477 comments

[ 0.26 ms ] story [ 323 ms ] thread
I'm surprised people didn't know this... this has been happening for at least 4 years through custom audiences. An advertiser can upload a list of mobile numbers or email addresses to target people.
Actually this should be an act of "good faith" where you are adding a layer of security to your account and not about making even more harm to your account.
The reason I never give fb my mobile is if you use a pseudonym account, it will suggest your profile as a friend to anyone who has your mobile in their phone contact list (eg ex-partners, stalkers, employers, drug dealers). Found that one out the hard way.

I know Zuck wants me to preemptively upload my nudes, but still.

Lucky you already have your account. These days you can sign up for one without a phone number, but then you flat-out can't sign in without giving one.
You can even do a search by mobile number, by typing a mobile number into the search without pressing enter.

Depending on the owner's security settings, Facebook will often suggest the profile of the person in the type-aheaded search results.

I believe they removed this feature a couple of months ago.
FB's terms of service do not allow pseudonym accounts.
Do people honestly give a shit about terms of service?
Yes. Especially ones with broad arbitration clauses, and double especially ones where your access to the courts is determined by whether you opt out within a short time period after agreeing to them.

These are frighteningly common, typically enforceable in the US even for consumers, and typically enforceable in most countries for even small business customers (though rarely for consumers in much of Canada and Europe if the vendor has enough ties to the area for local consumer protection law to apply and you win the race to the courthouse).

This is basically how FBI Director Comey's secret Instagram account (and thus Twitter account) was unmasked. But it was even worse - you are suggested to 3rd party people who just follow the people who know you: https://gizmodo.com/this-is-almost-certainly-james-comey-s-t...
Yep, something similar I discovered recently that if you sign up to Instagram with somebody's email that they use on Facebook then within a day or two you'll start to see all of their friends from Facebook whom are also on Instagram in your recommended follows. All of this happens without email verification..
> All of this happens without email verification

This has very interesting consequences...

Whoa... so it was around in the open since around 2013, and still not fixed? 0_0
Almost every shop does this, no verification before use. ffs, at least provide a "report not mine" function.
I've only ever seen a "report not mine" function from Google. Where else have you seen it? I am not on FB/LinkedIn/most similar ones, so I may be missing examples.
Yep, I have a relatively common name and @gmail.com address. Last week, some guy with my name signed up for Instagram with my email adddress and started posting without ever verifying his email.

I reset his password and tried to close the account after he kept trying to access it by resetting his password again. Instagram support asked me to send a clear photo of myself holding up some random number to prove it was me. Nope lol.

> The reason I never give fb my mobile

Here's the issue with it. You might not give it but your friends would. Therefore, this strategy is pretty useless as network effects kick in.

TIP which I discovered by accident: create a bogus account with your phone number.

Facebook will remove the phone number from your account when you do that. You can also use that to check who are your friend who gave FB your phone number.

> You can also use that to check who are your friend who gave FB your phone number.

Can you explain further how this will work?

Probably by suggesting users who have your number as friends.
(comment deleted)
this is an interesting idea but probably one already-implemented feature from being circumvented
Facebook gonna Facebook. It's long past time to consider regulation of an ethically bankrupt corporation.
"four months ago" they stopped requiring it for 2FA, that's the time GDPR came in.

I wonder if Facebook acts differently for European users?

Why have costly government regulation when users can just quit?

Plenty of other online and offline ways to connect with the people in your life.

Users cannot "just quit". Facebook probably has a profile for my grandma who never touched a PC in her whole life.
Many people can't quit because they are addicted, but there is an option to permanently delete your account and it takes about 5min. I'm not aware of Facebook creating profiles for people that haven't signed up for their service. If so, that should definitely be illegal.

The government should have bigger fish to fry than trying to regulate the distribution of information that you have and continue to willingly provide to a company. If you don't like it, sure government could jump in and make Facebook just how you like it, or you could delete the info you don't want them to have. The later sounds easier on everyone.

Why have costly government regulation when people can just not breathe polluted air?

There are some things users/people did not sign up for and cannot (reasonably) opt out of that still harm them. This is what regulations are for.

Air is a necessity, Facebook is not. I don't use Facebook and personally don't want my tax dollars spent overseeing a non-essential service. I'd rather send our tax dollars towards environmental pollution and areas that actually affect us all much more seriously.
The point wasn't that Facebook is a necessity. It's that Facebook is unavoidable.

Unfortunately, whether you created a profile or not, you can't just "not use Facebook" with their whole shadow profiles.

Sure, they aren't (currently) pumping waste into the environment. I'm not saying those things aren't important, but I do think we're going to look back 10 years from now and wonder how we let Facebook even get this bad.

you generally don't regulate companies, but whole industries. Then you punish companies for breaking the industry regulations.
No regulation needed, just avoid using their 'services' and block anything facebook at the point of access. They might keep 'shadow profiles' and use facial recognition to find you on images posted by others but if you keep them out of your network they can have a ball trying to target their advertising at that closed door.

Not that I allow any advertising here, mind you - everything is blocked at the router (ipset [1] comes in handy here), at the client and in the browser. This works at home as well as abroad since I route all my data through a VPN (OpenVPN) terminating at my router.

[1] http://ipset.netfilter.org

Then it definitely sounds like regulation is required, the vast majority of Facebook's users don't know how to do all that. The public should not have to protect themselves from unethical companies, the companies should have to stop with their unethical behavior lest the government shuts them down.

Drawn to its logical extreme, you don't need regulation to be protected from racketeering if you run a restaurant either, you can just hire private security and arm yourself.

It would be really surprising if that was a facebook only thing. For starters Google pesters me at least as much to add my phone number to secure my account.
I think it will stop pestering you for a phone number if you give it some neutral second factor like a Security Key ?

(Security Keys are actually way more anonymous than I'd even thought possible until I understood how they work, if you know Susie uses the same key for DropBox and GitHub, and you suspect Susie also uses this key for the account NumberOneSecretTrumpFan on GitHub, and then you steal all the account credentials from GitHub somehow, this doesn't end up being enough to verify that Susie has the same key as NumberOneSecretTrumpFan, nor is it enough to sign into Susie's DropBox account, and unless GitHub's data includes the backup passphrases or whatever it's not even enough to sign into GitHub as Susie, NumberOneSecretTrumpFan, or any other Security Key user...)

I'm not sure how it is now, but for a long time Google required you to enable SMS auth (by giving your phone number) before you could enable TOTP or other 2FA methods.
Phone numbers were not a secure 2FA anyway, and I've been using the TOTP alternative since it's been available... but I don't really see a problem with them using whatever to show "more relevant ads", if you don't want ads just use an ad blocker.
What if the more relevant ads are robocalls like in this case?
Who is still answering phone calls on their cell from numbers not in their contact book? If you call me and you're not in my phone my phones just dumps you direct to voicemail.

Not excuse this behavior in the least, but robo calls in general are a solved problem for me.

The answer is many folks depending on lifestyle.

But more importantly, increased robocalls seriously means more life interruptions. Work nights? Sleeping while sick? That phone still rings, and there are many reasons to leave the sound on. Direct to voicemail simply doesn't really solve all the issues.

Yeah, I eventually got so sick of spam callers in the UK waking me up that I just got into the habit of leaving the house phone unplugged.

Didn't live in a mobile service area either, so no mobile too. Some parts of that were really good. :)

> Who is still answering phone calls on their cell from numbers not in their contact book?

Anyone with kids.

Anyone who works as a B2B customer contact.

People call me all the time to offer me work, and they're not in my contact book until I've talked to them at least once.
Here's a typical problem:

* Be in the US, get your mobile number years and years ago and it has the area code of where you lived at the time.

* Move somewhere else, keep the mobile number.

* Now you get 4-5 robocalls per day spoofing numbers from "your" area code and calling at reasonable hours for that area... which are not reasonable hours where you now live.

And if you say "just turn on do not disturb", remember some folks have to be on call for their jobs, don't know in advance what numbers the pager alerts will come from, and so have to leave the phone open to ring from whoever calls. Which will be robocalls with "helpful" offers at 4AM.

What I would love to see in a future mobile operating system is the ability to say "block all calls from this area code unless they're in my contacts".

I realize it's not a great option for lots of people, but the optimal solution is to choose a phone number with an area code far away from where you will ever have any legitimate contacts, and block everything from that area code.
> Who is still answering phone calls on their cell from numbers not in their contact book?

Anyone who runs a small business?

Likewise, passwords fail to protect against a whole class of attacks. I don’t know why Facebook still uses them.
Phone numbers fail against remote third party undetectable attacks with O(1) complexity. You'd have to use a password like "1234" to fail like that.
"Give me as much service as you can while keeping me as far off the grid as possible" is a skill that is sorely lacking in this market. I don't have this problem with weed dealers, but I have this problem with information dealers. Internet companies could seriously learn a thing or two from the black market on how you treat your customers.
Does your weed dealer provide the service for free? If you want to be treated as a $$$ paying customer start paying. Problem with social networks and $$$ is that network effects will not come into effect as not everyone will be willing to pay.

There are actually ethical information dealers but they require you to pay them as you are paying your weed dealer.

I'm probably wrong but I feel like there's a market for an ethical advertiser that does no tracking and placed ads by content only. is that impossible? it was reality until the 90s
I think (but might be wrong) that duckduckgo works like that.

They show ads based on search the content rather than via tracking.

I mean, if you give a $$$ option instead of giving up data than you removed the intended targets of most ads out of your advertising pool.
The ultimate goal is to make money, not serve ads.
Of course, but I can guarantee Facebook has run the numbers. They are currently doing what makes them the most money. That happens to be ads.

The user data they sell to advertisers has a lot to do with your social network. Who you know, what their interests are, who they know, etc.

For Facebook to allow individuals to pay to opt out of their data being sold, it affects more than just that individual's data. I.e. it affects all their friends and friends-of-friends data.

I expect that the only way Facebook would be able to offer a pay-to-opt-out plan would be for everyone on Facebook to start doing, which would never work and they would never attempt.

I imagine the most we'll see in this direction is some sort of half-assed attempt where they offer to let you pay them money to stop some tracking, but still continue to most of it anyway.

I'm sure it's possible to advertise without tracking. We did it for years.
I'd whitelist a true advertiser who ditches tracking entirely and focuses more on advertising content relevant to the page it's going on instead. Chances are if I'm looking at some Python programming page or server setup tutorial I'd be more inclined to click on ads relevant to the page as opposed to a creepy ad of something vague as heck that I looked up on Amazon 5 years ago that Amazon really wants to sell, or whatever.

I really would love to see advertisement companies that are less focused on tracking and more focused on ad placement that's relevant to the content it's going on, and hey sometimes there's no relevant ads for content and that's cool too, but at least show anything generic or close enough at that point. Also advertisers who don't do pop ups or annoying ads (that I swear could cause epilepsy on some users) are also good stewards of the online billboard market.

> who ditches tracking entirely

Problem is, it never stays ditched. It's always a slippery slope.

I just don't want to participate in this anymore.

I'd be fine with "visitor count" type of "tracking" as long as it's just that, as far as how many per country / region. No following users around the web, aka no cookies needed. Then you could have a page for advertisers to choose sites to advertise directly on for themselves.
minor correction: creepy ads for the things i already purchased two weeks ago. brilliant use of ad targeting spend by companies i already gave my money to
I'd happily attempt a startup/side-project that offers an API for non-tracking advertisements, but I don't think there's space in the market. It'd be very difficult to compete with the existing incumbent advertisers.
Most internet service companies, including Facebook and Google, don't give you the option of paying for privacy even if you wanted to.
I think that if it's possible to define a way of operating businesses in a way that doesn't harvest data in a way that's nonessential to the services, then there should be a law requiring this option: to pay out of your pocket directly the amount of revenue the company would have expected to make, in exchange for the company not doing this data collection. But it seems difficult to get to such a definition. I think this law would be very popular.
Indirectly GDPR does this. All data collection must be either opt in, or necessary to provide the service.
Oh, I forgot an important detail. I should have added another aim I would want is that as a result of paying this money, you wouldn't receive any advertisements from the service.
We're trying to build the idea of "paid for storage" that doesn't look at your stuff, but getting people to pay fora service that others provide with advertising for free is hard.

Any company being truthful about what their customers want can't be tracking them 24-7 and sifting everything they type. Almost no-one wants that level of invasiveness. We just put up with it because there are no real (easy) alternatives or aren't aware.

But does GDPR really allow this business model at all? A website cannot as per GDPR say "accept tracking or we refuse service", if tracking is not necessary to provide the service. Can they say "pay or accept tracking or we refuse service"?
That's exactly what The Washington Post does. They have a free option where "You consent to the use of cookies and tracking by us and third parties to provide you with personalized ads" and a "Premium EU Ad-Free Subscription" with "No on-site advertising or third-party ad tracking".

https://www.washingtonpost.com/gdpr-consent/

I happily pay for YouTube Premium, just to avoid ads. I wish I could do the same with Facebook
Do you still get tracked and your data collected if you pay?
Of course, but you don't get served ads.
So if I pay GM for a car they won't data-mine me? Just yesterday on HN we learned that this is not the case. Why do you think companies wont take your money and then proceed to sell your data anyway?
You should ask for your moneyback, because you're already paying in private data.
I mean, I've paid both Comcast and Verizon a lot of money for internet access, and they both have done awful, privacy-shattering things while I've paid them. (Subverting DNS, X-UIDH header, etc).

Once there's money on the table, companies are going to take it and assume the number of customers who walk away aren't enough to offset the profits.

That battle has already been lost; between a complete lack of at least semi-anonymous banking (I.E. GNU's Teller, well see notes), ad behamoths, "credit" companies (Experian, etc), and all sorts of proprietary social platforms having a majority of the market roped in: there's a shadow profile in one sense or another for everyone short of the crazy cabin in the wilderness types.

A focus on consumer rights, protections, and building difficult to defraud and difficult to exploit consumers systems is where effort needs to be spent.

* GNU Taler - A digital cash / micro-transaction system that hopes to be audit-able for tax and other legal reasons while still being anonymous for consumers.

Please read about privacy, verifiable in the right ways, and the "operational in 2018" claim

https://taler.net/en/index.html

https://en.wikipedia.org/wiki/Micropayment#GNU_Taler

This is exactly the kind of abuse that GDPR is designed to curtail.
Yes using information for a purpose other than it was collected for. Hopefully this means in Europe we won’t see this spam.
Hopefully? Hopefully this means we will see facebook employees faceing criminal charges!
If it's a corporate decision they won't be liable.

"Similarly, individual employees, managers, and directors are liable for their own malfeasance or lawbreaking while acting on behalf of the corporation, but are not generally liable for the corporation's actions."

from https://en.wikipedia.org/wiki/Corporate_personhood#Case_law_...

I don't think GDPR has any tooth in this.

Maybe not. But you can hope about the future. Laws are created because of malfeasance. And they can change.
i'll be ok-ish with a $5B fine or whatever makes sense. it'll be cheaper then to hold the employees liable.
It's a corporate decision made way above the heads of the developers, for sure. But, there has been very notable occasions in history when the US and Europe wasn't content with "I was just following orders" as a defense.

And, during at least one of those periods in history, the US was not content with superiors claiming ignorance of any wrong doing either.

Don't count on it. From the Gizmodo article:

> I’ve been trying to get Facebook to disclose shadow contact information to users for almost a year now. But it has even refused to disclose these shadow details to users in Europe, where privacy law is stronger and explicitly requires companies to tell users what data it has on them. A UK resident named Rob Blackie has been asking Facebook to hand over his shadow contact information for months, but Facebook told him it’s part of “confidential” algorithms, and “we are not in a position to provide you the precise details of our algorithms.”

Hmm the information isn't the algorithm. It would be excellent if the courts could get them to release this data!
Small question: how do you prove it, adequately for a court of law?

I imagine that to prove it, you'd have to make several accounts, with several phone numbers, and somehow demonstrate to a judge that the information leaks through. Not an easy task.

It's "easy".

1. Ask for the judges phone number 2. Register new account with judges phone number (clean browser, no friends added or pages liked) 3. See friend recommendations from the judge in this new FB profile.

wouldn't be surprised if FB kept a list of regulators and judges whose information is treated differently from the rest of us.
The GDPR is not applied by courts, but by regulators, who are tasked with investigating just that sort of thing. Courts may come later, if the company disputes, I think.
Facebook files on every person in such regulator would make Stasi files look like a collection of drawings of a one year old.
So disappointed in the GDPR evangelism on HN.

https://www.techdirt.com/articles/20180920/17133740682/gdpr-...

GDPR is a tool that is going to be abused to hide and censor. The EU didn't create this regulation for the benefit of the citizens of EU.

The Right to be Forgotten existed before GDPR though.
The previous right to be forgotten was limited to only search engines operating in the EU. Meaning, google didn't have to remove the data itself, just the entry to the link in the index. GDPR is far more onerous in that it applies to all data processors everywhere.

"The ECJ ruling only enforced the right to erasure on search engines operating in Europe. The proliferation of personal data that is available online extends far beyond their indexes. It's often exploited for the benefit of others, and their motivations may be contrary to the wishes of the data subjects. It will now be extended to all data processors."

https://www.techworld.com/data/could-right-be-forgotten-put-...

I don't believe in "right to be forgotten" period. That's quite orwellian. The data must flow.

does GDPR talk about hashes of emails, or just emails? (or mobile numbers or whatever)
As a security engineer, I cannot overstate just how horrible this is. Phone numbers might not be an ideal 2nd factor for authentication, but to punish users for setting up 2FA by using the provided phone number for ad targetting is incredibly unethical.
I never heard of this company when I did a monitor.firefox.com search of my work address.

Exactis Breach date:June 1, 2018 Compromised accounts:131,577,763

https://haveibeenpwned.com/PwnedWebsites

> Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages

I agree with your sentiment.

But, as someone who understands that not all people and companies use the same moral set as myself, this is why I've never set up 2fa using a phone.

Why should I give some company my phone number? Increasingly it's become a single point of metadata to uniquely describe myself (just as my email addresses have).

You don't have to but it's the most user-friendly, although flawed, method of enabling 2FA. They could have easily used a software token but that requires non-tech savvy users to download a 3rd party authentication app, as well as understand the basic usage. Why do that when users can simply get a text sent on a method they most likely have?
> just as my email addresses have

That doesn’t need to be the case though with just a little bit of effort and minimal cost. Use your own domain for email and set your account to be a catchall. Then use facebook.com@yourdomain.tld and your email address is no longer a cross site unique identifier.

Isn't this it though, the engineers designing the ad targeting system at Facebook is linking the random emails you use as "catch all" to your main identity so you can be targeted specifically even though neither party has full knowledge of the linkage between your catchall email and your main identity email. This is facilitated by information that is not under your control.

If facebook was able to design and build this system, you can bet that other companies are doing this too.

Check the TOS and/or implementations for many of the tracking providers and you’ll see they use hashed emails. Show me a way to extract the common domain name from the below:

9425ca8eb02d022309ec175a7067b1567a5f741ec7010cc1b5034287f9db6e2f

4d1c86b9f418c713e784760fea809e34418c2f13e993d907783572ecc2c9bb6e

If the hashing algorithm is known (and my guess is it is at least possible to reverse engineer it, if it isn't documrnted) then cracking a hash with a GPU may be quite feasible.
The hashing algorithm is well known, it’s unsalted md5/sha1/sha256. That doesn’t make it necessarily possible (sure, some cases yes, but not even most), let alone feasible, to rainbow table them.
The simple way would be to use part of the hash for the domain and part for the user. If you alternated bits it wouldn't be obvious.

I doubt it'd be worth spending the effort to target people with personal domains though, and it would have some negative effects, so your point is well taken.

Its pretty simple to crack unsalted hashes using rainbow tables, unless each hash is salted with a random distinct salt and if that is the case then these hash seem pretty useless. So how do tracking providers use these hash ? What other info is sent along with the hash ?
> So how do tracking providers use these hash?

They use it to match traffic across devices and IP addresses.

> pretty simple to crack unsalted hashes

Go ahead and rainbow table those hashes then. If you do it and are the first one to email me (email address in profile), I’ll pay you $100.

> Isn't this it though, the engineers designing the ad targeting system at Facebook is linking the random emails you use as "catch all" to your main identity so you can be targeted specifically even though neither party has full knowledge of the linkage between your catchall email and your main identity email.

If you use the method described in the grandparent, you use a unique email address for every site (e.g site1@yourdomain.tld, site2@yourdomain.tld, etc). The domain will be the common part, which would be very hard for a company to use because most domains are shared between many separate users.

This is no longer "just a little bit of effort and minimal cost" - most likely no one will use unique emails for every site as well as use private browsing mode permanently in order to avoid cross cookie / cross site contamination via 3rd party (non facebook) tracking. Which is cited as a "feature" - allowing clients to bring their own ad tracking database and integrating that into the FB one in order to make ad targeting more specific.
Lots of people do this, in the past it has exposed data leaks.

My if my site-specific email giqjtodvdksu@... has been getting spam lately then it is likely that either they sold it or they got hacked.

>Lots of people do this...

You mean a very small percentage of FB users do this?

The point being as parent comment said it’s not “a little effort and minimal cost”. Figure a $10-15 overhead cost for the domain and maybe $5/month/e-mail account? Effectively to minimize tracking on Facebook one would have to spend a minimum of $70/year?

It doesn’t seem like a great solution...go with a “free product” like Facebook in exchange allowing them to collect and monetize your data, only to pay to combat their business model? May as well offer a competing service that doesn’t track you, collect/monetize your data and pay say...half the cost of a domain and email.

No, it sucks, but it is the only way.

> May as well offer a competing service that doesn’t track you

I would kill for that. But this day and age it would be hard. Also, even subscription services typically see fit to track you and serve you ads.

Sort of like at first people thought paying for cable tv would mean that there would be lots of channels without ads. Didn't happen. Only a few where you get to pay even more for now ads. Now Netflix begins the cycle anew.
> This is no longer "just a little bit of effort and minimal cost" - most likely no one will use unique emails for every site

It takes a tiny amount of effort: you setup your domain with a wildcard so all you need to do to create a new email address is to use it. You could send mail to barkingcat@real.domain.for.394549.net right now, and it will be delivered to my inbox with no setup required.

It's also great in case you start spamming me. I don't have to struggle with your unsubscribe links, I can just blacklist all mail sent to barkingcat@real.domain.for.394549.net, and be done with it without any collateral damage.

> most likely no one will use unique emails for every site

I do and have done so for over 10 years. It’s been very eye opening to say the least to see how many sites have leaked my email.

It is completely possible to fingerprint a browser and then group all the email accounts used on it and treat them as a single user. When was the last time you lent your device to someone so they could check their email?
Google claims that multiple people checking their e-mail in the same browser is common enough that they had to redesign browser log-in around it.
Doing this seems like it would slow down an adversary with Facebook like capabilities for a handful of milliseconds.
>Then use facebook.com@yourdomain.tld and your email address is no longer a cross site unique identifier.

unless sites smarten up and realize facebook@johndoe.com is the same person as pizzaplace@johndoe.com, especially when johndoe.com isn't a "common" email domain like hotmail.com

Most marketing companies don’t share raw email addresses (rather md5/sha1/sha256 hashes of the emails). In that scenario, linking the common domain name is very difficult to near impossible to do currently.
As someone that has created a facebook account with an unused email without using my name or any information they still recommend my friends, family and interests. Instagram did the same thing with my interests.

There's a lot more going on than linking email addresses.

If you used an app (rather than just a website), then all your contacts were uploaded. (Instagram has always been an app, hasn't it?)
You can do it with Gmail to some extent already. E.g. instead of using myemail@gmail.com I would use myemail+facebook@gmail.com. Gmail ignores anything after the plus. As someone mentioned, marketing companies usually share just the hash of email. The trick is not too popular and I didn't experience a company handling it yet.
A vast majority of companies either don't accept the plus because they are too lazy to implement proper email validation, or they strip the pluses from gmail addresses because they're strictly useless to them.
Then you can use dots. An 11-character email has 2^10=1024 different addresses.
The "trick" is both popular and commonly made to be moot by programmers. Source: I know programmers at multiple companies that have written production code to strip the +suffix from the username portion of gmail addresses.
If someone does that with one of my (custom domain) addresses, it won’t work, here’s what I implemented: https://zackorndorff.com/2015/03/10/disposable-email-address...

(To save you a click, they look like aa_COMPANY+SHORTHASH@mydomain.com, with shorthash being based on COMPANY and a secret)

Downside is the address ends up absurdly long, and I’ve had to manually create some aliases for companies that won’t accept the plus.

I don’t recommend this setup, it’s kind of a pain to maintain, but I wish one of the mainstream providers would implement something similar.

Agreed. This isn't done just for ad targeting, either. If a user invokes a GDPR right to be forgotten, it's useful to make sure you've found all the instances of that user's email address in your system regardless of the +additions.
This is not what an average user of Facebook can do. What an average user can do is demand adopting laws like GDPR to regulate PII.
I've been typically using name+website@domain.tld to distinguish email origins (and leakage). Ironically, I've already set up otherdomain.tld@privacy.domain.tld to hide registrar information, but hadn't thought of using it for day-to-day signups until now.

I think I'll extend the latter (and reduce the required Spam score) before it gets sent to my inbox.

It's also something that people should have expected. I don't understand how people have not noticed that all of the major sites that generate revenue through user profiling and advertising have been pushing hard for users to either be obligated to register using their phone, or to setup a two factor authentication using their phone when it's not necessary for registration.

The reason I say it's something people should have expected is because if people were more critical of the things asked of them, then things like this would never get off the ground. Instead, because people do not seem inclined to naturally believe that corporations might have ulterior motives, such practice has become common place and on some sites even mandatory.

> Instead, because people do not seem inclined to naturally believe that corporations might have ulterior motives

People worship at the altar of success, and there aren't many relatively new companies as profitable as FB. That's not to say that these companies don't spend significant coin in pushing their inane message of "we're connecting the world" wherever they can. And mass media for the most part go along with it, mostly focusing on the stock price, rarely bothering to examine how FB makes its money and what tradeoffs that comes with.

Somewhere in the bowels of FB is the product manager who feels like a smug genius for coming up with this 'feature'.
Ethics do not matter vs profit, so long as the elected representatives can be properly paid off and the public lied to that regulation is always bad.
There has to be a reason Facebook reminds me 50 times (yes 50 times) a year to put my phone number in for security reasons. That’s extremely unethical tbh and then I can’t recall if this is true because I’ve stopped using Facebook but I’m 80% sure they then filled out my phone number and just wanted me to confirm it.
I'm using adblock, how does this affect me ?
How is a difference in how ads are targeted a punishment?
Another personal observation. I have an Instagram account that I thought was fully incognito. I never connected it to any other social account, I used a separate email for authentication etc. Just days after the Instagram founders left Facebook I started receiving friend suggestion on my IG that were very very relevant. Those were people I knew in real life and mostly connected via Facebook but not only. I shouldn't be surprized as being connected to the Internet by itself is an end to your privacy but still, this was probably the spookiest invasion into my privacy so far. Bye-bye Instagram.
Haven't you used the same web browser for both, Facebook and Instagram? They might just be sharing cookies.
Well, Instagram and FB being 2 separate domains , they shouldn't (in theory at least) be able to access each others cookies in browser. The tracking is most likley still server side based.

Based on what the OP is writing, the unique identifier foe the user can even be the IP address...

They shouldn't be able to access each other's cookies at the browser's level, but instagram.com might include third-party javascript code from facebook.com, which connects the two accounts in the system.
Are you sure you didn't access it from the same IP address? There are so many fingerprints you are willingly sending to the public.
I did of course, how could I not access both from the same IP. The bottom line is: a property owner is a property owner even if it comes to separate domain names.
‘Willingly’? I think unwittingly is more likely.
It's your computer which store cookie and localStroage data to the local storage. It' your computer which execute JavaScript program to retrieve that data.

It's your choice to use the same IP address.

It's your will.

This happened to me after Facebook acquired Instagram. I had my mobile no in Instagram profile. Instagram cross-referenced my mobile with my Whatsapp contact list(I haven't given Instagram access to my iPhone contacts). I suddenly got suggestions to follow my colleagues on Insta. Colleagues with whom I interact only on Whatsapp. Since then my trust level in Instagram,Facebook & Whatsapp has gone into negative.
Definitely location tracking of some sort. IP, location data from the browser (if allowed), and scraping photo metadata can all lead to them associating people.
This is a perfect example of the need for physical comparmentation. Separate devices never connected through the same internet service. As far as devices go, to think you have separated “anything” on only one device, you’re living in fantasyland.
Qubes OS disagrees with you here.
Agreed. From my POV, unless you’re really needing anonymity, I don’t include TOR as a practical solution for day to day needs.
If the app can look at your wireless, even that is not enough. It can just make a map of the SSID/BSSID around you.
Statements like this make me want to learn phone OS development just so I can have a better understanding on what information an app can get from the OS. Honest question, why would an app ever need to know the SSID of a wireless network? The app should only care if there is a valid network connection, and then use it. I can see being able to know if it is wifi vs cellular so they can have the option to limit large downloads to wifi only. However, the SSID would not be necessary information for the app.
An example would be an app for associating a device without a screen on to a wireless network. Think IoT devices or Alexa. Saves the user from having to type in the SSID which is a pain.
IP address commonality is probably a major part of this, so using separate devices only helps if they are on different carriers and you never use wifi AND you don't allow location services or practically any other permissions.

With a single device, it's fairly reliable to use a vpn or multiple vpn providers and only log in to each account when connected to a given vpn.

When I was in another country on a business trip I bought a temporary local SIM, originally valid for two weeks but I've kept it active as I travel there often.

I used that foreign number to create my Instagram account and I've gotten the benefit of only being shown suggested accounts from locals from that country (zero people I know). Same goes for ads as well. Currently I keep it on roaming and actually use it to verify other online services that may stubbornly require SMS.

Might be worth a try for those of you looking to pseudo-opt-out of phone number tracking & recommendations on social media services that do this, if you can get your hands on one.

Just as a warning to anyone who might try this, it won't work. (At least not without a massive amount of opsec effort expended on your side.)

I'll give you an example of why it might not work. Since your phone has roaming, you happen to have it with you at work, or at a party, or at the library, or anywhere really. If even a single acquaintance of yours is "nearby", the information is leaked. If acquaintances seem to always be "nearby", children, wives, husbands, siblings, your info is DEFINITELY leaked.

If anyone is going to try to use this strategy for anything which might result in the loss of your livelihood, (eg - porn), please realize there are many, many, many more precautions you will have to take than are listed in oedfmarap's comment. If you just do what you see in that comment, you could find yourself without a job somewhere down the line.

While one would think that this is only important for things you're doing that you don't want the government to know about (see [1] page 52 for details on how not to mess this up -- basically don't have them turned on together, don't turn one off and turn the other on in the same place, or log in to the same sites or store the same numbers on both phones), it's also important for Facebook and other private tracking. If you have Facebook on your burner phone and your friends have Facebook on their phones with location enabled, it's over [2].

[1] https://www.defcon.org/images/defcon-22/dc-22-presentations/...

[2] https://splinternews.com/facebook-is-using-your-phones-locat...

I've seen this, and concluded that friend suggestions must use GPS to see who I am near on a regular basis.
This is absolutely true, when I moved to London a few years ago, I rented a room in a house with 3 other housemates I had never met.

Within 1-2 days, Facebook recommended one of them as a friend - bear in mind I hadn't added any of them to Fb, so all it could have used was our location...

I believe they used Wifi BSSID tracking for that, GPS would be too battery heavy. If you're connected to the same Wifi networks it can reasonably assume you're in the same vicinity.
It's possible Facebook uses location data for this, but I've got an alternate theories.

This happens to me often too, with much briefer encounters: mainly dates and meetups. Since I've shared similar amounts of time at the same restaurant with hundreds or thousands people with whom I had no interaction, many of who's arrival and departure times would happen by chance to line up with mine, they must be using something else. I also share a duplex-house and an office building with people who've never been inexplicably recommended on Facebook.

From these observations, I've come to think that location data has to play a very small role in Facebook's recommendation system.

Here's my best (but untested) theory to explain this: Your house-mate searched for you on Facebook, which triggered Facebook to think you might be friends.

I’ve seen this happen with YouTube, specifically this video: https://youtu.be/bKgf5PaBzyg

I had watched it many many years ago, and I suddenly remembered about it while at my friends apartment, (which is in the same building). Now I searched it up on my friends computer which was logged into his gmail account. We watched it and laughed. However, an hour later, I was on my iPhone at home when it appeared in my related videos.

http://i.imgur.com/u31ZuWM.jpg

I refreshed and it was gone...

Again? Weren't they called out on this about half a year ago already? Did they continue doing this? How irresponsible and total lack of any ethical standard. Its horrible but mostly just sad that users are just a commodity to make profit. So let's trick them to sign up for 2FA to pretend they have more security and then we can send them nice little ads. What a bad company this has become.
The other really stupid thing, besides generally hurting the adoption of 2FA forever, is that they probably did it for hardly more than scraps, compared to their conventional add targeting capabilities.

Maybe I am completely wrong about this, but I'm pretty convinced that almost all of the ad spending for that feature would have reached Facebook's coffers anyways had it not been available.

At Facebook's scale even the scraps can be worth millions.

And the sad truth is that the vast majority of people will not be deterred by, be aware of, or even understand the fact that Facebook is abusing their phone number in this way, so as far as Facebook is concerned it's a small bump in the long road to increased profitability.

> At Facebook's scale even the scraps can be worth millions.

Sure, but the same is true about negative headlines, the effect is just more difficult to quantify.

Maybe it's a general world view problem within Facebook, but usually these things are the result of one overly ambitious person or group optimizing the singular bonus metric of their own little fiefdom at the cost of corporation-wide commons. Big organizations need to be extremely vigilant in their defense against internal foes who won't blink an eye costing the company billions for a gain of millions add long as the latter will be attributed to them while the former won't.

"Millions" is still scraps to a company with the scale of Facebook
> An ever increasing craving for an ever diminishing pleasure is the formula. It is more certain; and it's better style. To get the man's soul and give him nothing in return -that is what really gladdens our Father's(0) heart. - C.S. Lewis, senior demon to a junior, 'Screwtape Letters'. (0) Satan
Same can be said about personally-targeted advertising in general. Really, how more effective is it?
For exotic niche products, incredibly. On Facebook, you can advertise to golfers who don't subscribe to a golf magazine. This is new and valuable (to everybody except the publishers of golf magazines, who suddenly have to face competition in golf-specific ad-spending). But if you are selling washing detergents, even the tiniest premium for targeted over untargeted would be a waste.
I didn’t give facebook my phone, my email has timed out (and facebook knows it, it deactivated my email) and I forgot my password, more or less intentionally. So the only thing tying me to Facebook is my browser cookie. I have to say, I’m surprised I’ve been able to keep this account open for years in this state, it’s almost as if they really wanted me to stay. But it’s possible to keep a facebook account alive with no accurate contact information.
When people suggested phone 2fa was a data collection scheme they were hushed and called tinfoils.
People still do that when you point out that using a phone number as a required identifier (WhatsApp, Signal, etc.) gives every 'free' service a near perfect unique identifier that's the same for all services used by that person. Ideal for cross-service collation.

Who wants a social security number when you've got someone's phone number?

Except that a phone number is as quickly and easily disposable and changeable as an email address or any other identifier?
While I share the sentiment, I think I should be fair to HN: according to a quick search I've just performed, I brought up the topic 4 times in comments over 3 years, and those comments have scores of 7, -4, 16, and 3 [1][2][3][4]. So saying that I was "hushed and called tinfoil" would not be fair to HN.

[1] https://news.ycombinator.com/item?id=17515029

[2] https://news.ycombinator.com/item?id=14105696

[3] https://news.ycombinator.com/item?id=12782158

[4] https://news.ycombinator.com/item?id=9804876

All my personal details on Facebook are (and have always been) false. My phone number is the number of a hotel in Monte Carlo. When Facebook nagged me to give them my mobile number for 2fa I ignored them. My friends thought I was crazy. I know it's not exactly gracious of me but feeling very self righteous right about now.
Your friends also gave Facebook your actual phone number too....

Facebook app abuses your phones internal Contacts API.

Effectively, you are linked and your main Facebook account is known to be a pseudonym already

So you're stuffing it full of false data, but still connected to people who aren't stuffing it full of false data?

That seems like a lot of effort for no real payoff.

This is basically the only reason I don't "delete" my Facebook account. I have so many family members and friends that I cannot realistically prevent putting pictures and the like about me on Facebook.

At least I can see some of what Facebook has about me instead of none.

This should have been obvious for anyone who is paying attention.

When data collection and advertising companies such as Facebook (and Google) push a feature actually beneficial to users so aggressively – such as 2FA – during the sign-up process; you'd have to be naive to think it's for your benefit.

It's not 2007 any more... tech savvy users should know better than to trust such organisations with any scrap of additional personal information than absolutely necessary.

Tech savvy or not, really there's no way any current fb user would be concerned with it nowdays and they will continue to rat you out to the fb apparatus. You know how they say "ignorance is a bliss".
(comment deleted)
Sadly, I believe Facebook will truly respect their users in the face of backlash.
Lately FB says when I go on there "Add a profile pic so people know who you are". Huh? I've always one.
Ha! I'm being constantly nagged whenever I visit fb (to see if those who can't live anymore without it, didn't want something etc.) to update my details - which I removed long ago; among that, they sometimes "suggest" updating new profile pic, which I haven't change since end of 2014 - when I stopped wasting time there
The worst part about these updates is that you have two options - "Yes" and "Not Now". The "No" option doesn't exist in their dictionary.
The url should point to the Gizmodo article; not the sensationalizing tweet.

https://gizmodo.com/facebook-is-giving-advertisers-access-to...

The actual story is FB enriching your profile with shadow contact information about you when you or third parties provide it with details it wasn't aware about yet. For instance when a friend of yours has your landline number in their address book and gives FB access to the latter; or when an advertiser provides FB with the same as part of targeting an ad campaign.

Is this any surprise? Just a few hours ago the Acton article on the front page[0] talked about them doing this in WhatsApp:

> Later he learned that elsewhere in Facebook, there were “plans and technologies to blend data.” Specifically, Facebook could use the 128-bit string of numbers assigned to each phone as a kind of bridge between accounts. The other method was phone-number matching, or pinpointing Facebook accounts with phone numbers and matching them to WhatsApp accounts with the same phone number.

> Within 18 months, a new WhatsApp terms of service linked the accounts and made Acton look like a liar.

Companies like this, and Facebook in particular, are desperate to connect identities. Phone numbers are an incredibly useful way to do so. Most people only have a couple of them, their re-use rate is slow, they get entered into forms all over the place, and they're usually valid (because they were provided as a primary method of contact).

In this case advertisers have an identity (and phone number), Facebook wants to match on that value. They're going to do it any way they can.

It may not be ethical, but the carrot is right there and it's naive to think you can give them your identifying number and they're going to turn a blind eye to it.

[0] https://news.ycombinator.com/item?id=18074690

Wasn't one of the conditions to get the deal approved by EU regulators to NOT share any data between services? [0] Did they just restart it because they found reprieve or simply decided to ignore the regulation?

Edit. Also this [1]. Does GDPR suddenly open the door for sharing this data "legitimately"?

[0] https://www.ft.com/content/951d650e-abf5-11e6-9cb3-bb8207902...

[1] https://www.theguardian.com/technology/2018/mar/14/whatsapp-...

According to the article it was one of the conditions and they paid ~$100-200M (IIRC) in fines for breaching it.

Which furthers my point, that Facebook will jump on any carrot in front of it.

I remember FB doing that with WhatsApp at least 6-9 months before announcing it officially and pushing the new "terms of service."

It's a shame the EU didn't punish them more severely over that, because they were basically already using the feature without mentioning it in their ToS for almost a year, if not longer.

Oh, that's troubling. Not the fact that they are adding 2FA phone numbers to their collected data, but rather that custom audience is a thing.

I thought they were taking pains to limit the ability to directly target individuals. They limited audience size to at least 1000 people previously when doing regular targeting.

How is it that I've never heard of custom audience until now?

They limited as targetting to 1,000 people because (a) people were using it in very noticeably creepy ways, highlighting thing FB wanted less attention on and (b) it wasn't making money. Targeting 1 person is not the advertising business.

Custom audiences though, is why FB are profitable. The platform before those tools were intriduced (5-8 yes ago) made a lot less.

I am guessing part of the reason that the Instagram co-founders left is that Mark kept adding in all of these "features" to Instagram
That‘s what happens when you give a dog a bone
On android, if messenger handles SMS, FB knows how much you have in the bank and your transactions.
having any FB-developed app on your phone is a serious mistake in the first place
It's a mistake many people make just by buying a phone. I had an HTC M8 and liked it except that they made it absolutely impossible to remove FB until I flashed Lineage on to it.
How so? Do you get your transactions by SMS??
maybe not by default, but if you have transaction notifications delivered through SMS, it's possible
I guess EU users should be fine? GDPR is a masterpiece.

I actually assume that they violate GDPR, but GDPR gives users a sliver of chance to fight back.

The situation is such that this is what's expected of Facebook. It would be a shocker if Facebook didn't do this. Actually, it's quite surprising that it took so long to do this.

Bottom line, Facebook will devalue you as a human and invade your privacy in any manner possible for as long as it can withstand legal pressures and get away with paltry fines. Obviously, all these measures are to provide users with a better experience. That's Facebook's DNA.

Honestly, I hate how many 2FA systems want you to use a phone number. There are other ways that are much better.
Everybody punts security issues from identification to the next guy. Eventually the only safeguard left between you and the bad guys is a minimum wage salesman working at the t-mobile counter. It's sad to know that all of your primary email addresses, with links to online shopping accounts with credit cards, bank accounts, etc, can all be accessed by spoofing your phone number.
I honestly wish sites would use client side certs or auth via a private key.
Client side certs mean now every user has a verifiable identity. Maybe you're OK with Facebook knowing your full ID, but is it also OK to tell Grindr, Redtube and Amazon?

Security Keys are better here. The security key can prove to a site that its the same one as before. "Before what?" Well that's up to the site. In most cases it's going to register one or more keys when you sign up to the site, and then check you still have one when logging in. This is completely useless for everything except the one thing it's intended for, a Second Factor during login.

You can always generate a new key pair though. I don't necessarily mean a cert signed by a CA. More akin to use a key pair for SSH.
Wait? Did somebody ever doubt this? I always believed collecting phone numbers for their marketing needs is exactly the reason why do any of the social networks ever introduce SMS auth.