tptacek 2 years ago

From the consent agreement, in addition to a bunch of fuzzier stuff about standing up a security program, the FTC has demanded:

    1. Technical measures to monitor all of Respondent’s networks and all systems and
    assets within those networks to identify data security events, including unauthorized
    attempts to exfiltrate Personal Information from those networks;

    2. Policies and procedures to ensure that all code for web applications is reviewed for
    the existence of common vulnerabilities;
  
    3. Policies and procedures to minimize data collection, storage, and retention, including
    data deletion or retention policies and procedures;
  
    4. Encryption of all Social Security numbers on Respondent’s computer networks;
  
    5. Data access controls for all databases storing Personal Information, including by, at a
    minimum, (a) restricting inbound connections to approved IP addresses, (b) requiring
    authentication to access them, and (c) limiting employee access to what is needed to
    perform that employee’s job function;
  
    6. Policies and procedures to ensure that all devices on Respondent’s network with
    access to Personal Information are securely installed and inventoried at least once
    every twelve (12) months, including policies and procedures to timely remediate
    critical and high-risk security vulnerabilities and apply up-to-date security patches;
  
    7. Replacing authentication measures based on the use of security questions and answers
    to access accounts with multi-factor authentication methods that use a secure
    authentication protocol, such as cryptographic software or devices, mobile
    authenticator applications, or allowing the use of security keys; and
  
    8. Training of all of Respondent’s employees, at least once every twelve (12) months,
    on how to safeguard Personal Information;

#7 jumps out at me. The problem CafePress has is that they used security questions rather than the industry-standard practice of just sending password-reset emails, which meant the answers to those security questions were password-equivalent, and, of course, stolen in the SQLI attacks. But the simpler fix here is just to require password reset emails, not to mandate multi-factor authentication. Though I wonder if they'll just claim email resets are a second factor.
  • bombcar 2 years ago

    #1 sounds like a boondoggle for security companies, selling software that doesn't actually do much; but perhaps I'm out of the market too long to know what's the current standard.

    • binkHN 2 years ago

      Truth is, #1 is pretty broad. At minimum they could almost just set up a NetFlow/IPFIX collector and call it a day.

  • rkagerer 2 years ago

    > just to require password reset emails

    I for one don't like how companies use email as a security crutch.

    Ownership of an address at a particular point in time doesn't equate to proof of identity. One hacked email account and everything else falls like dominoes.

    • binkHN 2 years ago

      Fair—2FA for email is more important than ever.

  • Tagbert 2 years ago

    I’d much rather have the option to disable password recovery processes. Don’t force me to answer questions with obvious answers. Don’t send a reset link over a possibly insecure channel. Give me a way to turn all of that off and let me be responsible for keeping my password.

  • 4oh9do 2 years ago

    > But the simpler fix here is just to require password reset emails, not to mandate multi-factor authentication.

    Password resets lead to iterative passwords, which leads to password reuse, which leads to email compromise, which leads to it being pointless to use email as some ersatz second factor.

    If we want to move towards a world where phishing attacks and password breaches are obsolete, then we need to press full-throttle to mandating hardware security keys for all accounts.

    • tptacek 2 years ago

      It is very much the FTC's place to require companies to live up to the commitments they've made to customers, and probably, more broadly, to make sure they live up to the implied commitments of universal industry best practices. It is less clear that FTC has the authority to turn random companies into test cases for the elimination of phishing attacks.

      The practices CafePress had prior to its breach were clearly inadequate, and justifiably actionable. They authenticated users with password-equivalent "security questions", which they (of course) stored in clear text. Storing cleartext password reset secrets contravenes universal industry best practices, and, really, so does the use of "security questions" at all --- though many banks still do.

      But requiring 2FA tokens is not a universal practice. Moreover, deployed over a whole userbase, it doesn't really address the concerns that lead to or were revealed by this breach. Managing 2FA for non-technical end users --- that's the kind CafePress serves --- is extraordinarily difficult. People lose tokens, 2FA codes are phishable, account recovery remains the most difficult problem in computer security, and so on.

      So yes, it is weird to me to see the FTC suggest that the appropriate solution to a broken authentication system with security questions is "make people use 2FA tokens". The universal best practice solution to the specific problem the security questions solved is "password reset emails that prove custody of a trusted email account". The demand from the FTC exceeds that best practice. That's interesting, and so I called it out.

      We don't know each other, so it probably bears saying that I am foursquare supportive of 2FA. I'm supportive of a lot of things the FTC would no doubt love to force companies to do (penetration testing in particular!).

      • 4oh9do 2 years ago

        > But requiring 2FA tokens is not a universal practice.

        It is not universal practice, but it is industry-standard, so I don't particularly understand why it is surprising that the FTC is recommending that CafePress adhere to industry standards.

        • tptacek 2 years ago

          2FA is not in fact the industry standard process for account recovery (it's the industry standard problem that causes us to have to spend time on account recovery!), and account recovery is the problem this part of the consent agreement addresses.

          • 4oh9do 2 years ago

            As per NIST 800-63B:

            > To maintain the integrity of the authentication factors, it is essential that it not be possible to leverage an authentication involving one factor to obtain an authenticator of a different factor. For example, a memorized secret must not be usable to obtain a new list of look-up secrets.

            And further:

            > Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.

            • tptacek 2 years ago

              That's the NIST standard definition for out-of-band authenticators. FTC didn't demand out-of-band authenticators, nor is anyone obligated to comply with NIST.

          • bombcar 2 years ago

            And the account/2FA reset procedure is always the weak point - most of my accounts with 2FA enabled let me reset it with access to email or SMS.

            (Which is good for some of them, as they're notoriously flaky).

            • tptacek 2 years ago

              Yes. For obvious reasons, people are more prone to lose 2FA authenticators (be they code generators or hardware keys) than passwords. Both passwords and 2FA mechanisms are customers of account recovery, which is the process that kicks in when you can't log in. Security questions are a particularly bad account recovery system. Reset emails are somewhat better.

              Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

              To get a general sense of where we're at as an industry with this, look at the process for what happens when you lose an AWS 2FA secret:

              https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

              • 4oh9do 2 years ago

                > Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

                Your reading of the FTC text seems to be that you think the FTC has conflated account recovery with 2FA, but I don't think that's the case. Instead, my read is that they're suggesting that password breaches can be rendered moot points by requiring 2FA for accounts, so that the compromise of a password would not require an account reset in the first place.

                • tptacek 2 years ago

                  I'm reading the plain language of the agreement, which requires the replacement of security questions and answers, and is not in fact a manifesto about the insecurity of passwords writ large.

                  But technical language aside: a requirement that CafePress fully adopt 2FA also doesn't make sense, because its users will not fully adopt 2FA. The users that can't 2FA are the interesting case here, and the thing I'm calling out.

    • ketralnis 2 years ago

      I think you think they mean password expiration, not password resets. I don't see how the existence of an "I forgot my password" (password reset) flow leads to reused passwords, though automatically expiring passwords certainly do.

indymike 2 years ago

One of the complaints was closing merchants who were breached and then charging them a $25 account closure fee. Wow.

kevin_thibedeau 2 years ago

> inadequately encrypted passwords,

Assuming this means unsalted hashes. Since when has the FTC been going after this?

  • blacksmith_tb 2 years ago

    That whole sentence is even more interesting: "the FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions." Why would CafePress have anyone's SSN? I suppose potentially a merchant selling on it might need to have provided banking details, but that still doesn't seem like it should include an SSN?

    • mcculley 2 years ago

      An individual can sell custom/branded merchandise on CafePress. If CafePress is sending more than $600 per year to an individual, they have to issue a 1099, which has to have a TIN, which is going to be an SSN for most individuals.

    • kayodelycaon 2 years ago

      Sole proprietors use their SSN for tax purposes. May also apply to single-member LLCs.

      • lsaferite 2 years ago

        Can't Sole Proprietors obtain an EIN as well though? No way I'm using my SSN for stuff like that. I always used an LLC with an EIN.

        • xeromal 2 years ago

          They can. I assume DBAs (Doing business as) folks are the ones that use their SSN. Just real small-time shops.

        • lfowles 2 years ago

          I think the W9 form says to use SSN in case of a disregarded entity (such as a single member LLC).

          • lsaferite 2 years ago

            > You must show your individual name and you may also enter your business or DBA name on the “Business name/disregarded entity” name line. You may use either your SSN or EIN (if you have one), but the IRS encourages you to use your SSN.

            That's straight from the W-9 instructions. You _can_ use an EIN. In my opinion you _should_ use an EIN.

            • lfowles 2 years ago

              Now I'm even more confused, heh. From the previous page:

              > If you are a single-member LLC that is disregarded as an entity separate from its owner, enter the owner’s SSN (or EIN, if the owner has one). *Do not enter the disregarded entity’s EIN*

              Edit: I suppose the distinction is that you should have an EIN for your name

        • mcculley 2 years ago

          Many sole proprietors execute under their SSN. Most will not bother to acquire an EIN.

    • olliej 2 years ago

      Income reporting? If you’re a non-business merchant? Or if you’re a business the businesses tax is?

      This is me stabbing in the dark, no actual knowledge or anything :)

  • pavon 2 years ago

    I was curious about what legal theory they were using to enforce this. It appears that 5/7 of the counts are just false or misleading statements - CafePress claimed to have good security but didn't. Another is just tangentially related to security. The interesting one is Count III:

    > As described in Paragraph 11, Respondents’ failure to employ reasonable data security measures to protect Personal Information caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. This practice is an unfair act or practice. ...

    > in violation of Section 5(a) of the Federal Trade Commission Act.

    If I'm reading this correctly, it is saying that the FTC interprets poor security of users' data to be in violation of the FTC Act even outside of any promises given to the customer. That seems like a big stretch IMO.

    • bombcar 2 years ago

      It's the legal theory of "agree to these things or we're going to publicly try to nail your assets to the wall" - even if they actually can't do it, do you want to pay the costs of fighting it, or give the FTC their little PR moment.

  • tptacek 2 years ago

    I'm a little nerd-sniped by the callout over using SHA-1; SHA-1 is broken in a way that has nothing to do with password storage security (they're not using a password KDF at all, so the thrust of the complaint isn't wrong, and no sane person would use SHA-1 to build a new password KDF in 2019, but still!)

  • dontbenebby 2 years ago

    I saw one darknet site where they didn't keep hashes, so they could go off and use all the various algos (SHA, MD5, etc.) then see where else those users were members (by looking for the password if they were dumb enough). I wonder how often that happens in the corporate world, but absent a whistleblower or a helpful hacker no one would find out.

    (I'm not clear if they were being run by the police when I showed up, or if that was an extortion technique, but it's been over two years since that adventure, so the CFAA has expired and if someone takes issue I tried to take down a den of hurtcore creeps because one of them obstructed my job search before the portmanteau had been popularized, form a line to my left so you don't interfere with the baristas taking orders, as I operate in the clear and I will not abide absolute scumbags who abuse their access.)

    • inetknght 2 years ago

      > they didn't keep hashes, so they could go off and use all the various algos (sha, md5 etc) then see where else those users were members (by looking for password if they were dumb enough), I wonder how often that happens in the corporate world

      https://en.wikipedia.org/wiki/Credential_stuffing

      Indeed, it's a major problem.

      • dontbenebby 2 years ago

        Oh yeah I know the re-use is common, I more meant the technique of purposefully not hashing or disabling hashing to compare hashes across services and connect users.
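
The cross-service linking dontbenebby describes, and the SHA-1-without-a-KDF point tptacek raises above, come down to one property: an unsalted hash of a given password is the same bytes at every site that uses the same algorithm, so two dumps can be joined on the hash column even without knowing the password. The example below is added here and is not code from the thread or from CafePress; it contrasts that scheme with a per-user salted PBKDF2 record, using constructed user names and dumps for illustration.

```python
import hashlib
import hmac
import os


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 of the password: no salt, no work factor.

    This is the kind of storage the FTC complaint calls "inadequately
    encrypted"; identical passwords always produce identical digests.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def kdf_store(password: str, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record in the form 'iters$salt_hex$dk_hex'.

    A fresh random salt per user means two users (or two sites) with the
    same password store different records, and each guess must be re-run
    per record rather than looked up once.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def identical_record_pairs(dump_a: dict, dump_b: dict) -> set:
    """Audit check: (user_a, user_b) pairs whose stored credential records are byte-identical.

    Against two unsalted-hash stores this is exactly the account-linking join
    described in the thread; against salted records it should return nothing,
    which is the property a defender wants to confirm in their own store.
    """
    by_record = {}
    for user, rec in dump_a.items():
        by_record.setdefault(rec, []).append(user)
    return {(ua, ub) for ub, rec in dump_b.items() for ua in by_record.get(rec, [])}


def demo() -> dict:
    """Constructed sample: one person reuses a password at two unrelated sites."""
    # Unsalted SHA-1 stores at site A and site B (constructed data).
    site_a = {"alice": sha1_unsalted("hunter2"), "bob": sha1_unsalted("s3cret!")}
    site_b = {"a.smith": sha1_unsalted("hunter2"), "carol": sha1_unsalted("other")}
    # The same two sites, had they stored salted PBKDF2 records instead.
    site_a_kdf = {"alice": kdf_store("hunter2"), "bob": kdf_store("s3cret!")}
    site_b_kdf = {"a.smith": kdf_store("hunter2"), "carol": kdf_store("other")}
    return {
        "linked_unsalted": identical_record_pairs(site_a, site_b),
        "linked_salted": identical_record_pairs(site_a_kdf, site_b_kdf),
        "alice_login_ok": kdf_verify("hunter2", site_a_kdf["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```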

  • nerdponx 2 years ago

    For all the apparent inaction and broken promises of the Biden administration, it's been very refreshing to see "technical" government agencies returning to basic competency, and in some cases apparently actively bucking long trends of regulatory capture. The bureaucrats seem surprisingly progressive this cycle (once again highlighting the fragility of a system that functions in spite of, rather than because of, the primary lawmaking body). It's a shame that they will probably be voted out next go around, possibly in favor of the prior Twitter User In Chief.

  • bityard 2 years ago

    They're not going after them for that. They're going after them for that plus an incredibly long list of other basic security failures, failing to notify customers that their personal data was now in the wild, and other negligence.

reidrac 2 years ago

I submitted the link just after CafePress sent me an email with the information.

A lot of stress on "previous owners" and "before 2019". OK, fair enough. I asked them to remove my details from their DB, because I ordered something back in 2007 but I don't think I'll do it again.

The response was interesting:

"Thank you for contacting CafePress. Per your request, I will be happy to ensure that your information is no longer stored. However, I was not able to locate an account with the email address provided so it appears you do not have any information stored with us."

Yet, I got the email from them with the FTC settlement information.

olliej 2 years ago

It sounds like the concealing of it is (rightfully) a bigger part of things.

  • encryptluks2 2 years ago

    Which is okay if you're an Xfinity or other entity that frequently lobbies Congress.

    • olliej 2 years ago

      Yeah, except that seems to be true of /any/ crime, in any industry.

      • dontbenebby 2 years ago

        The BCP is kind of a joke, they do these enforcements usually when a practice is widespread, it's like when they pull over one car on the highway and the rest slow down.

        The GOP commissioners do not believe in the mission, and obstruct it, so you have the same issues with enforcement you saw play out on the SC recently -- GOP presidents stack the org with people who aim to destroy it.

        Then to add insult to injury, they require you to have a JD (which entails not being able to operate a computer apparently, or when you do, needing to have 1-pagers on encryption from the 90s rewritten every two weeks to two years), and when they do hire anything remotely related to the liberal arts, they label them as "economists" and don't allow anyone who actually believes in sound economics in -- only Austrian bull crap, the usual Keynes neoliberalism, or, at best, neoliberalish "behavioral economists" who rediscover concepts I learned in my cognitive psych class in undergrad that date back decades.

        (Dark patterns being a classic example -- we're gonna discover the lies that were explained in Consumer Reports for Kids in the 1990s at an exploratory workshop in 2020s? Stuff like that is why more and more people are leaving America permanently.)

bogota 2 years ago

This explains why I had about 20 random transactions from cafe press last year. I wasn’t even aware I ever used them.

  • mistrial9 2 years ago

    I heard (here) that some California Community Colleges were willfully ignoring blatant fake accounts, due to $INCOME and $LIABILITY incentives and fines, respectively. Is it possible that this online retail company, feeling in a corner financially, willfully turned a blind eye to account activity for similar reasons?

4oh9do 2 years ago

Bullshit like this will continue happening en masse until there are mandatory prison sentences for C-suite executives for negligence and malice like this.

  • tbihl 2 years ago

    As much as we love to imprison people in the US... Maybe just make the expected value of cover up massively negative with fines as significant multiples of actual damage?

    • 4oh9do 2 years ago

      It's all Monopoly money to corporations. If there is no fear of an actual corporal punishment, then there is no personal skin in the game, so to speak. An executive who causes a corporation to be fined may worry about losing their job, but they'll be much more worried if the risk is going to prison.

      And it's not that we love to imprison people in the US, it's that we love to imprison the wrong people.

      • dontbenebby 2 years ago

        >It's all Monopoly money to corporations. If there is no fear of an actual corporal punishment

        The Swift Ban was as close to an economic death penalty as you can give a bank; we should do it more often to corporations, public or private, that act the fool.

        (Looking at you, China, with your manipulation of both CNH and CNY)

        https://en.wikipedia.org/wiki/SWIFT_ban_against_Russian_bank...

      • tbihl 2 years ago

        >It's all Monopoly money to corporations.

        Surely you don't mean by this that they don't care about money. Isn't the cynical take normally that corporations are amoral money maximizing juggernauts? Why wouldn't they respond to adequate threats?

        • themitigating 2 years ago

          It's not that they don't care about money it's that they are less affected by loss.

          Once someone earns about 10 million they can live for the rest of their life in a reasonable way without working again. So when you are an executive who has assets of 50 to 70 million and your stock, which was worth 10 mil is now worth 7 mil you aren't hurt that bad.

          The company can then raise prices, cut quality, and fire people to reduce costs to make up for the fine. The stock might eventually even go higher than it was before.

        • 4oh9do 2 years ago

          What I mean is that executives value their personal livelihoods above money, though the two are often correlated. Therefore the punishment needs to strike at the core, their personal as opposed to financial freedom. "Big" fines for corporations have been around forever, I don't see them changing anything.

    • dontbenebby 2 years ago

      No, jail them, even if just overnight. It fixed Iceland's issues.

      https://en.wikipedia.org/wiki/2008%E2%80%932011_Icelandic_fi...

      Prison is for serious crimes, like murder, or financial losses so large they are akin to one.

      A human life is worth about 10 million:

      https://en.wikipedia.org/wiki/Value_of_life#United_States

      If someone makes a big deal out of never killing, and they do multiples of damage to that, some of which causes others to die of depression... then walk them out of their offices in handcuffs, one by one, until they're "nudged" to change their behavior.

      I feel just as precarious as I did in 2008. (Moreso since I'm older, and don't have the clean slate young people do but don't have the savings others have on this site despite always trying to make the least wrong decisions I could... but if others don't opt in to giving me income, I can't invest it wisely, full stop.)

    • lesuorac 2 years ago

      I dunno, we seem to issue fines a lot nowadays and the behavior doesn't change.

      What even would the expected value for a fine be in this situation? It seems overly complex to calculate, as I don't think even the FTC tried to put a value on the damages from the sale of the personal information.

      • adrr 2 years ago

        Fines or threat of jail time is just treating the symptoms. The bigger issue is that companies use SSN as a way to authenticate a user. Government should mandate only allowing SSN for tax identification purposes. Passwords need to go away and with WebAuthn, we are almost there. The average person is re-using the same password across sites so it’s pointless protection.

        An e-commerce store hack shouldn’t give hackers the data needed to access customers financial accounts.

        • 4oh9do 2 years ago

          > Government should mandate only allowing SSN for tax identification purposes.

          CafePress was presumably collecting SSNs precisely for tax identification purposes.

          • adrr 2 years ago

            It's not them who are the problem. It's financial institutions and other services that use SSN as a way to verify a person. You should not be able to set up a cell phone plan by providing a name and an SSN. And credit reporting should not be tied to an SSN. It should just be used to submit tax information to the government and have no value beyond that.

        • lesuorac 2 years ago

          And when a company doesn't comply?

          A law without a penalty isn't a law you need to follow.

      • deathanatos 2 years ago

        > I dunno, we seem to issue fines a lot nowadays and the behavior doesn't change.

        We issue fines, yes. We do not issue fines to an amount that would incentivize behavior change. Most fines from agencies like this, when I see them, tend to be in the <$10 range, when scaled to how "impactful" the fine would be against an average person's income. My father would call a fine that's less than $10 a "toll".

        In this particular case, the fined entity is too small for me to know exactly, as I can't find their financials. But the amount doesn't smell large.

        In some instances, I've seen agencies level $0 fines against corporations. Literally, all the agency demanded was "stop doing the bad thing, m'kay?"

        • dontbenebby 2 years ago

          >We issue fines, yes. We do not issue fines to an amount that would incentivize behavior change.

          Who is we? The US?

          I see many euros on HN tutting about lax regulation, but no one in the EU seems willing to actually enforce the GDPR and levy a corporate death penalty if their brothers across the pond won't do the needful.

          (I'm eligible for an Italian passport Jus sanguinis, though I had intended not to look into it until late in life -- maybe I should abandon my American one, and immediately lobby for the above to my new elected representatives, since everyone I've met from the world of spooks seems to obstruct me out of fear I'll expose their illegal behavior rather than do their damn job well enough I wouldn't notice how they spend their free time.)