Twitter starts to require login to view tweets (reddit.com)
912 points by oenetan 63 days ago | 619 comments

Managements always work toward managing towards what they can measure. I’m sure that daily signups are a metric that they track, hence they’ll prioritize signups even at the cost of user frustration and love, something that’s less tangible.

This is the kind of thing that kept me off Quora forever. It’s a great resource but I don’t feel like logging in 100% of the time. So now I just ignore all of their links.

Also Twitter had changed their policy regarding API keys. You no longer just "get" them. You need to apply. I was rejected for getting a key to export my own tweets.

Of course, this means everyone is using web scrapers for what API keys were used for before, because you can use the public internal API.

I prefer to just steal keys by reverse engineering mobile apps. So easy to get keys for just about anything and charge someone else for it that way.

Excellent replies to everyone in this thread. You're spot on.

Just out of curiosity, is there a marketplace for private APIs? I'd love if you could elaborate on the "charge someone else for it" part.

I know of RapidAPI by Rakuten; it operates as an API marketplace like this.

Interesting. As someone who hasn't done any mobile dev at all, is there a way to prevent something like this from happening? Can't you somehow encrypt such secrets in the app?

You can try, but you won't succeed against a dedicated reverse engineer, simply dropping a hook in on the API calls would be enough to grab the decrypted key in a case like that, if not simply statically reading the encryption keys and decrypting it. That's not to say it's useless - some reversers will simply move on to the next app when there's a list of dozens.

You can also send requests via your own server, which would allow you more control over the requests that get sent out to your 3rd party APIs and just restrict tokens as much as possible to the minimal set of features necessary for your application.

What about secure key import on Android? It's still not that widely available, but should be everywhere in a few years. The idea is:

- a keypair is generated in secure hardware

- you send the public key to a server which encrypts the secret key with it

- the server sends the encrypted key back

- then it goes inside the secure hardware where it gets decrypted

The decrypted secret key is never in the userspace.

Mobile developers can implement certificate pinning to prevent man in the middle snooping. Twitter's app does this.

That achieves nothing against someone who uses something like apktool/baksmali to do static RE, let alone inject something like Frida to perform dynamic RE. There are even Xposed modules designed to just bypass certificate pinning.

Certificate pinning is a good security measure, but not a counter-RE one.

Certificate pinning is neither a good security measure nor a good obfuscation one.

I hope you did not just assume that general purpose computing and device ownership can be subverted by mere certificate pinning.

If it's executing on my device, you can be sure I can poke it and see what it's doing.

Frontend is in the hand of enemy. There is no secret on the client side.

You could proxy requests over a server you control. This might just shift your problem, depending on the use case.

Rate-limiting works really well in most cases, though CGNAT makes that a horror nowadays too.
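The server-side proxy suggested in the comments above, together with the rate-limiting point, as an added example that is not part of the original thread: the upstream API key stays on the server, only allow-listed routes are relayed, and limits are keyed on a server-issued session rather than the source IP, so clients behind one CGNAT address do not share a budget. All route names, key values and function names are hypothetical, and how an app install first obtains its session (login, attestation) is assumed to happen elsewhere.

```python
import hashlib
import hmac
import time

# Hypothetical names; all values are constructed for this example.
UPSTREAM_API_KEY = "example-upstream-key"      # lives only on the server
SESSION_SIGNING_KEY = b"example-signing-key"   # server-side secret for sessions
SESSION_TTL = 900                              # seconds a session stays valid

# Least privilege: relay only the upstream calls the app actually needs.
ALLOWED_ROUTES = {("GET", "/v1/timeline"), ("GET", "/v1/profile")}

RATE_CAPACITY = 5      # burst size per client session
RATE_REFILL = 1.0      # tokens added back per second
_buckets = {}          # client_id -> (tokens_left, last_seen_timestamp)


def _mac(client_id, expiry):
    msg = f"{client_id}.{expiry}".encode()
    return hmac.new(SESSION_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(client_id, now):
    """Return a short-lived token 'client_id.expiry.mac' for one app install."""
    expiry = int(now) + SESSION_TTL
    return f"{client_id}.{expiry}.{_mac(client_id, expiry)}"


def verify_session(token, now):
    """Return the client_id if the token is authentic and unexpired, else None."""
    try:
        client_id, expiry, mac = token.rsplit(".", 2)
        expiry_int = int(expiry)
    except ValueError:
        return None
    expected = _mac(client_id, expiry)
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if expiry_int < now:
        return None
    return client_id


def allow(client_id, now):
    """Token bucket keyed on the session's client_id, not on the source IP."""
    tokens, last = _buckets.get(client_id, (RATE_CAPACITY, now))
    tokens = min(RATE_CAPACITY, tokens + (now - last) * RATE_REFILL)
    if tokens < 1:
        _buckets[client_id] = (tokens, now)
        return False
    _buckets[client_id] = (tokens - 1, now)
    return True


def handle(method, path, session_token, now):
    """Decide what to do with one request from the app.

    Returns (status, upstream_request). upstream_request describes the call
    the server would make to the third-party API, or is None when refused.
    The client only ever sees the status and the relayed response body,
    never the Authorization header built here.
    """
    client_id = verify_session(session_token, now)
    if client_id is None:
        return 401, None
    if (method, path) not in ALLOWED_ROUTES:
        return 403, None
    if not allow(client_id, now):
        return 429, None
    upstream = {
        "method": method,
        "path": path,
        "headers": {"Authorization": f"Bearer {UPSTREAM_API_KEY}"},
    }
    return 200, upstream


if __name__ == "__main__":
    now = time.time()
    token = issue_session("install-1234", now)
    print(handle("GET", "/v1/timeline", token, now)[0])       # relayed
    print(handle("POST", "/v1/admin/export", token, now)[0])  # not allow-listed
```

Anyone can still call the proxy, so the session expiry and per-session budget are what bound abuse; the upstream key itself is never in the app to extract.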

I believe solutions like SafetyNet on Android might help here. AFAIK no one has successfully reversed SafetyNet enough to spoof it.

Please don't legitimize SafetyNet. It is an existential threat to real ownership of your phone as any flavor of Android but that blessed by Google trips SafetyNet. It's the equivalent of barring people from running software on their laptop because they've installed a flavor of Windows that wasn't shipped from the factory. People everywhere have a right to do with their phone what they want to.

I agree with all your points, but what's the reasonable alternative? There is a reason that apps have decided to go with SafetyNet as a requirement. It dramatically reduces abuse.

Unless an API you're looking at requires/supports attestation via SafetyNet or you're willing to proxy via your own server this is likely not an option.

Additionally, while it's true (to my knowledge) that re-implementing a full SafetyNet spoof is not currently publicly available, a combination of Frida and MagiskHide is able to bypass SafetyNet for dynamic RE purposes, just launch the app as normal with MagiskHide enabled then attach to it with Frida as root. If they enforce full hardware attestation this may change in the future, but right now we're good.

But as a developer, I won't put the API key in the client.

How will the client communicate with the API then?

And this is likely because there were a few years of "insert your own API key" third party clients after Twitter limited their max user count.

This from the site that used to indicate on every tweet the client used

Quora ended for me when spun/copy+pasted Google results started to replace answers. For example: I asked for the science behind the EPA's recommendations on UV exposure, and the answers were all word-for-word copies of the first result in Google, which had no detail on the science behind it. Just "avoid going out before x," "wear x SPF sunscreen," but nothing about the basis for the recommendations.

That was years ago. Recently, I went looking for how to un-retweet something from an account that has since blocked me, and every single answer on every instance of someone asking that on Quora is more or less a copy of Twitter's documentation for an ordinary un-retweet. Useless search result pollution.

Quora is such a shit show though - what happened there?

Their algo will just continually blast email you every category you ever clicked on

No idea. I used it a while and enjoyed the content, then they changed something in the algorithm and I'd suddenly get basically the same content every single day, often >30% of the feed would be the exact same as the week before. They also removed the list of topics, so there was no obvious way to escape the near static feed.

Not sure what they wanted to achieve with that change, but I never visited the site again.

It's a real shame. I used to really enjoy my daily Quora digest email. One of the only automated emails I truly dug into and read in detail. Over time I read it less and less. Then switched it to be weekly, then turned it off. I miss the old Quora.

It's because they need to start collecting more first-party data from users who land on their site. This is a result of Apple (and others in the future) blocking third-party cookie tracking.

They are doing this SOLELY because of the need for audience creation, marketing attribution, and ad revenue.

Broadcast radio, television, and print newspapers still exist without these things.

They sure do; however, digital media and social in particular, absolutely rely on significant investment in their audiences, attribution, etc in order to drive more revenue and thus higher CPMs. More traditional media (such as OOH, Print, etc) all rely on very high-level metrics such as daily traffic volumes and lack of direct impact evidence in their attribution of value.

This is why Facebook is SO very against what Apple is doing with iOS14+, particularly with cross-device and cross-app tracking opt-in, because they know it will decimate their ability to do what they do today.

Bingo. They need this for user-level measurement and targeting. Wouldn't be surprised if this also supports part of their audience extension work with twitter audience platform as well.

With Quora you can just add ?share=1 at the end of the url and you can view the content without logging in.

I could imagine they're trying to prioritize things like user retention and ad revenue, both of which can be done better by tracking user behavior. Losing a percentage of their logged out user base could very well be worth it to them in order to increase what helps their business.

Quora's not a great resource anymore. It's just peoples' opinions boosted by an echo chamber.

This is probably the only good content that existed on there before it became a cesspool: http://qsf.cf.quoracdn.net/best_of_quora_2010-2012.pdf

Opening Quora links in a new private tab each time solves the issue for me. But agreed, it sucks.

This is not about measurement. This is about tracking people across third-party websites.

This is about growing users, they are stagnant now and had been for a while just like facebook.

I posted this yesterday:


this is an issue (and I fail to see this mentioned here today) in that public sector agencies use Twitter to disseminate emergency information. With a login wall, this information is not getting out to the people who need it the most.

I mod /r/Twitter and saw about a week ago a number of threads complaining about a new login-wall. This shit is 100% user-hostile, Twitter.

Beyond the Login wall, Public Sector Agencies should not be using Twitter as a Primary communication method, it would be Ok to have the messages Copied there from Official Sources, but there should be Official Sources to obtain the same info, at the same time, updated in the same frequency.

Seriously, how is Twitter better than an RSS feed for this use?

the people in the public sector don't know any better. It's going to take regulation and legislation to force a position into standards-compliance.

I’ve complained to government agencies about using Facebook and not making their posts public. Maddening.

The real culprits here are these public sector agencies. They shouldn't use inaccessible mediums like Twitter as their primary channel of information.

Yes, and no. They use what's available and what gets them in front of the users. IMO I don't see anything wrong with that.

The problem comes if they don't provide any other way to access their information.

I like Debian's approach to this; publish short news on their own site and also automatically republish those items on social networks. Full blog posts get similar treatment.

https://micronews.debian.org/ https://wiki.debian.org/Teams/Publicity/micronews https://wiki.debian.org/Teams/Publicity/otherSN

reply because I can't edit. even HN knows how User Hostile Twitter is:


On top of it, it's not just a matter of creating an account because they get blocked within two minutes until you also give them your phone number, despite the registration pretending it's not required (because once you've signed up, it's easier to trick people into giving up yet more information than asking for it upfront).

Which is not reassuring considering their past abuse of phone numbers provided for allegedly only security reasons. [0]

[0] https://www.eff.org/deeplinks/2019/10/twitter-uninentionally...

It's worse: Twitter staff sold private user PII to the Saudi government (the one that assassinates journalists):


Remind me again, why did we leave IRC?

I don't understand the question. IRC is a real-time chat protocol and twitter is a proprietary micro-blogging website. I don't see how the two are related, other than they are both something to do with the Internet.

You do understand the question, you've just decided to respond in a silly way.

Would you please stop posting flamebait and/or unsubstantive comments to HN?

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and sticking to the rules when posting here, we'd be grateful.

The above commenter is correct, the original question is silly, however much flak they may get as people here love IRC.

Do you genuinely believe (1) IRC is anywhere near as usable as Twitter for the general population, or that (2) a real-time chat is an equivalent offering to Twitter?

I'll add (3) the only reason IRC isn't equally abused is because it's so bad that it can't attract enough people to justify any kind of ad-based (or otherwise) monetization model. IRC is the opposite of being a victim of one's own success.

EDIT: I should note that beyond being more usable than IRC, I have precious little good to say about Twitter.

I'm beginning to seriously believe the general population doesn't deserve services like Twitter and giving it to them was a mistake. When something can be had so easily there is no respect for it. A lack of respect for the technology and a lack of thoughtfulness into its implications have caused a lot of harm. The hope of the internet was that it would increase communication and understanding. But nobody is communicating. They are talking at each other. They should be listening but have just become more self absorbed.

So in a way IRC is better. If for no other reason because it required some personal discipline and will to learn to use and it segmented the internet to prevent these monstrous echo chambers. Humans aren't ready for a global forum. We are still only good at small communities.

If this is your takeaway you’re following toxic people. I have learned a lot and changed my mind on several issues just from Twitter discourse.

Or they clicked on a trending topic on the wrong day.

Or they read an article about one twitter group bashing another twitter group and clicked on one of the tweets.

There's no path from toxic Twitter to constructive Twitter, but there are thousands of paths the other way.

Which can only mean that toxic twitter is where Twitter wants its users, so it seems like you're using twitter wrong in their view.

That would imply that Twitter has total control about such paths; I find it hard to believe.

In general social media is a big negative for people. Just because some of them find it useful doesn't change that.

My point isn't that meaningful conversation is impossible on twitter. It's that the majority isn't and most abuse the gift of an instant global platform. It's tragedy of the commons on an unprecedented scale.

Of course there are worthwhile interactions to be made. But the people making them would have been doing so on the less accessible older internet anyways.

The old internet was filled with hate, racism, sexism, people fighting, hating and swearing. Things are actually better.

The news seems just as negative as social media.

These things existed, but you usually had to go seek them out specifically. You weren't reading a friend's, say, blog, when suddenly a link to some exciting online argument about some nonsense appeared. That does happen on ~all social media. Unfortunately, many news(paper) websites are baiting with "hot" controversial topics now as well.

I see you were not part of the "old internet".

You just need to make an IRC channel that contains everyone in the world.

No, it would be one channel per person. Only you would be able to talk (post) in your channel. People who want to read your posts would join your channel.

Private DMs easily map to one-on-one privmsgs. Public replies and threads won't have an equivalent unless there was some meta-protocol to temporarily allow another person to talk in your channel + duplicate your posts in your channel to theirs + expire that access eventually.

Also subscribing to tags won't work without a similar "copy all messages from one channel to another" relay.

Channels are basically tags, without history for those who join. Anyone can PRIVMSG a channel by default, it is prevented by setting the common +n mode.

My point is that IRC messages need to be duplicated across multiple channels to be the equivalent to how Twitter works.

Well to compare that to Twitter you'd also have to have everyone in the world on Twitter which is overwhelmingly not the case.

That's basically what twitter is.

Make all channels -n and you now have Twitter hashtags, kind of.

IRC is just a protocol... one could potentially implement a client (or website if you wish) which presented IRC comments as a "tweet stream".

Malicious bots are definitely more effective and reliable on Twitter.

It's not a silly response. The thing about IRC is that there's channels, and you chat with people in those channels. The deal with Twitter is you both publish and subscribe to short messages, but there's no enforcement of reciprocity -- I don't have to follow someone just because they follow me. There are replies, but that's not the same thing, and Twitter is starting to give people more tools to restrict replies to their Tweets, making the platform even less reciprocal. Everyone in an IRC channel gets the same experience, everyone on Twitter gets a unique experience.

If my only current understanding of a question is "that's a silly question," then I'm also going to assume first that it's my failure to understand rather than assuming something worse about someone else.

Don't be disingenuous.

We need to revive the ad free, commercial interest free Internet of the 90s. It will be small in size, but so was the internet back then.

Someone should come up with a pub-sub distribute micro blogging service like how emails work.

gemini https://gemini.circumlunar.space/

fediverse: mastodon, pleroma, pixelfed

indieweb: https://indieweb.org/

twtxt: https://indieweb.org/twtxt

scuttlebutt https://scuttlebutt.nz/

hypercore https://hypercore-protocol.org/ (see iris.to for an implementation)


Also, hit up a bulletin board or two: https://www.ipingthereforeiam.com/bbs/?step=name&all=0

On the IM side there's also https://delta.chat/en/

I would add RetroShare to the list.

> We need to revive the ad free, commercial interest free Internet of the 90s. It will be small in size, but so was the internet back then.

It still exists, it’s just harder and harder to find. For example, most of the tech blogs you see on HN are hosted on personal websites with no ads.

> pub-sub distribute micro blogging service like how emails work

It's called NNTP

Usenet died of its own inability to handle scaling issues, ranging from culture and posting conventions to various forms of abuse and criminality.


Attempting to resurrect Usenet at any scale simply won't work. Even with a lessons-learned set of improvements (Usenet II), it went nowhere.

The culture issue alone is a killer.

People say they want the old early-90s internet, but that internet only worked that way because almost nobody outside of universities was on it and nothing on it actually mattered to anybody.


It took me way too long to find the usage numbers (which ironically were within an arm's reach on my bookshelf most of the time), but ~1988 Usenet was under 1 million potential users, and fewer than 150,000 active readers. Even by the mid-1990s, it was under 1 million active participants.

Google+ was considered a failed social network with at least 10--100 million active users (by my own conservative estimates based on sampled profile data, independently verified by a much larger analysis). Facebook has 3 billion MAUs (monthly active users).

Until ~1992 (the Eternal September), Usenet users were largely represented as cohorts of a few hundred to low thousands, each subject to the disciplinary authority of university network administrators. Privileges could be and were revoked. Netadmins had a hardcopy directory in which everyone's number was listed twice (forward and reverse search). They talked to each other.

I'm active on Diaspora (for over a decade) and Mastodon (for about five years now). Both are far smaller than their comparable commercial equivalents (FB and Twitter, respectively). Each already strains under abuse, spam, and propaganda efforts, though Mastodon seems to have a more robust containment toolkit. Much resembles the old Usenet model: individual instance administrators can determine what users (locally or remotely) or instances (remote federation) can interact, and to what extent. It's high-touch, and has issues, but at present scale it mostly works. (Not perfectly, but it's not completely blown up yet either.)

Diaspora ... seems on far shakier grounds. User controls, admin engagement, reporting tools, and the culture of active management are all far weaker. The saving grace is the lack of algorithmic amplification, but bad actors are a distinct presence, if largely walled off into their own small, sad world.

On the google+ 99.99% if offered would gladly take google+ for free. It was a huge success.

Google closed it down because they realize they never needed it. You were rarely providing new information to google because you already had an account and they already were tracking you everywhere. Your posts on other social networking sites google knows about and uses. What sites you visit google knows about.

The only thing google+ gives google is your social graph. But not your friends/family social graph more of your professional social graph. I don't think there was a way to target that info through ads into more profit. They probably leveraged access to facebook's data for ads in exchange for shutting it down.

Google+ literally had billions of registered profiles. Somewhat fewer than 99.99% actively used the site.

I sampled a random selection of ~50,000 profiles to find out how many were actually actively using the site.

9% of all profiles had ever posted anything at all to the site. This is somewhat fewer than 99.99%.

And only 0.016% of all G+ profiles had posted publicly in the first 18 days of 2015, when I performed my sampling.


And again, you're talking to the guy who ran that experiment.

Eric Enge of (then) Stone Temple Consulting independently replicated my analysis using a much larger sample of 500,000 profiles, confirming the results I'd found and providing additional details:


I had absolutely no idea Enge was doing this until he published his results. They're a completely independent validation. Which is how science is supposed to work.

Your other comments about G+ are at best speculation, and largely fail to match my knowledge and understanding of the site and service.

> Your posts on other social networking sites google knows about and uses.


> They probably leveraged access to facebook's data for ads in exchange for shutting it down.


More commonly known as Usenet. (Or maybe google groups, lol)

> Someone should come up with a pub-sub distribute micro blogging service like how emails work.

As well as NNTP (mentioned in a sibling comment), listserves work for that (and don't just work like email, they use email.) And both have been around longer than the web.

Mastodon and diaspora* might fit this description, especially the "small in size" part.

The only way to do this is with blogrolls/linkrolls and other decentralized mechanisms. Making a centralized repo of links like a Yahoo! style web directory is only going to lead to that directory monetizing its gatekeeper status.

I would love that but think adding in any kind of automated service will keep it from being the back-then internet.

There's gemini. Not the web, but maybe has the vibe you're looking for.



How about email?

You don't have to be on twitter. If we can get more people off that platform, then the world has become a better place. I deleted mine years ago. Never felt better.

IRC is just a protocol; it’s not immune to these issues (see the last Freenode debacle).

It is immune, precisely because it's a protocol. Freenode is dead but switching to another network is literally as simple as pointing the client to a different domain name.

So the same as the HTTP protocol (i.e. switching from a website like Twitter to another, similar, website).

Comparing protocols like that is comparing apples to oranges, but I think I see your point.

When people say 'I miss IRC', they don't necessarily mean the technicalities of the protocol though.

It's not apples to oranges, it's directly analogous: both represent federated networks on the internet where users have the freedom to decide which client they want to use and which servers they want to connect to.

They are not analogous. IRC is a chat protocol with semantics suitable for a chat protocol. HTTP is at this point just a transport level thing for whatever you want to send. It doesn't have any significant semantic implications for sites like Twitter.

> HTTP is at this point just a transport level thing for whatever you want to send.

So what? They're analogous not identical. The distinction you point out isn't relevant to the point of the analogy.

You wrote:

> switching to another network is literally as simple as pointing the client to a different domain name.

irc and http are the same in this respect, thus they are analogous.

Most use it through the app protocol which is cross platform.

TIL people use twitter for its "HTTP protocol". Great comparison!

And recreating all existing channels

IRC does not require your phone number to work.

That would be up to the server

you can host your own server and it's so simple it's hardly a problem.

Because IRC hasn't meaningfully improved in about 30 years. There have been attempts to make it friendlier with things like IRCCloud, but then the beards just scoff at the idea of a $5/month bouncer-as-a-service and go right back to wondering why the protocol is dying.

Can't tell if you're being ageist on purpose but "the beards" don't _have_ to use IRCCloud and can just keep using their TUI clients and bouncer daemons if they want instead of having their UX change weekly at the whim of some resume-driven front-end team.

Well, here's one issue: I can tell you what a reply and hashtag is but I'm going to fail the quiz that asks me to define a TUI client. (And don't get the Chrsmistian Fundamentalists hellbent on taking downn Tumblr et al. starter anything involving a "daemon".)

The point was that the stereotypical "beards" in question can continue using their TUI clients, not that someone who doesn't know what a TUI client is should be forced to use one.

I think my point was that the insistence on interface purity is part of what (or emblematic of the ethos that) killed the chance of the protocol reaching mainstream adoption. But I take your point.

Begone print daemon, thou shall not infect mine systems.

This is a crusade I could get behind.

.....what is this comment?

Me being far too confident in Samsung's spellcheck, is what. It's too late to edit but you get the gist: nerd stuff must don user-friendly garb for to not scare the customers. UX.

This sounds like the release candidate of GPT-3 which hasn’t made it.

> Because IRC hasn't meaningfully improved in about 30 years.

I'd way rather have something that doesn't improve for 30 years than something that actively gets worse at a rapid clip.

I'd argue that Twitter hasn't been improved meaningfully in the past decade either, certainly no more than how IRCCloud has 'improved' upon IRC.

What does IRC lack that is an improvement you missed in the last 30 years?

I think the lack of channel history is a big showstopper for many people but personally I think that's a feature. The idea that I should have to dig through slack history and its rambling conversation format to find information pertinent to my work is downright dumb.

Because corporate interests have brainwashed us into thinking that IRC isn't good enough any more

I often hear people suggest that the internet couldn't exist without corporate interests and surveillance capitalism. usually along the lines of "If there were no ads, we wouldn't have any internet at all!"

That's an example of what corporate interests have brainwashed people into thinking. They didn't have to turn us against IRC. Most internet users don't even know it exists.

So, in this fictitious world where IRC is a stable protocol and easy enough for the average layperson to use, who pays for the IRC server bills and how?

> easy enough for the average layperson to use

At one point it was easy enough for the average person to use, because the average person had to deal with a command-line. But tech, in its infinite quest to Make More Money, keeps chasing the dumbest of the dumb so that it can expand its market into an imagined infinity. It kind of reminds me of the windshield repair shop that takes a baseball bat to nearby windshields at night to drive business.

How about we work towards unwinding this whole mess and meet users in the middle??

FOSS and open protocols are criminally undervalued because of greed, and all the fake newbie empathy it generates

Having better things to do with your time than learning an obscure CLI is not the same thing as being dumb.

Really? We almost saw a resurgence with the chatbot craze that recently passed. And frankly command-line is something that GUIs do easily, or have we as a field forgotten that too?

People have such a gap-filled view of the past. I barely had to learn any IRC command-line stuff because of mIRC

I know that GUI IRC clients exist. You’re the one who brought up CLIs.

As for the chatbot craze? It was a craze. A fad.

Completely different communication paradigm.

IRC is an instant-messaging platform, while Twitter is a microblogging platform that was available to anyone in the pre-smartphone era as it was initially tailored for SMS message length.

IRC requires a client (okay, you could use a web gateway), and you somewhat need to know what you're doing (not saying it's hard, but the average user might not even care about accessing IRC if it requires a minimum of effort), while Twitter could be used through a flip-phone or accessed simply through a web browser, which you can assume everyone has.

Plenty of people never left IRC, but Twitter right now is probably a thousand times larger than IRC was at its peak. IRC is a niche community for nerds, not a platform with mainstream appeal. The same is even true for more user friendly, modern services like Mastodon.

99% of users just don't value the things you value in these services.

How do you show programmatic ads to people on IRC?

bots? seems possible if you don't mind those ads being text

Did you? Some of "us" never did.

A combination of we couldn't agree on what character encoding to use, and no one made a good mobile client.

Have you tried Irccloud? It’s good! And it’s available for both Android and iOS.

I didn’t :-p

TBH: These days I prefer other venues though. E.g. HN, Slack and Facebook groups.

> Saudi government (the one that assassinates journalists):

Just like the US does : https://www.theguardian.com/us-news/2020/jun/15/all-lies-how...

Just use a verification service like https://sms4sats.com

What is a 'sats'?

What is the list of services used for?

This needs a lot more explanation built into the site!

> What is a 'sats'?

Techbro lingo for bitcoin's smallest unit, the satoshi.

Techsis use a different one?

Twitter is not listed there for my region. So no, I can't just throw some sats at this problem.

Ah yes, $0.5 per SMS, what a bargain!

it depends how much you value your privacy. People that get their phone number/email leaked and get phished would tell you it's worth more than 50 cents. so it's subjective.

Here is research on how much phone number verification decreases account fraud, a.k.a. spam bots:


Of course, in order to help out the unfortunate website operators, people should willingly give up pii that the same companies have shown they don’t give a damn about protecting. /s

"For your protection."

The most abused and dishonest phrase of the 21st century.

They always add that incorrect “y”.

Also at top of the list: “We care about your privacy” (and not that we are required by law to give you these options that follow)

"We value your privacy" is even better.

That's actually an honest one, since they know exactly what the value is of the PII that they sell to third parties.

"They know the price of everything and the value of nothing."

Right there with "for us to deliver better user experience"

Twitter's users are its advertisers.

Twitter's product is you.

We criticize free services all the time for this, but I think that paying users are monetized all the same. Using American examples, the DMV sells data, internet providers are selling user data, credit card companies are selling user data... so it's not like any other companies don't monetize their users in other ways.

This is true. Paid services also tend to parasitise their legitimate users and maximise revenues.

A key difference is that in the Twitter case, there's no monetary penalty which can be imposed by the host class (that is, the unpaid content contributors).

Much of the "harvest as much data as possible" element is also driven by fundamental power and monopolistic differences.

An important finesse.

uh, 'to protect the children' would like to have a word.

Next to: 'no need to worry about privacy if you've got nothing to hide'.

"For purposes of National Security . . .", a close second.

> The most abused and dishonest phrase of the 21st century.

The T&C equivalent of "your call is very important to us"?

Right before "We are experiencing higher than usual call volumes."

Along with "For your own safety".

"safety" is a term that's been abused since at least 1793: https://en.m.wikipedia.org/wiki/Committee_of_Public_Safety

The translation is inaccurate. It means safety in the same way as the salvation of the soul for Christians, but in a non-religious way, and applied to all of society. Yes, they were both quite grandiose in their wordings and full of themselves.

Safety, as it is commonly used, would better be translated, in French, as "sûreté". "Salut" would be a much, much stronger word.

Although I do see your point.

Well damn, that ruins one of my favourite points.

But I'm still not quite sure what the French word "salut" means. Is there not a simple one-word English translation? What exactly is the remit implied by the name Comité de salut public?

"Salut" in this context translates as "salvation" in the sense of "preservation or deliverance from harm, ruin, or loss".

Exactly. "Committee of Public Salvation". Sounds weird.

So, in this case, considering they considered themselves the defenders of the greatest ideology of all time and the (worthy) people, and were at war with both foreign countries and some of their own people, I’d say it'd mean something like:

"Committee in charge of delivering the country, the Republic (the idea of Republic itself; not just its French incarnation) and freedom / democracy (even though they weren’t quite democratic) from utter ruin and certain doom"

But that’s quite a mouthful.

Wait — you mean "Sanitized for your protection" on glasses at cheap motels isn't true?

I think it stopped being true at the word, "Sanitized".

I mean what do you want them to actually do instead? Like seriously I’ve implemented at a company I worked for and it’s the least invasive thing to actually rate limit people.

Alternatives included:

- pay a small fee but that requires a credit card

- send us government documents which is worse

- mine crypto for a while but it doesn’t stop people who are actually motivated

- send a selfie and then do some face matching, also worse.

Like what other things can we ask for that actually work and aren’t more invasive?

I just want to be able to occasionally read a few tweets with no required login or account. Just the same with Instagram and similar, I just won't use it and I'll forget about it. I guess Twitter is next. No, I've never had a Twitter account. I don't have a Facebook account.

I don't think Twitter cares that you won't use it. They've almost certainly weighed the cost of a tiny portion of people caring vs a massive reduction in bots.

The rule of thumb is that 99% of users are lurkers. Since more and more people are privacy focused and it's clear that forcing lurkers to register is not in their best interest, they obviously miscalculated.

Reddit, Quora and Pinterest all tried it, shot themselves in the foot, lost a huge readership and reversed it or will reverse it.

It's hard to realise how bad it is as only lurkers don't have a sunk cost fallacy and easily quit and their quitting is invisible.

How do you make that kind of calculus though? Presumably Twitter will want to stay around for a very long time. If people like BTCOG take away a negative experience from it then doesn't it seed a future negative opinion of Twitter?

10 years ago when a government banned Twitter it was almost universally seen as bad. That's probably not the case anymore. Will it be worse in the future?

>They've almost certainly weighed the cost of a tiny portion of people caring vs a massive reduction in bots.

I'm sure they have. And I, being used to being in the minority of users, will likely find some 3rd party solution around the problem they created. Win-win outside of me wasting a few minutes installing another extension.

>I mean what do you want them to actually do instead?

Nothing. Hire more moderators maybe. It also looks dishonest to frame it this way when Twitter asks for this PII for "spam protection" and yet still can't ban obvious Fiverr-like spam accounts.

> Like what other things can we ask for that actually work and aren’t more invasive?

Nothing, somehow plenty of websites do fine without even asking for email, including this one. It seems what you really want to say is "What can we ask from you for it not to cost us anything?".

They've already rejected doing nothing, as it doesn't work.

I want Tesla to give me a free car too, but it ain't happening. At some point a company makes decisions you aren't gonna agree with and your only recourse is to not use them. If that means you can't read Twitter, then that's the price you pay. You aren't "owed" a free Twitter account solely on your own personal terms.

> You aren't "owed" a free Twitter account solely on your own personal terms.

It's funny that all those companies are trying to get so big and so central to our lives, to the point many news (including from police precincts or first responders) are only posted on twitter or fb, yet when you point out they shouldn't ask you a phone number to access them it's "they owe you nothing".

But you can’t blame that on Twitter, no matter how much they welcome it and how evil they are. Blame it on unspeakably bad judgement on the part of government employees. Making Twitter the conduit for official communications? I can’t even fathom the mindset.

If they have a monopoly on the public square, arguments could be made...

There should not be a channel for government communications that is only available upon giving money or information to a private party.

(But that's a ship that sailed long before the internet age. "Want to know the laws? Pay up!")

talk to your electeds about regulation then.

Public sector and publicly funded groups should be communicating through standards-based channels. Their content belongs to the digital commons. This exists today, via the ActivityPub and RSS sphere of ecosystems.

... to break them up?

Play nicer as a start.

No one's asking for a free car.

They're asking for a stop to major companies lying to the public. To stop harvesting people's data under false pretenses.

I think citizens can and should demand those things from companies that choose to incorporate in their country. That avail themselves of the legal systems and protections. That take advantage of the workforce present.

Companies are free to choose where they operate and incorporate.

Yet customers love free stuff, as long as they can send cat pictures they don't care.

> You aren't "owed" a free Twitter account solely on your own personal terms.

If we go that route of argumentation: Can Twitter please close shop and go away then? Their value is vastly overestimated: Most people don't want to use Twitter specifically, they are peer pressured into it because it is where everyone is. There are better free and open source alternatives without them trying to steal from me. Twitter burns all that money (do they generate a profit yet?) to stay on top, just so that nobody else can.

To stay with your analogy: Tesla rolled up and pushed every other car manufacturer out, now they are giving a somewhat free car and in return they want you to do everything they say, and the keys to your house "just in case".

We don't owe Twitter anything.

>You aren't "owed" a free Twitter account

no you see, that's the problem. I don't WANT a twitter account, but I apparently need to use the site to view local updates in my town.

I'm perfectly happy continuing to not post there. I just don't see the benefit in making me find an extension around this annoyance so I can continue to not have a twitter account.

Obvious to a human manually looking at the account isn't obvious to a computer system that has to pick them out of a huge dataset. You will never be able to ban Fiverr type accounts for the same reason residential VPNs work well. You're paying someone who has a clean record and will send all the right signals.

HN works because it's niche. It can be moderated by a handful of people. Once you cross the "can't be moderated by humans" threshold of size you're solving a completely different problem.

I won't knock you for saying "well then you shouldn't exist at that scale" but that's a non-answer for the real world where giving up PII in exchange for participating in a huge social network is a trade enough people are willing to make that you feel pressure to do it in order to get in.

> someone who has a clean record

It doesn't follow to me, those people open thousands of accounts for those scams, how are they clean? They are not sophisticated, they don't even use them like real humans and it's literally for $5!

> "can't be moderated by humans" threshold

Is it a threshold or simply a cost center that starts to be big and needs to be slashed in order to please shareholders?

To me it's perfectly possible to be big and have moderators, you just can't have it cheaply.

Twitter is stopping viewing, which isn't a fraud / abuse issue at low rates.

In the case of posting, rate limiting / scoring w/o a phone number without explicitly banning until you build more reputation works pretty well from what I can see, and most legit twitter users, especially new ones, don't post a lot and mostly read anyway.

And in twitter's case, I think paying a small amount of crypto would actually be something the CEO is interested in this case for the private types who won't / can't get a phone number. Some of twitter's best accounts are anonymous and the CEO is into crypto. Add a monero payment option for those small amounts who aren't fraudulent and are private people and you will probably get rid of a lot of complaints.

Personally I'm a fan of the fee idea. You can quickly outstrip the yearly revenue per user with even a small fee, and the fee payment could e.g. happen via PayPal which doesn't require credit cards, to give one example. The issue with fees though is that you might need a billable address for tax purposes which renders this entire exercise pointless.

> The issue with fees though is that you might need a billable address for tax purposes.

Maybe there is room for some simple innovation here. Is it possible to do “coarse” address for tax purposes? After all I imagine they only care about which tax jurisdiction such as county / parish or something like that?

I don’t understand that in this context.

Let’s say you pay a fee for being able to view tweets without logging in. How will they know it’s you who’s trying to view a tweet if you don’t effectively log in?

MetaFilter's been doing this for decades and it seems to be working well for them

Sure, instead of a phone number you can:

* Give us your Credit Card information

* Give us a picture of your real life self

Neither of these are solutions to the privacy and compromise potential problem that is the 'phone number or else' requirement. It's objectively worse, so that you go "oh, guess you can have my phone number instead".

I want to go further here.

- Combat spam.

- Be large.

- Allow (pseudo-)anonymous accounts.

A social network can only pick two.

> A social network can only pick two.

Reddit has all three (no need for email even), they might not be perfect but I can't remember any time I saw "viagra links" or other obvious spam. They have problems with accounts obviously, but you can't frame it as a spam problem.

I see a lot of spam on Reddit.

That does nothing to speak of “auto moderator”, fragmented rules/guidelines and ilk and the sheer effort involved by volunteers.

Even then: the spam gets through. But I agree that PII is not solving this.

>I see a lot of spam on Reddit.

Where? I've seen a couple of ghost subreddits with spam, but then you see the same with ghost fb groups, weird twitter profiles, youtube, etc. On even moderately sized subs I've seen any that wasn't removed quickly by the mods.

People can say mods are too expensive for fb and twitter, but there is the dishonesty, instead of paying mods they pass on that cost to us with our pii while pretending it's free.

uptimeporn, for a very specific example from today. I won't link it because the spam is NSFW and probably removed by now, but I saw it, so moderation effort is obviously not effective.

Okay, I'll bite.

How does allowing people to read (but not post) without logging in produce "spam"?

There are some attempts to make proof-of-human



But in the end it comes to the fact that your Google/Apple needs to have your app store account that is verified to be human enough (less fake accounts) and then a web browser confirms this via a login to this account.

We get into the Ex Machina situation. It was a pretty good movie about Android (robot?) proving itself human.

One option might be to allow people to view tweets if they have accounts from reputable federated identity providers, then you have an identity of an individual person without having to do the validation yourself. You can then rate-limit based on that individual ID.

Another option might be to rate-limit by things which don't require accounts, which won't strictly rate-limit individuals, but it's unlikely that's the terminal goal here. It's not actually clear what they are trying to accomplish. Reducing the amount of resources wasted on scraping bots?

One option would be to just allow people to view public tweets without requiring sign in.

It doesn't achieve the stated goal of rate-limiting individual people, which sounds like an instrumental goal for an actual (unstated) business objective.

Currently federated identity providers do not provide a separate identity to each site you are authenticated on. At that point any collaborating sites can pull together all the information you give to any one of them. Hell, in most cases your "identity" is your email address, so every site you authenticate with can spam you directly.

"Trust tokens" was built to deal with these issues just for this use case: https://developer.chrome.com/docs/privacy-sandbox/trust-toke...

The Shibboleth IdP also supports per-SP opaque nameID, but nobody likes SAML-based protocols, and as far as I know, outside the academic identity federations, no one deploys Shibboleth ...

Shibboleth is terrible -- so terrible it was easier for me to write my own SAML IdP from the specification than try to make it useful. Lots of people use Active Directory Federated Services (ADFS), which has a SAML IdP.
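The per-SP opaque identifier discussed in the comments above, sketched as an added example (not code from the thread, and not Shibboleth's own algorithm): an IdP derives a different stable ID for each service provider with HMAC-SHA256, so cooperating sites cannot join their user tables, yet each site can still rate-limit per person. The secret, entity IDs and user addresses are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed demo values; a real IdP would keep the secret in an HSM or KMS.
IDP_SECRET = b"constructed-demo-secret"
USERS = ["alice@example.org", "bob@example.org", "carol@example.org"]
SP_A = "https://news.example/sp"  # hypothetical service providers
SP_B = "https://shop.example/sp"


def pairwise_id(user, sp_entity_id, secret=IDP_SECRET):
    """Stable, opaque identifier for one user at one service provider."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (sp_entity_id.encode(), user.encode())
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def released_identifiers(sp_entity_id, pairwise):
    """What one SP ends up storing after every user in USERS has logged in."""
    if pairwise:
        return {pairwise_id(u, sp_entity_id) for u in USERS}
    return set(USERS)  # the common case: the e-mail address is the identity


def colluding_join(pairwise):
    """Identifiers two cooperating SPs can match across their databases."""
    return released_identifiers(SP_A, pairwise) & released_identifiers(SP_B, pairwise)


def allow(counts, subject, limit=3):
    """Per-subject request counter: the SP rate-limits an ID it cannot name."""
    counts[subject] = counts.get(subject, 0) + 1
    return counts[subject] <= limit


if __name__ == "__main__":
    print("alice at SP_A:", pairwise_id(USERS[0], SP_A))
    print("alice at SP_B:", pairwise_id(USERS[0], SP_B))
    print("joinable with e-mail IDs:  ", len(colluding_join(pairwise=False)))
    print("joinable with pairwise IDs:", len(colluding_join(pairwise=True)))
    counts = {}
    sid = pairwise_id(USERS[0], SP_A)
    print("requests allowed:", [allow(counts, sid) for _ in range(4)])
```

Rotating the IdP secret changes every derived identifier, so each SP would see all its users as new accounts.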

> I mean what do you want them to actually do instead?

I want them to do nothing.

Proton mail requires a small fee which can be paid pseudo-anonymously via cryptocurrency.

~10 years ago I made about 10k Twitter accounts just for fun. I never used them. They still exist, no one deleted them. A while ago I lost the script and password for them.

Back then you could bypass captchas and other checks by changing Tor endpoint (some endpoints required captchas, some didn’t). Made a script that did just that.

It also worked for Facebook and I still receive facebook spam for those accounts daily.

I have no problem with asking for a phone number during registration, it complicates automated account registration and makes it quite expensive. But I dislike the idea of hiding content behind login page, internet should not be a walled garden.

So maybe don’t require an account to view tweets, or don’t let me tweet until I provide phone number but still let me view… lots of options

But then they don't get data on which tweets you viewed.

They can't set a cookie? Associate my phone with my desktop by IP address correlation on home ISPs? C'mon, they oughta be more capable than that.

Cookies don't track you nearly as well. What happens if you delete a cookie? Fingerprinting isn't a universal solution either as iDevices all look extremely similar to each other. As to IP addresses, they only work if you connect from your home WiFi. Not every phone has that set up. Often they use carrier grade NAT so you only have a few IPs to work with.

Last, customers of their data love being able to search/correlate by phone number, not by some pseudonymous identifier that might not be present in some other dataset.

I think this crackdown might in fact be a reaction to attempts by institutions like Apple to ensure better privacy. If fingerprinting isn't giving them the data, they ask for it directly at the threat of restricting access.

>What happens if you delete a cookie?

I imagine the data of 99.9% of people they mostly care about are the ones who don't know what cookies are, let alone how to delete them or otherwise mask/misdirect various internet trackers.

How is that relevant to read-only access, which is what is reportedly being newly blocked?

If reading content generates spam, You Have A Bigger Problem.

Their fraud problems don't justify anything though. Nobody outside Twitter cares about Twitter's problems. Just because they have a problem doesn't mean they should get to solve it, especially if it involves personal information disclosure which can get people killed.

That is genuinely a very interesting paper - thanks for sharing

I have noticed that most of those services (Twitter, Skype and so on) block login without giving a phone number... until a few months later they automatically unblock. I simply check every week whether they have removed the block or not. Once I was stupid and gave my phone number to one of those kinds of services; that was a bad idea. The account went into some weird state after giving the code received from SMS. So my personal experience: wait, never give a phone number.

Ideally, there should be an option to not give it. It’s a security risk for those with MFA elsewhere.

That's odd. I've never given Twitter a phone no. (Granted my account predates their phone no. fetish.) Still use Twitter daily without any issue. Perhaps it's because I'm still logged in and not trying to re-login?

Twitter doesn't seem to care much about established accounts, but every attempt I've made to make a new account under a new name gets suspended.

> Granted my account predates their phone no. fetish

I doubt that - twitter started as an SMS service…

Doubt all you like - that's how it is.

Same experience, and why I do not use a twitter account. Plus the last thing in the world I would do is to let some woke SV company associate the political opinions I follow with a real identity, not in the current environment.

Unless they've changed their policy on this you can email support and say you don't have a phone number and they'll re-activate your account, has worked for me in the past.

While this works, I still hate the lie that they have suspended your account for "suspicious activity".

If you're going to require a phone number to read tweets, don't lie about it, just be up front about it.

I can confirm this as recently as June 2021

couldn't you just call them instead?

>> it's easier to trick people into giving up yet more information than asking for it upfront

What I found interesting is that “translate tweet” button doesn’t appear unless you are signed in. Why cannot I read news from all over the world unless I’m signed in? Why do users have to sign in to read translated tweets in real time?

Does Twitter have to pay to use Google or MS's translate API?

I have no idea but twitter uses google translate API

Apparently it costs money. https://cloud.google.com/translate/pricing

Now it makes sense!

Thanks a lot

And Tweetdeck uses Microsoft's API.

I'm not sure I'll blame Twitter for (effectively) requiring phone numbers - they are stuck between a rock and a hard place.

On one side, people rightfully complain about trolls, harassers, spam, CSAM, misinformation campaigns and propaganda on online services. And on the other side, people will also rightfully complain about data harvesting, and an ever growing lack of anonymity on the Internet.

At the moment, phone numbers are the closest thing we have to at least have some cost associated with spamming and a legal pointer to get hold of criminal-level abusers. Using government IDs such as the German Personalausweis (which can communicate with a website using NFC and a special app) would outright kill anonymity, using middle men to do the same (or video/postal identification) like for banks, porn and gambling sites costs money and is not much better in terms of anonymity.

But all I want to do is read the tweets? I'm not contributing to spam if I don't even have an account.

I want to be able to read the New York Times without a subscription too, yet here we are. Corporations don't have to give all their services to us for free. They can charge, require free registration, whatever.

NYT pays people to write its content, but Twitter users post their content for free.

People are giving content for free to Twitter. Should they start charging for it? Twitter is not in the same league as the NYT.

That doesn’t make the rock-and-hard-place point apply to that situation though, which is what the comment you replied to was a reply to.

It's not you. It's scraper bots they are trying to protect against.

You can request phone numbers when creating a certain number of tweets, or trying to reply to a well known account, or if upvoting a comment that is controversial or reported as spam.

It's a lazy solution that pushes spam control costs onto the users.

Personally, I don’t mind giving them my phone number because my number is already public information. It sucks though that I can’t get tweets by text.

This was the original use case of twitter. I understand SMS is not secure enough to publish tweets but why can we no longer get texts when someone tweets?

I'm pretty sure you can still get SMS notifications by turning it on in your Settings[0] and then also clicking on the "Notifications" button on the specific profile for which you want to receive notifications. I haven't used it in ages but all the settings appear to be there still :)

[0] https://twitter.com/settings/sms_notifications

And this is why things like Sign In With Apple are a godsend* for users, which predatory devs rail against on HN.

* Even though the bait-and-switch can be done there too, but at least you didn’t have to give up your email to the scummy service.

FWIW: HN are receptive to member feedback about improvements to Hacker News itself.

This includes both encouraging sites, content, and/or users, and suggestions as to unwelcomed behaviour.

email hn@ycombinator.com

You can remove the number after you've used the account for a while and not get locked, but they shouldn't require it in the first place.

And yet that account will still get suggestions to follow people who have that phone number in their address book. 🤔

It's probably permanently held in their databases. Some services use immutable data models that "append deletes". (GDPR made those types of systems fun to deal with.)

Might be bad for activists, whistleblowers, et al.

The point is to never give it to them.

You can petition them (via email) to not require your phone number and if your emails are persuasive enough they will activate the account without a phone number. But yeah, that is an extra step, and usually takes 2-3 emails that say something like "this account is vital to our business"

Unrelated, but does anyone know if Facebook does this? They seem to allow signing up with just an email address, but I haven't tried going through with it and seeing if they'll eventually require a phone number.

Facebook do require a phone number to access their API (or otherwise manage a Facebook App).

You can remove your phone number easily under account settings.

This trickery is still a very effective way to get phone information for masses of people, but on the individual level, it's possible to avoid.

Yes, but once you've added it, they have it, even if you can't see it in your settings.

You're assuming they keep it, but is there evidence of that? Regardless, it's a good assumption. I'll actually ask twitter support right now!

I created an account in May 2021 without a phone number to follow some people without blogs etc, and it’s still working with just a disposable email.

They’ve added sign in/up with Google & Apple recently though.

You can get away with that on a residential IP sometimes, but don’t count on it. Log in from the wrong location or a VPN or do certain patterns of behavior and it drops you.

I exclusively use it via VPN, with a ProtonMail address from the web (so many login notifications) while like, commenting, and subscribing on politically controversial content and soccer.

Three, almost four months in and zilch. It’ll be a good test case anyways.

They flagged my phone number-less account after four months, probably because I replied to a high traffic thread.

I think the key to using a phone number less account is to use it as much as you can in read only mode.

Fixed wireless ISP in the US and I hit a captcha on every site from time to time when logging in (and sometimes just trying to read-only) - and I'm effectively blocked from anonymous sites.

I can "lock in" an apparent IP address, i.e. ssh to some box with no-ops; but that's either per-connection or still NAT enough that I get flagged. att aggregates all such connections at F5 routers in large cities, mine is in Dallas, for both of my fixed wireless connections.

At some point there will only be people who don't care at all about their privacy that use twitter, Facebook, Instagram... All these American services in "social" media.
