Page 3 of 3 FirstFirst 123
Results 51 to 72 of 72
  1. #51
    Join Date
    Feb 2004
    Location
    Scotland
    Posts
    2,833
    Quote Originally Posted by nibb View Post
    So, no you are incorrect here. The HASH is not private data, its a hash, can be used to identify someone? Yes, and so can an IP address, a GUID in a software, a serial in a software, each unique Windows Installation, every single logging to some website, etc.
    You completely miss the point a few of us (including the person you replied to) were making. It's not hashing the data that is the problem, it's not the company in question reading or storing the hash that's the problem, the problem is that this hash is allocated to a specific person based on their details and anyone else searching this public database can get further details about this client just by matching the hash of their data.

    This isn't a hidden method to create this hash, it's publicly shared with everyone who uses this site. It's not even close to being the same as a serial for a software. It's really no different to searching for the phrase "John Doe" and "john@doe.xyz" and getting back that he is an abusive customer who makes chargebacks. The difference is being pointed to here as you are not searching for the name but instead a hash, but either way it is still a string that personally identifies this specific individual.

    I honestly don't know whether this would fall outside of the privacy laws of various countries or not, but most if not all of those dismissing it because it is "only a hash of data" are just using guesswork to run their businesses without actually checking with the proper people if it is allowed or not.

  2. #52
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by Wullie View Post
    You completely miss the point a few of us (including the person you replied to) were making. It's not hashing the data that is the problem, it's not the company in question reading or storing the hash that's the problem, the problem is that this hash is allocated to a specific person based on their details and anyone else searching this public database can get further details about this client just by matching the hash of their data.

    This isn't a hidden method to create this hash, it's publicly shared with everyone who uses this site. It's not even close to being the same as a serial for a software. It's really no different to searching for the phrase "John Doe" and "john@doe.xyz" and getting back that he is an abusive customer who makes chargebacks. The difference is being pointed to here as you are not searching for the name but instead a hash, but either way it is still a string that personally identifies this specific individual.

    I honestly don't know whether this would fall outside of the privacy laws of various countries or not, but most if not all of those dismissing it because it is "only a hash of data" are just using guesswork to run their businesses without actually checking with the proper people if it is allowed or not.
    I think they are based in Turkey, so good luck trying to apply them the US laws even if you where right. Even in the US you would have a very hard time trying to prove this is illegal, as allot of other systems can be applied to the same rules, the whole Internet almost...even companies like Apple would be sued which make allot more than just identify a customer on each device, this is only personal identification, companies like Apple not only do that, but they even go as far as tracking usage and location !!!
    Last edited by nibb; 12-03-2012 at 05:02 PM.

  3. #53
    Join Date
    Feb 2004
    Location
    Scotland
    Posts
    2,833
    Quote Originally Posted by nibb View Post
    I think they are based in Turkey, so good luck trying to apply them the US laws to them even if you where right.
    I'm not trying to apply any laws to them, but the hosts who are using them need to abide by their own local laws and I personally think the argument that "it's hashed so it's fine to share, even though others can identify and get more details about the customer" is seriously flawed and some people could be operating outwith the laws/regulations they are required to follow.

  4. #54
    Join Date
    Jun 2009
    Posts
    74
    Anycomapny using a UUID for their own purposes has nothing to do with this. For this to be the same Apple for example would have to publish something like a list of browsing history for each UUID and their algorithm for generating the UUID.

    Thats really nowhere near the same as what FraudRecord is doing because they are publishing their hashes with reputation information and including how to generate the hash to create the connection when the same information is being used.

    Like I said even if they are not based in the US, US law could still apply depending on the circumstance. For example where is their server located, do they "do business" in the US, ect.

    Regardless as a US host US law applies to me. If I decline a client because of data obtained from a Consumer Reporting Agency I am required to notify them.

  5. #55
    Join Date
    Jun 2005
    Posts
    3,455
    How is this different from Apple having your name, address, credit card, devices activated, GPS location and even usage?

    How is this different from Google having a unique installation for their products and requiring you to log into Google account where most of your data is stored to use some services?

    How is this different from Facebook sharing all your data with almost everyone that makes a plugin or app for them not to mention almost every advertiser that publishes ads on Facebook?

    If the company puts this in the TOS, that the data of the customer will be hashed and send to a third party, this is no different than what Facebook does, which does not even hash data in the first place before sharing. If the customers signs up and accepts this in the TOS I donīt see a problem with it.

    If this would be illegal, even in the US, then Facebook would be the first one to go down. Any company can decline any customer if they choose so. Its done every single minute, in particular with hosting companies. Using information to decide if yes or no, is no different than using your own internal fraud methods.
    Last edited by nibb; 12-03-2012 at 05:38 PM.

  6. #56
    Join Date
    Jun 2009
    Posts
    74
    Quote Originally Posted by nibb View Post
    How is this different from Apple having your name, address, credit card, devices activated, GPS location and even usage?

    How is this different from Google having a unique installation for their products and requiring you to log into Google account where most of your data is stored to use some services?

    How is this different from Facebook sharing all your data with almost everyone that makes a plugin or app for them not to mention almost every advertiser that publishes ads on Facebook?
    In the case of Apple and Google that's all internal use, nowhere does it talk about sharing.

    In the case of Facebook you are opting in to the sharing by using the app and I am sure it says something to that effect in their privacy policy.

    The deal with FraudRecord is it is sharing information that may be regulated. In the case of being designated a Consumer Reporting Agency that's because the information they share is about someones reputation if US law would in fact apply which I stated in my first post I am not sure if it would, that was mentioned for completeness.

  7. #57
    Join Date
    Feb 2004
    Location
    Scotland
    Posts
    2,833
    Quote Originally Posted by nibb View Post
    How is this different from Apple having your name, address, credit card, devices activated, GPS location and even usage?

    How is this different from Google having a unique installation for their products and requiring you to log into Google account where most of your data is stored?
    You are comparing apples to oranges. (or googles )

    1) A public database where anyone just by knowing a few details about me can search for details and get results, which also gives them more details about me and what I did.

    2) A database that is not publicly shared, at least not in any way that can be tied to an actual individual. It doesn't matter if I know your details, I can't get your UUID or match anything else to you as an individual.

    If this record simply said "someone performed a chargeback" and wasn't tied to a specific person using their details then that is one thing, but this is basically taking details of a person and then coming back saying "This person performed a chargeback". That is specific to that individual, on a publicly accessible database which nobody verifies the authenticity of the submissions.

    How can you compare the 2?

  8. #58
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by Ryan524 View Post
    In the case of Apple and Google that's all internal use, nowhere does it talk about sharing.

    In the case of Facebook you are opting in to the sharing by using the app and I am sure it says something to that effect in their privacy policy.

    The deal with FraudRecord is it is sharing information that may be regulated. In the case of being designated a Consumer Reporting Agency that's because the information they share is about someones reputation if US law would in fact apply which I stated in my first post I am not sure if it would, that was mentioned for completeness.
    Sure, but if the customers accept this info to be shared in the TOS, just like you do with Facebook, what defines what data is regulated and what no?

    As far as I see, Facebook data is not regulated either and they share it for "financial" reasons.

    This service shares it for screening purposes, or anti fraud.

  9. #59
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by Wullie View Post
    You are comparing apples to oranges. (or googles )

    1) A public database where anyone just by knowing a few details about me can search for details and get results, which also gives them more details about me and what I did.

    2) A database that is not publicly shared, at least not in any way that can be tied to an actual individual. It doesn't matter if I know your details, I can't get your UUID or match anything else to you as an individual.

    If this record simply said "someone performed a chargeback" and wasn't tied to a specific person using their details then that is one thing, but this is basically taking details of a person and then coming back saying "This person performed a chargeback". That is specific to that individual, on a publicly accessible database which nobody verifies the authenticity of the submissions.

    How can you compare the 2?
    How exactly would you do the search if the data is hashed? You need something to match against it, which means you already know the customer data in the first place. Its not a public database where you search a name and get back results. You need the data in the fist place to try to match it to a specific hash.

  10. #60
    Join Date
    Sep 2012
    Location
    Estonia
    Posts
    164
    Quote Originally Posted by nibb View Post
    How exactly would you do the search if the data is hashed? You need something to match against it, which means you already know the customer data in the first place. Its not a public database where you search a name and get back results. You need the data in the fist place to try to match it to a specific hash.
    They use salted hashes so even public name database would be of no use.

  11. #61
    Join Date
    Jun 2009
    Posts
    74
    Well that's something you should consult with an attorney with as to what can be shared and when, and if the user has to opt in to letting it be shared. I am simply making the point that hashing IMO still constitutes share information and explained why. And yes they do hash it, with the same publicly known value, which means I can generate a table of equivalents or just do a live brute force if I want to. Regardless both hosts the reporting host and requesting host can know with a level of certainty they are talking about the same original value thus how is that different as if they shared the original value directly other than the middle man (Fraud Record) doesn't know the original value.

    When it comes to the internet and the fact that international boundaries are crossed things can get complicated quick. I am simply saying that since hashes are designed to to always result int he same hash from the same initial value and rarely (if ever) generate the same hashed value from different initial values is effectively the equivalent of the original data and likely to be subject to the same regulations again in my opinion.

    I am just stating you should consider it carefully before sharing information with such a service or even using information from such a service before just doing so because it MAY cause legal problems if you violate applicable regulations. The line the OP keeps using that says no information is being shared in in my opinion inaccurate because of the consistency of hashing, actually if hashing wasn't consistent you would keep getting false positives and negatives and such a service would be useless.

    And yes this would apply to use of a service like maxmind too. I personally authorize the charge only but don't complete the transaction until I have manually reviewed the signup and in many cases have even spoken with the customer on the phone.
    Last edited by Ryan524; 12-03-2012 at 05:56 PM.

  12. #62
    Join Date
    Feb 2004
    Location
    Scotland
    Posts
    2,833
    Quote Originally Posted by nibb View Post
    How exactly would you do the search if the data is hashed? You need something to match against it, which means you already know the customer data in the first place. Its not a public database where you search a name and get back results. You need the data in the fist place to try to match it to a specific hash.
    Just because you put something in your TOS does not mean you can do it legally.

    As for your need something to match it to comment, take the following:

    Company 1 phones company 2 and says:

    Look, we just had a signup from Joe Bloggs who lives down at 123 whatever street, know anything about them?

    Company 2 replies with "Yeah, terrible customer, charged back on their service with us and can you believe they even contacted our support? The cheek!"

    Now, by your reasoning the above is ok because Company 1 already knows the person's details so it can't be a breach of data regulations, even though personal data is being shared between 2 companies, right?

  13. #63
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by incloudibly View Post
    They use salted hashes so even public name database would be of no use.
    Which was exactly my point.

  14. #64
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by Wullie View Post
    Just because you put something in your TOS does not mean you can do it legally.

    As for your need something to match it to comment, take the following:

    Company 1 phones company 2 and says:

    Look, we just had a signup from Joe Bloggs who lives down at 123 whatever street, know anything about them?

    Company 2 replies with "Yeah, terrible customer, charged back on their service with us and can you believe they even contacted our support? The cheek!"

    Now, by your reasoning the above is ok because Company 1 already knows the person's details so it can't be a breach of data regulations, even though personal data is being shared between 2 companies, right?
    You are completely going off track with this... which is not fair for their service either. You are making up situations exactly where they break regulations on your "personal opinion" and this is not how the service works either in real life.

    But anyway I will try to reply to this anyway:

    Putting something in the TOS does not make it legal. But putting a clause that data will be hashed and send encrypted to a third party is by no way more illegal (in your sense of opinion) or in moral than what some companies are doing right now in their TOS while sharing data with third parties as well. Facebook does the same and does not even hash the data, actually its PUBLIC and everyone can access them, all they need is the customer to say "yes, we accept this". So how can you even consider sharing hashed data to be different than this....

    Someone mentioned, sure Google, Apple uses it for their own, use, Facebook does not. It shares them with anyone and thousands of companies. And that data is plain text, not even hashed...

    Also, your imaginary story of both companies talking in the phone and sharing data would be no different than Apple doing the same with Google, or Microsoft with Google, or anyone else in the planet earth.

    How is this fault of the service? Its the companies that are breaching the regulations and sharing data and you donīt even need a service like Fraudrecord for this either. I can also share or send customer data by email or via phone, in plain text or how I like. How exactly is this the fault of FraudRecord which is not even involved?

    How is this different from Hosting company 1, sending a private message here on WHT to company 2 about some customer as well? Its not. They are breaching the regulations by their own.

    You are really trying to prove such service is illegal while someone could argue what Facebook does is 1000 times more illegal and guess what? So far its not, because all they need is the customer to be informed in the TOS about this which they did.

    Find a lawyer that is willing to say this is breaching regulations and who is willing to say almost what every single major Internet company did or is doing is as we speak is also illegal. Sure anyone can, but they will ever win? Dream on.

    I just took Facebook as one example, I can probably put 1000 more examples of data sharing which is worst than this and done by major fortune companies worldwide.
    Last edited by nibb; 12-03-2012 at 06:16 PM.

  15. #65
    Join Date
    Feb 2004
    Location
    Scotland
    Posts
    2,833
    Quote Originally Posted by nibb View Post
    How is this different from Hosting company 1, sending a private message here on WHT to company 2 about some customer as well? Its not. They are breaching the regulations by their own.
    Just because it may happen does not mean it isn't a breach of data regulations or that somehow "well other do it, so it's ok".

    Quote Originally Posted by nibb View Post
    You are really trying to prove such a service is illegal while someone could argue what Facebook does is 1000 times more illegal and guess what? So far its not, because all they need is the customer to be informed in the TOS about this which they did.
    I never said it was illegal, at least not intentionally. I said it may not be allowed under certain laws and dismissing these claims on the basis that it's a hash so it's not personal details is pretty stupid without actual clarification of that.

    The problem I personally have was never the database in itself, it was the other things that go with it:

    1) Anyone can submit to it or read from it.

    2) Taking (1) into account, there is no sure fire way to remove yourself if you are wrongly listed. (It may be possible to argue your case, but like you said they are not required under our law to do anything. This in itself could potentially make it unusable in the UK for example)

    3) A lot of the hosts who I see claiming to use this do not list anywhere about sharing data with this company. Like I said previously, the argument being that it's a hash, so it's not data.

    4) There are no retention details published. If I commit a wrong, am I still going to be punished 20 years into the future? Even most criminal records are considered spent after a period of time and blips in my credit are only recorded for 6 years, so why should this be any different?

    5) How many people who get listed on this are actually innocent people? Got a chargeback? Report it to the database but oops, you just reported an innocent party who got their card stolen, not the offender.

    There are other potential problems I thought of previously, but this is all I can think of just now. Once again I am not saying nobody should use this or the database itself is a problem, it's all about how people use it and whether they are actually checking whether they are allowed to use it or not.

  16. #66
    Join Date
    Jun 2009
    Posts
    74
    You are getting into legalities of sharing data which is something an attorney should be consulted about.

    I am simple refuting the point the OP has made multiple times about it not sharing data because it uses hashes. I demonstrated that because of how hashes work they are virtually equivalant to the original data and then therefore (in my option) covered under the same laws and if they transmitted non hashed data.

    The OP has stated in this thread his option is that it is not the same, i am simply refuting that point. Again consult an attorney if you want a legally binding answer, I am simply refuting it so that people just don't blindly think the OP is right to to find out that maybe he is wrong and then find themselves in legal trouble.

  17. #67
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by Ryan524 View Post
    You are getting into legalities of sharing data which is something an attorney should be consulted about.

    I am simple refuting the point the OP has made multiple times about it not sharing data because it uses hashes. I demonstrated that because of how hashes work they are virtually equivalant to the original data and then therefore (in my option) covered under the same laws and if they transmitted non hashed data.

    The OP has stated in this thread his option is that it is not the same, i am simply refuting that point. Again consult an attorney if you want a legally binding answer, I am simply refuting it so that people just don't blindly think the OP is right to to find out that maybe he is wrong and then find themselves in legal trouble.
    And so would SSL traffic, IPsec and VPN traffic. It DOES share data. The question is what data? Hashes, it can be considered anonymous data like GUID, not personal data.

    If we want to go the route that you can match this with personal data, like I said before, you could also do this with a unique identifier in the iPhone and Google Chrome and every other product out... If you have someone that works with you to match the data of have something to compare it, so this is true for every other anonymous data as well.

    The data shared is not personal. If you all here want to argue it is, because you can match it with personal information, so it can be done in iPad, Windows and every other identifier.
    Last edited by nibb; 12-03-2012 at 06:50 PM.

  18. #68
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by Wullie View Post
    Just because it may happen does not mean it isn't a breach of data regulations or that somehow "well other do it, so it's ok".



    I never said it was illegal, at least not intentionally. I said it may not be allowed under certain laws and dismissing these claims on the basis that it's a hash so it's not personal details is pretty stupid without actual clarification of that.

    The problem I personally have was never the database in itself, it was the other things that go with it:

    1) Anyone can submit to it or read from it.

    2) Taking (1) into account, there is no sure fire way to remove yourself if you are wrongly listed. (It may be possible to argue your case, but like you said they are not required under our law to do anything. This in itself could potentially make it unusable in the UK for example)

    3) A lot of the hosts who I see claiming to use this do not list anywhere about sharing data with this company. Like I said previously, the argument being that it's a hash, so it's not data.

    4) There are no retention details published. If I commit a wrong, am I still going to be punished 20 years into the future? Even most criminal records are considered spent after a period of time and blips in my credit are only recorded for 6 years, so why should this be any different?

    5) How many people who get listed on this are actually innocent people? Got a chargeback? Report it to the database but oops, you just reported an innocent party who got their card stolen, not the offender.

    There are other potential problems I thought of previously, but this is all I can think of just now. Once again I am not saying nobody should use this or the database itself is a problem, it's all about how people use it and whether they are actually checking whether they are allowed to use it or not.
    1) Same today with Facebook

    2) Same with Facebook, you cannot remove your data or account, you delete it, log in and all the data is there again

    3) Allot of websites donīt claim either they send data to Facebook, just by having the like button on the website, facebook is actually tracking. Same again the same here is true for half of the internet.

    4) Not sure about that.

    5) Not sure, but is not a blacklisting site. Its a screeening site, the hosting and company can still decide to provide the service or not. Its no different than Maxmind saying your customers is logged from Chine, but his CC card is from the US. Its the host that decides if its fraud or not.

  19. #69
    Join Date
    Jun 2009
    Posts
    74
    Quote Originally Posted by nibb View Post
    And so would SSL traffic, IPsec and VPN traffic.
    If those technologies are being used to transmit data to third parties covered under applicable laws and regulations then I would say yes.

  20. #70
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by Ryan524 View Post
    If those technologies are being used to transmit data to third parties covered under applicable laws and regulations then I would say yes.
    So what is your point, based on this the whole Internet should be regulated, as Internet is sharing data.

    Again, its sharing hashes, this is no different than any other data. Can you match it with personal information of a specific individual? Yes, and so you can with other data.

  21. #71
    Join Date
    Jun 2009
    Posts
    74
    Some data sharing is regulated. As I already mentioned I was refuting the OPs point that since the data is hashed it is not covered by regulation.

    I'm sorry but I don't know how to make that any clearer for you.

  22. #72
    Join Date
    Feb 2004
    Location
    Scotland
    Posts
    2,833
    Quote Originally Posted by nibb View Post
    1) Same today with Facebook

    2) Same with Facebook, you cannot remove your data or account, you delete it, log in and all the data is there again

    3) Allot of websites donīt claim either they send data to Facebook, just by having the like button on the website, facebook is actually tracking. Same again the same here is true for half of the internet.

    4) Not sure about that.

    5) Not sure, but is not a blacklisting site. Its a screeening site, the hosting and company can still decide to provide the service or not. Its no different than Maxmind saying your customers is logged from Chine, but his CC card is from the US. Its the host that decides if its fraud or not.
    You keep using Facebook or UUIDs as a comparison and they really aren't even similar.

    My details get on Facebook because I provide them to Facebook, they don't appear on Facebook because I signup with Google for a mail account. In this case, the details are going to a third party to be read by other third parties without my specific consent in a lot of cases.

    As for SSL etc, those again are not being passed to third parties. You really need to make the distinction here between sharing data between you and the client and sharing data between you, the client and a third party who then makes it available publicly to others.
    Last edited by Wullie; 12-03-2012 at 08:01 PM.

Page 3 of 3 FirstFirst 123

Similar Threads

  1. About 30% done -- thoughts?
    By David in forum Web Site Reviews
    Replies: 19
    Last Post: 09-10-2011, 04:28 PM
  2. Im having second thoughts lately ....
    By unity100 in forum Running a Web Hosting Business
    Replies: 20
    Last Post: 12-05-2009, 08:47 PM
  3. Your thoughts
    By freshjada in forum Ecommerce Hosting & Discussion
    Replies: 2
    Last Post: 12-19-2005, 02:28 PM
  4. Your thoughts please
    By JMD in forum Web Site Reviews
    Replies: 3
    Last Post: 07-08-2002, 09:39 PM
  5. Your thoughts please
    By JMD in forum Web Site Reviews
    Replies: 0
    Last Post: 07-07-2002, 02:11 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •