
The other day I made an eBay account, and in order to raise the maximum sale amount beyond $1000 eBay made me answer personal questions about my relatives, information that they had apparently found out from some commercial database, which I'm sure will then be fed back into that database. Not really sure how I feel about that.



It's called knowledge-based authentication, a kind of identity proofing. This could conceivably be implemented such that your personally identifiable information stayed with the third party (who already has it) and never crossed eBay's path, though I don't know if that's the case here.

Credit agencies already have this information about you, so it's perhaps no surprise Equifax is the first result for "identity proofing" on Google.


I've had to do that before when applying for a credit card, but the information wasn't very accurate. They were asking a bunch of questions about my mortgage, which I've never had. Eventually I realized they had somehow gotten my parents' mortgage attached to my name (possibly because I was on one of their credit card accounts years ago?), and once I realized that, I was able to answer the questions correctly by asking my parents what to answer. But, not too impressed.


Always happens to me too. Except I have the same name as my Dad so things are even more confusing. They tend to ask me the name of my brother and his birthdate etc... Except I don't have a brother. Usually if I enter the info of my Dad's brother it gets processed as correct.


That's committed a criminal offence in the UK.

I'm assuming you're in the US. You need some sensible privacy laws.


Which part? The questions themselves or the commingling of credit histories?


Storing information insecurely, releasing someone else's data without their permission, etc.

EDIT: Here's the official guidance from the regulator: (http://www.ico.gov.uk/for_organisations/sector_guides/financ...)

(http://www.ico.gov.uk/for_the_public/topic_specific_guides/c...)

Page 12 of this document talks about "associations" (http://www.experian.co.uk/downloads/consumer/creditRefAgency...) - credit reference agencies cannot use data about one person at an address to rate a different person at that address, even if they have the same surname, unless there is some financial link.


Re: "associations," I doubt very much it's intentional; more likely a mixup in the data.


When entities with access to your credit history do that, they present a mixture of true and false questions. It's quite possible they were expecting you to say that, no, you didn't have that mortgage.


I've had a similar experience; despite repeated attempts to correct it, my dad's AmEx invariably shows up on my Equifax report. Apparently I've had quite a nice line with them since I turned 8.


You might want to check your credit report.


Really?! It's like a sneaky background check.

Can you clarify: Were you selling something for more than $1000 or buying something for more than $1000?

What were the questions exactly (not stating the personal data of course)? And how were you supposed to answer, i.e., did you have to type in names and addresses, or pick the answer from a multiple choice list, or what?


I was selling something for over $1000. The questions were something like:

"Which of these cities did [Grandmother's name] own property in."

"Which of these people are related to you?"

The questions themselves are relatively innocuous, but the entire situation of where the information comes from and how my answers get used is rather disconcerting on multiple levels, especially since there really isn't enough information to make an intelligent decision.


Also kind of makes you realize how little protection those standard "secret questions" for password recovery offer. Mother's maiden name, father's middle name, where did you go to high school.... it's all in a database somewhere.


Sounds like you feel over $1000 about that. Yeah, creepy.


I'm not sure why you were downvoted. I read your comment to mean "it seems that the loss of privacy due to divulging/verifying the information was worth less than $1,000 to you."

This is a completely rational interpretation of this specific situation and the freemium/"your information is our product" business model.


It's actually not especially rational, because:

- There's no way to know what the actual ramifications are.

- There's no way to measure those against the other things that I'm already doing.

I already do Google searches and watch YouTube videos on my own computer from my own WiFi network, and I also use a debit card, have an EZ Pass, use a cell phone, etc. As I'm sure do most people reading this.

There's zero way for anyone to really know how our actions will affect us in the future. For all we know, opting out may be worse than opting in when it comes time to get insurance, get a loan, apply for a job, etc.

It's certainly creepy when you're actually confronted with all the information that's floating around about you head on, but it's not at all clear what it all means or how it actually affects you. And believe me, I've read several books on privacy, Internet privacy specifically.


I am really confused with your comment, in fact I am not really sure that you and I are talking about the same thing. Before we go any further down the rabbit hole let's make sure we are on the same page:

- There's no way to know what the actual ramifications are.

- There's no way to measure those against the other things that I'm already doing.

Huh? What role do those two statements have to do with the discussion?

I commented that the downvoted parent was a rational interpretation of the situation; you seem to be talking about the rationality of supplying the information to eBay. I did not comment on whether it was rational to supply the information to eBay because I have no concept of your utility schedule.

I am not sure what books you have read about privacy that have not exposed you to an economic analysis of privacy; especially books on Internet privacy. Seriously? What books are you reading?

There is a long history of economic analysis of privacy; Judge Posner published some seminal papers in the late 70s and early 80s [1][2]. A good place to do more research would be any one of the ten or twelve proceedings from the Workshop on the Economics of Information Security [3] or one of the intro pages by the big professors in the field such as Acquisti[4], Anderson[5] or Ross[6]. Given that you "already do Google searches and watch YouTube videos on my own computer" Prof. Acquisti's introduction to the field seems prescient and especially apropos:

"Behind a privacy intrusion there is often an economic trade-off. The reduction of the cost of storing and manipulating information has led organizations to capture increasing amounts of data about individual behavior. The hunger for customization and usability has led individuals to reveal more about themselves to other parties. New trade-offs have emerged in which privacy, economics, and technology are inextricably linked: individuals want to avoid the misuse of the information they pass along to others, but they also want to share enough information to achieve satisfactory interactions; organizations want to know more about the parties with which they interact, but they do not want to alienate them with policies deemed as intrusive.

Is there a combination of economic incentives and technological solutions to privacy issues that is acceptable for the individual and beneficial to society? Is there a sweet spot that satisfies the interests of all parties? The papers, people, and conferences listed below try to address some of these issues."

[1] Richard Posner. An economic theory of privacy. Regulation, 19-26, 1978.

[2] Richard A. Posner. The economics of privacy. American Economic Review, 71 (2): 405-409, 1981.

[3] http://weis2012.econinfosec.org/past.html

[4] http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm

[5] http://www2.sims.berkeley.edu/resources/infoecon/

[6] http://www.cl.cam.ac.uk/~rja14/econsec.html


"Huh? What role do those two statements have to do with the discussion?"

Because it doesn't make any sense to say that I decided my privacy was worth less than $1000 dollars if there is no way for me to rationally quantify or put a value on whatever privacy I was giving up.

"Seriously? What books are you reading?"

Mostly Jeffrey Rosen and Daniel Solove, so I haven't read much about this kind of economic analysis. Sounds interesting though, I'll check out some of those links.



