kiwifidget
"Cookie"
3423 posts

Uber Geek

Lifetime subscriber

  #3305796 6-Nov-2024 10:18

freitasm:

 

Ruphus:

 

To see the lists you've been included on with Facebook advertisers:

 

     

  1. After logging into Facebook, click on your profile picture and go to Setting & Privacy > Settings
  2. Click on Accounts Centre
  3. Click on Your information and permissions > Access your information
  4. Click on Ads information > Advertisers who've uploaded a contact list with your information

 

 

Good stuff. Facebook presents a huge list NOT IN ANY ORDER. Just to make it harder for you.

 

 

Crikey, that's quite a list for me.

 

And no way to remove things from said list????





Delete cookies?! Are you insane?!




ezbee
2406 posts

Uber Geek


  #3305799 6-Nov-2024 10:47

It may be my speedreading, but I have not seen mention on when this happened.
Just a new thing this year, or for years?


ANglEAUT
2325 posts

Uber Geek

Trusted
Lifetime subscriber

  #3305802 6-Nov-2024 10:58

kiwifidget:

 

Crikey, that's quite a list for me.

 

And no way to remove things from said list????

 

 

Can you imagine the list for non-GZ folks that click on every link & install every app? 😨😮😰

 

For each org that uploaded one or multiple lists, you can drill down into the list & "ask FB nicely" not to use that list for marketing purposes targeted at you.





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.




ezbee
2406 posts

Uber Geek


  #3305803 6-Nov-2024 11:02

Kinda answering my own question.
Perhaps a one-off in Feb this year when full details revealed in one data drop?
Though part of a decades old practice of supplying some 'more anonymized?' information when using Facebook etc services?
Maybe 

 


Ok RNZ had more info today.
https://www.rnz.co.nz/news/national/532986/inland-revenue-s-apology-for-privacy-breach-of-people-s-details-questioned-by-taxpayers

 


""
In the apologies RNZ has seen, IRD said an individual's name, email addresses, phone numbers, date of birth, age, country and city of residence were shared with Facebook's parent Meta on 8 February 2024.

 

"The [unencrypted] information was shared directly with Meta support because we were trying to fix a problem with a custom audience file," the apology said.

 

"This is a file of people that we needed to reach to inform that they may have a tax bill due.

 

"We incorrectly emailed an unprotected copy of the file to Meta support," deputy commissioner of enterprise service, Mike Cunnington, said.

 

Afterwards, IRD asked Meta to delete the file.

 

"They confirmed the information was securely deleted once the problem had been fixed. The file was not used for any other purpose."
""


Behodar
10508 posts

Uber Geek

Trusted
Lifetime subscriber

  #3305804 6-Nov-2024 11:07

Ruphus:

 

To see the lists you've been included on with Facebook advertisers:

 

     

  1. After logging into Facebook, click on your profile picture and go to Setting & Privacy > Settings
  2. Click on Accounts Centre
  3. Click on Your information and permissions > Access your information
  4. Click on Ads information > Advertisers who've uploaded a contact list with your information

 

 

Given Facebook's track record, I assume that if you don't have a Facebook account then they've still held onto the data instead of deleting it...


nova
250 posts

Master Geek

Trusted

  #3305805 6-Nov-2024 11:11

wellygary:

 

What I find truly baffling is the IRD believe (or have been convinced) that Socials gets more cut through to taxpayers, than standard communication channels.

 

I mean IRD have your address, phone number, and in most cases email, and they have the power of the State to prosecute you if you don't pay them...

 

But they think popping up "targeted" messages to you on FB is a better delivery medium, 

 

TBH it sounds like they are just lazy... 

 

 

Exactly this. It is unbelievable that they were doing this. And the lack of controls is staggering, what safeguards does IRD have to protect "customer" data? (As an aside customer is in quotes as that is IRD's language and I'm wondering how I can stop being a customer?) How many employees have access to export this data? There is a bit of detail on what they are doing on the IRD website and it is not pretty:

 

https://www.ird.govt.nz/-/media/project/ir/home/documents/about-us/social-media/review-and-analysis-of-social-media-for-custom-audiences.pdf?modified=20241104230919&modified=20241104230919

 

Notwithstanding the main breach, where they sent 268K names, addresses, phone numbers etc on the 8th of Feb, it appears that they have been following a highly insecure process for ten years, by sending customer audience lists to Facebook and others. I've highlighted a few quotes below, but given more time there is a lot more that could be said about this.

 

This information is hashed locally within an Inland Revenue managed internet browser, before being sent to the platforms through a secured channel.

 

Ok so you used an internet browser that you didn't write, running JavaScript code that you didn't write, and you trusted that the JavaScript code was securely hashing the plaintext data that you submitted to it before uploading it? And elsewhere the doc describes the process as "machine to machine with no human intervention", if that is the case why was an internet browser being used?

 

 

Hashing is a commonly used way of sharing de-identified data. In the context of social media usage, the platforms used by Inland Revenue implement the SHA-256 hashing algorithm for custom audience list hashing. This meets the standards and guidance set by Government Communications Security Bureau (GCSB).
As of now, SHA-256 remains secure against quantum attacks. While it is possible to apply a rainbow attack to hashed data under certain limited conditions, the hashed data must first be accessed.

 

 

Elsewhere in the doc it confirms that no salt was used with the hash, and unfortunately the types of information they are sending have a small keyspace. It is trivial to obtain a list of every single address in NZ, and the compute cost to build a rainbow table of every single address is also trivial. Probably less than a cent of compute from cloud computing vendors.
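
Added example (not part of any post in this thread, and not IRD's or Meta's code): a Python sketch of the point made in the post above, that unsalted SHA-256 over a small keyspace can be reversed by precomputing every candidate, set beside a keyed HMAC that the same table cannot match. The number prefix, sample values and key are constructed for illustration.

```python
import hashlib
import hmac

def sha256_hex(value: str) -> str:
    """Unsalted SHA-256 of an identifier, as in the process the post quotes."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def keyed_hex(value: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key held only by the data owner."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def candidate_numbers(prefix: str, digits: int):
    """Enumerate every value in a constructed, deliberately tiny keyspace."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"

def build_lookup(candidates, hash_fn) -> dict:
    """Precompute hash -> plaintext for every candidate value."""
    return {hash_fn(c): c for c in candidates}

def reidentify(hashed_list, lookup) -> dict:
    """Return the hashed entries whose plaintext the lookup table recovers."""
    return {h: lookup[h] for h in hashed_list if h in lookup}

# Constructed sample data: fictional numbers, 4 variable digits (10,000 values).
PREFIX, DIGITS = "6421555", 4
SAMPLE = ["64215550123", "64215554821", "64215559999"]
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"

def run_demo():
    """Hash the sample both ways and test each list against one unsalted table."""
    lookup = build_lookup(candidate_numbers(PREFIX, DIGITS), sha256_hex)
    unsalted = [sha256_hex(v) for v in SAMPLE]
    keyed = [keyed_hex(v, SECRET_KEY) for v in SAMPLE]
    return reidentify(unsalted, lookup), reidentify(keyed, lookup)

if __name__ == "__main__":
    recovered_unsalted, recovered_keyed = run_demo()
    print("unsalted entries recovered:", sorted(recovered_unsalted.values()))
    print("keyed entries recovered:", sorted(recovered_keyed.values()))
```

A keyed hash cannot be recomputed by the receiving platform, so it protects the values only by giving up the list matching the upload was meant to enable.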


Ruphus
465 posts

Ultimate Geek


  #3305808 6-Nov-2024 11:14

I got a notification from IRD this morning that my information was included in data that was sent to Meta.

 

 

 

"We are writing to inform you of, and apologise for, a recent privacy incident involving your personal information. You do not need to take any action.

 

The incident

 

On 8 February 2024, a file containing some of your details was shared with a Meta (Facebook) support employee without our appropriate levels of data protection applied. The information in the file related to a number of individuals and contained the following fields; first name, last name, email addresses, mobile numbers, date of birth, age, country, city and postcode.

 

The information was shared directly with Meta support because we were trying to fix a problem with a customer audience file. This is a file of people that we needed to reach to inform that they may have a tax bill due. The file, which had earlier been uploaded using our standard data protections, was not matching correctly, so we asked Meta support if they could help fix the problem. Meta support asked us to send the file so they could find the issue at their end. We incorrectly emailed an unprotected copy of the file to Meta support. This was a one-off incident, and is outside of our normal process.

 

Actions taken

 

After the file was sent, we asked Meta support to delete it and they confirmed the information was securely deleted once the problem had been fixed. The file was not used for any other purpose.

 

We discovered this incident during the internal review of our use of custom audience lists on social media. The incident is not a notifiable privacy breach under the Privacy Act as there is no risk of serious harm. However, we want to be transparent which is why we are contacting you. We have also notified the Privacy Commissioner of this incident.

 

Next steps

 

We value your privacy and are disappointed this incident has occurred. We sincerely apologise.

 

We have stopped the use of customer audience lists. This means we are no longer provide customer information to social media platforms.

 

You have the right to make a complaint to the Privacy Commissioner about this incident. There is information on how to do this on the Privacy Commissioner's website privacy.org.nz.

 

You can find out more about custom audience lists and read the Review and Analysis of Social Media Usage for Custom Audience report and ird.govt.nz/customaudiencelists"

 

 

 

Edit: Fixed typos.


 
 
 

Ge0rge
2055 posts

Uber Geek

Trusted
Lifetime subscriber

  #3305858 6-Nov-2024 11:19

Did that even get proof-read before sending?

SirHumphreyAppleby
2847 posts

Uber Geek


  #3305859 6-Nov-2024 11:24

Ge0rge: Did that even get proof-read before sending?

 

Apparently not.

 

Also note they are only referring to data that was sent to 'Meta support'. Based on this and the original linked article specifically referring to raw "unencrypted" (sic) data, it doesn't look to me like they are acknowledging any fault with their disclosure of SHA-256 hashed data.

 

Those who actually receive notice are probably just the tip of the iceberg.


Ruphus
465 posts

Ultimate Geek


  #3305874 6-Nov-2024 12:01

@Ge0rge, @SirHumphreyAppleby - Sorry guys. I had to manually type the letter as it's only an image in MyIR without the ability to copy the text. I didn't want to upload an image of the letter.


cddt
1561 posts

Uber Geek


  #3305875 6-Nov-2024 12:01

SirHumphreyAppleby:

 

it doesn't look to me like they are acknowledging any fault with their disclosure of SHA-256 hashed data.

 

 

Correct. The report was obviously written by someone with enough knowledge to understand the reasons they should not have done it, yet has been paid enough to write this drivel in an effort to deflect attention from the real shortcomings and failures in their treatment of our PII data. 







Ruphus
465 posts

Ultimate Geek


  #3305877 6-Nov-2024 12:04

Here's a copy of the letter for transparency.

 


wellygary

8328 posts

Uber Geek


  #3305881 6-Nov-2024 12:14

SirHumphreyAppleby:

 

 it doesn't look to me like they are acknowledging any fault with their disclosure of SHA-256 hashed data.

 

 

No, and that's the issue that this should be about, IRD (and the Privacy Commissioner) appear to be OK with giving out Hashed Data, on the basis that Global Social media companies say "Trust us" not to do anything nefarious with it...

 

Now, from Briscoes, or Whitcoulls or high street retailers I could understand this, 

 

BUT THIS IS IRD... THE Freaking TAX DEPARTMENT,

 

if they want trust from taxpayers, they need to be Whiter than White, and getting into bed with Zuck et al is a pretty low bar if you ask me...


cshwone
1070 posts

Uber Geek


  #3305896 6-Nov-2024 12:57

wellygary:

 

SirHumphreyAppleby:

 

 it doesn't look to me like they are acknowledging any fault with their disclosure of SHA-256 hashed data.

 

 

No, and that's the issue that this should be about, IRD (and the Privacy Commissioner) appear to be OK with giving out Hashed Data, on the basis that Global Social media companies say "Trust us" not to do anything nefarious with it...

 

Now, from Briscoes, or Whitcoulls or high street retailers I could understand this, 

 

BUT THIS IS IRD... THE Freaking TAX DEPARTMENT,

 

if they want trust from taxpayers, they need to be Whiter than White, and getting into bed with Zuck et al is a pretty low bar if you ask me...

 

 

And we have absolutely no choice in the matter of the provision of personal data to IRD. We are not "customers" we are taxpayers.


rugrat
3107 posts

Uber Geek

Lifetime subscriber

  #3305901 6-Nov-2024 13:36

IRD has had my incorrect address for over 18 years.

 

I got the above letter today as well. The address on 8 February would’ve been the wrong one including email and phone number.

 

I only updated to correct address when they started taking money directly from my wages to pay tax bill.

 

I hadn’t updated address with IRD as thought they were all knowing, know who my employer is, know my bank account numbers, can take money from wages etc at will, yet they can’t get my contact details from anyone, even though they were sharing details had on me to others!

 

Looks like doing the data matching with Facebook didn’t help them get contact details either. Don’t get why they just didn’t ask bank or employer. Yet they went out of way to ask employer to deduct from wages.

 

I’ve since joined MyIrd and updated my details. New letters are being received through there, plus can see all lost letters and address they were sent to.

 

 

