
Facebook spamming users via their 2FA phone numbers - pinewurst
https://mashable.com/2018/02/14/facebook-spam-2fa
======
SamLevin88
Finally, somewhere I can appropriately vent about this.

About TWO years ago I was constantly annoyed by the 'secure your account: add
your phone number here' banner frequently displayed at the top of the page
upon loading FB, so I input my number to make it disappear for good. (Also,
they kept hiding the 'x' (close) icon in different spots, making the banner
difficult to dismiss.)

A few days later I got a text message containing a Facebook notification. I
was flabbergasted. What an EGREGIOUS misuse of personal information.
Completely under the guise of account security... Facebook had in reality
acquired another way to keep their brand under my nose.

Naturally I was livid so I spent the better portion of the day scrubbing
whatever sensitive information I could. Sure enough, the banner came back a
few days later. And here we are.

I realize that the proper solution is to terminate my account and never
attempt to log back in.... but I've had my account since 2006 and despite the
company's terrible practices, I'm really not interested in disconnecting for
good at this time.

~~~
saguro
That thing facebook does with demanding your phone number, that's my favorite
dark pattern. Apple does the same thing with iOS upgrades.

First you pose a seemingly innocent question, like 'would you like to give us
your phone number so we can keep your account secure?' or 'would you like to
upgrade to new iOS?'. Then you take away the NO option. You replace it with
'i'll decide later'. And by doing so, you make it not a choice for the user.
You make it a statistical guarantee that sooner or later, most users will cave
in and hit yes, even if by accident. iOS is an extreme example of this - when
you say you don't want to upgrade, you are immediately prompted with a pin
code request as if your device just locked itself, and your reflex is to punch
in the pin to unlock it again. But if you read what it says at the bottom,
it's asking for your pin to get permission to schedule the upgrade that you
just said no to.

Whoever the designers are who came up with this stuff, fuck them. This shit is
going to be in ethics textbooks in a decade or two. I hope someone from the
facebook UX team is reading this, I hope they know their day job is to make
the world a worse place.

~~~
Giroflex
When I first opened up the Netflix mobile app and it asked me if I wanted it
to show me notifications I thought "hey, that's nice, most apps just start
spamming me without asking". I clicked "No thanks" and went on my way.

It turns out, though, that it asks that _every_ single time I open the app.
It's really annoying and I'm about to allow them only to block them at the OS
level.

~~~
r00fus
This is one reason some folks prefer Apple. iOS had privacy options at the OS
level for years before Android got into the game (yes xPrivacy but not
everyone can root)

~~~
Tijdreiziger
If you buy a current Android phone, it will have privacy controls for 90%
(guesstimate) of apps in the Play Store.

~~~
teddyfrozevelt
You can allow/block permissions from any app, no matter what Android version
it targets. If the app targets a version below 6.0 (Marshmallow) then the app
won't ask at runtime and Android will warn you that blocking a permission for
that app may break it.

~~~
Tijdreiziger
Ah yes, I forgot about that.

------
reaperducer
Things like this are the reason that when a company starts spamming me, I
update my account with the company's own information.

I started when no matter how many times I tried to unsubscribe, Walgreens kept
using my phone number (which is supposed to be used to verify that the right
person is getting the prescription) to spam me flu shot notices, auto-refill
offers, and more. So now those robocalls go to Walgreens HQ.

Most companies list an email address and phone number for their PR departments
on their web sites, so these are what I use since they're not hidden and go to
real people.

I know this doesn't work for 2FA, but it's certainly satisfying in other
scenarios.

~~~
Faaak
I do the same with B2B email spam. Just give another spammer's info, so
company A spams company B, B spams C, etc.

I've got a small list with CEOs emails, numbers, etc.

Not legal, but I like it

~~~
JankySolutions
It's not legal? What part is illegal?

~~~
Faaak
When a website offers you a quote about water fountains/new printers/whatever,
I doubt it's legal to say that you're company X and that you'd be interested
in this particular quote.

~~~
JankySolutions
I'd be interested in seeing a specific law or case where that sort of thing
was illegal. Lying by itself isn't illegal (in the United States at least, I
dunno about elsewhere).

------
jzl
It's pretty clear from some simple googling that he ended up somehow
activating a feature called "Facebook Texts" (the key giveaway -- that
replying to the texts posted to his wall):

[https://www.facebook.com/help/130694300342171?helpref=faq_co...](https://www.facebook.com/help/130694300342171?helpref=faq_content)

I believe that he didn't set this up intentionally and it may very well be a
bug that caused him to be signed up, but as bad as Facebook is I'll eat my
shoe if they signed up every single person who gave a 2FA phone number to this
service.

Not to detract from the fact that Facebook's nagging is indeed a huge problem.

~~~
reaperducer
> I'll eat my shoe if they signed up every single person who gave a 2FA phone
> number to this service.

Facebook doesn't have to sign up every 2FA person. It can pick a few hundred
or thousand and see what happens. If engagement increases, then more 2FA
people are brought on board.

If this isn't widespread, it may not be the user's fault. It may just be the
camel's nose under the tent.

~~~
akvadrako
The evil of unrestrained A/B testing.

~~~
throwaway2048
I've heard engagement increases if you give the impression a family member is
going through a personal crisis, perhaps facebook ought to look into the
technique, seems excellent for the metrics.

------
davidbiehl
I found a similar thing with email notifications. If you regularly login to FB
and look at your feed they will leave you alone. Delete the app from your
phone or neglect logging in and you’ll start to get email notifications about
the silliest things. Of course they don’t contain much more than “so and so
shared a link” without any description of what was shared (trying to get you
to login and look.) Not quite as bad as 2FA number, but irritating
nonetheless.

~~~
tankenmate
I have blocked all of FB's allocated networks worldwide on my machine (via a
look up of allocated IP space and fed into iptables / ipset).[0] So FB doesn't
even get "phantom" traffic from me (indirect traffic from FB logos / js on
random websites). I only log into FB a few times a year and only via a
temporary VPS in another country and using an incognito browser tab.

So now FB has taken to emailing me complaining that they are missing me and
that I should log in.

:)

WAYNE: I don't own A gun let alone many guns that would necessitate an entire
rack. STACEY: You know Wayne if you're not careful you're gonna lose me.

[0]
[https://news.ycombinator.com/item?id=15222936](https://news.ycombinator.com/item?id=15222936)

EDIT: fixed link to go direct to the comment

~~~
kuschku
I know a few people that completely block every IP range owned by Google,
Amazon, or Facebook.

Most of that works fine, sometimes some shitty websites are on AWS or GCP or
load JS frameworks from their CDNs, but the worst is:

You can't connect from Android to their WiFi anymore.

Android pings a Google server, if it can't open a connection, it immediately
disconnects. In Android 8.1, there's no way around that anymore. You can try
every setting in the WiFi settings, and it won't change a thing.

~~~
tankenmate
Can the response be faked?

~~~
kuschku
Probably, considering that domain is HTTP only, but why is this even
necessary?

Sometimes I do want to connect to a local network without internet.

~~~
tankenmate
Oh I agree, it is a very one size fits all fallacy kind of mistake.

------
danbruc
_The social media behemoth has seen a decline in traffic in recent weeks along
with millions of users leaving its platform [...]_

Two years ago I said that Facebook will be dead by 2020 [1] and that line made
me check the current situation, we are right on track and linear extrapolation
still hits zero in mid 2020 [2]. As mentioned in the original thread, don't
get fooled by the normalized numbers, the search traffic for Facebook is
enormous and chances are good that any search term you consider popular will
be indistinguishable from the horizontal axis if you add it for comparison.
But »facebook« is already down from ten to four times »porn«. And yes, the
trend can and possibly is at least partly due to other factors, some are also
discussed in the original thread.

[1]
[https://news.ycombinator.com/item?id=11442935](https://news.ycombinator.com/item?id=11442935)

[2]
[https://trends.google.com/trends/explore?date=all&q=facebook](https://trends.google.com/trends/explore?date=all&q=facebook)

~~~
ryanwaggoner
Wishful thinking. Facebook may be struggling in 2020, but they certainly won’t
be dead. I’d wager they’ll still have more than a billion DAU.

Edit: do you have an explanation for why this graph has been cratering for
years while Facebook’s MAU and DAU have continued to climb?

Also, see Youtube’s search trend. Pretty sure it hasn’t been dying for years
now.

This just isn’t a good signal, sorry.

~~~
danbruc
My best guess is that the active user numbers are not representative. Once you
have a Facebook account, checking once a day if something interesting happened
or sending a few messages makes you an active user, I guess, but in my book
that does not mean you are really using Facebook.

I still visit Facebook almost every day, mostly to chat with friends, even
though my feed has mostly become an uninteresting desert years ago and I
rarely - less than once a month - post, comment or like something. So if I am
not an exception, then looking at the number of users posting or commenting on
any given day might vastly differ from the number of active users but I
admittedly don't know how exactly Facebook defines those.

And if you look at the search traffic for MySpace, Google+, or the German
StudiVZ and MeinVZ [1] it certainly tracked the rise and fall pretty exactly.
Finally the YouTube search traffic is essentially flat for me since 2012
besides a step at the beginning of 2016 due to changed data collection
methods.

[1] [https://i.imgur.com/SGci58n.png](https://i.imgur.com/SGci58n.png)

~~~
ryanwaggoner
Ah, I see. So in this case, “dead” means billions of people who login multiple
times per week and the accompanying tens of billions in ad revenue.

May we all have startups that suffer such a fate.

Seriously though, I’m not sure what your point even is. Facebook doesn’t care
about how often you login or why, as long as ad revenue keeps flowing. And
those numbers have grown like crazy over the period where you say their search
traffic (and thus their userbase) has been cratering. I just don’t see it.
Every meaningful metric for Facebook that you can find for the period in
question points to the search trend not being a reliable predictor.

Also, my point with YouTube is that their search trend has been flat or
declining since 2012, but YouTube as a platform has been anything but over
that time period.

Not a useful signal.

------
Panino
> Importantly, Lewis isn't the only person who claims this happened to him.
> One Facebook user says he accidentally told "friends and family to go [to]
> hell" when he "replied to the spam."

Wow. I deleted my FB acct. 8 or 9 years ago because it kept getting worse and
worse. It's just sad to read about it now.

From my POV, Facebook is like a TV series that had an incredible first few
episodes but quickly grew progressively and irreversibly worse, with a large
percentage of its users only hanging on now with grim determination.

~~~
Caveman_Coder
We've probably hit peak FB...or perhaps FB has jumped-the-shark using your TV
series comparison...either way, any news about the decline of FB is good in my
book.

~~~
tomc1985
Like most products it started as something pure and simple, but once all the
various business strategy dips got a chance to put their hands on it, it was
ruined.

Like so many things. It is so saddening that we nerds do this to ourselves,
allowing the wonderful things we build to be ruined by foolish idiots, time
and time again

------
modi15
I suspect Facebook is doing an even more sinister version of this in India. It
runs what is called a free mobile authentication service for startups called
Account kit. A lot of apps use it to authenticate mobile numbers because it's
free.

However, I suspect that Facebook's intentions behind this are not charitable at
all. With this service Facebook is able to get your phone number even if you
don't give it to it. As long as you have installed any app on your mobile phone
which uses Account kit to authenticate, Facebook will be able to get your
phone number and associate it with your Facebook account.

We talk about how Uber has lost the way, but somehow Facebook escapes all
criticism. I think facebook is so lost at this point that they might as well
shut the company down and go home.

------
creator_lol
Facebook Insider: That is nothing compared to how Facebook uses your phone
number on another person's contact list then aligns that with cookie activity
on your computer to get friend recommendations to other accounts that are
unrelated to your phone number. The use of your personal phone number
internally at Facebook is perverse.

~~~
perfectstorm
If you block Contacts access on your phone (iOS/Android) can Facebook still
access your contacts? Are you aware of any loopholes that let Facebook
access someone's contacts?

~~~
jobigoud
If some of your contacts have this enabled then they can rebuild the network.

There was a case not so long ago where unrelated patients of a psychiatrist
were suggested as friends to each other. The only possible link is that they
all had the psychiatrist in their contacts or vice-versa. The friending
suggestion by itself was an outing of private medical information.

~~~
DoubleGlazing
My wife is a private practice speech therapist. She goes to great lengths to
separate her personal social media from work social media. She has separate
work and personal accounts for Facebook, Google, WhatsApp etc. Still she gets
friend suggestions for her clients on her personal accounts. And it's not just
once or twice, usually her suggested friends list is almost the exact same as
her current client list.

It's creepy, and slightly disturbing to realise just how much effort they are
putting in to mapping out your life and acquaintances even when you try to
prevent it.

------
loorinm
This happened to me too. The value of being on facebook is an illusion. In
person relationships are vastly more rewarding, both emotionally and
financially.

~~~
endless1234
Is that really something people do - substitute in person relationships for
Facebook ones? "I could hang out with my SO today, but I guess I'll just go on
FB instead"

~~~
akvadrako
Many people do this habitually, though not so explicitly.

------
_Microft
Facebook has been asking me to add my mobile number to secure my account. It
even _prepopulated the input field_ with my mobile number that I never shared
with them! My best guess is that their app farmed it out of the phone address
book of one of my friends. Either way, they definitely overstepped the mark
here, in my opinion.

~~~
exhilaration
Do you use Whatsapp? Unless you opted out during the short window they offered
during the summer, Facebook got all your Whatsapp contacts and data, and that
of course includes your phone number:
[https://www.cnet.com/how-to/how-to-stop-whatsapp-from-sharin...](https://www.cnet.com/how-to/how-to-stop-whatsapp-from-sharing-your-information-with-facebook/)

~~~
netsharc
It'd be very easy for Facebook to cross-reference multiple address books (even
1 would be enough) and create "virtual profiles". E.g. if Alice is not part of
the Facebook/Whatsapp ecosystem but Bob, Charlie and Donna are, and they all
have Alice's phone number (unique identifier!) on their phone. If all 4 hang
out together a lot and Bob, Charlie and Donna upload a lot of pictures of all
of them, and they diligently tag people who have accounts, then Facebook can
probably figure out the 4th person (which face they've stored for their
recognition engine) is probably Alice.

And if Alice, like the poster, never gave Facebook her phone number, but Bob,
Charlie and Donna have it under "Alice Lastname", and they're all friends with
Alice Lastname on Facebook, Facebook can probably be certain to say "Store
your phone number, we think this is it.". Or to word that properly, "Confirm
your number, although we already know this is it."

------
dboreham
Slightly related peeve: if you enable 2FA on Facebook they will _never_ expire
any existing browser cookie or mobile app token. Thus whoever gets their hands
on your desktop or a device, even months into the future, will bypass 2FA.

~~~
gfosco
That's not true, you have the ability in settings to see all old sessions and
revoke device approvals. It's pretty easy to clear out your old machines.

~~~
mattmanser
If you remember and know where to look.

Google eventually asked if I wanted to remove a phone I'd stopped using 2
years ago the other day.

~~~
JustSomeNobody
Google's is pretty easy:

[https://myaccount.google.com/](https://myaccount.google.com/)

Under Device activity

~~~
dx034
Google also reminds me regularly to review app passwords. Facebook has never
asked me to review a list of apps that I allowed to authenticate with.

------
stratelogical
Unbelievable. When signing up for 2FA, FB never said what else it would be
used for. From a legal standpoint, aren’t companies supposed to say what
the phone number will be used for when asking for a phone number?

Somebody from FB - please tell us this is a bug.

~~~
Meph504
Well as far as legal protections go, nothing definitive, and they can always
argue their statements about enhancing user experience would cover this.

Check westlaw on it
[https://content.next.westlaw.com/6-502-0467?transitionType=D...](https://content.next.westlaw.com/6-502-0467?transitionType=Default&contextData=\(sc.Default\)&__lrTS=20171230152626026&firstPage=true&bhcp=1)

I think the real issue, is people think they are doing one thing, but doing
another.

Depending on the age of your account, you'll notice that the notifications for
SMS may be defaulted on; this didn't matter if you didn't have a phone number
associated with your account. When you add a phone number to your account, it's
not "solely" 2FA: you add the number to your account, and 2FA is enabled, just
like all the other default settings that apply to phone numbers.

Which is why when people are responding to the SMS it's posting on their wall:
it's because that's what their settings are set to do.

See the settings below where they can disable this.
[https://imgur.com/a/6pOHH](https://imgur.com/a/6pOHH)

It's another case of people screaming to the heavens about evil megacorp. when
in reality they can't be bothered to check their own settings.

~~~
Slansitartop
> It's another case of people screaming to the heavens about evil megacorp.
> when in reality they can't be bothered to check their own settings.

Facebook's settings are often opaque and unintuitive, and some of the stuff
around notifications qualifies as dark patterns. Also, as you mentioned,
Facebook has a history of using selfishly-chosen defaults which are often not
what a user would likely want or expect.

I'm not going to fault people for complaining about getting tricked into
settings they didn't want.

~~~
Meph504
I won't defend their practices in most cases, changing the news feed to recent
for example is far more work than it should be, and reverts randomly.

but this setting is Settings>Notifications it's not really buried.

I suppose I'm not upset at people who discovered the issue, but I am annoyed
at mashable.com for making it a spectacle when it shouldn't be, quoting "a
self-described technosociologist, professor at UNC" and their uninformed
statements.

------
duncan_bayne
I really hope this is a sign of the end times for Facebook. I genuinely
believe that the world will be better off without it, and its effect on
culture, mental health, work habits, and socialisation. _Especially_ for young
people.

~~~
darkstar999
We might be seeing the (slow) decline of Facebook, but in no way will we see
the decline of social media that causes those bad effects.

~~~
duncan_bayne
Unless there is a sufficient cultural backlash for social media _in general_
to become 'uncool'.

"Look at that loser. Spends all his time checking Instagram."

Is it Machiavellian to wonder how we could memetically inoculate children
against social media?

~~~
egypturnash
No. Not at all. We teach kids about a lot of dangers already. Some are real,
some are highly exaggerated. For-profit social media is a thing we’re starting
to realize may be a complicated, subtle danger. Maybe all social media. Maybe
just corporate-owned social media.

~~~
duncan_bayne
Yeah, that's what I meant :) I run my own Mattermost server for friends and
family.

------
tomc1985
Seriously, why do the rank-and-file of Facebook engineering allow this to
happen? Does anyone stand up to their employers anymore? Or does everyone just
drink the koolaid and ask no questions?

~~~
a-priori
These things are never spelled out in any plans. They're done piecemeal, by
separate teams, incrementally over long development cycles.

One team implements 2FA, and they add a way for users to enter their phone
numbers as a second factor. The engineers are fine with this because it's for
the users' benefit, so they can secure their account.

Another team implements the mobile notifications, which a user has to turn on
explicitly. The engineers there do this for the users' benefit, for those
users that want notifications by phone. They're opting in, after all.

Sometime in here, the fact that the phone numbers are being collected for 2FA
gets forgotten. This sets the stage for a third team, who is tasked with
improving engagement numbers. They see that lots of inactive users have phone
numbers associated with their accounts. Maybe they might be interested in
something their friends are doing? So they try an experiment where they send a
notification to these users, and a large percentage of them engage with it!
That must mean that the users were interested in the notification right? After
all, they opened the link or replied. So they roll it out to a wider audience,
and the engagement numbers go up. Awesome! Pats on the back all around.

To be clear, I have no idea about how this actually happened, or if this is
the right chronology, or anything else. It really doesn't matter, my point is
that this is how this sort of thing happens in large organizations. No one has
the whole picture, and in their own world view everyone thinks they're doing
something good for their users.

But if you put them all together, and sprinkle in a little willful ignorance,
you get Facebook spamming their users on their 2FA numbers.

~~~
brianpan
Occam's razor suggests otherwise.

~~~
a-priori
To me, Occam's razor says that a grand, company-wide initiative is unlikely,
and it's more likely a series of isolated projects that individually make
sense and that well-meaning engineers can work on in good conscience.

This is actually a scarier prospect: it means that a large organization can do
unethical things even when almost all individuals involved act ethically. This
makes it hard for an individual engineer to ensure that their own actions
don't contribute to unethical behaviour.

------
HankB99
FB (among other web sites) continually asks for my phone number. I continually
ignore their entreaties. I always suspected they could not resist the
temptation to use it like this. I really expected them to sell it to
telemarketers.

~~~
eterm
Not only asks but I've had it display what it thinks is my number and asked,
"is this your number?".

I've consistently denied telling it my phone number. Of course it has it via
whatsapp now but I've repeatedly made clear I don't want it associated with my
facebook account. Reading this news I'm very glad I've put up with its demands
and not linked it just for 2fa.

~~~
D-Coder
Call the President. PHONE NUMBERS:

Comments: 202-456-1111.

Switchboard: 202-456-1414.

------
K0nserv
Reposting my comment from the other thread:

I’ve always been suspicious of services that use SMS as the primary 2FA
mechanism. TOTP is more secure and convenient, but it doesn’t allow the
service to collect an extra datapoint. Using a communication channel intended
for security as a method to boost falling engagement is as shady as it gets.

Matthew Green’s twitter thread[0] on this is an interesting read.

0:
[https://twitter.com/matthew_d_green/status/96376666146678784...](https://twitter.com/matthew_d_green/status/963766661466787840)
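
The point above about TOTP needing no phone number, as an added example that is not part of the original comment or any site's actual code: a minimal RFC 6238 server side whose enrolment record holds only a random shared secret. The account name, issuer and record layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length most authenticator apps expect


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // STEP, digits)


def enroll(account: str, issuer: str):
    """Create the server-side record and the otpauth:// URI shown as a QR code.

    The record layout is hypothetical. Note what it does not contain:
    no phone number, no e-mail address, nothing the service can message.
    """
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}"
    )
    record = {"account": account, "totp_secret": secret, "last_counter": -1}
    return record, uri


def verify(record: dict, submitted: str, now: float, window: int = 1) -> bool:
    """Accept a code from the current step or `window` steps either side.

    A counter that was already accepted is skipped, so a code observed
    once cannot be replayed inside its validity window.
    """
    current = int(now) // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= record["last_counter"]:
            continue
        expected = hotp(record["totp_secret"], counter)
        if hmac.compare_digest(expected, submitted):
            record["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    import time

    # Constructed sample values, not real accounts.
    rec, uri = enroll("alice@example.com", "ExampleSite")
    print("provisioning URI:", uri)
    code = totp(rec["totp_secret"], time.time())
    print("first use accepted:", verify(rec, code, time.time()))
    print("replay accepted:   ", verify(rec, code, time.time()))
```

The code is computed on the user's device from the shared secret and the clock, so the second factor works without the service holding any channel it could later reuse for notifications.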

------
wand3r
This is terrible and totally shit. FB had opt in by default spam notifications
when I provided my number and as I stopped using the service regularly spammed
my number. I turned off notifications and then the password reset link didn't
work via phone. Also, the random intentional "security" interruption to force
you to send a selfie to train their AI model.

------
wlesieutre
Not as egregious, but Twitter last week started spamming my email once a day
with a “HEY YOU SHOULD SIGN IN AND CHECK OUT YOUR NOTIFICATIONS” message.

After 5 days of that I finally bothered to look. The notifications were about
someone mentioning me in December.

[https://i.imgur.com/MaH7EcW.png](https://i.imgur.com/MaH7EcW.png)

How about not doing that?

~~~
ninkendo
The same thing happened to me a few weeks back when I got an email about my
“twitter birthday” and how I should post something.

I just deleted my account instead.

I had the same thing happen with Facebook texting me to post after I turned
all notifications off in settings, which was the final straw that got me to
delete my FB account too.

Now it’s a pattern I repeat everywhere: if your site emails me, I always will
click unsubscribe, and go through every possible setting you have to stop you.
If you email me again, I delete my account.

------
terlisimo
I just remembered that I got a "password reset" email from Facebook like a
month ago?

I didn't log in to my FB account since 2008 or so.

For a minute I was baffled and thought someone might be trying to hack my
defunct profile (but why?) and my instinctive reaction was to log in and reset
the password but gave up and forgot about it.

But now that people keep mentioning shady "come back, come back, to Mordor
we'll take you" tactics, this sure smells fishy.

Anyone else got an unsolicited PW reset email after not using FB for a long
time?

~~~
bprasanna
Yes, this follows the same strategy. All they want is to lure the user back.
Either message will say reset password, or trouble logging in.

------
jeffdavis
Network effects work both ways. Can cause a meteoric rise, or a dramatic
decline.

------
ceejayoz
If they're not processing STOP as an opt-out, they're in major violation of
the CTIA's rules on short codes.

~~~
kelnos
If you send a STOP, though, won't that cause you to stop getting 2FA codes as
well?

~~~
ceejayoz
I'm not sure if the rules carve out an exemption for that.

If they don't, polluting the 2FA short code with other types of messages is
doubly bad.

------
crawfordcomeaux
A platform created to addict people is now beginning to act like an addict
begging for a fix?

Can't wait to see what their rock-bottom looks like.

~~~
akvadrako
MySpace, Tumblr and Digg are probably good examples.

------
freyir
It’s a good thing they have Instagram and WhatsApp, because their flagship
property seems like it’s going down the tubes. Those acquisitions were in 2012
and 2014 though. Wondering what’s next.

------
joewee
Problem is Facebook is still using the original revenue model that has made it
rich, which requires engagement. Unfortunately they encourage engagement using
the techniques that initially made it grow, which the market is now tired of.
Facebook needs to diversify. Take a note from Amazon, Netflix.

~~~
cwkoss
Engage on every sponsored post... but engage with it in a way that the
advertisers will dislike.

ex. Health product -> "I heard this product causes cancer."

~~~
dang
I know you meant well, but please don't duplicate comments on HN. I'm sure
that's why they were flagged.

The idea behind this site is intellectual curiosity. That shrivels under
repetition.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
azifali
Someone added my phone numbers on 2FA and now I am able to login to their
account, without a password.

~~~
jobigoud
It's not really 2FA if you can login with just the one factor of the phone…
Maybe you unconsciously reset the password to your own at some point and it's
saved?

~~~
azifali
Agreed. But it's not even my account. I have similar things happening to me,
except those messages are linked to my Google Voice number with someone else's
account. One click and I am able to login. I had to block that number from
receiving Facebook updates.

------
zodPod
Seriously! It always drove me nuts that they sent emails when you didn't check
your facebook regularly too. I used to get so many damn emails. "This person
shared this." "This person liked this" etc and I didn't give a shit that's why
I didn't check Facebook in the first place. So why the hell would I want a
message about it? This is so much worse. I'm not checking facebook why the
hell would I want a text about it?

------
Feniks
GDPR is looking better every day isn't it? Honestly I wouldn't trust Facebook
with my cat's name.

------
deevolution
Just reading this may have just pushed me over the edge to delete my
account... except I need it to use Tinder and Bumble. I already haven't signed
in for months and I feel great. I only use Messenger, but now I'm starting to
see annoying ads polluting my Messenger list.

~~~
dx034
You don't need to use your account. Not viewing ads hurts them enough and if
you don't login they can't count you as an active user. The overall number of
users is unimportant anyway and they won't delete your data, so no reason to
deactivate the account.

------
fortylove
As this stream of negative Facebook articles continues, I can't help but feel
duped about my experiences with it.

I've quit fb since new years, but I can't help but wonder if I was played the
whole time. I feel like they advertised fb as an altruistic platform, when in
reality, I was just a means to marketing dollars and they fed whatever
altruistic lines they wanted to keep me coming back.

Serious question: does fb purely exist as a company in order to sell our
information? Do developers at fb believe they're making the world a better
place? I'm not saying developers _need_ to make their career about making the
world a better place. I do, however, feel like that's the line fb was feeding
about their company culture.

~~~
thephyber
> I feel like they advertised fb as an altruistic platform

Zuck's "Facebook's mission is to give people the power to build community and
bring the world closer together" always felt like a stretch. If they were
altruistic, they would be a B corp or a non-profit, not a Delaware-based C
corp. Never forget that companies are run by Boards and that your data can be
reappropriated if the company is merged with another.

Hell, even Enron's mission statement was:

> We treat others as we would like to be treated ourselves....We do not
> tolerate abusive or disrespectful treatment. Ruthlessness, callousness and
> arrogance don't belong here[1]

> when in reality, I was just a means to marketing dollars and they fed
> whatever altruistic lines they wanted to keep me coming back.

Meh. It's marketing. You typically don't tell the most attractive person your
worst qualities when they first see you. You try to make a good impression by
highlighting your more attractive qualities and staying quiet about the
others.

The NSA doesn't tell you it's watching all of your internet activity and
correlating it to build profiles on you and your 6 billion fellow great apes.
The NSA's marketing is to try and make you forget that it's there, one of the
reasons it was dubbed "No Such Agency". When the CIA and the NSA do make their
rare public statement, they talk about themselves as the "intelligence
community".

BP doesn't advertise itself as a cost-cutting, Deepwater Horizon spilling,
exploding rig megacorp. They advertise themselves as the company that saved
the Gulf Coast from near permanent economic collapse.

VW doesn't advertise itself as a lying, massively polluting company that makes
more cars than any other. They advertise themselves as the "people's car" that
is small and cute and sleek. Oh, and they lied that one time, but they learned
from their mistakes and they are making amends.

[1] [http://www.nytimes.com/2002/01/19/opinion/enron-s-vision-and...](http://www.nytimes.com/2002/01/19/opinion/enron-s-vision-and-values-thing.html)

------
Sylos
What's the legal situation for this in the US?

Pretty sure this is illegal in most of the EU already, but the GDPR will
definitely prohibit it on the basis of the data clearly not being used for the
originally specified purpose.

~~~
kbart
I can't wait for GDPR to take effect and I won't be lazy to go through every
f*ckin option on my Windows PC, Android phone, Google account etc. and report
every bit that violates it. I see it as a revenge for all these years of dark
UI patterns.

------
vadimberman
OK, so my hunch was right.

It's not only Facebook, BTW. Whenever you provide those "additional details"
to "secure" your account, be sure there's a high probability they will be used
elsewhere.

In my case, I provided a personal email address to Azure as an alternative
email. That email address had an Azure account associated with it. Microsoft
merged the two accounts without me asking for it and (not very surprising) it
caused some issues displaying the subscriptions properly to the point that
their support asked me to create an empty subscription with a brand new email
address.

------
jmcgough
I experienced this a few months ago and it was the last straw for me - it
really feels like they're willing to do anything to drive engagement and ramp
up addiction. This was after I'd removed messenger and facebook from my phone
(having them really push hard for me to use messenger creeped me out; it's
obviously in order for them to track my location). I've crippled facebook via
chrome extensions to the point that it's only a place for me to check messages
and keep in touch with local groups/events, and I'm slowly moving off of it
entirely.

~~~
thisacctforreal
Consider trying [https://mbasic.facebook.com/](https://mbasic.facebook.com/)

It's a JavaScript-free version :)

Also works with the Tor hidden service
[https://mbasic.facebookcorewwwi.onion/](https://mbasic.facebookcorewwwi.onion/)

------
AhtiK
To break away from the newsfeed for good the most effective method is to just
start unfollowing everyone and everything who appears in your feed. After a
few days of satisfaction from clicking, the wall becomes 100% empty and stays
so.

Much more effective than deleting your account or exercising any other kind of
self-control. Good luck with having the determination to start following
everyone once again -- not going to happen.

~~~
0x00000000
It used to be if you get a notification you could go into settings and
"disable this type of notification". But they removed that screen and you
still get shit even with EVERYTHING disabled. I really hope they get what's
coming to them soon

------
skc
Ahh, I got a friendly SMS "reminder" to log back into Facebook when I got a
new phone.

Haven't logged back into Facebook since I got the new device, primarily
because I don't use Facebook all that often.

But despite the outrage here, I can see the vast majority of Facebook users
finding this sort of thing useful. I know it seems counter-intuitive but there
are A LOT of people that use and like Facebook.

------
codemusings
I think it's worth pointing out that all the screenshots I've seen so far are
from iMessage. I too have 2FA activated but never got spam like this via text
(I have an Android phone and no FB app installed, only Messenger). So I wonder
whether it's specific to an iMessage plugin or something similar?

EDIT: Apparently this is US specific.

------
ianamartin
No fucking way. A company whose revenue absolutely depends on user engagement
is coercing users into engaging with the platform.

I'm shocked. Shocked to hear about this. I can't possibly imagine how this
could've happened. It's time to rethink everything we know, rewrite C in rust,
and put the social back in media.

~~~
dx034
Misusing 2FA for "engagement" is indeed more than you should expect from any
company. That looks very desperate and I haven't heard of other companies
using these tactics.

------
drpgq
Facebook becomes LinkedIn

~~~
simonswords82
I think you'll find LinkedIn is actually becoming Facebook.

------
visualword
Tangentially related, make sure to remove any phone numbers you no longer use.
I started receiving sms FB notifications for another person's account (I'm
guessing they switched numbers). The link in the message logged me directly
into their account. I reported it, but they said this was expected behavior.

------
roadbeats
The best decision I made in 2018 was to start a new year without Facebook. I
deleted my account _permanently_.

------
3pt14159
Just get multiple phone numbers. It's easy these days and totally worth it.
They're only $1 / month and being able to keep your real number separate from
all these BS sites is great. Plus, for 2FA social engineers aren't going to
get you just by working your network.

~~~
reaperducer
Why exactly should I spend my money because Facebook can't behave itself? I'm
not the problem; Facebook is.

------
riyakhanna1983
I removed my number from my Facebook account when I realized that FB was
linking my WhatsApp conversations to my FB account using my phone number and
displaying ads on my FB feed based on my WhatsApp conversations. What a
desperate move by FB! losers! lol

------
beedogs
A good way to avoid this is to stop using Facebook. I wish everyone would
abide by this.

------
JustSomeNobody
Between this and Onavo, I think FB need to check themselves. I only keep an FB
account so I can check in on people easily, but I'm borderline tempted to just
clear out of there and bring as many people as I can with me.

------
cmurf
I don't understand why they require your phone number to do 2FA, and prefer it
over any OTP app like Google Authenticator. It's 2018 Facebook.

~~~
a_imho
Maybe they like phone numbers. Nevertheless Google Authenticator's permissions
are in another league completely and one should probably be as suspicious of
Google as Facebook.

Version 5.00 can access:

Camera

    take pictures and videos

Other

    create accounts and set passwords
    full network access
    control Near Field Communication
    use accounts on the device
    control vibration

~~~
dx034
I guess it needs camera access to use QR codes? Maybe NFC falls in the same
category. Not sure about the others though.

------
SilasX
Using 2FA number for ads? Are they doing it in Europe too? (Where there are
harsh laws against using data for a purpose it wasn't collected for.)

------
baybal2
Has anybody believed their pledge "to never spam you and only use it for
ensuring your account security"?

~~~
dx034
I did because other companies respect that. This is the first time I hear 2FA
misused for marketing/engagement. I use my phone with Google, Dropbox and
others and never received unsolicited text messages.

------
Mc_Big_G
Delete your facebook/instagram/whatsapp/<facebook owned> account asap. The
sooner the better.

~~~
dx034
No reason to delete it. They won't delete your data anyway and they only count
active users. Just not logging in hurts them as much as deleting the account.

------
booleandilemma
How do I make it stop? They’re texting me updates about people I haven’t
spoken to in _years_.

------
shivamd
I still get this, such a pain. I thought it would go away. But 3 months later,
nope.

------
davesque
This happened to me a while back. So I disabled 2FA on Facebook.

------
chrisseldo
I find it dissuading to read an article when the actual article itself is
confined to <1/2 of the browser screen.

------
horsecaptin
Good time to remind everyone: If you are not the customer, then you are the
product!!

