Hello r/movies! Since MoviePass has become a large part of my, and many others’, cinema experience over the past few months, I felt it was important to post about something they’re doing that is a bit discomforting.
Recently, MoviePass introduced a ticket verification system where users would upload their ticket stubs to verify that the movie they checked in for was in fact the movie they saw. This system is currently in beta and is being rolled out to users in waves.
MoviePass is not verifying these tickets in house. Instead, they’re outsourcing the job to Amazon’s Mechanical Turk, a platform where freelance workers can perform small, isolated tasks like taking surveys, transcribing data or, as is the case here, verifying user info.
In my opinion, this is not a bad thing. Verifying your ticket via a single snapshot strikes me as incredibly reasonable, and outsourcing the verification job to a separate company makes a lot of sense, especially since MoviePass is infamously understaffed.
What is bad, however, is that some of these tickets are being posted to public forums without your knowledge. On r/MoviePassmTurk, Mechanical Turk workers are sharing user-submitted verification photos. These are shared primarily to mock faults with the photo, with the primary joke being that the MoviePass user submitted something incorrectly and will likely have their account banned. A few of these photos even feature people in them and, though the eyes are always censored, nothing else is.
Beyond this, anybody with an Amazon account (NOT a mTurk account, just a normal Amazon account) can view these photos by following a few simple steps, as documented here. This means that, right now, you can go onto mTurk and look through the photos until you find one featuring someone’s face or unintentionally submitted personal information. (EDIT FOR CLARITY: There is some conflicting information about whether or not MoviePass fixed or somewhat limited this. However, even if they did, they do not appear to have made a public statement letting people know about the data breach.)
MoviePass has a carefully worded Privacy Policy that allows them to collect and share your user data as necessary. However, there is an expectation that this data will not be publicly accessible and will not be handed to employees that have no accountability and can share it as they wish.
Now, some of you may be wondering why this is a big deal. That’s a fair question. Personally, I think the fact that MoviePass users are being publicly shamed and, in a few cases, having their faces and other minor data publicly displayed is reason enough to raise a small stink. However, it goes well beyond that. If MoviePass’ company infrastructure permits the public display of user photos, it raises questions about how they handle your more sensitive information, such as your address and credit card number.
TL;DR – In an attempt to outsource ticket verification, MoviePass is posting user photos to Amazon’s Mechanical Turk. This means your private data is available to anyone with an Amazon account, raising serious concerns about how MoviePass manages user information.
Submitted May 06, 2018 at 08:32AM by LeiAdeline https://ift.tt/2rpZvTs
