this post was submitted on 22 Feb 2026
689 points (99.4% liked)

[–] Lost_My_Mind@lemmy.world 184 points 2 days ago (7 children)

"Why wouldn't I use verification? I've got nothing to hide".

This. This is why you do not submit willingly, regardless of what you have to hide. Fascism doesn't give a shit if you're innocent.

[–] MonkderVierte@lemmy.zip 21 points 1 day ago (1 children)

"I've got nothing to hide".

That's not for you to decide.

[–] BarneyPiccolo@lemmy.today 4 points 1 day ago

We'll determine that after several days of brutal torture. If we determine that you're telling the truth, then you'll be free to go. No harm, no foul.

[–] leds@feddit.dk 51 points 2 days ago (2 children)

Using Microsoft Teams at work, it keeps on asking me to record a voice sample and selfie so it can identify me in meetings, yeah no thanks

[–] A_norny_mousse@piefed.zip 9 points 1 day ago (1 children)

And then your coworkers think you're IT challenged because you don't even know how to do the simplest things. (true story)

[–] Monument@lemmy.sdf.org 13 points 1 day ago (2 children)

My company just mandatorily implemented “Windows Hello”

No one seems to be able to tell me why the information from Microsoft says the fingerprint and face scans are both “local only” and may take 24 hours to sync after initial setup. Where are they syncing to?
(I opted for the ‘pin’ method instead of surrendering my biometrics.)

[–] Kiernian@lemmy.world 5 points 1 day ago (1 children)

PIN is the best way to go there. It only works on that one machine, although you can technically set the same PIN again on another computer.

I believe the typical intent is as follows:

  1. It is now possible to brute force things that were previously considered "complex" passwords in a semi-reasonable amount of time.
  2. This necessitates longer and more complex passwords.
  3. People can't remember those so they have a tendency to write them down or do other relatively insecure things with them.
  4. Forgotten passwords can generate a lot of helpdesk calls and are also an attack vector.
  5. If we insist on really complex passwords that are too long to reasonably brute force with current technology, we need a way for users to log in that's not going to make 3 and 4 a major issue.
  6. If the simpler PIN method is locked to a per-machine basis, it matters a lot less if the PIN is compromised because you also need physical access to the computer or the PIN is useless.

This should, in theory, allow workplaces to set requirements for really complex passwords that only need to be reset once a year or so, without breaking helpdesk, inconveniencing users, or leaving gaping security holes.

Whether or not that all happens depends on the workplace, but that's the general thought process in most of the places I've worked where a modicum of sense prevails.

[–] Monument@lemmy.sdf.org 2 points 1 day ago (2 children)

…. Oh!

You just explained a question I had.
I couldn’t figure out why a pin was considered more secure.

In my reasoning: How is a PIN (potentially numeric only), changed 1x a year, safer than a password (3 of 4: Alpha, Mixed case, numeric, special chars), changed 4x a year?

The answer, as you explained, is scope of trust. Machine only vs tenant-wide. That makes sense.

[–] tux7350@lemmy.world 3 points 1 day ago

Windows Hello ties the PIN to the TPM of the computer. It's not just you having a PIN, it's the PIN + the crypto secret loaded on the device. That's why it's more secure than just a complex password.
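
The scope-of-trust idea discussed in the comments above (a PIN that only unlocks a secret held on one machine), as an added sketch that is not from any commenter and is not Windows Hello's code. The `Device` and `Server` classes, the lockout threshold of 5 and the sample PIN are assumptions, and HMAC with a shared key stands in for the public-key signature a device-bound scheme would normally use.

```python
import hashlib, hmac, os

class Device:
    """Toy model of a device-bound credential (not Windows Hello's real code)."""
    MAX_FAILURES = 5  # assumed lockout threshold, standing in for hardware lockout

    def __init__(self, pin):
        self._salt = os.urandom(16)
        self._secret = os.urandom(32)      # created on this device, never typed by the user
        self._pin_hash = self._stretch(pin)
        self._failures = 0

    def _stretch(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def enrol(self):
        # Registered with the server once. Stand-in: a real scheme sends a public key.
        return self._secret

    def sign(self, pin, challenge):
        if self._failures >= self.MAX_FAILURES:
            return None                    # locked out, even for the correct PIN
        if not hmac.compare_digest(self._stretch(pin), self._pin_hash):
            self._failures += 1
            return None
        self._failures = 0
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self._keys = {}                    # user -> key registered by that user's device
    def register(self, user, key):
        self._keys[user] = key
    def verify(self, user, challenge, response):
        if response is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    server, laptop, other_pc = Server(), Device("4821"), Device("4821")  # constructed PIN
    server.register("alice", laptop.enrol())
    challenge = os.urandom(16)
    ok = server.verify("alice", challenge, laptop.sign("4821", challenge))
    pin_elsewhere = server.verify("alice", challenge, other_pc.sign("4821", challenge))
    for guess in range(Device.MAX_FAILURES):        # wrong guesses at the keyboard
        laptop.sign(f"{guess:04d}", challenge)
    locked = laptop.sign("4821", challenge) is None
    return ok, pin_elsewhere, locked
```

`demo()` returns `(True, False, True)`: the PIN works on the enrolled machine, the same PIN typed on a different machine proves nothing to the server, and repeated wrong guesses lock the local credential.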

[–] smh@slrpnk.net 3 points 1 day ago (2 children)

That makes sense. Something you have (that specific machine) + something you know (your pin).

I used to work someplace where we all had a pin+a smart card that we'd insert into the machine, same idea except I could log into any machine with the card+pin combination.

Loved not having to remember a long AF password. Didn't like having to drive home if I forgot my card on the kitchen counter.

[–] JcbAzPx@lemmy.world 2 points 19 hours ago

The problem is, if someone does get physical access to the machine, you've just made breaking into it much easier.

[–] Poem_for_your_sprog@lemmy.world 1 points 17 hours ago

Just keep the card in your anus

[–] wizardbeard@lemmy.dbzer0.com 5 points 1 day ago (1 children)

My assumption is that they are recorded locally, then hashed, then the hash is sent to Azure (Microsoft cloud) as Windows Hello leverages some cloud features. Some things in Azure have warnings about taking up to 24 hours to take effect.

Hashing locally and sending the hash to a server is the same way all passwords for online services and systems work, so nothing nefarious there.

There's probably perceptual hashing so they can count 95% similarity as a match without having to check against the source material every time.

[–] Monument@lemmy.sdf.org 8 points 1 day ago

I could accept that it has to do with Azure propagation delays, but the verbiage was explicit about our computers syncing to the tenant. (Vs. data propagating across it.)

I sort of reject the idea that there’s nothing nefarious going on. The misdirect is weird.

Unless they’re salting the hashed data with information they can’t access, they’re just creating a database of faces and fingerprints.
Sure, maybe if their cryptography is good the DB cannot be reversed but they can still use an unsalted database to give match/no match info on scans of faces and fingerprints submitted to it.
But also, I firmly don’t trust Microsoft. They’ve violated our ELA several times - mostly around applying analytics tools to our data without consulting us first. (Like rolling out MS Viva without telling us.)

[–] buttmasterflex@piefed.social 4 points 1 day ago

Woof. Every time I open a Word doc at work, I now get a pop up saying I've disabled location services in my system settings. Why the fuck does Microsoft need to know my location for opening a Word doc?!

[–] MalReynolds@slrpnk.net 29 points 2 days ago* (last edited 2 days ago) (1 children)

Depending on context my favorite answers to "Why do you need privacy if you have nothing to hide?" are

"I need privacy, not because my actions are questionable, but because your judgements and intentions are.",

"Arguing that you don't care about privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say." - Edward Snowden,

and "The only difference between a wizard hat and a dunce cap is the wide brim of privacy."

ETA: None of which a fascist will give a shit about, but can be useful in politer society.

[–] Dry_Monk@lemmy.world 19 points 2 days ago (3 children)

My favorite is:

"So take off your pants. Right here, right now."

Gets the point across quickly and viscerally.

This is good but I prefer demanding they unlock their phone and hand it to me.

[–] Kolanaki@pawb.social 6 points 1 day ago (2 children)

What do you do if they drop trou?

[–] No1@aussie.zone 4 points 1 day ago

Take a photo, and use that for face ID.

Or call the cops.

[–] Inkstainthebat@pawb.social 4 points 1 day ago

Inspect, very carefully, and point out every detail of course

[–] MalReynolds@slrpnk.net -1 points 2 days ago* (last edited 1 day ago) (1 children)

Joke's on you, not wearing any (and how would you know on the other side of a cable) ;)

I get your point but I think there are higher levels here than just a nudity taboo.

[–] A_norny_mousse@piefed.zip 8 points 1 day ago (2 children)

The point is to counter the dumb "I have nothing to hide" statement. It simply isn't true. If that evolves into a deeper convo, good.

[–] Dry_Monk@lemmy.world 1 points 1 day ago

This exactly. It's meant to open up the conversation.

[–] MalReynolds@slrpnk.net -3 points 1 day ago

Fair cop, not my style, but you do you.

[–] ImgurRefugee114@reddthat.com 32 points 2 days ago (1 children)

"If you have nothing to hide, why are you wearing pants? Why don't you tell me your password?"

[–] VitoRobles@lemmy.today 17 points 2 days ago (1 children)

I wear pants to protect my password! No, please! Don't hit me in the password!

[–] zurohki@aussie.zone 26 points 1 day ago* (last edited 1 day ago) (1 children)
[–] dethedrus@lemmy.dbzer0.com 1 points 21 hours ago

Ooof, right in the password! That'll leave a mark.

[–] NotASharkInAManSuit@lemmy.world 8 points 1 day ago (1 children)
[–] Ghostie@lemmy.zip 5 points 1 day ago* (last edited 1 day ago)

“Suspicious how defensive you are getting about your innocence towards the crime we’ve accused you of committing.”

[–] zergtoshi@lemmy.world 19 points 2 days ago

Whether there's "nothing to hide" is an assessment made by the fascists and not by the people giving out information.

[–] WanderingThoughts@europe.pub 15 points 2 days ago

And then a new president comes into office or just changes their mind and now something that used to be innocent is now a violation. Luckily the government recorded everything you ever said and did, so knows exactly who to arrest.