> Admittedly from memory, that's been my experience.
>>>>>
>>>>> I don't remember any merchant requiring my address when paying online.
>>>>>
>>>>> Of course, some of them do, for deliveries. But others don't, like a
>>>>> cinema. A request for the address could be contested under data
>>>>> protection laws.
>>>>
>>>> How? Asking for additional personal information is common for verification
>>>> purposes.
>>>>
>>>
>>> If justified.
>>
>> Verifying your identity is justifying.
>>
>>> And they have to prove that they keep that information secure.
>>
>> Well yeah. That's basic GDPR.
>>
>>> Merchants are fined here for asking for too much information, that's a fact.
>>
>> How much is too much, for example?
>
> Making a photo of the ID card.

Wow. Really?

On 2023-11-24 22:48, Chris wrote:
> Carlos E. R. <robin_listas@es.invalid> wrote:
>> On 2023-11-23 19:45, Chris wrote:
>>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>>> On 2023-11-22 19:32, Chris wrote:
>>>>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>>>>> On 2023-11-22 09:30, Chris wrote:
>>>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>>>> Chris <ithinkiam@gmail.com> wrote:
>>>>>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>>>>>> Chris <ithinkiam@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Yes, they do, but the point is that a bad actor - someone who has
>>>>>>>>>> stolen/found the card - can use the credit card for many purposes,
>>>>>>>>>> including online transactions, *without* having/knowing the PIN code. In
>>>>>>>>>> many situations, the PIN code is not needed.
>>>>>>>>>
>>>>>>>>> Not sure what you mean by many purposes? All online transactions also
>>>>>>>>> require the cardholder's address and for larger/random transactions 2FA.
>>>>>>>>
>>>>>>>> Hmm!? Not sure about the requirement for the cardholder's address, but
>>>>>>>> I don't have data to dispute your argument.
>>>>>>>
>>>>>>> Admittedly from memory, that's been my experience.
>>>>>>
>>>>>> I don't remember any merchant requiring my address when paying online.
>>>>>>
>>>>>> Of course, some of them do, for deliveries. But others don't, like a
>>>>>> cinema. A request for the address could be contested under data
>>>>>> protection laws.
>>>>>
>>>>> How? Asking for additional personal information is common for verification
>>>>> purposes.
>>>>>
>>>>
>>>> If justified.
>>>
>>> Verifying your identity is justifying.
>>>
>>>> And they have to prove that they keep that information secure.
>>>
>>> Well yeah. That's basic GDPR.
>>>
>>>> Merchants are fined here for asking for too much information, that's a fact.
>>>
>>> How much is too much, for example?
>>
>> Making a photo of the ID card.
>
> Wow. Really?
>

Absolutely. This is an EU regulation.

<https://eldiariocantabria.publico.es/articulo/espanha/hacer-foto-dni-puede-salir-muy-caro-100000-euros-multa/20230325120250132990.html>

Taking a DNI photo can be very expensive: 100,000 euros fine

25 March 2023, 12:02 am

The Spanish Data Protection Agency (AEPD) has fined Orange €100,000 for
ordering delivery drivers to photograph the DNI in full as a security
method since 2018.

This practice was carried out for the use of the IdentService system
when delivering parcels. However, the legality of this practice is not
guaranteed, so the AEPD intervened following a complaint from an Orange
customer who went with a delivery driver from General Logistics Systems
Spain (GLS) to a Civil Guard police station in Murcia to report that he
was required to take a photograph of his ID card as a condition for
delivering a mobile device he had purchased.

GLS explained that Orange requested this photograph to verify that the
order was delivered, according to the sanctioning resolution, and
confirmed that this method had been used for at least the last three
years as a requirement demanded by the telephone company with which it
had this clause established by contract.

For the purposes of out-of-court complaints, these photographs of his
customers' identity documents were kept for one year, and for a further
four years for proof of delivery as a commercial document. They were
stored on a server but not on the delivery person's terminal.

For its part, Orange stated that before sending the product, it sent the
customer an e-mail informing him that, for security reasons, the ID card
with which he had purchased the product could be digitised at the time
of delivery. They added that these conditions were detailed on the website.

The AEPD considered that there were clear indications that Orange had
violated Article 5 of the General Data Protection Regulation, which
refers to processing, by imposing a condition for delivery of the
photograph of their identity document. This was ruled to be an abusive
practice.

The Agency insists that there are procedures for identification when
delivering less aggressive products. The resolution adds that, according
to the General Data Protection Regulation (GDPR), "the processing of
personal data must be adjusted and proportionate to the purpose for
which it is intended, clearly determining the purposes for which the
data are collected and processed, and the processing of excessive data
must be restricted or the data must be deleted".

In view of this abusive practice, the authority imposed a fine of
100,000 euros, which is not final and may be appealed before the
Administrative Chamber of the National High Court.

<https://www.diariosur.es/economia/mibolsillo/aepd-multa-empresa-alquileres-turisticos-pedir-foto-dni-20230516202721-nt.html>

Tourist rental company fined for asking for ID photo and selfie of clients

Susana Zamora

Tuesday, May 16, 2023 | Updated 17/05/2023 12:42h.

The Spanish Data Protection Agency (AEPD) has fined a tourist rental
company 75,000 euros for requesting "unnecessary" data and not informing
the client correctly about the processing of the data. In this case,
during the booking process, the complainant was forced to check in
online and was asked to fill in a form with the postal address,
telephone number, email address, ID photographed on both sides and even
a selfie of the guests. The user was urged to send an email if she did
not wish to receive advertising offers, but was not given the option to
directly refuse to receive the offers.

The entity did not provide a clear reply and did not provide the
information in a transparent manner. For this reason, the interested
party filed a complaint with the AEPD, which sent a request for
information to the entity.

When the complainant expressed her dissatisfaction with the company's
excessive request for data, it replied that it only had the data it had
provided to Airbnb, the platform through which they had made contact.
The rest of the data, according to the company, had been collected
because, in Catalonia, they have to transfer travellers' data to the police.

Adequate, relevant and limited" data

According to the ruling, personal data must be "adequate, relevant and
limited to the need" for which they were collected, so that if the
objective pursued can be achieved without excessive data processing,
"this must be done in any case".

In the present case, the respondent processed various personal data such
as name, surname, telephone number, e-mail address, postal address,
image of the ID card on both sides. "And not all of them are necessary
either to provide the service of renting holiday flats or to comply with
the obligation to register persons staying in accommodation
establishments in Catalonia required by Article 2 of Order IRP/418/2010,
of 5 August, on the obligation to register and report to the Directorate
General of Police of persons staying in accommodation establishments
located in Catalonia," the agency concludes.

Following the complaint filed by the client, the company did not present
any allegations or evidence to refute the alleged facts. For this
reason, the Spanish Data Protection Agency has imposed a fine of 25,000
euros for infringing Article 5 of the GDPR and 50,000 euros for
violating Article 13 of the same regulation.

--
Cheers,
Carlos E.R.