Hacker News new | comments | show | ask | jobs | submit login
Facebook Lies (learmonth.me)
438 points by JoshTriplett 11 months ago | hide | past | web | favorite | 194 comments

I've tried (and failed) to delete my Facebook a couple times in the past, so this most recent go, when I quit using Facebook, I just quit using Facebook -- I uninstalled the apps from my phone, and mapped 'facebook.com' to localhost in my /etc/hosts files.

The result was... amusing. Facebook kept emailing me the "Hey, did you see what so and so posted?" emails, knowing full well that I didn't see them. But then, after that, I started getting weekly reminders that "You haven't updated your timeline in a week". Facebook, ever the clingy ex-girlfriend it is, seemed to start amping up the frequency of the emails the more I neglected them, so I started just marking them as spam.

Two blissful days went by in which Facebook wasn't a distraction, but then they shifted from email to SMS which, as an Android/Hangouts user, was even more annoying, since now I have to engage in multiple steps to delete.

They really, really want me to use their service.

This is such a weird thing to think. You can turn off all notifications and they'll never contact you, ever.

I stopped using Facebook 6 years ago and haven't gotten a single email / sms from them since then, because I used the settings properly.

Yeah, if you just ghost them and never click "update your email settings" at the bottom of every email they send, they'll keep sending them.

Anecdote incoming: I've turned off every notification setting possible on my Facebook account. The issue is that every time they add a new notification "feature" it seems like they flip all of them back on again. All as if to say, "Everybody wants a daily/weekly rollup of what happened on Facebook! Subscribe everybody by default!"

So I feel the GP's pain, I've taken to marking them as spam as well because I know that my settings aren't guaranteed to stay where they are. It's not even in Facebook's best interest to try and keep my notification settings where they are.

For a long time I intentionally configured Facebook to only send me notifications by email and only when someone added me or tagged me, since I almost never actually signed in to see those things.

At some point or another they decided to expand this to include re-engagement garbage like "{{Some person you haven't interacted with in 10 years}} {{ commented on their status || uploaded a photo || added a video}}!", so now I've turned off everything but security alerts.

My current frustration is how they won't let you get notifications about new messages by email. I don't want the app, I don't want to 'delete' my account since we know it doesn't really remove anything and I'd rather retain a semblance of control, but I also don't want to leave the occasional person hanging who tries to contact me via Facebook Messenger, since people can still message you even if you mark yourself 'offline'.

I know this is completely intentional and designed to get me to install the Messenger app and look at their ads, but damn if it doesn't grind my gears. If I could go back to 2005 I never would have made a Facebook account to begin with.

just FYI, I never see ads on Messenger app

I've had notifications disabled for at least a year and have never had this happen.

They're probably A/B testing it, and you're the control group.

Or resetting those settings to try to get back some high earning users. Ignoring those they don't profit from.

Or maybe observing country-specific laws and regulations

Same here. For at least 5 years.

The growth hacker mentality was cute when FB was a scrappy little startup. Now they're dominant, it's just creepy.

> cute when [...] was a scrappy little startup. Now they're dominant, it's just creepy.

Microsoft/Gates also had trouble with this. What is "business hardball" in a startup, can be illegal conduct in an almost-monopoly.

In a kitten, pouncing aggression is cute... in a liger, not so much. For the same behavior, you'd put it down.

Individuals can similarly fail to recognize transitions. "You can't do X." "But I've been doing X for years!" "Yes, but here you have relationship Y, so X is no longer ethical/legal."

In a liger. Indeed.

“Growth hacking” is always creepy.

It was always creepy.

> This is such a weird thing to think

It's weird to expect that deleting your account will result in the account being deleted and notifications for the account you no longer have to go away?

It's nice to know there's a workaround for when account deletion isn't respected, but you could skip the incredulity, you shouldn't have to go through your settings, and your settings shouldn't affect your notifications, if you delete your account.

> It's weird to expect that deleting your account will result in the account being deleted and notifications for the account you no longer have to go away?

But the person above just stopped using their account, didn't delete it (or disable it, which is what facebook sends you on the path towards), so that is why the notifications continued. They still had an active account, just hadn't logged in for some time.

Yes, but the person above only had an account to stop using because Facebook wouldn't delete it when asked, similar to the OP's post. Reasonable / normal expectation is that notifications should have stopped the first time.

Regardless of account deletion attempts, they knew they had an active account and didn't change any notification settings. They still expected Facebook to magically know to stop sending them notifications. That is weird.

Yes, you're right, this time they didn't try to delete. I read the comment, I understand what happened.

Why should @bmelton expect Facebook to respect the notification settings after he has evidence they didn't respect the account deletion request multiple times?

It's not weird nor is it magic to expect Facebook to stop the notifications. That's what pretty much all other web sites and services currently do. They may ping you several times, but eventually they will stop. I know because I run a service that does this, and I pay attention to what other services are doing, and I care about what is socially acceptable. Facebook, unlike other services, ramps up their notification schedule when you get quiet, rather than assuming that no contact and no response after multiple attempts means you don't want to use their service.

What Facebook is doing is what's weird here.

Elsewhere in this thread, @wpietri makes a compelling argument that were Facebook a person in your life, the increasing notifications would be considered very annoying and needy. This is the reason it's weird for a company to do the same thing.


You're just conflating issues here. Nobody disagrees that Facebook is behaving in a scummy way. People simply think it's weird to complain about an endless stream of FB messages when the solution is in plain sight.

> It's not weird nor is it magic to expect Facebook to stop the notifications. That's what pretty much all other web sites and services currently do.

No, it's not. This would be like if my post office stopped delivering my mail because I didn't call them up and tell them to keep delivering my mail.

The post office isn't a web site. Many web sites do stop delivering mail, I know because I've checked, and because I run one. The post office does stop delivering your mail if it's returned to sender multiple times. The post office will also respect your first cancellation request, and they don't send you letters or text you every day reminding you to use the post office more because they noticed you haven't sent a letter today. So I don't buy your analogy.

Alright, let's ignore the analogy, then.

What is the correct functionality for Facebook given this user's settings?

I do not agree that it should stop sending notifications. Let's say I _want_ to keep getting notifications via email without having to open Facebook every so often. I would have my settings match theirs and I would be quite annoyed if it just stopped working because I didn't log in.

You don't have to open Facebook, you just have to receive your notification, e.g., read their email. They know when their reminders to use Facebook are being avoided.

You might be lumping all notifications into the same bucket. There's a difference between a Facebook message that notifies you of someone else IMing or commenting on your photo, and a Facebook message that reminds you to use Facebook or upsell you on services.

That difference has standard terminology in the web business sphere: transactional email vs marketing email. Generally speaking these things have a hard line between them, and are easy to define & separate. Marketing is sales, and transactional is private notifications about your account activity & private notifications from social contacts. Marketing is what other sites stop sending after too much inaction, and marketing is what Facebook is increasing in response to inaction. Transactional notifications don't stop, and they shouldn't stop. I suspect you're misunderstanding me and assuming I'm talking about all email, and not just marketing.

I really appreciate the explanation. That is actually super informative.

I agree that I misunderstood part of what you were saying. It also sounds like we both agree that the notifications ("transactional email", from the sounds of it) should be going through. I was only ever trying to make a statement about those types of emails. I agree that upping the marketing emails is pretty bad.

I think this line in particular is where I misunderstood:

> It's not weird nor is it magic to expect Facebook to stop the notifications.

In this case, I interpret "notifications" as "transactional emails".

"Regardless of account deletion attempts"? Seriously? First step of account deletion is, that Facebook deactivates the account, therefore, they should also know better to not send notifications. Why would they burden the user with notification settings, when the users wish/intent is clear enough? Spamming them with unwanted notifications is unethical behavior.

Yes, seriously. They made it pretty clear that _their account was still active_. That's why it's "regardless": it doesn't matter for the situation at hand.

> when the users wish/intent is clear

How is it clear? Their whole post is stating that all they did was not use the site for a bit.

Given that they have an active account and notification are set to notify, why would they ever assume you no longer want notifications? They could very well want all of those notifications (since they have them turned off), so not sending them would actually be the exact opposite of what it should do.

This would be like if my post office stopped delivering my mail because I didn't call them up and tell them to keep delivering my mail.

That's not what they expected. They didn't explain expectations. They didn't expect what happened though: FB notifications got more and more pushy over time. That's interesting to remark on regardless of whether or not you'd expect it.

You make a fair point that the OC didn't explicitly declare that they expected the emails to stop.

However, if that isn't the basis of their expectation, I don't really understand the rest of their post. Especially "knowing full well that I didn't see them" (how?) and proceeding to mark the emails as spam... instead of turning off the notifications...

The latter is why I believe they expected the notifications to stop.

Edit: as far as the notifications getting more frequent, that actually is pretty interesting, but not really relevant to the other points made.

> Especially "knowing full well that I didn't see them" (how?)

Are you not aware that Facebook is attempting to track emails and links for everyone? The mechanisms are numerous and varied, but putting "tracking pixels" in HTML emails is standard practice. If you ever ran a Mailchimp list, you'd know you get reports on who received your email, who opened and looked at them, who clicked any link in them, etc.

Facebook also track visits to any site on the web with Facebook integration, via cookies, which is a large number of popular sites. They know when you've seen their emails, if you're like "most people" and you use hotmail or gmail and not pine. You have to be pretty privacy & security adept to have a Facebook account and avoid getting tracked. 99% of people who use Facebook are not adept enough (or just don't care enough to fight it), and their emails & visits to Facebook and elsewhere are tracked.

I wonder if a strategy of coopting a group of friends to flag your messages that have some cryptic message everyone claims is inappropriate would trigger a full deletion like his obscene messages strategy.

Is it? "I'll leave them alone and they'll leave me alone" seems like a pretty normal thing to think.

Me, I think it's weird to think: "It's perfectly reasonable that if you once give somebody your email they will bother you until the end of time unless you jump through any arbitrary hoops they set up."

If every email they send has an unsubscribe link and you don't click it, you're kind of losing the reasonable grounds to expect them to stop emailing you.

I've done this before, just let myself keep getting emails and hoped they stopped. Then I just clicked all of the unsubscribe links they are legally required to put in every email, and I never got an email again.

You don't have to hope for what you want, you can act upon it.

I understand that's the culture we've established. If a company has your address, it is currently acceptable for them to send you infinite electronic marketing nonsense in an attempt to manipulate you into being a profitable resource for them.

My point is that it's not how it normally works with humans. If a person did this, it would be creepy and controlling. But when a group of people does it because it might make them money, it's ok to blame the person they're bothering.

I get your perspective and agree that it is, for the moment, the dominant one. I just disagree that it's weird to think otherwise.

I apologize if it seems like I'm making a moral judgement.

I don't think it's any more ideal to have to opt out of communications, I'm merely saying that expecting not to have to opt out is a misjudgement.

I'd rather more closely understand reality than hope it gives me exactly what I want. Facebook does not owe me anything.

well to be fair it is how it normally works with humans. If someone has your physical address they can send you as much junk as they want in the mail. It's not really different online.

Normal human interaction is not conducted mostly by post.

So snail mail isn't a good standard for email...what is a good standard?

A good standard is another question. We're discussing what standards are weird. I am saying that normal human interaction is not a weird standard. Neither is paper mail.

Although when bringing up paper mail, we should note there are many different standards. Are we talking the standards of 1792, when the USPS was created? Perhaps we use the 1879 mail classification act? The 1920s, when the Direct Mail Advertising Association was formed? How about around the time of the junk mail controversy of 1953? Or perhaps 1970, when Chief Justice Warren Berger wrote, "Everyman's mail today is made up overwhelmingly of material he did not seek from persons he does not know. And all too often it is matter he finds offensive."

The advice I got was to never click any links in spam email. I think the rationale was three part:

1) Clicking "unsubscribe" confirmed that you received the spam mail, so spammers would activate your email address on their other lists, thereby increasing the amount of spam you received. Otoh, acting like /dev/null increased the chance that spammers culled your address to increase their apparent delivery ratio.

2) Following those links gives the spammer access to your web browser, along with tracking cookies, and chances to exploit any plugin vulnerabilities.

3) Your chances of getting phished are way higher if you follow mail that looks like it's from ICQ than if you just go directly to icq.com and find their unsubscribe settings. (I didn't say I got that advice recently....)

That applies to spam from an unknown sender, not a bona fide company you have a relationship with. Messages from Facebook about your account are hardly unsolicited. I don't think it's useful to call every email you don't like "spam".

If the user didn't opt in to a notification, then by definition, it is unsolicited.

He probably has opted in without noticing. Quick show of hands: How reads all ToS that they agree to?

Whatever the fine-print legalities, if you didn't notice, I don't think it can count as opting in.

No disagreement from my side, but that's how the law generally [1] works.

[1] In Germany, there is a specific section of the public code governing ToS ("AGB-Gesetz", part of the BGB). Among other things, it forbids "unexpected" terms, acknowledging that people usually cannot read all the ToS that they have to agree to in practice. Quite a few ToS have been nullified by courts because of that rule.

> If every email they send has an unsubscribe link

On Facebook, the unsubscribe link is very fine-grained, and is specific to the exact type of notification the link appeared on. I don't think you can fault anyone for giving up on them if you use one but still get Facebook spam.

In fact, those unsubscribe links are the only fine-grained way to control notifications. You can't only preemptively subscribe to the specific notifications you want. The options you get are all, nothing, or dick around with dozens of unsubscribe links for weeks.

Facebook is all dark UI patterns. It's so bad to the point where I don't think any user can be faulted for not knowing how get it to do what they want.

> It's so bad to the point where I don't think any user can be faulted for not knowing how get it to do what they want.

I just don't buy this. I don't get emails. I didn't have to contact customer support. I didn't have to ask for help. I just clicked the link in the email and turned everything off.

> I just clicked the link in the email and turned everything off.

That's false; Facebook demonstrably does not work that way at present. If you're getting Facebook emails, the unsubscribe link is scoped only to the particular type of email notification it appeared on. You'll continue to get all the others until you click unsubscribe on each individually, or go into the settings and disable email notifications totally.

Again, they use dark and overly complicated UX patterns to make difficult for people to unsubscribe totally, and this is almost certainly intentional (but deniable). I think it's totally reasonable for someone just assume Facebook's whole unsubscribe system doesn't work, as it's not really reasonable to expect people to invest the time to learn Facebook's deliberately bad unsubscribe system.

Facebook "tricked" me into getting texts for 2fa, now texts me at weird times with crap like: your friends posted 84 updates since last week (why would I care).

I never asked FB to send me any texts other than for 2fa and this is pushy and unwelcome.

An earlier story:

"Facebook activated my dormant account and it won’t let me deactivate it"


The story there is an incredibly uncharitable reading of what actually happened. It appears as if the author's password was guessed and the account was reactivated. When he went to dispute this as account theft, they demanded ID to prove ownership.

That doesn't strike me as particularly unreasonable, rather projection of ill will onto Facebook. They have no way of knowing which person is actually the account owner, actual ID would definitively settle the matter.

If you think that is weird, consider what I have done. I manually went through 1100+ friends on facebook and unfollowed them all because facebook won't show me everything in the activity feed but rather tries to guess what I like best. My activity feed is now perfect because it is pretty much just me.

Funny thing, I used to use Facebook for messenger and a news feed. Then they switched to this whole thing about forcing friends posts to come up first. Unfortunately this means now I get news I'm not interested in (memes, my grandma's crazy internet news, conspiracy theories from that guy I went to high school but have had 0 interaction on facebook with, etc). I also unfollow people that post crazy stuff and I keep getting their content. I've been trying to find that feed that you have, but good lord does facebook not want me to have it.

Yep--that's certainly weirder.

Yup, in an attempt to avoid falling into Facebook's echo chamber I have created a news feed that is funnily enough just my posts. At least this means I don't have any incentive to look at my news feed anymore.

Just curious, if you want to go and never visit it, why don't you just delete your account? That way you'd not have to worry about retroactive hacks, and you aren't bound by Facebook TOS anymore.

they've reset my email settings twice I think

I deactivated first for about 6 months, didn't get any communication from them. Eventually I went to delete and used a link from deletefacebook.com taking me straight to the right page. Maybe it was because I was on mobile but there wasn't any emotional blackmail begging me to stay and it was done. I was expecting much worse but the experience was quite smooth for me and I'm happily free of Facebook for good now.

Psychological lesson in that:

The best advice I've ever read for the spouse who is on the receiving end of a divorce request/demand and wishes for reparation is to acquiesce quickly and approach the ordeal as a business transaction. You'll find story after story of anecdotes of that working to allow a couple to repair relations and figure out what was broken. Much better than being very emotional and otherwise reinforcing the reasons for the divorce request in the first place.

I think FB is being wise in taking this approach considering how difficult it is to find the real "delete" as opposed to "pause" button.

That's a lesson I've applied to many areas of business to very good outcomes -- customers wishing to terminate, etc.

> Eventually I went to delete and used a link from deletefacebook.com taking me straight to the right page.

Just out of curiosity, does anyone know whether by "deleting" your account, facebook removes your account/data completely or do they just mark your account deleted?

Is facebook required to remove your account from all data sources ( dbs, failover sites, recovery sites and even the backup tapes )?

I know certain sites, when you "delete" your account, it just updates a column marking your account "deleted" or "inactive".

But I'm most curious about the backup tapes of logs/data.

I don't know how certain we can really be, I had the same concerns myself, I could just keep my account disabled and stop feeding information to Facebook but still keep access to it myself if I ever needed it. Or I delete my account, Facebook maybe has access to that data but I do not, it was a thought process that delayed my action for a while.

This non-committal situation created some anxiety for me, it was a decision that still needed to be made in my mind so wouldn't go away.

Then Bryan Lunduke went through the process on his YouTube channel and he claims his contacts at Facebook were unable to find his data once it was deleted, so that was good enough to push me off the fence and I finally made the decision to delete.

I can never be absolutely certain but there's really not much more I can do besides use European privacy laws to try and force the issue, but that probably won't do much about the NSA backup. ;) But my mind is at rest now, I don't worry about it apart from doing my best to limit tracking online but that's another story.

Enjoy real life!! In the months I had no Facebook, life was amazing and I was more productive, though a bit lonely mainly because I live in a foreign country adn my family is thousands of miles away.

Both of my siblings live abroad but I stay in touch through messaging. Facebook always made me feel my relationships there were shallow, and many people I regularly interacted with never followed up off-site. For me this is a good thing. Pruning false relationships frees up time to invest properly in those relationships that really matter. Facebook gets in the way of social relationships, you can't see who really matters while you're distracted talking to people you'll probably never meet again. Quality > Quantity every time.

I don’t see why that isn’t expected. Next time try deactivate it instead of uninstall the app, then there is an option to opt out communication. In your account settings, you can also opt out. I have not received a single email from facebook since then (although I am back on it again).

I did not expect them to ramp up the amount of notification spam 100-fold as I engage with the service less.

I've no intention of logging back in to check my notification settings, but when I was using Facebook, I would get a push notification maybe once or twice every couple of days. Now, I get more than a dozen SMS messages a day.

I've built notification systems in the past, and in every instance, respecting the fact that abusing the notification power entrusted to us by our customers was seen as a cardinal sin. Maybe it's the absence of that respect that has catapulted Facebook to where it is, or the presence of it that's held me back in my own endeavors, I don't know, but man, as the recipient of all this spam, it really, really feels unsavory, and further evaporates whatever trust I might have had in the platform.

> I've built notification systems in the past, and in every instance, respecting the fact that abusing the notification power entrusted to us by our customers was seen as a cardinal sin.

The keyword in your sentence is customers. The people using Facebook aren't its customers, they're the product and thus open season for all kinds of nefarious things you'd never do to your customers.

Hmm that is odd. I get the phone notification because I had thst problem if I didn’t remove the app and if I haven’t been on facebook for more than a day.

I think the “user is idle let’s poke the user” is a supposedly a “nice” user engagement to get users back on the system. I hear your concern.

I think at this point:

* opt out notifications before deactivate your account (go to account settings)

* deactivate and opt-out notification at the time of deactivation

* set facebook email as spam or something (although you’d miss any potential real security notifications.)

Or you can also remove your phone number and change the account’s email address. I own a dozen gmail accounts, one for mailing list, one for billing, one for personal, one for school, one for important tech accounts like digital ocean/aws, one for banks, one for general garabge I don’t care and so on. I also run a YouTube channel with a friend so I also own a separate gmail account to be added as a manager of the channel.

Much neater than labels (amazon emails can fuck me up easily, ugh).

I highly recommend this multi-email account approach. I can ignore 50 emails sitting in other accounts most of the time. All of them have second auth and some accounts have different passwords for additional security. Not hard to manage because the address format is always <A>.<purpose>@gmail.com. Consistency!!

Sounds like you could benefit (to some extent except ignoring certain inboxes) from a custom email domain and enabling catch-all. I use this in order to segregate people(services mainly) sending me emails to different addresses that I don't have to manually create (but can easily block/disable an entire address)

The only major issue I've had, with gsuite at least, is not being able to reply from one of the not-actually-existent addresses on my domain.

Try Fastmail. If you want to reply you can setup a sending identity with the necessary email address. You don't have to do anything ahead of time.

I was going to, but looking at the benefit of having the rest of the Google applications and being free, I didn't.

Sweet, will check it out, I'm not particularly attached to gsuite

They also have a neat way of doing wildcard delivery if you use them for DNS: tag@name.domain.com gets translated to name+tag@domain.com.

This would definitely help with douchebag sites that consider "+" an invalid character

Why can't you just click 'unsubscribe' in the bottom of the email?

If they don't provide the unsubscribe option as a one-click option, mark their emails as spam. It's harsh, but getting flagged for spam when they won't stop spamming you or providing the required one-click opt-out is their problem, not yours.

It is fairly easy to configure Facebook notifications the way you want them to be (for example, I want to know when someone logs into my account, but nothing else). I post on my timeline less than once a month, and receive no notifications. Not to defend Facebook, but notifications are hardly its biggest annoyance.

My email preferences have everything disabled, double triple and quadruple checked to make sure, and I still occasionally get an email about one of my FB friends uploading a photo or some shit that is certainly (a) described by the settings as email I should not receive, and (b) not even what a notification should be. “A person with whom you’ve never interacted aside from accepting a friend request said something not about you on their own timeline.” ???

This is not true. They offer no fine-grained control besides dicking around with dozens of unsubscribe links over several weeks.

For instance, how do you easily configure Facebook to ONLY send you emails when you're invited to an event or someone sends you a Facebook message, but NOT when your friends post random stuff?

I have to agree on the no fine-grained control. My point was that it is easy to opt out of the notifications by email in general. I'm positive that there is an option where you receive a notification when someone send you a message, but I don't think it is possible to get event invitation notifications only.

It's so humorous. I never managed to activate my Facebook account (lucky me). Some "database error", or so it says. So I have never actually even logged in. But they do have an email address I used when I tried to create an account and it gets multiple emails per week with friend recommendations. They all get routed to my spam folder.

I set one up with my primary email address probably 10 years ago just to block someone else doing it. I keep their IP space blocked on my local network (but not my mail server - I try to be a good netizen). I have probably seen a facebook.com page three or four times since then - misclicks at work, etc. And never while 'logged in'[1].

I still get an endless stream of spam from them.

"Facebook - more AOL than AOL ever was."

[1] whatever that means, wrt them.

> (but not my mail server - I try to be a good netizen)

Blocking sources of spam is part of being a "good netizen".

Being reachable by other admins is what I was referring to[1]. I do aggressively block pure-spam hosts, of course, but I can't consider FB one of those.

[1] I find it exceedingly unlikely that FB mail admins would need to reach me to troubleshoot something, but it is the principle.

I removed everything from my account about 6 or so years ago, and instead of deleting it just stopped logging in completely. So far not a single E-mail from them. I'm afraid to log back in even if to simply delete the account, because I don't want to "tickle the tiger" and suddenly start being treated as a user...

Same for Twitter. I signed up once a long, long time ago, and maybe tweeted once and never logged in again. Occasionally I get E-mails from them about people (bots?) who "follow" me despite my inactivity. It's likely because my twitter handle is pretty short and an actual name, so probably some people get confused and follow the wrong person.

I get a monthly email from Facebook entitled "Help your friends recognize you".

I think my friends recognize me thank you very much Facebook, otherwise they're not, you know, my actual friends?

I got similar crap from them after two and a half weeks in Africa on holiday a year ago, because the internet so slow it wasn't worth checking Facebook.

Recently I have been busy with a new job, started meditating and reading my Kindle rather than a backlit screen. I use Facebook maybe 15% compared to a month ago. Life feels a bit better better as a result. Kind of like giving up smoking, or cutting down. It's just mental clutter.

I'm not sure why the emails are a big deal; they are pretty much trivial to filter out. Marking them as spam is probably not helpful in the bigger picture. I just let them accumulate in their own folder in gmail, they don't hurt anyone there.

They really, really want you to be their product.

I wrote this several years ago - it is still true:


You do not have a Facebook page. You never did. Facebook has a page on you.

> And besides, they take nothing that you don't give them.

This isn't true, at all. Facebook collects plenty of data that users and non-users don't directly give them.

You are correct, of course, although this was not so widespread at the time I wrote this piece (sometime in 2007 I think, despite what the byline claims.)

They've done it from the start.

Even 2007-era Facebook encouraged users to upload/sync their email contacts to "discover friends already using it".

I think it's important to make a couple of distinctions here.

1. Facebook collects on you when you interact with their systems

2. You can purposefully interact with facebook systems by requesting content from a Facebook registered IP (eg, FB.com, whatsapp, IG, Messenger, comment widget etc...)

3. You can passively interact with facebook systems by accessing a website that posts metadata/telemetry to a Facebook registered IP (eg. FB pixel etc...)

In either case you are requesting to access or interact with a facebook system, however in the latter you aren't aware of it unless you know to block it specifically.

So yes you do directly give it to them, but it's guilt by association. It's also not hidden at all, you can inspect the page and see the requests clearly [1].

I think the major issue is that 99% of people have no clue any of this is happening and just assume that they aren't under the spotlight of facebook because they aren't on facebook.com. However it's not just facebook, it's thousands of internet companies not to mention all of the ISPs and State Actors. So Facebook isn't really the issue, the issue is that people don't know or care about how their data flows around the world.


My account is deactivated now, but once upon a time I was an active FB user. I did not tell Facebook my birthday. However, friends who knew me would still post Happy Birthday messages on my birthday, and FB would auto-populate my birthday as a result. So I would go in every year and delete my birthday again.

Then they stopped allowing me to clear it out. Since people--without prompting--had wished me a happy birthday, FB was sure it was my birthday, and that was that. I could leave the year blank, but the month and day were literally unmodifiable.

That's when I started clearing all the personal data out of FB I could. No likes, no group memberships, nobody allowed to "check me in," and so on. They were collecting data on me I had no provided, against my expressed will.

I had a fake name on my account, but all of my real life friends knew what my name on Facebook was. I liked this system as it allowed me to connect with my friends without worrying too much about my name and data being out there.

Eventually Facebook said I had an invalid name and needed to change it. So I tried changing it to another fake name, which was rejected. I tried several more, including perfectly normal names and all were rejected. Not even abbreviations were accepted, it had to be my full exact name. Facebook knew what my real name was.

Later I realized that there was a feature asking you to type in the name of your friends based on their profile picture as a security measure (perhaps for account recovery?) anyway I suspect this one way they may have flagged my account. If friends recovering their account typed in my real name enough times, but got all the other names correct they might flag my account.

Yea good example of how network effects really work.

In this case your network opted in to Facebook and opted your data in - so again "guilty by association."

Those facebook 'like' and 'share' buttons you see on a huge number of websites also interact with their systems.

You don't have to be signed in, nor do you have to actually click them. They record your visit to the site, thus track you all over the web and build shadow profiles with your web visits, even if you don't have a profile.


> Facebook collects on you when you interact with their systems

I do not think this is true. What happens with my e-mail address when someone else signs up to Facebook and shares their contact list (with my e-mail address in it)?

How did Facebook know who my friends are the very moment I signed in, without sharing my address list?

They already have collected information on my social graph, without my own explicit permission, but with implicit permission from less tech-savy friends.

And that's nothing to say about people tagging me in Facebook pictures to train their giant DeepFace algorithm.

In both scenario's I am not accessing or interacting with a Facebook system, while my information is still being abused.

> It's also not hidden at all, you can inspect the page and see the requests clearly

It's sort of a grey area. The average person doesn't know that the functionality for the buttons is loaded by Facebook, and thus they are requesting information from Facebook that exposes information about them on every page that has a like button. It's "not hidden" in the same way that a pervasive network of closed caption cameras at all the businesses you frequent being owned by one company and having access to all your interactions at all those companies. Sure, the camera is in plain sight, and if you went up to it you might see a tag that says owned and operated by Facebook if you looked, but the normal expectation is that each business would have their own recordings, not that one company would be compiling all your transactions together to track your habits and make a profile. It's not hidden per se, but it's definitely not obvious and not what is expected by the average person.

Actually, I'm wondering is someone could sue Facebook under existing stalking laws.[1]

1: https://en.wikipedia.org/wiki/Stalking#United_States_2

A dossier, if you will.

One could almost call it a book of faces.

Facebook mostly collects data from non-users from the webpages they visit through its embedded 'like' buttons on those sites.

At the time Facebook was created, there was a lot of talk about how private organizations already had such dossiers on the general public. Facebook is more like the "tip of the iceberg". At least it gives users some control over how they are presented (though less and less every day as they filter timelines and use our names to endorse their ads)

No-one thinks otherwise.

Quite looking forward to GDPR forcing Facebook to actually remove all records they have on me. It’s a pain to implement for businesses, but it’s ultimately the right move.

At least for European customers. This won’t help everyone.

How is "European customer" defined?

If someone is not European but resides in Europe, do they have this right?

If someone not from Europe travels to Europe and issues the request while inside Europe, do they have this right? (If so, would using a VPN work?)

If that's actually the case, I can see a Deletion-as-a-service business. "We thoroughly delete your account for you."

The fact that I have to come up such mechanisms is a damning indictment of the way things are.

I really don't get why AckSyn's comment was marked dead.

There used to be a service like this for facebook and twitter, then those two services blocked them from doing so.

Which was sad, but it ultimately worked well for everyone who ended up using it before the ban. It would untag you from photos, delete your comments, wall posts, photos, information, change your name, and issue a deletion after changing your password (and emailing that to you).

I recently went to a GDPR seminar and the presenter claimed that GDPR applies to everybody physically in the EU (even tourists while they are passing through).

GDPR = https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

> a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Emphasis mine.

Full text at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:320... .

> The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

The specific clause concerning customers appears to be:

> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

Regarding non-resident visitors, I can't tell. The directive says "whatever their ... place of residence" so almost certainly yes. It also contains text like "data subjects residing on its territory" so you might have problems lodging a complaint if you aren't a resident.

The US needs to grow some backbone and pass equivalent privacy (and antitrust, while they're at it) laws. If something is a certain way in both the US and EU, most tech companies won't bother doing any differently worldwide.

It isn't a matter of backbone. Legislators are simply representing the interests of their customers, such as Experian and Facebook.

This seems incompatible with democracy.

We can blame/credit the Citizens United Supreme Court decision.

I guess the problems started much earlier, and that court decision was actually a result of such issues.

GDPR refers to any business that transacts with the European Union, so businesses outside the EU (and the UK) are included.

Even if you've never used Facebook, you have a "shadow" account, it is a well known fact. Every time somebody you know upload their contacts into FB, they link them with your shadow account, or create it if not already there, as a strong possible match.

I have started to use Facebook recently as I needed an account for work so decided to explore a bit, my biggest problem with Facebook is that your "feed" is made up of things that your "friends" liked or posted etc... but in what seems a random order, and not all of them appear. One has to wonder what kind of weighting they apply to each post to decide if it will make it to your feed or not.

Twitter has brought something similar recently, but at least you can disable it and get a sane timeline - Just tweeted about this today (check my profile for account).

The only way is to blur your analytics. Move out of Google/Facebook. Install Ad Nauseam extension to not just block tracking but click on everything in the background. This will ruin the information they gather about you with noise.


They also use those means to know your face to scan photos and ask people connected to that contact list to tag you in photos, so they know where you've been, even match them with events.

They can fill your shadow profile with photos, location and time data. It's frightening.

You can change the sort to most recent first, but the setting isn't sticky and the next day, it's back to the echo chamber, er, I mean, FB curated content.

When you set it as most recent then it switches to a very short timeline, and, again incomplete (judging from what you see as default).

Indeed, curated content, which is very scary.

FB should keep a hash of details on people who have deleted their profile and opted out of tracking in order to prevent re-creating shadow profiles.

I am in this Kafka-esque situation where I try to get an account deleted that is not even mine. I don't have and want a Facebook account, but Facebook does not agree.

I few years back I started receiving mail for an account that I never created. The name is not close to mine, but a silly sexual pun.

I have mailed security and account support multiple times, asking for the account to be deleted, or decoupled from my email address, because I keep getting login attempt notifications and even friend suggestions.

Just checking, and coincidentally the very last email is one for the Facebook account. "Hey, it seems you are having trouble logging in! Click here to sign in.". Yes, Facebook, someone, for whatever reason, is trying to log in to a Facebook account for 4 years now, and won't take no for an answer... "If this wasn't you, please let us know by clicking here". Ok, Facebook, this is not me, and it was not me the last 10 times I clicked that button.

(I now assume, that this account is somehow being used to mine my social connections. Something like a public ghost account.)


2013: Hi Fuck, you got more friends on Facebook than you realize! List of 6 people I know IRL.

2013: Hi Fuck, you have 1 friendship request. Log in to accept.

2013: Do you know [3 people I know]?

2013: Hi Fuck, Fuck placed something on your timeline and is waiting to see it.

2013: Do you know [9 people I know]?

2014: We've updated our Terms of Service

2015: Someone asked a new password for your account.

2017: Hey Fuck, it seems you are having trouble logging in.

2017: Hey Fuck, it seems someone tried logging into your account from a new location.

2017: Hey Fuck, we received your request to reset your account password. XXXXX is your reset code.

2017: Fuck, go back to Facebook in just one click.

2017: Hey Fuck, it seems you are having trouble logging in.

I have the same thing, but with PayPal. My full namesake has created another account, and used my email there - so I guess he is not getting any notifications. I am afraid to contact PayPal support, since they might just go ahead and block the wrong account, or both of them, so I just ignore these emails from parallel universe.

I was able to shut down a couple of Instagram accounts that were using my email though. Instagram does not verify emails, but fully trusts them to reset your password.

Well when I "deleted" my account years ago, Facebook made it absolutely clear that it was really only deactiviating the thing and that it would retain its records. Nonetheless, as far as any of my friends can tell, I am no longer on Facebook at all.

So maybe the author of this post removed his account at an earlier period when Facebook didn't make such an honest claim. In that case the title should be "Facebook used to lie."

The help page about deactivating or deleting (they are two separate actions) makes it quite clear that your data will be gone, not merely rendered inaccessible, when you delete: https://www.facebook.com/help/250563911970368

That page uses the phrase "permanently delete[d]" multiple times, says there's "no option for recovery," and calls out some information they do keep because it's not actually part of your count, implying that the rest is not kept.

Did you even read the comment you replied to?

Years ago they did not delete accounts. They would deactivate it and never delete the data. They do now (apparently), but in the past they were very openly not deleting anything.

Yes, I read it. I took it as meaning that they either read something else which was unclear, or just deactivated the account, or misremember what Facebook said at the time.

Do we know that Facebook actually deletes accounts now?

I'm not trying to defend Facebook, but I used the 14-day deletion and it worked for me. Just saying that there must be more to this story than just "I did it and Facebook lied to me".

I deleted my account there 10 years ago, about a year ago I needed an account to join a memorial group for someone. Facebook somehow knew that the email address I used to sign up with, which was new, was related to my old email address and tried to link my new account to my old data which was still there.

It also still knew a heck of a lot about me including suggestions for people I had just recently met. And some of them I only met once, in passing, never exchanged info with, and never saw again.

This is most disturbing. I remember big change in facebook policy on 1.1. 2015 that would mean that deleting your account would not delete data they had on you. Up to that point their policy was that after you delete, data about you is erased (at least in europe).

I did delete the account before that date with few other people (mostly because of that policy coming).

I never tried coming back but if they still kept all the data, that is pretty substantional. One could sue facebook for that or am i missimg something?

Before I left I used a tool that would delete all of my posts and content and stuff like that. Cleaned up the profile as best I could. The type of data they had was more about who they thought I knew, how desperately single I am stuff like that. Given how many privacy related scandals they have had I don't think suing them is going to do anything.

It's likely that at the time they deleted their account (unspecified "long ago"), Facebook either did not have a guarantee of deletion of all data, or this person did not follow the process that would delete all data and are misremembering how they deleted their account.

They are simply looking at the current documentation and thinking "oh yeah, I must have done that, and these guarantees were supposed to apply", when of course that isn't true if those guarantees are new, or if they never followed that procedure in the first place.

I've been locked out of my facebook account for almost a year because they didn't believe I legally changed my name to "Captain Hook Pope Mobile". I sent my revised birth certificate, drivers license, everything. No response on the support ticket for 8 whole months...

Wait a second. Don't tell me that you're actually the Captain Hook Pope Mobile

Could there ever be more than one?

Actually I think that an extra step is required to fully "delete" while the standard procedure only "deactivate" accounts.

I've permanently delete back in 2014 but actually needed a "ghost account" in 2016 to access some FB walled garden content.

I used the same email as my former one and data was gone, no restauration was proposed. (However friend suggestion based on email showed up due to some probable shadow account).

I did similar with a good 6 years between and with two different emails on different domains and it's friends suggestions both in it's own app and Instagram (not linked to FB account but sharing an email) manage to reference people I only ever knew during the time of the first account and never even interacted with on Facebook.

e.g a guy I interned for 10 years ago who I never spoke to/added on FB keeps showing up in my Insta suggestions. It's actually a bit unnerving and makes me worry who my account is suggested to.

Those people probably have your email in an inbox Facebook slurped (possibly as a CC or something)

I expected this, so I first deleted all posts, comments, events, whatever could be deleted, unfriended everyone, replaced everything that could not be removed with random strings, including my name and profile url, and then deleted the account.

Even if it gets reactivated, it will be useless.

It's annoying that this has to be done. There are several other well known companies that make account deletion a stupid hassle. Amazon for example should have already archived my account automatically after not being used for 7 years at all. Apple is another idiotic company that makes it hard to remove stuff from your account (you have to have a mac to disassociate credit card from your account, their web app doesn't allow it for no reason whatsoever (despite being able to add CC info there), only iTunes app on the mac can do it)

Companies should think more about account removals.

This would actually be a cool product. Could call it Facebook Discombobulator.

I believe there are some browser extensions to do this.

I just wrote a few document.querySelectorAll() based loops in the console that artificially clicked the right elements in the right order with some delay.

Fun thing is that while most things are very fats on facebook, deletion is super slow. It takes like 2 seconds to complete. They must have some artificial delay somewhere just to frustrate this kind of scripting.

I'm really really hoping regulators get their act together and come down hard on this sort of things.

If you live in the EU, do a search on GDPR.

It's been a while (6-8months) since I DELETED my account, but I do remember separate options for delete vs deactivation. Out of curiosity I tried logging in again and received "email you have entered does not match any account". While I'm sure the account exists somewhere in the facebook database, it appears to have been successfully deleted.

Anyone else have similar results?

Haven't ever had a Facebook account, but I've encountered the deactivation-deletion dark pattern before, most recently on Twitch.

I think, it's a matter of them being required by law (won't be the case in all countries) to have true account deletion, but then they try to deflect as many users as possible from actually deleting their accounts by having an account deactivation option and having it in a far more prominent place.

I "deleted" my account in 2013. In 2015, I was working on something that required a Facebook account, and I figured I'd try logging in again to see if it was really gone or not. I got a response similar to yours -- seemed to really be gone.

https://m.facebook.com/help/delete_account states that it will delete your account permanently. Facebook’s current FAQ notes it’ll take about 90 days for your information to be gone from their system.

Just reactivated my 8 year old account and deleted it permanently. Long overdue!

Glad I could help!

# Account successfully scheduled for deletion

Your account has been deactivated from the site and will be permanently deleted within 14 days. If you log into your account within the next 14 days, you will have the option to cancel your request.

No immediate deletion makes sense in that it would encourage hacking. But if they say 2 weeks it should be that.

However, as someone else mentioned, the reality is you don't have a FB account, FB has an account on you.

I fell into the timeline where it was so easy to log in with Facebook that I auth’d to almost every site with it.

Now I’ve got the “Facebook handcuffs”.

Stop using Facebook and recreate accounts for everything or keep My account active.

I know FB doesn’t care but I have my own little revolt I’ve staged.

- unfriended everyone and added random people

- swapped out my info (I know they still have it)

- post some bs links and nonsense just to dork with any ML running against my account

I wish more sites added functionality to sever Facebook auth from your account.

[EDIT] - I missed a key point, the author does say in the article that they deleted their account long ago.

While I'm all for bashing Facebook when they do something nefarious, this seems more to do with someone else having the author's password and using their account at an inopportune time (during the FB account deletion process).

As a refresher for all:

- FB delete != FB deactivate

- You can't log in (or let anyone else log in) for 2 weeks post FB delete through https://m.facebook.com/help/delete_account

- The only way you can be sure they delete your info is if you're in the EU, where the government has stepped in appropriately.

Facebook will very likely still know who you are, and have tons of information/"shadow profile" on you, because your friends will still post stuff there.

He explicitly says that he deleted his FB account "long ago". So this isn't about somebody interrupting the deletion process, it's about FB keeping the account around, ready to be "reactivated", even after the 2 weeks.

I deleted (NOT deactivated) my facebook account in August. I received an event invitation three days ago. It's emotionally taxing; it feels vaguely threatening.

I was always under the impression that Facebook never deleted accounts, just "deactivates" then.

The deletion is relatively new.

https://haveibeenpwned.com Make sure that you don't have any insecure accounts or reuse passwords that have been exposed through breaches.

For the site https://haveibeenpwned.com, does anybody happen to know if there is a quick and simple way to check email addresses that are one's regular email address with "+" and the service name appended?

For example, given the email address generic@genericmail.com, if I were to sign up for facebook with generic+facebook@genericmail.com, does the HIBP site provide a simplified method for checking all variations?

Really annoyingly though they don't provide the hashes. I'd really like to know which passwords have been leaked.

Does anyone know of a similar site that provides hashes? I don't need the complete list - just the hashes for my email.

What you're asking for is basically the full details of the data breach, which can be directly used to compromise accounts. You're not going to get that for free anywhere.

You can check your own passwords (hashes recommended) through their new Password service.


Ah yes, type all my passwords into a third party network. I thought this was a site about good security.

Also why wouldn't I get the full details for free anywhere? HIBP obviously has them. Criminals have them. I bet it isn't that hard to find them on bittorrent.

In fact, here they are: https://hashes.org/public.php

Edit: Although that doesn't match them up with usernames, so it's not entirely useful.

Edit 2: In fact I just discovered that a long password I used to use is still in the 'not cracked' category of the Last.fm leak (unsurprising since it is 13 random alphanumeric characters). That is useful information.

I agree however then I reminded myself I shouldn't reuse passwords and ended up using unique passwords everywhere I remembered I reused passwords. A password manager makes it feasible to do that. Also enabled 2FA as much as I could (pref with an application on phone, otherwise SMS).

If corporations are people why not file a restraining order?

You gotta work within the system, I like the idea...

This near exact scenario happened to me today.

I had disabled Facebook about 3 weeks ago. For good measure, I went ahead and deleted all apps, history, or any method by which I might wander back.

Needless to say I was a bit thrown off this morning by the slew of “welcome back to Facebook” texts from my friends. I assured them somebody had created a false account, but sure enough there I was seemingly alive and well with an active profile.

The only explanation I can think of is that an application or service attempted to authenticate via Facebook connect- if this is enough to reactive an account, it damn well shouldn’t be.

Given that social media has overtaken reality for most, it feels a lot like a company unknowingly took my life and ran with it. It’s a bit eerie to scroll through a feed of your friends trying to reach you, and living your life without you. For a few days, Facebook was a more believable authority on my life than I was.

Netflix also does this. I unsubscribed and many months later subscribed again only to find that all my everything was exactly the same. They never deleted my account.

With regard to Facebook, not exactly the same thing, but in August, I tweeted that I haven't logged in to Facebook in over a month. The next day, I got an email from Facebook asking if I'm having trouble logging in to Facebook. I never gave Facebook my Twitter account. https://twitter.com/AmrEldib/status/899423898139148289

Have they always had such a 14-day policy? If not, it’s entirely possible that the policy was different when the account was previously deleted, and the account was being retained under that old policy.

I’m also surprised that his hacker didn’t bother changing his password - maybe it wasn’t intended to be an account takeover.

Conspiracy theory: It was facebook pretending to hack is account so he would log back in and hopefully stay using the service.

But OT: I'm sure that unless they are legally forced to remove the data, they'd rather keep it.

I briefly had a Facebook account years ago before deciding I didn't like it. I deleted/deactivated my account. About 6 months ago I received an email saying that 'someone' had reactivated my account and that if it wasn't me I should log in and visit the help center. My old password still worked and there had been no activity. I strongly suspect this was an attempt by FB to get me back on board.

I deleted my Facebook account in 2009 and they had a 14-day policy at the time also.

I'll have to try this. One of my biggest regrets was deleting my Facebook account sophomore year of college when I moved schools. A lot of pictures and memories erased. I moved away so a huge part of my connection with my old life was gone. It would be amazing to get them back.

I deleted my account years ago. At the time there was a web plugin which could be used to automate the deletion of all posts, pictures, etc. I wonder if there is a tool to do this now as I'm sure FB has cracked down on automated deletion of content.

This reminds me of the hilarious phonecalls trying to cancel accounts at other companies:


> If it’s still not gone, I hear you can just post obscene and offensive material until Facebook deletes you. I’d rather not have to take that route though.

I honestly never thought about that. Spammer accounts often are cleaned up pretty well.

The closest thing you can do to deleting your account is actually manually deleting all your posts and albums first... the using their so called delete/deactivate option.

Try it for yourself. After a number of deletions, response time will slow, an error will occur. You'll reload your page and items you thought were deleted, are not. I've tried many, many times.

Wow, this is like, part Twilight Zone, part Franz Kafka.

I kept getting email messages from Facebook after I deleted my account. They stopped after I lodged a complaint with the Australian Communications and Media Authority. It enforces the Spam Act (2003) which prohibits the sending of unsolicited commercial electronic messages with an Australian link, i.e. if it originates or was commissioned in Australia or originates overseas but was sent to an address accessed in Australia.

I deleted mine over 10 years ago. My wife (who still uses) said that people still click on the "wish happy birthday" shit for me every year.

Well that shows how much they actually care... Yeah. Direct contact has value.

God that's creepy.

I deleted my account long time ago from facebook.

Liars, cheaters, fake news and privacy violations you will found only from facebook.

I really questioning whole company morals

This happened to me as well when I signed up for spotify under the same email I used for facebook, was shocked to see my ~six year old deleted account suddenly become "reactivated" despite them claiming it was "deleted" at the time. Nope, all the stupid stuff that was hilarious to post in 2007 was still there and came right up.

Turns out they never delete anything.

I think Google does the same with everything (email, web history, searches, ad profile, etc) but I believe their reasoning was that there is no way to guarantee that your data will be deleted from the backups, other redundant caches and whatnot, so they don't claim to be able to.

This person deactivated their account but didn't delete it. That's all there is to it.

How is it possible this reaches so high up Hacker News? None of you have seen users (or yourselves) make similar mistakes?

What if you fill your Facebook profile with bogus info? Like writing random bytes on a drive to wipe it.

They probably keep a history on all the changes you made, so I doubt it would help

Who expects anything different, really, from companies like Facebook?

Most people don't even think about the consequences until it's too late. It's a new kind of problem.

Huh? It's always been this way. Like more than 10 years ago I messed around trying with account deactivation. I've had a fb account since ~2004 it was only avail to certain colleges. This is exactly how it's always been. Am i missing something here? They never actually "delete" anything whatsoever. Isn't this already well known..

Applications are open for YC Winter 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact