Hacker News new | past | comments | ask | show | jobs | submit login
Facebook won’t let you opt out of its phone number ‘look up’ setting (techcrunch.com)
586 points by longdefeat on Mar 4, 2019 | hide | past | favorite | 243 comments

This will make keeping your social media private during recruiting much much harder because rather than trying to search for your name on FB or your email, an interviewer can just search your listed contact number. Names are often not unique but phone numbers are.

This matters because creating a new email account for recruiting is trivial, yet creating a new phone number for recruiting is not. Most phones are not dual sim, and you want to have a phone on you in case the recruiter or future employer calls. Hence the account id rate using a phone number should be much higher and makes it dramatically easier to find somebody.

The nasty part is even if you rename your account to your "first-name middle-name" or an alias, you could be found out via phone number search. So simply renaming your account no longer ensures random recruiters can't just find your profile. Your FB name could be "giant blue monkey" which prevents a regular name search but would still be identifiable via phone number search.

There are also a non negligible number of people using an alias on facebook because they have good reason.

Apparently when a woman uses a pseudonym on facebook, it is not unlikely that it is because of a nasty/stalkerish ex that she would rather get away from.

I am actually in favor of a transparent society (a la david brin) , but we have to grown up a lot and handle such cases before the advantages that come with it can even be contemplated.

> in favor of a transparent society

I suggest you read The Transparent Society by Byung-Chul Han. It’s a brutal 50-page indictment of the hypercult of transparency and its effects on the human soul, on the political discourse, and on traditional values like truth and beauty. Might change your view on the costs of transparency.

The Hypercult of Transparency[nice choice of words!] exists because people keep falling for the Transparency=Accountability meme. And until the rather recent advent of homeomorphic encryption, that meme did have some rather humongous amounts of truth to it. However, given the existence of homeomorphic encryption, this no longer rings true.

Speaking of homeomorphic encryption and Facebook:


Whats the connection between discussions about "the cult of transparency" and homeomorphic encryption?

Presumably that accountability could be achieved despite secrecy, through code. Also see Zero-knowledge proofs


The three body problem book part 2 also explores a fully transparent society; It's really interesting with all the sides effects (They can't lie, etc.). I recommend anyone to read it !

I read the first and while the ideas explored were interesting, I found the writing itself to be completely off-putting:

- first of all, Three Body seems like the most boring videogame ever developed, not sure how people could actually be believably playing that.

- the characters are pretty much caricatures of stereotypes (the cop), or just plain uninteresting.

- the massive exposure/infodump chapters killed the immersion from me, especially the ones written from the point of view of the other side of the conflict: it really felt like the author was getting towards the end and wanted to Explain All The Things, but couldn't find a subtle way to do so within the narrative, therefore decided to just vomit it all in a single spurt.

I was really looking forward to it but found it disappointing, won't read any more from this author.

Agreed, it's some of the worst prose I've ever read. Since I don't read Mandarin, I can't know how much of it can be blamed on the author and how much on the translator. There are some really interesting ideas in the novel but also some patently absurd ones, not to mention the terrible dialogue and characters.

I felt the same. I wonder if some of these issues stem from the fact that the book was originally written in Chinese (iirc)... maybe some of the infodump sections seem more natural in the original tongue?

Isn't the premise of that book that privacy is a deep human need, and that its erosion goes against our intent?

I would argue that the next generation coming up will have little to no _need_ for privacy. When you grow up with nanny cams in your bedroom, privacy per se isn't even valued, let alone met with an expectation.

Nanny cams won’t change the fundamental nature of human beings. If privacy was a deep human need a generation ago, it will continue to be for foreseeable generations. Technology has created an illusion of progress and transcendance of our own nature but in truth we’re still merely advanced primates.

There is a thoughtful counterargument to Han here:


IMO it doesn't sufficiently deal with the problems of the "full transparancy" ideal that Han points out though.

> Apparently when a woman uses a pseudonym on facebook, it is not unlikely that it is because of a nasty/stalkerish ex that she would rather get away from.

Also men do this...

>Also men do this...

True story. A stalker found my blog via my Instagram account and commented some far-out there shit on it, inferring a conversation that we never even had, "Told you that you weren't dead." WTF!?

Now, it's pseudonyms, pseudonyms everywhere; except, of course, where it serves a necessity to have your actual name being used, such as on LinkedIn, but even those will be discarded, as soon as it's no longer necessary. (Necessity, here, meaning seeking gainful employment.)

see also: Any employee in the education sector would have good reason.

I wonder how long it takes until the whole teaching profession just collectively decides to adopt professional pseudonyms. Would make "child at same school"-situations even more awkward I guess.

My mother was my french teacher at school three times. At home she was "mom" and in class she was "madame". It was not complicated.

That being said I did once call my male first grade teacher "mom" so maybe I'm not a good example

The issue would be safeguarding.

There's no problem what name the school has you on the books for. There's no reason what they have on file/police checks is the same name presented on office doors, emails and to parents.

We do this all the time for students that can't/won't use their legal names in school for a number of reasons.

I guess it is just a matter of getting the right systems in place to manage the administrative overhead.

There are quite a few lines of work where this might not be a bad idea. E.g. also Police and government employees in general.

While I appreciate the premise and good intent, the transparent society sounds like an idealized Girardian nightmare to me.

We had a million years to grow up, I don't think we'll ever get there (without drastic measures a la 1984, if you wish)

We haven’t started doing any serious genetic engineering (or maybe, depending on timeline, the equivalent for minds uploaded into computers) yet. Once we do, we could do a lot of “growing up” very quickly.

It isn't physical "growing up" that we, as a species, need to do. This is the way the whole society act. If you look at politics and corporate world, it feels like a bunch of pre schooler throwing tantrum. As a society we are not acting responsibly. You could argue that the worse are countries that still argue to go to war with their neighbors on the pretends the later are different, but the rest allowing to destroy the planet while keeping the rest of the society under control, preventing us, as a species, to achieve goals that are dreamed by the most creative of us. And it is depressingly easy to keep the status quo.

The "Growing up" reminded me of this song: https://www.youtube.com/watch?v=5ja-mHeYAKM

The point I wanted to make here is mostly this: https://slatestarcodex.com/2014/09/10/society-is-fixed-biolo...

IMHO, it doesn’t make sense to blame “society” for being pre schoolers, any more than it makes sense to blame individual humans for becoming mentally ill. Both are just failure modes of our mental hardware (our tribal-status instincts in the societal case.) The only solution to either that would “stick”—what I would interpret “growing up” to mean—is to remake ourselves without those failure modes.

Anything less might help individual humans who get some sort of maintenance treatment for their failure modes; but our society as a whole will still be a function of interactions between both people who have treated those failure modes in themselves, and those who have not yet (because e.g. they aren’t aware yet that they have a problem; or don’t see it as a problem; etc.)

Thank you for the link. I agree with what the author is saying, mostly. :)

Mind that when I mentioned society as a whole, this is inclusive to its individual parts: There is no society without individuals and as such any judgment on a society is a judgement on its parts. That being said, I know it is a naive view, as no one can condemn a society completely.

As for the bio engineering to try and weed out the "bad wiring", I am not even sure we are close to identify them clearly, as seems to indicate the science articles about the brain and other nervous system in recent years.

My GF uses a google voice number (and separate gmail accounts) for job search purposes both for this reason and because she can nuke the phone number later, cutting off headhunters once she'd found something she likes.

Sounds useful. It's unfortunate that google voice still isn't available outside North America. I don't know if that is for technical reasons or for (European/Asian) political reasons. But it sure would have been nice to keep separate numbers the same way it's sometimes necessary to keep separate google accounts.

Not advertising.. but Skype can also generate phone numbers for you, and you can equally drop them. I remember I used a Skype landline number for that specifi purpose - throaway number for when I was looking for a new job. And I discareded it immediately after.

>But it sure would have been nice to keep separate numbers the same way it's sometimes necessary to keep separate google accounts.

In Sweden, you can request a pre-paid SIM be sent to you in the mail[0].

To be fair, it's not entirely a "burner" SIM, as it's associated with your personnummer but it's a lot more convenient than queuing in a shop (if that's not your thing).

Maybe your country has a carrier that does the equivalent? :)

[0] - https://webbutik.comviq.se/kontantkort/checkout/comviqcart/p...

In the US, I can walk into a store and pay cash for a $30 flip phone without any ID, and unlimited talk and text. 15 years ago it was $150 and 200 minutes talk, 20 texts.

There are plenty of other providers. Here in the UK there's LocalPhone.com for instance. They're even able to get you a number in a country of your choice, forwarding to a phone in a country of your choice.

Google Voice is US-only.

"Google Voice is only available in the United States. To use Google Voice, sign up with a US-based phone number."

It's only available in US, not even Canada.

I think VOIP has great untapped potential for this, having helped many people get vanity numbers with their name embedded. Once the job hunt is over, you can literally reject all calls, and build a caller ID blacklist of spammy companies and recruiters. Plus, numbers are 1/4th to 1/10th the cost of domains these days.

It works the other way too.

I keep blocking spammy numbers, and they keep creating new ones.

Are they? I pay $1/mo for phone numbers, which is quite close to what I pay for most of my domains.

Could you share some places you use to buy numbers like that? Do you just set them up to forward, or do you have more control than that? I've always been interested in this, but apart from Google Voice, I haven't found a good way to get started.

Twilio is the easiest by far, IMO.

Twilio is also one of the most expensive providers, and if you don't need E911 you can easily get numbers for less than half that price.

That's great to know, could you point me towards any other companies?

phone numbers cost close to nothing to operators, but running a voip infrastructure hast its costs, and a lot of those costs come from protecting it from hacking attempts. They love open pbx boxes where they can generate a significant cost, or use to spam others.

also compassion with domain is not exactly fair in this case, it would make more sense to compare it to ip address.

Fail2ban, not using IP based auth, and mandatory TLS/SRTP will generally cover your bases (ofc, Fail2ban should be banning any IPs attempting TCP/UDP registration or calling without SRTP).

Not really rocket science, but the VOIP industry is stuck in the 1990s when it comes to security practices related to their core offering. Its a terrible state of affairs!

So get off public social networks. Problem solved.

I realize that you’re getting slammed for a pat, trite, or unhelpful answer to a complex problem, but it also happens to be the only answer. It’s an answer with real consequences, but when weighed against giving your privacy over to FB what else is to be done right now?

Public social networks are poison, they’re inimical to privacy, and we need to get off of any that harvest personal information. Telling people to “quit FB (and other similar services)” may come off wrong, but for a long time so did “quit smoking.” I get it, I’d love to have cigarettes that are healthy and delicious, but until then... quit smoking. Maybe someday public social media will be safe and sane, but until then... quit.

One major difficulty with leaving Facebook in particular over privacy concerns is that it doesn't really stop the social network from violating your privacy, or letting others do it (often without bad intentions on their part). Aside from its now famous shadow profiles, you've got your friends and family or work/business associates posting things with you in them, photos, videos etc and even naming you (don't think they can tag you though if your profile is shut down). And if you've erased your profile you can't even have the minimal safety of monitoring what gets posted by who, so you can ask them to maybe take it down if it's harmful. We get sucked into FB's network effect in all sorts of ways nowadays if we live any kind of normal social life in a connected society.

Agreed although I was curious about one of your points, specifically can FB users tag a person who is not on FB? If so this is really troubling. Also do you know if FB uses shadow profiles to suggest tag name in pictures the same as it does for regular users?

I don't think tagging works for people not on FB, though if anyone else here has seen different, i'd love to hear their two cents. As for tagging of people who were on FB but deactivated their profiles. I've seen tags work before and that;s bad enough because even if you try to leave the social network, people can post images or videos of you and associate your name with them regardless. What shadow profiles have to do with these things I don't honestly know, the social network would keep something like that pretty secret I think.

I don't know anyone around me who still uses facebook. Heard the story of a relative who organised a birthday on facebook and wondered why no one showed up.

I don't think it's an unhelpful answer to a complex problem. I think it's the right answer.

> but it also happens to be the only answer.

"Only" oversells the option. There's also:

* mix fake/mining-hostile data in with real data as needed for social media profiles * use public institutions to enact consumer protection policies

Both of these have their own difficulties and limits, of course, but so does ditching social media entirely.

I don't understand why people signed up for Facebook in the first place. The Zuckerberg email and dumbasses quote has been around for a long time.

This is such an unhelpful answer that it almost always worthless. The utility of social networks for contact is unmatched. One profile, ideally locked down how you see fit, that follows you for as long as you allow it to follow you. The response to this is usually that there nothing wrong with phone numbers or email addresses. Except there are.

Phone numbers change. This is less frequent now that we have mobile numbers, but they still change. Email addresses can also change as people move through different phases of life. Hell, email seems to be becoming unreliable as calling since unsubscribing from mailing lists you never joined doesn't seem to work any more.

I get it. Facebook is evil.

You can set it to be searchable by friends only, which should avoid recruiters being able to do this, unless they are adding themselves as friends first.

If you set it to searchable by friends only, wouldn't you still show up in the suggestions? Especially if your number is added in someone's cell phone?

By the way: I haven't actually used facebook since 2012...

I’m not entirely sure how suggestions work in this context, I would presume that you’d only show up in suggestions to the circle within which you had allowed your number to be searchable, and so ‘friends only’ should prevent being added by phone number.

I totally get people want a "only me" option here, but really how bad is "friends-only" here? If I'm "friends" with you, you probably already know my phone number in real life.

I'm not really actively using Facebook anymore, but when I did, the threshold for becoming a "Facebook friend" was a lot lower than that for regular friends, or people I shared my phone number with.

Because a "facebook friend" isn't an actual friend, and having these "friends" have my phone number is like everyone in a bar being able to look up my number. Or perhaps like going to a work conference and everyone being able to call me.

The random "How are you are you single wanna talk about sex with me?!!???" messages are bad enough. I certainly don't want those as phone calls.

Those on the list that are actual Friends might have my phone number. Might not, though, since there is no point (I moved countries). In any case, they know not to freaking call me unless it is important or you have reason or you want me to answer my door.

Letting your friends have your number is a separate setting you can turn off (at least for now). This is about friends who have your number being able tell that it is your number, I think.

> Because a "facebook friend" isn't an actual friend

That's only true for you if you choose it to be true for you.

On the surface that is true, but most folks understand it doesn't really work that way and facebook isn't really used that way. At a minimum, facebook is generally full of actual friends (for me, maybe 5 folks now), family (my family is large) and folks you generally have met from school and work and other folks you might know in a professional manner or through groups and activities.

Not all of these groups would have my phone number, but facebook isn't exactly a telephone service at its core.

Can't you limit your FB friends to actual friends?

Sure, at a cost. Actual friends and immediate family? I'm covered in 20 people or less. Most wouldn't call, though, since I moved across an ocean.

I could include folks I've been to school with, folks I met in language class, a few folks I've worked with, and so on. I don't want all of these folks to call me, though, and I*d rather some didn't have my number. I also don't fully dislike these folks.

More seriously, though, it would keep my social circle smaller. I met my spouse online around 10 years ago, and this sort of caution you ask about would mean I wouldn't have my life.

Becaused for most people "friends" on facebook range from tru life-long friends down to mearly contacts, people you need to interact with in some way butdon't neccessarily want bothering you by phone.

> Names are often not unique but phone numbers are.

Right out of "Myths programmers believe about phone numbers" which was on the HN front page a week back. Has everyone forgotten about landlines? Even cell numbers are not permanently assigned to a single person: especially in jurisdictions where pay-as-you-go accounts are the majority.

You use your real phone number on FB? MY no on there is a fake (but real number in my area code).

And I don't put my Mobile number on FB at all.

Might it be possible to compromise your account by getting control of that phone number?

Lol the 66666 number isn't normally handed out in the uk I used xxxx 66666.

If you apply to work at Facebook do they look at non-public content in your Facebook account? Let's assume you're not even keeping your Facebook profile a secret.

No. This would be a violation of our data privacy policies and would result in immediate termination of all employees involved.

Given the complete lack of respect that Facebook has for individual privacy and the wellbeing of our society in general why should anyone believe this?

If you think that of FB, why would you be applying to work there?

Not that I support the idea, but big bucks ?

It would violate terms of service you agreed to.

Um, please explain how Facebook using data you gave it for Facebook's purposes violates Facebook's terms of service.

I figured that was the answer for the hiring manager and all regular employees in the hiring chain, and wasn't implying that anyone might go digging in violation of the rules. (At least not since the early days where stories like that abound.) Wondering more about the HR department doing it under direct authorization of senior management. I assume that Facebook like most companies runs background checks on prospective employees. They must at least be tempted to include their own vast database as part of that background check. I could imagine an automated "security check" process that could be run on a profile without actually seeing that profile, and if it turned up red flags (keywords, high number of reported posts, etc.) HR goes digging further. Maybe not, but certainly wouldn't surprise me.

Sorry, but i cannot see any good reason to trust the word of anyone from Facebook. This company has shown that it is routinely deceptive and lying. Why woud this be an exception ?

That's why you never give them your primary number. Have a burner phone. Or lease a SIM in the Philippines.

> creating a new phone number for recruiting is not

Actually it's really straightforward with Twilio and you can set it to forward to a regular number. Works in most countries/regions.

I used it to give my wife a US number for clients (she's a freelancer).

Phones are not unique but a lot of them are reused when a subscriber changes provider

(They could have always searched you by name, if you're worried about your identity then it makes sense to not connect your phone number to FB)

>but a lot of them are reused when a subscriber changes provider

OT, but I had a not-so-nice experience with that. Some years ago I got myself a data-only phone number/SIM card for my 3G dongle.

It turned out that the number was reused, and the previous owner of that number had subscribed to a pay-for message service for upcoming events (concerts, movies, etc). And they kept arriving to my data-only dongle, and I didn't notice for a while. Had to pay for it, though.

I don't remember how I eventually managed to turn that off (the software for accessing/manipulating that part of the dongle was Windows only).

"This matters because creating a new email account for recruiting is trivial, yet creating a new phone number for recruiting is not."

I create (and destroy) new phone numbers all the time. Via the command line. I can route and forward and block them any way I like, to and from my existing phone (which is single SIM) or to ... nowhere.[1]


[1] I have a "ring forever" TwiML bin that I like to use.

Why would you ever use your real number vs. a throwaway google voice number designated for spam?

Because you don't know about or use Google Voice, or you live in a country it doesn't serve?

> yet creating a new phone number for recruiting is not

Doesn't Google Voice solve this problem? Or perhaps there are restrictions I don't know about. Of course, you still have to remember to create a burner phone number before giving out your contact info...

At least in canada with the national do not call list, I’ve found I receive very few robo calls. For those I do if I wait to talk to a real person and then press as too who is calling me so I can file a report they hang up quick and I don’t hear back.

> Doesn't Google Voice solve this problem? Or perhaps there are restrictions I don't know about.

Only sort of. I wouldn't be surprised if Facebook rejects Google Voices numbers and will only accept a real-live carrier numbers. It seems pretty easy to do, given how often my GV is rejected by sleezy services I'd like to give a throwaway (e.g. peoplesearch opt-outs).

However, I'm not going to personally test this theory by attempting to give a panopticon like Facebook even my semi-throwaway GV number.

Let me surprise you then so you can stop making false speculations - you can use a GV number for Facebook 2FA.

Even if FB was not allowing Google Voice, you could give FB the real number and give throwaway GB numbers to recruiters.

That would solve the issue voiced by OP

I imagine most people would have no idea their profiles could be searched via phone number. I didn't know until today.

If it never occurred to you that this could happen, you would not take steps to prevent it.

We don't have Google Voice in Australia.

Only for US and Canada.

Only US actually.

Because of all the issues with (1) terrorists, (2) foreign state influencers, (3) spammers, Facebook tries to block Google Voice as much as possible

Just two weeks ago: Falsehoods Programmers Believe About Phone Numbers - https://news.ycombinator.com/item?id=11321236

I haven’t heard: if you replace your phone number will they maintain the association with your historical one? It’d be trivial to get a Google Voice number or burner to replace yours.

At this point I have no pity for people who continuously feel violated by Facebook.

Data hygiene is both the responsibility of users & social media cooperations.

I still wonder why people rely on the kindness of strangers (the people that run the social networks) trying to make money off them. & then start crying foul when they are treated like garbage.

Simply don't; - Submit data you find sensitive. - Use bonus credentials where feasible - Deny app access to your mic, location, contacts, camera & calendar - Delete your account if you have substitutes for the features Facebook offers

...and if a single person (or company) with your number in their phone allows Facebook to access their contacts, FB has your phone number anyway.

Second phone numbers aren’t that hard or expensive. you don’t need a second sim, just an app. There is a yc startup providing them: openphone

They are rarely usable on web sites for 2fa as they disallow voip numbers. In fact, many websites don’t allow google voice numbers for the same reason.

Is it easy to distinguish voip numbers ?

Yes, using Twilio’s lookup service it’s trivial.

I honestly do not get what problem are you trying to solve here. If you have content which you think should be hidden from someone, just do not make it public.

This is surely a breach of GDRP. One of the principles is that data must only be used for the purpose for which it was collected. Taking a number provided explicitly for 2FA and using it for search certainly sounds like a breach.

I hope this will end up with a hefty penalty. At this point, I believe a strict regulation is the only way to tame the Facebook beast - the more so because I heavily really on FB to be in touch with my family and friends.

It might not given that the impetus of this change is to combat fake news and bot accounts from nation-states. ...so it might not be high on the target list for the EU since they are actively uncovering more influence operations.

You have to realize that privacy is not a priority for most governments, so unless it's explicitly against the rules, I suspect they won't do much.

What does GDPR say about using data about other people provided by a user (eg a Facebook user who shares their contact info — thus providing Facebook info on all their contacts). What is the “intended purpose” of sharing all your contact’s details ...?

> What is the “intended purpose” of sharing all your contact’s details ...?

That's Facebook job to make it clear when it happens.

I don't know the actual text of law, but I guess even if you are friends with someone, you doesn't have any right over any of it personnal data, thus they wouldn't be able to use it except if you previously accepted that usage (being matched with someone you know using that phone number).

Facebook is above regulations, just like the POTUS.

Source: Number articles over many years of laws being broken, Facebook.com still works and the POTUS is still the POTUS.

They might get around this by not doing it with numbers provided after the GDPR penalties came into effect.

No, that doesn't get them out of it.

If you are a Facebook employee, or are close to one, please help me understand. How does it feel to see reports like this being released almost weekly? I realize people are very good at dealing with moral dissonance when their paycheck depends on it, but surely you must be thinking, talking to your colleagues, about what your personal responsibility in this is?

They don't care. A job at Facebook is still considered prestigious by a large part of the tech community. They're starting to be grouped more with Palantir than Google, though.

> They're starting to be grouped more with Palantir than Google, though.

That's confusing. Is Palantir regarded as better or worse than Google?

Palantir is known to do lots of government contracting for US defense/anti-terrorism intelligence, so working there is viewed much like working for Lockheed Martin/Boeing/etc. where it is known the work you are doing could very well be involved in wars/military agendas.

Your role in your job there could cross the line of what some people would as ethical to some people, and Facebook's malicious behavior is making employees who work there to be viewed in a similar light.

I think most people consider google more prestigious. While they'll try to convince you otherwise, it's mostly because google pays better.

Overall, the vast majority of similar reports are completely irrelevant, partial or non-sensical. Happy to give details but the most common pattern is the same person demanding that Facebook regulate speech in one sentence and being outraged that Facebook feels allowed to regulate speech before that sentence is over. Most journalists who write about Facebook are deemed as “having no idea what they are talking about”. A lot of them are granted some internal access by people who think that it would improve the coverage but rapidly discover that their ignorance isn’t because they lack of access but it is a decision.

This case is a small but clear oversight, one team (Security) set-up a necessary 2FA option; another (Growth) re-using information attached to a profile without context. Both teams have clear objectives but should have clearer lines when edge-cases like these appear. Two remarks on that: 1. clarity in large organisation and 2. prioritisation.

1. Overall, Facebook teams need clearer demarkation but every company in the world has far, far worst practice so as soon as you try to interview, you reek in horror at practices anywhere else — and that’s what they are willing to tell you before you join.

The internal discussion is probably split between many debates; I’ve never been very good at expecting issues around security, but probably a dozen philosophical questions like:

- phone numbers and SMS are not safe from MITM attack, the company should not accept them at all; vs. other options like a device are too selective, demanding, etc. so if people are happy and their threat model doesn’t include MITM SMSs, the company should offer that as an option;

- this is the only piece of information that is “User only” and that visibility option was removed because it used to lead to abuses; vs. we can monitor abusive use of a visibility feature even if that’s extra work, more technical plumbing that could lead to more internal abuse;

- there are no identified threat actually unblocked if there were, our bug bounty would have caught them; vs. we do not have to limit Security to known threats, but “feels” for bad practices should be trusted as a sign there is a threat in there that the company should respect even if we can’t isolate why.

Knowing what to do as an individual contributor when you have gods fighting over your head can be daunting; you want to have a clearer picture that, say “Only me” will be a visibility option for longer and not replaced by “Hide that from anyone, even having access to the account to prevent an access even from escalating into a worse security threat” or that when it’s replaced, this piece of information won’t be missed or excluded.

Anyone who has build large data schemas would be familiar with how tricky changes like that can be when done without coordination. Anyone who follows visibility of information from Facebook has noticed a lack of clear purpose: more nuanced options appear and disappear because there’s a tension between simplification and curating interests.

2. Overall, working for Facebook feels like you are dealing with a fire, an earthquake, a zombie invasion, a revolution and a flood at the same time — and the public only seems to care about electricity shortages. And when you look into internal numbers about who cares about any of the above, the flood seems like a big deal, no one cares about electricity but someone you know that the fire and the zombie invasion are far worst. Facebook is the only place where managers are very clear that the fire will destroy your water pump much faster than the water goes up, and zombies are actually quite slow — and you can not prevent earthquakes, only deal with the aftermaths, so they want you to deal with them in a specific order: #1 Extinguish Fire, #2 Automate the water pumping for the Flood, into the fire-prevention stock, #3 Delegate the dyke-building, #4 Once you have a plan for that, expand dykes to protect from zombies, #5 Schedule a town-hall for after the physical security of everyone is guaranteed because talk is better than a revolution, #6 Imagine what seismographs could be like (network?) and how they could prevent bad things, given how fast earthquakes are. Nothing about electricity because it escapes everyone’s mind at this point.

I once had a task that was about preventing thousands of crimes from happening; it was #3 on my list. That felt wrong, but my manager explained how, if #1 and #2 were not done, I couldn’t do #3. It felt very strange. #2, in particular, was very debatable: I reached out to a friend of mine, a lawyer outside the company and probably one of the top 10 people on deciding if something like #2 was ethical. My friend told me that he had far bigger issues to deal with. So I did #2 reluctantly; I did it first because it made #1 easier. In the mean time, #1 was cancelled without my manager telling me. I had asked someone else to do #3 and he got a massive promotion.

Two years later, the press was up in arms because thinking about #7 was presumably unethical. #7 is about making sure that vulnerable users were even more protected than they were on Facebook (while no other platform did anything for them) and the press really objected to vulnerable users being on Facebook at all. The most widely circulated OpEd on the topic explicitly didn’t care for them being protected: that they were on Facebook at all was the problem. As a former employee, I knew why they really needed to be there: it is their only source of needed social life.

My experience was a little extreme, but it’s quite representative.

Take the recent appeal to have more community monitoring:

- Facebook notices, years before anyone, external agents using social media to spread inflammatory messages; they understand that they won’t be able to prevent the gutter-press from spreading it, so they appeal to institutions because they carry editorial authority and local understanding that Facebook can’t have.

- That is dismissed as interference, and Facebook is mocked for knowing nothing about the free press. As a reaction, Facebook publishes articles on polarisation and clearly point at external sources; they asks researchers to measure how much the News Feed bridges that gap and helps moderate the worst messages. The article is summarised clearly with graphs by internal comms. The article is summarised in the press as: Facebook is pouring gas on the political fire.

- Facebook anticipates that astroturfing will get worst, at an exponential rate, and decides to enforce strict “authentic identity” rules to cut most of it; also starts efforts in identifying “fake news”. Explicitly connects the efforts to political manipulation. Both efforts are openly disparaged by people who spread false information and openly ignore that Facebook has a clear handling process for people who don’t want to be found for legitimate reasons. Political parties gladly finance negative attack ads that are the main source of inauthentic, false coverage.

- Facebook gets signal that human censoring is not scaling; details become increasingly worrying. Facebook ramps up their AI research program to identify increasingly relative inauthentic users, messages; the program is ignored, or only presented as an Orwellian effort by “the Borg”. Mentions of issues in human reporting are completely overlooked by the press.

- Facebook realise that scaling its community enforcement won’t work because they don’t know how to manage those and the third-party company are treating them like lab rats at best. Asks for improvement on work conditions; nothing, or rather systematic executive-level Me-Too scandals. Facebook fires said companies out of desperation. Instant backlash because ‘Facebook fired journalists’. Facepalm, partial decision reversal. Silence from the press, which honestly is a relief at this point.

- Major progress on the front of automated community enforcement. Facebook is the first to identify several threats to democracy (Cambridge Analytica is banned in 2014; everyone finds Trump funny when he asked for Russia’s help, while Facebook Security reveals to the FBI suspicious behaviour). Unsurprisingly, Facebook is blamed for acting as a Good Samaritan; internal debate on whether to come clean publicly, or only tell law enforcement. Law enforcement is clearly dependent on electoral results, so coming clean publicly proves important… but extremely costly for the company brand. Should the company sacrifice the little goodwill it has left among the press now, to prevent current threats, or keep it for a worse crisis?

- No surprise: political parties don’t like being targetted as being bad actors and defend themselves by empowering lunatics and doubling down on a constant barrage of incendiary news. Community enforcement is completely overwhelmed by its own scale and size and catastrophic situations emerges. No one raises that Facebook has offered several solutions, from institutional standards, automated detection, visibility control and just blames the company for its subsidiaries. The company is just the enemy of everyone at this point. Facebook has two options: not having any community enforcement, or trusting suppliers that have repeatedly lied to them. The third one is what many employees are working on: automation.

Your question is: why wouldn’t they leave? Answer: many do. Drama is hurtful no matter how you understand the whole story. Whether those who stay are more confident, or less reliable in their ethical stand is debatable.

If you care more for technical problems, I’m happy to explain why facebook.com/ads/preferences is the best implementation at the moment of user-control over dark data brokers. It’s insufficient, but helping people identify threats and we can implement reporting from there that no other company will let you have, not without the transparency of Facebook.

This post might as well have been written by a third party to discredit facebook.

To summarize:

1) "As long as there's someone worse we don't have to worry"

2) "working for Facebook feels like you are dealing with making profit, pleasing management, pleasing partners, progressing your career and going home early at the same time — and the public only seems to care about privacy violations."

Not sure I wrote about any of those points and confused why you would think raising a strawman is a good argument.

I’m also not saying that large or influential companies should not be held to higher standards; they absolutely should, and they are where I come from. I’m simply saying that, if you consider problems where Facebook made a bad decision (a minority of the scandals) those issues trickle down to two systemic problems: clear, non-contradictory internal guidelines and prioritisation. Facebook employees are trained to recognise both. When they consider other options, they would often see companies where both are significantly worse. Other companies have simply not been through a decade of excruciating oversight by the international press. Those who have are not managed by someone who is nearly as willing to admit his fault as Mark.

I doesn’t mean that those companies are not better options for ex-Facebooker: they often are; or that they would not make the world a better place by joining those, and advocating for higher standards: they often would. Those companies typically should be held to a lesser standard because they have less of an overall impact. But, as an employee, if you want to prevent problems like those that you regret being a witness to at Facebook, leaving is hard because you can easily see the rest of the world as worst more often than not. If you come with your expectation, gained from working at Facebook, that any minor issue will be twisted into a scandal, most other companies feel very wrong.

You can see that by looking at how many people are above ex-Facebookers at the companies that they join: it’s unusually few. That’s because they rarely trust too many layers to make the right call.

To say that "the most common pattern" in the "vast majority of similar reports" is one of making starkly contradictory complaints, appears utterly self-serving - a convenient distortion designed to make it look as if there are no valid issues.

I’m simply trying to represent as accurately as I can the position as it is seen by and talked about by internal stakeholders.

Happy to give more examples, or to argue that the most visible and debated issues are not the most relevant. Even happy to say that this is a problem, but I don’t see it as an internal problem.

Thanks a lot for an opportunity to look into the world of Facebook employee, that was really interesting and I feel that I do understand it better now.

However, I wonder if you'd agree that maybe the main reason for Facebook problems is their desire to overconnect the social graph basically. All those moderation problems wouldn't be there if the newsfeed stayed simple chronological summary of updates by their friends and families instead of an algorithmically generated mess. Reddit AFAIK doesn't have problems as huge as Facebook's, and the reason for that is that communities tend to moderate themselves pretty well, and moderating communities themselves (e.g. banning drug sale groups) scales way, way better. In a sense FB itself kinda acknowledges that with its recent emphasis on Groups.

On the other hand, interpersonal connections between real-life friends and families (what Facebook sold to its audience and the way it keeps the users on the platform) barely need any moderation at all. It's quite unlikely your uncle James starts promoting antivax (or child suicide) in your family, and even if he does, he can either be contested (not letting spiral of silence to form) or banned/muted/unfriended/etc. Unfortunately, it's not how FB works: it baits you with friends and family and switches to engagement optimised cesspool.

It feels like the hyperconnected, algo-driven feed is actually the root of most facebook troubles, despite (obviously) generating massive revenues.

> All those moderation problems wouldn't be there if the newsfeed stayed simple chronological summary of updates by their friends and families instead of an algorithmically generated mess.

Yes, because Facebook would not be a usable service. This is not a joke: raw feed is really bad. Unusable. Spam-folder on steroids bad. If you care about the Facebook employees mindset: “My News Feed should be chronological” is about three times worse than “I’m just looking for a technical co-founder, I’m an ideas guy” to the HN crowd.

> Reddit AFAIK doesn't have problems as huge as Facebook's, and the reason for that is that communities tend to moderate themselves pretty well,

Reddit has significant efforts into massaging their own feeds. It’s less visible, but quite significant, mainly around abuses from large coordinated groups. They’ve talked about it extensively. They have fewer issues because a subreddit community has clear values (_News_ value immediacy; _Politics_ controversy; _WritingPrompt_ values long comments more than total Upvotes) which allows them to tailor their algorithm per context rather than per person. Well, they do that too, but it’s significantly messier. This part is hidden because there’s a lot more than you can see on Reddit, so you see a lot of good things, no matter the order. There is less good content from your friends simply because you don’t have a million of them, so your Facebook News Feed is a lot more sensitive to clues. Reddit also has a lot more input information with upvotes; people really don’t understand their feed would become massively better if they click on Like — including professionals who build recommendation engines for a living and complain about not having good data.

Finally, if you think that Reddit is a welcoming community without issues, I can easily guess your gender. That’s a big part of what Facebook empowers.

> interpersonal connections between real-life friends and families (what Facebook sold to its audience and the way it keeps the users on the platform) barely need any moderation at all

This is not true: anti-vaxxers (and before them, MLM) are a massive hindrance to their family; usually, they get ignored now, but being able to hide them (and dynamically detect problematic posts from important, non-MLM updates) is a key feature of the News Feed. The most common, and occasionally biggest pain-points that we’ve measured have been where friends and family merged, from your lame dad barging in a Let’s-go-to-the-club thread to gay people still in the closet liking posts about flamboyant things.

What you might be trying to say is that there is a real problem in merging all your aspects of life into one context. That’s definitely true. Without going into drama-prone topics, I speak several languages and that was not taken into account at all when I joined; my cousin routinely complained that she didn’t understand why I wrote in English “all the time”. There was some progress (thanks in very small part to my impulse) there.

Raising consciousness around those issues was part of what I did more generally. One effective and clear solution for that was Groups, that finally, for the last two years, got their place in the sun with a dedicated, empathic team in _Engagement_, rather than be a subsidiary of Pages that where a subsidiary of Ads. I don’t have internal knowledge but from public communications from Facebook management, I’m guessing they are growing much faster than Reddit, with a similar product.

> generating massive revenues.

Not really. The family stuff is great because if gets people to post more: they feel like they can share if they see similar things in their feed. That’s empowering people which Facebook believes in as a core value, but it’s not making much money. If Facebook wanted to print dollars, they’d go full Video.

The money comes from basic stuff: age, gender, location, family status (age of children) and interests; language, too: you’d be shocked to see how many ads are shown to people who just can’t read them. The money comes for “Custom audience” which is essentially Upload the emails of your users, and we’ll find them on Facebook, and “Similar audience” which is an augmentation of that, and let you advertise to those groups separately. That you love sharing lame puns with your uncle, or photos playing with your nephews isn’t going to attract anyone’s crazy CPA. If you click on ads about nappies, that‘s a really good signal though.

Honestly, Facebook is eating other people’s lunch in ads because they get very basic things right: separate your customers from non-customers. They don’t advertise for diamond rings next to an article about the war in Congo, like the NYTimes does, or for stilettos to burly football players. They remember which ads work for you, and show more of that. In my case, I’m in the market for a nice leather bag: Facebook knows that and shows me a lot of that. They are certainly making more than the average $50 by helping me general a list of a dozen nice options for my birthday.

Marketing (outside, possibly of political advertising) hasn’t really moved to crazy Orwellian stuff at scale. If, one day, posting landscape in black-and-white is correlated to you liking yogurt, maybe… but for now, it’s probably easier to ask your local supermarket.

this is the only piece of information that is “User only” and that visibility option was removed because it used to lead to abuses

This seems critically relevant to the issue at hand - can you explain it in a little more detail please?

I’m speculating in that part of my argument, imagining counter-arguments. Sorry if that isn’t clear.

When I was working there, I’ve worked on custom visibility option (things like lists of friends, a feature that hardly anyone used; home city, languages had been occasional “Smart lists”). Those options were unsupported or become discontinued in some cases. There was a significant mental load to have more visibility options than ‘Friends‘ and ‘Public’, and very few reasons (as in: active users) to support more. One option that I felt really corresponded to a lot of people’s need was “Friends except Acquaintances”: ‘Acquaintances’ had become a really good shorthand for “drama-prone” relations. Yes, you are friends with them, they can see some activity from you, just not everything. They have no reason to think you’ve excluded them. It was discontinued and I never figured out why.

I can imagine the “Only me” option being changed because of someone, either working on an easier audience selector or trying to make bad-behaviour-detection faster, might overlook the need to have some information on the site not shared with your friends. The impact of visibility option on every aspect of the site is nightmarishly complicated, and genuinely hard to keep in mind to think about clearly. I’ve dedicated a decade to that, and I struggled. People who are officially very smart (Math Olympiad laureates, Mensa-type: not that those are proof of social smart, but they should understand formal reasoning really well) struggled. If you include blockages, it gets really hairy. If you include bad actor and impersonation, you will lose your sanity. The alternative that I suggested (that information is probably what hackers would look for, so hide it even from an authenticated user) is probably more likely, given the overall privacy-conscious of the company. In that case, that information changes status even more.

I’m not saying that kind of blatant or casual disregard for nuanced privacy control is not bad. God knows I raised hell before I joined the company and after about list support, and more. I even convinced a friend to join because he made a great tool to manage your list of friends. He joined the company before me, helped me a lot internally — but never even mentioned his tool to anyone internally because there was no appetite for it, inside or outside the company. Just to tell you how much: do you remember the fiasco that was Google Plus Circles? Well, after _that_ blew up, I had low expectations. This was lower.

The company moved to Groups, non-friends contextual entities, and that was I think a lot better in many ways.

Regarding the media issues, it seems that Facebook is also being used as a convenient scapegoat: https://jakeseliger.com/2018/11/14/is-there-an-actual-facebo..., often by reporters who don't even understand the issues they're nominally covering, or who seem to have made up their minds about the system before starting to write.

That is a very common way that Facebook employees see the company. This is explicitly what I was told during my introduction: act impeccably in public and raise any ethical issues that could be imagined internally because the name of the company will be used to sell papers no matter what you did. To take several recent cases:

- Facebook employees consider that Cambridge Analytica was caught, abused their power, lied under oath and was never able to leverage Facebook Custom Audience anyway; short of using Police forces (and Facebook really should not have that kind of power) there wasn’t much that Facebook could have done more;

- As a consequence of that, there was a movement to control abusive pages in politics, and everyone was claiming for a clamp-down. It took 24 hours for Facebook to ask for ID for the moderators of all large political pages, because they realised that any of those could be GRU operatives, and 5 minutes for everyone to find this deeply objectionable. :facepalm:

- Apps sending their user’s actions to Facebook Analytics when those actions are Heartbeats, blood pressure, migraine and Period time: Facebook employees consider that Analytics is a service for people to target their own users based on their own classification. There are some possible issues with it (the classic being ethnic discrimination for real estate) but no one at Facebook cares about your period. Facebook could enforce more strongly that the apps communicate with their users about the Analytics tool, but that’s 100% going to blow back around the common theme that Facebook is abusing their power. You’ll have virulent op-ed outraged at how their dare to threaten to de-platform feminist apps about empowering women and their health, and how dare they. I’m happy to bet real money that the people asking for more control will be the same to protest against it, less than a week later.

_Catch-22_ comes to mind.

I've designed an OSINT system with this specific feature in mind (it's on github since a few months). Basically being able to go from phonenumber->accounts is very powerful and works even more efficiently to identify a person than an email address or even a real name.

The abuse potential of this is far greater than some people assume.

Plus you can look up the phone provider which probably makes banning spam accounts a lot more easy.

Can you post the link to your project?

It appears to be this: https://github.com/kpcyrd/sn0int


I refused the 2FA nag on Facebook because I didn’t want them to have my phone number

Then after a while the nag started popping up with my phone number already filled out.

Really fucking creepy and not okay.

Same here. I put my phone number in my Facebook profile when I first made it years ago and have since "removed" it. However, I'm pretty sure removing it does literally nothing because it will still pre-fill my phone number in that case and I'd bet money that advertisers targeting by phone number. Still, they're constantly nagging me to re-add it.

For what it's worth, I just deleted my phone number and added Google Authenticator, and it seemed to work fine.

Just to be clear. My phone number is not tied to my account, Facebook got my phone number elsewhere and suggested that I tie it to my account

Facebook got it from your own friends or associates. Such information gathering forms the "shadow profile" on Facebook.

Add an authenticator app and delete the phone number.

Might be your browser doing that.

It was in the iOS Facebook app

Well... your phone knows your number, so they might not have gotten it from somewhere else.

With the permissions in iOS they’re not supposed to have access to my phone number, but I do remember something about them having access to a “special api”, so I figure that’s exactly what happened

Could the "special api" be the built-in iOS Facebook sign-in?

Been warning people about this for years. Every major social media company has been pushing this shit as "security", when in reality its whats known in intelligence circles as "linkability". The more points of verification, the better a profile can be built to associate an actual identity with an email address, screen name, username, alias, etc. Snowden warned everyone about this, nobody listened.

While this is true, is 2FA not generally a good thing?

SMS verification increases linkability maybe, but a yubikey or something similar?

How many other social media companies? Curious.

twitter also aggressively collects your phonenumber.

Telegram is so aggressively anti privacy that I tried around 5 numbers I own and only 2 of them worked.

Ok, so Facebook has yet another appalling practice that's been known for quite sometime (see the Telegraph article linked in this one). The percentage of users boycotting the company and its products don't seem to materially matter. Facebook is making more money now than before. Facebook will not behave well on its own. Regulation and really hefty fines running into a low double digit percentage of revenue (not profits) are the answers!

hahaha thank you, the thought of republicans or democrats effectively regulating a predatory corporation for malicious business practices made me laugh out loud :D

I mean, Democrats have tried it in the past.

EU and GDPR.

Isn’t it the same for Twitter? I tried recently to create a second account, it’s now impossible to do so without specifying a phone number during signup. And the mobile application was trying to access my contact list, which seems to be used to suggest people to follow by looking for their phone number (see https://help.twitter.com/en/using-twitter/upload-your-contac...).

I think there's a "Sign up with email" link on Twitter.

Though of course, every time I created a new account there it was quickly blocked, only allowing me to unblock it by providing a phone number. That might have to do with a number of privacy-enhancing browser extensions I've got installed.

That said, thanks to GDPR, I'm relatively confident that they've actually deleted my phone number when I asked them to after verification.

Where do you find this “signup with email”? I don’t see it, but I may be looking at the incorrect place

Using security to further weaken privacy (quote from Zeynep Tufekci in the article) aptly sums up the method countless companies have been using to violate user privacy. It's essentially a form of fraud - obtaining private information on a false premise. It'll be a good test for GDRP - let's see if there's actually some accountability.

This seems just as bad as the bug they had before, where if you entered your email but not password correctly it would show up your real name.

The potential for abuse by spammers is too high. They not only would know who they're calling, but also all the public info on their Facebook profile and whatever else they can stitch it with.

A slightly off-topic question - how the hell do you contact Facebook if you don't have a Facebook account?

Someone has registered a Facebook account using my email address (apparently they do no verification at all) and I can't stop the spam ....

Request an new password, and then change the password on the Facebook account. I've done that myself.

well - I did that .... and changed the email address to a dummy account .... and still they send me almost weekly spam to the old address - "Why aren't you using FaceBook? here's a single link you can use to log on without a password" ... these bozos have no concept of security

Sounds like what has been happening to me. Except when I try to login to nuke the thing I get some error message about a database error and can't login. So the Facebook spam about new friend suggestions etc keeps coming. But since I have always marked it as spam it usually goes straight to the spam box.

If they won't stop spamming you, you can sue them under the CAN-SPAM act.

Or rather I should say "these bozos have no concept of their customer's security" .... but I guess we all knew that already

But at least they can solve graphing problems!

Just delete the phone number. You can use two factor authentication with OTP, SMS part is unnecessary.

> Just delete the phone number.

I'd be surprised if Facebook ever deletes anything like this voluntarily. Most likely "deleting the number" just means hiding it and using it only of ad targeting and more subtle forms of profile matching.

They do in GDPR jurisdictions or they’re fucked.

Define fucked in this context.

They'll pay a fine, perhaps, but it's not like Mark Zuckerberg will be laying in a gutter pissing blood.

Regardless, you can't put the cat back in the bag. Bad actors will still have scrapped your number, or way too much personal identifying information, anyway.

GDPR fines can be pretty significant. Google was hit with a €50 million fine in January.

€50 million doesn’t sound like a lot for a company with $100,000 million revenue.

Assuming it is proven

Deleting the data in your account settings isn't going to necessarily remove it from Facebook's database. Getting a vanity number that spells your first name or nickname would be a better workaround IMO, and you can set business hours and such to control your potential employer's access to you :P

I believe GDPR specifies right of erasure, and if Facebook doesn't delete the phone number you "deleted", Facebook will face much larger problems.

My comment was fairly US-centric, as we don't have GDPR. In the EU that'd be much more useful, as the cost of phone numbers in Europe and calling rates vary wildly, and can be quite exorbitant in some countries.

Facebook still operates as a business in the EU and can therefore be fined there. As a similar example, Google was fined €50 million earlier this year as a result of a GDPR violation.

Can Facebook be fined by the EU for actions outside the EU that only affect users outside the EU? Sure, but it would likely create political waves and I'd doubt it'd happen. Global enforcement of GDPR isn't realistic, as the EU doesn't have worldwide jurisdiction.

The last time I tried to do this, about a year, it required a phone number to enable 2FA in the first place, and then it was possible to use OTP (with e.g. Google Authenticator). But once I got sucked into doing that, I couldn't delete the phone number to do only OTP without it also disabling 2FA.

It still gives the same warning if you remove the phone number while TOTP is enabled. But I was able to remove and then set up TOTP based 2FA without a phone number.

I should add that removing the phone number didn't actually delete the number from my profile (who could have known?). You have to go into the Mobile tab and remove the phone number again.

All this despite me reluctantly adding my phone number just for 2FA. Dark patterns throughout the website.

Ugh, that sucks? I recently setup OTP-only 2FA, so apparently they fixed it.

Facebook does not delete the personal information they've harvested about you. Delete = Hide it from you. Maybe they will in GDPR Europe, but not anywhere else.

I don't recall giving them my cell phone number, though I do remember being nagged about it incessantly. Just went and looked and sure enough, they've got it. So I deleted it. The account, I mean, not the phone number. I haven't been active on FB in a while and it's no loss to me.

Facebook doing something ethically questionable again. Must be a day ending in "Y".

I'm a bit confused at the alarmist title.

I just checked my FB settings, and the article is correct, the best you can restrict your phone number is to just friends.

Why then are the top comments about the inescapablility of employers looking you up by phone number?

Unless you have your employer as a friend on Facebook, just change the setting to friends only.

My understanding is that on this setting, Facebook only allows someone to find your Facebook profile if they:

1. are your friend on FB and

2. have your phone number.

That seems quite reasonable to me.

This setting restricts the visibility on your profile page. The article claims that someone who already knows the number can type it into the search box and your profile will pop up.

(No idea whether this is true either way and I'm no longer on Facebook to be able to check; just trying to clarify).

The article disagrees with your understanding. "Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number "

For the vast majority of people who aren't on TC/HN, it's a surprise. Once info is leaked, it doesn't get unleaked. It's not just this once incident, it's a pattern of Facebook abusing user trust and chronically launching new features that leak private or semiprivate information by default and destroying the culture of security industry wide by showing users that account recovery phone numbers are not safe to use.

Glad I never gave them my number.

Don't worry someone in your circle of friends already handed it over.

Exactly. It takes just one person who knows your phone number to upload their entire contact list and it's saved. The likelihood that Facebook doesn't have your phone number and name is 0% unless you don't have a phone number.

It's worse than that. If you gave them your phone number, you can ask to see it and have them to erase it. If one of your contacts gave them your number, it's _their_ data, you cannot get Facebook to confirm they have it and you can't ask them to remove it ...

'ye old 'sync your address-book' trick.

You can't be sure that Facebook doesn't have your number unless you have never given your phone number to anyone who uses Facebook and has your name and phone number. They could be friends, co-workers, relatives, delivery people, cab drivers and many other service providers. One of them shares their address book with Facebook and it knows. A few of them share their address books with Facebook and it's reasonably sure what your number is (names can be fuzzy matched to your profile).

This is why I hate that people carelessly let any third party app have access to their contact list.

I can keep my data out of Facebook,but "friends and family" usually aren't careful and get tricked into opening up all that info.

A couple of years ago the only social media I had was Instagram. One day I went to login and it prompted me to enter my phone number and there was no way around it. I decided to delete the app instead. Shortly afterwards my account disappeared. That was the end of that.

I have been considering this off and on over many years, and I'm starting to think that others in this community may have done so as well: I want to ditch all my phone numbers, and replace them with addresses and identifiers that I can control myself.

It seems as though if a group of people all had the same app installed on our phones--like Signal, or something similar--we could bypass the phone number system, and set up our own audio-chat sessions over the data connection. If anyone else wanted to talk, they would also need to have the same app, or use its API, and add my contact information. That would add quite a bit of friction to person-to-person communication, but I kind of want that now, as it would also add equal friction to robot-to-person communications. But it isn't exactly easy to get a mobile data network connection without also buying in to the phone network addressing system.

Everywhere I look, in the realm of security breaches and vulnerabilities, a large number of exploits use the public switched telephone network, or its addresses, to compromise the security of the people forced to use them by network effects. Many of the others exploit email addresses on the large providers--apple.com, gmail.com, yahoo.com, hotmail.com--which are popular due to ease of use, and the difficulty involved in getting mail delivered from a private domain to someone using addresses from those providers.

I get the impression that if I set up a phone to ring on a SIP request to 'myhomephone@mydomain.example.com' instead of something like '2125551212@voipprovider.example.com', it would never get robo-dialed calls. But it would also never get calls from people I might want to speak with, because their phones can only call phone numbers. What's the way out of this trap? How do we stop jackasses from jumping into the middle of any private communications we might wish to have, in a way that is also easy enough to use that nontechnical relative can use a prepackaged setup for it?

Out of all possible choices, you can be sure FB will choose the worst one.

I was a user since 2004, deleted last year, and never looked back.

This is going to be interesting in EU where this is not allowed in such way. I believe fines are given as percentage of overall turnover. meaning expensive no matter the size of the company.

Okay so we finally killed off the telephone book and now Facebook reintroduces it? And you can't even opt out?

My policy of never giving out my phone number to an American company proves wise once more.

> Facebook spokesperson Jay Nancarrow told TechCrunch that the settings “are not new,” adding that, “the setting applies to any phone numbers you added to your profile and isn’t specific to any feature.”

They're not joking when they say this isn't new.

I remember a situation while I was still in high school (2011-2012 maybe?) in which someone tried to prank me by sending me SMS from a number I didn't have. I figured out exactly who it was using a simple Facebook search. The best you could do even then was to set it to friends-only, and the prankster didn't do that.

In 2013 (or 2014?) facebook had my cleaning lady's husband in my friend suggestions. I had never met the guy IRL, no friends in common, and had only spoken to him over text (from what I remember there was something about her not speaking English well so I'd coordinate with him instead). I remember being surprised at the time, but thinking, ok, so they are using phone numbers to link people. All that to say, doesn't sound like a new thing to me.

The article says you set the lookup to only work for friends. That means that no one that is not a friend can find you based on a phone number. Can someone explain why everyone is getting worked up?

All the comments refer to being findable to strangers and stalkers by phone number but that’s not the case.

They own WhatsApp, which is integral to having a social life in Germany. So they already have my phone number.

You don't need WhatsApp to have a social life anywhere, even in Germany.

There's something seriously wrong with society if an app owned by a malicious tech company is considered fundamental to the human experience.

Tell that to everybody I know who uses WhatsApp to communicate and coordinate.

It's only a problem when there is large enough majority of people that use the same network. It becomes easier to just not bother with reaching out to people on other networks, so then everyone has to use that one or be left out. In most countries it's Facebook (still), in a few it's Whatsapp or Telegram.

This article which is based on tweets by Jeremy Burge was posted earlier on HN:


Surprisingly, it didn't generate discussion or upvotes like this particular submission.

I added a fake number because they wouldn't stop asking me for it, and now it just occasionally asks for it. There's no reason they need it, and I don't even put my real name on there. If you wanna not hire me because of that, your loss.

Facebook disappointment of 2019: #24

What will it be tomorrow? We should also make a list so someone can actually see the number of things they do within a year alone.

Who in their right mind would give Facebook their phone number in the first place? Seriously…did people not expect Facebook to sell it to anyone with two pennies to rub together?

"I have nothing to hide" is a stupidly strong public mindset

I'm pretty sure initially they said the number was only used for two-factor authentication.

Who in their right mind wouldn't want two-factor authentication?

Particularly as other sites were offering it (and haven't changed their terms), and a significant portion of the tech press were saying it's a good idea — and it plainly is a good idea, of course.

I seriously doubt the vast majority of Facebook users would think about that.

The corporate motto for my next business is going to be: "People are not that bright."

While I tend to agree... it's also fair to say most people won't care about stuff outside their area of interest.

For example I know nothing and don't care about car stuff. I just leave the car at the mechanic, pay, and have to trust they did a good job.

I wish there was a way to prevent Facebook from continually uploading every photo I have ever taken on my iPhone to Facebook’s servers.

How do we coordinate outrage at facebook for this and many terrible things they've done?

Why coordinate outrage? So they will "learn" and do better in the future, HAHAHA.

Seriously, just delete your account, no one needs Facebook even those that make up ridiculous excuses for why the can't leave Facebook.

I don't trust them enough to just delete the account and leave it. I go on once every six months to delete everything I can reach with my name attached to it, that is older than six months, and leave a single "I'm still alive, but don't try contacting me via Facebook, as it will have up to six months latency" post.

For a while, it was extra-creepy whenever I did a semiannual log in, because pop-ups would appear, and in a very distinctive "Audrey II" voice, scream "FEED ME [your data], SEYMOUR!" But the last time I tried it, I didn't see that. Can't tell whether they gave up, or already got the data from other people and just don't need me any more.

Delete your history, starting from the oldest thing you can see. Un-like everything you liked. Un-tag everything you are tagged in. Remove your photos. Replace profile pic with a public domain image. When you finally get to zero, log out and delete all cookies and block all bugs and trackers. Then start increasing the time between log-ins. When you get the nag e-mails to come back, go on just long enough to turn off nag e-mails. Wean yourself off until you don't care about being on Facebook any more.

Then you can use Facebook on infrequent occasions, to tell all your still-trapped friends about all the other ways to contact you that have lower latency, better signal-to-noise ratio, and more privacy. If you just delete, that leaves a you-shaped hole in Facebook that the company could fill with a placeholder. Your character might become an NPC that the game-master could control to manipulate the other players.

I literally just had someone comment on a different post "There's nothing else shady happening at Facebook, we know it all now" - LOL.

Facebook, and Facebook uniquely (although Google too), must be regulated by world governments, and citizens must be protected from it through GDPR like rules.

That's why I don't put it in there.

Don't worry, your friends will help Facebook fill in the blanks with their smartphone address books. There is bound to be some Facebook-connected app (WhatsApp perhaps?) they use that does link your Facebook identifier with your phone number.

Good thing I never gave them a phone number.

does facebook support otp 2fa, or just sms

Facebook supports OTP 2FA. Use it.

Does it still require you to have the Facebook app installed, or can you use a 3rd party tool like Authy now?

Any Authy or Google Authenticator -like app works. I personally use Authy.

You can use any 3rd party tools.

Your friends already know what your phone number is

Isn't this a violation of gdpr? And if it is, how have they not been sued yet?


Whether or not it's a pain for businesses to comply has nothing to do with the reason these types of laws are implemented. Regulation is a pain, but that doesn't mean that we shouldn't have it. Protecting personal data is the priority when it comes down to it.

I don't see what that has to do with this. They just need to not implement the feature this way.

Don't put the 2FA number in the search index, just don't do it. By all means make it convenient to copy it there, but for the love of god do not put the 2FA number in the search index.

How is this related to an article that doesn't even mention GDPR?

There is an easy way to opt-out. Stop using Facebook.

Do you know how I can tell that you didn't read the article?

Deleting one's account does appear to be a mitigation

These constant articles are like watching someone stick their hand on a hot stove and complain over and over that it hurts. But try suggesting they take their hand off the burner and nope, freak outs and/or insults.

It really is an option. It really is the best option. It isn't flippant or sarcasm.

It may not be a great loss to you, but for many people, deleting Facebook would come at a great cost.

Facebook has done a sufficiently good job of intertwining itself into people's lives, so that to abandon it would mean losing touch with family and friends, missing out on invitations to events, excluding one's self from valued discussion groups and more.

What people resent is that Facebook seems to hold people to ransom like this, now they've made people so reliant on it.

So, sure, people can just leave, fine. But don't diminish the fact that for many people, quitting Facebook would have serious drawbacks.

I'm aware how dependent many people are. I imagine that's why suggesting they take responsibility for themselves triggers such emotional responses. I recall one academic study showed people would have to be paid ~$1000 before they'd consider stopping for just a year. But that only makes it all the more important.

If people don't like the way things are then they have to be the change. Facebook is not going to change as it's business model is based on selling it's users. In the absense of taking responsibility for themselves or Facebook chosing to change many default to arguements for government regulation. Bringing in the use of force like this creates problems significantly worse than the privacy issues of the original voluntary Facebook use.

I mean, yep, that's all valid and I'm with you on personal responsibility.

But you just don't stimulate constructive discussions by asserting that the only rational path is the quitting, whilst not factoring in the costs.

This is not a simple case of "watching someone stick their hand on a hot stove and complain over and over that it hurts", because the alternative action you advocate just causes pain of a different kind.

Most of what you're saying is valid, except for the fact that it's simple and obvious to fix.

If it were that simple, we wouldn't need to have this discussion at all.

Sadly I'm getting prompted to enter my phone number to login - can't login to delete the account now.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact