Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Does Instagram suspend accounts just to get their phone numbers?
106 points by gurchik on Sept 6, 2023 | hide | past | favorite | 74 comments
I registered for an Instagram account today. Immediately after I signed in for the first time, I was suspended due to violating the Community Guidelines. I appealed, which they require a phone number to do so. After verifying my phone number, I was immediately redirected to an unsuspended page. "We reviewed your account and found that it does follow our Community Guidelines." It happened too fast for a human to have been involved. I've heard of this happening recently to other people as well[1].

Is this a required flow in order to siphon phone numbers from new accounts without making it "required" on the sign up page?

1: https://lapcatsoftware.com/articles/2023/8/4.html




I have never had an Instagram account but decided to make one while I was traveling. The second I finished signing up, I got a notification saying I violated community guidelines and the only way to get my account unbanned was to share my phone number. I uninstalled the app immediately.


I was required to upload a selfie of myself with my genuine name and username scribbled on a piece of paper. I quickly closed the page and never tried again.


Same for me for any Meta product, except (as I recently found out), Oculus. For some reason that was fine not asking for my number.


The only reason why I don't have an Oculus is because meta built it. It actually required you to sign in to your facebook account in the past. They don't any more, but Zuckerberg could change his mind about that at any time.


When Meta tried to force users to sign into facebook for their quest everyone hated it so they backtracked to allowing standalone oculus accounts.

It's no secret Instragram has an issue with bots. Meta probably wishes their VR platform had the same problem haha.


I think that's because its a hardware product.

They want you on their games marketplace, and they don't want you to return the product/make a consumer complaint. Plus there aren't any bots to worry about when the cost of entry is a few hundred $.


They don't care about what policy you violate. They want to force you to give away PII (Personally Identifiable Information) to put in their databases in exchange for access to a "free" account. Which is more important to you, your privacy or access to a glorified photo gallery app with commenting? I choose my privacy.


I have no problem with giving my phone number in exchange for a free service. If that changes in the future, there are a lot of self hosted Fediverse options. I just don't understand the charade of suspending a user and needing to go through an "appeal" process which automatically approves you. Just ask for the phone number during registration. I can't help but wonder if this is a plausible deniability thing where they can tell EU regulators they only collect phone numbers when they suspect fraud, and leave out that they've engineered their systems to suspect fraud by default for all new accounts.


If they were honest, more people would opt out of the deal. The waste your time signing up for an account so that there's a loss incurred by abandoning it. Then accusation is a lie that probably helps shame some percentage of people into complying or makes them afraid they've accidentally committed a crime or maybe their new account has been hacked and will be used nefariously if they don't comply.

Meta even uses this to extort driver's license scans out of long existing accounts. Twitter and Microsoft both use this altered the deal scam to get phone numbers as well for new accounts. Meta and Twitter have both been fined for using 2FA numbers for tracking in the past. They want that PII and they don't have a problem with outright lying and misusing data to get at it.


There's probably some super narrow footprint of IPs, names, email registrars etc that doesn't flag a fraud check. But I doubt it's a big one.


> I just don't understand the charade

because it is that cold-blooded; it is not an agreement between equals. hint- you have no options but what they provide, can be changed at their whim basically


> you have no options but what they provide, can be changed at their whim basically

Are you telling me the service I've decided to sign up to defines the rules of that service?


It doesn't seem to be that people are complaining about the service defining the rules, merely that the service is dishonest about what they want in exchange for your use of the "free" service.

It does seem very bait and switch.


you are one person, and one person counts for nothing.. it is a Great Game and the participants are projecting power via an app, to "clients" in the millions. Your data is aggregated. Faux-control about "signing up" is a scrap from their table.


> glorified photo gallery app with commenting

This condescending, dismissive attitude is why people tune out privacy advocates.


This happened recently to me, too. It was a jarring experience to sign up for a service and then have that service immediately suspend me. It's like the opposite of that trend where the service would display balloons and stuff upon successful sign-up.


I have had a similar experience on DoorDash. As soon as I tried to place my first order, I got suspended. Despite many calls with their support people and seemingly getting unsuspended, trying to place an order seemed to always get my account suspended.


While I'd love to attribute this to data harvesting and don't love Meta as a company, as someone who has tried to scrape Instagram in the past (to get recent images users have posted for specific restaurants), I believe this is a reasonable measure to increase the cost of new spam accounts.

The cost of an email is virtually 0. The cost of a unique phone number that can receive text-messages is non-zero. This was a pain in the butt for me, as you often have to get a real phone number (they reject VoIP ones) and that takes more work to get working.

Bots and scraping is a huge issue for Instagram. Instagram really dislikes the fact that you can buy a lot of likes for very cheap, so I kinda understand why they do this.


> I believe this is a reasonable measure to increase the cost of new spam accounts.

You seem to be overlooking the bald-faced lie told by Meta/IG that someone's new account is violating "Community Guidelines" before they can even use it.

Moreover, it makes no sense that a phone number would be a "get out of jail free" card for violating Community Guidelines.


> You seem to be overlooking the bald-faced lie told by Meta/IG that someone's new account is violating "Community Guidelines" before they can even use it.

I don't know about OP, but the the article they linked had a screenshot showing that the Community Guidelines they'd violated were around "account integrity". Looking at those[1], it seems plausible that OP and the article's author used something during account creation that triggered an integrity system, similar to what the parent was describing. Maybe they used a proxy/VPN, or something else that caused the robots to think that they were "Creat(ing) an account by scripted or other inauthentic means."

I don't think that big tech deserves a free pass on much, but to think they they're suspending accounts just to harvest phone numbers seems like it would be something they'd likely get into deep shit over: stock price drop, huge fines, CEO in front of Congress-type of thing. I doubt it would be worth it to them.

1. https://transparency.fb.com/policies/community-standards/acc...


> the article they linked had a screenshot showing that the Community Guidelines they'd violated were around "account integrity". Looking at those[1], it seems plausible that OP and the article's author used something during account creation that triggered an integrity system, similar to what the parent was describing. Maybe they used a proxy/VPN, or something else that caused the robots to think that they were "Creat(ing) an account by scripted or other inauthentic means."

Compare my HN username to the domain name of the linked article. I am the author.

I did not use a proxy or VPN.

> to think they they're suspending accounts just to harvest phone numbers seems like it would be something they'd likely get into deep shit over: stock price drop, huge fines, CEO in front of Congress-type of thing. I doubt it would be worth it to them.

Apparently it was worth it to them:

https://techcrunch.com/2019/10/08/twitter-admits-it-used-two...

This is not a conspiracy theory, it's something that has actually happened.


For what it's worth, I got the same "account integrity" explanation. Until proven otherwise I'm assuming that's the same canned response they always give. I did not use a proxy or a VPN, and I did not use an anonymous email address like a protonmail account or something similar.


My experience as well. I can think of 2 reasons: 1. Phone number can be matched with off-market data sale of transactions 2. Emails have filters to auto-delete marketing emails, text messages still do not have a parallel.


3. They’re obviously trying to reduce bots.


I disagree. They can use a captcha at account creation to stop bots. They want to make money by tying together your activities with grey-market financial data and then show advertisers on how accurate their ad-targeting is.


I presume any large tech company will ask for my number, at least, at some stage. This is why I have a number on standby in-case that happens, and this is not my main phone number. I have a separate number for Big Tech™, and another private one for giving out to friends & family that I don't attach to any online service.


Then those friends and family will use the Upload Contacts feature of their: FB, Tiktok, snapchat, messenger, whatsapp, instagram.

And suddenly you're in the system.


This is why there needs to be a privacy.com for phone numbers. (A single secondary number doesn't work. One per service / one per person, and the ability to quickly invalidate or re-issue compromised numbers, is necessary to truly make reselling useless.)


There are online services that get you a single use phone number for a couple cents (depending on the service – Instagram is 30–50 cents for example). I use SMS-REG but I'm not happy with it lately (many times SMS just doesn't go through; and credit refilling is tedious).

Won't help with friends uploading your number to WhatsApp though.


I very explicitly stated "a single secondary number doesn't work" so this is the exact sort of thing that is not a solution to this problem.

There are a million services that give you a single additional phone number, but AFAIK none that let you generate any number of completely anonymous virtual numbers that forward to your real number, like what privacy.com does. (I think there are a bunch that let you buy each additional phone number and have them each contain their own inbox and everything, but none of them really act as just free relay services like what privacy.com does.)

privacy.com also locks each number to a single merchant, allows me to instantly revoke numbers that have been compromised or that are no longer going to be used, allows me to get credit for fraudulent purchases without having to file a real chargeback (I do realize this doesn't really have a phone-number equivalent, but you get the idea), etc. absolutely invaluable protection layer.


Yeah, this is not a single additional number though – they give you a new random number for like 5 minutes which is enough to set up the account but obviously not enough to use it afterwards. I guess they do it so that they can allow reusing the number with other services.

Why there's no service generating multiple permanent virtual numbers is a mystery to me, too. They don't seem much more scarce than credit card numbers. On the other hand, only Privacy.com seems to allow issuing that many cards (in contrast, Revolut only allows you to have 5 permanent cards + 1 single use card – this seems to be the usual limit in other banks as well), so they might know some kind of a secret sauce.


privacy.com does have a secret sauce - a direct partnership with Visa that allows them to register cards that don't show up as "pre-paid". As far as I know, nobody else has this. I don't remember what they used before - perhaps still Visa, just pre-paid.

I don't think there is any major residential phone provider that would offer that sort of partnership to the point where you could trick services like OpenAI into thinking that the number is that of a real person. Aaand spinning up any new phone provider for this purpose is like registering a brand new super-blockable ASN for a VPN's IP addresses.

FWIW, Telnyx allows you to keep phone numbers indefinitely, and receive/forward SMS messages and phone calls. But they do not offer an integration out of the box - you'd have to code that up yourself using their APIs. And each phone number you allocate has to be paid for individually. And also, Telnyx is super detactable and blockable, of course.


Slightly tangential but I'm wondering how hard would it be to build a “bring your own eSIM” kind of service that you can register an external SIM profile QR code with and it would host it with a SIP interface for voice + some kind of API for SMS, and allow you to switch active line between different SIM profiles on the go. (Charge something like 10 ¢/mo per profile stored, and $5/mo per active line?)


I typically use 5sim(no affiliation) for phone number verification, although the phone numbers don’t persist so 2fa and otp doesn’t work with it, which is required for some services like Hotstar.


I personally used Telnyx, which usually isn't detected as "VoIP" because they offer actual SIMs with these numbers, usually for IoT applications. Sometimes they are still detected though, which annoys me a lot because usually the services that bother to do that detection are the ones I least want to have my phone number (ex: OpenAI)

I've resorted to hawking sites like BugMeNot and using the trash/spam accounts there, which usually manage to have some phone number or have performed some sort of weird exploit to get into their system somehow. It's how I managed to play quite a bit with ChatGPT around the tail end of 2022 when it first came out, but these days the rate limits are so strict that I can't ever get a single message through any of the shared/trash accounts (which is probably their objective).


There simply aren’t enough phone numbers for that to be viable.


Honestly if companies started realizing this they might stop requiring them. A lot of people don't even have a phone number.

Though maybe they would move to something more invasive like ID or something... which may or may not be even rarer, but is definitely more personal.


> Honestly if companies started realizing this they might stop requiring them. A lot of people don't even have a phone number.

If you're too poor (or paranoid) to have a phone number, you aren't much value as a lead. The current system qualifies that (a) you're not a bot, (b) you have money to spend, and (c) you're in a specific metro area (and not Antarctica as you claim). Self-reported location, IP and phone number can all be spoofed, but 2/3 data points aligning is close enough.

There's no incentive to onboard unvetted accounts.


To clarify my point: there are enough phone numbers for all people to have a few. There are not enough phone numbers for the combinatorial explosion of every person-to-person pair having a unique phone number.


Maybe there should be. I personally would love to usher in a digital age where you can only call someone by a passkey unique to you, and it's normal/easy to generate these and transfer them over to people/services that need them.

But of course this still leaves the problem of people who don't even have a phone.


The POTS (plain old telephone system) is explicitly designed for discoverability. They used to physically throw a book that mapped numbers to names and addresses on your doorstep for free, and chained the same directory to every public telephone. Fighting against a fundamental design goal of a system is a fool’s errand. The features you are looking for can be easily accomplished over the internet, and they smell very similar to PGP and also feel pretty adjacent to Signal/WhatsApp with some variation. Heck if we’re limiting it to off the shelf consumer solutions, FaceTime with custom email domains matches the description if you squint hard enough.

The vast majority of people find what you are describing to be completely impractical to the point of uselessness.


Well I would still like my bank to support something other than fucking SMS for two-factor authentication.


Which number do you use for online banking and similar? Sometimes it is hard for me to figure out where to draw the line. Then you have PayPal and CashApp and other things in more of an in-between area. And then you have certain services like iCloud where it might make more sense to use your Real Number for some of their features and exceptions to the rule have to be made


Curiously I don't want to shell money on a secondary phone number when I think or believe the other party shouldn't ask for it. I'd also have to maintain it battery and credit wise.

I know I should though if I want to use ig and others free of mind.


If you're in Europe, just get one of those pre-paid free SIM cards (you don't even have to top up nor activate the card using KYC). You simply have to text a number they give you and you will get an active phone no for 14 days.

I've used this countless times to activate google products and other such privacy invading services.


What happens down the road when google or whoever text a login code to that number you used ?

Just happened to me with apple after I moved countries and lost my old number


I'm not sure if you run later in trouble, if you don't have the number yourself but somebody else.


Why do they give you a number free for 14 days?


They just do, you pay a £2 for a sim card in some news agent, and get a number.


I've had the same experience with Twitter: immediately after I sign up a new account (e. g. for a project or something) it get blocked for “suspicious activity”, and I get a prompt to verify a phone number to unblock it.


The same thing happened when I signed up for Twitter a few years ago. I emailed Twitter support and explained that I didn’t want to give them my phone number for privacy reasons, and they unblocked me. Never had a problem with it again.

I think there was an actual person on the other end of the ticket, I don’t think the odds would be very good if someone tried it nowadays.


I signed into Instagram because one of the news sites referenced it. A few months later I signed on again to set up a business account, only to be informed I was "violating the Community Guidelines" and asking to send a text (so I gave a number intended for the business - only for the text to ask me to bend over, kiss the nether parts, and, oh yes, write a number on a piece of paper and take a selfie for them. So far, Zinc is asking for photos. So I wrote Meta's chief legal officer to ask for a justification for mining for personal identification information under fraudulent circumstances. No answer yet so it's time to go see if I can get triple damages for not responding to the demand letter. Ho Hum, we hardly knew ye.


Recent and related:

Threads.net Can Go to Hell - https://news.ycombinator.com/item?id=37254294 - Aug 2023 (60 comments)


That happened to me as well as I created a new account like 3 days ago.

I was quite shocked all i did was created a new account how did I ended up violating the community just by creating a new account


The benevolent interpretation is that they are doing it to fight scraping and fake followers. The prompt you get for suspected scraping or botting is along the lines of "complete an SMS 2FA challenge within 24 hours or be banned forever", but maybe the first step when you don't have a phone number connected looks like what you experienced.


Same experience. I like to give the benefit of doubt but I don’t think so in this case. Dark patterns like this will continue until it is codified into law ones right to have personal information deleted. Even then I assume it would be too late and you never truly have your data removed.


Twitter/Shitter has been doing this for ages. It's a common practice.


Facebook/Instagram seem to have higher standards for minimum required jockiness to be considered human, and that posed a bit of problem when they launched VR headset, but most social media today do that.


It's always surprising to see how willing people are to give up their phone number to use an app. It's not just Meta products. Telegram & ChatGPT too.

I'm afraid more services will go in this direction.


In my country phone numbers are public information so not really giving up much.


The problem is with linking the account/activity with your identity.

HN can only use less reliable identifiers (eg GeoIP) to link my account to other data. A phone number (potentially) connects me to more data about me.


This has been my experience as well. If I use proton mail, I always have to provide a phone number. This is a new norm, be it IG, Twitter, etc.


Same for tutanota and ig.


Tangential: I’ve recently tried to change my profile picture in Uber and it turned out I can’t - they’re asking me to schedule an appointment at their shop. Out of curiosity I checked - the closest one is exactly 84 kilometers from where I live. Nope, won’t happen. Things are crazy nowadays.


Yes. Twitter and Discord do this as well, it's basically an industry standard at this point.


The server owner decides this and if you have a somewhat big server you want it enabled. I guess you could blame Discord for not having better spam prevention and toxicity filters but it's not an easy problem and I presume they catch a lot we don't see.


> The server owner decides this and if you have a somewhat big server you want it enabled.

I am not talking about servers requiring phone numbers, I am talking about Discord blocking your account entirely for no reason until you give them a phone number. Maybe you haven't experienced it yet, but I have.


The only times Discord has asked for my phone number (and I have many alts) is when a server specifically says that only people who have added a phone number to their account can join. This is off by default.


Nowadays if you want to create a discord account you have to fork over a non voip phone number.


Hasn't happened to me, it's not linked to a real FB account either.


Same with Twitter. That's why I don't use it.


Yes.


This is a standard dark pattern user manipulation technique. It's a continuation of the trend where techbro-run companies make it LOOK like creating an account will be easy and take seconds. But every time you step forward, there is one more hoop to jump through.

It's a very common manipulation technique where if you are a baddy, you ask someone to do a small thing that is not something they would normally do. And then keep asking them to do incrementally larger and riskier things, eventually backed by some kind of threat.

Unfortunately this one is darker because it's even more actively evil. They are claiming to suspend your account, causing you to believe you are "in trouble", a very real fear for most people, while actually doing nothing of the sort. They just want your phone number and are literally bullying you for it. They could just say, "hey, we'll need your phone number if you want to create an account with us," but they would lose some percentage of sign-ups by being honest. Which is pretty much all you need to know about that business!

The world would be a lot better place if we taught our children (and people in general) about how all kinds of manipulation techniques can be used against them.


Similarly, does Google suspend payment accounts to get your driver's license photo?

Google knows FULL WELL that the card is valid through the month but locks any payment account associated with it a month prior.

I suspect there's a lot of this going on, though I mind the phone number less. Having dealt with fraud on the other side, requiring a phone number is one of the few (mostly) universal things and costly enough to acquire enough numbers that it really helps slow down spam and fraud.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: