GDPR says hello. Even something as easy as Google's recaptcha is impossible to implement GDPR-compliant according to many German authorities, so I highly doubt that this kind of invasive tracking is in any way legal.
Why can't they just use something like a proof-of-work mechanism to combat spam?
I agree that this is gross, but I do want to add some subtlety to the discussion. Reddit is trying to combat a different kind of activity than traditional spray-n-pray “buy our pills” spam. It is a large and influential enough forum that corporate and nation-state actors try to manipulate the tone and content of conversation with both words and votes. None of that is necessarily a volume-based issue, which is what proof-of-work is effective against.
It’s not clear to me how fingerprinting helps... eventually to defeat such protections, a nation state could develop virtual machines or botnets to trick any script into seeing their posts as unique. The newest trick is to amplify posts written by third-parties, for extra authenticity. I can see how this kind of service protects against “normal” sorts of abuses, but nation states can build their own Amazon Turk and at that scale, it seems impossible that a service like this would be effective for long. Sadly the only long-term defence of this might be to start slowly closing down the open internet borders, to make it harder for other countries to mimic a country’s citizens online. Similarly, countries have an added incentive to do this to spy on local servers. It’s possible that one way or another, we’ll all be living under a Great Firewall whether it’s government or corporate controlled, or both. Nation states hiding behind anonymity might just kill some of our abilities to be completely anonymous, that seems to be the trend here...?
Yeah, I can see the internet being segregated in future. It's just better that way and more moderate able according to local laws/culture. Give it 10 years.
Reddit could require users associate a mobile number with their account and use an SMS to validate. Zelle (the payment network) performs fraud validation using your mobile number as a signal, for example (using a Google Voice, Twilio, or similar virtual number will cause onboarding to fail).
There are also now services that do this for you so you don't even have to buy the SIM card yourself. They add some new phone numbers every day and publish the numbers along with every SMS they receive on a public site with ads on it. The "higher end" ones give you your own personal throwaway phone number but then you have to pay the $5.
This means sites should immediately stop using this verification method because it obviously isn't going to stop adversaries with even trivial resources, and the security implications of encouraging vulnerable populations to use random sites like that is hugely bad.
SMS verification is also ridiculous to begin with because phone numbers get recycled quickly and users should neither lose their account just because their phone number changed nor have some stranger enabled to steal it.
This is a poor argument against a mechanism which clearly has both a cost and time component against an attacker. Of course you're not going to subvert attackers with enormous resources, but you will slow down most of them and it is cheap to implement (both upfront and for ongoing SMS costs).
It costs zero dollars and takes the same amount of time as the SMS verification would on a regular phone. If the sign-up site is continuously vigilant enough to find and prohibit every number on every one of these sites (not so cheap to implement) then there are sites that give you immediate access to a non-published number for $5. Even this is not "enormous resources" by any means.
But the even bigger implementation cost is that there are many people who don't have a personal cell phone number to receive SMS, and you're either disenfranchising them or pushing them to use sites like that which obviously allow anybody to see the verification codes sent to the phone number which is now associated with their account.
> A significant amount of online properties use SMS for 2FA and authentication
Using SMS for optional 2FA is a mediocre security practice but is mostly harmless (because people can opt out; though it still makes it possible to lose your account if you use it, your number changes and then the site requires you to authenticate with it).
Using it for mandatory 2FA has the problems discussed.
But I also want to point out that actual major sites exist that use SMS as the sole and mandatory authentication factor, and they are very powerfully incompetent.
This actually played out on the reddit-alike notabug.io (federated all js thing with proof of work anonymous voting). What happened was a couple users had the programming skill to write better than JS could ever be voting bots and then they controlled the "front page" and only looking at all posts by 'new' worked. This of course meant the anti-spam proof of work voting was not working and so useless.
It's the least worst system that allows for anonymous people to participate (no accounts required). Rather than stopping people the idea is to add just a little friction.
To say that, you're kinda assuming the objective though and then suggesting that it's a worthwhile one.
Like, this poor solution is probably the best thing on some dimension, I would just wonder if it's a dimension worth caring about.
The objective seems to be eliminating the requirement of registration at all. Why? Why would I care to enable people to upvote/downvote content that don't care to spend 1 second registering? I also don't think you can make a convincing case that the friction of registration makes or breaks any websites when almost all of the most popular websites require registration. Seems to be me users are willing to jump the hurdle by the millions if they care to engage.
It can't be a matter of privacy because the site could be logging your IP address in both cases.
It can't really be friction because you could make the most frictionless process possible. Maybe clicking upvote summons a tiny tooltip where you enter a username and password. EZBoard forums back in the day had that -- You would write your whole post and the submit button would assign you a random username that you could then customize.
I just see a forum that made the questionable decision to let you infinitely manipulate rankings without even trying to stop you, the actual impl of that (no registration, PoW puzzle, etc.) rather irrelevant.
Separate from GDPR, I'm wondering whether using security exploits (such as ones the article listed) will be considered violation of US law pertaining to unauthorized access of a computer system.
> It it allowed to embed captchas that prevent bots?
> Yes. The website operator has not only a vested interest in using captchas but is even obligated to do so as they have to guarantee website availability.
(I don't understand what this obligation is about - surely it's my own choice whether my website is up or down?)
> Is it allowed to embed Google captchas on the website?
> Website operators should strongly consider alternatives. If Google reCAPTCHA is used regardless, the responsible should be aware that they must be able to prove that this use is lawful according to [data privacy law]. When unable to explain how Google uses user data, the user cannot be informed transparently and the lawful use cannot be established.
> (I don't understand what this obligation is about - surely it's my own choice whether my website is up or down?)
They are likely either saying that the uptime of the service relies on the use of captchas (i.e. it's a technical obligation), or it is implying that the majority of sites are commercially operated, wherein the operator has a financial/legal/contractual obligation that they deliver a working product.
Why can't they just use something like a proof-of-work mechanism to combat spam?