Wishbone breaks: massive leak of popular survey site reveals millions of teens' information

Originally published at: http://boingboing.net/2017/03/15/wanna-take-a-survey.html

Well good, I’ve been looking for a database of girls under 17.


What if it was against the law to store any user data in an unencrypted format?
What if CTOs or IT management could be held criminally and civilly liable for storing unencrypted user data?
What if (a la DMCA) there was a statutory per-user rate for damages? Say $5,000 per user?

These are laws which could exist.

Sure, data could be poorly encrypted, but I’ve often found that having any standard would motivate companies to think about this. They’d then find that it’s not ruinously difficult to encrypt data, it’s just a thing you have to do. It’s a cost of doing business. We require brick-and-mortars to do all kinds of consumer safety stuff, and sometimes it’s very complicated. For a restaurant a broken floor tile in a storage room or an exposed light fixture will get you a write-up from an inspector. If that happens a lot, they can literally put you out of business. Asking companies to not store personally identifiable information in an unencrypted form is literally the least we could ask of them.

You wouldn’t even need inspectors! The risk of a bankrupting criminal complaint against a startup would mean that VCs would require startups to do this as part of being considered for funding. If Google or Apple agreed to perma-ban companies from app stores for this it would possibly even be more effective (no lawyering your way out of that).

The way these startups work, getting taken off an app store for a few weeks could tank them completely. Even if they don’t mind playing “fast and loose” with this rule it wouldn’t matter. VCs would simply require this as part of their due diligence.


What could possibli go wrong?!


Keyword: parenting.
Parents are responsible for their minor children’s actions, but many parents I know pay no attention to what their kids do on their phones. They either don’t want to make their kids mad at them (yes, this is real, and, unfortunately, common in our area) or have no idea you could do that (ditto). Kids have parents and teachers that don’t teach computer safety - and by extension, phone safety - and think nothing of clicking on everything and filling out anything, if they think they could win something.
I have to rethink “hacking” every time something like this happens, because when Ashley Madison or government bigwigs get hacked, I laugh. Teens’ info, or medical records? I cringe.


Teenagers have Yahoo email addresses in 2017?


You have to admit it would be pretty weird for a fifteen-year-old to have signed up for a Yahoo address more than two decades ago.


Those two little words can lead to an accusation of “victim blaming” here on BB.

'Cos as you know, everyone is entitled to an expectation of airtight security every time they install an app, or connect some fifteen buck IoT gadget to their router. It’s in the ten commandments, or the Constitution, or something.

Even worse. People are responsible for their own safety?? That’s crazy talk.

You can’t teach what you don’t know.


OK, sure. I don’t think that anyone would disagree that parents and teachers have a role here. But the way you arrive at

is when you ignore a glaring power imbalance. As you said, parents are just trying to manage their relationship to their children. But in doing so, they’re competing with a professional, predatory enemy. I don’t say that to (only) demonize these tech firms, but also to highlight the actual nature of the relationship. These companies feed off the weak, the tired, the inexperienced, and less knowledgeable. They use a workforce of hungry coders and leadership (to put it lightly) less interested in work-life balance than their consumers might be.

Yes, absolutely. The balance of keeping your kids comfortable talking to you about what they are doing, what they are feeling and restricting their freedom is a real one. Short of a complete internet/app ban, or aggressive whitelisting - which is the nuclear option that would surely destroy trust - what is the option for a parent? A thorough security audit of every app their children sign up for? Where do parents, or even overworked, underfunded teachers get this time? this expertise? to compete with tech entrepreneurs that lawmakers can’t even, or won’t even themselves keep up with?

There is a role for parents here, to be informed, to stay aware of what their children are up to. However, in a wild west industry, where is this information coming from for parents to educate themselves? Why not give them an ally and some support in the perpetual struggle with an advertising and data sucking industry that works around the clock to end-run them and shut them out to get at that sweet, juicy data/money?


Ohhhh… Now I see what you were saying. Reading comprehension fail on my part.

I protect my own privacy online as carefully as I can. I provide personal data only to the barest minimum of sites, and I use a dumb phone. So it’s not like I am asking my kids to do anything that I don’t do myself.


Would they avoid making their kids mad if the kids wanted access to the liquor cabinet? Or the gun safe? I don’t think it’s hyperbole to suggest that unrestricted access to anything you can do on a smartphone is starting to approach that level of risk.

My rugrats are grown and on their own now, but if I still had kids at home you can bet your ass I’d be shopping for something like this:


Unfortunately, yes. Many of the teen mass shooters are an extreme example of this.

Yep. I monitored the kids and kept the family computer in the living room.
Funny, that - the kid that I had read the entire Terms and Services of AOL* out loud, when I found out she was being an ignorant ass online, now has parental control software on her teen son’s laptop.

*14 pages, printed out.

This is the other part of the solution. Tech companies should be held responsible for their products and actions.

I know it’s probably silly to think everyone will start becoming responsible for what they do. Somehow I feel I have to keep pointing it out, crying into the digital wilderness, hoping that something will change because of it.
(Keywords: futility, everyone’s mama, bring back integrity)


It might help but it’s a bit of a token gesture. This sort of hacking is about live, internet-connected servers, so the data might be encrypted on disk but it has to be available to whatever software is serving the website. If I compromise that, I’ve got access to whatever data is driving the website, at a minimum. If I gain root access then all bets are off. End-to-end encryption is only practical for certain applications, at least so far.

I agree with you in spirit though, I’m just saying I think you need to legislate for liability in the case of leaks and let them work out for themselves how to prevent that. Otherwise companies leak data and get away with it because their disks were encrypted.


Cross generational comparisons are often not useful.

The cost to you or me of using a dumb phone may be negligible to you or me, but may essentially be social death two generations down.

Or when I was a kid, there were those few parents that didn’t let their kids watch TV. No sacrifice to the parents, but it resulted in social isolation because TV was such a big part of our life back then.

In other words, us enduring similar restrictions does not mean we’re enduring similar impact.


Serious question: have you ever been a 17 year old?
