As a security engineer, I cannot overstate just how horrible this is. Phone numbers might not be an ideal 2nd factor for authentication, but to punish users for setting up 2FA by using the provided phone number for ad targeting is incredibly unethical.
But, as someone who understands that not all people and companies use the same moral set as myself, this is why I've never set up 2FA using a phone.
Why should I give some company my phone number? Increasingly it's become a single point of metadata to uniquely describe myself (just as my email addresses have).
That doesn’t need to be the case though with just a little bit of effort and minimal cost. Use your own domain for email and set your account to be a catchall. Then use facebook.com@yourdomain.tld and your email address is no longer a cross site unique identifier.
Isn't this it though, the engineers designing the ad targeting system at Facebook are linking the random emails you use as "catch all" to your main identity so you can be targeted specifically even though neither party has full knowledge of the linkage between your catchall email and your main identity email. This is facilitated by information that is not under your control.
If facebook was able to design and build this system, you can bet that other companies are doing this too.
Check the TOS and/or implementations for many of the tracking providers and you’ll see they use hashed emails. Show me a way to extract the common domain name from the below:
The simple way would be to use part of the hash for the domain and part for the user. If you alternated bits it wouldn't be obvious.
I doubt it'd be worth spending the effort to target people with personal domains though, and it would have some negative effects, so your point is well taken.
If the hashing algorithm is known (and my guess is it is at least possible to reverse engineer it, if it isn't documented) then cracking a hash with a GPU may be quite feasible.
The hashing algorithm is well known, it’s unsalted md5/sha1/sha256. That doesn’t make it necessarily possible (sure, some cases yes, but not even most), let alone feasible, to rainbow table them.
It's pretty simple to crack unsalted hashes using rainbow tables, unless each hash is salted with a random distinct salt, and if that is the case then these hashes seem pretty useless. So how do tracking providers use these hashes? What other info is sent along with the hash?
> Isn't this it though, the engineers designing the ad targeting system at Facebook is linking the random emails you use as "catch all" to your main identity so you can be targeted specifically even though neither party has full knowledge of the linkage between your catchall email and your main identity email.
If you use the method described in the grandparent, you use a unique email address for every site (e.g. site1@yourdomain.tld, site2@yourdomain.tld, etc). The domain will be the common part, which would be very hard for a company to use because most domains are shared between many separate users.
This is no longer "just a little bit of effort and minimal cost" - most likely no one will use unique emails for every site as well as use private browsing mode permanently in order to avoid cross cookie / cross site contamination via 3rd party (non facebook) tracking. Which is cited as a "feature" - allowing clients to bring their own ad tracking database and integrating that into the FB one in order to make ad targeting more specific.
> This is no longer "just a little bit of effort and minimal cost" - most likely no one will use unique emails for every site
It takes a tiny amount of effort: you set up your domain with a wildcard so all you need to do to create a new email address is to use it. You could send mail to barkingcat@real.domain.for.394549.net right now, and it will be delivered to my inbox with no setup required.
It's also great in case you start spamming me. I don't have to struggle with your unsubscribe links, I can just blacklist all mail sent to barkingcat@real.domain.for.394549.net, and be done with it without any collateral damage.
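The wildcard (catch-all) delivery rule described in the two comments above, as an added example that is not code from the thread: any local part at the owned domain is accepted with no prior setup, and an alias that starts attracting spam can be blocked on its own, so the rest of the aliases keep working. The domain name, inbox and alias names are constructed placeholders.

```python
"""Toy model of a catch-all mail domain with a per-alias blocklist (added
example; domain and aliases below are constructed placeholders)."""

from dataclasses import dataclass, field
from typing import Set, Tuple


@dataclass
class CatchAllDomain:
    domain: str                                  # the wildcard domain we own (assumed)
    inbox: str                                   # where accepted mail is delivered
    blocked: Set[str] = field(default_factory=set)  # aliases we have burned

    def route(self, recipient: str) -> Tuple[str, str]:
        """Decide what to do with a message addressed to `recipient`.

        Returns (action, detail):
          ("deliver", alias)   - accepted; `alias` also tells you which site
                                 was given this address, i.e. who leaked it
          ("reject", alias)    - alias is on the blocklist, nothing else affected
          ("not-ours", domain) - some other domain, not handled here
        """
        if recipient.count("@") != 1:
            return ("reject", "malformed")
        local, domain = recipient.rsplit("@", 1)
        # RFC 5321 allows case-sensitive local parts, but real catch-alls treat
        # them case-insensitively, so normalise before consulting the blocklist.
        local, domain = local.lower(), domain.lower()
        if domain != self.domain:
            return ("not-ours", domain)
        if local in self.blocked:
            return ("reject", local)
        return ("deliver", local)

    def block(self, alias: str) -> None:
        """Burn one alias (e.g. after it starts receiving spam)."""
        self.blocked.add(alias.lower())


if __name__ == "__main__":
    me = CatchAllDomain(domain="example.test", inbox="me@example.test")
    print(me.route("barkingcat@example.test"))   # delivered, no setup needed
    me.block("barkingcat")
    print(me.route("BarkingCat@Example.test"))   # rejected, case-insensitively
    print(me.route("pizzaplace@example.test"))   # other aliases unaffected
```

Because each alias names the site it was handed to, the `deliver` result doubles as a record of which site leaked or sold the address.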
You mean a very small percentage of FB users do this?
The point being as parent comment said it’s not “a little effort and minimal cost”. Figure a $10-15 overhead cost for the domain and maybe $5/month/e-mail account? Effectively to minimize tracking on Facebook one would have to spend a minimum of $70/year?
It doesn’t seem like a great solution...go with a “free product” like Facebook in exchange for allowing them to collect and monetize your data, only to pay to combat their business model? May as well offer a competing service that doesn’t track you, collect/monetize your data and pay say...half the cost of a domain and email.
Sort of like at first people thought paying for cable TV would mean that there would be lots of channels without ads. Didn't happen. Only a few where you get to pay even more for no ads. Now Netflix begins the cycle anew.
It is completely possible to fingerprint a browser and then group all the email accounts used on it and treat them as a single user. When was the last time you lent your device to someone so they could check their email?
>Then use facebook.com@yourdomain.tld and your email address is no longer a cross site unique identifier.
unless sites smarten up and realize facebook@johndoe.com is the same person as pizzaplace@johndoe.com, especially when johndoe.com isn't a "common" email domain like hotmail.com
As someone that has created a facebook account with an unused email without using my name or any information they still recommend my friends, family and interests. Instagram did the same thing with my interests.
There's a lot more going on than linking email addresses.
Most marketing companies don’t share raw email addresses (rather md5/sha1/sha256 hashes of the emails). In that scenario, linking the common domain name is very difficult to near impossible to do currently.
You can do it with Gmail to some extent already. E.g. instead of using myemail@gmail.com I would use myemail+facebook@gmail.com. Gmail ignores anything after the plus. As someone mentioned, marketing companies usually share just the hash of email. The trick is not too popular and I didn't experience a company handling it yet.
A vast majority of companies either don't accept the plus because they are too lazy to implement proper email validation, or they strip the pluses from gmail addresses because they're strictly useless to them.
The "trick" is both popular and commonly made to be moot by programmers. Source: I know programmers at multiple companies that have written production code to strip the +suffix from the username portion of gmail addresses.
Agreed. This isn't done just for ad targeting, either. If a user invokes a GDPR right to be forgotten, it's useful to make sure you've found all the instances of that user's email address in your system regardless of the +additions.
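The two points made above, that tracking providers exchange unsalted md5/sha1/sha256 hashes of email addresses and that production code routinely strips the +suffix from Gmail addresses, can be shown in a few lines. This is an added example, not code from the thread or from any provider; the normalisation rules (lowercase, drop the +suffix and dots for Gmail) and the per-party keys are assumptions for illustration. It also shows the contrast the rainbow-table comment hints at: a keyed hash under a secret that each party holds separately is not joinable across parties, which is exactly why an unsalted hash is used when the goal is matching.

```python
"""Unsalted hashes of email addresses are still cross-site identifiers
(added example; normalisation rules and keys below are assumptions)."""

import hashlib
import hmac


def normalize(email: str) -> str:
    """Canonicalise an address the way a matching pipeline might before hashing.

    Assumed rules: lowercase everything; for gmail.com / googlemail.com drop
    anything after '+' and drop dots in the local part, since Gmail ignores both.
    Other domains are left alone, so site1@yourdomain.tld and
    site2@yourdomain.tld stay distinct.
    """
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def unsalted_id(email: str) -> str:
    """The 'well known' scheme from the thread: plain SHA-256 of the normalised
    address. Deterministic, so every party hashing the same address gets the
    same value and can join records on it."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_id(email: str, party_key: bytes) -> str:
    """Contrast: HMAC-SHA256 under a secret held by one party. Two parties with
    different keys get unrelated values for the same address, so the identifier
    cannot be matched across them without sharing the key."""
    return hmac.new(party_key, normalize(email).encode(), hashlib.sha256).hexdigest()


def linkable_unsalted(a: str, b: str) -> bool:
    """Would two addresses collapse to one identifier under the unsalted scheme?"""
    return unsalted_id(a) == unsalted_id(b)


def linkable_keyed(a: str, key_a: bytes, b: str, key_b: bytes) -> bool:
    """Same question for the keyed scheme, with each side using its own key."""
    return keyed_id(a, key_a) == keyed_id(b, key_b)


if __name__ == "__main__":
    # Constructed sample addresses; the plus-suffix aliases collapse to one id.
    print(linkable_unsalted("Jane.Doe+facebook@gmail.com", "janedoe+pizzaplace@gmail.com"))
    # Aliases on a private catch-all domain do not collapse.
    print(linkable_unsalted("facebook@johndoe.example", "pizzaplace@johndoe.example"))
    # Keyed per party: no join possible unless both use the same key.
    print(linkable_keyed("janedoe@gmail.com", b"party-A-secret",
                         "janedoe@gmail.com", b"party-B-secret"))
```

The takeaway for a defender is that a deterministic, unsalted hash is a pseudonym, not anonymisation: anyone holding the same address computes the same value, and any normalisation the pipeline applies (such as stripping +suffixes) is applied on both sides of the match.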
I've been typically using name+website@domain.tld to distinguish email origins (and leakage). Ironically, I've already set up otherdomain.tld@privacy.domain.tld to hide registrar information, but hadn't thought of using it for day-to-day signups until now.
I think I'll extend the latter (and reduce the required Spam score) before it gets sent to my inbox.
You don't have to but it's the most user-friendly, although flawed, method of enabling 2FA. They could have easily used a software token but that requires non-tech savvy users to download a 3rd party authentication app, as well as understand the basic usage. Why do that when users can simply get a text sent on a method they most likely have?
> Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages
It's also something that people should have expected. I don't understand how people have not noticed that all of the major sites that generate revenue through user profiling and advertising have been pushing hard for users to either be obligated to register using their phone, or to set up a two factor authentication using their phone when it's not necessary for registration.
The reason I say it's something people should have expected is because if people were more critical of the things asked of them, then things like this would never get off the ground. Instead, because people do not seem inclined to naturally believe that corporations might have ulterior motives, such practice has become commonplace and on some sites even mandatory.
> Instead, because people do not seem inclined to naturally believe that corporations might have ulterior motives
People worship at the altar of success, and there aren't many relatively new companies as profitable as FB. That's not to say that these companies don't spend significant coin in pushing their inane message of "we're connecting the world" wherever they can. And mass media for the most part go along with it, mostly focusing on the stock price, rarely bothering to examine how FB makes its money and what tradeoffs that comes with.
There has to be a reason Facebook reminds me 50 times (yes 50 times) a year to put my phone number in for security reasons. That’s extremely unethical tbh and then I can’t recall if this is true because I’ve stopped using Facebook but I’m 80% sure they then filled out my phone number and just wanted me to confirm it.
What's facebook's boiling point? My guess is they'll respond, they'll no longer use 2FA #'s for ads, the damage will have been done, and 99% of the population won't know any of it occurred. We'll repeat this cycle when a fresh revelation occurs months from now, as facebook continues to test how much they can leverage for more ad revenue.
But none of it is actually slowing FB down. Its biggest dip in value came from decelerating growth and spending to make FB more user-friendly, so there's a clear disconnect between shareholder incentives and those of the general populace.
On top of that, most people remain unaware that FB owns both WhatsApp and IG, and while the departures of their top brass have made waves in these circles, it's not a concern for most.
I don't see FB's dominance relenting any time soon, though I wish it would.
A reminder that if you work for Facebook you are fully complicit. Especially if you're an engineer, there should be no shortage of jobs available to you at this time. There is no excuse to work for a company whose sole focus is exploitation of its users.
The problem with this argument - I care about issue X, company C is known to disregard/exploit users with X and so I assume all employees of company C are complicit while I give a free pass to the users who remain ignorant and simply don't care no matter how many times these issues surface.
And where do you stop? Are all doctors working for big pharma related to the opioid crisis complicit? What about people working for firms related to the financial crisis? Engineers working for any company that suffered data breaches due to lax data security? What about engineers working for companies that haven't suffered data breaches yet but might have lax security? Scientists working for certain biotech firms related to GM? Engineers working for car manufacturers that cheated emission norms? Engineers working for telecom/internet service providers that cheat users by throttling/net neutrality etc. etc. etc.
Yes, they’re all complicit, to different degrees. Even the janitors and cooks are complicit when they support unethical enterprises.
If any Facebook engineer suddenly acquired some moral sense, he should spend his time working to sabotage the company from within. Some have walked away; others have walked away and publicly spoken about facebook’s dubious culture.
Whistleblowing would be a good middle-ground here. Also, I don't think sabotage would be as efficient since FB would just restore everything in an instant.
The problem with whistleblowing is that the consequences need to be more direct and actually leave a dent. As it is right now, FB can absorb pretty much any fines they're hit with.
I was offering creative suggestions. What I said wasn’t anything I’d avoid saying in person, nor did I have any ill will toward the commenter I replied to.
No need for “aggression”. The CIA wrote a sabotage manual, which involved things like “forgetting” to lubricate wheels, spending lots of time in meetings which go nowhere, slowing down and getting distracted while working, etc.
I consider all of the energy being spent in the maintenance of facebook to be malicious. If a datacenter caved in because of a structural flaw in the building, then that’s a lot less energy going into supporting facebook. How many datacenters would have to cave in before they wouldn’t be able to recover?
Exactly. When I get recruitment emails from Facebook I like to kindly remind the recruiters that I am not interested in furthering the interests of a company that in my opinion is making the world worse, not better.
Yes, but it’s not about business model, it’s about trust. Both companies, Facebook and Google, built their business models around advertisers and have no other option than to sell your data. But, for some reason, 9 out of 10 engineers that I work with dislike Facebook and don’t trust them. They are willing to share work documents and emails with Google, but not Facebook.
This is an asinine, Deference to authority, nanny state garbage take..
No-one is forced to give all their info to fb. Better yet, no one is forced to use fb.. If you're using these services, and you give all your info to them, that's on you, not engineers just earning a check.
Did you read TFA? It's clear that FB has info on people that they never willingly gave to FB. It's also clear that FB can mine information about people who have never used FB, simply by virtue of their being in the contact list of someone who DOES use FB.
You are absolutely right this calls for nanny state involvement. This is precisely a case where the invisible hand of capitalism is impotent and government regulation is essential.
As someone who has occasionally run experiments with FB adverts for various types of business, I feel its boiling point will be when people and organisations advertising on the platform really start to look deeply into the value for money they are getting on it. I can't tell you the amount of times I've seen organisations throw money at it in return for dubious clicks from markets they never targeted, bot-like users and really poor ROI after advertising with it.
The only type of ad that makes sense to me at all is one that educates someone about a class of problem and that there's at least one product (X) that can be used to solve this problem.
In many cases it would make more sense to focus these efforts on making stores more effective at presenting solutions and grouping related solutions in expected areas to improve the search effectiveness of independent agents that have black box algorithms and are outside of the store's control.
Attempting to modify said black boxes by an inundation of annoyances is ethically wrong to me. (As implied above, when it ceases being educational it's increasingly likely to cross that line, particularly if the campaign is based on gimmicks or repetition to be effective in vulnerable population segments.)
I mean, Facebook tricked advertisers initially into spending 100s of millions into the platform (if not billions?) with their bait and switch of telling advertisers they'd "own" the users that liked their pages - and people still trust them even with that starting point to keep advertising? It's strange to me.
Are you hinting that FB advertisers are throwing 50 billion (expected 2018 revenue) at ads that are poorly performing? Obviously that is not correct, the result of all this detailed targeting is campaigns that are performing very well for experienced marketeers.
FB is making sure you can't calculate the ROI of a campaign. Marketers are putting money in FB because they think this is where they can most accurately target people.
This is demonstrably not true. FB provides better tools than pretty much anyone else to tie sales to advertising (online or off) and to track app install lifetime advertising revenue generated over time. The human data and walled garden of tracking they have are hugely valuable in proving ROI.
- not all people buying FB ads are experienced marketers
- companies throw tons of money at ineffective ads, that should be obvious…
- we have no idea what the ratio of "successful" to unsuccessful campaigns is
- even if that ratio is negative, Facebook is still one of the only remaining "games" in town, so people _will_ continue throwing money at it. “Least worst” is a fine and lucrative place to be in.
- can we just get over this idea of rational economies, by the way
- marketing is less of a science than a craft, and all the implications thereof
I'm in ad tech, and believe me: FB advertising works. The vast majority of their ad revenue is coming from experienced ad buyers that are spending immense amounts on direct response campaigns, not branding.
If you want to see how things work, start a small ad campaign yourself of FB. It's all about ROI, attribution, cost per action, super detailed targeting, etc. It's the opposite of "throwing money at it hoping that it'll work", unlike offline advertising or even traditional display ads.
Exactly like this article states. You can give Facebook a list of phone numbers or email addresses and it will put your ad in front of only those people. Does anyone know how small a list you can target? List of one? List of one plus N number of dead email addresses? Therefore a list of one, but more expensive?
> The smallest audience you can upload is an audience size of 30 people. Also, this audience size needs to be 30 people which Facebook can identify and find. So, if you upload an email list of 30 and Facebook can match only 20 of those email addresses to Facebook profiles then it will reject your list, so in most cases you need to upload a list of about 60 people. You then need to ensure you upload a list of only females or males which includes the one email address of the person you are targeting (the opposite to the one person that you are targeting). Lastly you need to choose the gender in the demographic filtering which matches the intended target. Here’s a step by step example below
Informative article, mostly about how amoral this salesman is. I wonder if most people in sales think this way. Maybe the article was created solely as an ad for the author's company and the content is all lies. I'd have no way to know without trying it myself, and a fake article would be in complete alignment with the author's value system.
> can we just get over this idea of rational economies, by the way
This is key and undermines a lot of rational arguments. People buying ads aren't reading HN and then making a buying decision based on the general vibe they get there. They'll buy based on budget. Budget is based on decisions made in a meeting a year or two before. Those decisions will be based on a strategy. For many that strategy is to the tune of 'I keep hearing about this social media thing that's supposed to be the future. I notice we aren't spending anything in digital. We need to buy more digital'.
If public opinion sours on Facebook it may be a while before we see a significant drop in revenues.
- marketing companies they ask to run Facebook campaigns for you may be as clueless as they are
Source: I used to work for one (we had separate development and social media marketing departments). People doing marketing had no clue about statistics, they just shoved random whale graphs from Facebook's fanpage panel into a word document and wrote narratives that suggested everything is peachy. Customers read those reports, and since they had no way or skill of reevaluating the results on their end, they were happy and willing to pay. I'm not even assuming malicious intent on the part of the provider - just general cluelessness.
I'm increasingly convinced a lot of marketing on the Internet looks that way. Neither party understands the real meaning of the results, but as long as the buyer is happy, money keeps flowing.
People have been doing this for years on Google's platform and the behaviors still haven't changed (I have a lot of hands-on experience with $100k+ annual ad spend budgets that are atrocious), so I disagree. People set it and forget it (mainly to ad ops agencies who charge 10%), because they don't know any different as long as sales keep coming in.
Buying digital advertising is a big part of my job. I find the exact opposite to be true. FB provides high quality, low fraud. Especially compared to anything that's not Google/FB.
When we advertise to raise money (for politicians) that provides a direct provable ROI and I can tell you nothing else has come close. Seems that is true for many corporations as well; just look at FB's growing revenue. FB provides the tools to measure either a sale or the value of an app install over time; the increased spend is proof of quality/value, so clearly many others have also found success. I wonder who/what/how your campaigns didn't provide value?
From that egoistically lawless point of view, they will do better on each privacy violation that gets reported, as it signals a better return for the investment of advertisers.
My problem is how easy it is to "fake" advertising. As in I go to a website, browse and buy, then I get ads after about said product. Is that counted as evidence of a successful ad sale?
FB is now running its own branding ads in out of home media [1], which is a signal they've done the cost/benefit analysis internally and are now losing enough user trust to justify this brand spend.
Also, FB MAUs and DAUs are stalled [2], meaning users are becoming less interested in the blue website.
If anything, FB is closer to a 'boiling point' now than ever in the past.
Definitely worth noting, but I think they felt pressured to respond because the election meddling made enough waves with the gen pop to warrant a message. I don’t see it having a lasting impact.
The MAUs and DAUs are more interesting, especially since younger people seem to be avoiding it entirely (although many are flocking to IG, so again, no loss for FB).
> most people remain unaware that FB owns both WhatsApp and IG
I am not surprised. If you let Google autocomplete the search "is facebook o" for you, you'll find these autocomplete results in order:
1. is facebook owned by google
2. is facebook on roku
3. is facebook over
4. is facebook offline
5. is facebook overvalued
...
10. is facebook on its way out
Seriously, people? "Is Facebook owned by Google?". AFAIK most people have no idea what goes on with tech companies and they have no idea how much power they have and how they work with your data, or what personal data is even comprised of.
TBH, people don't really care about who owns what. We know it because it's our domain of expertise, but, for instance, I couldn't tell you if Uncle Ben's rice is owned by Nestlé, Unilever, Kraft Foods, Mars, Coca-Cola or some other food brand. Yet I eat rice several times a week.
I think platforms like Facebook depend on being "cool" over some demographic. Then other demographics adopt it, time passes, other demographics grow tired of the same old Facebook look their parents also used, and Facebook starts to die. We've seen this as well with other social networks like hi5, myspace, that once dominated entire continents as the preferred social website. Of course they are smart and competent people so they will try to prevent it, and it seems to have lasted longer and left a bigger mark already, but still; I'm sure a lot of people around the world already share the sentiment of "not doing anything on FB", and just keeping it open for messenger chat.
It is an anti-network effect. The early adopters are cool, the late adopters are not. In Facebook's case, the early adopters are now old people posting photos of their children. The users aged to irrelevance.
There definitely was a big difference between MySpace and the other social networks. Facebook ran well and worked. People forget the total shit show MySpace was in the middle of 2008. The site ran terribly, was getting hammered by spammers, and they started covering it in banner ads. We didn't see a repeat of those problems with Instagram or Snapchat.
There is a coolness factor. It isn't as defined as fashion, or the latest hot nightclub, but it is there. That alone won't be enough to make the "next" Facebook, but I think it is the foot that gets stuck in the door.
Facebook might be able to acquire the next challenger in the US, but they will definitely fail to get it by EU regulators.
They're both network effects. The difference is that the relative value per node, to other nodes has changed. Disaster hits when the high-value nodes leave.
Networks are driven by positive feedback both going up and down. This sounds good, but isn't: the system and balance points are inherently unstable. Nothing succeeds like success, or fails like failure.
This is why acquisitions such as IG and WhatsApp are crucial. If they purchase the next cool thing, they never really go out of fashion.
FB has gone from throwing sheep at your friends to this. I don't think they are stopping anytime soon
> This is why acquisitions such as IG and WhatsApp are crucial. If they purchase the next cool thing, they never really go out of fashion. FB has gone from throwing sheep at your friends to this. I don't think they are stopping anytime soon
But it does mean that an even somewhat diligent antitrust enforcement could strangle them to death. They shouldn't be allowed to acquire their future competitors. If the US won't stop them, maybe European regulators can?
I see what you mean, but I'm under the impression that Facebook is not "your father's social network" in that it's not even comparable to what MySpace was, neither in numbers nor in qualities.
What I mean is that we are comparing two different beasts, so I'm not sure "it happened to MySpace" is a good telltale sign of what will eventually happen to Facebook.
Not to mention the growing number of people who only use a mobile phone as their gateway to internet services (along with all of the personal info to be gleaned from them) and who spend the vast majority of their time on the web using Facebook.
I've seen this a lot more in countries where internet access wasn't too common until the past 5-10 years and people didn't start out with a less centralized web before apps and closed networks gained popularity.
My partner isn't from the US originally and when I mention how obnoxious it is that Facebook is like the new AOL and I thought we were past this, she reminds me that it's all anyone back home uses for anything and they didn't have internet access back then.
To her and her friends/family back home, the internet basically is Facebook (and occasionally being forced to open their browser app to search for something if they don't just ask around on Facebook). A handful of other apps and defaults define the internet for them and anything else just sounds like too much hassle.
I wonder too if there is a boiling point with the mechanisms at play. Google was a "do no evil" company, and yet there was maybe a small earthquake within the company regarding the news coming to light they're making a censorship-friendly version of their search.
I take everything Facebook has done that caused any level of public outcry as a guide book to design a better platform, likewise with Google. And I won't dive into the history or foundation of Facebook, however it's not surprising their path would lead to problems - and at indirect cost to society.
Which is a bit of a mug's game, as most investors are explicitly about profits. Externalities be damned.
I would much rather see industries self-regulate. But I have big concerns about industries where people are mainly the product, not the customer. I think it breaks the key feedback loop that makes most self-regulation work: irritable users/customers.
For me America's best backup to irritable customers has always been class action suits. It allows aggrieved customers to band together and force accountability where otherwise individual harm would be too small to justify the costs of a lawsuit. But mandatory arbitration is breaking that too, and anyway doesn't work as well when users aren't customers.
So if we don't have user-fueled self-regulation, and we don't have class action, then I'm not sure what we can do short of government regulation. It's a last resort for me, but nothing else seems to have worked on Facebook.
It may be in decline, but like a ship slowing down from light speed, it will take years before there's any significant change in the social media landscape. They have a very long time-frame of opportunity to turn their ship around, and it wouldn't surprise me if they do.
A good real world example is Disney. Disney has been almost broke a few times over its lifetime, yet currently it's so huge that people believe it will never fail again.
Facebook have so much money in the bank, that the moment their primary model is no longer viable, they'll just go to market and buy up the next hot thing, and switch their focus there. They are like an unstoppable pandemic virus in this aspect.
In dystopian sci-fi novels and films, there is commonly the concept of 'The Company' who see-all, and control-all. It used to be that we'd predict it would be IBM, or Microsoft who would be 'The Company', more recently we'd say it would be Google. Currently however, it's more likely to be Facebook.
> It used to be that we'd predict it would be IBM, or Microsoft who would be 'The Company', more recently we'd say it would be Google. Currently however, it's more likely to be Facebook.
This is exactly why we shouldn’t worry about it. The company that we think is going to rule the world forever changes every ten years.
FB seems to be the favorite punching bag for HN, probably because it’s full of people who have tried to set up 600 different startups and raised exactly $0 where as Zuckerberg made more money than all the people here combined in 100 years.
"Give me as much service as you can while keeping me as far off the grid as possible" is a skill that is sorely lacking in this market. I don't have this problem with weed dealers, but I have this problem with information dealers. Internet companies could seriously learn a thing or two from the black market on how you treat your customers.
Does your weed dealer provide the service for free? If you want to be treated as a $$$ paying customer start paying. Problem with social networks and $$$ is that network effects will not come into effect as not everyone will be willing to pay.
There are actually ethical information dealers but they require you to pay them as you are paying your weed dealer.
I think that if it's possible to define a way of operating businesses in a way that doesn't harvest data in a way that's nonessential to the services, then there should be a law requiring this option: to pay out of your pocket directly the amount of revenue the company would have expected to make, in exchange for the company not doing this data collection. But it seems difficult to get to such a definition. I think this law would be very popular.
Oh, I forgot an important detail. I should have added another aim I would want is that as a result of paying this money, you wouldn't receive any advertisements from the service.
We're trying to build the idea of "paid for storage" that doesn't look at your stuff, but getting people to pay for a service that others provide with advertising for free is hard.
Any company being truthful about what their customers want can't be tracking them 24-7 and sifting everything they type. Almost no-one wants that level of invasiveness. We just put up with it because there are no real (easy) alternatives or aren't aware.
But does GDPR really allow this business model at all? A website cannot as per GDPR say "accept tracking or we refuse service", if tracking is not necessary to provide the service. Can they say "pay or accept tracking or we refuse service"?
That's exactly what The Washington Post does. They have a free option where "You consent to the use of cookies and tracking by us and third parties to provide you with personalized ads" and a "Premium EU Ad-Free Subscription" with "No on-site advertising or third-party ad tracking".
I'd whitelist a true advertiser who ditches tracking entirely and focuses more on advertising content relevant to the page it's going on instead. Chances are if I'm looking at some Python programming page or server setup tutorial I'd be more inclined to click on ads relevant to the page as opposed to a creepy ad of something vague as heck that I looked up on Amazon 5 years ago that Amazon really wants to sell, or whatever.
I really would love to see advertisement companies that are less focused on tracking and more focused on ad placement that's relevant to the content it's going on, and hey sometimes there's no relevant ads for content and that's cool too, but at least show anything generic or close enough at that point. Also advertisers who don't do pop ups or annoying ads (that I swear could cause epilepsy on some users) are also good stewards of the online billboard market.
I'd be fine with "visitor count" type of "tracking" as long as it's just that, as far as how many per country / region. No following users around the web, aka no cookies needed. Then you could have a page for advertisers to choose sites to advertise directly on for themselves.
I'd happily attempt a startup/side-project that offers an API for non-tracking advertisements, but I don't think there's space in the market. It'd be very difficult to compete with the existing incumbent advertisers.
minor correction: creepy ads for the things i already purchased two weeks ago. brilliant use of ad targeting spend by companies i already gave my money to
So if I pay GM for a car they won't data-mine me? Just yesterday on HN we learned that this is not the case. Why do you think companies wont take your money and then proceed to sell your data anyway?
I'm probably wrong but I feel like there's a market for an ethical advertiser that does no tracking and placed ads by content only. is that impossible? it was reality until the 90s
I mean, I've paid both Comcast and Verizon a lot of money for internet access, and they both have done awful, privacy-shattering things while I've paid them. (Subverting DNS, X-UIDH header, etc).
Once there's money on the table, companies are going to take it and assume the number of customers who walk away aren't enough to offset the profits.
Of course, but I can guarantee Facebook has run the numbers. They are currently doing what makes them the most money. That happens to be ads.
The user data they sell to advertisers has a lot to do with your social network. Who you know, what their interests are, who they know, etc.
For Facebook to allow individuals to pay to opt out of their data being sold, it affects more than just that individual's data. I.e. it affects all their friends and friends-of-friends data.
I expect that the only way Facebook would be able to offer a pay-to-opt-out plan would be for everyone on Facebook to start doing it, which would never work and they would never attempt.
I imagine the most we'll see in this direction is some sort of half-assed attempt where they offer to let you pay them money to stop some tracking, but still continue to do most of it anyway.
That battle has already been lost; between a complete lack of at least semi-anonymous banking (i.e. GNU's Taler, well, see notes), ad behemoths, "credit" companies (Experian, etc), and all sorts of proprietary social platforms having a majority of the market roped in: there's a shadow profile in one sense or another for everyone short of the crazy cabin in the wilderness types.
A focus on consumer rights, protections, and building difficult-to-defraud and difficult-to-exploit consumer systems is where effort needs to be spent.
* GNU Taler - A digital cash / micro-transaction system that hopes to be auditable for tax and other legal reasons while still being anonymous for consumers.
Please read about privacy, verifiable in the right ways, and the "operational in 2018" claim
Another personal observation. I have an Instagram account that I thought was fully incognito. I never connected it to any other social account, I used a separate email for authentication etc. Just days after the Instagram founders left Facebook I started receiving friend suggestions on my IG that were very very relevant. Those were people I knew in real life and mostly connected via Facebook but not only. I shouldn't be surprised as being connected to the Internet by itself is an end to your privacy but still, this was probably the spookiest invasion into my privacy so far. Bye-bye Instagram.
This happened to me after Facebook acquired Instagram.
I had my mobile number in my Instagram profile. Instagram cross-referenced my mobile with my Whatsapp contact list (I haven't given Instagram access to my iPhone contacts).
I suddenly got suggestions to follow my colleagues on Insta. Colleagues with whom I interact only on Whatsapp.
Since then my trust level in Instagram,Facebook & Whatsapp has gone into negative.
When I was in another country on a business trip I bought a temporary local SIM, originally valid for two weeks but I've kept it active as I travel there often.
I used that foreign number to create my Instagram account and I've gotten the benefit of only being shown suggested accounts from locals from that country (zero people I know). Same goes for ads as well. Currently I keep it on roaming and actually use it to verify other online services that may stubbornly require SMS.
Might be worth a try for those of you looking to pseudo-opt-out of phone number tracking & recommendations on social media services that do this, if you can get your hands on one.
Just as a warning to anyone who might try this, it won't work. (At least not without a massive amount of opsec effort expended on your side.)
I'll give you an example of why it might not work. Since your phone has roaming, you happen to have it with you at work, or at a party, or at the library, or anywhere really. If even a single acquaintance of yours is "nearby", the information is leaked. If acquaintances seem to always be "nearby", children, wives, husbands, siblings, your info is DEFINITELY leaked.
If anyone is going to try to use this strategy for anything which might result in the loss of your livelihood, (eg - porn), please realize there are many, many, many more precautions you will have to take than are listed in oedfmarap's comment. If you just do what you see in that comment, you could find yourself without a job somewhere down the line.
While one would think that this is only important for things you're doing that you don't want the government to know about (see [1] page 52 for details on how not to mess this up -- basically don't have them turned on together, don't turn one off and turn the other on in the same place, or log in to the same sites or store the same numbers on both phones), it's also important for Facebook and other private tracking. If you have Facebook on your burner phone and your friends have Facebook on their phones with location enabled, it's over [2].
This is absolutely true, when I moved to London a few years ago, I rented a room in a house with 3 other housemates I had never met.
Within 1-2 days, Facebook recommended one of them as a friend - bear in mind I hadn't added any of them to Fb, so all it could have used was our location...
I believe they used Wifi BSSID tracking for that, GPS would be too battery heavy. If you're connected to the same Wifi networks it can reasonably assume you're in the same vicinity.
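The comments above speculate that shared wifi (BSSID) or IP sightings are enough to link two accounts, and the warning further up is that a roaming burner phone carried next to your main phone leaks the same way. What follows is an added illustration of that co-presence logic, written for this page; it is not Facebook's code, and Facebook's real signals and thresholds are unknown. It assumes a constructed observation log of (timestamp, account, network identifier), a 10-minute window and a two-sighting threshold, all of which are arbitrary choices for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed observations for the example, not real data. Each line:
# ISO timestamp, account, network identifier (a BSSID here; a public IP
# or cell ID would work the same way). "burner_7" is an account created
# with a foreign SIM but carried on the same phone as "alice".
SAMPLE_LOG = """\
2018-09-27T19:02:11,alice,aa:bb:cc:dd:ee:01
2018-09-27T19:03:40,burner_7,aa:bb:cc:dd:ee:01
2018-09-27T22:15:00,carol,aa:bb:cc:dd:ee:02
2018-09-28T08:30:05,alice,aa:bb:cc:dd:ee:03
2018-09-28T08:31:12,burner_7,aa:bb:cc:dd:ee:03
2018-09-28T12:00:00,dave,aa:bb:cc:dd:ee:01
"""


def parse_log(text):
    """Parse 'timestamp,account,network' lines into (datetime, str, str)."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, network = line.split(",")
        rows.append((datetime.fromisoformat(ts), account, network))
    return rows


def co_presence(rows, window=timedelta(minutes=10)):
    """Count, per unordered account pair, how often both were seen on the
    same network within `window` of each other. The same network many
    hours apart (dave on the first BSSID next day) is not counted, which
    is what keeps strangers who merely shared a restaurant's wifi out."""
    by_network = defaultdict(list)
    for ts, account, network in rows:
        by_network[network].append((ts, account))
    hits = defaultdict(int)
    for sightings in by_network.values():
        sightings.sort()  # chronological, so t2 >= t1 below
        for (t1, a1), (t2, a2) in combinations(sightings, 2):
            if a1 != a2 and t2 - t1 <= window:
                hits[tuple(sorted((a1, a2)))] += 1
    return dict(hits)


def suggest(rows, account, min_hits=2, window=timedelta(minutes=10)):
    """Accounts to recommend to `account`: co-present at least `min_hits`
    times. A burner carried next to the main phone trips this after a
    couple of days even though the two accounts share no phone number,
    email address or contact list."""
    out = []
    for (a, b), n in co_presence(rows, window).items():
        if n < min_hits:
            continue
        if a == account:
            out.append(b)
        elif b == account:
            out.append(a)
    return sorted(out)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(co_presence(rows))          # {('alice', 'burner_7'): 2}
    print(suggest(rows, "burner_7"))  # ['alice']
```

Nothing in the log ties `burner_7` to `alice` except being on the same two networks a minute apart on two different days; that is the whole leak. Lengthening the window or lowering the threshold trades false positives (the restaurant case) for recall.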
It's possible Facebook uses location data for this, but I've got alternate theories.
This happens to me often too, with much briefer encounters: mainly dates and meetups. Since I've shared similar amounts of time at the same restaurant with hundreds or thousands of people with whom I had no interaction, many of whose arrival and departure times would happen by chance to line up with mine, they must be using something else. I also share a duplex house and an office building with people who've never been inexplicably recommended on Facebook.
From these observations, I've come to think that location data has to play a very small role in Facebook's recommendation system.
Here's my best (but untested) theory to explain this: Your house-mate searched for you on Facebook, which triggered Facebook to think you might be friends.
I had watched it many many years ago, and I suddenly remembered it while at my friend's apartment (which is in the same building). Now I searched it up on my friend's computer, which was logged into his gmail account. We watched it and laughed. However, an hour later, I was on my iPhone at home when it appeared in my related videos.
Definitely location tracking of some sort. IP, location data from the browser (if allowed), and scraping photo metadata can all lead to them associating people.
It's your computer which stores cookie and localStorage data to the local storage. It's your computer which executes the JavaScript program to retrieve that data.
I did of course, how could I not access both from the same IP. The bottom line is: a property owner is a property owner even if it comes to separate domain names.
Well, Instagram and FB being 2 separate domains, they shouldn't (in theory at least) be able to access each other's cookies in the browser. The tracking is most likely still server-side based.
Based on what the OP is writing, the unique identifier for the user can even be the IP address...
They shouldn't be able to access each other's cookies at the browser's level, but instagram.com might include third-party javascript code from facebook.com, which connects the two accounts in the system.
This is a perfect example of the need for physical compartmentation. Separate devices never connected through the same internet service. As far as devices go, to think you have separated “anything” on only one device, you’re living in fantasyland.
Statements like this make me want to learn phone OS development just so I can have a better understanding on what information an app can get from the OS. Honest question, why would an app ever need to know the SSID of a wireless network? The app should only care if there is a valid network connection, and then use it. I can see being able to know if it is wifi vs cellular so they can have the option to limit large downloads to wifi only. However, the SSID would not be necessary information for the app.
An example would be an app for associating a device without a screen on to a wireless network. Think IoT devices or Alexa. Saves the user from having to type in the SSID which is a pain.
IP address commonality is probably a major part of this, so using separate devices only helps if they are on different carriers and you never use wifi AND you don't allow location services or practically any other permissions.
With a single device, it's fairly reliable to use a vpn or multiple vpn providers and only log in to each account when connected to a given vpn.
The reason I never give fb my mobile is if you use a pseudonym account, it will suggest your profile as a friend to anyone who has your mobile in their phone contact list (eg ex-partners, stalkers, employers, drug dealers). Found that one out the hard way.
I know Zuck wants me to preemptively upload my nudes, but still.
This is basically how FBI Director Comey's secret Instagram account (and thus Twitter account) was unmasked. But it was even worse - you are suggested to 3rd party people who just follow the people who know you: https://gizmodo.com/this-is-almost-certainly-james-comey-s-t...
Yep, something similar I discovered recently that if you sign up to Instagram with somebody's email that they use on Facebook then within a day or two you'll start to see all of their friends from Facebook whom are also on Instagram in your recommended follows. All of this happens without email verification..
Yep, I have a relatively common name and @gmail.com address. Last week, some guy with my name signed up for Instagram with my email address and started posting without ever verifying his email.
I reset his password and tried to close the account after he kept trying to access it by resetting his password again. Instagram support asked me to send a clear photo of myself holding up some random number to prove it was me. Nope lol.
I've only ever seen a "report not mine" function from Google. Where else have you seen it? I am not on FB/LinkedIn/most similar ones, so I may be missing examples.
Lucky you already have your account. These days you can sign up for one without a phone number, but then you flat-out can't sign in without giving one.
TIP which I discovered by accident: create a bogus account with your phone number.
Facebook will remove the phone number from your account when you do that. You can also use that to check which of your friends gave FB your phone number.
Yes. Especially ones with broad arbitration clauses, and double especially ones where your access to the courts is determined by whether you opt out within a short time period after agreeing to them.
These are frighteningly common, typically enforceable in the US even for consumers, and typically enforceable in most countries for even small business customers (though rarely for consumers in much of Canada and Europe if the vendor has enough ties to the area for local consumer protection law to apply and you win the race to the courthouse).
I recently interviewed at Facebook (didn't pass the in-person) and one thing I was looking for was a job that WASN'T based on ads. I didn't want to come across negative so I was circumspect in my asking ("Tell me about the positions at Facebook that I as an outsider don't know about - I know ads, messaging, and events"). I wasn't really excited by the answers I got - ads seemed worked into everything they brought up, but the answers weren't super-nefarious either. This was the Seattle office, which apparently has a strong ads basis. Because they hire people and then (allegedly) let them pick from available team openings (after a "bootcamp" to do onboarding), I simultaneously felt like I'd have a chance to avoid the worst but also couldn't be sure of what I was committing to.
I didn't pass the interview and the few weeks since have tried very hard to make me not regret that by raising issues like this one, despite my natural tendency to give FB the benefit of the doubt and to recognize the difficulty of moderating speech sanely.
I've never had such uncertainty about what a job would involve before - the "you find your match" sounded good initially, but in retrospect I'm wondering if I dodged a bullet - so hard to know.
I find it interesting that you would absolve yourself for working for Facebook just because you wouldn't be working directly on ads. Facebook is an ad company with services attached (a fairly reprehensible one in my opinion). If you work for them, you are helping them achieve their goals, which ultimately is about serving people ads, it doesn't matter what particular role you are doing there.
"absolve" is not the correct term (I think) - I don't find ads particularly offensive, I just don't ENJOY them, and I was looking for a job I'd enjoy and enjoy telling people about. I'm perfectly fine with ads existing, though I'm supportive of being able to buy my way out of them. (You can raise issues about ads being inherently deceptive and manipulative, and I wouldn't say you're wrong, but I've not taken a position against them...yet)
That facebook is doing bad things because ads are their only real source of income is a problem because of the bad things, not the ads. At the time the primary concern was "what should facebook be doing about de facto empowering hate speech and (actual) fake news?" and that's a tricky problem that I don't think has a resolved answer, and I sympathize with those that empower communication and only later realize people have more desire to trash things than apply rational caution. Since then much more has come out about some FB practices (and Google), and the question of whether ads-as-your-primary-revenue-source is too much incentive to be "evil" is being implicitly raised, but is likewise not yet resolved.
That said, I do think there are lines to draw and lines not worth drawing. There's very few jobs that don't end up supporting bad things. I don't think it's right to pretend that if you aren't doing it directly that you AREN'T supporting such things...but I also think it's sometimes unrealistic to make your situation worse to deny an indirect support. Deciding where that line lives is an individual decision, and one I have to regularly re-evaluate. To expand my point in the previous post, the news coming out about FB practices definitely made me feel like I'd have been uncomfortable even if I wasn't working directly in ads.
> They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks.
I have always been suspicious of the aggressive "give us your phone number to secure your account" campaigns that so many sites/apps are running. And I think this is a HUGE disservice to users.
At first I was like, cool, companies are being responsible and encouraging good security practices, good on them. But there was something a touch too.. aggressive and "marketing-y" about it. It raised my spidey sense. Maybe the form and frequency and placement of them just was too familiar to previous campaigns to grab your email for "opt in" spam.
All of these companies should be shamed to high hell. Getting people to adopt 2FA is so important and here they are shamelessly exploiting it to market to you for undisclosed purposes.. well, buried in the privacy policy, but you know how that goes. The prompt is 100% about securing your account and nothing mentioned there about using it for targeting.
Seriously F these companies for breaking user trust.
I am becoming anxious to see some action out of the DOJ Anti-Trust division against Google, Facebook, and Amazon, etc. These tech behemoths effectively own most of the consumer internet and they use their muscle to either acquire or force out the majority of other players. More regulation is not going to cut it (or else it would have already).
In America (and most places), law normally lags quite a bit behind the events of the day. Standard Oil destroyed markets unchecked for several decades in the 1800s. No individual or company could withstand their market power. Then the government divided it into dozens of vertically integrated companies, which allowed for a wave of new market entrants, better deals for consumers, and higher standards of living for more people.
We are obviously at that breaking point now with the tech behemoths and their sprawling, impregnable market power. It is time for antitrust action against Facebook and the gang.
I think we need proper privacy measures, since the misuse of data is not necessarily an "antitrust issue". For instance, would breaking up Facebook really mean that the newly formed constituents respected privacy? And would antitrust enforcement against Google or Facebook reduce privacy exploitation by smaller entities?
I'd argue that it would not -- 1,000 small Facebooks could still violate privacy. Creating privacy legislation is the only real way to achieve proper privacy guarantees.
While I share the sentiment, I think I should be fair to HN: according to a quick search I've just performed, I brought up the topic 4 times in comments over 3 years, and those comments have scores of 7, -4, 16, and 3 [1][2][3][4]. So saying that I was "hushed and called tinfoil" would not be fair to HN.
People still do that when you point out that using a phone number as a required identifier (WhatsApp, Signal, etc.) gives every 'free' service a near perfect unique identifier that's the same for all services used by that person. Ideal for cross-service collation.
Who wants a social security number when you've got someone's phone number?
I talked with the lead engineers from a company back in 2014, that shall remain nameless, that bought private profile data from Facebook, ran it through a bunch of algorithmic mumbo jumbo, and sold the aggregated data to marketing firms. They acted like this was really cool and awesome, much like the wide-eyed cultists. It was very creepy, and I backed away slowly even though this place was looking for more engineers.
This kind of thing has been going on forever, and I've told people this. 99% of people don't actually care, though.
Are you sure the "private profile data" wasn't aggregated before it was sold? Either way, selling private data is not something Facebook is actually known to do much (outside of misunderstandings by confused activists/journalists). If you contact me (info in profile) I'm very curious to understand more.
Maybe they bought it from someone violating the terms of setting up a Facebook app? I can't stress that this shit's illegal but I also can't stress how the Cambridge Analytica scandal showed that Facebook had almost no way of regulating this.
You can personally decide not to use Facebook, which is good. But you can't convince everybody to do that. So if you or your family members do use Facebook, at least install an ad blocker for all of them.
Not for privacy, but to deny them revenue. I block Google ads on every single site I visit, period. I don't care if the advertising is non-obtrusive. If it's being run through Google, part of that revenue is going to fuel Google's tracking. I support creators directly instead. And if creators refuse to give me a way to support them, that's not an excuse to expect me to contribute to Google's bottom line.
Huge props to the people who are working on blocking trackers and protecting privacy. I'm very glad they exist, and I don't think their efforts are worthless. But, it is currently a losing battle to fight these companies on the privacy front, because the tracking model is so profitable that they will always be pushing more resources into it than we are. Collectively, the people fighting for privacy don't have enough resources to win.
But there's an easy, completely legal solution to that problem; the one thing companies haven't figured out how to get around is ad blocking. And a good ad blocker will block even native ads. For a company like Facebook, all of this boils down to getting you to click on ads. If enough people target that chokepoint, then the advertisers will start pulling out of the system, and there'll be less financial incentive for these companies to undermine people's security and privacy.
And we have evidence that this works. Even Google, which is the powerhouse for getting their ads to actually show up, is starting to devote more resources into trying to figure out how to stop mainstream people from installing adblockers. That's where all the autoplay stuff came from, that's where the acceptable ads initiative came from. They desperately want your roommate to say, "I'm not going to mess around with these weird Chrome extensions or whatever, that's too complicated. Chrome blocks this stuff itself, anyway."
Install adblock on every browser you get access to, tell ordinary people who aren't on HN to use it, and let the advertising industry kill itself. Make it very obvious to companies that buying ads on Facebook is a complete waste of time because even non-technical users just won't see them.
Yep. And I don't know a way to get around shadow profiles.
We should try to find one. I fully support the privacy fixes people are proposing. I think that's really important. But it's pretty obvious that Facebook is winning right now.
However, the only thing that Facebook cares about is getting you to click on an ad. So even if you can't stop Facebook from getting a shadow profile on you, at least you can make that profile worthless by blocking ads literally everywhere that Facebook can think to display them to you, for you and your family/friends.
And you can be public about it to ensure that when Facebook goes to companies and says, "we have all this data for your next campaign", somebody in the sales-pitch meeting raises their hand and says, "yeah, but nobody looks at your ads."
The standard official Facebook response to this is that you do not own your "shadow profile" since it's a profile made out of data gathered from other people and companies, and thus they can not let you control it. In other words "it is not your data".
I doubt that holds in court, but as mentioned in the article, there are people in the EU who for months have tried to get Facebook to provide the shadow profile data on GDPR grounds, and Facebook has yet to allow it.
It seems like Facebook can afford to stall, they've got more knowledge and power than a single EU citizen can have, so I'm sure they know what they're doing.
----
To be honest, I think Facebook is in breach of _multiple_ GDPR articles _simultaneously_ here, which is quite a feat in itself.
They're in breach of:
- Privacy by Design (a.k.a. Privacy by Default)
- Right to Access
- Right to Be Forgotten (which is older than GDPR..?)
- Data Portability
Then again, Facebook is not alone. I'm pretty sure there are very, very few companies on the web that are not in breach of GDPR at least in spirit, if not in letter.
There's a zero chance that holds in court. If it were possible to have a negative chance it would have a negative chance of holding in court.
Data protection does not in any way relate to "ownership" of data.
If the data are personal data then you are forbidden from processing that data unless you have one of seven lawful bases enumerated in the GDPR, and where the data are sensitive then those bases are reduced further.
So this is an interesting scenario that I've seen people bring up before, but I've never been completely clear on the answer. Let's say I'm using an online virtual assistant with auto-replies and stuff like that, and I upload your contact information and phone number so it can help me manage my schedule/emails/etc...
Under GDPR, the company I just gave that information to doesn't have your permission. So, let's say that later on, you go to the company and say, "hey, delete any information about me." For them to comply, they can't keep on syncing your contact information in my address book, right?
I guess, how does GDPR handle a situation where a separate customer is going to Facebook and saying, "hey, let me put in that I'm X's cousin"? Should Facebook block that person from specifying the relationship in the UI? Or would that just fall under "essential for business"?
That doesn't make a difference. GDPR doesn't talk about data ownership it talks about data on persons. If it's data about me it's not allowed to hold it if there is no otherwise relationship.
You gave me an idea for a weekend project. Posting here in case I change my mind and slack on something else.
Instead of deleting Facebook (or not having it), create a shell profile, just enough for your family to pointlessly add. Then subscribe the account to a service (aka The Idea) that simply posts a once-a-month post on how to install ad blockers and such.
As an FB Marketing API developer, this has been available for several years. The way it works, advertisers can send their phone list to FB for ad targeting. However, phone hashes are sent, not clear ones.
Personally, as long as the user has an opt-out and opt-in options, I don’t think ad targeting is necessarily an unethical pattern, the blurring lines of ads and recommendations would be actually a pattern that users might like. Would you rather use Netflix or Spotify without recommendation engine?
Thanks for the info - didn't think of this angle (i.e. advertising sending a list of numbers to target, and facebook tying that to their cookie ID they have on you). There I was wondering how this works in a browser since browsers don't know your phones number (right?).
> Would you rather use Netflix or Spotify without recommendation engine?
100% yes.
Personally for me the term "personalisation" is becoming a dirty word and I am becoming uneasy when I hear it mentioned in design docs and product launches etc. I don't want to see what some algorithm thinks I want to see. Instead I would prefer to see the real, unfiltered, unfettered data. I think the whole Fake News outcry started me thinking about it in a more deep way.
Imagine if you went into a fancy restaurant for some special occasion and the waiter took a look at you as you walked in and brought you a "special" menu based on some decision they made silently in their own head about what they think you want. Rightly you'd want to see the full menu and not just what they think you want to see. Sure I'd welcome them pointing out some highlights on the menu, but I'd appreciate seeing the whole thing before making up my own mind.
As a result now I use DuckDuckGo exclusively and have Firefox set up with Google Container[1] to keep the Google cookies separate from everything else (I don't use facebook at all so their cookies are entirely blocked as 3rd party) as well as the usual uBlock Origin, privacy badger et al. I am even toying with the idea of moving away from my gmail that I've been using since 2004/05.
> Personally for me the term "personalisation" is becoming a dirty word and I am becoming uneasy when I hear it mentioned in design docs and product launches etc. I don't want to see what some algorithm thinks I want to see. Instead I would prefer to see the real, unfiltered, unfettered data. I think the whole Fake News outcry started me thinking about it in a more deep way.
That's also a corruption of the meaning of "personalisation." Personalisation is about me making choices to adapt a product to my preferences, it's not about the product making choices about how to interact with me.
Real personalisation would be having the (sticky) option to shut the algorithm off and "see the real, unfiltered, unfettered data."
Advertising destroys recommendations. Suddenly it's not based on any genuine attempt to work out what the user might like but only what benefits the margins of the advertiser. This is why Google's adverts are in a separate box at the top, un-mingled with the search results.
If Facebook were required to hash and salt phone numbers, then the correct 2FA value might still work (it would match the salt and hash), but an arbitrary list of submitted values would be expensive to match to the hashed set.
Facebook would be unable to contact the user via SMS, they would have to issue a token via WWW or app and have the user text that to a specific address from the corresponding phone number to achieve phone-based 2FA. This might even be a third-party service to deny FB any direct access to the phone number.
The verification channel might become a phishing target via spoofed FB pages or apps, though that would be moderately expensive and of limited use. An attacker might request FB login credentials (the actual verification would not), might acquire a phone number (generally, though not always, a non-critical datapoint), and would still be denied account access via 2FA without further compromises, say, social-engineering the phone account (a proven risk, though expensive at scale).
Tildes.net uses a similar mechanism for recovery email addresses.
Somehow, the knowledge that the efforts to tie every trace of my existence together to help marketers target ads to me are done in a cryptographically secure fashion is not entirely comforting.
In general, I have been unimpressed with recommendation engines of any sort. Spotify can't suggest music I'd like worth a damn, and it's working within a relatively specific domain. Whatever fractional gains in ad relevance are currently obtained from this aren't worth the privacy invasions needed to obtain them.
> are done in a cryptographically secure fashion is not entirely comforting.
It's not even cryptographically secure, a phone number is like a 10 digit number that isn't even completely random because of area codes, trivially brute-forceable.
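The two points above (an unsalted hash of a phone number is trivially reversible because the keyspace is tiny, while per-record salting keeps the 2FA check working but makes matching an arbitrary uploaded list cost work per stored record) as an added example that is not part of the thread. All phone numbers are constructed 555 numbers, and the "upload" simply models a list submitted for matching.

```python
"""Added example (not from the thread): what unsalted versus salted hashing of
phone numbers changes for (a) reversing a stored hash and (b) matching an
uploaded list against the stored set.

Assumptions (all constructed): the numbers are fictional 555 numbers, and the
"upload" is a plain list of numbers or hashes submitted for matching.
"""
import hashlib
import hmac
import secrets

# Count hash invocations so the cost of each strategy is visible in the result.
HASH_CALLS = {"n": 0}


def sha256_hex(data: bytes) -> str:
    HASH_CALLS["n"] += 1
    return hashlib.sha256(data).hexdigest()


def unsalted_hash(phone: str) -> str:
    """The scheme discussed in the thread: plain, unsalted SHA-256 of the digits."""
    return sha256_hex(phone.encode())


def recover_unsalted(target_hex: str, area_code: str, exchange: str):
    """Reverse an unsalted hash by enumerating the 10,000 line numbers behind a
    known area code and exchange. Even the whole NANP space is only ~10^10
    candidates, so unconstrained enumeration is cheap as well."""
    for line in range(10_000):
        candidate = f"{area_code}{exchange}{line:04d}"
        if unsalted_hash(candidate) == target_hex:
            return candidate
    return None


def salted_record(phone: str) -> tuple[bytes, str]:
    """Store a random 16-byte salt per record; the digest binds salt and number.
    A real deployment would also use a slow KDF (scrypt/PBKDF2); SHA-256 is
    kept here only so the hash-call count stays easy to read."""
    salt = secrets.token_bytes(16)
    return salt, sha256_hex(salt + phone.encode())


def verify_salted(phone: str, salt: bytes, digest_hex: str) -> bool:
    """The 2FA path still works: hash the submitted number with the stored salt
    and compare in constant time."""
    return hmac.compare_digest(sha256_hex(salt + phone.encode()), digest_hex)


def match_unsalted(stored: dict[str, str], uploaded_hashes: set[str]) -> set[str]:
    """Unsalted matching is a set join: the uploader hashes on their side and the
    service does no hashing at all. Returns the matched user ids."""
    return {uid for uid, h in stored.items() if h in uploaded_hashes}


def match_salted(stored: dict[str, tuple[bytes, str]], uploaded_numbers: list[str]) -> set[str]:
    """With per-record salts an uploaded hash list is useless; the uploader must
    send plaintext numbers and the service must re-hash every uploaded number
    under every record's salt: |upload| x |records| hash operations."""
    matched = set()
    for phone in uploaded_numbers:
        for uid, (salt, digest_hex) in stored.items():
            if verify_salted(phone, salt, digest_hex):
                matched.add(uid)
    return matched


# Constructed data: fictional 555 numbers, not real subscribers.
USERS = {"alice": "2015550123", "bob": "2015550177", "carol": "3125550199"}
UPLOAD = ["2015550177", "2015550101", "4155550133"]  # one hit (bob), two misses


def demo() -> dict:
    stored_unsalted = {uid: unsalted_hash(p) for uid, p in USERS.items()}
    stored_salted = {uid: salted_record(p) for uid, p in USERS.items()}

    HASH_CALLS["n"] = 0
    recovered = recover_unsalted(stored_unsalted["alice"], "201", "555")
    recover_cost = HASH_CALLS["n"]  # 124: lines 0000..0123

    HASH_CALLS["n"] = 0
    hits_unsalted = match_unsalted(stored_unsalted, {unsalted_hash(p) for p in UPLOAD})
    unsalted_cost = HASH_CALLS["n"]  # 3: only the uploader's own hashing

    HASH_CALLS["n"] = 0
    hits_salted = match_salted(stored_salted, UPLOAD)
    salted_cost = HASH_CALLS["n"]  # 9: len(UPLOAD) * len(USERS)

    return {
        "recovered": recovered,
        "recover_cost": recover_cost,
        "hits_unsalted": hits_unsalted,
        "unsalted_cost": unsalted_cost,
        "hits_salted": hits_salted,
        "salted_cost": salted_cost,
        "login_ok": verify_salted(USERS["alice"], *stored_salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salted cost grows with the number of stored records, which is the "expensive to match" property; the login check stays a single hash.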
> Would you rather use Netflix or Spotify without recommendation engine?
I'd rather it didn't have a recommendation engine. I'm fed up with it trying to get me to watch something else - I'd rather it just stay out of my way.
Speaking as someone who hasn't used facebook in years, I think it's awkward trying to compare it with netflix/spotify. The latter are narrowly-focussed, with a clear target for recommendvertising - i.e. I am viewing a film or listening to music, the case for suggesting another is pretty good, and useful. That's very different from, for example, recommending a product to me when I'm viewing my friends' photos.
Also, one pays for Netflix, and there are no ads. They try to give you, the user/customer, a better experience, so that more users/customers sign up and pay.
Needless to say, Facebook's goals and incentives are very different.
All my personal details on Facebook are (and have always been) false. My phone number is the number of a hotel in Monte Carlo. When Facebook nagged me to give them my mobile number for 2fa I ignored them. My friends thought I was crazy. I know it's not exactly gracious of me but feeling very self righteous right about now.
This is basically the only reason I don't "delete" my Facebook account. I have so many family members and friends that I cannot realistically prevent putting pictures and the like about me on Facebook.
At least I can see some of what Facebook has about me instead of none.
The other really stupid thing, besides generally hurting the adoption of 2FA forever, is that they probably did it for hardly more than scraps, compared to their conventional ad targeting capabilities.
Maybe I am completely wrong about this, but I'm pretty convinced that almost all of the ad spending for that feature would have reached Facebook's coffers anyways had it not been available.
At Facebook's scale even the scraps can be worth millions.
And the sad truth is that the vast majority of people will not be deterred by, be aware of, or even understand the fact that Facebook is abusing their phone number in this way, so as far as Facebook is concerned it's a small bump in the long road to increased profitability.
> At Facebook's scale even the scraps can be worth millions.
Sure, but the same is true about negative headlines, the effect is just more difficult to quantify.
Maybe it's a general world view problem within Facebook, but usually these things are the result of one overly ambitious person or group optimizing the singular bonus metric of their own little fiefdom at the cost of corporation-wide commons. Big organizations need to be extremely vigilant in their defense against internal foes who won't blink an eye costing the company billions for a gain of millions as long as the latter will be attributed to them while the former won't.
> An ever increasing craving for an ever diminishing pleasure is the formula. It is more certain; and it's better style. To get the man's soul and give him nothing in return -that is what really gladdens our Father's(0) heart. - C.S. Lewis, senior demon to a junior, 'Screwtape Letters'.
(0) Satan
For exotic niche products, incredibly. On Facebook, you can advertise to golfers who don't subscribe to a golf magazine. This is new and valuable (to everybody except the publishers of golf magazines, who suddenly have to face competition in golf-specific ad-spending). But if you are selling washing detergents, even the tiniest premium for targeted over untargeted would be a waste.
Note however that to enable any other type of 2FA you first have to give them your phone number. You can delete your phone number afterward, but it's too late, they have seen everything.
Well it won't matter once you change your number, but nobody should have to consciously think about doing that because the company you gave it to is using it for non-user account security purposes.
Interesting, thanks for letting me know. I don't have an account. I understand _why_ they require you to verify a phone number though, for the exact reason this article explains.
The phone number isn't for your protection (it's actually really terrible for 2FA), it's for Facebook's protection. It's an anti-bot mechanism to require a unique phone number for each account, or no more than 5 accounts per number or so.
Yeah, but it looks like it still doesn't work if you switch to the app after having given them your phone number for 2FA. The sentence that follows your quote says:
>>(Albeit, the company only added the ability to do non-mobile phone based 2FA back in May, so anyone before then was all outta luck.)
Can you actually "opt out" of that number being used or is the spokesperson just saying "we don't get your number via this method if you never give it to us via this method"?
I.e. if you switch from using a 2FA phone number to using the app do they stop using that phone number in your facebook profile? And your shadow profile?
I think it is relevant: back in february they made us believe that them using 2FA phone numbers for marketing purposes was a bug and today we learn that them using 2FA phone numbers for marketing purposes is a feature.
So either they lied in February or they have changed their minds. Either way, I think there is value to bring this very similar discussion back to our minds.
No regulation needed, just avoid using their 'services' and block anything facebook at the point of access. They might keep 'shadow profiles' and use facial recognition to find you on images posted by others but if you keep them out of your network they can have a ball trying to target their advertising at that closed door.
Not that I allow any advertising here, mind you - everything is blocked at the router (ipset [1] comes in handy here), at the client and in the browser. This works at home as well as abroad since I route all my data through a VPN (OpenVPN) terminating at my router.
Then it definitely sounds like regulation is required, the vast majority of Facebook's users don't know how to do all that. The public should not have to protect themselves from unethical companies, the companies should have to stop with their unethical behavior lest the government shuts them down.
Drawn to its logical extreme, you don't need regulation to be protected from racketeering if you run a restaurant either, you can just hire private security and arm yourself.
It would be really surprising if that was a facebook only thing. For starters Google pesters me at least as much to add my phone number to secure my account.
I think it will stop pestering you for a phone number if you give it some neutral second factor like a Security Key?
(Security Keys are actually way more anonymous than I'd even thought possible until I understood how they work, if you know Susie uses the same key for DropBox and GitHub, and you suspect Susie also uses this key for the account NumberOneSecretTrumpFan on GitHub, and then you steal all the account credentials from GitHub somehow, this doesn't end up being enough to verify that Susie has the same key as NumberOneSecretTrumpFan, nor is it enough to sign into Susie's DropBox account, and unless GitHub's data includes the backup passphrases or whatever it's not even enough to sign into GitHub as Susie, NumberOneSecretTrumpFan, or any other Security Key user...)
I'm not sure how it is now, but for a long time Google required you to enable SMS auth (by giving your phone number) before you could enable TOTP or other 2FA methods.
Many people can't quit because they are addicted, but there is an option to permanently delete your account and it takes about 5min. I'm not aware of Facebook creating profiles for people that haven't signed up for their service. If so, that should definitely be illegal.
The government should have bigger fish to fry than trying to regulate the distribution of information that you have and continue to willingly provide to a company. If you don't like it, sure government could jump in and make Facebook just how you like it, or you could delete the info you don't want them to have. The later sounds easier on everyone.
Air is a necessity, Facebook is not. I don't use Facebook and personally don't want my tax dollars spent overseeing a non-essential service. I'd rather send our tax dollars towards environmental pollution and areas that actually affect us all much more seriously.
The point wasn't that Facebook is a necessity. It's that Facebook is unavoidable.
Unfortunately, whether you created a profile or not, you can't just "not use Facebook" with their whole shadow profiles.
Sure, they aren't (currently) pumping waste into the environment. I'm not saying those things aren't important, but I do think we're going to look back 10 years from now and wonder how we let Facebook even get this bad.
I only use Facebook like every month now but it always asks about my phone number. It also asks me to enable a log-in short-cut every time.
This last time, they crossed a line: they pre-filled the field (I do NOT have this set up in the browser), meaning they already figured out my number (probably by scrubbing some friend’s phone) and just want it confirmed. To hell with that. I would not be surprised if every spam call in existence can be traced to Facebook.
Though you can probably get at least an IP address, and if you create a nice looking fake e-shop with something your target may want, ... they may give you the rest.
Phishing ads on FB may be less obvious than sending them a phishing link over e-mail.
Or if you use Whatsapp. Their privacy policy makes this pretty clear:
As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies. We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings. This includes helping improve infrastructure and delivery systems, understanding how our Services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities. Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads.
Bizarrely, whilst general everywhere else, the policy specifically calls out banner ads to make it clear that they won't use them until they do, at which point they'll stop saying they don't:
No Third-Party Banner Ads. We do not allow third-party banner ads on WhatsApp. We have no intention to introduce them, but if we ever do, we will update this policy.
> We do not allow third-party banner ads on WhatsApp. We have no intention to introduce them, but if we ever do, we will update this policy.
I wonder how they come up with this kind of language? Do they write a short text that gets filtered several times by multiple teams of lawyers and comes down to this? I cannot honestly imagine a sane human being writing such intricate bullshit, even on purpose.
If I recall correctly creating a Facebook account today requires a phone number. So, consider yourself lucky that you have the option to protect that bit of yourself.
It should be already well understood that free services aren't free. To me the moral issue of the story is how Facebook isn't upfront about "the cost" of the services they provide.
You want to use facebook to get in touch with friends? We all now know that you will be targeted by ads customized with every piece of information that you reveal (and some bits that you are not even aware you are revealing...)
Assume that an extra layer of security is also costing you some privacy. Interesting dilemma...
It is not well understood that they are a service.
To many people it is more like a place, and places are free. Sure, technically you can buy a place and own it and charge for access, and technically somebody owns almost all places you might care to go to, but mostly we think of them as free.
The fact that it costs nothing, monetarily, to access… that very thing often makes something seem like it has no cost.
I suspect most people don’t get as far as “thinking” that in a conscious, deliberative, system-2 sense of the word — They see no price tag, so it’s free.
Also, it's one thing to willingly give up your own data in exchange for using Facebook etc for free, but often the data they collect could reasonably be considered other people's - for instance uploading your contact book to "find friends" tells Facebook what names to associate with phone numbers and helps them build "shadow profiles" (or whatever the term they use is) for users who haven't given them anything.
This is particularly an issue when minors are present in the photo, videos, comments, etc... Dad/Mom/Uncle/Grandma shares a photo of a young family member, and without a doubt a new individual has been added to Facebook's records.
It's worse than that. You can't even buy privacy-respecting Facebook service if you wanted to, even at the ARPU/LTV that Facebook would be happy to get, and network effects mean that you suffer when your friends and family choose to use Facebook but you opt out.
I always imagined they would probably end up doing this, and that's why I've never accepted 2FA anywhere a site has tried to push it on me. They can't spam me if they don't know my number...
Again? Weren't they called out on this about half a year ago already? Did they continue doing this? How irresponsible and total lack of any ethical standard. It's horrible but mostly just sad that users are just a commodity to make profit. So let's trick them to sign up for 2FA to pretend they have more security and then we can send them nice little ads. What a bad company this has become.
People of multiple platforms dislike me for discrediting facebook. Simply talking about facts and what they could expect. They think they know it all. Some corps are good some are evil. People tend to forget that an evil person could also be your most trusted and reliable one. I work as a cyber security engineer and the things I have seen flying by are crazy. The fact that information is sold without your knowledge is real. It's a dark world out there in disguise.
What can we do about it? I realize this is probably not answerable in this thread but I find myself asking this question more frequently lately and I still cannot answer it.
Would be happy to see this discussion split into an Ask HN: or other, I think this topic should be debated quite a bit more than it is with the goal of attaining real results on fixing these issues.
Simple: delete your Facebook account. Many of us already have. Nothing will send a stronger message than people doing this en masse. Even if they don't get the message or don't care, it's the only way to protect yourself from their never-ending privacy violations.
This. Though I will say, in my opinion tech companies are more or less wild animals we pretend are domesticated.
Nothing is free.
Facebook continues to do good for people. Twitter as well. These are invaluable communication channels for many people.
I imagine this problem will get fixed about the same time my physical spam mail stops arriving. I'm not holding my breath, given that I can _say_ something to my wife in the privacy of our own home and get a cold call or physical mailing about it a few weeks later.
I try to encourage people to pay for the services they believe in. Whether you love or hate Microsoft for $6.99/mo you can get Office, (decently private) email, cloud storage, and Skype. Hate Skype? Don't blame you but from there you can get a phone number that you can give out and keep your personal number just for family/emergencies.
This sends a powerful message to folks trying to build a better mouse trap. It is _very_ hard to produce a free service that competes with these folks but if we show we're willing to pay for privacy then maybe we'll start to see competitive innovation in that space again.
Now that I have a family it inspires rage that my phone rings constantly from spammers and I might ignore a call that's time sensitive and important.
> Whether you love or hate Microsoft for $6.99/mo you can get Office, (decently private) email, cloud storage, and Skype. Hate Skype? Don't blame you but from there you can get a phone number that you can give out and keep your personal number just for family/emergencies.
I deleted facebook in 2008, this article discusses shadow profiles.... I suspect that more people deleting facebook and moving to facebook owned subsidiaries, or anything that is centrally owned and not federated will not solve the problem. even then there will be new mining techniques with their own set of challenges.
unfortunately I do not think that more people doing that will solve the root of the problem... only try to treat a symptom.
> Simple: delete your Facebook account. Many of us already have. Nothing will send a stronger message than people doing this en masse. Even if they don't get the message or don't care, it's the only way to protect yourself from their never-ending privacy violations.
And if you're not willing to delete your account just yet, switch your profile pic and cover photo to messages saying you're planning on using Facebook less or eventually deleting your account.
If enough people do that, it adds a social element to the exodus. Just deleting your account makes it poof out of existence without a sound, and most of your FB friends won't even notice.
Facebook will still harvest your personal information to profit from. They'll just do it without your involvement. They'll get it from anyone or anything you've ever revealed information about yourself to.
Australia needs something like the GDPR, can't happen soon enough. I enjoyed the wild west days of IT, but I think now companies are enjoying it a bit too much.
It doesn't help that legislators wouldn't have the foggiest clue about some of these issues^, so there's no impetus from the legal community or political arena to make changes, while nefarious companies are doing whatever the hell they like.
I deleted FB years ago, and this infuriates me to know they might still be trying to sell my information based on contacts and what I share with them.
^ Actually, they've recently tried to pretend they are above the law of mathematics, so...
Same thing we are currently doing about it. Keep talking.
FB and similar surveillance shops thrive because people let them. People let them, primarily, because humans instinctually follow a safety-in-numbers model - FB just couldn't be that bad, or someone would have done something about it. That is likely the most clever/evil hack - FB flips this instinct on its head.
So keep telling people the truth about FB. It is a tacky AOL 2.0 panopticon optimized to manipulate you in the name of your friends and family. The company routinely lies about their practices, the CEO gives all appearances of being an untrustworthy weasel, and they're more interested in growth than the damage (up to and including facilitating mob violence!) they're doing.
And: the net is a big place. FB is a big corner of it, but unless you'd also think living inside a Walmart is a great idea, there's a lot out there that you're missing.
It took years, but I've gotten some family members to stop using them.
Not related to private data but I've seen a bank shadow fund a project to get the mortgage review packages of a competitor to run through their models and test them out, also giving this one bank all the data on the mortgage packages and the scores. A really big bank did this to two others BIG lenders (one lender directly related to the federal government).
We were instructed to turn a blind eye and the business model was exfiltrating info to a different lending institution while the auspice is we were only building a product as a service.
My personal opinion is ALL your data is being sold. Every single bit that can be collected will be sold with no protections, regulations.
> My personal opinion is ALL your data is being sold. Every single bit that can be collected will be sold with no protections, regulations.
I don't understand -- especially in this crowd -- how this is even a question, at this point, nor why anything related to this fact even warrants discussion any more, given the knowable ubiquity of the practice. I guess the only thing left is figuring out a novel way to capitalize on it, like the Gold Rush.
You don't need his crazy stories, really. All you need to do is accept that Facebook isn't behaving exceptionally poorly, this is industry standard. Lo and behold - the entire sector is suddenly a cesspool of disrespect and money grabbing at the cost of your data, your privacy, anything they will be able to get away with. And they can get away with a lot, because you are not allowed to talk when you work anywhere. On pain of basically having your life ruined.
The behaviour is poor, yes. But if you view it among its peers it's not at all poor, it's normal. That that normal is actually "exceptionally poor" might be true, but that's not really the point I was trying to make. On that I think we agree.
If you're implying that "most in the know" think FB is much worse than competitors or even other IT companies, we do indeed disagree. Sadly that is not something we can argue here, because if you are in the know you cannot share examples :)
I had my mobile phone number appear pre-filled in an add-your-number-to-your-account prompt on Facebook's mobile website while I never provided it in any way to Facebook myself (in the meaning of: neither added it to my account nor mentioned it ever on the website; I never used their apps at all either). They had farmed it from one of my contacts' address books obviously.
Not surprising that they'd do that but still a disconcerting feeling to actually see it happen.
I'm in a weird situation, I opened my facebook account with a phone number, not email, my username is a phone number I had ~5 years ago. I lost the sim card ~4.5 years ago, so since then I still use the same login. Every time I login facebook asks me to update my phone number because it's no longer valid, so they probably know it's been recycled and someone else owns the number. Another thing... a year ago, I got a new sim card with a new phone number again (I change my number every 1-2 years), and since that time I can't use this phone number to set up 2FA because... someone else on Facebook has this number in their profile!
It's admittedly off topic but if you don't mind me asking, what are the reasons for you to change your number every 1-2 years?
Doesn't that complicate things with past clients, old friends and maybe even with family?
I changed my number 3 years ago but I still keep my old number active because it occasionally gets calls or text from past contacts.
I don't use phones for communication, I rely much more on emails. My friends and family know how to contact me and they know that my phone number might stop working any time. I don't give phone numbers to clients, as I don't want to be disturbed when they want something, instead I respond to emails when I have time.
Wait? Did somebody ever doubt this? I always believed collecting phone numbers for their marketing needs is exactly the reason why any of the social networks ever introduced SMS auth.
The situation is such that this is what's expected of Facebook. It would be a shocker if Facebook didn't do this. Actually, it's quite surprising that it took so long to do this.
Bottom line, Facebook will devalue you as a human and invade your privacy in any manner possible for as long as it can withstand legal pressures and get away with paltry fines. Obviously, all these measures are to provide users with a better experience. That's Facebook's DNA.
For WhatsApp in its initial incarnation I did not mind allowing it access to my contacts since the phone number was the way it identified people and since it was universal.
With these upcoming incarnations I'm not sure I want to use it, and I'll be looking for a simple IM application which just charges a simple fee for service.
The only justification I could come up with is that Facebook has grown so big that "one hand does not know what the other hand is doing." That the security and privacy folks at Facebook agreed to this kind of abuse is somewhat hard to believe and the most likely explanation is that these features never got fully reviewed and vetted. Either way it's a big failure.
Don't get me wrong, this is absolutely a scummy thing to do since it's deceptive. That said, I don't understand why everyone thinks this is such a big deal. They already have your phone number from 2FA anyways, and they already show advertisements. What difference does it make that they let advertisers target people based on their number?
I'm not sure I understand what's going on here and the article doesn't really explain. What does it mean that they are "using your 2FA phone number"? It doesn't seem like they are texting ads to people. Are they just using the area code to determine where you live?
Advertisers can upload lists of phone numbers that represent people they want to see their ads. Facebook matches those up with your 2FA phone number to show you those ads.
Multiple devices and linking them to a single person is an active area of development. Say on your phone you've never signed into Facebook in Safari, so Facebook won't know what account it is. But you sign into some other service that you give your phone number to. Since a phone number is pretty uniquely identifying, the two companies share info and thus Facebook knows that Safari browser is you and can track everything you do to your account.
And yet in April Mark Zuckerberg told the US Congress that he wasn't "familiar" with shadow profiles[1]:
Lujan: Facebook has detailed profiles on people who have never signed up for Facebook, yes or no?
Zuckerberg: Congressman, in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers].
Lujan: So these are called shadow profiles, is that what they’ve been referred to by some?
Zuckerberg: Congressman, I’m not, I’m not familiar with that.
I bet plausible deniability is that they call them by a different name internally.
Information brokers are so sketchy – it makes me so sad that the coolest tech companies are also some of the sketchiest.
Do you remember back when the internet and web were all so full of promise? Instead we got tech behemoths that would put Standard Oil and AT&T in their day to shame.
It's a mistake many people make just by buying a phone. I had an HTC M8 and liked it except that they made it absolutely impossible to remove FB until I flashed Lineage on to it.
This is the kind of thing that is stupidly hard to fight now. Even if you block Facebook’s 80,000 domains at your router, your friend’s address book dump gives lots of goodies to Facebook and 3rd parties and you can’t touch it. Every new thing they try becomes illegal in 2 years “but not yet” so they do it until they can’t.
Sometimes it seems like the “Default deny” security concept needs to apply to Internet companies. Instead of having years to screw with data and the Internet until told “no”, how about every idea they have is illegal until it can be proven through thorough review that it might be valuable?
This is probably the reason Jan Koum left Facebook. He knew the betrayal of the privacy promises of WhatsApp was completed by Facebook by doing exactly this.
This doesn’t surprise me at all. Facebook has been bothering me for YEARS to enter my mobile number for “account recovery” purposes. My email is fine for that.
Now Facebook is recommending pages and friends to me who I only am connected with on Instagram. Not to mention Facebook notifications are now integrated into IG.
I wouldn’t be surprised if these were the final nails that made Kevin Systrom leave.
This should have been obvious for anyone who is paying attention.
When data collection and advertising companies such as Facebook (and Google) push a feature actually beneficial to users so aggressively – such as 2FA – during the sign-up process; you'd have to be naive to think it's for your benefit.
It's not 2007 any more... tech savvy users should know better than to trust such organisations with any scrap of additional personal information than absolutely necessary.
Tech savvy or not, really there's no way any current fb user would be concerned with it nowadays and they will continue to rat you out to the fb apparatus. You know how they say "ignorance is bliss".
I believe that for us to wait for our governments to have to make regulations around our privacy and data is overly optimistic. Since companies like Google and FB exist on a global market the only way to truly bring about any real changes is to take away the very thing that they're looking for, and that's our use of said services. As someone that works daily with the general public trying to educate them on the safety and use of their technology, I often ask what their feelings are on the subject of companies like FB and Google selling their data to anyone willing to pay for it. The response I get the vast majority of the time is that they aren't doing anything illegal so why would they care? My response to that is "Would you let strangers walk into your house and dig through your personal items?". Every time I get the same response. "Of course not!" Well in my mind this is no different. I've read a lot of suggestions on what we feel government should do to regulate these things but we need to face facts here. Society is addicted to many of these services. The simple solution would be to just STOP USING THEIR SERVICES. There are alternatives to both of those services. We now know that the data being collected and sold has the potential of revealing information that could be used maliciously against us, and we complain about what's going on. But then many people turn right around and continue to use the free service. I truly feel that this isn't totally an issue with government regulation as much as it is an issue with the vast majority of its users being completely addicted to it. If we want to truly make any kind of impact we need to take personal responsibility for these things. And not only that, but as people that are knowledgeable on these topics we need to educate those non-technical people around us just what it is they're giving up when they click Accept on their EULAs and privacy agreements.
As much as I dislike what FB and Google are doing at the end of the day they are counting on the fact that the general public won't spend even 30 seconds reading these agreements. If users care so little about the fact that they're making a legally binding agreement why would FB and Google? Most are so concerned with getting access to whatever service they're attempting to gain access to that they just click the accept button with little or no thought about what it is they're agreeing to. Government can't be expected to do our thinking for us.
Umm, based on the content of the article, no, Facebook did NOT give advertisers access to your shadow contact information.
Advertisers can specifically say that they want to advertise to a phone number THAT THEY ALREADY HAVE (READ: THE ADVERTISER ALREADY KNOWS WHO YOU ARE). And Facebook will display those ads to the Facebook account that uses that phone number in its shadow contact info.
At no point does the advertiser have access to which Facebook account that is.
We know that social networks are here to stay, and even if people disagree the writing is on the wall for Facebook to have a Myspace moment, as soon as an alternative is available.
What will it take for some prominent VCs/Investors to just come together and create a fund to fund FB replacement? If done right, they will make a killing (from a returns perspective).
Orwell's final warning is chilling and beautiful; in some kind of perverse metaphorical sense it's strangely relevant to the future of the Brave New World that we are "faced with":
The article states that you can give Facebook a list of phone numbers or email addresses and it will put your ad in front of only those people. Does anyone know how small a list you can target? List of one? List of one plus N number of dead email addresses? Therefore a list of one, but more expensive?
Everybody punts security issues from identification to the next guy. Eventually the only safeguard left between you and the bad guys is a minimum wage salesman working at the t-mobile counter. It's sad to know that all of your primary email addresses, with links to online shopping accounts with credit cards, bank accounts, etc, can all be accessed by spoofing your phone number.
Client side certs mean now every user has a verifiable identity. Maybe you're OK with Facebook knowing your full ID, but is it also OK to tell Grindr, Redtube and Amazon?
Security Keys are better here. The security key can prove to a site that it's the same one as before. "Before what?" Well that's up to the site. In most cases it's going to register one or more keys when you sign up to the site, and then check you still have one when logging in. This is completely useless for everything except the one thing it's intended for, a Second Factor during login.
It upsets me that the "normal" way to keep in touch with people now seems to be to use some kind of big-brother-esque system.
I try and evangelize Signal over WhatsApp and most of my friends won't budge. I deleted my Facebook four years ago, and as a result I have lost contact with a lot of friends.
Before this sort of technology keeping in contact with friends wasn't trivial. Both parties had to want to keep it up. And if they didn't, or you didn't, you just lost contact with a lot of people as a normal matter of course. Everyone moved on with their lives, you met new people, and so on.
That there is this artificial world where people can arbitrarily keep in contact doesn't make that sort of non-interaction of occasionally commenting on or liking posts normal or better. It certainly is easy though to search for someone you knew ages ago, add a friend, have the five minute conversation of what's been going on the last five, ten, twenty years and then never really talk again.
In this regard facebook isn't the problem, and your preferred platform isn't a solution. The problem is people.
As someone who still makes phone calls and writes letters, it seems like a step backward. Most people have nothing to even discuss once they 'get together' as they have shouted everything remotely interesting about themselves and their lives into the void already.
I have letters I treasure and will keep to my death. Emails? Not so much. The impression, the personal touch is missing. We as humans notice that sort of thing even when we pretend it's all the same.
I work in sysops. Our user base is largely 40+ year olds. It has taken us nearly two years to convince our users to use a phone or email for password resets. We are now moving to 2FA and this sort of stuff only hurts the industry.
The big picture here seems to be eluding people. Let's not get bogged down with semantics and logistics. It boils down to self preservation; people need to understand who/what that "self" is.
Well Frosty, I for one am glad to see the struggle and gasping for oxygen. As for hope in each generation, I honestly believe #3 is growing stronger each day. We are alive in a great moment in time.
>The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben.
I really liked it when people downvoted me when I wrote that Google pushing for 2FA phone numbers is doing it to get your phone number. (they don't use it for ads but lately I don't trust them, also 6mo ago I removed my FB)
In the end I gave Goog even 2 of my numbers because I am scared as hell to lose access to my account. I got my Gmail account when it was 'invite only' so it has been my main account for a long time. Have to move out of it soon.
Ha! I'm being constantly nagged whenever I visit fb (to see if those who can't live anymore without it didn't want something etc.) to update my details - which I removed long ago; among that, they sometimes "suggest" updating a new profile pic, which I haven't changed since the end of 2014 - when I stopped wasting time there.
Cambridge, WhatsApp founders, Instagram founders, 2FA exploit and so on. What's next for Mark?
And actually what would be the trigger for people to flee?
It is probably still the mantra for people who work there, as corporate culture is slow to change, but Zuck changed it in 2014 to "Move Fast With Stable Infra"[1].
There is also this from his college days. Nothing much has changed:
Zuck: Yeah so if you ever need info about anyone at Harvard
Zuck: Just ask
Zuck: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend's Name]: What? How'd you manage that one?
Zuck: People just submitted it.
Zuck: I don't know why.
Zuck: They "trust me"
Zuck: Dumb f*cks
The actual story is FB enriching your profile with shadow contact information about you when you or third parties provide it with details it wasn't aware about yet. For instance when a friend of yours has your landline number in their address book and gives FB access to the latter; or when an advertiser provides FB with the same as part of targeting an ad campaign.
Oh, that's troubling. Not the fact that they are adding 2FA phone numbers to their collected data, but rather that custom audience is a thing.
I thought they were taking pains to limit the ability to directly target individuals. They limited audience size to at least 1000 people previously when doing regular targeting.
How is it that I've never heard of custom audience until now?
They limited ad targeting to 1,000 people because (a) people were using it in very noticeably creepy ways, highlighting things FB wanted less attention on, and (b) it wasn't making money. Targeting 1 person is not the advertising business.
Custom audiences, though, are why FB is profitable. The platform before those tools were introduced (5-8 years ago) made a lot less.
Is this any surprise? Just a few hours ago the Acton article on the front page[0] talked about them doing this in WhatsApp:
> Later he learned that elsewhere in Facebook, there were “plans and technologies to blend data.” Specifically, Facebook could use the 128-bit string of numbers assigned to each phone as a kind of bridge between accounts. The other method was phone-number matching, or pinpointing Facebook accounts with phone numbers and matching them to WhatsApp accounts with the same phone number.
> Within 18 months, a new WhatsApp terms of service linked the accounts and made Acton look like a liar.
Companies like this, and Facebook in particular, are desperate to connect identities. Phone numbers are an incredibly useful way to do so. Most people only have a couple of them, their re-use rate is slow, they get entered into forms all over the place, and they're usually valid (because they were provided as a primary method of contact).
In this case advertisers have an identity (and phone number), Facebook wants to match on that value. They're going to do it any way they can.
It may not be ethical, but the carrot is right there and it's naive to think you can give them your identifying number and they're going to turn a blind eye to it.
Wasn't one of the conditions to get the deal approved by EU regulators to NOT share any data between services? [0] Did they just restart it because they found reprieve or simply decided to ignore the regulation?
Edit. Also this [1]. Does GDPR suddenly open the door for sharing this data "legitimately"?
I remember FB doing that with WhatsApp at least 6-9 months before announcing it officially and pushing the new "terms of service."
It's a shame the EU didn't punish them more severely over that, because they were basically already using the feature without mentioning it in their ToS for almost a year, if not longer.
> I’ve been trying to get Facebook to disclose shadow contact information to users for almost a year now. But it has even refused to disclose these shadow details to users in Europe, where privacy law is stronger and explicitly requires companies to tell users what data it has on them. A UK resident named Rob Blackie has been asking Facebook to hand over his shadow contact information for months, but Facebook told him it’s part of “confidential” algorithms, and “we are not in a position to provide you the precise details of our algorithms.”
If it's a corporate decision they won't be liable.
"Similarly, individual employees, managers, and directors are liable for their own malfeasance or lawbreaking while acting on behalf of the corporation, but are not generally liable for the corporation's actions."
It's a corporate decision made way above the heads of the developers, for sure. But there have been very notable occasions in history when the US and Europe weren't content with "I was just following orders" as a defense.
And, during at least one of those periods in history, the US was not content with superiors claiming ignorance of any wrongdoing either.
Small question: how do you prove it, adequately for a court of law?
I imagine that to prove it, you'd have to make several accounts, with several phone numbers, and somehow demonstrate to a judge that the information leaks through. Not an easy task.
1. Ask for the judge's phone number
2. Register a new account with the judge's phone number (clean browser, no friends added or pages liked)
3. See friend recommendations from the judge in this new FB profile.
The GDPR is not applied by courts, but by regulators, who are tasked with investigating just that sort of thing. Courts may come later, if the company disputes, I think.
The previous right to be forgotten was limited to only search engines operating in the EU. Meaning, google didn't have to remove the data itself, just the entry to the link in the index. GDPR is far more onerous in that it applies to all data processors everywhere.
"The ECJ ruling only enforced the right to erasure on search engines operating in Europe. The proliferation of personal data that is available online extends far beyond their indexes. It's often exploited for the benefit of others, and their motivations may be contrary to the wishes of the data subjects. It will now be extended to all data processors."
I didn’t give facebook my phone, my email has timed out (and facebook knows it, it deactivated my email) and I forgot my password, more or less intentionally. So the only thing tying me to Facebook is my browser cookie. I have to say, I’m surprised I’ve been able to keep this account open for years in this state, it’s almost as if they really wanted me to stay. But it’s possible to keep a facebook account alive with no accurate contact information.
Google has been pushing SMS 2FA a little more aggressively over the past couple of years, too. And I think Apple made it "easier to use SMS 2FA" in iOS 12 for the same reason.
I also said before that this is exactly why Facebook wanted to "verify people's faces for security purposes", too. It just seemed so obvious to me that Facebook would use security as an excuse to get people to put their own 100% accurate face scans into Facebook. It's also because Facebook used the same excuse with the shadow tracking (it's for your own good!), which is as ridiculous as Google claiming Analytics is for website visitors' own good.
No dude, Apple has an excellent track record for privacy of customer data. They don't share anything with anyone else, intentionally. It's a walled-in garden. They have always, and continue to, view themselves as a hardware company. They make money on hardware sales. I mean look at their margins. Any such activity, if called out, may lower their hardware sales.
Information and data is the modern day 'gold'. There's much more value to tying an account to something that with negligible doubt identifies them than just selling it to advertisers. It lets you create sophisticated models and track and model users' behavior across services, and even outside the digital domain.
There are also extrinsic benefits outside advertising. Apple, for instance, is also a member of PRISM and one can only imagine how many other surveillance programs across the world that remain classified. Companies are undoubtedly 'compensated' for their involvement in these programs, and the more information they have and can gain - the more valuable their participation would be seen as.
This conflict of interest is why I think we will never see any sort of significant guarantee of privacy at the federal level in the US. The more information companies obtain, the more information the government has access to.
I'm surprised people didn't know this... this has been happening for at least 4 years through custom audiences. An advertiser can upload a list of mobile numbers or email addresses to target people.
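The matching that the two comments above describe (an advertiser uploads a list of phone numbers or e-mail addresses; the platform matches them against the identifiers it holds for each account, including numbers collected for 2FA) is done on normalised, hashed values rather than raw strings. The example below is added here and is not code from the article, the thread, or Facebook; the normalisation rules (trim and lower-case e-mails, reduce phone numbers to digits with a country code) and the unsalted SHA-256 match key are my assumptions, modelled on the usual conventions for such uploads. The sample users and upload list are constructed. It also shows why hashing does not anonymise a phone number: given a known area code and exchange, the remaining four digits are recovered by trying 10,000 candidates.

```python
"""Custom-audience style matching on hashed identifiers, plus hash inversion by enumeration.

Added example; not code from the article or from Facebook. The normalisation
and hashing scheme below is an assumption modelled on common match-key uploads.
"""
import hashlib
import re


def normalize_email(addr: str) -> str:
    """Assumed rule: trim whitespace and lower-case the whole address."""
    return addr.strip().lower()


def normalize_phone(number: str, default_country: str = "1") -> str:
    """Assumed rule: digits only, with a country code and no leading zeros or '+'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:          # bare NANP number, e.g. 4155550199
        digits = default_country + digits
    return digits.lstrip("0")


def match_key(value: str) -> str:
    """Unsalted SHA-256 hex digest of a normalised identifier (the match key)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_audience(identifiers):
    """Turn an advertiser's raw upload into the set of match keys the platform receives."""
    keys = set()
    for ident in identifiers:
        norm = normalize_email(ident) if "@" in ident else normalize_phone(ident)
        keys.add(match_key(norm))
    return keys


def match_users(users, audience_keys):
    """Return ids of users any of whose identifiers hashes to an uploaded key.

    Every phone number on the profile is a candidate, so a number supplied only
    for 2FA matches exactly like one the user entered as contact information.
    """
    hits = []
    for user in users:
        candidates = [normalize_email(user["email"])]
        candidates += [normalize_phone(p) for p in user["phones"]]
        if any(match_key(c) in audience_keys for c in candidates):
            hits.append(user["id"])
    return hits


def recover_phone(target_hash: str, known_prefix: str, digits_missing: int = 4):
    """Invert an unsalted hash of a phone number by enumerating the unknown trailing digits.

    With country code, area code and exchange known (a realistic situation for a
    data broker), only 10**digits_missing candidates remain.
    """
    for n in range(10 ** digits_missing):
        candidate = known_prefix + str(n).zfill(digits_missing)
        if match_key(candidate) == target_hash:
            return candidate
    return None


# Constructed sample data: three platform users and one advertiser upload.
USERS = [
    {"id": "u1", "email": "Anna@Example.com", "phones": ["+1 (415) 555-0123"]},
    {"id": "u2", "email": "ben@example.com", "phones": ["+44 20 7946 0958"]},
    {"id": "u3", "email": "carol@example.com", "phones": ["4155550199"]},
]
UPLOAD = ["anna@example.com", "415-555-0199", "nobody@example.net"]


if __name__ == "__main__":
    keys = build_audience(UPLOAD)
    print("matched users:", match_users(USERS, keys))
    leaked = match_key(normalize_phone("+1 (415) 555-0123"))
    print("recovered number:", recover_phone(leaked, "1415555"))
```

A list of one entry matches exactly one account, which is the mechanism the earlier question about minimum list sizes is asking about; whatever lower bound applies is policy enforced by the platform, not a property of the matching itself. The `recover_phone` call is the practical answer to "but the numbers are hashed": an unsalted hash over a small, structured input space is a lookup, not a secret.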
Actually this should be an act of "good faith" where you are adding a layer of security to your account and not about making even more harm to your account.
Phone numbers were not a secure 2FA anyway, and I've been using the TOTP alternative since it's been available... but I don't really see a problem with them using whatever to show "more relevant ads", if you don't want ads just use an ad blocker.
Who is still answering phone calls on their cell from numbers not in their contact book? If you call me and you're not in my phone, my phone just dumps you direct to voicemail.
Not excusing this behavior in the least, but robocalls in general are a solved problem for me.
* Be in the US, get your mobile number years and years ago and it has the area code of where you lived at the time.
* Move somewhere else, keep the mobile number.
* Now you get 4-5 robocalls per day spoofing numbers from "your" area code and calling at reasonable hours for that area... which are not reasonable hours where you now live.
And if you say "just turn on do not disturb", remember some folks have to be on call for their jobs, don't know in advance what numbers the pager alerts will come from, and so have to leave the phone open to ring from whoever calls. Which will be robocalls with "helpful" offers at 4AM.
What I would love to see in a future mobile operating system is the ability to say "block all calls from this area code unless they're in my contacts".
I realize it's not a great option for lots of people, but the optimal solution is to choose a phone number with an area code far away from where you will ever have any legitimate contacts, and block everything from that area code.
But more importantly, increased robocalls seriously means more life interruptions. Work nights? Sleeping while sick? That phone still rings, and there are many reasons to leave the sound on. Direct to voicemail simply doesn't really solve all the issues.
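The rule proposed above ("block all calls from this area code unless they're in my contacts") is simple enough to state precisely, and the constraints raised in the same exchange (contacts must always ring; on-call pages from unknown numbers in other area codes must still get through) shape it. The example below is an added one, not code from any phone OS or from the thread; the NANP normalisation, the contact list, the blocked area code and the sample call log are all constructed for illustration.

```python
"""Area-code call screening with a contacts allow-list. Added example, not from the thread.

Policy: a caller in the contact list always rings; an unknown caller from a
blocked (former) area code goes to voicemail; any other unknown caller rings,
so on-call pages from numbers you cannot predict still get through.
"""
import re


def normalize_nanp(number: str):
    """Return an 11-digit NANP number ('1' + area code + 7 digits), or None if it is not one."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        return None
    return digits


def area_code(number: str):
    norm = normalize_nanp(number)
    return norm[1:4] if norm else None


def screen_call(caller: str, contacts, blocked_area_codes, unknown_policy: str = "ring") -> str:
    """Decide 'ring' or 'voicemail' for one incoming call.

    contacts: numbers in any formatting; compared after normalisation.
    blocked_area_codes: area codes you no longer have legitimate ties to.
    unknown_policy: what to do when caller ID is withheld or not a NANP number.
    """
    known = {normalize_nanp(c) for c in contacts} - {None}
    norm = normalize_nanp(caller)
    if norm is None:                      # withheld / non-NANP caller ID
        return unknown_policy
    if norm in known:                     # contacts always ring, old area code or not
        return "ring"
    if norm[1:4] in blocked_area_codes:   # spoofed "neighbour" numbers from the area you left
        return "voicemail"
    return "ring"                         # unknown elsewhere: could be a pager/on-call alert


def screen_log(calls, contacts, blocked_area_codes, unknown_policy: str = "ring"):
    """Apply the policy to a list of caller IDs and return the per-caller decisions."""
    return [(c, screen_call(c, contacts, blocked_area_codes, unknown_policy)) for c in calls]


# Constructed data: owner moved away from area code 312 but kept the number.
CONTACTS = ["(312) 555-0100", "+1 312 555 0144", "415-555-0199"]
BLOCKED = {"312"}
CALL_LOG = ["312-555-0177", "(312) 555-0100", "650-555-0122", "Unknown", "+44 20 7946 0958"]


if __name__ == "__main__":
    for caller, decision in screen_log(CALL_LOG, CONTACTS, BLOCKED):
        print(f"{caller:>18} -> {decision}")
```

The weak spot, which the policy cannot fix, is that caller ID is attacker-controlled: a robocaller who guesses or learns one of your contacts' numbers rings through, and one who moves to a non-blocked area code rings too. Blocking by area code only raises the spoofer's cost slightly; it does not authenticate the caller.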
I was purging my life of all things Google (Facebook went first), so I was changing my email addresses under all my various accounts. An odd thing happened when I was changing my info for my Microsoft account: they texted me as a security precaution. The only problem is that I NEVER gave Microsoft my phone number. I do not have 2FA set up. In my contact details, there is a blank for my phone number. WTF Microsoft.
I think it's much worse when HTC places ads on your phone via bloatware apps that can't be uninstalled. That's absolutely vicious and hardly ever gets any press time. But, oh, Facebook makes a minor little slip up and they even FIX the problem and everyone loses their heads over it.