But, as someone who understands that not all people and companies use the same moral set as myself, this is why I've never set up 2fa using a phone.
Why should I give some company my phone number? Increasingly it's become a single point of metadata to uniquely describe myself (just as my email addresses have).
That doesn’t need to be the case though with just a little bit of effort and minimal cost. Use your own domain for email and set your account to be a catchall. Then use email@example.com and your email address is no longer a cross site unique identifier.
If facebook was able to design and build this system, you can bet that other companies are doing this too.
I doubt it'd be worth spending the effort to target people with personal domains though, and it would have some negative effects, so your point is well taken.
They use it to match traffic across devices and IP addresses.
> pretty simple to crack unsalted hashes
Go ahead and rainbow table those hashes then. If you do it and are the first one to email me (email address in profile), I’ll pay you $100.
If you use the method described in the grandparent, you use a unique email address for every site (e.g firstname.lastname@example.org, email@example.com, etc). The domain will be the common part, which would be very hard for a company to use because most domains are shared between many separate users.
I do and have done so for over 10 years. It’s been very eye opening to say the least to see how many sites have leaked my email.
It takes a tiny amount of effort: you setup your domain with a wildcard so all you need to do to create a new email address is to use it. You could send mail to firstname.lastname@example.org right now, and it will be delivered to my inbox with no setup required.
It's also great in case you start spamming me. I don't have to struggle with your unsubscribe links, I can just blacklist all mail sent to email@example.com, and be done with it without any collateral damage.
My if my site-specific email giqjtodvdksu@... has been getting spam lately then it is likely that either they sold it or they got hacked.
You mean a very small percentage of FB users do this?
The point being as parent comment said it’s not “a little effort and minimal cost”. Figure a $10-15 overhead cost for the domain and maybe $5/month/e-mail account? Effectively to minimize tracking on Facebook one would have to spend a minimum of $70/year?
It doesn’t seem like a great solution...go with a “free product” like Facebook in exchange allowing them to collect and monetize your data, only to pay to combat their business model? May as well offer a competing service that doesn’t track you, collect/monetize your data and pay say...half the cost of a domain and email.
> May as well offer a competing service that doesn’t track you
I would kill for that. But this day and age it would be hard. Also, even subscription services typically see fit to track you and serve you ads.
unless sites smarten up and realize firstname.lastname@example.org is the same person as email@example.com, especially when johndoe.com isn't a "common" email domain like hotmail.com
There's a lot more going on than linking email addresses.
(To save you a click, they look like aa_COMPANY+SHORTHASH@mydomain.com, with shorthash being based on COMPANY and a secret)
Downside is the address ends up absurdly long, and I’ve had to manually create some aliases for companies that won’t accept the plus.
I don’t recommend this setup, it’s kind of a pain to maintain, but I wish one of the mainstream providers would implement something similar.
I think I'll extend the latter (and reduce the required Spam score) before it gets sent to my inbox.
Breach date:June 1, 2018
> Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages
The reason I say it's something people should have expected is because if people were more critical of the things asked of them, then things like this would never get off the ground. Instead, because people do not seem inclined to naturally believe that corporations might have ulterior motives, such practice has become common place and on some sites even mandatory.
People worship at the altar of success, and there aren't many relatively new companies as profitable as FB. That's not to say that these companies don't spend significant coin in pushing their inane message of "we're connecting the world" wherever they can. And mass media for the most part go along with it, mostly focusing on the stock price, rarely bothering to examine how FB makes its money and what tradeoffs that comes with.
It is OBVIOUSLY for ad targeting, I think I mentioned it not even two weeks ago: https://news.ycombinator.com/item?id=18020177
But none of it is actually slowing FB down. Its biggest dip in value came from decelerating growth and spending to make FB more user-friendly, so there's a clear disconnect between shareholder incentives and those of the general populace.
On top of that, most people remain unaware that FB owns both WhatsApp and IG, and while the departures of their top brass have made waves in these circles, it's not a concern for most.
I don't see FB's dominance relenting any time soon, though I wish it would.
And where do you stop? Are all doctors working for big pharma related to opioid crisis complicit? what about people working for firms related to the financial crisis? engineers working for any company that suffered data breaches due to lax data security? what about engineers working for companies that haven't suffered data breaches yet but might have lax security? scientists working to certain biotech firms related to GM? engineers working for car manufacturers that cheated emission norms? engineers working for telecom/internet service providers that cheat users by throttling/net neutrality etc. etc. etc.
If any Facebook engineer suddenly acquired some moral sense, he should spend his time working to sabotage the company from within. Some have walked away; others have walked away and publicly spoken about facebook’s dubious culture.
Now it’s time to see some sabotage.
The problem with whistleblowing is that the consequences need to be more direct and actually leave a dent. As it is right now, FB can absorb pretty much any fines they're hit with.
I consider all of the energy being spent in the maintenance of facebook to be malicious. If a datacenter caved in because of a structural flaw in the building, then that’s a lot less energy going into supporting facebook. How many datacenters would have to cave in before they wouldn’t be able to recover?
Last time I checked, Facebook did not offer free personal and company e-mail and collaborative office suite.
No-one is forced to give all their info to fb. Better yet, no one is forced to use fb.. Of your using these services, and you give all your info to them, that's on you, not engineers just earning a check.
You are absolutely right this calls for nanny state involvement. This is precisely a case where the invisible hand of capitalism is impotent and government regulation is essential.
The only type of ad that makes sense to me at all is one that educates someone about a class of problem and that there's at least one product (X) that can be used to solve this problem.
In many cases it would make more sense to focus these efforts on making stores more effective at presenting solutions and grouping related solutions in expected areas to improve the search effectiveness of independent agents that have black box algorithms and are outside of the store's control.
Attempting to modify said black boxes by an inundation of annoyances is ethnically wrong to me. (As implied above, when it ceases being educational it's increasingly likely to cross that line, particularly if the campaign is based on gimmicks or repetition to be effective in vulnerable population segments.)
- not all people buying FB ads are experienced marketers
- companies throw tons of money at ineffective ads, that should be obvious…
- we have no idea what the ratio of "successful" to unsuccessful campaigns is
- even if that ratio is negative, Facebook is still one of the only remaining "games" in town, so people _will_ continue throwing money at it. “Least worst” is a fine and lucrative place to be in.
- can we just get over this idea of rational economies, by the way
- marketing is less of a science than a craft, and all the implications thereof
If you want to see how things work, start a small ad campaign yourself of FB. It's all about ROI, attribution, cost per action, super detailed targeting, etc. It's the opposite of "throwing money at it hoping that it'll work", unlike offline advertising or even traditional display ads.
"Sniper Targeting on Facebook: How to Target ONE specific person with super targeted ads" https://medium.com/@MichaelH_3009/sniper-targeting-on-facebo...
This is key and undermines a lot of rational arguments. People buying ads aren't reading HN and then making a buying decision based on the general vibe they get there. They'll buy based on budget. Budget is based on decisions made in a meeting a year or two before. Those decisions will be based on a strategy. For many that strategy is to the tune of 'I keep hearing about this social media thing that's supposed to be the future. I notice we aren't spending anything in digital. We need to buy more digital'.
If public opinion sours on Facebook it may be a while before we see a significant drop in revenues.
- marketing companies they ask to run Facebook campaigns for you may be as clueless as they are
Source: I used to work for one (we had separate development and social media marketing departments). People doing marketing had no clue about statistics, they just shoved random whale graphs from Facebook's fanpage panel into a word document and wrote narratives that suggested everything is peachy. Customers read those reports, and since they had no way or skill of reevaluating the results on their end, they were happy and willing to pay. I'm not even assuming malicious intent on the part of the provider - just general cluelessness.
I'm increasingly convinced a lot of marketing on the Internet looks that way. Neither party understands the real meaning of the results, but as long as the buyer is happy, money keeps flowing.
When we advertise to raise money (for politicians) that provides a direct provable ROI and I can tell you nothing else has come close. Seems that is true for many corporations as well just look at FBs growing revenue. FB provides the tools to measure either a sale or the value of an app install over time the increased spend is proof of quality/value so clearly many others have also found success. I wonder who/what/how your campaigns didn't provide value?
Also, FB MAUs and DAUs are stalled , meaning users are becoming less interested in the blue website.
If anything, FB is closer to a 'boiling point' now than ever in the past.
The MAUs and DAUs are more interesting, especially since younger people seem to be avoiding it entirely (although many are flocking to IG, so again, no loss for FB).
I am not surprised. If you let Google autocomplete the search "is facebook o" for you, you'll find these autocomplete results in order:
1. is facebook owned by google
2. is facebook on roku
3. is facebook over
4. is facebook offline
5. is facebook overvalued
10. is facebook on its way out
— Facebook copied Snapchat's functionality on all their platforms.
— Instagram and Whatsapp copied it too.
— Yeah, that's what I meant by all their platforms.
— They're owned by Facebook?
She uses Instagram and Whatsapp everyday!
Which is the reaction most people will have, I'm guessing.
There definitely was a big difference between MySpace and the other social networks. Facebook ran well and worked. People forget the total shit show MySpace was in the middle of 2008. The site ran terribly, was getting hammered by spammers, and they starting covering it in banner ads. We didn't see a repeat of those problems with Instagram or Snapchat.
There is a coolness factor. It isn't as defined as fashion, or the latest hot nightclub, but it is there. That alone won't be enough to make the "next" Facebook, but I think it is the foot that gets stuck in the door.
Facebook might be able to acquire the next challenger in the US, but they will definitely fail to get it by EU regulators.
Nevertheless, your larger point holds, Facebook users are even less cool now than they were before.
Networks are driven by positive feedback both going up and down. This sounds good, but isn't: the system and balance points are inherently unstable. Nothing succeeds like success, or fails like failure.
But it does mean that an even somewhat diligent antitrust enforcement could strangle them to death. They shouldn't be allowed to acquire their future competitors. If the US won't stop them, maybe European regulators can?
What I mean is that we are comparing two different beasts, so I'm not sure "it happened to MySpace" is a good telltale sign of what will eventually happen to Facebook.
I've seen this a lot more in countries where internet access wasn't too common until the past 5-10 years and people didn't start out with a less centralized web before apps and closed networks gained popularity.
My partner isn't from the US originally and when I mention how obnoxious it is that Facebook is like the new AOL and I thought we were past this, she reminds me that it's all anyone back home uses for anything and they didn't have internet access back then.
To her and her friends/family back home, the internet basically is Facebook (and occasionally being forced to open their browser app to search for something if they don't just ask around on Facebook). A handful of other apps and defaults define the internet for them and anything else just sounds like too much hassle.
I suspect Facebook knows this and will keep acquiring new platforms when they can.
I take everything Facebook has done that caused any level of public outcry as a guide book to design a better platform, likewise with Google. And I won't dive into the history or foundation of Facebook, however it's not surprising their path would lead to problems - and at indirect cost to society.
I would much rather see industries self-regulate. But I have big concerns about industries where people are mainly the product, not the customer. I think it breaks the key feedback loop that makes most self-regulation work: irritable users/customers.
For me America's best backup to irritable customers has always been class action suits. It allows aggrieved customers to band together and force accountability where otherwise individual harm would be too small to justify the costs of a lawsuit. But mandatory arbitration is breaking that too, and anyway doesn't work as well when users aren't customers.
So if we don't have user-fueled self-regulation, and we don't have class action, then I'm not sure what we can do short of government regulation. It's a last resort for me, but nothing else seems to have worked on Facebook.
This is always the case when the general populace are not customers but products. It cannot not be the case.
The problem is Facebook is allowed to buy rising competitors on its way down, thus prolonging its monopoly in the social media space.
A good real world example is Disney. Disney has been almost broke a few times over its lifetime, yet currently it's so huge that people believe it will never fail again.
Facebook have so much money in the bank, that the moment their primary model is no longer viable, they'll just go to market and buy up the next hot thing, and switch their focus there. They are like an unstoppable pandemic virus in this aspect.
In dystopian sci-fi novels and films, there is commonly the concept of 'The Company' who see-all, and control-all. It used to be that we'd predict it would be IBM, or Microsoft who would be 'The Company', more recently we'd say it would be Google. Currently however, it's more likely to be Facebook.
This is exactly why we shouldn’t worry about it. The company that we think is going to rule the world forever changes every ten years.
What are 2FA numbers in the context of ads?
There are actually ethical information dealers but they require you to pay them as you are paying your weed dealer.
Any company being truthful about what their customers want can't be tracking them 24-7 and sifting everything they type. Almost no-one wants that level of invasiveness. We just put up with it because there are no real (easy) alternatives or aren't aware.
I really would love to see advertisement companies that are less focused on tracking and more focused on ad placement that's relevant to the content it's going on, and hey sometimes there's no relevant ads for content and that's cool too, but at least show anything generic or close enough at that point. Also advertisers who don't do pop ups or annoying ads (that I swear could cause epilepsy on some users) are also good stewards of the online billboard market.
Problem is, it never stays ditched. It's always a slippery slope.
I just don't want to participate in this anymore.
They show ads based on search the content rather than via tracking.
Once there's money on the table, companies are going to take it and assume the number of customers who walk away aren't enough to offset the profits.
The user data they sell to advertisers has a lot to do with your social network. Who you know, what their interests are, who they know, etc.
For Facebook to allow individuals to pay to opt out of their data being sold, it affects more than just that individual's data. I.e. it affects all their friends and friends-of-friends data.
I expect that the only way Facebook would be able to offer a pay-to-opt-out plan would be for everyone on Facebook to start doing, which would never work and they would never attempt.
I imagine the most we'll see in this direction is some sort of half-assed attempt where they offer to let you pay them money to stop some tracking, but still continue to most of it anyway.
A focus on consumer rights, protections, and building difficult to defraud and difficult to exploit consumers systems is where effort needs to be spent.
* GNU Taler - A digital cash / micro-transaction system that hopes to be audit-able for tax and other legal reasons while still being anonymous for consumers.
Please read about privacy, verifiable in the right ways, and the "operational in 2018" claim
I used that foreign number to create my Instagram account and I've gotten the benefit of only being shown suggested accounts from locals from that country (zero people I know). Same goes for ads as well. Currently I keep it on roaming and actually use it to verify other online services that may stubbornly require SMS.
Might be worth a try for those of you looking to pseudo-opt-out of phone number tracking & recommendations on social media services that do this, if you can get your hands on one.
I'll give you an example of why it might not work. Since your phone has roaming, you happen to have it with you at work, or at a party, or at the library, or anywhere really. If even a single acquaintance of yours is "nearby", the information is leaked. If acquaintances seem to always be "nearby", children, wives, husbands, siblings, your info is DEFINITELY leaked.
If anyone is going to try to use this strategy for anything which might result in the loss of your livelihood, (eg - porn), please realize there are many, many, many more precautions you will have to take than are listed in oedfmarap's comment. If you just do what you see in that comment, you could find yourself without a job somewhere down the line.
Within 1-2 days, Facebook recommended one of them as a friend - bear in mind I hadn't added any of them to Fb, so all it could have used was our location...
This happens to me often too, with much briefer encounters: mainly dates and meetups. Since I've shared similar amounts of time at the same restaurant with hundreds or thousands people with whom I had no interaction, many of who's arrival and departure times would happen by chance to line up with mine, they must be using something else. I also share a duplex-house and an office building with people who've never been inexplicably recommended on Facebook.
From these observations, I've come to think that location data has to play a very small role in Facebook's recommendation system.
Here's my best (but untested) theory to explain this: Your house-mate searched for you on Facebook, which triggered Facebook to think you might be friends.
I had watched it many many years ago, and I suddenly remembered about it while at my friends apartment, (which is in the same building). Now I searched it up on my friends computer which was logged into his gmail account. We watched it and laughed. However, an hour later, I was on my iPhone at home when it appeared in my related videos.
I refreshed and it was gone...
It's your choice to use the same IP address.
It's your will.
Based on what the OP is writing, the unique identifier foe the user can even be the IP address...
With a single device, it's fairly reliable to use a vpn or multiple vpn providers and only log in to each account when connected to a given vpn.
I know Zuck wants me to preemptively upload my nudes, but still.
I reset his password and tried to close the account after he kept trying to access it by resetting his password again. Instagram support asked me to send a clear photo of myself holding up some random number to prove it was me. Nope lol.
This has very interesting consequences...
Depending on the owner's security settings, Facebook will often suggest the profile of the person in the type-aheaded search results.
Here's the issue with it. You might not give it but your friends would. Therefore, this strategy is pretty useless as network effects kick in.
Facebook will remove the phone number from your account when you do that. You can also use that to check who are your friend who gave FB your phone number.
Can you explain further how this will work?
These are frighteningly common, typically enforceable in the US even for consumers, and typically enforceable in most countries for even small business customers (though rarely for consumers in much of Canada and Europe if the vendor has enough ties to the area for local consumer protection law to apply and you win the race to the courthouse).
I've never had such uncertainty about what a job would involve before - the "you find your match" sounded good initially, but in retrospect I'm wondering if I dodged a bullet - so hard to know.
That facebook is doing bad things because ads are their only real source of income is a problem because of the bad things, not the ads. At the time the primary concern was "what should facebook be doing about de facto empowering hate speech and (actual) fake news?" and that's a tricky problem that I don't think has a resolved answer, and I sympathize with those that empower communication and only later realize people have more desire to trash things than apply rational caution. Since then much more has come out about some FB practices (and Google), and the question of whether ads-as-your-primary-revenue-source is too much incentive to be "evil" is being implicitly raised, but is likewise not yet resolved.
That said, I do think there are lines to draw and lines not worth drawing. There's very few jobs that don't end up supporting bad things. I don't think it's right to pretend that if you aren't doing it directly that you AREN'T supporting such things...but I also think it's sometimes unrealistic to make your situation worse to deny an indirect support. Deciding where that line lives is an individual decision, and one I have to regularly re-evaluate. To expand my point in the previous post, the news coming out about FB practices definitely made me feel like I'd have been uncomfortable even if I wasn't working directly in ads.
I have always been suspicious of the aggressive "give us your phone number to secure your account" campaigns that so many sites/apps are running. And I think this is a HUGE disservice to users.
At first I was like, cool, companies are being responsible and encouraging good security practices, good on them. But there was something a touch too.. aggressive and "marketing-y" about it. It raised my spidey sense. Maybe the form and frequency and placement of them just was too familiar to previous campaigns to grab your email for "opt in" spam.
Seriously F these companies for breaking user trust.
ALSO: Did Zuckerberg lie to Congress?
In America (and most places), law normally lags quite a bit behind the events of the day. Standard Oil destroyed markets unchecked for several decades in the 1800s. No individual or company could withstand their market power. Then the government divided it into dozens of vertically integrated companies, which allowed for a wave of new market entrants, better deals for consumers, and higher standards of living for more people.
We are obviously at that breaking point now with the tech behemoths and their sprawling, impregnable market power. It is time for antitrust action against Facebook and the gang.
I'd argue that it would not -- 1,000 small Facebooks could still violate privacy. Creating privacy legislation is the only real way to achieve proper privacy guarantees.
Who wants a social security number when you've got someone's phone number?
This kind of thing has been going on forever, and I've told people this. 99% of people don't actually care, though.
Not for privacy, but to deny them revenue. I block Google ads on every single site I visit, period. I don't care if the advertising is non-obtrusive. If it's being run through Google, part of that revenue is going to fuel Google's tracking. I support creators directly instead. And if creators refuse to give me a way to support them, that's not an excuse to expect me to contribute to Google's bottom line.
Huge props to the people who are working on blocking trackers and protecting privacy. I'm very glad they exist, and I don't think their efforts are worthless. But, it is currently a losing battle to fight these companies on the privacy front, because the tracking model is so profitable that they will always be pushing more resources into it than we are. Collectively, the people fighting for privacy don't have enough resources to win.
But there's an easy, completely legal solution to that problem; the one thing companies haven't figured out how to get around is ad blocking. And a good ad blocker will block even native ads. For a company like Facebook, all of this boils down to getting you to click on ads. If enough people target that chokepoint, then the advertisers will start pulling out of the system, and there'll be less financial incentive for these companies to undermine people's security and privacy.
And we have evidence that this works. Even Google, which is the powerhouse for getting their ads to actually show up, is starting to devote more resources into trying to figure out how to stop mainstream people from installing adblockers. That's where all the autoplay stuff came from, that's where the acceptable ads initiative came from. They desperately want your roommate to say, "I'm not going to mess around with these weird Chrome extensions or whatever, that's too complicated. Chrome blocks this stuff itself, anyway."
Install adblock on every browser you get access to, tell ordinary people who aren't on HN to use it, and let the advertising industry kill itself. Make it very obvious to companies that buying ads on Facebook is a complete waste of time because even non-technical users just won't see them.
Which means Facebook has a shadow profile of you even if you don't use it at all: http://theconversation.com/shadow-profiles-facebook-knows-ab...
We should try to find one. I fully support the privacy fixes people are proposing. I think that's really important. But it's pretty obvious that Facebook is winning right now.
However, the only thing that Facebook cares about is getting you to click on an ad. So even if you can't stop Facebook from getting a shadow profile on you, at least you can make that profile worthless by blocking ads literally everywhere that Facebook can think to display them to you, for you and your family/friends.
And you can be public about it to ensure that when Facebook goes to companies and says, "we have all this data for your next campaign", somebody in the sales-pitch meeting raises their hand and says, "yeah, but nobody looks at your ads."
I doubt that holds in court, but as mentioned in the article, there are people in the EU who for months have tried to get Facebook to provide the shadow profile data on GDPR grounds, and Facebook has yet to allow it.
It seems like Facebook can afford to stall, they've got more knowledge and power than a single EU citizen can have, so I'm sure they know what they're doing.
To be honest, I think Facebook is in breach of _multiple_ GDPR articles _simultaneously_ here, which is quite a feat in itself.
They're in breach of:
- Privacy by Design (a.k.a. Privacy by Default)
- Right to Access
- Right to Be Forgotten (which is older than GDPR..?)
- Data Portability
Then again, Facebook is not alone. I'm pretty sure there are very, very few companies on the web that are not in breach of GDPR at least in spirit, if not in letter.
There's a zero chance that holds in court. If it were possible to have a negative chance it would have a negative chance of holding in court.
Data protection does not in any way relate to "ownership" of data.
If the data are personal data then you are forbidden from processing that data unless you have one of seven lawful bases enumerated in the GDPR, and where the data are sensitive then those bases are reduced further.
Under GDPR, the company I just gave that information to doesn't have your permission. So, let's say that later on, you go to the company and say, "hey, delete any information about me." For them to comply, they can't keep on syncing your contact information in my address book, right?
I guess, how does GDPR handle a situation where a separate customer is going to Facebook and saying, "hey, let me put in that I'm X's cousin"? Should Facebook block that person from specifying the relationship in the UI? Or would that just fall under "essential for business"?
How would that work?
instead of deleting facebook (or not having it), create a shell profile, just enough for you family to pointlessly add. then subscribe the account with a service (aka The Idea) that simply post a once a month post on how to install ad blockers and such.
Personally, as long as the user has an opt-out and opt-in options, I don’t think ad targeting is necessarily an unethical pattern, the blurring lines of ads and recommendations would be actually a pattern that users might like. Would you rather use Netflix or Spotify without recommendation engine?
> Would you rather use Netflix or Spotify without recommendation engine?
Personally for me the term "personalisation" is becoming a dirty word and I am becoming uneasy when I hear it mentioned in design docs and product launches etc. I dont want to see what some algorithm thinks I want to see. Instead I would prefer to see the real, unfiltered, unfettered data. I think the whole Fake News outcry started me thinking about it in a more deep way.
Imagine if you went into a fancy restaurant for some special occasion and the waiter took a look at you as you walked in and brought you a "special" menu based on some decision they made silently in their own head about what they think you want. Rightly you'd want to see the full menu and not just what they think you want to see. Sure I'd welcome them pointing out some highlights on the menu, but I'd apprecaite seeing the whole thing before making up my own mind.
As a result now I use DuckDuckGo exclusively and have Firefox set up with Google Container to keep the Google cookies separate from everything else (I dont use facebook at all so their cookies are entirely blocked as 3rd party) as well as the usual uBlock Origin, privacy badger et al. I am even toying with the idea of moving away from my gmail that I've been using since 2004/05.
1 - https://addons.mozilla.org/en-US/firefox/addon/google-contai...
That's also a corruption of the meaning of "personalisation." Personalisation is about me making choices to adapt a product to my preferences, it's not about the product making choices about how to interact with me.
Real personalisation would be having the (sticky) option to shut the algorithm off and "see the real, unfiltered, unfettered data."
Anyway, I still upvoted your comment, because it's interesting to read what someone working at FB has to say on this.
EDIT: Images seem to be missing from the original link, so here is an archived version: https://web.archive.org/web/https://readwrite.com/2012/12/11...
The space of phone numbers is small enough that this is not a significant consideration.
Lol! Phone numbers have less than 40 bits of entropy, it's trivial to break those hashes.
Facebook would be unable to contact the user via SMS, they would have to issue a token via WWW or app and have the user text that to a specific address from the corresponding phone number to achieve phone-based 2FA. This might even be a third-party service to deny FB any direct access to the phone number.
The verification channel might become a phishing target via spoofed FB pages or apps, though that would be moderately expensive and of limited use. An attacker might request FB login credentials (the actual verification would not), might acquire a phone number (generally, though not always, a non-critical datapoint), and would still be denied account access via 2FA without further compromises, say, social-engineering the phone account (a proven risk, though expensive at scale).
Tildes.net uses a similar mechanism for recovery email addresses.
A 10-digit number is only 10 billion possibilities, much less if you consider that they aren't completely random and have area codes, etc.
You can probably brute-force a hash of a phone number in seconds to minutes _on a CPU_.
Somehow, the knowledge that the efforts to tie every trace of my existence together to help marketers target ads to me are done in a cryptographically secure fashion is not entirely comforting.
In general, I have been unimpressed with recommendation engines of any sort. Spotify can't suggest music I'd like worth a damn, and it's working within a relatively specific domain. Whatever fractional gains in ad relevance are currently obtained from this aren't worth the privacy invasions needed to obtain them.
It's not even cryptographically secure, a phone number is like a 10 digit number that isn't even completely random because of area codes, trivially brute-forceable.
Related artists per track, that would be more, than enough.
I'd rather it didn't have a recommendation engine. I'm fed up with it trying to get me to watch something else - I'd rather it just stay out of my way.
Needless to say, Facebook's goals and incentives are very different.
But on Facebook people go for socialising, and not to get personalised ads.
Facebook app abuses your phones internal Contacts API.
Effectively, you are linked and your main Facebook account is known to be a pseudonym already
That seems like a lot of effort for no real payoff.
At least I can see some of what Facebook has about me instead of none.
Maybe I am completely wrong about this, but I'm pretty convinced that almost all of the ad spending for that feature would have reached Facebook's coffers anyways had it not been available.
And the sad truth is that the vast majority of people will not be deterred by, be aware of, or even understand the fact that Facebook is abusing their phone number in this way, so as far as Facebook is concerned it's a small bump in the long road to increased profitability.
Sure, but the same is true about negative headlines, the effect is just more difficult to quantify.
Maybe it's a general world view problem within Facebook, but usually these things are the result of one overly ambitious person or group optimizing the singular bonus metric of their own little fiefdom at the cost of corporation-wide commons. Big organizations need to be extremely vigilant in their defense against internal foes who won't blink an eye costing the company billions for a gain of millions add long as the latter will be attributed to them while the former won't.
That's one way to encourage people to use 2FA App, I guess.
They also refuse VoIP numbers for authentication.
>>(Albeit, the company only added the ability to do non-mobile phone based 2FA back in May, so anyone before then was all outta luck.)
I.e. if you switch from using a 2FA phone number to using the app do they stop using that phone number in your facebook profile? And your shadow profile?
Yes. Yes. We did: https://www.theverge.com/2018/2/16/17022162/facebook-two-fac...
So either they lied in February or they have changed their minds. Either way, I think there is value to bring this very similar discussion back to our minds.
I wonder if Facebook acts differently for European users?
Not that I allow any advertising here, mind you - everything is blocked at the router (ipset  comes in handy here), at the client and in the browser. This works at home as well as abroad since I route all my data through a VPN (OpenVPN) terminating at my router.
Drawn to its logical extreme, you don't need regulation to be protected from racketeering if you run a restaurant either, you can just hire private security and arm yourself.
(Security Keys are actually way more anonymous than I'd even thought possible until I understood how they work, if you know Susie uses the same key for DropBox and GitHub, and you suspect Susie also uses this key for the account NumberOneSecretTrumpFan on GitHub, and then you steal all the account credentials from GitHub somehow, this doesn't end up being enough to verify that Susie has the same key as NumberOneSecretTrumpFan, nor is it enough to sign into Susie's DropBox account, and unless GitHub's data includes the backup passphrases or whatever it's not even enough to sign into GitHub as Susie, NumberOneSecretTrumpFan, or any other Security Key user...)
Plenty of other online and offline ways to connect with the people in your life.
The government should have bigger fish to fry than trying to regulate the distribution of information that you have and continue to willingly provide to a company. If you don't like it, sure government could jump in and make Facebook just how you like it, or you could delete the info you don't want them to have. The later sounds easier on everyone.
There are some things users/people did not sign up for and cannot (reasonably) opt out of that still harm them. This is what regulations are for.
Unfortunately, whether you created a profile or not, you can't just "not use Facebook" with their whole shadow profiles.
Sure, they aren't (currently) pumping waste into the environment. I'm not saying those things aren't important, but I do think we're going to look back 10 years from now and wonder how we let Facebook even get this bad.