
Reads a bit like it could have been a dealership or dealer network that was breached.



No dates or timestamps included meaning they were using the data to build a social graph.


I've implemented self-serve analytics at three organizations successfully. It's important your data is well organized, well labeled/defined, and the BI tool needs to allow you to configure guardrails around how data is queried. I have used Looker as the BI tool at all three organizations. End users do not need to even define joins. They just select the grouping and aggregate columns they want to return and click run, then configure their visualization from the data. It is true that some users are not data literate and still will not run their own queries, but from my experience a lot of non-technical business users love being able to easily explore data themselves, and the business receives a lot of value from it.


I was always told it's because as you age a year becomes a smaller portion of your life. When you are 35 a year is 1/35th of your life, compared to 1/5th as a 5 year old.


Ilya has backtracked and signed the letter saying he would also leave to Microsoft if the board doesn't resign.


In one fell move he demonstrated he had neither conviction nor any foresight, ouch. I'm starting to believe this was just an unthought-out, emotional ego reaction by Ilya. Dude is like Walter White; he just "had to be the man".



Wtf? Isn't he on the board?


Ilya signed a letter asking 4 members of the board to resign, including Ilya himself. He even posted a public apology for his actions on X https://twitter.com/ilyasut/status/1726590052392956028

Yes, this is probably the biggest self-own in corporate history.


> It is important to note that the exposed details do not constitute personally identifiable information, so it wouldn't be possible to use this data leak to track individuals

The data included timestamped GPS data, which has been demonstrated to be easy to de-anonymize.


Yeah, companies seem to think that "personally identifiable information" is basically just your name. That's clearly wrong because GPS data and VIN make it extremely straightforward to figure out who a car owner is.

As far as I'm concerned, this is PII. That statement is a bald-faced lie and a state AG should bring charges over this - it's extraordinarily irresponsible for Toyota to collect this data and then leak it for TEN YEARS.


"Personally identifiable information" is a legal term with a legal definition[1], and location data is not PII. Companies think that PII is basically just your name because that's literally true: PII means name and government-issued ID number. That's it. Everything else is not PII.

Relatedly, PII sucks as a basis for privacy law. The laws enshrining PII were made in response to identity theft[2], and that's the "threat model" those laws are protecting against. They do a reasonable job protecting against that threat model, but are very narrowly-focused on that threat model.

Fine-grained location data is absolutely sensitive data, and any non-braindead privacy legislation would consider it as such. The US lacks such legislation. It would be considered Personal Data under GDPR, and Personal Information under CCPA.

[1] Actually like 400 definitions in 400 different laws, but there's a lot of similarity.

[2] Specifically, the first data breach notification law was made in response to lawmakers being the victims of identity theft. This is a common thread in US privacy laws. See also Robert Bork.


https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

GDPR accepts that a person can potentially be identified with reference to location data.

Anyway, "Personally identifiable information" is a weird term. A person can be identifiable in various ways. Information is just information. GDPR doesn't use this term.


Thank you, I was just about to link this.


> "Personally identifiable information" is a legal term with a legal definition

In the U.S., the definition of PII varies depending on which federal department regulates your company.

My company's legal department recently sent down new PII rules, with links to the relevant federal agencies' policies. Much purging of log files ensued.

I think most tech people would be shocked to see what very basic information some federal agencies consider PII.
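An added example (not code from any commenter) of the kind of log purging that comment describes: a scrubber that redacts VINs, GPS coordinates and email addresses from log lines before they are stored, with an optional coarsening mode for coordinates. The log format, field names and sample values are constructed assumptions.

```python
import re

# Constructed sample log lines; the VIN, coordinates and address are made up.
SAMPLE_LOG = [
    "2023-04-17T09:12:03Z telematics vin=1HGCM82633A004352 lat=35.689487 lon=139.691711 speed=42",
    "2023-04-17T09:12:09Z auth user=alice@example.com login ok",
    "2023-04-17T09:12:15Z health check ok",
]

# A VIN is 17 characters drawn from [A-HJ-NPR-Z0-9]; I, O and Q are never used.
VIN_RE = re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")
# Decimal coordinate fields; the key names are an assumption about the log format.
GPS_RE = re.compile(r"\b(lat|lon|latitude|longitude)=(-?\d{1,3}\.\d+)\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pii_findings(line: str) -> list:
    """Return the categories of personal data found in a line (useful as a pre-storage check)."""
    found = []
    if VIN_RE.search(line):
        found.append("vin")
    if GPS_RE.search(line):
        found.append("gps")
    if EMAIL_RE.search(line):
        found.append("email")
    return found


def scrub(line: str, coarse_decimals=None) -> str:
    """Redact VINs and emails; drop coordinates entirely, or round them to
    coarse_decimals places when an aggregate (non-tracking) use still needs them.
    Note that coarsened coordinates plus timestamps can still identify a home address,
    so full redaction is the default."""
    line = VIN_RE.sub("[VIN]", line)
    if coarse_decimals is None:
        line = GPS_RE.sub(lambda m: f"{m.group(1)}=[GEO]", line)
    else:
        line = GPS_RE.sub(
            lambda m: f"{m.group(1)}={float(m.group(2)):.{coarse_decimals}f}", line
        )
    return EMAIL_RE.sub("[EMAIL]", line)


def scrub_log(lines, coarse_decimals=None) -> list:
    """Scrub every line; a second pass confirms nothing detectable slipped through."""
    cleaned = [scrub(l, coarse_decimals) for l in lines]
    leaked = [l for l in cleaned if "vin" in pii_findings(l) or "email" in pii_findings(l)]
    if leaked:
        raise ValueError(f"scrubbing left personal data in {len(leaked)} line(s)")
    return cleaned
```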


That's why I think PII is a completely worthless term.


Not quite. An email address plus an address could be PII.


But the VIN number was available, as it says right below that.

I mean, does anyone think there HASN'T been a leak of VIN numbers and owners that would be trivial to join with this?

It's also kind of staggering how long this was a problem:

> Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years, between November 6, 2013, and April 17, 2023.


In my state, anyway, vehicle registrations are public information. If you have a VIN or license plate #, you can get the identity and address of the person the car is registered to, and if you know the name and address of a person, you can get the VINs/plate #s of the vehicles registered to them.


I don't think it's indicative in any way of how long this problem has been here? Unless I misunderstood, because after re-reading I guess I see how you did read it.


It could be read the other way, but the title and first sentence seem to imply that there was a bug for 10 years,

not that 10 years of data was exposed for a short period.


All of five seconds. Where does the car park at night? Put the address into https://www.fastpeoplesearch.com/address


This is why I park in front of my neighbor's house. :)

While I don't do that, I do always use a nearby neighbor's address for my Google Maps directions. I'm sure Google isn't fooled but it amuses me.


I do the same thing; there's a small historic landmark several blocks from me but on the right streets to be useful for traffic scanning. I'm not really sure why I do it, it can't fool anyone, but it also amuses me slightly.


Can't believe that this stuff is legal.


In this example there is enough evidence the suspect has been arrested by police, which is a public record. Not remotely the same as the Boston bomber reddit-misidentification case.


It is every bit the same and every bit as shitty a metric. Remember Richard Jewell?

The man's only crime was being the first person to find a live bomb and help people escape it before it then detonated and killed 100+ others. The fucker was a literal goddamn hero.

But then the media implied he was a sad loser rent-a-cop who planted a bomb so he could find it and pretend to be someone important for a day. It was absolutely depraved, and that's before the FBI started harassing him.

But hey, all's fair for anyone named as a suspect by law enforcement. They always get it right the first time around. Everyone who gets arrested is later convicted. They always kick down the right door before sending the SWAT team in.

Fuck internet vigilantes, and the FBI.


I agree, but we can't only have this discussion when someone wealthy is implicated in a crime. On any other given day the SF carceral brigade is out for blood. Just recently a prominent person was talking about bringing back lynching. So when they suddenly start waxing on about the rights of the suspects, we should absolutely press them on their change of heart.


I agree with you too, but don't think holding politicians to their lies or fixating on class warfare is really the most pressing part of the situation. He's calling for lynchings because he knows there's a receptive audience for it.

That's the part you should be most worried about, because a mob so empowered could just as easily turn its gaze to you. Good luck trying to be a nuisance to that prominent person once the mob gets a taste for blood. Before participating in doxxing frenzies or lynch mobs, nobody ever stops and thinks "what if this guy didn't actually do it?"

No expansion of the carceral state required, we'll just deputize an angry mob to play the part of Executioner.


I guess, but I see this all as connected. The person (Michelle Tandler, if you’re wondering) wasn't calling for lynching because she knew she’d get clicks. She was doing it because she thinks police are breaking the social contract: she’s a wealthy white woman, cops exist to make her feel comfortable by violently subjugating poor Black and brown people, and they’re not doing it enough for her.

So yes, vigilante justice is bad, mobs are bad. But crime is also a social construct. We literally decide what is and is not illegal - aka what is and is not “vigilante justice” — and I don’t think it’s necessarily worse to find yourself in the crosshairs of an angry mob than the crosshairs of a cabal of bloodthirsty tech execs aiming the state’s monopoly on violence at you.


> I agree, but we can't only have this discussion when someone wealthy is implicated in a crime.

We don't.

If you're serious about this, you're also responsible for not pushing for doxing of random suspects. You can't argue that there are good witch hunts and bad witch hunts.


Are we reading the same Hacker News? I see people advocating for extreme punitive measures and expanding the carceral state all the time on here.


Richard Jewell who was never charged?


Love to see it. We (CoreDB) recently released PGMQ, a message queue extension for Postgres: https://github.com/CoreDB-io/coredb/tree/main/extensions/pgm...


Perhaps you mean https://github.com/CoreDB-io/coredb/tree/main/extensions/pgm...

Your link results in a 404.


Yes, copy/paste error just fixed!


Also see Apache Age, a graph database extension for Postgres: https://github.com/apache/age


Vinyl chloride is a declared brain, lung, blood, and liver carcinogen.

https://www.fastcompany.com/90848025/ohio-train-derailment-t...

