Hacker News new | past | comments | ask | show | jobs | submit login
Twitter forces all new users to enter a valid phone number (sucky.ninja)
713 points by ecmascript 29 days ago | hide | past | web | favorite | 359 comments



They have been doing this for any account registered from a VPN or Tor. However, you can simply appeal the block and tell them you haven't tweeted and not broken any rules.

They will send you an automated mail, offering to validate your phone number, or reply to the mail if your problem is not solved. Just reply to the mail.

Unfortunately, processing the request takes anywhere between 10 minutes and 2 weeks; usually a couple days at least. I assume this is on purpose to make it cumbersome for spammers.

They always reply with the same boilerplate, but the account will be unlocked:

  Your account is now unlocked, and we’re sorry for the inconvenience.
   
  Twitter has automated systems that find and remove automated spam accounts and it looks like your account got caught up in one of these spam groups by mistake. This sometimes happens when an account exhibits automated behavior in violation of the Twitter Rules (https://twitter.com/rules).

  Again, we apologize for the inconvenience. Please do not respond to this email as replies will not be monitored.


Simply, easily, trivial. With just a little effort. Try again often, try again later. No problem, to appeal, the process, Mr.Kafka, all you have to do is, be seen by two witnesses, to uphold your interest in.. Of course, if that is to complicated, and the nuances of the wording, are a endless stream of passive agressive insults to your intelect. Noone can help you, because there is noone home. The company you are trying to reach, consists of a algorithmic amobea, and would like to connect you with other concerned customers, so that you can all support each other in these difficult times, created by this difficult company.

Just give them a fake telephone number: https://receive-smss.com/


Those temp SMS numbers used to work, but now the places that require a phone number seem to be sharing notes and block them (they'll accept it, but never send a text). This is similar to how places that require an email address have gotten pretty good at blocking many of the temporary email providers (they'll accept them and just never send you an email).


When I worked in banking we would do this with suspect transactions. The feature was called “Strategic Delay”. After awhile, all of our project plans (this was back in the days of Gantt charts) would include two weeks of effort on “Strategic Delay”, even if that feature wasn’t involved.


This is slightly different though, twitter is silly and unnecessary - access to your money is not.

During some of the recent shows highlighting issues with payday lending these sorts of strategic delays were mentioned in the light that they can cause irregularly paid workers to have problems actually getting money out of their paycheck - forcing them into more borrowing until they are able to clear their checks.

Again, twitter is just silliness, but the banking example is a lot more serious of a case where the pros and cons need to be very carefully weighed.


Eh. It is the primary communication mode for the current US president.


Again, twitter is just silliness...


And a significant source for misinformation campaigns.


> twitter is just sillines

Would you say the same about your phone number? If not, why? If I run my business on Twitter (or YouTube, or Facebook) is it that different from a bank?


No?

I'm not clear on what the real point of this question is - twitter is a terrible platform to use for actual communication. Their sorting by "relevance" can cause recent messages to get lost in the shuffle and randomly mess with your visibility. It may be you're considering twitter as a business in which to coordinate product sales, but I'll assume it's for customer relations management, many companies that have a twitter account for CS stuff also offer email, messanger (of some sort) and phone if you have an issue you need to resolve due to the fact that platform just isn't well suited for business - the network effect of it is surprisingly low (a _lot_ of people aren't on or don't regularly use twitter), it is semi-public which may violate your business concerns and... you're handing the keys to your reputation to the third party that has acted poorly in the past.

If you check out youtubers talking about youtubers (I have no specific example on hand) they tend to complain endlessly about how the trending algorithms can drive thousands of potential viewers toward or away from their channel for no particular reason - there the network effect is strong enough that they don't have an option though, if your business is streaming a show then YouTube offers a much richer starting viewer base.

I guess my assumption is, if your business doesn't force you to use a particular social media platform exclusively then... use some other communication method per preference?

I'm really just confused by the question though - these things are not the same and twitter is simply not as important as the place your money lives (and I think pretty much everyone would agree? Maybe I'm getting too old)


You may dislike Twitter (I do) but it is a large thing that exists and appears to provide sufficient value to people that dismissing it as 'silliness' just sounds empty-headed and naive.


Instead of attacking the person who is making a fairly lengthy and supportable argument, and basing your stance on the notion of some nebulous value “people” find, maybe you could respond in kind? I have to say that I find myself in the camp of Twitter being silly, except when it’s being destructive. Instead of being dismissed as “empty-headed” I’d prefer some value proposition justifying the previous comparison to a phone number.

Twitter seems to be a rage factory and amplifier, a shitty blogging format, and very occasionally a way to twist the arm of recalcitrant customer service.


Twitter is a Rorschach test - all those things you criticize Twitter for seeming to be (rage factory, shitty blog, etc.)? That would be entirely the fault of the users in those specific circumstances.

The value proposition for me is receiving targeted news/information disseminated in a convenient format. As a concrete example, I'm crewing/pacing at a 100 mile trail run in two weeks, and I'm subscribed to that event's twitter feed. It's the Umstead 100 in case you are curious (@Umstead100). During the event, it will tweet out news and updates of interest to participants, volunteers, and others.

Yes, they could probably text everyone, or continuously update the website, or send emails - but Twitter is perfect for this situation and others like it: content/updates produces and consumed on mobile devices, sending frequent short updates with relevant info, etc.

Twitter has its abuses, but so does everything. Next time you're ready to shit all over Twitter, just remember that what you are likely ACTUALLY raging about is their userbase, i.e. the public.


> The value proposition for me is receiving targeted news/information disseminated in a convenient format. As a concrete example, I'm crewing/pacing at a 100 mile trail run in two weeks, and I'm subscribed to that event's twitter feed. It's the Umstead 100 in case you are curious (@Umstead100). During the event, it will tweet out news and updates of interest to participants, volunteers, and others.

> Yes, they could probably text everyone, or continuously update the website, or send emails - but Twitter is perfect for this situation and others like it: content/updates produces and consumed on mobile devices, sending frequent short updates with relevant info, etc.

Twitter is a poor choice for cases where you want to specifically subscribe to something, because it's deliberately designed as a global popularity contest/rage generator. A Facebook group, Discord, heck even Tumblr or Medium would be a better choice for that kind of use than Twitter.

> Twitter has its abuses, but so does everything. Next time you're ready to shit all over Twitter, just remember that what you are likely ACTUALLY raging about is their userbase, i.e. the public.

No, Twitter has a series of deliberate design decisions that result in worse interactions than any other platform. The limited message size strips away nuance and reasoned discussion, in favour of zingers and outrage. Their algorithmic feed shows the most "engaging" tweets while suppressing the follow-up discussion, so you'll see a controversial tweet without seeing the existing replies or subsequent retraction. The rage storms aren't just people being people, they're people being nudged into behaving a particular way by Twitter's optimized-for-engagement UI. There's a reason other platforms don't have these problems.


I've heard that even if you flip the "algorithmic timeline" switch off, you still don't see a linear feed of everyone you're following. It's still filtered and manipulated, just closer to linear.

Speaking of design decisions, here's a bit [1] about how the "quote tweet" encourages the behavior of "dunking", a usage I have only ever heard in regards to Twitter. Basically, if anyone with a Twitter account says something you think is stupid, you quote tweet them and "dunk" on them about how stupid it is and they are. Then everybody piles in and retweets the "dunk", perhaps adding their own riposte. And the original poster is only a click away in the quote, so you can then go to their profile and find other things to dunk on, send mean DMs, etc.

[1] https://slate.com/technology/2017/12/dunking-is-delicious-an...


the "quote tweet" encourages the behavior of "dunking"

Quoting people to negate or mock their argument has been around since Usenet - well, much longer in literary terms but I'm citing Usenet as an example of a system that's almost real-time and where it can be a spontaneous emotionally driven decision. It may not be called 'dunking' on every platform but the phenomenon is universal.


> Quoting people to negate or mock their argument has been around since Usenet - well, much longer in literary terms but I'm citing Usenet as an example of a system that's almost real-time and where it can be a spontaneous emotionally driven decision. It may not be called 'dunking' on every platform but the phenomenon is universal.

It may have occurred occasionally on other platforms, but the difference in degree is enormous enough that it's a de facto difference in kind.


at the same time, the medium is the message. Twitter encourages this bad behaviour, not because of intent but because it's highly geared towards hot takes and doesn't provide the character space for the level of nuance required to take a serious look at real life. So people condense what could be a complex question into a strong statement, even better if it's provocative because as provocation draws eyeballs.


Lots of things (a) exist, and (b) appear to provide sufficient value to people, and yet are either totally superficial or deleterious.

(a) and (b) are some of the lowest of bars. Even ISIS passes those, along with tons of other things (deep fried Mars bars, for one).

The parent made a qualitative argument and/or value judgement. Mere existence doesn't negate it, arguments why his values are bad, or shouldn't be taken into account, might.


Lots of things people value are suppliers of silliness. Humans put a lot of stock into silliness.


I'm really just confused by the question though - these things are not the same and twitter is simply not as important as the place your money lives (and I think pretty much everyone would agree?..

I disagree pretty strongly.

Twitter is much more important than the bank I keep my money in.

Banking in fungible. Twitter gives me access.

I've arranged meetings with the partners of the biggest VC fund in Australia sorely via Twitter. I've had in depth discussions of the details of ML models with their authors via Twitter.

Generally speaking I'm much more relaxed about a 2 day delay in my banking than a 2 day delay in Twitter.

Maybe I'm getting too old

I'm 43, so I doubt it's that.


"Twitter is much more important than then bank I keep my money in" Wow, I will gladly trade you my twitter handle for your credit card number ;D

"Banking in fungible." You cannot instantly replace a bank account, transfer credit, or make changes without the help of the bank itself yet twitter can instantly be replaced by many forms of communication (SMS, Email, IRC, Talking, etc).

"I'm much more relaxed about a 2 day delay in my banking than a 2 day delay in Twitter." So if your car is on empty and you stop to buy gas only to find that your checking and credit accounts (from the bank) have a 2 day delay, you would find that acceptable!?


"Banking in fungible." You cannot instantly replace a bank account, transfer credit, or make changes without the help of the bank itself yet twitter can instantly be replaced by many forms of communication (SMS, Email, IRC, Talking, etc).

The network and the way communication happens on those is not the same.

So if your car is on empty and you stop to buy gas only to find that your checking and credit accounts (from the bank) have a 2 day delay, you would find that acceptable!?

Please don't misquote me. The Generally speaking part is important here. Generally speaking, I don't let my car get to a situation where I'm on empty (I think I've been in that situation once in the last 20 years). And if the worst happened, it would suck but I'd ring a friend and it would be inconvenient but that's all.

OTOH, I've had multiple meetings in the last year where my only communication has been by Twitter and we've been arranging where to meet in the minutes before via it.


If you are running a business on Twitter, I don't see a big issue with having a phone number connected to that Twitter account. It doesn't strike me as unreasonable.


Depends on the business, and whether there's a limit to the number of accounts a number can be linked to. A business can quite legitimately have multiple accounts for different departments, brands, or any other purpose. If you can only have one account per phone number, that can quickly become a problem.


Their help page claims a phone number can be linked to 10 accounts at once, but in practice I've found that limit to be 4 or even less. Also, they often prevent a number from being added to more accounts for a few days or weeks even if you remove it from all accounts.


>Would you say the same about your phone number?

No.

>If not, why?

Because a phone is a universal method of communication, for businesses, spouses, families, friends, and everything in between.

Twitter is yet another social media gossip discussion site, just one with a gimmick (limited characters).

>If I run my business on Twitter (or YouTube, or Facebook) is it that different from a bank?

The only businesses run on Twitter are ads, influencers, and PR -- and those deserve to die anyway.


FWIW, there are far more businesses on social media than that. There’s an entire culture of chefs, makeup artists, and the like that advertises solely on twitter/instagram/etc. Social media is actually a really effective tool to reach your target audience in these cases.


>> chefs, makeup artists, and the like

Isn't that covered under "influencers"? What tangible benefit does Twitter provide to a working makeup artist (ie someone doing makeup for films/tv/photography/etc)? Sure, there are makeup artists that run businesses on Twitter, but their business is selling branded makeup and promoting sponsored products. That type of business is 100% reliant in social media, but aside from influencers are there any working professionals that would be unemployed without Twitter or Instagram?


No, why would he? They're completely different. Twitter is nothing at all like a phone number.


It's similar in that you may have set up your business in such a way that you rely on your phone number for clients to contact you, and you may have set up your business in such a way that you rely on your Twitter for clients to contact you.


Very common in banking is a situation where you deposit a check, but the bank puts a 2- to 5-business-day hold on availability of the funds until the check clears. They might do this if it's not a local bank, or if for whatever reason they have a doubt about the check clearing.


You assume didn’t weigh them? This was practically two decades ago, but I can assure you weren’t flagging payroll transactions. Typically we were flagging obvious cases of wire fraud.


> twitter is just silliness

It was one of the premier sources for propaganda during a certain country's recent election. It has been used to coordinate protests. It's been used to break national news. You can get minute-by-minute updates of events from it. Let's not pretend that one of the world's most-used communication platforms doesn't play a huge role in modern discourse.


Actually this^ I'm not certain why it was downvoted but I had forgotten to take the Arab Spring into account and Egyptians organizing on twitter around the internet ban. Both have had... outcomes. But they were clearly necessary actions and twitter did help fuel that occurrence.

To contrast though, if a service being a premier source of propaganda (avoiding the question of this specific case since... politics) and offers no other value, then it's actually worse than trivial it's harmful.

So, it's a mixed bag. I still wish there was a better engineered platform than twitter out there though.


to some, soccer and american football are just silliness. and yet these are multi-billion buckos industries.

It can be used to influence elections, to shape public opinion, to market products etc. Billions are at stake. It's real. It's not silliness.


Yeah, I have abandoned a bank due to bad rules on its strategic delays on transactions. Every time I had a problem I could solve it with a quick call, even outside of working hours, but it was a bother.

It's not an inherently bad thing to do, but it's easy to overdo, and on a company that depends on network effects it can be very dangerous.


The same is an efficient email anti-spam technique (greylisting). Except that you get all your emails delayed by 20min-5h, which will not make any user happy.


I tried to open a new account on Twitter app for Android, using only my email. It was going ok until it asked me to provide my phone after confirming my email. The reason: suspicious activity / spam behavior. The account is in limbo now, and I can't access it any more.

Time to spin up a Mastodon instance.


The same thing happened to me two years ago, though I had signed up with a PC with Gmail and my account was locked pending phone verification within an hour.


fwiw, if you challenge this, twitter will restore your account.


This didn't work in my case.

I signed up using a Tutanota e-mail. Every time I got a verification code and then entered it into twitter I got an "Oops, something went wrong." message. After spending many hours in vain trying to find Twitter's e-mail support, I gave up and initiated a "Trouble logging into my account" help procedure. However, that ultimately failed since surprise! Twitter couldn't find any history under that account name.


You don't even need to use a VPN or Tor, this happens often for pretty much any account registered from a residential IP as well.

This is the form you have to use: https://help.twitter.com/forms/general?subtopic=suspended


People... please... move to Mastodon https://mastodon.social/. There is no point in using commercial centralized service for things like sharing short message.

I hate Twitter because: - slow javascript - ads - won't show full thread without loging in - now requiring phone - censorship


Keep in mind your account isn't really unblocked, you have a very high chance of being shadow banned if you post on a VPN or TOR.


> They have been doing this for any account registered from a VPN

I made my own VPN with Algo[0] and host it on Digital Ocean. The IP is a Digital Ocean IP and therefore really hard to blacklist as a VPN. There is no way to tell if I am using a VPN and I regularly setup new accounts on Twitter (mostly shitpost accounts used for venting at products/companies that have wronged me), or novelty accounts that have a particular theme to them, etc

[0] https://github.com/trailofbits/algo


I think this process was the first actual change in my behaviour I noticed in response to GDPR: I actually did not mind providing my phone number that much, and trusted that they actually deleted it when I requested them to (using an option in the interface) after my account was re-approved.


They definitely do not delete it entirely because sometimes a phone number is prevented from being added to more accounts for a few days or weeks, saying "This phone number is already registered with another account" even if it's been already deleted from all accounts, though they may be just storing a hash of the number that's not linked to any user account.


The other component is that once they have the phone number, they can do anything with it they want, unless you leave the network. E.g. facebook once did the same, they required phone numbers "for two factor authentication". They promised to not use the numbers for anything else. A few years later they started sending SMS spam to users about what their friends did on facebook, and now facebook users can enter the number and the associated accounts show up... even though the number was supposed to be only for two factor auth. Your only choice as individual user is to leave the platform.


> Your only choice as individual user is to leave the platform.

That's not even enough anymore. You also have to make sure that every one of your contacts do not upload their address book to conveniently find friends like you who may or may not be on the network. And that they don't tag you in images, events, etc.

You're an entry in the Facebook database, whether you have or have had an active profile or not.


This is why you should block ads and trackers even if you're not a Facebook user. I have blocked all their domains in my hosts file also.


>This is why you should block ads and trackers even if you're not a Facebook user. I have blocked all their domains in my hosts file also.

...but that's such a myopic view of the problem. Facebook has this data. There's an entire market, intentionally kept from the public, that specifically deals in the selling and trading of profile data. This is why the concept of "shadow profiles" is important.

Let's say I have three friends who are on Facebook and I am not (which I'm not). Those three friends upload my contact details to Facebook and, from these three data points, Facebook can derive certain assumptions:

Sex from my name.

General age-range based on my friends.

General occupation (let's say all three are co-workers or previous co-workers)

General interests based on their interests. etc.

So, now Facebook has an ad-targeting profile of me. All they need to do to get more information on me, regardless of I'm blocking their specific domains, is to purchase correlating ad-profiles on what I'll call the advertising market.

So, my credit card purchases, my Google search history, etc. can all be correlated back down into this one shadow profile that Facebook holds on me and this can, in turn, be used to target ads to my friends. Not only that, but if I ever do sign-up for Facebook, they can immediately start targeting ads to me. (read: I'm not a net-advertising loss for being a "new user".)

I'm not saying that you shouldn't block Facebook domains but I think that, in the overall scheme of things, it's tossing a drop of water onto a raging bush fire.


Would you mind sharing the hosts file for blocking FB and all of their domains? I've done this too in the past, but my list seems outdated for a while now.



If you don't mind a bit more config to tune to your precise preferences, I'd highly recommend https://github.com/StevenBlack/hosts


I'm surprised that no nation or union (ie EU) has fought this. If people exchange phone numbers, are they also giving each other implicit rights to share them with anyone else? If not, shouldn't platforms that enable this en mass be reprimanded for it?

It is currently impossible to remain anonymous, regardless of whether you participate in the system or not.

In my case, given the density of my network on social media, and their propensity to fall for dark patterns that siphon private information - had I never owned a computer and lived off the grid, all the major tech companies would still know my: name, age, address, contact info, hometown, family members, income bracket, ethnicity, general dna (many family members did dna tests), and more.

Shouldn't I have a say in any of that? Shouldn't things like address book importing be restricted/illegal?


> I'm surprised that no nation or union (ie EU) has fought this.

Why would any politician fight this? It's a platform they all use to gain/sustain popularity, and it's the official national communication channel for the US.


Don't forget WhatsApp uploads your entire phonebook by default.


At least not on iOS, it needs to ask for permission first.


Actually, fb still requires the phone number, if you try to open up a few accounts in succession. You can't use throwaway numbers or Google Voice numbers either. So it's actually pretty hard these days to open a Fb (Or Hotmail or Gmail) account without a legit (cellphone) number.


throwaway numbers can mean many things even a 5 dollar sim. some services even let you change phone numbers on a whim cell numbers are mobile in more than one way and very easy.


Many places I've been won't let you buy a SIM without showing id.


Yeah. I think while not nation-state-secure, you can still improve your PII exposure to Facebook/Twitter/Google et al by buying/activating a SIM/phone-number and only using it one time for the purpose of creating an account.

I don't _think_ Twitter or Facebook are doing backroom deals with every prepaid sim vendor to be able to tie that phone number back the the identity used to register the sim card.

I wouldn't suggest you use this to register your Dream Market vendor account, but I doubt you'll end up with targeted advertising based on your other real-world web/app behaviour based just on the ID provided for a single-use burner SIM...


Yeah, what's the problem here? Presumably Facebook won't get the data on the legal owner of the number.


> Many places I've been won't let you buy a SIM without showing id.

You don't need to show any ID in Europe to buy non-contract phone number. You can go into most stores and get free or pay 1-5 euro for a phone number.


Germany passed an anti-terror law a few years ago, getting a phone number requires the same level of verification as opening a bank account.

Even before that prepaid phones have been a strawman argument, actually maintaining a 2nd number in the long run is quite a bit of work since it usually expires if you don't use it enough.


And then you typically need to do some kind of identity verification to activate it.


In Austria, Belgium & Germany you do, in Croatia & The Netherlands you don’t


Possible that's typical, but it's certainly not universal


Not in the UK you cant.


> Your only choice as individual user is to leave the platform.

For some platforms, even this is not an option. Case in point: LinkedIn (owned by Microsoft). I get "friend" suggestions about a friend that I know is not on LinkedIn. He's absolutely social-media averse, and would never be on LinkedIn (or FB, for that matter). But LinkedIn continues to claim that I can connect with him.

How did they get his email address? Because some third person (who emailed both of us) probably shared his contacts with LinkedIn.


> The other component is that once they have the phone number, they can do anything with it they want

Unless you are an EU-citizen.


Linking pseudonyms from two different networks (in this case, Twitter and the phone system) together is a classic and serious privacy leak.

It's far from clear exactly what information Twitter, in its longtime effort to combat spam, has already collected on its users. Throwing a phone number into the mix expands to range of activities that can be unambiguously tied to the same individual. Given that Twitter certainly knows IP addresses of its users, it's trivial to do things like link site visits directly to an individual answering the phone number.

Unfortunately, most people simply don't understand the implications of any of this. They don't understand what an entity, "authorized" or not can do with this kind of data. They are far too trusting of governments and other powerful entities to do the right thing. They have not been paying attention to the steady erosion of civil liberties around the world and can't conceive of, for example, ever ending up in prison for some lame post they made 10 years ago.


I agree. The first thing I thought was that someone will build a script that creates a Twitter account then simply uses Twilio's API to create a valid phone number to receive verifications.

Good luck Twitter!


"I agree. The first thing I thought was that someone will build a script that creates a Twitter account then simply uses Twilio's API to create a valid phone number to receive verifications."

Unfortunately, this will not work.

Twilio numbers are not "mobile" numbers and cannot receive SMS from shortcodes.

So while your twilio number can send/receive SMS just fine, it can't receive SMS from a shortcode.

As of my recent conversations with multiple Twilio engineers at Signal 2018, there are no exceptions to this rule - once a number is owned by Twilio it ceases to be a "mobile" number and networks providing shortcodes cannot send SMS to it.

In my experience, all banks/twitters/facebooks/etc. use shortcodes to send their auths/2FA/etc.

So it won't work, I'm afraid. I have heard, however, that there are some smaller twilio competitors that provide true mobile numbers but I forget the name(s) of those providers and honestly, I would be worried that those numbers would get blacklisted or filtered in some other way.

There's a reason other carriers refuse to send shortcode SMS to "non mobile" numbers ...


It won’t do. Twilio (and basically majority of other virtual number providers, except of very tiny few located in Europe) do not provide regular cell-type text messaging capabilities, but rather something PBX pros call “short codes”.

No self-respecting provider out there, be it Twitter Facebook, Gmail, Yahoo, Instagram, etc. will deliver your confirmation info via a short code. so you need regular ported cell number like Verizon or Tmobile.

Twitter allows up to 5 accounts created on one cellphone number, given you give each other few days of rest and use popular VPN.


> Twilio (and basically majority of other virtual number providers, except of very tiny few located in Europe) do not provide regular cell-type text messaging capabilities, but rather something PBX pros call “short codes”.

Twilio provides both regular phone numbers with SMS and MMS capability and short codes, the latter primarily for high-volume outbound messaging.


"Twilio provides both regular phone numbers with SMS and MMS capability and short codes, the latter primarily for high-volume outbound messaging."

Your parent is correct - you've missed each others' points.

Twilio sourced numbers cannot receive SMS from other shortcodes. No exceptions. They are not "mobile" numbers.

So yes, your twilio sourced number can send and receive SMS and you can even rent a shortcode from twilio and send/receive with that. What you cannot do is get a "normal" twilio number and receive shortcode messages.

For that reason, providing a twilio number to a provider like twitter or facebook will not work - they all typically send their auth messages via shortcode.


Those won’t work either with most big services asking for verification. There’s subreddits dedicated to getting non VOIP phone numbers (which Twilio isn’t) for verification.


The regular twilio numbers still (mostly) aren’t going to work for this stuff.


Full disclosure: I used to work at Twilio.

We ported wireless numbers in and out all the time.


And they've been trying to collect phone numbers for years. Any time an account is suspended, they try to require a phone number for it to log back in, for example.


At the risk of going off topic (and without responding to the issue of Twitter requiring real phone numbers), I want to make a point regarding your last sentence. If a post is somehow sufficient to (potentially) warrant a prison sentence (eg for leaking state secrets or inciting terrorist acts), then I would suggest the amount of time that has passed is irrelevant (within jurisdictional bounds). If a crime has been committed, responding to that within the statue of limitations is not an issue of civil liberties. Getting away with a crime (something worthy of s prison sentence) is not a civil liberty anyone enjoys.


You're thinking too big. Think smaller and more common.

Said something unpleasant about someone ten years ago? Guess what, he's the sheriff now, and has money in the budget to buy social media data on his enemies, or the freedom to tap into any shared federal database he likes. Next thing you know, there's a speed trap at the end of your block and each member of your family gets pulled over each day for a vehicle inspection.

These sorts of things weren't unheard of before the internet. The abuse of big data just makes it easier now.


You laugh, but in Terrebonne Parish, Louisiana, this was very much a thing recently.

https://reason.com/blog/2017/09/08/sheriff-settles-over-blog...


I think you forget that not every government is so nice. A comment against a young politician today could be a comment against the sitting dictator in 10 years that won’t care so much about the statute of limitations.


This is the reason I bailed while trying to create a twitter account recently. How often do you change your phone number? Once these ad companies get hold of your phone number they can track you across multiple services and build a complete profile of everything you do and track your every move.


Agree with the sentiment but what better alternative do you propose to prevent abuse?


Require a deposit to sign up. If you quit you get it back. If you get banned you lose it.


Pretty sure this is already a part of Paypal's business model, with their random account freezes.


This is what the discussion site metafilter does. Unlimited lifetime access for USD $5. It appears to work - very high S/N ratio there.


This is an interesting idea. Doubles as a strategy for monetizing.


From an accounting perspective in this hypothetical scenario I believe that you would not be legally allowed to dip into the deposit money save for that recovered through bans. Which creates very perverse incentives.


Landlords are allowed to place received security deposits into interest bearing accounts.


Where I live they owe interest to the tenants on deposits.


Correct. And they get that interest by placing it in an interest bearing account.


I suppose you could take the deposits and earn interest on them as a possible supplemental revenue stream.


Not trying to go there but this very clearly sounds like a staking system


Hasn't that battle been lost for a while now though? How many different services have linked phone numbers with email or some other handle? (Particularly for 2FA)


Depends on how you think of it.

On the few accounts I've been required to use that require a phone number, I've given them one. It just happens to be one from a modem phone pool.

I'll worry about what problem that may cause when it becomes one. Usually, these are for stupid things required for some project or another and the need for them is time-limited. I will not use FB, and have a pile of Twitter accounts with no phone numbers attached if I ever have reason to care about that.

And at the rate we're destroying trust in the phone system with spam, I don't think anyone will expect pickups in a few more years.


Quite many services require phone numbers. But services like reddit, GitHub, lobste.rs, or hacker news don't. Twitter has been in that list itself, but now is outside.


Twitter knows what IP you connect from, which might easily be through a VPN. The flip side of low-friction authentication is epidemic abuse by trolls, which arguably damages Twitter's brand.

Unfortunately, most people simply don't understand the implications of any of this.

Well, so you say.


>> epidemic abuse by trolls,

I am soo tried of hearing this excuse for mass censorship

First of it MASSIVELY over used to the point where people call anyone that disagrees with them "a troll" or a bot.

Twitter is hurting their own brand by their obvious political bias and selective enforcement of rules largely dependent on outrage mobs to "report" rule violations.

Like real names policies before it, these types of "verification" scheme do little to curb actual abuse, and in many cases shuts out moderate voices

Twitter is already quickly heading off a cliff where 2 political extremes are left yelling past each other (not actually communicating or discussing anything), and this policy will do nothing to change that

//disclosure, I have never, and will never have a twitter account


Wait so you don't actively participate in Twitter and yet you feel entitled to give a valid opinion about how the abuse works?

Cause let me tell you, the number of accounts I've seen whose commentd get overrun with bots is not trivial at all.


and you know they were bots how?


They give away themselves fairly easy:

* Random meaningless names like "lucy2342", "23markbeard" * No profile picture or a very obviosly random picture * Generic descriptions that dictate obvious political alignment like "Mother. Southwest USA, Republican, MAGA!" * No original content in their timeline except for retweets of political articles from garbage content farms * Really bad English grammar for whenever the bot requires human intervention.

They generally brigade tweets and have a complete lack of interests outside of this narrow activity.


1. It’s very strange for someone to both claim that they never use Twitter and also claim “abuse” is an overblown excuse. Twitter is currently the model platform for large scale mob justice and harassment. 2. The “real name” policy is effective on Facebook for the type of abuse Twitter is trying to curtail. It would help if you explain why you feel the real name policy is ineffective. In any case, only Facebook (the product) actively enforces a real name policy.


Facebook is a dying platform, but I would love to understand why you believe it was an effective policy.

It is not really enforced either, I know several people that have multiple accounts under fake names on Facebook


Not having an account is not the same thing as not using Twitter, you can read tweets without an account


Having to provide a phone number isn't mass censorship.

Twitter is hurting their own brand by their obvious political bias and selective enforcement of rules largely dependent on outrage mobs to "report" rule violations.

Like real names policies before it, these types of "verification" scheme do little to curb actual abuse, and in many cases shuts out moderate voices

Guess what, I just reported a guy with 106k followers that is inciting thousands of them to get ready for mass hangings of their political enemies "at a scale which will rock this world for 100 years" with gruesomely detailed threats against specific individuals. A self-professed adherent of the same conspiracy theory/cult committed a murder in New York just a week or two ago.

But I'm the bad guy in this scenario for saying that organizing murder might violate the Terms of Service.


Nice strawman you made there

You know full well that is not the type of reporting that I was talking about.

There are outrage mobs mass reporting people over jokes, things they find "offensive", and hurt feeling.


Oh, but you were being totally sincere when you took my comment about 'epidemic abuse by trolls' and complained that such terms were 'MASSIVELY over used to the point where people call anyone that disagrees with them "a troll" or a bot.'

I don't care what you were talking about. I was clarifying what I had been talking about before you came along and attempted to change the subject.


What's "MASSIVELY overused" is the trope where getting banned from a website equates to mass censorship. You're not entitled to a platform on twitter. If you get banned from twitter go do something else on the internet or beg for forgiveness and use their platform under their terms.


I always fine is amusing when Authoritarians that support censorship all of a sudden love liberty when they can use it to support censorship

The fact that I do not have a "right" to use twitter has no bearing on if Twitter engages in mass censorship of their platform, I did not claim that I have a right to use twitter, or that twitter did not have a right to censor it

Twitter can come out tomorrow and say only left identitarians are welcome on twitter, and everyone else would be banned. That would be be mass censorship AND with in their rights as a private company


I'm guessing we'd agree that Twitter has an overt bias. I'd suspect we'd disagree about which way it leans.

Which sort of suggests to me that we're both wrong.


the left bias of twitter is well documented and more or less admitted to by the execs.

There is zero evidence they would be right biased


I'm assuming it's to try de-anonymize users and make bots less cost effective.

Nothing propagates faster than hate on Twitter and seeing as it's being actively weaponized to spread propaganda, I'm all for new measures that try slow the spread down - esp. given nothing else has worked thus far.


I wish there was a service out there that you could use your phone number and they will validate that you are real for companies and they would be separate from Twitter or any company using them so the user remains anonymous. I don't like some of the nasty stuff the net throws my way either but I do ultimately think if I had to choose a censored internet vs uncensored but full of negatives, I would chose the uncensored. The internet is one of mankind's greatest achievements. Once you start censoring it, abuses of such control ultimately will happen.


This almost sounds like something too good to be true. Big companies like Twitter and Facebook wouldn't want to use this service because they want to collect the data. This company would need to charge websites for the service, otherwise their only alternative is to sell their user's data or advertise, which leaves us right where we already are.

Of course there may be other ways for such a service to survive, but those are my initial thoughts about seeing something like this happen. I would love for something like this to exist, though


I take the opposite view...something like this seems rather viable as a business that companies would gladly pay money for but it also basically sounds like another Equifax/Experian/Transunion fiasco waiting to happen. The only logical thing I can thing of is a consortium of the big telcos creating a shared database and service that companies could tap into.


I expect they'll reverse this. Twitter is literally just bots arguing with bots. That and every political operative has like 20 sock puppets to drum up 'grassroots support' for whatever they're shilling.

They should put Cheeto on the payroll, he's the only reason they're still relevant.


> and make bots less cost effective.

You can rent really mobile phones in China for 5cents or so, up to 20cents for EU and other countries which will probably have a better success rate.

It is not going to stop bots


Guess that means old legacy bot accounts just got a whole lot more valuable.


I had this problem when creating a new Twitter account last month. Within minutes after setting up an account via iOS app, was locked out for "suspicious behavior". Didn't even tweet once. Residential IP. They wanted me to add a phone number.

I went to the help section and wrote a pissed off message to customer support...if they wanted my phone # they should have asked for it instead of accusing me. Shortly after, my account started working again.

For anyone else with this issue, try: https://help.twitter.com/forms/signin


I had the same thing happen. During signup it asked for my phone number but said it was optional. A couple of minutes after I created my account, it was locked and they said it required a phone number to prove I wasn't a bot. I just closed out my account because I only planned to use it to follow some people anyway.


The exact same thing happened to me a few months ago.


This happened to me on Discord. I ended up just getting the admins to bridge the room into Matrix and joining there.


I wonder how anyone actually uses twitter because I constantly get messages that I am rate limited/blocked and when I signed up for an account it was quickly locked when I had posted nothing. Its like they actively want no one to use it.


If you contact support and say you don't have a phone number, they unblock your account as well. That worked for me.


Also happened to me. I ended up giving them a Google Voice #.


The article states and asks:

> I had a new IP

> I had a newly installed operating system and browser.

> What exactly about my behavior is unusual?

It's not that this behavior is unusual (though, it is), it's that this behavior looks exactly like a bot. It's sad, but this is the state of the world now. If you're a big actor like Twitter, you end up blocking anything that looks like a bot, with an escape hatch a user can't do. Phone numbers are the an option for that, and it not doubt helps block other cases Twitter wants to block as well.


It is kind of weird to consider not having a static IP as "suspicious" as dynamic IPs are the de-facto standard with most ISPs in my country, you actually have to pay extra if you want a static IP.


Oh, I don't know. I get 1 free static IP with my ISP.


Right now that may be the case but, I'm curious if this might cause some small nation with an international code to succumb to the massive amounts of money spammers will start offering for large banks of phone numbers... Looking at you British India Ocean Territories...


Once they noticed, they'd probably disallow that country code for verification. And if legitimate users from that country started complaining, I feel like "maybe you should ask your government to stop selling you out" would be a perfectly reasonable response.


I'm sure you're right. I honestly wouldn't be surprised to learn it's already started.

The escalating warfare will continue. I'm not sure where it'll go from here, but I'm sure it won't be fun for people that value privacy.


Why not just captchas and a classifier looking for bots in the sign up process? That, plus better detection and removal of bots seems like a "good enough" option that wouldn't inconvenience real users.


Captcha factory are cheap. You can find people solving 1000 recaptcha for $2.99, with API access.


The good news is, eventually it'll just be so loaded with bots that we can stop talking about Twitter all together.


It's understandable they might require a phone number to keep down spam.

It's less understandable they'd lie to new users on the reasons their account was blocked. We can't expect even the smallest scraps of honesty from corporations anymore.


It is understandable why they'd lie. If the error message was something like, "your request was blocked because you've included HTTP headers in the order [x-foo, x-bar], which is the header ordering in 99.9% of spam tweets", they would just change their agent's header order instead of no longer spending spam.

I am not sure people realize what a high percentage of users of "free" services are spam bots of some sort. Sit around in the average Twitch channel and you'll see a flood of spam from similarly-named accounts every so often. They get around the filters because Twitch tells you why you're filtered. "This room is in followers only mode", so they follow the stream they want to spam a few days/weeks in advance. "This word is not allowed by the spam filters", so they change one letter and continue spamming that word. Etc., etc.

It sucks for normal users caught up in spam filters, but it's an enormous problem that there is no easy solution to.


You misunderstand - not divulging what triggered the suspicion isn't lying. Claiming a phone number is required due to suspicious activity, when in fact it is required of almost all new accounts, is.


Another covert spam fighting way is when one of the platforms require you to set up a phone number "for two factor authentication", basically not letting you to use their service unless you actually provide the number. There are multiple platforms framing the issue in this way.

Facebook once required that you set up 2 factor authentication and they promised that the phone number won't be used for anything else. Few years later, they started spamming users at those phone numbers with notifications about what their friends did. And since this year, those numbers can be used to search for users on the platform.

The big issue with giving those platforms your data is that you hand over control. Even if they promise you something.


> And since this year, those numbers can be used to search for users on the platform.

And someone really should go after them for it. Last month an abuser from a decade ago found me on facebook and messaged me out of nowhere. Upside is i was able to tell him off, but I know many other people would have a far more.. trying encounters.


Creating an account from a system which no Twitter tracking pixel has ever seen may well be suspicious, where suspicious means statistically correlated with accounts create to spam or acts as hostile bots.

I don't think this is lying at all.


I'd find anyone creating a Twitter account in 2019 to be somewhat suspect.


New people are born every day.


I've wanted this as a service forever. Does anyone do it?


I believe Google's captcha does. With the unfortunate side-effect of Google de-anonymizing everyone they let through - as you'll know if you try to access something behind captcha through Tor, and get stuck in an infinite loop helping Google train their artificial vision.

They claim it's against bots, but no matter how well you identify traffic lights and fire hydrants, it won't let you through.


Google's works with JS, though, right? It's not a service where you feed it a request and it responds how likely that request is to be spam, right?

I know JS is probably better for this, since you can do all sorts of things like measure how the user types and scrolls and whatnot.


I don't use Twitter much, but every time I click on a Twitter link from my Android phone...it pops an error page.

The page says either something about an error, or that I'm rate limited. A page refresh usually then works fine and displays the page.

Is this related to similar attempts to block bots/spammers? Or maybe just something wrong on my end?


Are you trying to do so from Firefox / a reddit app? This is fairly normal and the general conspiracy theory is that it's an erroneous error to get you to download the Twitter app once and for all.


Stock chrome on an Android phone. Most often from a Twitter link on HN. I'd say I get an error 90+% on the first try, and the refresh usually works the first time... occasionally, I need to do two.

Bone stock phone, nothing notable about it or the browser. Doesn't happen on my Windows or Linux desktops.


I have the same problem. I don't really use twitter, but sometimes I get a link to there from Reddit or HN. Twitter never works on the first try with Firefox or Chrome on Android. Often a refresh helps, but sometimes it does not work at all.

I too think it is done intentionally to get users to install the app. I can't think of a reason this is a simple bug. But the again... Hanlon's razor.


Open the links in desktop mode and see if the errors go away.


Why would you run stock chrome on android? Use a privacy respecting browser like firefox or Brave and install an ad-blocker like Ublock before browsing the web.

Chrome does not respect user privacy and is designed to not support add-ons as it will hurt Google's core advertising business.


^This guy privacies. Let me add the suggestion of CanvasBlocker, since browser fingerprinting is a thing that all of the kids are doing, nowadays.


Ok it’s not just me. Twitter works fine on my desktop, but whenever I seem to use it on mobile I get the rate limited error. I swear it’s 70% of the time. Usually if I go back and try again or refresh it works the second time.

Always regular mobile Safari.


Now I'm wondering if there is maybe a repeated, but not infinite, redirect loop from regular twitter.com to mobile.twitter.com

Repeated enough to trigger the rate limited error.


I think they rate limit based on the HTTP referrer. That happens to me but it's always gone away when I manually copy-paste the URL.


It happens to me too, only when linked from HN.


Ahh, so rate limit by referer? That's weird. I wonder why. Almost guarantees viral events make Twitter look broken.

I mostly only navigate to Twitter from here, so I didn't make that connection.


> Ahh, so rate limit by referer?

I don't know. Maybe they just don't like HN and this is a better way of saying it than a photo of a testicle.


They also aren't allowing "throwaway" VoIP numbers, so you can't even mask your main phone number - I tried signing up with both a Twilio number and a TextNow number and both failed with a "This number is not supported" error. I ended up opening a support ticket and they allowed me to bypass that requirement only after I explained that I don't have a traditional phone number.


Did they require any more PII to do it over the phone?


No, I just had to open a support ticket. That said, it definitely added significant friction to signing up, and took two days for the ticket to be approved.


Unlike some other popular sites, at least it's possible for a regular user to open a support ticket.


i was able to do the same by saying i didnt have a cell phone. it took some time only one email correspondence but they are somewhat catering. twitter in this case.


We're going this way as well (requiring & verifying phone numbers, not locking accounts).

We don't have a problem with bots, but users in the "not so tech savvy" segment tend to switch/discard/forget their email address. Rather than try to recover their account with us, this group will subsequently just create a new one, and then wonder & complain that their profiles/settings/content/histories aren't carried over. We fix them up after an identity check. It's both a support burden and a negative user experience.

Turns out that phone numbers, whilst also subject to flux, have better long-term congruence to identity, and thereby help us to detect account duplication and manage it.

People also make fewer errors in entering their phone number.

It irks me that public sentiment could be normalized against supplying a phone number due to abuse by the global-scale consumer surveillance utilities, because those of us running trustworthy businesses can use it to legitimately provide a better user experience.


> Turns out that phone numbers, whilst also subject to flux, have better long-term congruence to identity

Exactly why using verified phone numbers endangers a user's data. A phone number is much closer to a their true identity than an email address, exposing disparate system data to be cross-referenced by breaches and malicious actors.

For this very reason it's illegal in Australia to use a person's government uuid (Tax File Number) as a username.

I'm sure the unwashed masses don't care right now, but the recent kerfuffle over Facebook's sneaky 2FA switcheroo and other privacy sins shows that they might care after enough scandals.


> Turns out that phone numbers, whilst also subject to flux, have better long-term congruence to identity

I'm not sure this is actually true, at least in the long-term. Most people keep their phone number for a long time, but if they ever cancel their phone service, the number usually gets recycled and given to someone else (unlike an email, which almost never gets re-used). If you're storing any kind of sensitive data, and allowing people to access it as long as they can verify their phone number, it could end up being a pretty serious privacy risk. It could also stop people from signing up for your service - if I get a new phone number, and the previous owner of the number has already signed up, what am I supposed to do?


That's an interesting nuance and is the reason we can't/don't use phone number as the primary identity, and must be wary of it for account recovery, but we can and do safely use it (in conjunction with other factors) for duplicate account detection.


> Turns out that phone numbers, whilst also subject to flux, have better long-term congruence to identity, and thereby help us to detect account duplication and manage it.

What service do you offer? Because I would never give a company where I wasn't paying for the service my phone number. How do you guarantee you won't misuse it or have ample protections in case of a breach?


We're a two-sided network for sports competition management and work with athletes, clubs, associations, and governing bodies. Users pay real money for our services, we don't carry ads or even tracking pixels, and our privacy policy details exactly how, when and to whom PII is disclosed.

The broader point is that collection of phone number isn't intrinsically a bad thing, it's rather the usage and trust level that matters. Judging by the parameters and caveats in your question, you have a similar perspective.


>The broader point is that collection of phone number isn't intrinsically a bad thing

Phone numbers as usernames is intrinsically bad for user data security at the meta level. If a service requires a verified phone number to signup, it becomes a de-facto username.

Let's say a fetish dating site is partially breached, and the usernames are emails. Now your let's say your database is fullly breached, with the usernames as phone numbers and emails included. Guess what happens next with the intersection of those two datasets?


That is a general problem even if the phone number is not the username and is not limited to phone numbers, but also any data that is referenceable by email addresses, which is to say almost every unit of PII in almost every online system that exists today.


The implication being that if a system requires a verified phone number to use, then breaches are intimately tied to an individual's real identity. This is far less true of email addresses.


Your remarks only make sense to me if you're trying to remain entirely anonymous on a fetish dating system whilst simultaneously disclosing personally identifying information for reasonable use, and I can't reconcile these two objectives.


At the meta level: I use a variety of online systems that I trust to varying degrees, from high to low. Currently I can control my level of information disclosure by using different email addresses. If these systems now require a verified phone number, I then have to trust them all at 100%, tied to my real identity.

So a SaaS website requiring verified phone numbers seems benign on the surface. However if this becomes widespread then the overall identity landscape is compromised for the user.

At the system level: This is essentially the pseudonym-vs-realname debate. Twitter is the perfect example. Let's say I open an account to whisteblow on my government's nefarious activities. Now if there's a breach or state interception (eg China), they know exactly who I am and where to find me.


Well then this is going to bake your noodle: we also ask for correct name, date of birth, and emergency contact details, because those are also useful/necessary for our business.


Fair enough - your product is clearly operating at a high level of trust. My concern with required verified phone numbers is if they become a widespread pattern, I now need to treat eg my Reddit porno alias as if it is linked to my street address (in case your system and Reddit become compromised).

Back to the context of Twitter, this is mitigating the troll system problem by introducing a user identity one.


> our privacy policy details exactly how, when and to whom PII is disclosed.

And it's your right to simply change that privacy policy whenever you see fit, and you still have my phone number. There is nothing legally and systemically that revokes your right to that.

> The broader point is that collection of phone number isn't intrinsically a bad thing

It's intrinsically a bad thing because our general trust model is simply fragmented and thus poor. See my point above.


We might want to call you if there’s a problem with your account e.g. a failed payment.

This overwrought paranoia and worst-case-scenario scaremongering just leads to bad customer service.

If you’re not a customer then I neither need nor want your contact details.


>Rather than try to recover their account with us, this group will subsequently just create a new one, and then wonder & complain that their profiles/settings/content/histories aren't carried over.

Did this sentence make anyone else really sad?


We're in a similar sort of space with regards to shifting emails and a lack of easy account recovery. I have educated my family on password managers and I really would appreciate (it's beyond my means) someone putting some serious effort into getting a larger proportion of the population onto using password management software - along with a nice free cloud based option. There is so little data involved in these sorts of things that it's got to be pretty much incidental to offer free storage in a safe encrypted manner.


What service of yours am I avoiding now? Phone numbers are terrible pii for reasons enumerated here and countless other posts. Why on earth would you do that?


In order to call you if there’s a problem.


But why do you require phone numbers instead of offering them as an option alongside email? What about people who don't have a mobile number?



For the use case I described, that article actually confirms our direction.


Something like this happened to me. It certainly prompted me to look for alternatives (e.g., Mastodon).

You can start small: sign into Twitter every other month. IIRC, this will decrease the number of active users they report to investors.


Instead of only logging in every other month you might as well ditch the service completely, no?


I can't get the article to load (hugged to death?), but I'd imagine the reason that they are finally moving on this is due to combat harassment.

I can't blame Twitter for adding friction to its sign up process because of others abusing the platform.


I could blame them, but considering everything else wrong with Twitter there is no point. Avoiding Twitter is easy and you lose very little.


About a year ago, there were a lot of topical submissions to HN (that I liked reading) but received community backlash, because they consisted almost entirely of posting tweets (of Trump et al) about the current political situation. The community here made an argument that I could agree with: if I wanted to read it, I should just follow them on Twitter.

So I made a Twitter account, that I checked about once every two months, that followed the relevant players. I didn't make any tweets of my own and I didn't favorite or retweet anything. Just catching up on what people have been saying worked for my interests. Twitter banned me for Harassment. I had nothing that could have possibly offended anyone - I didn't even have a bio for my profile. I'd say the system assumed I was a robot? It was frustrating to me, because in order to appeal my ban, I had to provide my phone number. I don't want to give Twitter my phone number. I get the fewest spam calls of anyone I know, and I do that by protecting my phone number. Twitter has earned no trust from me, and is not getting my phone number. I tried to delete my account, but it needed my phone number to do that. I tried to sign out of the account so I could just see tweets as a guest, but it wanted my phone number for that too. Well, I signed out by deleting browser data, but there is still a tombstone on my email address in their database.

This experience has sown distrust with me about Twitter's harassment numbers. It's not that I don't think harassment is a real problem, it's that I think they are often self-serving in their actions and analysis, and for them to say they're doing something because of harassment isn't enough for me anymore. We can speculate all we want about what their reasons might be, but to be so trusting as to take their harassment claim at face value isn't something I'll do.


are daily active users not a thing that are reported to investors


MAU (monthly active users) is typically the metric they look at.


Twitter specifically said they will no longer share their MAU numbers and will only report "monetizable daily active users" going forward: https://www.recode.net/2019/2/7/18215204/twitter-daily-activ...


thats rad. cant imagine an advertiser doing legitimate spend justification on mau.


My wife and I cancelled our phone services a while back to save money since we rarely if ever have to call anyone and just use messaging to keep in touch with each other and friends.

What are people like us supposed to do?

I do have a Google voice number, but I noticed one or two places recently that won't accept that anymore.


> I do have a Google voice number, but I noticed one or two places recently that won't accept that anymore.

Mind sharing where? I've use my Google Voice number exclusively for 6 or 7 years now. Can't say I've ever ran into such a thing.


Sites that require phone number verification often block numbers allocated for VoIP services for fear of spammers. YMMV if you've tethered your GV number to a physical device at some point.

I've run into this semi-frequently over the years, and it's always extremely frustrating when it happens, but somehow I can't remember exactly where either.

Old references online point to Facebook, Line, and Snapchat: https://www.reddit.com/r/Googlevoice/comments/3uv3mt/google_...


I can back this claim up. I was unable to verify my Citi credit card over the phone using my Google Voice number, they insisted on a non-VoIP number which ultimately delayed the verification process by a week.


FWIW I may have just signed up at the right time, but both my Facebook and Snapchat are tied to my GV number and I've never had any issues.


I don't remember honestly, but I was looking for a site to do my taxes when I saw the last one. I didn't finish signing up. It mentioned not supporting "voice over IP" numbers, or something to that effect. I wish I'd taken a screenshot.


It’s happened to me a few times with my Gvoice number. Which is really annoying because this is why I use it.

It usually gives no specific information about why it failed, but then I use my main mobile number and it works fine.


It used to happen for me on Telegram (I think it's been fixed within the last year though), and recently a startup (Mealplan) blocked it because it's a "voip" number. I even tried emailing and explaining, but they just said they don't support it.


Tinder won't accept Google Voice numbers. That kept me off their platform for years.


Microsoft won't take any known voip account for an Azure registration, which created a minor challenge for me as all my numbers are google voice only as well.


Craigslist is one recent example that I came across.


Another is Credit Karma. And others have said Zelle no longer allows it.

Would love if someone made a list so those that have moved to VoIP wouldn’t need to waste time.


WhatsApp.


I have a prepaid account, which is basically free after the initial investment, which is usually just a few €/$/£/etc.

If you're careful enough it can also be reasonably anonymous.


> reasonably anonymous

The signup process has always been quite invasive for me. Is it possible get a phone in the states without handing over your SS, name, and DoB? I've never tried; what happens if you give bogus info?


I don't know about the United States as I've not been, but in every other country I've gotten a SIM it's been a matter of picking it up and the store and handing over money, same as if you're buying, say, deodrant. You can top up money anonymously too by buying prepaid vouchers.

I've certainly never had to hand over stuff like social security number (wtf?), but perhaps laws and/or telcos are different in U.S.


My family lived in Thailand when I was teenager, and this is how it worked there until just before we left (around 2013) there was a new law or something, and you actually had to physically go to a place, fill out a form, and show your passport just to get the stupid sim unlocked. At least in the US you can do it online or through the phone.


Prepaid cards..?


there is no real prepaid in the US, the closest is USMoble which is still around 20 US a month


t-mobile has a USD 3/month pay-as-you-go plan.

(I don't live in the US, but keep a T-mobile sim card active for when I travel there).


If I weren't so attached to my number I'd probably ditch phone service too. Do you have issues with Google Voice needing another phone number?


Haven't so far, but I know a real number is required to sign up, so who knows how long it will work..


If there are enough people like you, I'm sure they'll find some way to accommodate you. Maybe they will accept a scan of your passport or ask for a bank account number or some other piece of data that makes it at least a tiny bit harder to open an account.


> Maybe they will accept a scan of your passport

It won't be long before https://haveibeenpwned.com/ will let you type in your driver's license or passport number and tell you if a scan of it has been leaked.


There has got to be a better way to do online identity as a society! The most promising ideas I've heard about are WebAuthn and Estonia's digital identity system. How long is it going to take to get out of the dark ages and get this right?

One thing I'm sure of, uploading a scan of my passport to every website is not an appealing thought. Besides the inconvenience, do I really want my passport spread around on dozens/hundreds of different high-value servers run by who-knows-who?


There isn't any good way to maintain perfect privacy while also rejecting bots/trolls with 20 accounts.


Here's an idea that I thought of..

Suppose WebAuthn was the standard authentication scheme everywhere. People used a series of tokens (Yubikeys, phone apps, etc.) with private keys which they use to authenticate to services. The government runs a department where you present them proof of your identity and the public keys from your Yubikeys/whatever, and they would publish a cryptographically signed electronic message which read the equivalent of "the owner of the private keys associated with public keys a, b, and c is a real person"). Then, when you signed up for an account at Twitter, or wherever, they could quickly check that published list and know that you where a real person.

Advantages, you own your own private keys and completely manage your online identity. The government doesn't have any control over where you log in, or who you sign up for accounts with. Also, you can remain anonymous to the site you sign up to. They can check that you're a real person and only signed up once, without actually knowing your real name or other details.


This still doesn't allow for the case where you have multiple accounts for valid reasons like keeping personal and professional accounts but neither does a phone number so this is still an improvement.

I think the main thing blocking this is its a huge pain to go through this system when the average person doesn't care that facebook and twitter have their phone number


> huge pain

The current system is a huge pain too...

I have 700+ accounts recorded in my password manager. Organizing, managing, occasionally changing passwords on important ones, etc. etc. takes a non-trivial amount of time and dedication!

And it's way way harder for many people who never got a system down, something I'm reminded of every time I visit my grandparents.. :-) Their main email account used to be an old ISP one that they'd payed for for years, and for whatever reason (I couldn't figure out why) it stopped working with some sites. Without that email account they lost access to a bank account, several credit card accounts, and some other stuff, and I ended up walking them through setting up a gmail account and calling in to change the email associated with all those accounts. Well, I used their landline phone to help set up the gmail account, and this year they moved, no longer have that phone number, and lost access to that account. I tried to help recover it, but wasn't successful. Guess what... they had to repeat the process for the bank and all those credit cards.


This reminded me of something I recently learned of, SQRL, a 77 digit numerical identity for web service authentication.


NOTE: in the following when I talk about "digital cash" systems I am not talking about blockchains!

It might be possible to do something based on one of the centralized "digital cash" systems that cryptographers have developed. A typical system allows some central entity (e.g., a bank) to issue a "digital dollar".

The digital dollar can be transferred to a merchant in such a way that the merchant can turn it back in to the bank, and the bank (1) can recognize that it corresponds to one they issued, (2) can tell that it has not previously been turned in, and (3) gets no information whatsoever about who they originally issued it to.

So suppose some entity that people trusted revealing their identity to provided a service where you prove your identity to them, and they use a digital cash system to issue you a token. You can redeem that token at Twitter, which verifies it with the issuer, and if it is valid and not previously redeemed, lets you create an account with no further need for identification.

The token issuing entity does end up with a list of real identities of Twitter users, but has no way to match those to Twitter accounts. (Or rather, they have the identities of people who asked for Twitter account creation tokens...they have no way of knowing if a given person ever actually went ahead and created an account).

If your Twitter account gets banned and you want another one, you'll either have to try to go through the token issuer again, and they can see that a token was already issued using your real identity and refuse. You'll have to do something like get other people who don't have Twitter accounts to use their real identities to get tokens, and then give those to you.

That was just an off the cuff idea, to suggest some possibilities, and based on the capabilities of the earliest digital cash systems. I bet you could design a more sophisticated system where the token issuing entity works with multiple sites, and can't tell which site you are getting a token for, but can still limit you to one account per site.


You don't even need the token issuer to have government identities, you just need some way of rationing tokens.

Using identities for that is actually somewhat problematic because identity theft is generally pretty easy. The attacker compromises many devices, or a database containing the information of millions of people necessary to impersonate any of them to the token issuer. Then not only does the attacker get a large number of tokens, a large number of people also lose the ability to sign up for the service themselves. It also opens you up to deanonymization attacks if the token issuer and the site collude, or anyone else can compromise or coerce both of them at once.

But there are plenty of other alternatives.

You could ration them based on some other scarce thing, e.g. issue only X number of tokens per public IPv4 address or IPv6 /64 block per year.

You could exchange tokens for a security deposit. A few dollars for a token that can be used for over a decade is a minimal cost to a real user, but a few dollars for a token that lasts 90 seconds before getting banned is a real cost to the spammer.

And you can combine them. One free token per public IPv4 address per month, and if you need more then provide a security deposit.


There is proof of stake. You stake some moderate amount ($25), refundable at any time but forfeit if you spam. For a non-spammer it effectively costs nothing but the spammer loses their stake for every spam someone reports, and every spam posted against the same stake can be disabled at once.

The requirement obviously being the ability to make small anonymous payments.


Post a bond? I like this idea a lot.

I think it would be great for Twitter if they could get away from the advertising model. If holding a Twitter account required holding a share of Twitter stock, I wonder if users could end up owning the platform?


This is the new norm... expect all services to require phone numbers due to spam and propaganda.


I have a really split opinion about this. On the one hand I've seen a lot of really hateful stuff lobbed around on sites like Twitter, and I suspect that linking accounts to phone numbers would dramatically reduce that. On the other hand, I'm not sure I want Twitter (et. al.) knowing my phone number.


I think that at this point FB has proven that people will be nasty regardless of how not-anonymous they are.

As such I'm doubtful this will change anything about peoples behavior.

It's also quite scary how nonchalant many people here are arguing for this to stop "propaganda" which these days seems to be as easily defined as "Anything that doesn't conform with a Western/US-centric narrative".

Because I have yet to see one of these "propaganda ban waves" be reasoned with anything but "Russia/Iranian/Chinese propaganda" like that's the only kind of "propaganda" that exists [0].

As such I consider these "propaganda bans" just another exercise in propaganda [1].

[0] https://washingtonsblog.com/2014/07/pentagon-admits-spending...

[1] https://en.wikipedia.org/wiki/Falsehood_in_War-Time#Summary


This is bit of hypothetical, but does some sort of pki-like scheme exist that would allow me to hold a certificate (of sorts) from an authority that I could use to prove myself to an service, but also simultaneously would not leak any information about me to that service? Similarly service a and service b should not be able to link accounts behind my back. Sounds like a interesting crypto problem


There'd need to be some central authority (like you said) doing the certificate issuing that verifies that you are, indeed, a human, and that your a unique human that they haven't already given a certificate to.

Chances are they'd want more than a phone number; probably a photo ID or something as well, else their value proposition isn't very strong.

I'm not sure if that's better for privacy and safety than many services asking for just a phone number (which I can generate a semi-throwaway Google Voice number for).


I agree. I would rather pay them some fee. But they don't seem to want to monetize their service via user fees.


Oh my god, paid Twitter would be amazing.

Well, then again, something awful was a paid forum iirc, and it was still a den of villainy.


But on Something Awful, it was a feature, not a problem.


Seems like it would make a lot of sense for them to offer both options; either would discourage bots, and you'd give people the choice whether to go the free route or the privacy-conscious route


Surely a phone number is no more identifying than a credit card payment in the age of KYC.

And accepting a cryptocurrency would probably have little impact on all the lucrative scams that get spammed around Twitter.


I like it.

I've grown suspicious with many accounts on Twitter. Maybe I can learn to trust more.


Sad but true. At the hosting company I work for, we had to start requiring phone numbers for cloud servers due to a massive wave of abuse. It's one of the few roadblocks that helps at least somewhat.

Previously, we didn't even require a full name. A few idiots always ruin it for everyone.


A few idiots always ruin it for everyone.

Bad attitude. They're not idiots, they're abusers. Ruining it for everyone else is a feature, not a bug, although if they have been using a platform successfully they may be sad about their scope for abuse being curtailed. Also, consider that punishing everyone because of the actions of a few is the overreaction of someone who isn't willing to understand the problem and just wants it to go away.


How would you solve hosting fraud, then?


You seem to ignore that this constrains abusers as much as it does legitimate users. Collective punishment in order to mitigate abuse by a few is the wrong way to go.


Easy to say until you're running a service that's a target of said abuse. Do you have a better solution?

If you do, it'd be quickly adopted because no one likes adding unnecessary friction.


Invest in your content moderators and in tools to track and trace them. Very few firms seem to have any interest in how or why they are selected by abusers or in the dynamics of the abuse that takes place on their platform. People pointing out abuse are usually treated as an annoyance, when in fact they may have considerable knowledge about the bad actors exploiting the service.

A very low-cost approach suitable for a small firm would be that if someone is abusing your platform, you expose their account history.


What if it's not a content site? But abuse of "free" resources/trials?


Then you can adjust the meaning of my comment to encompass that. I'm not trying to describe all conceivable use cases.


This is, you might say, not just an important problem in society, but the only problem in society.

"Why do I need a driver's license? It's just bureaucracy and a revenue collection scam." Except, when you don't test drivers or provide a mechanism for taking bad drivers off the road, a few bad people spoil it for everyone.

And so on, and so forth. That is not a justification for any one thing like this, but the general principle is that when the bad actors make things toxic enough for the mainstream users, somebody has to step in, or a social platform quickly degrades until it becomes 4Chan, or Gab, or whatever.

Same reasoning behind moderation here on HN.


> "Why do I need a driver's license? It's just bureaucracy and a revenue collection scam." Except, when you don't test drivers or provide a mechanism for taking bad drivers off the road, a few bad people spoil it for everyone.

This is an atrocious analogy. The reason we require licenses for motor vehicles is that they are very dangerous pieces of machinery that can easily do fatal damage to car occupants and pedestrians, as well as property damage. Likening such a domain with that of communication and speech (what we're discussing here) is ridiculous.


Think through this analogy a little more thoroughly. Freedom of speech is an important issue precisely because it’s dangerous. Speech can ignite revolutions against unjust tyrants, and speech can also mobilize hate and terrorism.

Speech is not without consequence to society. If it was not dangerous to the lives and property of others, it wouldn’t matter so much.

I think the argument that speech is less dangerous than the right to drive a car is naïve and uninformed by both history and what we see in plain sight.

I mean seriously, can you look at white supremacist terrorisms radicalized online and tell me that speech has no consequences?

Of course it has consequences. If speech didn’t have consequences, it wouldn’t be worth defending.

———

But even if you refuse to accept that speech is dangerous, you must accept that it has consequences, that it can affect the experience of other people.

If it didn’t, there wouldn’t be a need to moderate speech on this very platform. Everyone could post anything they like. It would be more like... Maybe the right to park your car on a busy street during rush hour.

Nobody will slam into your car, but it will certainly affect their use of a common resource.

Unrestricted use of a common resource leads to a tragedy of the commons, and nobody ends up enjoying it except the vermin, who reduce each other’s enjoyment to the barest minimum.


There are two ways of dealing with the issue. You can default-deny, like only allowing people to drive after a test, or you can default-allow, like just like anything else.

We usually use default-deny only where the severity of bad behavior is very high. That's because it has a high cost for both most people and the test-issuers, and it has a very high cost to the few people caught as false positives. It is a very damaging mode for society. We are also migrating into only using default-deny on the internet, even on consequence-less contexts, and the previous paragraph still applies.

We may get a better world if we take some of the privacy away from the network level, we may even get to keep more of it overall.


Well, it works, and it's a minor annoyance at most for our legitimate customers.

Abusers, on the other hand, have to burn a phone number on each account that gets locked.


I think you don't get it. It's not about annoyance. It's about the complete unreliability of any online service today. All and every customers show (and should rightfully show if they don't yet) complete distrust for a good reason.

You are asking my phone number today and next day I will find it out in the open because of your and others' businesses don't give a .... when it comes to security.

And don't tell me that's only a minority or the exception. Because that's just simply not true.

500px, Quora, Facebook, Twitter, Equifax among others all have been hacked at one point or have been exposed as unreliable and untrustworthy. It's just simply not a logical proposition to trust any online platform with private and/or sensitive data.


We do care about security and hash the phone numbers after sending the verification SMS (we only need to determine whether a given phone number is associated with a locked account - a hash is good enough for that).

Our problem is that criminals open hundreds of accounts with fake data and stolen credit card data, abuse our services until we get abuse complaints or detect it and lock them, then repeat that. This leads to legitimate customers suffering from bad IP reputation and is expensive to clean up.

Requiring phone numbers and blacklisting known throwaway providers has been extremely effectively in preventing this, without generating complaints from our legitimate customers. We don't want to use browser fingerprinting or other intrusive mechanisms for detecting sybil registrations.

What else do you suggest we do?


I assume by "propaganda" what you mean is "deplatforming".

Much easier to keep people who emit thoughtcrime off of your platform if they have to keep getting new mobile numbers each time they are banned.


Or, you know… propaganda.


When the NYT is cheer-leading for the next foreign war, will they get kicked off Twitter to? I sincerely doubt it.

America's newspaper of record has a track record of being wrong during the onset of wars, parroting whatever Washington tells them is true, then eating crow much later and apologizing for. The most recent case was the aid truck fire in Venezuela, which it took them weeks to correct. You've also got WMDs in Iraq that never existed, and their parroting of the Nayirah testimony in 1990, only to admit two years later it was fraudulent.


or you know, algorithmically prevent their posts from showing up in front of people


Does Twitter have a right to police their platform or not?


Companies shouldn't be regulated at all ever except when it comes to letting racists spout hate. Then they should be regulated into requiring that. Plus harassment and other bad behaviours.


Racist hate is still legal speech.


You'd have to agree that the people affected most by this change will be bot networks (Russian IRA, etc).

I doubt their goal is to keep "right wingers" they ban off there platform.


True, requiring phone number are to prevent sybil attacks and are for accountability.


Phone numbers are extremely easy to obtain. This won't achieve anything in the long run.


Can I have 100 phone numbers for free? I don't believe it is so easy.


The same way we have the robocall situation (thanks to shady telcos that turn a blind eye), the same way this system will be bypassed with similar telcos offering massive blocks of numbers at very cheap prices per unit (Twilio numbers seem expensive at small scale, but I guarantee you will get those prices down if you commit to getting like a thousand of those or so at once).


What you're saying is, this has increased the cost of creating a Twitter spam account from practically zero cents to... what, 50 cents an number? A few dollars per number?

That's a huge leap, and it sounds like requiring a phone number is a great way to increase the cost of spamming.


Especially considering your average user already has a phone number and its basically free to verify. It only has a cost for spammers.


It has a non-negligible privacy cost.


Which is almost funny, because phone numbers have been so devalued by marketers.


spam and propaganda

When they tell you it's not about the money... it's about the money.

When they tell you they want your phone number for anything other than making more money... it's about the money.

Edit: -4, huh? Really? Have people forgotten what Facebook just did? https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your...


???

Of course it's about the money.

I'm not the CFO at Twitter or anything, but even I can see that spam and propaganda cost those guys a lot of money. The number of advertisers who stop paying Twitter because of spam will be orders of magnitude larger than the number of advertisers who stop using Twitter because of phone numbers.


I think you know what I mean.


Maybe I don't? Because that's what I thought you meant.

I thought you meant Twitter is trying to put the squeeze on the spammers and propaganda ministers because they will lose advertisers if they can't?

Did you mean something else?


Did you read the link to the EFF page I added to the post? Why should Twitter be considered any more trustworthy than Facebook when they ask me for something they don't need to know?

They can avoid being victimized by spam and propaganda some other way... preferably some other way that I couldn't trivially defeat by giving them the number of a throwaway SIM card or a public phone booth.


How else would you suggest they combat spam? How do you receive a verification SMS on a public phone booth?

Most actual humans have a phone number, and Twitter wants a semi-1:1 mapping between human and Twitter account. Spammers have hundreds. This seems like a reasonable way to greatly increase the cost of making accounts for spammers.


How else would you suggest they combat spam?

Disable the account temporarily when some (small) number of other users flags its posts as spam. If a user is discovered to be filing false spam reports, disable that account. Accounts without a history of posting legitimate tweets should be rate-limited in both their posting and reporting privileges.

Externalizing the costs of fighting spam and "propaganda" (whatever that is) by demanding irrelevant personal information from all users is not the answer... at least, it's not the answer to those particular questions. It's better to empower users to build the trust necessary to solve the problem themselves.


>Disable the account temporarily when some (small) number of other users flags its posts as spam...

I'm not sure you're really hearing us.

The advertisers don't want their ads connected to spam or propaganda posts AT ALL. If Twitter actually shows the post, and then has ads along side it, it's too late. I mean it's great that someone bothers to flag that post as spam, but the advertiser's Twitter firehose processor is going to detect that pairing. Under your proposed regime the advertiser would be constantly detecting violations by spam users who were not being punished by Twitter. Under Twitter's proposed regime, the advertiser would report the first violation and the user, and his/her posts, would be gone. On top of that, there would be far fewer occurrences of such matches in the firehose data in the first place because accounts would be more difficult to create. Now add to all that the fact that the spammer would have to get a new burner phone to create a new account. That cost, coupled with the fact that each account could only pull off limited spamming means less profit for the spammer.

Put another way, the ROI of each new account tends toward zero under Twitter's model. Under your model, the ROI is bounded only by chance. That chance being the chance that enough people bother to mark the post as spam. Here's the thing though, what if they don't? What if the first Twitter hears about the spam is from the advertiser? Being in that situation is what Twitter is trying to keep to a minimum. That is the nightmare scenario that they live in today. Today they are in that situation several hundred times per week. Those are uncomfortable calls. (Probably hundreds per day by now? I haven't checked in a while.) With their new system, over time, I could see that going to ten to a hundred a week. (Maybe even lower if you add automated firehose processing for advertisers on the backend.)

They say "The customer is always right." Well, for Twitter, the customer is the advertiser.


The advertisers don't want their ads connected to spam or propaganda posts AT ALL

Then they will need to get used to disappointment, just like the rest of us. What they're asking for -- and what Twitter is promising -- is not reasonably achievable without fundamentally changing the nature of the service.

Today they are in that situation several hundred times per week.

TWTR has a $25 billion market cap, which they achieved with their current terms of service. I'm sure I have a violin small enough to play for them around here somewhere, but my scanning electron microscope is in the shop.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: