
What happened: Twitter asks users on sign up to scan their contacts (read: steal and upload them). If you say no, twitter asks again and again every day / every login until you finally allow it to. Twitter builds a huge and unnecessary db of users and phone numbers, as well as non-users IDs tied to phone numbers. Someone uses an API to steal this info that in most cases twitter only collected by tricking their users / forcing it.

Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.




A trick I found to stop this nonsense is, at least on iOS, answer yes to the Application's custom dialog to ask permission. This will then invoke the iOS security dialog where you can click "No" and never be asked again.

Generally what I see happening is apps will ask the user if it's okay, and only when the user says yes will they execute the necessary system call to request access. In iOS at least, if a user clicks No the app can never prompt for that permission ever again. Until the app makes this formal request to the operating system, it does not show up under privacy (as the app had never asked for it in the first place).
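The behaviour described in this comment maps directly onto the Contacts framework. The following is an added illustration, not code from the thread or from any app discussed in it; `presentPrePrompt` is an assumed helper standing in for an app's own custom dialog.

```swift
import Contacts

// Added example: why the "say yes to the app's dialog, then No to the iOS
// dialog" trick works. The system prompt only appears while the status is
// .notDetermined; after one "Don't Allow" it is .denied for good and the
// app cannot trigger it again (only Settings > Privacy > Contacts can).
final class ContactsAccessCoordinator {
    private let store = CNContactStore()

    /// - presentPrePrompt: the app's own (non-system) dialog; assumed helper.
    /// - completion: receives the authorization status after the flow ends.
    func requestIfNeeded(presentPrePrompt: (@escaping (Bool) -> Void) -> Void,
                         completion: @escaping (CNAuthorizationStatus) -> Void) {
        switch CNContactStore.authorizationStatus(for: .contacts) {
        case .notDetermined:
            // Nothing has been asked of the OS yet, so the app does not appear
            // under Settings > Privacy > Contacts and may nag again tomorrow.
            presentPrePrompt { userAgreed in
                guard userAgreed else {
                    // "No" on the fake dialog settles nothing with the OS.
                    completion(.notDetermined)
                    return
                }
                // Real system dialog. Its explanatory text is the
                // NSContactsUsageDescription string from Info.plist, which is
                // mandatory; without it the process is terminated on this call.
                self.store.requestAccess(for: .contacts) { _, _ in
                    completion(CNContactStore.authorizationStatus(for: .contacts))
                }
            }
        case .denied, .restricted:
            // Settled by the user or by a profile: requestAccess would return
            // false immediately without showing any dialog.
            completion(CNContactStore.authorizationStatus(for: .contacts))
        case .authorized:
            completion(.authorized)
        @unknown default:
            // Newer statuses (e.g. limited access on recent iOS releases).
            completion(CNContactStore.authorizationStatus(for: .contacts))
        }
    }
}
```

The point for the user is the `.notDetermined` branch: as long as the app only ever shows its own dialog, the OS has no record of a decision, which is exactly the loophole the trick closes.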


Your friends/family probably won’t do this, so your phone number is going to be shared with Twitter anyways.


Well then the obvious solution is to start treating phone numbers as you would an email address - effectively public.

I would love a version of privacy.com for phone numbers..


Start? It wasn't that long ago that the phone company published a book with near everyone's phone number in it.


There was no book with everyone's phone number in it. There were many books that covered small regions. If you lived in Oshkosh Wisconsin and wanted the number for someone in Kansas City, or even Madison Wisconsin it wasn't that easy to get that book. Maybe your library had it. Phone numbers on paper aren't that useful. You can't robodial a paper phone book without hiring actual people. But no matter what you couldn't get millions of phone numbers while sitting on your couch, and if you could they would be useless because they were all on paper.


The books were hard to get, but directory assistance did exist if you called the operator.


I'll bet there are quite a few people on HN that have never dialed 411 or 1-<area-code>-555-1212.


None of that let you treat your phone number as anything other than public.


I mean we realize this thread of argument has nothing to do with the point right?

A cell phone number does not equal your kitchen phone in terms of access to information. The whole thing is moot. The issue now is that this is my personal phone number, me, personally, and is being used as a piece of validating information in a variety of compromised databases.


This just isn’t true. Ever heard of the Haines Directory?

I used it at a summer job in the late 80’s. You could order reverse lookup books for anywhere you wanted, and of course could get that data electronically too. You could also call information for anywhere you could think of by dialing the area code plus 555-1212.


Never heard of it, but how much did it cost? How much did the reverse lookups cost? And even if you could get it electronically there was no practical way to do much with them.

With the twitter leak millions of phone numbers/names are available for free instantly, and the technology to do some harm with them is readily available.


In my country it is voluntary to be listed in such a phonebook, whereas with already a small number of friends the chances approach 100% that at least one of them has my contact info stolen by Twitter, FB, WA, etc. If I don't like this I would have to stop giving out numbers and not be reachable by sms/call.


I have a friend of mine who flat out refuses to give email address or any contact info of the people I meet at his house. It has been a bit annoying one time or two.

Phone numbers used to be really public. As in "Someone has collected your phone number, your address and family name and put it in this huge book they update every year. And they drop a copy of this book on everybody's porch.".


This is completely correct behaviour if you ask me. So you met me at someone's house, so what, it gives you the right to contact me?

You could always ask your friend to relay a message right?


I have been seeing these people at his house on numerous occasions; we are on a first name basis and open jokes.

It's not like I had glimpsed someone's shoulders and wanted to cold call them to pitch them my startup idea of the week or creepily ask for a date (I remember it was to follow through with a conversation about DIY hydroponics with one and coffee brewing with another). Friend got tired of relaying messages at some point :). We rarely got to the point of giving out contact information in the moment though (that was the flow of those meetings and I think it's not a cultural thing to exchange business cards in such settings in my country). Also, we are not the kind of people to hang out on facebook, so discovery is weak.

Totally agree it is correct behaviour with strangers though.

And it was only a minor annoyance at some point so well... no biggie. (Except that time he divorced and he wouldn't give me his ex-wife's number so I could get back some DVD she had borrowed)

edit: also, I wouldn't ask for contact info if I wasn't confident that it was okay for the person to get a call from me and I am confident that my friend knows I won't mess up things by being inappropriate.


I see where you are coming from. I just meant as a general rule it is better to not give out people’s information.

The message your friend could have relayed could have been “hey is it ok if I get your contact info?”.

What your friend isn’t getting right is that maybe you and his friends DO want to contact each other. He is deciding for both parties that they don’t. He could adjust his behaviour on that front a bit.


Why not just ask the people directly for their contact information? Or vice versa ask your friend to ask them if it's okay to hand out your contact information?

I've had several friends ask if it's okay to give out my contact information to third parties who were interested in acquiring this information to continue conversations through more private channels.

But there was always an element of consent involved on my part.


> I have a friend of mine who flat out refuses to give email address or any contact info of the people I meet at his house.

Is there a reason you do not ask those people for their contact information directly?


> Well then the obvious solution is to start treating phone numbers as you would an email address - effectively public.

> I would love a version of privacy.com for phone numbers..

I've used google voice and twilio for something similar, though nowhere near as plug and play as a privacy.com-like solution.


I wish there was an easy way to effectively only allow white listed callers to call you directly (and the rest of the calls to go to voice mail). That's what I do with my email at least.


You might find this interesting: https://phoneprivacy.co/


I get nuisance phone calls all the time, it is a lot more disruptive than nuisance emails.


Unless you have no Twitter account.


That doesn't matter.

As long as one of your friends or relatives has and accepts to upload their contact list (with your number included).


Note this trick is also generalizable to apps/websites asking for notification permissions.


Ideally, iOS would have an option to say "always deny Contacts access and never bring up a dialog again".

I don't share my contacts with any app, and I hate being asked again and again for every single new app. No means no.


Actually for most things in iOS, once the system dialog has been brought up, the operating system won't allow it to be brought up again. It won't stop the application in question from nagging you, but at least then even if you click "allow" on the application pop-up the system will still require you to go into the app permissions and explicitly allow it.


That's exactly what iOS does, the app is making a fake system popup to ask multiple times and only brings you the real system popup if you agreed to the first one.


Why does Apple allow that for App Store apps? That's obvious circumvention of iOS's privacy control regime.


My post below is wrong, please move along. Keeping as-is, so the replies make sense. Thanks repliers!

The native prompts don't allow for app specific explanatory text to be presented. I haven't reviewed iOS guidelines, but Google provides guidance to inform users of why you're asking for permissions before you do it, and I would guess Apple would suggest the same as well. Pestering people for access once a day is probably not within the scope of the guidelines though.


> The native prompts don't allow for app specific explanatory text to be presented

Not true. iOS apps can specify explanatory text to be included in the native prompt. In fact they are required to do this, since at least two years ago.

The NSContactsUsageDescription string (in the Info.plist file) is the place to specify this.

https://developer.apple.com/library/archive/documentation/Ge...


Incorrect, iOS does allow explanatory text on the system prompt, in fact it’s required.

There is no good reason for Apple to allow apps to mask permission requests with their own dialogs, it’s just a case of not bothering to fix this loophole.


Why do people keep saying clearly wrong stuff. You sound like you know what you are talking about, but are 100% wrong.


I've had apps ask me to go to system settings myself to enable some permissions because I've disabled it via the said OS prompt.


Similar to being asked "do you like this app?" If you say "Yes", you are directed to rate it, if "No", you are not.


this worked for me also.


>Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.

Given the ramifications of leaking the name with phone number of people who didn't agree to anything directly with Twitter and just had their contact details trawled by any of their friends signing up. Not good, as with that, hijacking phone numbers has been done many ways and times; even the CEO of Twitter had that stunt pulled upon him. What with 2FA for many being a text message sent to your phone number. The ramifications of this could be bigger than they first appear, and remember, they only found this; how long has this been open to such abuse? So anybody who had their phone number hijacked in X period of time, this `might` be a possible explanation in some of those instances.

Legally - no idea how this will pan out, but it certainly won't be the last we read about this.


> What with 2FA for many being a text message sent to your phone number

We should also sue companies who continue to use SMS as part of their 2FA system and/or for account recovery.


You can also match phone numbers and Instagram accounts


Apple could nip this in the bud: don’t allow apps to read a full contact list at all. Use a contact picker when needed.


This certainly would break plenty of valid use cases for a feature like this. More likely they ought to have policy in their developer docs to scope reasonable uses of the full contact list and start rejecting updates for applications that violate the new rule.


What's a valid use case for being able to read all contacts vs asking the user for a specific contact selection and choosing to approve sharing it?


Any application whose primary concern is something with contact lists. Maybe it offers a special view into it. Maybe special searches. Maybe a better management interface.


An alternate phone or texting app


I can't imagine it would be difficult to implement a "Select All Contacts" functionality, in addition to selecting individual contacts and/or selecting all then deselecting some. Automatically allowing access to future contacts also shouldn't be difficult. There is no need for apps to always have access to all contacts.


I’m not sure how that would be functionally different than the current situation. Instead, simply regulating how contacts are allowed to be used would remove the need to build a logically complex system, and since Apple already reviews every app submission it would just be one more thing for a reviewer to check.


How will apps like Whatsapp work then?


I don't give WhatsApp access to my contacts. Few enough people in my life use it, and they all have different profile pictures.

I find it very weird to find, for example, my boss, or certain specific coworkers, on any social app. I don't want them to be able to find me either. This design decision of giving apps your entire contacts book by default has to die, and individual users need more choice instead.


Whatsapp has 1.5B MAU. I don't think people are interested in adding each and everyone manually. I want to know how that would work for the majority of those people and not you personally.


> I don't think people are interested in adding each and everyone manually.

If they are interested, then they'll find a way.


That's great for you, but whatsapp is the de facto standard messaging app in a lot of countries. Memorizing a hundred numbers, or profile pictures (assuming that everyone has one) is just not feasible.

An app (such as whatsapp) getting access to all contacts is a valid use case, even though it doesn't apply to you.


And sadly for him, it doesn't matter anyway, presumably most if not all his friends already uploaded their address books, so WhatsApp already knows his real name and phone number and network of friends...


No. When you want to chat with a new person, WA just needs the contact of that single person.


I use WhatsApp without allowing them access to my contacts. I have to just add people's numbers manually and I have to memorize who is who based on # and profile picture (thankfully the people I talk to with WhatsApp all have different area codes).

I don't use Facebook nor Instagram, and I only use WhatsApp for 3 Android users, the rest of the people I talk to I use iMessage.


> I use WhatsApp without allowing them access to my contacts.

That appears to be impossible for WhatsApp on Android. Someone wanted me to install it a bit ago, I refused to give it access to my contacts and it refused to do anything else until I did.

So I deleted it and we used Signal instead.


It is possible on Android, but if you do, you can't initiate any conversation - the remote party has to speak first.


We did try that and it supposedly claimed to the other party that I didn't have the app installed. Not that that would have been a scalable solution anyway, since then no pair of people could use it unless one of them gave it all their contacts.

Meanwhile the option remains available to use a different app that doesn't behave that way.


So why should iMessage get all of your contacts by default?


I made the choice for Apple to have my contacts by buying an iPhone. If I didn't want Apple to have my contacts (as I do not want Google or Facebook to have mine) I would have not bought an iPhone.


Personally, I made the choice for Apple NOT to have my contacts (by entirely disabling iCloud). The only company I accept handling my contacts is the one I paid (Fastmail).


Apple doesn’t get all your contacts.

Your local Apple device has a messaging app (iMessage) that can see all the contacts on it.

iCloud puts contacts on Apple servers.


Yes, you sound like a very typical whatsapp user, I can see how whatsapp could work fine without contacts access, since most users are like you. 3 total contacts, all with different area codes -- very typical, I don't know why whatsapp even asks for contact access, probably something nefarious.


> If you say no, twitter asks again and again every day / every login until you finally allow it to.

Any proof of this claim? I use Twitter on Android and web frequently and I only refused such a request once or twice.

Bottom line, it doesn't "ask again and again every day".


Consider yourself lucky, any account I create without a phone is immediately flagged/blocked and if I do use mine (personal), I get asked to add permissions like the parent said every single time.


An account associated with a phone number is totally different from "scan your contacts".


I've been using Twitter daily pretty much continuously since 2008 and I don't remember ever being prompted to upload contacts. I can believe it has happened at some point, but it certainly doesn't repeatedly ask me. I use the web interface and the first-party iOS app (though over the years I have also used various third-party apps on both iOS and macOS).


If you use the web client, they have a header that asks for your phone number repeatedly until you give it.


OP was talking about "Twitter asks to scan your contacts", not to add a phone number.


That's not the only way Twitter uses to collect phone numbers. It can arbitrarily block your account and require you to confirm a phone number to unblock it (under the excuse of "better security"). How disclosing your phone number makes you safer, I don't understand.

Now those collected and leaked phone numbers will be available not only to Twitter and US government but to anyone wishing to buy them from hackers.


>Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.

If you made some agreement as to how your friend could use your phone number and 'sharing with Twitter' is a violation then you could sue them I suppose. Annoying as this data collection is, labeling information about you as only yours is incorrect; it's your friend's and Twitter's (and Google/FB/AMZ/etc.) information too.


Twitter should be seen as an asylum if you ask me. But yes, if they leaked numbers from third parties not involved in Twitter at all, there should be severe legal consequences.

But I doubt there is much incentive to even create a legislative basis for such transgressions. Complicated topic to be fair, but we will only see improvements if there are severe penalties for "losing" data. Since no system is safe, the only alternative left is not to collect info you do not need.


It's for this reason that I use PWAs wherever possible. Right now I'm using it for Twitter and Uber. Tired of turning off permissions and then having to do it again when apps auto-update and restore the original permissions.


> Twitter asks users on sign up to scan their contacts

To be clear, this applies to the Twitter app for iOS and Android, correct?

I exclusively use the Twitter web interface (even on my Android phone) and I have never been asked this.


I just quit when they finally said I had to to log in.


In some countries (including mine), all sim cards/phone numbers are registered to an individual, so this is a pretty big deal.


Twitter has never asked to access my contacts before. Where are you seeing this?


I think they’re selecting a target demographic to do this, because for e.g. Japanese it means having a Twitter account associated with their real names means they’ll be laughed at by everyone close to (maybe 25% literal) death. Same for follow suggestions based on IP.


Yes, totally. Thieving from a thief logic applies here.


Quick & dirty fix: never use built-in/default apps for storing contacts list on your devices.



