The more than one million messages obtained by 404 Media are as recent as last week, discuss incredibly sensitive topics, and make it trivial to unmask some anonymous Tea users.
The company should be sued into the ground. This is horrendous
I mean, it’s on brand. The doxxing app is successfully doxxing people…
In any other engineering discipline this would be negligence.
It is negligence, but information workers have very little regulation when it comes to handling personal data (outside of specific fields, like healthcare and finance).
I say this as an information worker who handles a lot of personal data. Worst case scenario, I get fired and can’t use them as a reference. Unless I’m intentionally stealing data and using it for crimes there’s no risk of criminal penalties.
We needed privacy laws 20 years ago but the tech bros assured everyone that it would be fine and for a long time they were mostly responsible with our data. But now we’re well into the enshittification of the Internet and the lack of regulation is allowing these kinds of harms to become common.
Though, in a sane regulatory framework Tea wouldn’t be allowed to exist in the first place. The entire point of the site is to doxx people and share personal details about them without their consent.
At least some of the negligence is on Google, for the atrocious default security settings in Firebase
The vulnerability is called hospital gown because they leave the back end wide open by design. It’s not even a traditional vulnerability, since it’s technically working as intended
In fairness if you leave Firebase in its default settings it won’t shut up about it.
You get warnings on the website, and constant emails telling you that you’re being a pillocked.
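Added example, not part of the thread: a small audit of the kind of open-by-configuration backend the comments above describe. It assumes the rules are a Firebase Realtime Database rules file in plain JSON (the thread does not say which Firebase product was involved), and the sample rules and function names are constructed for illustration.

```python
import json

# Constructed sample rules file (not taken from the Tea app or any real project).
SAMPLE_RULES = """
{"rules": {
  "messages": {
    ".read": true,
    ".write": "auth != null",
    "$chatId": {
      ".read": "auth != null && data.child('members').child(auth.uid).exists()"
    }
  },
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid"}}
}}
"""

def classify(expr):
    """Return 'public', 'any-signed-in', or None for a .read/.write value."""
    if expr is True:
        return "public"
    if isinstance(expr, str):
        flat = expr.replace(" ", "")
        if flat == "true":
            return "public"
        if flat in ("auth!=null", "auth!==null", "auth.uid!=null", "auth.uid!==null"):
            return "any-signed-in"  # weak if sign-up is open or anonymous auth is on
    return None

def audit(node, path="", granted=None):
    """Walk the rules tree; a grant at a parent cascades to every child path."""
    granted = dict(granted or {})
    findings = []
    for op in (".read", ".write"):
        level = classify(node.get(op))
        if op in granted:
            if op in node:  # a stricter child rule cannot revoke the parent's grant
                findings.append((path, op, "no effect, granted at " + granted[op]))
        elif level:
            findings.append((path or "/", op, level))
            granted[op] = path or "/"
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, f"{path}/{key}", granted)
    return findings

def audit_rules(text):
    return audit(json.loads(text)["rules"])
```

Run against the sample, it reports the public read on `/messages`, the any-signed-in write, and the per-chat membership rule that looks protective but does nothing because the parent already granted read.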
Both the company, for failing to protect its users; and a large majority of its users, for doxxing and libel.
It’s unfortunate that it happened this way, but now the people who are being libeled against and doxxed have the ability to find out about it where they didn’t before.
I’m not going to hold it against women for having a private group to tell on predatory dudes when this existed and nobody ever faced any consequences. What We Learned About the 70K-Person Telegram Channel on How to Rape Women
This is some Grade-A whataboutism right here.
Of COURSE the people in that group chat deserve punishment, and probably the same 20 years that French(?) guy got depending on who all did what.
Just because that happened though doesn’t excuse that this happened. The company did a horrendous thing by holding onto highly sensitive and private data it said it should have deleted and then failed to secure it in any way, AND the userbase was absolutely vile and abusive towards men.
All three things need to see justice brought to them, and you should not excuse one just because another happened and wasn’t dealt with properly.
Arguing that tea was for “telling on predatory dudes” is like saying backdooring encryption is to catch people spreading CP.
That’s what the creator of the site said it was for.
Would you believe me if I told you some systems are used for other things than what’s intended?
Sure, if you have evidence. What do you think it was really being used for? And what’s your evidence?
No need for evidence. The idea of anyone being able to claim anything about a person without proof is inherently flawed. Are you saying that the app has some magical feature which forces everyone to tell the truth? No disgruntled ex can make up things about their previous partner? I would love to see you prove that.
No, of course I’m not saying that. It’s a profoundly stupid idea because it is so open to abuse. That doesn’t mean that the majority of users are abusing it, though, which seems to be what you’re claiming.
The UK said the OSA is to protect children. But people lie.
Yeah, and the US Marshals Service said Operation Flagship was just a football sweepstakes.
And that’s what the people seeking to ban encryption claim it to be for, as well. Doesn’t make it true.
What is the truth, then?
That this app was set up for libel and doxxing, and would be abhorrent if the demographics were switched at all.
You know the “pro features” included address and phone number? Never mind the unaccountable reviews the reviewed can’t even see making targeted harassment campaigns easier, posting “address and phone number” is “bad.”
You believe that women are more likely to lie about a man than tell the truth?
Just another story where victims go on to become abusers it seems.
Nah they were abusers all along
You get 89 cents in the settlement. Do you prefer to get a direct deposit or a check?
Nah, they just go bankrupt.
1 week free access to the service that did it in the first place is my favorite class action outcome.
Nah, just stop using it. Suing does nothing, it just benefits lawyers and not any of us.
But it may hurt the creators who
A) Made this abhorrent shit to begin with
B) Didn’t secure a goddamn thing and lied to users about the leaked info being deleted
so whether or not I benefit monetarily, I benefit by it being shut down and those responsible being held at least a little accountable for their various misdeeds to both their users and humanity at large. Plus that may serve as a deterrent for the next libel app that thinks they’ve reinvented facebook 1.0 (which, they might have some advice about this exact scenario, actually.)
It sucks for those people, but everyone should expect anything they say online to be possibly tied back to them. Secrets and identification information don’t mix. Especially online. The good news is that there is no evidence any of it is real, anyone can lie on the site saying whatever they want, so if doxed someone can just say they were bored and wanted to fit in and see what others were discussing or such. Hopefully for them it doesn’t turn into people getting hurt for talking behind someone’s back like it often does offline.
fuck off with that complacency
there are so many underlying rules for private communication between computer systems, this type of thing is pure neglect bordering on international.
there’s no reason to think everything online should be open and available. we should all be allowed to be in private spaces, especially if it’s advertised as a private space
There are no private spaces online, your privacy is at the whim of whoever owns the servers and whatever government controls them.
Unless you’re using end to end encrypted communication with people you know and trust you should assume that everything you do online has your actual name and face attached to it.
I do agree that it sucks.
There should be laws, with criminal consequences, that protect our privacy but essentially every government is of the opinion that actual privacy should never exist online because they think it’s better to sacrifice everyone’s privacy than to let a single criminal go undetected.
This is why you see all Western governments simultaneously running “think of the children” campaigns as they slowly maneuver the Internet into requiring every device be identifiable and linked to a person.
This is why the end-to-end encrypted communication providers are also being pressured right now. Because systems built using encryption to enforce the rules are actually private.
Governments know this, as they heavily rely on encrypted communication systems. They just don’t want anybody else to have that privilege.
Which is it? It logically can’t be both. I own at least a dozen servers.
There are no private spaces online, because your privacy is only protected by the people who own the servers. Your data isn’t private to them, nor any governments who can compel them.
You cannot trust that any data you put on services, that you’re not completely in control of, is going to remain private.
There are countless examples of services selling your data, hackers getting access to your data or governments compelling a service provider to produce your data on demand.
The exception to that are services where you can enforce your privacy through well implemented encryption.
For example, I don’t need to trust a cloud storage provider that is storing my data because it’s encrypted on my machine using keys that only I control prior to being stored. My privacy doesn’t require me to trust that Google will protect my data from insiders, hackers or hostile governments because they don’t have the ability to produce it. My privacy is protected by the laws of mathematics regardless of how compromised the service provider is.
Yes, I know all that. I spent 25 years in tech, which is why I also know how to run secure services online. Hence my comment above.
People complaining here that security was too lax, people complaining in the next thread that the libre dev is the victim because security was too high.
Is it possible to get both balanced, yes. But it will never make everyone happy.