As a security engineer, I cannot overstate just how horrible this is. Phone numbers might not be an ideal 2nd factor for authentication, but to punish users for setting up 2FA by using the provided phone number for ad targeting is incredibly unethical.
But, as someone who understands that not all people and companies use the same moral set as myself, this is why I've never set up 2fa using a phone.
Why should I give some company my phone number? Increasingly it's become a single point of metadata to uniquely describe myself (just as my email addresses have).
It's also something that people should have expected. I don't understand how people have not noticed that all of the major sites that generate revenue through user profiling and advertising have been pushing hard for users to either be obligated to register using their phone, or to set up two-factor authentication using their phone when it's not necessary for registration.
The reason I say it's something people should have expected is because if people were more critical of the things asked of them, then things like this would never get off the ground. Instead, because people do not seem inclined to naturally believe that corporations might have ulterior motives, such practice has become commonplace and on some sites even mandatory.
There has to be a reason Facebook reminds me 50 times (yes 50 times) a year to put my phone number in for security reasons. That’s extremely unethical tbh and then I can’t recall if this is true because I’ve stopped using Facebook but I’m 80% sure they then filled out my phone number and just wanted me to confirm it.
What's Facebook's boiling point? My guess is they'll respond, they'll no longer use 2FA #'s for ads, the damage will have been done, and 99% of the population won't know any of it occurred. We'll repeat this cycle when a fresh revelation occurs months from now, as Facebook continues to test how much they can leverage for more ad revenue.
But none of it is actually slowing FB down. Its biggest dip in value came from decelerating growth and spending to make FB more user-friendly, so there's a clear disconnect between shareholder incentives and those of the general populace.
On top of that, most people remain unaware that FB owns both WhatsApp and IG, and while the departures of their top brass have made waves in these circles, it's not a concern for most.
I don't see FB's dominance relenting any time soon, though I wish it would.
"Give me as much service as you can while keeping me as far off the grid as possible" is a skill that is sorely lacking in this market. I don't have this problem with weed dealers, but I have this problem with information dealers. Internet companies could seriously learn a thing or two from the black market on how you treat your customers.
Another personal observation. I have an Instagram account that I thought was fully incognito. I never connected it to any other social account, I used a separate email for authentication etc. Just days after the Instagram founders left Facebook I started receiving friend suggestions on my IG that were very very relevant. Those were people I knew in real life and mostly connected via Facebook but not only. I shouldn't be surprised as being connected to the Internet by itself is an end to your privacy but still, this was probably the spookiest invasion into my privacy so far. Bye-bye Instagram.
This happened to me after Facebook acquired Instagram.
I had my mobile no. in my Instagram profile. Instagram cross-referenced my mobile with my WhatsApp contact list (I haven't given Instagram access to my iPhone contacts).
I suddenly got suggestions to follow my colleagues on Insta. Colleagues with whom I interact only on WhatsApp.
Since then my trust level in Instagram, Facebook & WhatsApp has gone into negative.
When I was in another country on a business trip I bought a temporary local SIM, originally valid for two weeks but I've kept it active as I travel there often.
I used that foreign number to create my Instagram account and I've gotten the benefit of only being shown suggested accounts from locals from that country (zero people I know). Same goes for ads as well. Currently I keep it on roaming and actually use it to verify other online services that may stubbornly require SMS.
Might be worth a try for those of you looking to pseudo-opt-out of phone number tracking & recommendations on social media services that do this, if you can get your hands on one.
I had watched it many many years ago, and I suddenly remembered about it while at my friend's apartment (which is in the same building). Now I searched it up on my friend's computer which was logged into his Gmail account. We watched it and laughed. However, an hour later, I was on my iPhone at home when it appeared in my related videos.
Definitely location tracking of some sort. IP, location data from the browser (if allowed), and scraping photo metadata can all lead to them associating people.
The reason I never give fb my mobile is if you use a pseudonym account, it will suggest your profile as a friend to anyone who has your mobile in their phone contact list (eg ex-partners, stalkers, employers, drug dealers). Found that one out the hard way.
I know Zuck wants me to preemptively upload my nudes, but still.
This is basically how FBI Director Comey's secret Instagram account (and thus Twitter account) was unmasked. But it was even worse - you are suggested to 3rd party people who just follow the people who know you: https://gizmodo.com/this-is-almost-certainly-james-comey-s-t...
Lucky you already have your account. These days you can sign up for one without a phone number, but then you flat-out can't sign in without giving one.
recently interviewed at Facebook (didn't pass the in-person) and one thing I was looking for was a job that WASN'T based on ads. I didn't want to come across negative so I was circumspect in my asking ("Tell me about the positions at Facebook that I as an outsider don't know about - I know ads, messaging, and events"). I wasn't really excited by the answers I got - ads seemed worked into everything they brought up, but the answers weren't super-nefarious either. This was the Seattle office, which apparently has a strong ads-basis. Because they hire people and then (allegedly) let them pick from available team openings (after a "bootcamp" to do onboarding), I simultaneously felt like I'd have a chance to avoid the worst but also couldn't be sure of what I was committing to.
I didn't pass the interview and the few weeks since have tried very hard to make me not regret that by raising issues like this one, despite my natural tendency to give FB the benefit of the doubt and to recognize the difficulty of moderating speech sanely.
I've never had such uncertainty about what a job would involve before - the "you find your match" sounded good initially, but in retrospect I'm wondering if I dodged a bullet - so hard to know.
I find it interesting that you would absolve yourself for working for Facebook just because you wouldn't be working directly on ads. Facebook is an ad company with services attached (a fairly reprehensible one in my opinion). If you work for them, you are helping them achieve their goals, which ultimately is about serving people ads, it doesn't matter what particular role you are doing there.
> They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks.
I have always been suspicious of the aggressive "give us your phone number to secure your account" campaigns that so many sites/apps are running. And I think this is a HUGE disservice to users.
At first I was like, cool, companies are being responsible and encouraging good security practices, good on them. But there was something a touch too.. aggressive and "marketing-y" about it. It raised my spidey sense. Maybe the form and frequency and placement of them just was too familiar to previous campaigns to grab your email for "opt in" spam.
All of these companies should be shamed to high hell. Getting people to adopt 2FA is so important and here they are shamelessly exploiting it to market to you for undisclosed purposes.. well, buried in the privacy policy, but you know how that goes. The prompt is 100% about securing your account and nothing mentioned there about using it for targeting.
Seriously F these companies for breaking user trust.
I am becoming anxious to see some action out of the DOJ Anti-Trust division against Google, Facebook, and Amazon, etc. These tech behemoths effectively own most of the consumer internet and they use their muscle to either acquire or force out the majority of other players. More regulation is not going to cut it (or else it would have already).
In America (and most places), law normally lags quite a bit behind the events of the day. Standard Oil destroyed markets unchecked for several decades in the 1800s. No individual or company could withstand their market power. Then the government divided it into dozens of vertically integrated companies, which allowed for a wave of new market entrants, better deals for consumers, and higher standards of living for more people.
We are obviously at that breaking point now with the tech behemoths and their sprawling, impregnable market power. It is time for antitrust action against Facebook and the gang.
I think we need proper privacy measures, since the misuse of data is not necessarily an "antitrust issue". For instance, would breaking up Facebook really mean that the newly formed constituents respected privacy? And would antitrust enforcement against Google or Facebook reduce privacy exploitation by smaller entities?
I'd argue that it would not -- 1,000 small Facebooks could still violate privacy. Creating privacy legislation is the only real way to achieve proper privacy guarantees.
I talked with the lead engineers from a company back in 2014, that shall remain nameless, that bought private profile data from Facebook, ran it through a bunch of algorithmic mumbo jumbo, and sold the aggregated data to marketing firms. They acted like this was really cool and awesome, much like the wide-eyed cultists. It was very creepy, and I backed away slowly even though this place was looking for more engineers.
This kind of thing has been going on forever, and I've told people this. 99% of people don't actually care, though.
You can personally decide not to use Facebook, which is good. But you can't convince everybody to do that. So if you or your family members do use Facebook, at least install an ad blocker for all of them.
Not for privacy, but to deny them revenue. I block Google ads on every single site I visit, period. I don't care if the advertising is non-obtrusive. If it's being run through Google, part of that revenue is going to fuel Google's tracking. I support creators directly instead. And if creators refuse to give me a way to support them, that's not an excuse to expect me to contribute to Google's bottom line.
Huge props to the people who are working on blocking trackers and protecting privacy. I'm very glad they exist, and I don't think their efforts are worthless. But, it is currently a losing battle to fight these companies on the privacy front, because the tracking model is so profitable that they will always be pushing more resources into it than we are. Collectively, the people fighting for privacy don't have enough resources to win.
But there's an easy, completely legal solution to that problem; the one thing companies haven't figured out how to get around is ad blocking. And a good ad blocker will block even native ads. For a company like Facebook, all of this boils down to getting you to click on ads. If enough people target that chokepoint, then the advertisers will start pulling out of the system, and there'll be less financial incentive for these companies to undermine people's security and privacy.
And we have evidence that this works. Even Google, which is the powerhouse for getting their ads to actually show up, is starting to devote more resources into trying to figure out how to stop mainstream people from installing adblockers. That's where all the autoplay stuff came from, that's where the acceptable ads initiative came from. They desperately want your roommate to say, "I'm not going to mess around with these weird Chrome extensions or whatever, that's too complicated. Chrome blocks this stuff itself, anyway."
Install adblock on every browser you get access to, tell ordinary people who aren't on HN to use it, and let the advertising industry kill itself. Make it very obvious to companies that buying ads on Facebook is a complete waste of time because even non-technical users just won't see them.
You gave an idea for a weekend project. Posting here in case I change my mind and slack on something else.
Instead of deleting Facebook (or not having it), create a shell profile, just enough for your family to pointlessly add. Then subscribe the account with a service (aka The Idea) that simply posts a once-a-month post on how to install ad blockers and such.
As an FB Marketing API developer, this has been available for several years. The way it works, advertisers can send their phone list to FB for ad targeting. However, phone hashes are sent, not clear ones.
Personally, as long as the user has opt-out and opt-in options, I don’t think ad targeting is necessarily an unethical pattern; the blurring lines of ads and recommendations would be actually a pattern that users might like. Would you rather use Netflix or Spotify without a recommendation engine?
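The hashed-list matching described in the comment above, combined with the 2FA finding quoted elsewhere in this thread, shown as an added example that is not code from the thread or from Facebook. SHA-256 over digits-only numbers, the `purpose` field, the function names and every record are assumptions constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass


def normalize(phone: str, default_cc: str = "1") -> str:
    """Reduce a phone number to digits with a country code (assumed format)."""
    digits = re.sub(r"\D", "", phone)
    # Assumption: a bare 10-digit number is national and gets the default code.
    return default_cc + digits if len(digits) == 10 else digits


def hash_phone(phone: str) -> str:
    """Hash the normalized number; SHA-256 is an assumption of this example."""
    return hashlib.sha256(normalize(phone).encode()).hexdigest()


@dataclass(frozen=True)
class StoredNumber:
    user_id: str
    phone: str
    purpose: str  # hypothetical tag: "profile" or "security" (2FA, login alerts)


# Constructed platform-side records (fictional 555-01xx numbers).
PLATFORM_RECORDS = [
    StoredNumber("alice", "+1 202 555 0143", "profile"),
    StoredNumber("bob", "(202) 555-0178", "security"),   # given only for 2FA
    StoredNumber("carol", "202.555.0199", "security"),
]

# Constructed advertiser upload: only hashes leave the advertiser.
ADVERTISER_UPLOAD = [
    hash_phone(p) for p in ("2025550143", "+1-202-555-0178", "2025550100")
]


def match_audience(uploaded_hashes, records, allowed_purposes=None):
    """Return user ids whose stored number hashes to an uploaded value.

    The platform holds the clear numbers, so it can hash its own records and
    compare. With allowed_purposes set, numbers collected for any other
    purpose are never considered for matching.
    """
    uploaded = set(uploaded_hashes)
    matched = set()
    for rec in records:
        if allowed_purposes is not None and rec.purpose not in allowed_purposes:
            continue
        if hash_phone(rec.phone) in uploaded:
            matched.add(rec.user_id)
    return sorted(matched)


def naive_match():
    # No purpose check: bob's 2FA-only number becomes targetable.
    return match_audience(ADVERTISER_UPLOAD, PLATFORM_RECORDS)


def purpose_limited_match():
    # Purpose check: security-only numbers are excluded from ad matching.
    return match_audience(ADVERTISER_UPLOAD, PLATFORM_RECORDS, {"profile"})


if __name__ == "__main__":
    print("without purpose limit:", naive_match())
    print("with purpose limit:   ", purpose_limited_match())
```

Hashing keeps the advertiser's list from travelling in clear text, but it does nothing to stop the platform from matching against every number it holds; only the purpose check does that.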
All my personal details on Facebook are (and have always been) false. My phone number is the number of a hotel in Monte Carlo. When Facebook nagged me to give them my mobile number for 2fa I ignored them. My friends thought I was crazy. I know it's not exactly gracious of me but feeling very self righteous right about now.
The other really stupid thing, besides generally hurting the adoption of 2FA forever, is that they probably did it for hardly more than scraps, compared to their conventional ad targeting capabilities.
Maybe I am completely wrong about this, but I'm pretty convinced that almost all of the ad spending for that feature would have reached Facebook's coffers anyways had it not been available.
I only use Facebook like every month now but it always asks about my phone number. It also asks me to enable a log-in short-cut every time.
This last time, they crossed a line: they pre-filled the field (I do NOT have this set up in the browser), meaning they already figured out my number (probably by scrubbing some friend’s phone) and just want it confirmed. To hell with that. I would not be surprised if every spam call in existence can be traced to Facebook.
[+] [-] ummonk|7 years ago|reply
[+] [-] cmroanirgo|7 years ago|reply
[+] [-] qrbLPHiKpiux|7 years ago|reply
Exactis. Breach date: June 1, 2018. Compromised accounts: 131,577,763.
[+] [-] TangoTrotFox|7 years ago|reply
[+] [-] dymk|7 years ago|reply
[+] [-] samstave|7 years ago|reply
[+] [-] propman|7 years ago|reply
[+] [-] matz1|7 years ago|reply
[+] [-] kevin_b_er|7 years ago|reply
[+] [-] gammateam|7 years ago|reply
It is OBVIOUSLY for ad targeting, I think I mentioned it not even two weeks ago: https://news.ycombinator.com/item?id=18020177
[+] [-] adpirz|7 years ago|reply
[+] [-] anonytrary|7 years ago|reply
[+] [-] mojuba|7 years ago|reply
[+] [-] helloindia|7 years ago|reply
[+] [-] oedmarap|7 years ago|reply
[+] [-] finnjohnsen2|7 years ago|reply
[+] [-] rubatuga|7 years ago|reply
http://i.imgur.com/u31ZuWM.jpg
I refreshed and it was gone...
[+] [-] mooman219|7 years ago|reply
[+] [-] ezoe|7 years ago|reply
[+] [-] krn|7 years ago|reply
[+] [-] hnzix|7 years ago|reply
[+] [-] ageitgey|7 years ago|reply
[+] [-] lysp|7 years ago|reply
Depending on the owner's security settings, Facebook will often suggest the profile of the person in the type-aheaded search results.
[+] [-] black_puppydog|7 years ago|reply
[+] [-] denzil_correa|7 years ago|reply
Here's the issue with it. You might not give it but your friends would. Therefore, this strategy is pretty useless as network effects kick in.
[+] [-] rickdg|7 years ago|reply
[+] [-] ergothus|7 years ago|reply
[+] [-] mav3rick|7 years ago|reply
[+] [-] sweezyjeezy|7 years ago|reply
[+] [-] abalone|7 years ago|reply
ALSO: Did Zuckerberg lie to Congress?[1]
[1] https://techcrunch.com/2018/04/11/facebook-shadow-profiles-h...
[+] [-] kevmo|7 years ago|reply
[+] [-] trendia|7 years ago|reply
[+] [-] a_imho|7 years ago|reply
[+] [-] ravenstine|7 years ago|reply
[+] [-] danShumway|7 years ago|reply
[+] [-] bla2|7 years ago|reply
Which means Facebook has a shadow profile of you even if you don't use it at all: http://theconversation.com/shadow-profiles-facebook-knows-ab...
[+] [-] gcb0|7 years ago|reply
[+] [-] boraturant|7 years ago|reply
[+] [-] Spearchucker|7 years ago|reply
[+] [-] FilterSweep|7 years ago|reply
Facebook app abuses your phone's internal Contacts API.
Effectively, you are linked and your main Facebook account is known to be a pseudonym already.
[+] [-] Loughla|7 years ago|reply
That seems like a lot of effort for no real payoff.
[+] [-] usrusr|7 years ago|reply
[+] [-] css|7 years ago|reply
That's one way to encourage people to use 2FA App, I guess.
[+] [-] pilif|7 years ago|reply
Yes. Yes. We did: https://www.theverge.com/2018/2/16/17022162/facebook-two-fac...
[+] [-] mellow-lake-day|7 years ago|reply
[deleted]
[+] [-] darthoctopus|7 years ago|reply
[+] [-] unquietcode|7 years ago|reply
[+] [-] makecheck|7 years ago|reply
[+] [-] dangrover|7 years ago|reply
[+] [-] magicalhippo|7 years ago|reply