Facebook Is Giving Advertisers Access To Your Shadow Contact Information (gizmodo.com)
1359 points by dhotson on Sept 27, 2018 | 458 comments

As a security engineer, I cannot overstate just how horrible this is. Phone numbers might not be an ideal 2nd factor for authentication, but to punish users for setting up 2FA by using the provided phone number for ad targeting is incredibly unethical.

I agree with your sentiment.

But, as someone who understands that not all people and companies use the same moral set as myself, this is why I've never set up 2fa using a phone.

Why should I give some company my phone number? Increasingly it's become a single point of metadata to uniquely describe myself (just as my email addresses have).

> just as my email addresses have

That doesn’t need to be the case though with just a little bit of effort and minimal cost. Use your own domain for email and set your account to be a catchall. Then use facebook.com@yourdomain.tld and your email address is no longer a cross site unique identifier.

Isn't this it though, the engineers designing the ad targeting system at Facebook are linking the random emails you use as "catch all" to your main identity so you can be targeted specifically even though neither party has full knowledge of the linkage between your catchall email and your main identity email. This is facilitated by information that is not under your control.

If facebook was able to design and build this system, you can bet that other companies are doing this too.

Check the TOS and/or implementations for many of the tracking providers and you’ll see they use hashed emails. Show me a way to extract the common domain name from the below:



The simple way would be to use part of the hash for the domain and part for the user. If you alternated bits it wouldn't be obvious.

I doubt it'd be worth spending the effort to target people with personal domains though, and it would have some negative effects, so your point is well taken.

If the hashing algorithm is known (and my guess is it is at least possible to reverse engineer it, if it isn't documented) then cracking a hash with a GPU may be quite feasible.

The hashing algorithm is well known, it’s unsalted md5/sha1/sha256. That doesn’t make it necessarily possible (sure, some cases yes, but not even most), let alone feasible, to rainbow table them.

It's pretty simple to crack unsalted hashes using rainbow tables, unless each hash is salted with a random distinct salt and if that is the case then these hashes seem pretty useless. So how do tracking providers use these hashes? What other info is sent along with the hash?

> So how do tracking providers use these hashes?

They use it to match traffic across devices and IP addresses.

> pretty simple to crack unsalted hashes

Go ahead and rainbow table those hashes then. If you do it and are the first one to email me (email address in profile), I’ll pay you $100.

> Isn't this it though, the engineers designing the ad targeting system at Facebook are linking the random emails you use as "catch all" to your main identity so you can be targeted specifically even though neither party has full knowledge of the linkage between your catchall email and your main identity email.

If you use the method described in the grandparent, you use a unique email address for every site (e.g. site1@yourdomain.tld, site2@yourdomain.tld, etc). The domain will be the common part, which would be very hard for a company to use because most domains are shared between many separate users.

This is no longer "just a little bit of effort and minimal cost" - most likely no one will use unique emails for every site as well as use private browsing mode permanently in order to avoid cross cookie / cross site contamination via 3rd party (non facebook) tracking. Which is cited as a "feature" - allowing clients to bring their own ad tracking database and integrating that into the FB one in order to make ad targeting more specific.

> most likely no one will use unique emails for every site

I do and have done so for over 10 years. It’s been very eye opening to say the least to see how many sites have leaked my email.

> This is no longer "just a little bit of effort and minimal cost" - most likely no one will use unique emails for every site

It takes a tiny amount of effort: you set up your domain with a wildcard so all you need to do to create a new email address is to use it. You could send mail to barkingcat@real.domain.for.394549.net right now, and it will be delivered to my inbox with no setup required.

It's also great in case you start spamming me. I don't have to struggle with your unsubscribe links, I can just blacklist all mail sent to barkingcat@real.domain.for.394549.net, and be done with it without any collateral damage.

Lots of people do this, in the past it has exposed data leaks.

If my site-specific email giqjtodvdksu@... has been getting spam lately then it is likely that either they sold it or they got hacked.

>Lots of people do this...

You mean a very small percentage of FB users do this?

The point being as parent comment said it’s not “a little effort and minimal cost”. Figure a $10-15 overhead cost for the domain and maybe $5/month/e-mail account? Effectively to minimize tracking on Facebook one would have to spend a minimum of $70/year?

It doesn’t seem like a great solution...go with a “free product” like Facebook in exchange for allowing them to collect and monetize your data, only to pay to combat their business model? May as well offer a competing service that doesn’t track you, collect/monetize your data and pay say...half the cost of a domain and email.

No, it sucks, but it is the only way.

> May as well offer a competing service that doesn’t track you

I would kill for that. But this day and age it would be hard. Also, even subscription services typically see fit to track you and serve you ads.

Sort of like at first people thought paying for cable tv would mean that there would be lots of channels without ads. Didn't happen. Only a few where you get to pay even more for no ads. Now Netflix begins the cycle anew.

It is completely possible to fingerprint a browser and then group all the email accounts used on it and treat them as a single user. When was the last time you lent your device to someone so they could check their email?

Google claims that multiple people checking their e-mail in the same browser is common enough that they had to redesign browser log-in around it.

Doing this seems like it would slow down an adversary with Facebook like capabilities for a handful of milliseconds.

>Then use facebook.com@yourdomain.tld and your email address is no longer a cross site unique identifier.

unless sites smarten up and realize facebook@johndoe.com is the same person as pizzaplace@johndoe.com, especially when johndoe.com isn't a "common" email domain like hotmail.com

As someone that has created a facebook account with an unused email without using my name or any information they still recommend my friends, family and interests. Instagram did the same thing with my interests.

There's a lot more going on than linking email addresses.

If you used an app (rather than just a website), then all your contacts were uploaded. (Instagram has always been an app, hasn't it?)

Most marketing companies don’t share raw email addresses (rather md5/sha1/sha256 hashes of the emails). In that scenario, linking the common domain name is very difficult to near impossible to do currently.

This is not what an average user of Facebook can do. What an average user can do is demand adopting laws like GDPR to regulate PII.

You can do it with Gmail to some extent already. E.g. instead of using myemail@gmail.com I would use myemail+facebook@gmail.com. Gmail ignores anything after the plus. As someone mentioned, marketing companies usually share just the hash of email. The trick is not too popular and I didn't experience a company handling it yet.

A vast majority of companies either don't accept the plus because they are too lazy to implement proper email validation, or they strip the pluses from gmail addresses because they're strictly useless to them.

Then you can use dots. An 11-character email has 2^10=1024 different addresses.

The "trick" is both popular and commonly made to be moot by programmers. Source: I know programmers at multiple companies that have written production code to strip the +suffix from the username portion of gmail addresses.

Agreed. This isn't done just for ad targeting, either. If a user invokes a GDPR right to be forgotten, it's useful to make sure you've found all the instances of that user's email address in your system regardless of the +additions.
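The Gmail plus/dot handling discussed in the comments above, from the erasure-request side, as an added example that is not part of the original thread. The function names and sample addresses are constructed, and treating only gmail.com/googlemail.com as plus- and dot-insensitive is an assumption; custom-domain catch-all addresses are deliberately left untouched.

```python
import hashlib

# Domains where the mailbox provider ignores dots and "+suffix" in the local part.
# Assumption for this example: only Gmail's two domains get this treatment.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address is actually delivered to."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        # myemail+facebook@gmail.com and my.email@gmail.com are the same inbox.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty local part after normalising: {address!r}")
    return f"{local}@{domain}"


def email_digest(address: str) -> str:
    """Unsalted SHA-256 of the canonical address, the form the thread says is shared."""
    return hashlib.sha256(canonical_email(address).encode("utf-8")).hexdigest()


def dot_variant_count(local_part: str) -> int:
    """Number of dotted spellings of one Gmail local part (a dot or no dot in each gap)."""
    letters = local_part.replace(".", "")
    return 2 ** (len(letters) - 1) if letters else 0


def erasure_matches(stored: list[str], requested: str) -> list[str]:
    """Stored addresses that belong to the mailbox named in an erasure request."""
    target = email_digest(requested)
    return [addr for addr in stored if email_digest(addr) == target]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    stored = [
        "myemail+facebook@gmail.com",
        "my.email@gmail.com",
        "MyEmail@googlemail.com",
        "facebook.com@yourdomain.tld",
        "pizzaplace@yourdomain.tld",
    ]
    print(erasure_matches(stored, "myemail@gmail.com"))
    # Per-site addresses on a catch-all domain stay distinct records and digests.
    print(erasure_matches(stored, "facebook.com@yourdomain.tld"))
    print(dot_variant_count("elevenchars"))
```
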

If someone does that with one of my (custom domain) addresses, it won’t work, here’s what I implemented: https://zackorndorff.com/2015/03/10/disposable-email-address...

(To save you a click, they look like aa_COMPANY+SHORTHASH@mydomain.com, with shorthash being based on COMPANY and a secret)

Downside is the address ends up absurdly long, and I’ve had to manually create some aliases for companies that won’t accept the plus.

I don’t recommend this setup, it’s kind of a pain to maintain, but I wish one of the mainstream providers would implement something similar.
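The aa_COMPANY+SHORTHASH address format described in the comment above, as an added example that is not part of the original thread and not the code from the linked post. The HMAC-SHA256 construction, the 8-hex-character tag, the `manual_aliases` set for sites that reject the plus, and all function names are assumptions.

```python
import hashlib
import hmac
import re

PREFIX = "aa_"
TAG_LEN = 8  # assumption: 8 hex characters (32 bits) of the MAC
COMPANY_RE = re.compile(r"[a-z0-9.-]+")
LOCAL_RE = re.compile(r"aa_([a-z0-9.-]+)\+([0-9a-f]{8})")


def short_tag(company: str, secret: bytes) -> str:
    """Keyed hash of the company name; cannot be computed without the secret."""
    return hmac.new(secret, company.encode("utf-8"), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(company: str, secret: bytes, domain: str = "mydomain.com") -> str:
    """Build the per-company address to hand out at signup."""
    company = company.strip().lower()
    if not COMPANY_RE.fullmatch(company):
        raise ValueError(f"unsupported company label: {company!r}")
    return f"{PREFIX}{company}+{short_tag(company, secret)}@{domain}"


def verify_alias(address, secret, domain="mydomain.com", manual_aliases=frozenset()):
    """Return the company label if the recipient address is one we issued, else None.

    manual_aliases holds local parts created by hand for sites that refuse '+'.
    """
    local, sep, addr_domain = address.strip().lower().rpartition("@")
    if not sep or addr_domain != domain:
        return None
    if local in manual_aliases:
        return local
    match = LOCAL_RE.fullmatch(local)
    if match is None:
        return None  # no tag at all, e.g. the +suffix was stripped or guessed
    company, tag = match.groups()
    # Constant-time comparison so the check does not leak how many characters matched.
    if hmac.compare_digest(tag, short_tag(company, secret)):
        return company
    return None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value; keep a real one private
    issued = make_alias("Facebook.com", secret)
    print(issued, "->", verify_alias(issued, secret))
    # Someone who saw the issued address cannot mint a valid one for another label.
    guessed = issued.replace("facebook.com+", "bank.example+")
    print(guessed, "->", verify_alias(guessed, secret))
```

A mail server would call `verify_alias` on the envelope recipient and reject or quarantine anything that returns `None`.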

I've been typically using name+website@domain.tld to distinguish email origins (and leakage). Ironically, I've already set up otherdomain.tld@privacy.domain.tld to hide registrar information, but hadn't thought of using it for day-to-day signups until now.

I think I'll extend the latter (and reduce the required Spam score) before it gets sent to my inbox.

You don't have to but it's the most user-friendly, although flawed, method of enabling 2FA. They could have easily used a software token but that requires non-tech savvy users to download a 3rd party authentication app, as well as understand the basic usage. Why do that when users can simply get a text sent on a method they most likely have?

I never heard of this company when I did a monitor.firefox.com search of my work address.

Exactis. Breach date: June 1, 2018. Compromised accounts: 131,577,763


> Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages

It's also something that people should have expected. I don't understand how people have not noticed that all of the major sites that generate revenue through user profiling and advertising have been pushing hard for users to either be obligated to register using their phone, or to set up a two-factor authentication using their phone when it's not necessary for registration.

The reason I say it's something people should have expected is because if people were more critical of the things asked of them, then things like this would never get off the ground. Instead, because people do not seem inclined to naturally believe that corporations might have ulterior motives, such practice has become commonplace and on some sites even mandatory.

> Instead, because people do not seem inclined to naturally believe that corporations might have ulterior motives

People worship at the altar of success, and there aren't many relatively new companies as profitable as FB. That's not to say that these companies don't spend significant coin in pushing their inane message of "we're connecting the world" wherever they can. And mass media for the most part go along with it, mostly focusing on the stock price, rarely bothering to examine how FB makes its money and what tradeoffs that comes with.

How is a difference in how ads are targeted a punishment?

Somewhere in the bowels of FB is the product manager who feels like a smug genius for coming up with this 'feature'.

There has to be a reason Facebook reminds me 50 times (yes 50 times) a year to put my phone number in for security reasons. That’s extremely unethical tbh and then I can’t recall if this is true because I’ve stopped using Facebook but I’m 80% sure they then filled out my phone number and just wanted me to confirm it.

I'm using adblock, how does this affect me?

Ethics do not matter vs profit, so long as the elected representatives can be properly paid off and the public lied to that regulation is always bad.

It is unethical and negligent to force people to use SMS 2fa without any other alternative

It is OBVIOUSLY for ad targeting, I think I mentioned it not even two weeks ago: https://news.ycombinator.com/item?id=18020177

What's facebook's boiling point? My guess is they'll respond, they'll no longer use 2FA #'s for ads, the damage will have been done, and 99% of the population won't know any of it occurred. We'll repeat this cycle when a fresh revelation occurs months from now, as facebook continues to test how much they can leverage for more ad revenue.

But none of it is actually slowing FB down. Its biggest dip in value came from decelerating growth and spending to make FB more user-friendly, so there's a clear disconnect between shareholder incentives and those of the general populace.

On top of that, most people remain unaware that FB owns both WhatsApp and IG, and while the departures of their top brass have made waves in these circles, it's not a concern for most.

I don't see FB's dominance relenting any time soon, though I wish it would.

A reminder that if you work for Facebook you are fully complicit. Especially if you're an engineer, there should be no shortage of jobs available to you at this time. There is no excuse to work for a company whose sole focus is exploitation of its users.

The problem with this argument - I care about issue X, company C is known to disregard/exploit users with X and so I assume all employees of company C are complicit while I give a free pass to the users who remain ignorant and simply don't care no matter how many times these issues surface.

And where do you stop? Are all doctors working for big pharma related to opioid crisis complicit? what about people working for firms related to the financial crisis? engineers working for any company that suffered data breaches due to lax data security? what about engineers working for companies that haven't suffered data breaches yet but might have lax security? scientists working to certain biotech firms related to GM? engineers working for car manufacturers that cheated emission norms? engineers working for telecom/internet service providers that cheat users by throttling/net neutrality etc. etc. etc.

Yes, they’re all complicit, to different degrees. Even the janitors and cooks are complicit when they support unethical enterprises.

If any Facebook engineer suddenly acquired some moral sense, he should spend his time working to sabotage the company from within. Some have walked away; others have walked away and publicly spoken about facebook’s dubious culture.

Now it’s time to see some sabotage.

I was with you until sabotage. It’s spending energy maliciously when as you say, there are plentiful options. Non aggression principle rules.

Whistleblowing would be a good middle-ground here. Also, I don't think sabotage would be as efficient since FB would just restore everything in an instant.

The problem with whistleblowing is that the consequences need to be more direct and actually leave a dent. As it is right now, FB can absorb pretty much any fines they're hit with.


You've gone off into uncivil territory—please don't.


I was offering creative suggestions. What I said wasn’t anything I’d avoid saying in person, nor did I have any ill will toward the commenter I replied to.

No need for “aggression”. The CIA wrote a sabotage manual, which involved things like “forgetting” to lubricate wheels, spending lots of time in meetings which go nowhere, slowing down and getting distracted while working, etc.

I consider all of the energy being spent in the maintenance of facebook to be malicious. If a datacenter caved in because of a structural flaw in the building, then that’s a lot less energy going into supporting facebook. How many datacenters would have to cave in before they wouldn’t be able to recover?


Exactly. When I get recruitment emails from Facebook I like to kindly remind the recruiters that I am not interested in furthering the interests of a company that in my opinion is making the world worse, not better.

Reminder that the same applies to Google.

Yes, but it’s not about business model, it’s about trust. Both companies, Facebook and Google, built their business models around advertisers and have no other option than to sell your data. But, for some reason, 9 out of 10 engineers that I work with dislike Facebook and don’t trust them. They are willing to share work documents and emails with Google, but not Facebook.

That's only because Facebook is optional. They use Google for their email and documents because they need something for those things.

> They are willing to share work documents and emails with Google, but not Facebook.

Last time I checked, Facebook did not offer free personal and company e-mail and collaborative office suite.

This is an asinine, deference to authority, nanny state garbage take.

No-one is forced to give all their info to fb. Better yet, no one is forced to use fb. If you're using these services, and you give all your info to them, that's on you, not engineers just earning a check.

Did you read TFA? It's clear that FB has info on people that they never willingly gave to FB. It's also clear that FB can mine information about people who have never used FB, simply by virtue of their being in the contact list of someone who DOES use FB.

You are absolutely right this calls for nanny state involvement. This is precisely a case where the invisible hand of capitalism is impotent and government regulation is essential.

As someone who has occasionally run experiments with FB adverts for various types of business, I feel its boiling point will be when people and organisations advertising on the platform really start to look deeply into the value for money they are getting on it. I can't tell you the amount of times I've seen organisations throw money at it in return for dubious clicks from markets they never targeted, bot-like users and really poor ROI after advertising with it.

This is how I feel about ads in general.

The only type of ad that makes sense to me at all is one that educates someone about a class of problem and that there's at least one product (X) that can be used to solve this problem.

In many cases it would make more sense to focus these efforts on making stores more effective at presenting solutions and grouping related solutions in expected areas to improve the search effectiveness of independent agents that have black box algorithms and are outside of the store's control.

Attempting to modify said black boxes by an inundation of annoyances is ethically wrong to me. (As implied above, when it ceases being educational it's increasingly likely to cross that line, particularly if the campaign is based on gimmicks or repetition to be effective in vulnerable population segments.)

I mean, Facebook tricked advertisers initially into spending 100s of millions into the platform (if not billions?) with their bait and switch of telling advertisers they'd "own" the users that liked their pages - and people still trust them even with that starting point to keep advertising? It's strange to me.

Are you hinting that FB advertisers are throwing 50 billion (expected 2018 revenue) at ads that are poorly performing? Obviously that is not correct, the result of all this detailed targeting is campaigns that are performing very well for experienced marketeers.

FB is making sure you can't calculate the ROI of a campaign. Marketers are putting money in FB because they think this is where they can most accurately target people.



This is demonstrably not true. FB provides better tools than pretty much anyone else to tie sales to advertising (online or off) and to track app install lifetime advertising revenue generated over time. The human data and walled garden of tracking they have are hugely valuable in proving ROI.

By spending x amount per week and by measuring signups/purchases/leads marketers are tracking roi.

okay so…

- not all people buying FB ads are experienced marketers

- companies throw tons of money at ineffective ads, that should be obvious…

- we have no idea what the ratio of "successful" to unsuccessful campaigns is

- even if that ratio is negative, Facebook is still one of the only remaining "games" in town, so people _will_ continue throwing money at it. “Least worst” is a fine and lucrative place to be in.

- can we just get over this idea of rational economies, by the way

- marketing is less of a science than a craft, and all the implications thereof

I'm in ad tech, and believe me: FB advertising works. The vast majority of their ad revenue is coming from experienced ad buyers that are spending immense amounts on direct response campaigns, not branding.

If you want to see how things work, start a small ad campaign yourself on FB. It's all about ROI, attribution, cost per action, super detailed targeting, etc. It's the opposite of "throwing money at it hoping that it'll work", unlike offline advertising or even traditional display ads.

Exactly like this article states. You can give Facebook a list of phone numbers or email addresses and it will put your ad in front of only those people. Does anyone know how small a list you can target? List of one? List of one plus N number of dead email addresses? Therefore a list of one, but more expensive?

> The smallest audience you can upload is an audience size of 30 people. Also, this audience size needs to be 30 people which Facebook can identify and find. So, if you upload an email list of 30 and Facebook can match only 20 of those email addresses to Facebook profiles then it will reject your list, so in most cases you need to upload a list of about 60 people. You then need ensure you upload a list of only females or males which includes the one email address of the person you are targeting (the opposite to the one person that you are targeting). Lastly you need to choose the gender in the demographic filtering which matches the intended target. Here’s a step by step example below

"Sniper Targeting on Facebook: How to Target ONE specific person with super targeted ads" https://medium.com/@MichaelH_3009/sniper-targeting-on-facebo...

Informative article, mostly about how amoral this salesman is. I wonder if most people in sales think this way. Maybe the article was created solely as an ad for the author's company and the content is all lies. I'd have no way to know without trying it myself and a fake article would be in complete alignment with the author's value system.

> can we just get over this idea of rational economies, by the way

This is key and undermines a lot of rational arguments. People buying ads aren't reading HN and then making a buying decision based on the general vibe they get there. They'll buy based on budget. Budget is based on decisions made in a meeting a year or two before. Those decisions will be based on a strategy. For many that strategy is to the tune of 'I keep hearing about this social media thing that's supposed to be the future. I notice we aren't spending anything in digital. We need to buy more digital'.

If public opinion sours on Facebook it may be a while before we see a significant drop in revenues.


- marketing companies they ask to run Facebook campaigns for you may be as clueless as they are

Source: I used to work for one (we had separate development and social media marketing departments). People doing marketing had no clue about statistics, they just shoved random whale graphs from Facebook's fanpage panel into a word document and wrote narratives that suggested everything is peachy. Customers read those reports, and since they had no way or skill of reevaluating the results on their end, they were happy and willing to pay. I'm not even assuming malicious intent on the part of the provider - just general cluelessness.

I'm increasingly convinced a lot of marketing on the Internet looks that way. Neither party understands the real meaning of the results, but as long as the buyer is happy, money keeps flowing.

People have been doing this for years on Google's platform and the behaviors still haven't changed (I have a lot of hands-on experience with $100k+ annual ad spend budgets that are atrocious), so I disagree. People set it and forget it (mainly to ad ops agencies who charge 10%), because they don't know any different as long as sales keep coming in.

Buying digital advertising is big part of my job. I find the exact opposite to be true. FB provides high quality, low fraud. Especially compared to anything that's not Google/FB.

When we advertise to raise money (for politicians) that provides a direct provable ROI and I can tell you nothing else has come close. Seems that is true for many corporations as well just look at FB's growing revenue. FB provides the tools to measure either a sale or the value of an app install over time the increased spend is proof of quality/value so clearly many others have also found success. I wonder who/what/how your campaigns didn't provide value?

So... not anytime soon? As long as FB has real and active users advertisers will advertise and throw money at them.

from that egoistically lawless point of view, they will do better on each privacy violation that gets reported as it signals better return for the investment of advertisers.

My problem is how easy it is to "fake" advertising. As in I go to website browse and buy then I get ads after about said product. Is that counted as evidence of a successful ad sale?

That's most likely poor retargeting setup

FB is now running its own branding ads in out of home media [1], which is a signal they've done the cost/benefit analysis internally and are now losing enough user trust to justify this brand spend.

Also, FB MAUs and DAUs are stalled [2], meaning users are becoming less interested in the blue website.

If anything, FB is closer to a 'boiling point' now than ever in the past.

[1] https://www.ispot.tv/ad/wUQP/facebook-a-little-closer

[2] https://www.businessinsider.com/facebook-maus-daus-stalled-u...

Definitely worth noting, but I think they felt pressured to respond because the election meddling made enough waves with the gen pop to warrant a message, I don’t see it having a lasting impact.

The MAUs and DAUs are more interesting, especially since younger people seem to be avoiding it entirely (although many are flocking to IG, so again, no loss for FB).

> most people remain unaware that FB owns both WhatsApp and IG

I am not surprised. If you let Google autocomplete the search "is facebook o" for you, you'll find these autocomplete results in order:

  1. is facebook owned by google
  2. is facebook on roku
  3. is facebook over
  4. is facebook offline
  5. is facebook overvalued
  10. is facebook on its way out

Seriously, people? "Is Facebook owned by Google?". AFAIK most people have no idea what goes on with tech companies and they have no idea how much power they have and how they work with your data, or what personal data is even comprised of.

True. The other day I was talking to my cousin and the conversation was something like:

— Facebook copied Snapchat's functionality on all their platforms.

— Instagram and Whatsapp copied it too.

— Yeah, that's what I meant by all their platforms.

— They're owned by Facebook?

She uses Instagram and Whatsapp everyday!

TBH, people don't really care about who owns what. We know it because it's our domain of expertise, but, for instance, I couldn't tell you if Uncle Ben's rice is owned by Nestlé, Unilever, Kraft Foods, Mars, Coca-Cola or some other food brand. Yet I eat rice several times a week.

The best one is 'is facebook and twitter owned by the same person'.

I told my girlfriend about this just now, and she said "omg, they do?!", and went right back to her phone. Probably to check Facebook or Instagram.

Which is the reaction most people will have, I'm guessing.

Out of respect for you, she said "omg, they do", I reckon.

I think platforms like Facebook depend on being "cool" over some demographic. Then other demographics adopt it, time passes, other demographics grow tired of the same old Facebook look their parents also used, and Facebook starts to die. We've seen this as well with other social networks like hi5, myspace, that once dominated entire continents as the preferred social website. Of course they are smart and competent people so they will try to prevent it, and it seems to have lasted longer and left a bigger mark already, but still; I'm sure a lot of people around the world already share the sentiment of "not doing anything on FB", and just keeping it open for messenger chat.

It is an anti-network effect. The early adopters are cool, the late adopters are not. In Facebook's case, the early adopters are now old people posting photos of their children. The users aged to irrelevance.

There definitely was a big difference between MySpace and the other social networks. Facebook ran well and worked. People forget the total shit show MySpace was in the middle of 2008. The site ran terribly, was getting hammered by spammers, and they started covering it in banner ads. We didn't see a repeat of those problems with Instagram or Snapchat.

There is a coolness factor. It isn't as defined as fashion, or the latest hot nightclub, but it is there. That alone won't be enough to make the "next" Facebook, but I think it is the foot that gets stuck in the door.

Facebook might be able to acquire the next challenger in the US, but they will definitely fail to get it by EU regulators.

Facebook adopters were never cool. It began as a place for uptight Ivy bratlings, then grew by being more square and "safer" than Myspace.

Nevertheless, your larger point holds, Facebook users are even less cool now than they were before.

They're both network effects. The difference is that the relative value per node, to other nodes has changed. Disaster hits when the high-value nodes leave.

Networks are driven by positive feedback both going up and down. This sounds good, but isn't: the system and balance points are inherently unstable. Nothing succeeds like success, or fails like failure.

This is why acquisitions such as IG and WhatsApp are crucial. If they purchase the next cool thing, they never really go out of fashion. FB has gone from throwing sheep at your friends to this. I don't think they are stopping anytime soon

> This is why acquisitions such as IG and WhatsApp are crucial. If they purchase the next cool thing, they never really go out of fashion. FB has gone from throwing sheep at your friends to this. I don't think they are stopping anytime soon

But it does mean that an even somewhat diligent antitrust enforcement could strangle them to death. They shouldn't be allowed to acquire their future competitors. If the US won't stop them, maybe European regulators can?

We have a hard time making them pay their taxes, I'm pretty sure we won't be able to regulate them anytime soon.

I see what you mean, but I'm under the impression that Facebook is not "your father's social network" in that it's not even comparable to what MySpace was, neither in numbers nor in qualities.

What I mean is that we are comparing two different beasts, so I'm not sure "it happened to MySpace" is a good telltale sign of what will eventually happen to Facebook.

Not to mention the growing number of people who only use a mobile phone as their gateway to internet services (along with all of the personal info to be gleaned from them) and who spend the vast majority of their time on the web using Facebook.

I've seen this a lot more in countries where internet access wasn't too common until the past 5-10 years and people didn't start out with a less centralized web before apps and closed networks gained popularity.

My partner isn't from the US originally and when I mention how obnoxious it is that Facebook is like the new AOL and I thought we were past this, she reminds me that it's all anyone back home uses for anything and they didn't have internet access back then.

To her and her friends/family back home, the internet basically is Facebook (and occasionally being forced to open their browser app to search for something if they don't just ask around on Facebook). A handful of other apps and defaults define the internet for them and anything else just sounds like too much hassle.

This is a very good point. In particular kids wouldn’t be caught dead on a network their parents (and other elderly relatives) are on.

I suspect Facebook knows this and will keep acquiring new platforms when they can.

I wonder too if there is a boiling point with the mechanisms at play. Google was a "do no evil" company, and yet there was maybe a small earthquake within the company regarding the news coming to light they're making a censorship-friendly version of their search.

I take everything Facebook has done that caused any level of public outcry as a guide book to design a better platform, likewise with Google. And I won't dive into the history or foundation of Facebook, however it's not surprising their path would lead to problems - and at indirect cost to society.

It all comes down to Wall Street. As long as investors are OK with FB's shenanigans, they'll continue to find innovative ways to sell off their users.

Which is a bit of a mug's game, as most investors are explicitly about profits. Externalities be damned.

I would much rather see industries self-regulate. But I have big concerns about industries where people are mainly the product, not the customer. I think it breaks the key feedback loop that makes most self-regulation work: irritable users/customers.

For me America's best backup to irritable customers has always been class action suits. It allows aggrieved customers to band together and force accountability where otherwise individual harm would be too small to justify the costs of a lawsuit. But mandatory arbitration is breaking that too, and anyway doesn't work as well when users aren't customers.

So if we don't have user-fueled self-regulation, and we don't have class action, then I'm not sure what we can do short of government regulation. It's a last resort for me, but nothing else seems to have worked on Facebook.

> ... there's a clear disconnect between shareholder incentives and those of the general populace.

This is always the case when the general populace are not customers but products. It cannot not be the case.

> "...they'll no longer use 2FA #'s for ads..."

What are 2FA numbers in the context of ads?

I'm assuming it's meant that a user connects their phone to secure their account, but FB is also using it for marketing etc.

Ah I see, so the same 2FA just repurposed for things it wasn't intended to do. Thanks.

Facebook is already in decline (people have stopped using it, either completely or drastically reduced their usage of it).

The problem is Facebook is allowed to buy rising competitors on its way down, thus prolonging its monopoly in the social media space.

It may be in decline, but like a ship slowing down from light speed, it will take years before there's any significant change in the social media landscape. They have a very long time-frame of opportunity to turn their ship around, and it wouldn't surprise me if they do.

A good real world example is Disney. Disney has been almost broke a few times over its lifetime, yet currently it's so huge that people believe it will never fail again.

Facebook have so much money in the bank, that the moment their primary model is no longer viable, they'll just go to market and buy up the next hot thing, and switch their focus there. They are like an unstoppable pandemic virus in this aspect.

In dystopian sci-fi novels and films, there is commonly the concept of 'The Company' who see-all, and control-all. It used to be that we'd predict it would be IBM, or Microsoft who would be 'The Company', more recently we'd say it would be Google. Currently however, it's more likely to be Facebook.

> It used to be that we'd predict it would be IBM, or Microsoft who would be 'The Company', more recently we'd say it would be Google. Currently however, it's more likely to be Facebook.

This is exactly why we shouldn’t worry about it. The company that we think is going to rule the world forever changes every ten years.

FB seems to be the favorite punching bag for HN, probably because it’s full of people who have tried to set up 600 different startups and raised exactly $0 whereas Zuckerberg made more money than all the people here combined in 100 years.

"Give me as much service as you can while keeping me as far off the grid as possible" is a skill that is sorely lacking in this market. I don't have this problem with weed dealers, but I have this problem with information dealers. Internet companies could seriously learn a thing or two from the black market on how you treat your customers.

Does your weed dealer provide the service for free? If you want to be treated as a $$$ paying customer start paying. Problem with social networks and $$$ is that network effects will not come into effect as not everyone will be willing to pay.

There are actually ethical information dealers but they require you to pay them as you are paying your weed dealer.

Most internet service companies, including Facebook and Google, don't give you the option of paying for privacy even if you wanted to.

I think that if it's possible to define a way of operating businesses in a way that doesn't harvest data in a way that's nonessential to the services, then there should be a law requiring this option: to pay out of your pocket directly the amount of revenue the company would have expected to make, in exchange for the company not doing this data collection. But it seems difficult to get to such a definition. I think this law would be very popular.

Indirectly GDPR does this. All data collection must be either opt in, or necessary to provide the service.

Oh, I forgot an important detail. I should have added another aim I would want is that as a result of paying this money, you wouldn't receive any advertisements from the service.

We're trying to build the idea of "paid for storage" that doesn't look at your stuff, but getting people to pay for a service that others provide with advertising for free is hard.

Any company being truthful about what their customers want can't be tracking them 24-7 and sifting everything they type. Almost no-one wants that level of invasiveness. We just put up with it because there are no real (easy) alternatives or aren't aware.

But does GDPR really allow this business model at all? A website cannot as per GDPR say "accept tracking or we refuse service", if tracking is not necessary to provide the service. Can they say "pay or accept tracking or we refuse service"?

That's exactly what The Washington Post does. They have a free option where "You consent to the use of cookies and tracking by us and third parties to provide you with personalized ads" and a "Premium EU Ad-Free Subscription" with "No on-site advertising or third-party ad tracking".


I happily pay for YouTube Premium, just to avoid ads. I wish I could do the same with Facebook

Do you still get tracked and your data collected if you pay?

Of course, but you don't get served ads.

I'm sure it's possible to advertise without tracking. We did it for years.

I'd whitelist a true advertiser who ditches tracking entirely and focuses more on advertising content relevant to the page it's going on instead. Chances are if I'm looking at some Python programming page or server setup tutorial I'd be more inclined to click on ads relevant to the page as opposed to a creepy ad of something vague as heck that I looked up on Amazon 5 years ago that Amazon really wants to sell, or whatever.

I really would love to see advertisement companies that are less focused on tracking and more focused on ad placement that's relevant to the content it's going on, and hey sometimes there's no relevant ads for content and that's cool too, but at least show anything generic or close enough at that point. Also advertisers who don't do pop ups or annoying ads (that I swear could cause epilepsy on some users) are also good stewards of the online billboard market.

> who ditches tracking entirely

Problem is, it never stays ditched. It's always a slippery slope.

I just don't want to participate in this anymore.

I'd be fine with "visitor count" type of "tracking" as long as it's just that, as far as how many per country / region. No following users around the web, aka no cookies needed. Then you could have a page for advertisers to choose sites to advertise directly on for themselves.

I'd happily attempt a startup/side-project that offers an API for non-tracking advertisements, but I don't think there's space in the market. It'd be very difficult to compete with the existing incumbent advertisers.

minor correction: creepy ads for the things i already purchased two weeks ago. brilliant use of ad targeting spend by companies i already gave my money to

So if I pay GM for a car they won't data-mine me? Just yesterday on HN we learned that this is not the case. Why do you think companies won't take your money and then proceed to sell your data anyway?

You should ask for your money back, because you're already paying in private data.

I'm probably wrong but I feel like there's a market for an ethical advertiser that does no tracking and placed ads by content only. is that impossible? it was reality until the 90s

I think (but might be wrong) that duckduckgo works like that.

They show ads based on the search content rather than via tracking.

I mean, I've paid both Comcast and Verizon a lot of money for internet access, and they both have done awful, privacy-shattering things while I've paid them. (Subverting DNS, X-UIDH header, etc).

Once there's money on the table, companies are going to take it and assume the number of customers who walk away aren't enough to offset the profits.

I mean, if you give a $$$ option instead of giving up data then you removed the intended targets of most ads out of your advertising pool.

The ultimate goal is to make money, not serve ads.

Of course, but I can guarantee Facebook has run the numbers. They are currently doing what makes them the most money. That happens to be ads.

The user data they sell to advertisers has a lot to do with your social network. Who you know, what their interests are, who they know, etc.

For Facebook to allow individuals to pay to opt out of their data being sold, it affects more than just that individual's data. I.e. it affects all their friends and friends-of-friends data.

I expect that the only way Facebook would be able to offer a pay-to-opt-out plan would be for everyone on Facebook to start doing it, which would never work and they would never attempt.

I imagine the most we'll see in this direction is some sort of half-assed attempt where they offer to let you pay them money to stop some tracking, but still continue to do most of it anyway.

That battle has already been lost; between a complete lack of at least semi-anonymous banking (I.E. GNU's Taler, well see notes), ad behemoths, "credit" companies (Experian, etc), and all sorts of proprietary social platforms having a majority of the market roped in: there's a shadow profile in one sense or another for everyone short of the crazy cabin in the wilderness types.

A focus on consumer rights, protections, and building difficult to defraud and difficult to exploit consumer systems is where effort needs to be spent.

* GNU Taler - A digital cash / micro-transaction system that hopes to be audit-able for tax and other legal reasons while still being anonymous for consumers.

Please read about privacy, verifiable in the right ways, and the "operational in 2018" claim



Another personal observation. I have an Instagram account that I thought was fully incognito. I never connected it to any other social account, I used a separate email for authentication etc. Just days after the Instagram founders left Facebook I started receiving friend suggestions on my IG that were very very relevant. Those were people I knew in real life and mostly connected via Facebook but not only. I shouldn't be surprised as being connected to the Internet by itself is an end to your privacy but still, this was probably the spookiest invasion into my privacy so far. Bye-bye Instagram.

This happened to me after Facebook acquired Instagram. I had my mobile no in Instagram profile. Instagram cross-referenced my mobile with my Whatsapp contact list (I haven't given Instagram access to my iPhone contacts). I suddenly got suggestions to follow my colleagues on Insta. Colleagues with whom I interact only on Whatsapp. Since then my trust level in Instagram, Facebook & Whatsapp has gone into negative.

When I was in another country on a business trip I bought a temporary local SIM, originally valid for two weeks but I've kept it active as I travel there often.

I used that foreign number to create my Instagram account and I've gotten the benefit of only being shown suggested accounts from locals from that country (zero people I know). Same goes for ads as well. Currently I keep it on roaming and actually use it to verify other online services that may stubbornly require SMS.

Might be worth a try for those of you looking to pseudo-opt-out of phone number tracking & recommendations on social media services that do this, if you can get your hands on one.

Just as a warning to anyone who might try this, it won't work. (At least not without a massive amount of opsec effort expended on your side.)

I'll give you an example of why it might not work. Since your phone has roaming, you happen to have it with you at work, or at a party, or at the library, or anywhere really. If even a single acquaintance of yours is "nearby", the information is leaked. If acquaintances seem to always be "nearby", children, wives, husbands, siblings, your info is DEFINITELY leaked.

If anyone is going to try to use this strategy for anything which might result in the loss of your livelihood, (eg - porn), please realize there are many, many, many more precautions you will have to take than are listed in oedfmarap's comment. If you just do what you see in that comment, you could find yourself without a job somewhere down the line.

While one would think that this is only important for things you're doing that you don't want the government to know about (see [1] page 52 for details on how not to mess this up -- basically don't have them turned on together, don't turn one off and turn the other on in the same place, or log in to the same sites or store the same numbers on both phones), it's also important for Facebook and other private tracking. If you have Facebook on your burner phone and your friends have Facebook on their phones with location enabled, it's over [2].

[1] https://www.defcon.org/images/defcon-22/dc-22-presentations/...

[2] https://splinternews.com/facebook-is-using-your-phones-locat...

I've seen this, and concluded that friend suggestions must use GPS to see who I am near on a regular basis.

This is absolutely true, when I moved to London a few years ago, I rented a room in a house with 3 other housemates I had never met.

Within 1-2 days, Facebook recommended one of them as a friend - bear in mind I hadn't added any of them to Fb, so all it could have used was our location...

I believe they used Wifi BSSID tracking for that, GPS would be too battery heavy. If you're connected to the same Wifi networks it can reasonably assume you're in the same vicinity.

It's possible Facebook uses location data for this, but I've got an alternate theory.

This happens to me often too, with much briefer encounters: mainly dates and meetups. Since I've shared similar amounts of time at the same restaurant with hundreds or thousands of people with whom I had no interaction, many of whose arrival and departure times would happen by chance to line up with mine, they must be using something else. I also share a duplex-house and an office building with people who've never been inexplicably recommended on Facebook.

From these observations, I've come to think that location data has to play a very small role in Facebook's recommendation system.

Here's my best (but untested) theory to explain this: Your house-mate searched for you on Facebook, which triggered Facebook to think you might be friends.

I’ve seen this happen with YouTube, specifically this video: https://youtu.be/bKgf5PaBzyg

I had watched it many many years ago, and I suddenly remembered about it while at my friend's apartment, (which is in the same building). Now I searched it up on my friend's computer which was logged into his gmail account. We watched it and laughed. However, an hour later, I was on my iPhone at home when it appeared in my related videos.


I refreshed and it was gone...

Definitely location tracking of some sort. IP, location data from the browser (if allowed), and scraping photo metadata can all lead to them associating people.

Are you sure you didn't access it from the same IP address? There are so many fingerprints you are willingly sending to the public.

‘Willingly’? I think unwittingly is more likely.

It's your computer which stores cookie and localStorage data to the local storage. It's your computer which executes the JavaScript program to retrieve that data.

It's your choice to use the same IP address.

It's your will.

I did of course, how could I not access both from the same IP. The bottom line is: a property owner is a property owner even if it comes to separate domain names.

A VPN would be one way

Haven't you used the same web browser for both, Facebook and Instagram? They might just be sharing cookies.

Well, Instagram and FB being 2 separate domains, they shouldn't (in theory at least) be able to access each other's cookies in browser. The tracking is most likely still server side based.

Based on what the OP is writing, the unique identifier for the user can even be the IP address...

They shouldn't be able to access each other's cookies at the browser's level, but instagram.com might include third-party javascript code from facebook.com, which connects the two accounts in the system.

This is a perfect example of the need for physical compartmentation. Separate devices never connected through the same internet service. As far as devices go, to think you have separated “anything” on only one device, you’re living in fantasyland.

If the app can look at your wireless, even that is not enough. It can just make a map of the SSID/BSSID around you.

Statements like this make me want to learn phone OS development just so I can have a better understanding on what information an app can get from the OS. Honest question, why would an app ever need to know the SSID of a wireless network? The app should only care if there is a valid network connection, and then use it. I can see being able to know if it is wifi vs cellular so they can have the option to limit large downloads to wifi only. However, the SSID would not be necessary information for the app.

An example would be an app for associating a device without a screen on to a wireless network. Think IoT devices or Alexa. Saves the user from having to type in the SSID which is a pain.

IP address commonality is probably a major part of this, so using separate devices only helps if they are on different carriers and you never use wifi AND you don't allow location services or practically any other permissions.

With a single device, it's fairly reliable to use a vpn or multiple vpn providers and only log in to each account when connected to a given vpn.

Qubes OS disagrees with you here.

Agreed. From my POV, unless you’re really needing anonymity, I don’t include TOR as a practical solution for day to day needs.

The reason I never give fb my mobile is if you use a pseudonym account, it will suggest your profile as a friend to anyone who has your mobile in their phone contact list (eg ex-partners, stalkers, employers, drug dealers). Found that one out the hard way.

I know Zuck wants me to preemptively upload my nudes, but still.

This is basically how FBI Director Comey's secret Instagram account (and thus Twitter account) was unmasked. But it was even worse - you are suggested to 3rd party people who just follow the people who know you: https://gizmodo.com/this-is-almost-certainly-james-comey-s-t...

Yep, something similar I discovered recently that if you sign up to Instagram with somebody's email that they use on Facebook then within a day or two you'll start to see all of their friends from Facebook who are also on Instagram in your recommended follows. All of this happens without email verification.

Yep, I have a relatively common name and @gmail.com address. Last week, some guy with my name signed up for Instagram with my email address and started posting without ever verifying his email.

I reset his password and tried to close the account after he kept trying to access it by resetting his password again. Instagram support asked me to send a clear photo of myself holding up some random number to prove it was me. Nope lol.

> All of this happens without email verification

This has very interesting consequences...

Whoa... so it was around in the open since around 2013, and still not fixed? 0_0

Almost every shop does this, no verification before use. ffs, at least provide a "report not mine" function.

I've only ever seen a "report not mine" function from Google. Where else have you seen it? I am not on FB/LinkedIn/most similar ones, so I may be missing examples.

You can even do a search by mobile number, by typing a mobile number into the search without pressing enter.

Depending on the owner's security settings, Facebook will often suggest the profile of the person in the type-aheaded search results.

I believe they removed this feature a couple of months ago.

Lucky you already have your account. These days you can sign up for one without a phone number, but then you flat-out can't sign in without giving one.

> The reason I never give fb my mobile

Here's the issue with it. You might not give it but your friends would. Therefore, this strategy is pretty useless as network effects kick in.

TIP which I discovered by accident: create a bogus account with your phone number.

Facebook will remove the phone number from your account when you do that. You can also use that to check who are your friends who gave FB your phone number.

> You can also use that to check who are your friends who gave FB your phone number.

Can you explain further how this will work?

Probably by suggesting users who have your number as friends.

this is an interesting idea but probably one already-implemented feature from being circumvented

FB's terms of service do not allow pseudonym accounts.

Do people honestly give a shit about terms of service?

Yes. Especially ones with broad arbitration clauses, and double especially ones where your access to the courts is determined by whether you opt out within a short time period after agreeing to them.

These are frighteningly common, typically enforceable in the US even for consumers, and typically enforceable in most countries for even small business customers (though rarely for consumers in much of Canada and Europe if the vendor has enough ties to the area for local consumer protection law to apply and you win the race to the courthouse).

recently interviewed at Facebook (didn't pass the in-person) and one thing I was looking for was a job that WASN'T based on ads. I didn't want to come across negative so I was circumspect in my asking ("Tell me about the positions at Facebook that I as an outsider don't know about - I know ads, messaging, and events"). I wasn't really excited by the answers I got - ads seemed worked into everything they brought up, but the answers weren't super-nefarious either. This was the Seattle office, which apparently has a strong ads-basis. Because they hire people and then (allegedly) let them pick from available team openings (after a "bootcamp" to do onboarding), I simultaneously felt like I'd have a chance to avoid the worst but also couldn't be sure of what I was committing to. I didn't pass the interview and the few weeks since have tried very hard to make me not regret that by raising issues like this one, despite my natural tendency to give FB the benefit of the doubt and to recognize the difficulty of moderating speech sanely.

I've never had such uncertainty about what a job would involve before - the "you find your match" sounded good initially, but in retrospect I'm wondering if I dodged a bullet - so hard to know.

There's Oculus and Building 8. Also, backend infra stuff.

I find it interesting that you would absolve yourself for working for Facebook just because you wouldn't be working directly on ads. Facebook is an ad company with services attached (a fairly reprehensible one in my opinion). If you work for them, you are helping them achieve their goals, which ultimately is about serving people ads, it doesn't matter what particular role you are doing there.

"absolve" is not the correct term (I think) - I don't find ads particularly offensive, I just don't ENJOY them, and I was looking for a job I'd enjoy and enjoy telling people about. I'm perfectly fine with ads existing, though I'm supportive of being able to buy my way out of them. (You can raise issues about ads being inherently deceptive and manipulative, and I wouldn't say you're wrong, but I've not taken a position against them...yet)

That facebook is doing bad things because ads are their only real source of income is a problem because of the bad things, not the ads. At the time the primary concern was "what should facebook be doing about de facto empowering hate speech and (actual) fake news?" and that's a tricky problem that I don't think has a resolved answer, and I sympathize with those that empower communication and only later realize people have more desire to trash things than apply rational caution. Since then much more has come out about some FB practices (and Google), and the question of whether ads-as-your-primary-revenue-source is too much incentive to be "evil" is being implicitly raised, but is likewise not yet resolved.

That said, I do think there are lines to draw and lines not worth drawing. There's very few jobs that don't end up supporting bad things. I don't think it's right to pretend that if you aren't doing it directly that you AREN'T supporting such things...but I also think it's sometimes unrealistic to make your situation worse to deny an indirect support. Deciding where that line lives is an individual decision, and one I have to regularly re-evaluate. To expand my point in the previous post, the news coming out about FB practices definitely made me feel like I'd have been uncomfortable even if I wasn't working directly in ads.

> They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks.

I have always been suspicious of the aggressive "give us your phone number to secure your account" campaigns that so many sites/apps are running. And I think this is a HUGE disservice to users.

At first I was like, cool, companies are being responsible and encouraging good security practices, good on them. But there was something a touch too.. aggressive and "marketing-y" about it. It raised my spidey sense. Maybe the form and frequency and placement of them just was too familiar to previous campaigns to grab your email for "opt in" spam.

All of these companies should be shamed to high hell. Getting people to adopt 2FA is so important and here they are shamelessly exploiting it to market to you for undisclosed purposes.. well, buried in the privacy policy, but you know how that goes. The prompt is 100% about securing your account and nothing mentioned there about using it for targeting.

Seriously F these companies for breaking user trust.

ALSO: Did Zuckerberg lie to Congress?[1]

[1] https://techcrunch.com/2018/04/11/facebook-shadow-profiles-h...
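Added example (not part of the thread, and not Facebook's code): a small Python model of the behaviour quoted above, where any phone number on file can be matched against an advertiser's hashed list, next to a purpose-bound matcher that refuses numbers collected only for 2FA. The purpose labels, store layout, normalization rule and phone numbers are all constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Purpose labels are assumptions made for this example.
SECURITY_2FA = "security_2fa"      # number given to secure the account
CONTACT_IMPORT = "contact_import"  # number learned from someone else's address book
PROFILE = "profile"                # number the user added to their own profile
ADS_MATCHING = "ads_matching"      # user was told the number is used for ad matching


@dataclass(frozen=True)
class ContactPoint:
    user_id: str
    phone: str
    purposes: frozenset  # purposes disclosed when the number was collected


def normalize_phone(raw: str, default_cc: str = "1") -> str:
    """Reduce a number to country code + digits (simplified, not full E.164).

    Assumes a 10-digit number without prefix is national and gets default_cc.
    """
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if len(digits) == 10:
        return default_cc + digits
    return digits


def match_key(raw: str) -> str:
    """Hash of the normalized number: the join key both sides can compute."""
    return hashlib.sha256(normalize_phone(raw).encode("ascii")).hexdigest()


def match_any_number(store, uploaded_hashes):
    """Purpose-blind matching: every number on file is targetable."""
    return sorted({cp.user_id for cp in store
                   if match_key(cp.phone) in uploaded_hashes})


def match_purpose_bound(store, uploaded_hashes):
    """Only numbers collected with the ads purpose may be matched."""
    return sorted({cp.user_id for cp in store
                   if ADS_MATCHING in cp.purposes
                   and match_key(cp.phone) in uploaded_hashes})


def purpose_violations(store, uploaded_hashes):
    """Audit: users a purpose-blind match would reach via non-ads numbers."""
    found = {}
    for cp in store:
        if match_key(cp.phone) in uploaded_hashes and ADS_MATCHING not in cp.purposes:
            found.setdefault(cp.user_id, set()).update(cp.purposes)
    return {user: sorted(purposes) for user, purposes in found.items()}


# Constructed sample data (555-01xx numbers are reserved for fiction).
STORE = [
    ContactPoint("alice", "+14155550101", frozenset({SECURITY_2FA})),
    ContactPoint("bob", "(415) 555-0102", frozenset({PROFILE, ADS_MATCHING})),
    ContactPoint("carol", "+1 415 555 0103", frozenset({CONTACT_IMPORT})),
]

# The advertiser hashes its own customer list; formats differ, keys do not.
ADVERTISER_UPLOAD = {
    match_key(n)
    for n in ("+1 (415) 555-0101", "415-555-0102", "0014155550103")
}

if __name__ == "__main__":
    print("purpose-blind :", match_any_number(STORE, ADVERTISER_UPLOAD))
    print("purpose-bound :", match_purpose_bound(STORE, ADVERTISER_UPLOAD))
    print("violations    :", purpose_violations(STORE, ADVERTISER_UPLOAD))
```

Hashing the number does nothing to limit matching here: both sides normalize and hash the same way, so the hash is just a join key, and only the purpose check changes who is reachable.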

I am becoming anxious to see some action out of the DOJ Anti-Trust division against Google, Facebook, and Amazon, etc. These tech behemoths effectively own most of the consumer internet and they use their muscle to either acquire or force out the majority of other players. More regulation is not going to cut it (or else it would have already).

In America (and most places), law normally lags quite a bit behind the events of the day. Standard Oil destroyed markets unchecked for several decades in the 1800s. No individual or company could withstand their market power. Then the government divided it into dozens of vertically integrated companies, which allowed for a wave of new market entrants, better deals for consumers, and higher standards of living for more people.

We are obviously at that breaking point now with the tech behemoths and their sprawling, impregnable market power. It is time for antitrust action against Facebook and the gang.

I think we need proper privacy measures, since the misuse of data is not necessarily an "antitrust issue". For instance, would breaking up Facebook really mean that the newly formed constituents respected privacy? And would antitrust enforcement against Google or Facebook reduce privacy exploitation by smaller entities?

I'd argue that it would not -- 1,000 small Facebooks could still violate privacy. Creating privacy legislation is the only real way to achieve proper privacy guarantees.

When people suggested phone 2fa was a data collection scheme they were hushed and called tinfoils.

While I share the sentiment, I think I should be fair to HN: according to a quick search I've just performed, I brought up the topic 4 times in comments over 3 years, and those comments have scores of 7, -4, 16, and 3 [1][2][3][4]. So saying that I was "hushed and called tinfoil" would not be fair to HN.

[1] https://news.ycombinator.com/item?id=17515029

[2] https://news.ycombinator.com/item?id=14105696

[3] https://news.ycombinator.com/item?id=12782158

[4] https://news.ycombinator.com/item?id=9804876

People still do that when you point out that using a phone number as a required identifier (WhatsApp, Signal, etc.) gives every 'free' service a near perfect unique identifier that's the same for all services used by that person. Ideal for cross-service collation.

Who wants a social security number when you've got someone's phone number?

Except that a phone number is as quickly and easily disposable and changeable as an email address or any other identifier?

I talked with the lead engineers from a company back in 2014, that shall remain nameless, that bought private profile data from Facebook, ran it through a bunch of algorithmic mumbo jumbo, and sold the aggregated data to marketing firms. They acted like this was really cool and awesome, much like the wide-eyed cultists. It was very creepy, and I backed away slowly even though this place was looking for more engineers.

This kind of thing has been going on forever, and I've told people this. 99% of people don't actually care, though.

Are you sure the "private profile data" wasn't aggregated before it was sold? Either way, selling private data is not something Facebook is actually known to do much (outside of misunderstandings by confused activists/journalists). If you contact me (info in profile) I'm very curious to understand more.

Maybe they bought it from someone violating the terms of setting up a Facebook app? I can't stress that this shit's illegal but I also can't stress how the Cambridge Analytica scandal showed that Facebook had almost no way of regulating this.

You can personally decide not to use Facebook, which is good. But you can't convince everybody to do that. So if you or your family members do use Facebook, at least install an ad blocker for all of them.

Not for privacy, but to deny them revenue. I block Google ads on every single site I visit, period. I don't care if the advertising is non-obtrusive. If it's being run through Google, part of that revenue is going to fuel Google's tracking. I support creators directly instead. And if creators refuse to give me a way to support them, that's not an excuse to expect me to contribute to Google's bottom line.

Huge props to the people who are working on blocking trackers and protecting privacy. I'm very glad they exist, and I don't think their efforts are worthless. But, it is currently a losing battle to fight these companies on the privacy front, because the tracking model is so profitable that they will always be pushing more resources into it than we are. Collectively, the people fighting for privacy don't have enough resources to win.

But there's an easy, completely legal solution to that problem; the one thing companies haven't figured out how to get around is ad blocking. And a good ad blocker will block even native ads. For a company like Facebook, all of this boils down to getting you to click on ads. If enough people target that chokepoint, then the advertisers will start pulling out of the system, and there'll be less financial incentive for these companies to undermine people's security and privacy.

And we have evidence that this works. Even Google, which is the powerhouse for getting their ads to actually show up, is starting to devote more resources into trying to figure out how to stop mainstream people from installing adblockers. That's where all the autoplay stuff came from, that's where the acceptable ads initiative came from. They desperately want your roommate to say, "I'm not going to mess around with these weird Chrome extensions or whatever, that's too complicated. Chrome blocks this stuff itself, anyway."

Install adblock on every browser you get access to, tell ordinary people who aren't on HN to use it, and let the advertising industry kill itself. Make it very obvious to companies that buying ads on Facebook is a complete waste of time because even non-technical users just won't see them.

> You can personally decide not to use Facebook, which is good. But you can't convince everybody to do that.

Pretty scary.

Which means Facebook has a shadow profile of you even if you don't use it at all: http://theconversation.com/shadow-profiles-facebook-knows-ab...

Yep. And I don't know a way to get around shadow profiles.

We should try to find one. I fully support the privacy fixes people are proposing. I think that's really important. But it's pretty obvious that Facebook is winning right now.

However, the only thing that Facebook cares about is getting you to click on an ad. So even if you can't stop Facebook from getting a shadow profile on you, at least you can make that profile worthless by blocking ads literally everywhere that Facebook can think to display them to you, for you and your family/friends.

And you can be public about it to ensure that when Facebook goes to companies and says, "we have all this data for your next campaign", somebody in the sales-pitch meeting raises their hand and says, "yeah, but nobody looks at your ads."

The workaround is called GDPR. A shadow account is illegal with that.

The standard official Facebook response to this is that you do not own your "shadow profile" since it's a profile made out of data gathered from other people and companies, and thus they can not let you control it. In other words "it is not your data".

I doubt that holds in court, but as mentioned in the article, there are people in the EU who for months have tried to get Facebook to provide the shadow profile data on GDPR grounds, and Facebook has yet to allow it.

It seems like Facebook can afford to stall, they've got more knowledge and power than a single EU citizen can have, so I'm sure they know what they're doing.


To be honest, I think Facebook is in breach of _multiple_ GDPR articles _simultaneously_ here, which is quite a feat in itself.

They're in breach of:

- Privacy by Design (a.k.a. Privacy by Default)

- Right to Access

- Right to Be Forgotten (which is older than GDPR..?)

- Data Portability

Then again, Facebook is not alone. I'm pretty sure there are very, very few companies on the web that are not in breach of GDPR at least in spirit, if not in letter.

>I doubt that holds in court

There's a zero chance that holds in court. If it were possible to have a negative chance it would have a negative chance of holding in court.

Data protection does not in any way relate to "ownership" of data.

If the data are personal data then you are forbidden from processing that data unless you have one of seven lawful bases enumerated in the GDPR, and where the data are sensitive then those bases are reduced further.

So this is an interesting scenario that I've seen people bring up before, but I've never been completely clear on the answer. Let's say I'm using an online virtual assistant with auto-replies and stuff like that, and I upload your contact information and phone number so it can help me manage my schedule/emails/etc...

Under GDPR, the company I just gave that information to doesn't have your permission. So, let's say that later on, you go to the company and say, "hey, delete any information about me." For them to comply, they can't keep on syncing your contact information in my address book, right?

I guess, how does GDPR handle a situation where a separate customer is going to Facebook and saying, "hey, let me put in that I'm X's cousin"? Should Facebook block that person from specifying the relationship in the UI? Or would that just fall under "essential for business"?

What if they don't keep an account but just a query that can return results like an account?

How would that work?

That doesn't make a difference. GDPR doesn't talk about data ownership; it talks about data on persons. If it's data about me it's not allowed to hold it if there is no otherwise relationship.

You gave an idea for a weekend project. Posting here in case I change my mind and slack on something else.

Instead of deleting Facebook (or not having it), create a shell profile, just enough for your family to pointlessly add. Then subscribe the account with a service (aka The Idea) that simply posts a once-a-month post on how to install ad blockers and such.

As an FB Marketing API developer, this has been available for several years. The way it works, advertisers can send their phone list to FB for ad targeting. However, phone hashes are sent, not clear ones.

Personally, as long as the user has opt-out and opt-in options, I don’t think ad targeting is necessarily an unethical pattern, the blurring lines of ads and recommendations would be actually a pattern that users might like. Would you rather use Netflix or Spotify without recommendation engine?

Thanks for the info - didn't think of this angle (i.e. advertising sending a list of numbers to target, and facebook tying that to their cookie ID they have on you). There I was wondering how this works in a browser since browsers don't know your phone's number (right?).

> Would you rather use Netflix or Spotify without recommendation engine?

100% yes.

Personally for me the term "personalisation" is becoming a dirty word and I am becoming uneasy when I hear it mentioned in design docs and product launches etc. I don't want to see what some algorithm thinks I want to see. Instead I would prefer to see the real, unfiltered, unfettered data. I think the whole Fake News outcry started me thinking about it in a more deep way.

Imagine if you went into a fancy restaurant for some special occasion and the waiter took a look at you as you walked in and brought you a "special" menu based on some decision they made silently in their own head about what they think you want. Rightly you'd want to see the full menu and not just what they think you want to see. Sure I'd welcome them pointing out some highlights on the menu, but I'd appreciate seeing the whole thing before making up my own mind.

As a result now I use DuckDuckGo exclusively and have Firefox set up with Google Container[1] to keep the Google cookies separate from everything else (I don't use facebook at all so their cookies are entirely blocked as 3rd party) as well as the usual uBlock Origin, privacy badger et al. I am even toying with the idea of moving away from my gmail that I've been using since 2004/05.

1 - https://addons.mozilla.org/en-US/firefox/addon/google-contai...

> Personally for me the term "personalisation" is becoming a dirty word and I am becoming uneasy when I hear it mentioned in design docs and product launches etc. I don't want to see what some algorithm thinks I want to see. Instead I would prefer to see the real, unfiltered, unfettered data. I think the whole Fake News outcry started me thinking about it in a more deep way.

That's also a corruption of the meaning of "personalisation." Personalisation is about me making choices to adapt a product to my preferences, it's not about the product making choices about how to interact with me.

Real personalisation would be having the (sticky) option to shut the algorithm off and "see the real, unfiltered, unfettered data."

I disagree. Blurring the lines between ads and recommendations is super creepy[0].

Anyway, I still upvoted your comment, because it's interesting to read what someone working at FB has to say on this.

[0]: https://readwrite.com/2012/12/11/why-are-dead-people-liking-...

EDIT: Images seem to be missing from the original link, so here is an archived version: https://web.archive.org/web/https://readwrite.com/2012/12/11...

> However, phone hashes are sent, not clear ones.

The space of phone numbers is small enough that this is not a significant consideration.

"No worries we hashed IP addresses"

Advertising destroys recommendations. Suddenly it's not based on any genuine attempt to work out what the user might like but only what benefits the margins of the advertiser. This is why Google's adverts are in a separate box at the top, un-mingled with the search results.

>However, phone hashes are sent, not clear ones.

Lol! Phone numbers have less than 40 bits of entropy, it's trivial to break those hashes.

Salt them.

How would that work in this setup?

If Facebook were required to hash and salt phone numbers, then the correct 2FA value might still work (it would match the salt and hash), but an arbitrary list of submitted values would be expensive to match to the hashed set.

Facebook would be unable to contact the user via SMS, they would have to issue a token via WWW or app and have the user text that to a specific address from the corresponding phone number to achieve phone-based 2FA. This might even be a third-party service to deny FB any direct access to the phone number.

The verification channel might become a phishing target via spoofed FB pages or apps, though that would be moderately expensive and of limited use. An attacker might request FB login credentials (the actual verification would not), might acquire a phone number (generally, though not always, a non-critical datapoint), and would still be denied account access via 2FA without further compromises, say, social-engineering the phone account (a proven risk, though expensive at scale).

Tildes.net uses a similar mechanism for recovery email addresses.

> However, phone hashes are sent, not clear ones.

A 10-digit number is only 10 billion possibilities, much less if you consider that they aren't completely random and have area codes, etc.

You can probably brute-force a hash of a phone number in seconds to minutes _on a CPU_.
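Added example, not part of any comment in this thread: it illustrates the two points raised above, that an unsalted hash of a phone number is recoverable by enumerating the number space, and that per-record salting removes the cheap hash-to-hash list match while still letting a claimed number be verified. SHA-256, PBKDF2, the work factor and the sample number (from the 555-01xx range reserved for fiction) are assumptions; the thread names no specific hash.

```python
import hashlib
import hmac
import math
import os

# Constructed sample: 555-01xx numbers are reserved for fictional use.
SAMPLE_NUMBER = "+12025550143"
PBKDF2_ITERATIONS = 100_000  # illustrative work factor (assumption)


def entropy_bits(digits: int) -> float:
    """Upper bound on the entropy of a uniformly random n-digit number."""
    return digits * math.log2(10)


def unsalted_hash(number: str) -> str:
    """Plain SHA-256 of the normalized number (hash choice is assumed)."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def recover_by_enumeration(target_hash: str, prefix: str, suffix_digits: int):
    """Walk every number sharing a known prefix; return the one that matches.

    With country and area code known, only the remaining digits are unknown,
    which is why the hash hides so little.
    """
    for i in range(10 ** suffix_digits):
        candidate = f"{prefix}{i:0{suffix_digits}d}"
        if unsalted_hash(candidate) == target_hash:
            return candidate
    return None


def salted_record(number: str, salt: bytes = None):
    """Store a random per-record salt plus a slow, salted digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", number.encode("ascii"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_claimed_number(number: str, salt: bytes, digest: bytes) -> bool:
    """The legitimate check still works: recompute with the stored salt."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", number.encode("ascii"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


def join_on_hash(uploaded_hashes, stored_values):
    """Hash-based list matching is just a set intersection."""
    return set(uploaded_hashes) & set(stored_values)


if __name__ == "__main__":
    print(f"10 digits carry at most {entropy_bits(10):.1f} bits")

    uploaded = unsalted_hash(SAMPLE_NUMBER)
    print("recovered:", recover_by_enumeration(uploaded, "+1202555", 4))

    # Unsalted store: an uploaded hash joins directly against stored hashes.
    print("unsalted join:", len(join_on_hash([uploaded], [uploaded])), "match")

    # Salted store: the same upload matches nothing, yet the owner of the
    # number can still be verified against the record.
    salt, digest = salted_record(SAMPLE_NUMBER)
    print("salted join:", len(join_on_hash([uploaded], [digest.hex()])), "match")
    print("verify:", verify_claimed_number(SAMPLE_NUMBER, salt, digest))
```

Salting does not protect a record from whoever holds its salt: that party can still enumerate the number space, only at the cost of one slow derivation per candidate per record.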

> However, phone hashes are sent, not clear ones.

Somehow, the knowledge that the efforts to tie every trace of my existence together to help marketers target ads to me are done in a cryptographically secure fashion is not entirely comforting.

In general, I have been unimpressed with recommendation engines of any sort. Spotify can't suggest music I'd like worth a damn, and it's working within a relatively specific domain. Whatever fractional gains in ad relevance are currently obtained from this aren't worth the privacy invasions needed to obtain them.

> are done in a cryptographically secure fashion is not entirely comforting.

It's not even cryptographically secure, a phone number is like a 10 digit number that isn't even completely random because of area codes, trivially brute-forceable.

> Would you rather use Netflix or Spotify without recommendation engine?

Hell yes.

Related artists per track, that would be more than enough.

> Would you rather use Netflix or Spotify without recommendation engine?

I'd rather it didn't have a recommendation engine. I'm fed up with it trying to get me to watch something else - I'd rather it just stay out of my way.

Speaking as someone who hasn't used facebook in years, I think it's awkward trying to compare it with netflix/spotify. The latter are narrowly-focussed, with a clear target for recommendvertising - i.e. I am viewing a film or listening to music, the case for suggesting another is pretty good, and useful. That's very different from, for example, recommending a product to me when I'm viewing my friends' photos.

Also, one pays for Netflix, and there are no ads. They try to give you, the user/customer, a better experience, so that more users/customers sign up and pay.

Needless to say, Facebook's goals and incentives are very different.

And you use Netflix to watch videos and Spotify to listen to Music, no problem in being offered other, personalised, videos and music.

But on Facebook people go for socialising, and not to get personalised ads.

All my personal details on Facebook are (and have always been) false. My phone number is the number of a hotel in Monte Carlo. When Facebook nagged me to give them my mobile number for 2fa I ignored them. My friends thought I was crazy. I know it's not exactly gracious of me but feeling very self righteous right about now.

Your friends also gave Facebook your actual phone number too....

Facebook app abuses your phone's internal Contacts API.

Effectively, you are linked and your main Facebook account is known to be a pseudonym already

So you're stuffing it full of false data, but still connected to people who aren't stuffing it full of false data?

That seems like a lot of effort for no real payoff.

This is basically the only reason I don't "delete" my Facebook account. I have so many family members and friends that I cannot realistically prevent putting pictures and the like about me on Facebook.

At least I can see some of what Facebook has about me instead of none.

The other really stupid thing, besides generally hurting the adoption of 2FA forever, is that they probably did it for hardly more than scraps, compared to their conventional ad targeting capabilities.

Maybe I am completely wrong about this, but I'm pretty convinced that almost all of the ad spending for that feature would have reached Facebook's coffers anyways had it not been available.

At Facebook's scale even the scraps can be worth millions.

And the sad truth is that the vast majority of people will not be deterred by, be aware of, or even understand the fact that Facebook is abusing their phone number in this way, so as far as Facebook is concerned it's a small bump in the long road to increased profitability.

> At Facebook's scale even the scraps can be worth millions.

Sure, but the same is true about negative headlines, the effect is just more difficult to quantify.

Maybe it's a general world view problem within Facebook, but usually these things are the result of one overly ambitious person or group optimizing the singular bonus metric of their own little fiefdom at the cost of corporation-wide commons. Big organizations need to be extremely vigilant in their defense against internal foes who won't blink an eye costing the company billions for a gain of millions as long as the latter will be attributed to them while the former won't.

"Millions" is still scraps to a company with the scale of Facebook

> An ever increasing craving for an ever diminishing pleasure is the formula. It is more certain; and it's better style. To get the man's soul and give him nothing in return -that is what really gladdens our Father's(0) heart. - C.S. Lewis, senior demon to a junior, 'Screwtape Letters'. (0) Satan

Same can be said about personally-targeted advertising in general. Really, how more effective is it?

For exotic niche products, incredibly. On Facebook, you can advertise to golfers who don't subscribe to a golf magazine. This is new and valuable (to everybody except the publishers of golf magazines, who suddenly have to face competition in golf-specific ad-spending). But if you are selling washing detergents, even the tiniest premium for targeted over untargeted would be a waste.

> A spokesman also told us that users can opt out of this ad-based repurposing of their security digits by not using phone number based 2FA.

That's one way to encourage people to use 2FA App, I guess.

Note however that to enable any other type of 2FA you first have to give them your phone number. You can delete your phone number afterward, but it's too late, they have seen everything.

Well it won't matter once you change your number, but nobody should have to consciously think about doing that because the company you gave it to is using it for non-user account security purposes.

Interesting, thanks for letting me know. I don't have an account. I understand _why_ they require you to verify a phone number though, for the exact reason this article explains.

The phone number isn't for your protection (it's actually really terrible for 2FA), it's for Facebook's protection. It's an anti-bot mechanism to require a unique phone number for each account, or no more than 5 accounts per number or so.

They also refuse VoIP numbers for authentication.

Yeah, but it looks like it still doesn't work if you switch to the app after having given them your phone number for 2FA. The sentence that follows your quote says:

>>(Albeit, the company only added the ability to do non-mobile phone based 2FA back in May, so anyone before then was all outta luck.)

Can you actually "opt out" of that number being used or is the spokesperson just saying "we don't get your number via this method if you never give it to us via this method"?

I.e. if you switch from using a 2FA phone number to using the app do they stop using that phone number in your facebook profile? And your shadow profile?

Didn't we have this discussion already earlier this year and they told us it was an unfortunate bug and that it has been fixed?

Yes. Yes. We did: https://www.theverge.com/2018/2/16/17022162/facebook-two-fac...

not relevant

I think it is relevant: back in February they made us believe that them using 2FA phone numbers for marketing purposes was a bug and today we learn that them using 2FA phone numbers for marketing purposes is a feature.

So either they lied in February or they have changed their minds. Either way, I think there is value to bring this very similar discussion back to our minds.

Facebook gonna Facebook. It's long past time to consider regulation of an ethically bankrupt corporation.

"four months ago" they stopped requiring it for 2FA, that's the time GDPR came in.

I wonder if Facebook acts differently for European users?

No regulation needed, just avoid using their 'services' and block anything facebook at the point of access. They might keep 'shadow profiles' and use facial recognition to find you on images posted by others but if you keep them out of your network they can have a ball trying to target their advertising at that closed door.

Not that I allow any advertising here, mind you - everything is blocked at the router (ipset [1] comes in handy here), at the client and in the browser. This works at home as well as abroad since I route all my data through a VPN (OpenVPN) terminating at my router.

[1] http://ipset.netfilter.org

Then it definitely sounds like regulation is required, the vast majority of Facebook's users don't know how to do all that. The public should not have to protect themselves from unethical companies, the companies should have to stop with their unethical behavior lest the government shuts them down.

Drawn to its logical extreme, you don't need regulation to be protected from racketeering if you run a restaurant either, you can just hire private security and arm yourself.

It would be really surprising if that was a facebook only thing. For starters Google pesters me at least as much to add my phone number to secure my account.

I think it will stop pestering you for a phone number if you give it some neutral second factor like a Security Key?

(Security Keys are actually way more anonymous than I'd even thought possible until I understood how they work, if you know Susie uses the same key for DropBox and GitHub, and you suspect Susie also uses this key for the account NumberOneSecretTrumpFan on GitHub, and then you steal all the account credentials from GitHub somehow, this doesn't end up being enough to verify that Susie has the same key as NumberOneSecretTrumpFan, nor is it enough to sign into Susie's DropBox account, and unless GitHub's data includes the backup passphrases or whatever it's not even enough to sign into GitHub as Susie, NumberOneSecretTrumpFan, or any other Security Key user...)

I'm not sure how it is now, but for a long time Google required you to enable SMS auth (by giving your phone number) before you could enable TOTP or other 2FA methods.

You generally don't regulate companies, but whole industries. Then you punish companies for breaking the industry regulations.

Why have costly government regulation when users can just quit?

Plenty of other online and offline ways to connect with the people in your life.

Users cannot "just quit". Facebook probably has a profile for my grandma who never touched a PC in her whole life.

Many people can't quit because they are addicted, but there is an option to permanently delete your account and it takes about 5min. I'm not aware of Facebook creating profiles for people that haven't signed up for their service. If so, that should definitely be illegal.

The government should have bigger fish to fry than trying to regulate the distribution of information that you have and continue to willingly provide to a company. If you don't like it, sure government could jump in and make Facebook just how you like it, or you could delete the info you don't want them to have. The latter sounds easier on everyone.

Why have costly government regulation when people can just not breathe polluted air?

There are some things users/people did not sign up for and cannot (reasonably) opt out of that still harm them. This is what regulations are for.

Air is a necessity, Facebook is not. I don't use Facebook and personally don't want my tax dollars spent overseeing a non-essential service. I'd rather send our tax dollars towards environmental pollution and areas that actually affect us all much more seriously.

The point wasn't that Facebook is a necessity. It's that Facebook is unavoidable.

Unfortunately, whether you created a profile or not, you can't just "not use Facebook" with their whole shadow profiles.

Sure, they aren't (currently) pumping waste into the environment. I'm not saying those things aren't important, but I do think we're going to look back 10 years from now and wonder how we let Facebook even get this bad.
