My mind is blown. Reflecting on a lifetime of getting declined filling web forms in with a wrong CC number, billing address, expiration or CCV, I...don’t think I’ve ever misspelled my name.
Fun fact (from 2012): some credit cards had more than one CCV. You could find out by simply trying all 1000 combinations on some web shops. Back then, I did security consulting and we knew a shop or two where it was possible to enumerate the CCVs without submitting an order and without being blocked.
Not sure if this is still valid nowadays, but it blew my mind as well.
Many do validate the address or at least postal code, however, although American Express doesn’t appear to in my experience. I assume it also depends on the issuer for Visa/Mastercard considering many have their own two-factor verification portal.
Note - AMEX does verify cardholder name. In my original comment I am referring only to VISA/MC. They do not verify cardholder name. They do, however, verify other things related to address, etc.
When I requested this back in August, it took 5 days to get the results.
You get a long list of links that each triggers a download. It's a bit annoying to bulk download by clicking each link one by one, so I made a Browserflow flow that clicks all the links and downloads everything automatically: https://browserflow.app/shared/61e979ed-47f4-4c94-b5a5-3ade0...
It was requesting my personal information from Amazon that made me decide to dump all my Alexa smart devices.
We had bought one for my in-laws and the Echo had picked up entire conversations between them even though the wake word had not been said. They were categorised under "Not intended for Alexa". My father in-law is at the end of his life, and I really hated the fact that deeply private and incredibly poignant conversations would probably be listened to by a human somewhere to better calibrate the device.
Wow, that's bad. It seems obvious that something like Alexa would transmit some amount of data not intended for it and that would be listened to by someone for training purposes. And probably enough data that someone remotely privacy conscious would not voluntarily install some 24/7 listening device into their inner sanctum.
But what on earth would possess Alexa to record entire conversations without either piping up ("sorry, I did not understand this request") or figuring out after a few seconds that this was probably a false alarm and turning itself off? How would this be remotely excusable?
How long was the longest recording not really intended for Alexa?
I've switched off all voice-activated devices in my home.
I'm not sure how long the longest recording was...I'll go back over the data to have a look, but the one that really broke my heart was about 20 seconds during which my mother in-law was upset because my father in-law was not waking up.
"We’ve received and are processing your request to access your personal data.
We will provide your information to you as soon as we can.
Usually, this should not take more than a *month*.
In exceptional cases, for example if a request is more complex or if we are processing a high volume of requests, it might take longer, but if so we will notify you that there will be a delay."
I built a system just like this at another company whose products or services you likely use often or every day.
This pessimistic view assumes the worst about people like me who build these kinds of systems, as if we’re evil or corrupt or somehow doing this to take something from you.
In reality, data is stored in disparate systems, under the custodianship of different organizations. Once you can find everything and account for it, you need to query every single system - many systems which aren’t built for this kind of “on demand” workload. Then you need to parse the data, turn it into some kind of useful values, especially if the internal representation contains flags, enums, or other magic or pseudo values that wouldn’t be meaningful to anyone but the logic or programmer who wrote it. Systems go down. Things break. Pipelines get clogged. It’s one thing to build a god system that can decrypt, read, and perform etl on every application, table, db, or whatever storage used anywhere in your entire company. It’s exponentially harder to solve this problem when it’s all legacy integrations with shit that’s duct taped together and will easily tip over.
Now you have to do this at scale - except these systems have millions of lines of code and can’t just be rewritten into a solution that can handle hundreds or thousands or even tens of thousands of queries per second… not without a Herculean effort not even accounting for all the tribal knowledge that’s been lost on how the system is expected to work.
If 30 days is too long for you, essentially you’re wanting these companies to spend potentially hundreds of millions of dollars to rearchitect a significant chunk of their systems that were built prior to all these privacy laws coming online.
Honestly, the legal landscape changes often. Some of the law is open to interpretation. My own experience working in this area requires working closely with a team of lawyers. Honestly, even the Staff Engineers in my larger org getting paid $700k a year would have preferred any other project but this.
I imagine there's also some manual steps going on.
Making sure it's not an account compromise (also just waiting to give the actual owner a chance to notice), checking with compliance, manually getting all the data that's not been automated yet, getting data out of cold storage, checking over the final data set, etc. Many of which would be sequential.
Stories like this are what keep me using strong passwords (in Keepass) instead of MFA. I'd love to hear more details as I'm finding more and more services push the MFA aspect, and I don't use a smartphone. Thanks.
Most password managers can also store TOTP tokens. A few services support registering redundant Yubikeys. Failing that, they usually give you a recovery code with which you can restore access to an account you're locked out of.
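To make concrete what a password manager actually stores and computes when it "holds a TOTP token", here is an added example (not from the thread and not any particular manager's code): an RFC 6238 TOTP implementation on top of RFC 4226 HOTP using only the standard library, with the verifier-side check that accepts adjacent 30-second steps for clock skew. The secret and timestamps are the RFC's published test values; the base32 helpers mirror how authenticator apps and QR codes carry the shared secret.

```python
"""RFC 6238 TOTP / RFC 4226 HOTP in pure Python (added example, standard library only).

A password manager that "stores a TOTP token" stores the shared secret and runs
exactly this computation each time it shows a code.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), not a real secret.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def secret_to_base32(secret: bytes) -> str:
    """The form in which authenticator apps and otpauth:// QR codes carry the secret."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def totp_from_base32(secret_b32: str, unix_time=None) -> str:
    """Decode a base32 secret (re-adding padding, ignoring spaces/case) and compute the code."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    now = int(time.time()) if unix_time is None else unix_time
    return totp(base64.b32decode(s), now)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side,
    comparing in constant time so the comparison itself leaks nothing."""
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    print("TOTP at t=59 for the RFC test seed:", totp(RFC_TEST_SECRET, 59))
    print("Current code:", totp_from_base32(secret_to_base32(RFC_TEST_SECRET)))
```

The window of plus or minus one step is the usual trade-off: it tolerates a phone clock a few seconds off without widening the guessing space much. Recovery codes, by contrast, are independent one-time secrets a service issues alongside the TOTP seed; they are not derived from it.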
> We’ve received and are processing your request to access your personal data.
We will provide your information to you as soon as we can. Usually, this should not take more than a month. In exceptional cases, for example if a request is more complex or if we are processing a high volume of requests, it might take longer, but if so we will notify you that there will be a delay.
I wonder what the formats are.
Also, is there a team of poor souls navigating internal bureaucracy to manually fulfill these requests? Is it a black hole?
A nice policy would be to decree "Every [property] in Amazon must provide an internally registered [endpoint] that speaks [protocol] serving requests consistent with [schema]. Request volume will be limited to at most [limit]." Require it for new stuff, and add it to the backlog for existing stuff.
Ah, but it wouldn't increase revenue, and everything is existing stuff. Still, I like the idea.
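The earlier comment about data living in disparate systems (each with its own flags and enums to decode, some of which fall over mid-request) and the policy proposed above (every property registers an endpoint that honours a schema and a request limit) describe one architecture from two sides. Here is an added example, not Amazon's or any company's code, that models both as a toy data-subject-access-request aggregator: every system, record, field name, limit and outage below is constructed for illustration.

```python
"""Toy data-subject-access-request (DSAR) aggregator (added example, all data constructed).

Models: disparate backends with private encodings, a registry of per-property
export endpoints bound to a schema and a request limit, and an aggregator that
decodes what it can and records what is still pending instead of failing whole.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# --- constructed backend "properties", each with its own internal encoding ---
_ORDER_STATUS = {0: "placed", 1: "shipped", 2: "delivered", 9: "cancelled"}
_ORDERS_DB = {"u123": [{"oid": 41, "st": 2, "amt_cents": 1999},
                       {"oid": 42, "st": 9, "amt_cents": 500}]}
_ALEXA_DB = {"u123": [{"ts": "2023-08-01T10:15:00Z", "intended": 0, "secs": 20}]}


def orders_export(user_id: str) -> List[dict]:
    # Decode the integer status enum and the cents amount before handing data out.
    return [{"order_id": r["oid"], "status": _ORDER_STATUS[r["st"]],
             "amount_usd": r["amt_cents"] / 100}
            for r in _ORDERS_DB.get(user_id, [])]


def alexa_export(user_id: str) -> List[dict]:
    # The internal "intended" flag becomes the category a person would recognise.
    return [{"recorded_at": r["ts"], "duration_s": r["secs"],
             "category": "Request" if r["intended"] else "Not intended for Alexa"}
            for r in _ALEXA_DB.get(user_id, [])]


def returns_export(user_id: str) -> List[dict]:
    raise ConnectionError("returns service unavailable")  # simulated outage


def legacy_export(user_id: str) -> List[dict]:
    # A legacy integration that ignores the agreed schema and leaks raw flags.
    return [{"flag": 0x2A, "blob": "..."}]


# --- the registry the proposed policy would mandate ---
@dataclass
class Endpoint:
    name: str
    export: Callable[[str], List[dict]]
    schema: Set[str]      # exact key set every returned record must have
    max_requests: int     # requests this endpoint accepts per period
    used: int = 0


class Registry:
    def __init__(self) -> None:
        self._endpoints: Dict[str, Endpoint] = {}

    def register(self, ep: Endpoint) -> None:
        self._endpoints[ep.name] = ep

    def fulfil(self, user_id: str) -> dict:
        """Query every registered property; one failure never blocks the rest."""
        result = {"user_id": user_id, "data": {}, "pending": []}
        for ep in self._endpoints.values():
            if ep.used >= ep.max_requests:
                result["pending"].append((ep.name, "request limit reached"))
                continue
            ep.used += 1
            try:
                records = ep.export(user_id)
            except Exception as exc:      # systems go down: record it and move on
                result["pending"].append((ep.name, f"failed: {exc}"))
                continue
            if any(set(r) != ep.schema for r in records):
                result["pending"].append((ep.name, "schema violation"))
                continue
            result["data"][ep.name] = records
        result["complete"] = not result["pending"]
        return result


def build_registry() -> Registry:
    reg = Registry()
    reg.register(Endpoint("orders", orders_export, {"order_id", "status", "amount_usd"}, 1))
    reg.register(Endpoint("alexa", alexa_export, {"recorded_at", "duration_s", "category"}, 5))
    reg.register(Endpoint("returns", returns_export, {"return_id"}, 5))
    reg.register(Endpoint("legacy", legacy_export, {"record_id", "value"}, 5))
    return reg


if __name__ == "__main__":
    print(build_registry().fulfil("u123"))
```

The `pending` list is the point: a request that is partially fulfilled is reported as such, with the reason per property, rather than either silently shipping an incomplete export or stalling the whole job until the flakiest legacy system comes back. The schema check also stops a property from handing out undecoded internal flags that mean nothing to the requester.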
I requested my Amazon data a year ago or so and it was a few different Excel files. One file for orders, one for digital orders, one for returns, etc. They included everything back to my first order in ‘99. Took a few days to process, but certainly less than a week.
I think there are two sides to a service like that: on the one hand it provides more transparency to the individual customer (good), on the other hand, any external or internal malicious actor now has a very convenient tool to gain access to a lot of very personal information about a single individual (bad). It was probably not even possible without a tool like that, not even for Jeff Bezos.
Amazon has a pseudonym with a dedicated Twilio number that delivers to a private postal box.
I burn the pseudonym every few years. Which reminds me ...
This is simple because VISA/MC do not validate cardholder name. Everyone thinks they do and most merchants believe that they do but ... they do not.
You can use your card with "Mickey Mouse" and it will work just fine.
Trying this out on my next purchase for sure.
However, some services go out of their way to check if the address you entered exists and is valid, but that has nothing to do with Visa or MC.
```javascript
javascript:(function () {
  // Collect every anchor on the page as [visible text, href]
  var x = document.querySelectorAll("a");
  var myarray = [];
  function dox() {
    for (var i = 0; i < x.length; i++) {
      var nametext = x[i].textContent;
      var cleantext = nametext.replace(/\s+/g, ' ').trim();
      var cleanlink = x[i].href;
      myarray.push([cleantext, cleanlink]);
    }
  }
  // Render the collected links as a two-column table in a new window
  function make_table() {
    var table = '<table><thead><tr><th>Name</th><th>Links</th></tr></thead><tbody>';
    for (var i = 0; i < myarray.length; i++) {
      table += '<tr><td>' + myarray[i][0] + '</td><td>' + myarray[i][1] + '</td></tr>';
    }
    table += '</tbody></table>';
    var w = window.open("");
    w.document.write(table);
  }
  dox();
  make_table();
})()
```
Disclaimer: I work at Amazon, but not on this.
What is really weird is that AWS account is tied to a very old (1998?) Amazon account. I wonder what this request will reveal.