260 comments

[ 2.9 ms ] story [ 275 ms ] thread
I'm mostly for privacy laws and recognize the importance. But I am also a data scientist and I have been involved in corporate compliance to GDPR for relatively small businesses, and it is definitely a pain.

Maybe even more so for those small businesses who perhaps just want to send out a newsletter. That compliance is pretty expensive, and it contributes only very little to the individual privacy.

Again, I'm mostly in favor of privacy regulations, but gosh, it's annoying at times!

I don't see what that has to do with this. They just need to not implement the feature this way.

Don't put the 2FA number in the search index, just don't do it. By all means make it convenient to copy it there, but for the love of god do not put the 2FA number in the search index.

How is this related to an article that doesn't even mention GDPR?
Whether or not it's a pain for businesses to comply has nothing to do with the reason these types of laws are implemented. Regulation is a pain, but that doesn't mean that we shouldn't have it. Protecting personal data is the priority when it comes down to it.
I've designed an OSINT system with this specific feature in mind (it's on github since a few months). Basically being able to go from phonenumber->accounts is very powerful and works even more efficiently to identify a person than an email address or even a real name.

The abuse potential of this is far greater than some people assume.

Plus you can look up the phone provider which probably makes banning spam accounts a lot more easy.
does facebook support otp 2fa, or just sms
Facebook supports OTP 2FA. Use it.
Does it still require you to have the Facebook app installed, or can you use a 3rd party tool like Authy now?
You can use any 3rd party tools.
Any Authy or Google Authenticator -like app works. I personally use Authy.
Just delete the phone number. You can use two factor authentication with OTP, SMS part is unnecessary.
Deleting the data in your account settings isn't going to necessarily remove it from Facebook's database. Getting a vanity number that spells your first name or nickname would be a better workaround IMO, and you can set business hours and such to control your potential employer's access to you :P
I believe GDPR specifies right of erasure, and if Facebook doesn't delete the phone number you "deleted", Facebook will face much larger problems.
My comment was fairly US-centric, as we don't have GDPR. In the EU that'd be much more useful, as the cost of phone numbers in Europe and calling rates vary wildly, and can be quite exorbitant in some countries.
Facebook still operates as a business in the EU and can therefore be fined there. As a similar example, Google was fined €50 million earlier this year as a result of a GDPR violation.
Can Facebook be fined by the EU for actions outside the EU that only affect users outside the EU? Sure, but it would likely create political waves and I'd doubt it'd happen. Global enforcement of GDPR isn't realistic, as the EU doesn't have worldwide jurisdiction.
> Just delete the phone number.

I'd be surprised if Facebook ever deletes anything like this voluntarily. Most likely "deleting the number" just means hiding it and using it only of ad targeting and more subtle forms of profile matching.

They do in GDPR jurisdictions or they’re fucked.
Define fucked in this context.

They'll pay a fine, perhaps, but it's not like Mark Zuckerberg will be laying in a gutter pissing blood.

Regardless, you can't put the cat back in the bag. Bad actors will still have scrapped your number, or way too much personal identifying information, anyway.

GDPR fines can be pretty significant. Google was hit with a €50 million fine in January.
€50 million doesn’t sound like a lot for a company with $100,000 million revenue.
(comment deleted)
Assuming it is proven
The last time I tried to do this, about a year, it required a phone number to enable 2FA in the first place, and then it was possible to use OTP (with e.g. Google Authenticator). But once I got sucked into doing that, I couldn't delete the phone number to do only OTP without it also disabling 2FA.
Ugh, that sucks? I recently setup OTP-only 2FA, so apparently they fixed it.
It still gives the same warning if you remove the phone number while TOTP is enabled. But I was able to remove and then set up TOTP based 2FA without a phone number.

I should add that removing the phone number didn't actually delete the number from my profile (who could have known?). You have to go into the Mobile tab and remove the phone number again.

All this despite me reluctantly adding my phone number just for 2FA. Dark patterns throughout the website.

Facebook does not delete the personal information they've harvested about you. Delete = Hide it from you. Maybe they will in GDPR Europe, but not anywhere else.
There is an easy way to opt-out. Stop using Facebook.
Do you know how I can tell that you didn't read the article?
(comment deleted)
Deleting one's account does appear to be a mitigation
These constant articles are like watching someone stick their hand on a hot stove and complain over and over that it hurts. But try suggesting they take their hand off the burner and nope, freak outs and/or insults.

It really is an option. It really is the best option. It isn't flippant or sarcasm.

It may not be a great loss to you, but for many people, deleting Facebook would come at a great cost.

Facebook has done a sufficiently good job of intertwining itself into people's lives, so that to abandon it would mean losing touch with family and friends, missing out on invitations to events, excluding one's self from valued discussion groups and more.

What people resent is that Facebook seems to hold people to ransom like this, now they've made people so reliant on it.

So, sure, people can just leave, fine. But don't diminish the fact that for many people, quitting Facebook would have serious drawbacks.

I'm aware how dependent many people are. I imagine that's why suggesting they take responsibility for themselves triggers such emotional responses. I recall one academic study showed people would have to be paid ~$1000 before they'd consider stopping for just a year. But that only makes it all the more important.

If people don't like the way things are then they have to be the change. Facebook is not going to change as it's business model is based on selling it's users. In the absense of taking responsibility for themselves or Facebook chosing to change many default to arguements for government regulation. Bringing in the use of force like this creates problems significantly worse than the privacy issues of the original voluntary Facebook use.

I mean, yep, that's all valid and I'm with you on personal responsibility.

But you just don't stimulate constructive discussions by asserting that the only rational path is the quitting, whilst not factoring in the costs.

This is not a simple case of "watching someone stick their hand on a hot stove and complain over and over that it hurts", because the alternative action you advocate just causes pain of a different kind.

Most of what you're saying is valid, except for the fact that it's simple and obvious to fix.

If it were that simple, we wouldn't need to have this discussion at all.

Sadly I'm getting prompted to enter my phone number to login - can't login to delete the account now.
(comment deleted)
(comment deleted)
This will make keeping your social media private during recruiting much much harder because rather than trying to search for your name on FB or your email, an interviewer can just search your listed contact number. Names are often not unique but phone numbers are.

This matters because creating a new email account for recruiting is trivial, yet creating a new phone number for recruiting is not. Most phones are not dual sim, and you want to have a phone on you in case the recruiter or future employer calls. Hence the account id rate using a phone number should be much higher and makes it dramatically easier to find somebody.

The nasty part is even if you rename your account to your "first-name middle-name" or an alias, you could be found out via phone number search. So simply renaming your account no longer ensures random recruiters can't just find your profile. Your FB name could be "giant blue monkey" which prevents a regular name search but would still be identifiable via phone number search.

I think VOIP has great untapped potential for this, having helped many people get vanity numbers with their name embedded. Once the job hunt is over, you can literally reject all calls, and build a caller ID blacklist of spammy companies and recruiters. Plus, numbers are 1/4th to 1/10th the cost of domains these days.
It works the other way too.

I keep blocking spammy numbers, and they keep creating new ones.

Are they? I pay $1/mo for phone numbers, which is quite close to what I pay for most of my domains.
phone numbers cost close to nothing to operators, but running a voip infrastructure hast its costs, and a lot of those costs come from protecting it from hacking attempts. They love open pbx boxes where they can generate a significant cost, or use to spam others.

also compassion with domain is not exactly fair in this case, it would make more sense to compare it to ip address.

Fail2ban, not using IP based auth, and mandatory TLS/SRTP will generally cover your bases (ofc, Fail2ban should be banning any IPs attempting TCP/UDP registration or calling without SRTP).

Not really rocket science, but the VOIP industry is stuck in the 1990s when it comes to security practices related to their core offering. Its a terrible state of affairs!

Could you share some places you use to buy numbers like that? Do you just set them up to forward, or do you have more control than that? I've always been interested in this, but apart from Google Voice, I haven't found a good way to get started.
Twilio is the easiest by far, IMO.
Twilio is also one of the most expensive providers, and if you don't need E911 you can easily get numbers for less than half that price.
That's great to know, could you point me towards any other companies?
So get off public social networks. Problem solved.
This is such an unhelpful answer that it almost always worthless. The utility of social networks for contact is unmatched. One profile, ideally locked down how you see fit, that follows you for as long as you allow it to follow you. The response to this is usually that there nothing wrong with phone numbers or email addresses. Except there are.

Phone numbers change. This is less frequent now that we have mobile numbers, but they still change. Email addresses can also change as people move through different phases of life. Hell, email seems to be becoming unreliable as calling since unsubscribing from mailing lists you never joined doesn't seem to work any more.

I get it. Facebook is evil.

I realize that you’re getting slammed for a pat, trite, or unhelpful answer to a complex problem, but it also happens to be the only answer. It’s an answer with real consequences, but when weighed against giving your privacy over to FB what else is to be done right now?

Public social networks are poison, they’re inimical to privacy, and we need to get off of any that harvest personal information. Telling people to “quit FB (and other similar services)” may come off wrong, but for a long time so did “quit smoking.” I get it, I’d love to have cigarettes that are healthy and delicious, but until then... quit smoking. Maybe someday public social media will be safe and sane, but until then... quit.

One major difficulty with leaving Facebook in particular over privacy concerns is that it doesn't really stop the social network from violating your privacy, or letting others do it (often without bad intentions on their part). Aside from its now famous shadow profiles, you've got your friends and family or work/business associates posting things with you in them, photos, videos etc and even naming you (don't think they can tag you though if your profile is shut down). And if you've erased your profile you can't even have the minimal safety of monitoring what gets posted by who, so you can ask them to maybe take it down if it's harmful. We get sucked into FB's network effect in all sorts of ways nowadays if we live any kind of normal social life in a connected society.
Agreed although I was curious about one of your points, specifically can FB users tag a person who is not on FB? If so this is really troubling. Also do you know if FB uses shadow profiles to suggest tag name in pictures the same as it does for regular users?
I don't think tagging works for people not on FB, though if anyone else here has seen different, i'd love to hear their two cents. As for tagging of people who were on FB but deactivated their profiles. I've seen tags work before and that;s bad enough because even if you try to leave the social network, people can post images or videos of you and associate your name with them regardless. What shadow profiles have to do with these things I don't honestly know, the social network would keep something like that pretty secret I think.
> but it also happens to be the only answer.

"Only" oversells the option. There's also:

* mix fake/mining-hostile data in with real data as needed for social media profiles * use public institutions to enact consumer protection policies

Both of these have their own difficulties and limits, of course, but so does ditching social media entirely.

I don't understand why people signed up for Facebook in the first place. The Zuckerberg email and dumbasses quote has been around for a long time.
I don't know anyone around me who still uses facebook. Heard the story of a relative who organised a birthday on facebook and wondered why no one showed up.

I don't think it's an unhelpful answer to a complex problem. I think it's the right answer.

> yet creating a new phone number for recruiting is not

Doesn't Google Voice solve this problem? Or perhaps there are restrictions I don't know about. Of course, you still have to remember to create a burner phone number before giving out your contact info...

> Doesn't Google Voice solve this problem? Or perhaps there are restrictions I don't know about.

Only sort of. I wouldn't be surprised if Facebook rejects Google Voices numbers and will only accept a real-live carrier numbers. It seems pretty easy to do, given how often my GV is rejected by sleezy services I'd like to give a throwaway (e.g. peoplesearch opt-outs).

However, I'm not going to personally test this theory by attempting to give a panopticon like Facebook even my semi-throwaway GV number.

Even if FB was not allowing Google Voice, you could give FB the real number and give throwaway GB numbers to recruiters.

That would solve the issue voiced by OP

I imagine most people would have no idea their profiles could be searched via phone number. I didn't know until today.

If it never occurred to you that this could happen, you would not take steps to prevent it.

Let me surprise you then so you can stop making false speculations - you can use a GV number for Facebook 2FA.
Let me surprise you since you seem to not know and so your idiocy can be corrected - GV only works in the USA.
Because of all the issues with (1) terrorists, (2) foreign state influencers, (3) spammers, Facebook tries to block Google Voice as much as possible
At least in canada with the national do not call list, I’ve found I receive very few robo calls. For those I do if I wait to talk to a real person and then press as too who is calling me so I can file a report they hang up quick and I don’t hear back.
We don't have Google Voice in Australia.
There are also a non negligible number of people using an alias on facebook because they have good reason.

Apparently when a woman uses a pseudonym on facebook, it is not unlikely that it is because of a nasty/stalkerish ex that she would rather get away from.

I am actually in favor of a transparent society (a la david brin) , but we have to grown up a lot and handle such cases before the advantages that come with it can even be contemplated.

We had a million years to grow up, I don't think we'll ever get there (without drastic measures a la 1984, if you wish)
We haven’t started doing any serious genetic engineering (or maybe, depending on timeline, the equivalent for minds uploaded into computers) yet. Once we do, we could do a lot of “growing up” very quickly.
It isn't physical "growing up" that we, as a species, need to do. This is the way the whole society act. If you look at politics and corporate world, it feels like a bunch of pre schooler throwing tantrum. As a society we are not acting responsibly. You could argue that the worse are countries that still argue to go to war with their neighbors on the pretends the later are different, but the rest allowing to destroy the planet while keeping the rest of the society under control, preventing us, as a species, to achieve goals that are dreamed by the most creative of us. And it is depressingly easy to keep the status quo.

The "Growing up" reminded me of this song: https://www.youtube.com/watch?v=5ja-mHeYAKM

The point I wanted to make here is mostly this: https://slatestarcodex.com/2014/09/10/society-is-fixed-biolo...

IMHO, it doesn’t make sense to blame “society” for being pre schoolers, any more than it makes sense to blame individual humans for becoming mentally ill. Both are just failure modes of our mental hardware (our tribal-status instincts in the societal case.) The only solution to either that would “stick”—what I would interpret “growing up” to mean—is to remake ourselves without those failure modes.

Anything less might help individual humans who get some sort of maintenance treatment for their failure modes; but our society as a whole will still be a function of interactions between both people who have treated those failure modes in themselves, and those who have not yet (because e.g. they aren’t aware yet that they have a problem; or don’t see it as a problem; etc.)

Thank you for the link. I agree with what the author is saying, mostly. :)

Mind that when I mentioned society as a whole, this is inclusive to its individual parts: There is no society without individuals and as such any judgment on a society is a judgement on its parts. That being said, I know it is a naive view, as no one can condemn a society completely.

As for the bio engineering to try and weed out the "bad wiring", I am not even sure we are close to identify them clearly, as seems to indicate the science articles about the brain and other nervous system in recent years.

> in favor of a transparent society

I suggest you read The Transparent Society by Byung-Chul Han. It’s a brutal 50-page indictment of the hypercult of transparency and its effects on the human soul, on the political discourse, and on traditional values like truth and beauty. Might change your view on the costs of transparency.

The Hypercult of Transparency[nice choice of words!] exists because people keep falling for the Transparency=Accountability meme. And until the rather recent advent of homeomorphic encryption, that meme did have some rather humongous amounts of truth to it. However, given the existence of homeomorphic encryption, this no longer rings true.

Speaking of homeomorphic encryption and Facebook:

https://news.ycombinator.com/item?id=19288633

Whats the connection between discussions about "the cult of transparency" and homeomorphic encryption?
Presumably that accountability could be achieved despite secrecy, through code. Also see Zero-knowledge proofs
The three body problem book part 2 also explores a fully transparent society; It's really interesting with all the sides effects (They can't lie, etc.). I recommend anyone to read it !
I read the first and while the ideas explored were interesting, I found the writing itself to be completely off-putting:

- first of all, Three Body seems like the most boring videogame ever developed, not sure how people could actually be believably playing that.

- the characters are pretty much caricatures of stereotypes (the cop), or just plain uninteresting.

- the massive exposure/infodump chapters killed the immersion from me, especially the ones written from the point of view of the other side of the conflict: it really felt like the author was getting towards the end and wanted to Explain All The Things, but couldn't find a subtle way to do so within the narrative, therefore decided to just vomit it all in a single spurt.

I was really looking forward to it but found it disappointing, won't read any more from this author.

Agreed, it's some of the worst prose I've ever read. Since I don't read Mandarin, I can't know how much of it can be blamed on the author and how much on the translator. There are some really interesting ideas in the novel but also some patently absurd ones, not to mention the terrible dialogue and characters.
I felt the same. I wonder if some of these issues stem from the fact that the book was originally written in Chinese (iirc)... maybe some of the infodump sections seem more natural in the original tongue?
Isn't the premise of that book that privacy is a deep human need, and that its erosion goes against our intent?

I would argue that the next generation coming up will have little to no _need_ for privacy. When you grow up with nanny cams in your bedroom, privacy per se isn't even valued, let alone met with an expectation.

Nanny cams won’t change the fundamental nature of human beings. If privacy was a deep human need a generation ago, it will continue to be for foreseeable generations. Technology has created an illusion of progress and transcendance of our own nature but in truth we’re still merely advanced primates.
While I appreciate the premise and good intent, the transparent society sounds like an idealized Girardian nightmare to me.
see also: Any employee in the education sector would have good reason.
I wonder how long it takes until the whole teaching profession just collectively decides to adopt professional pseudonyms. Would make "child at same school"-situations even more awkward I guess.
The issue would be safeguarding.
There's no problem what name the school has you on the books for. There's no reason what they have on file/police checks is the same name presented on office doors, emails and to parents.

We do this all the time for students that can't/won't use their legal names in school for a number of reasons.

I guess it is just a matter of getting the right systems in place to manage the administrative overhead.

There are quite a few lines of work where this might not be a bad idea. E.g. also Police and government employees in general.

My mother was my french teacher at school three times. At home she was "mom" and in class she was "madame". It was not complicated.

That being said I did once call my male first grade teacher "mom" so maybe I'm not a good example

> Apparently when a woman uses a pseudonym on facebook, it is not unlikely that it is because of a nasty/stalkerish ex that she would rather get away from.

Also men do this...

>Also men do this...

True story. A stalker found my blog via my Instagram account and commented some far-out there shit on it, inferring a conversation that we never even had, "Told you that you weren't dead." WTF!?

Now, it's pseudonyms, pseudonyms everywhere; except, of course, where it serves a necessity to have your actual name being used, such as on LinkedIn, but even those will be discarded, as soon as it's no longer necessary. (Necessity, here, meaning seeking gainful employment.)

You can set it to be searchable by friends only, which should avoid recruiters being able to do this, unless they are adding themselves as friends first.
If you set it to searchable by friends only, wouldn't you still show up in the suggestions? Especially if your number is added in someone's cell phone?

By the way: I haven't actually used facebook since 2012...

I’m not entirely sure how suggestions work in this context, I would presume that you’d only show up in suggestions to the circle within which you had allowed your number to be searchable, and so ‘friends only’ should prevent being added by phone number.
I totally get people want a "only me" option here, but really how bad is "friends-only" here? If I'm "friends" with you, you probably already know my phone number in real life.
I'm not really actively using Facebook anymore, but when I did, the threshold for becoming a "Facebook friend" was a lot lower than that for regular friends, or people I shared my phone number with.
Because a "facebook friend" isn't an actual friend, and having these "friends" have my phone number is like everyone in a bar being able to look up my number. Or perhaps like going to a work conference and everyone being able to call me.

The random "How are you are you single wanna talk about sex with me?!!???" messages are bad enough. I certainly don't want those as phone calls.

Those on the list that are actual Friends might have my phone number. Might not, though, since there is no point (I moved countries). In any case, they know not to freaking call me unless it is important or you have reason or you want me to answer my door.

> Because a "facebook friend" isn't an actual friend

That's only true for you if you choose it to be true for you.

On the surface that is true, but most folks understand it doesn't really work that way and facebook isn't really used that way. At a minimum, facebook is generally full of actual friends (for me, maybe 5 folks now), family (my family is large) and folks you generally have met from school and work and other folks you might know in a professional manner or through groups and activities.

Not all of these groups would have my phone number, but facebook isn't exactly a telephone service at its core.

Letting your friends have your number is a separate setting you can turn off (at least for now). This is about friends who have your number being able tell that it is your number, I think.
Can't you limit your FB friends to actual friends?
Sure, at a cost. Actual friends and immediate family? I'm covered in 20 people or less. Most wouldn't call, though, since I moved across an ocean.

I could include folks I've been to school with, folks I met in language class, a few folks I've worked with, and so on. I don't want all of these folks to call me, though, and I*d rather some didn't have my number. I also don't fully dislike these folks.

More seriously, though, it would keep my social circle smaller. I met my spouse online around 10 years ago, and this sort of caution you ask about would mean I wouldn't have my life.

Becaused for most people "friends" on facebook range from tru life-long friends down to mearly contacts, people you need to interact with in some way butdon't neccessarily want bothering you by phone.
My GF uses a google voice number (and separate gmail accounts) for job search purposes both for this reason and because she can nuke the phone number later, cutting off headhunters once she'd found something she likes.
Sounds useful. It's unfortunate that google voice still isn't available outside North America. I don't know if that is for technical reasons or for (European/Asian) political reasons. But it sure would have been nice to keep separate numbers the same way it's sometimes necessary to keep separate google accounts.
Not advertising.. but Skype can also generate phone numbers for you, and you can equally drop them. I remember I used a Skype landline number for that specifi purpose - throaway number for when I was looking for a new job. And I discareded it immediately after.
>But it sure would have been nice to keep separate numbers the same way it's sometimes necessary to keep separate google accounts.

In Sweden, you can request a pre-paid SIM be sent to you in the mail[0].

To be fair, it's not entirely a "burner" SIM, as it's associated with your personnummer but it's a lot more convenient than queuing in a shop (if that's not your thing).

Maybe your country has a carrier that does the equivalent? :)

[0] - https://webbutik.comviq.se/kontantkort/checkout/comviqcart/p...

(comment deleted)
In the US, I can walk into a store and pay cash for a $30 flip phone without any ID, and unlimited talk and text. 15 years ago it was $150 and 200 minutes talk, 20 texts.
It's only available in US, not even Canada.
Google Voice is US-only.

"Google Voice is only available in the United States. To use Google Voice, sign up with a US-based phone number."

There are plenty of other providers. Here in the UK there's LocalPhone.com for instance. They're even able to get you a number in a country of your choice, forwarding to a phone in a country of your choice.
Phones are not unique but a lot of them are reused when a subscriber changes provider

(They could have always searched you by name, if you're worried about your identity then it makes sense to not connect your phone number to FB)

>but a lot of them are reused when a subscriber changes provider

OT, but I had a not-so-nice experience with that. Some years ago I got myself a data-only phone number/SIM card for my 3G dongle.

It turned out that the number was reused, and the previous owner of that number had subscribed to a pay-for message service for upcoming events (concerts, movies, etc). And they kept arriving to my data-only dongle, and I didn't notice for a while. Had to pay for it, though.

I don't remember how I eventually managed to turn that off (the software for accessing/manipulating that part of the dongle was Windows only).

That's why you never give them your primary number. Have a burner phone. Or lease a SIM in the Philippines.
If you apply to work at Facebook do they look at non-public content in your Facebook account? Let's assume you're not even keeping your Facebook profile a secret.
No. This would be a violation of our data privacy policies and would result in immediate termination of all employees involved.
Given the complete lack of respect that Facebook has for individual privacy and the wellbeing of our society in general why should anyone believe this?
If you think that of FB, why would you be applying to work there?
Not that I support the idea, but big bucks ?
(comment deleted)
It would violate terms of service you agreed to.
Um, please explain how Facebook using data you gave it for Facebook's purposes violates Facebook's terms of service.
(comment deleted)
I figured that was the answer for the hiring manager and all regular employees in the hiring chain, and wasn't implying that anyone might go digging in violation of the rules. (At least not since the early days where stories like that abound.) Wondering more about the HR department doing it under direct authorization of senior management. I assume that Facebook like most companies runs background checks on prospective employees. They must at least be tempted to include their own vast database as part of that background check. I could imagine an automated "security check" process that could be run on a profile without actually seeing that profile, and if it turned up red flags (keywords, high number of reported posts, etc.) HR goes digging further. Maybe not, but certainly wouldn't surprise me.
Sorry, but i cannot see any good reason to trust the word of anyone from Facebook. This company has shown that it is routinely deceptive and lying. Why woud this be an exception ?
Why would you ever use your real number vs. a throwaway google voice number designated for spam?
Because you don't know about or use Google Voice, or you live in a country it doesn't serve?
(comment deleted)
> creating a new phone number for recruiting is not

Actually it's really straightforward with Twilio and you can set it to forward to a regular number. Works in most countries/regions.

I used it to give my wife a US number for clients (she's a freelancer).

At this point I have no pity for people who continuously feel violated by Facebook.

Data hygiene is both the responsibility of users & social media cooperations.

I still wonder why people rely on the kindness of strangers (the people that run the social networks) trying to make money off them. & then start crying foul when they are treated like garbage.

Simply don't; - Submit data you find sensitive. - Use bonus credentials where feasible - Deny app access to your mic, location, contacts, camera & calendar - Delete your account if you have substitutes for the features Facebook offers

...and if a single person (or company) with your number in their phone allows Facebook to access their contacts, FB has your phone number anyway.
You use your real phone number on FB? MY no on there is a fake (but real number in my area code).

And I don't put my Mobile number on FB at all.

Might it be possible to compromise your account by getting control of that phone number?
Lol the 66666 number isn't normally handed out in the uk I used xxxx 66666.
Absolutely. Using a number you do not control and which is in the possession of someone else is one of the stupidest things you can do in a situation like this.
Second phone numbers aren’t that hard or expensive. you don’t need a second sim, just an app. There is a yc startup providing them: openphone
They are rarely usable on web sites for 2fa as they disallow voip numbers. In fact, many websites don’t allow google voice numbers for the same reason.
Is it easy to distinguish voip numbers ?
Yes, using Twilio’s lookup service it’s trivial.
(comment deleted)
I honestly do not get what problem are you trying to solve here. If you have content which you think should be hidden from someone, just do not make it public.
> Names are often not unique but phone numbers are.

Right out of "Myths programmers believe about phone numbers" which was on the HN front page a week back. Has everyone forgotten about landlines? Even cell numbers are not permanently assigned to a single person: especially in jurisdictions where pay-as-you-go accounts are the majority.

I haven’t heard: if you replace your phone number will they maintain the association with your historical one? It’d be trivial to get a Google Voice number or burner to replace yours.
"This matters because creating a new email account for recruiting is trivial, yet creating a new phone number for recruiting is not."

I create (and destroy) new phone numbers all the time. Via the command line. I can route and forward and block them any way I like, to and from my existing phone (which is single SIM) or to ... nowhere.[1]

https://twilio.com

[1] I have a "ring forever" TwiML bin that I like to use.

This seems just as bad as the bug they had before, where if you entered your email but not password correctly it would show up your real name.

The potential for abuse by spammers is too high. They not only would know who they're calling, but also all the public info on their Facebook profile and whatever else they can stitch it with.

Glad I never gave them my number.
Don't worry someone in your circle of friends already handed it over.
Exactly. It takes just one person who knows your phone number to upload their entire contact list and it's saved. The likelihood that Facebook doesn't have your phone number and name is 0% unless you don't have a phone number.
Can’t understand the downvote as im thinking the same Anyone care to explain if it’s wrong how and/or why ?
It's worse than that. If you gave them your phone number, you can ask to see it and have them to erase it. If one of your contacts gave them your number, it's _their_ data, you cannot get Facebook to confirm they have it and you can't ask them to remove it ...
'ye old 'sync your address-book' trick.
You can't be sure that Facebook doesn't have your number unless you have never given your phone number to anyone who uses Facebook and has your name and phone number. They could be friends, co-workers, relatives, delivery people, cab drivers and many other service providers. One of them shares their address book with Facebook and it knows. A few of them share their address books with Facebook and it's reasonably sure what your number is (names can be fuzzy matched to your profile).
This is why I hate that people carelessly let any third party app have access to their contact list.

I can keep my data out of Facebook,but "friends and family" usually aren't careful and get tricked into opening up all that info.

A couple of years ago the only social media I had was Instagram. One day I went to login and it prompted me to enter my phone number and there was no way around it. I decided to delete the app instead. Shortly afterwards my account disappeared. That was the end of that.
A slightly off-topic question - how the hell do you contact Facebook if you don't have a Facebook account?

Someone has registered a Facebook account using my email address (apparently they do no verification at all) and I can't stop the spam ....

Request an new password, and then change the password on the Facebook account. I've done that myself.
well - I did that .... and changed the email address to a dummy account .... and still they send me almost weekly spam to the old address - "Why aren't you using FaceBook? here's a single link you can use to log on without a password" ... these bozos have no concept of security
Or rather I should say "these bozos have no concept of their customer's security" .... but I guess we all knew that already
But at least they can solve graphing problems!
Sounds like what has been happening to me. Except when I try to login to nuke the thing I get some error message about a database error and can't login. So the Facebook spam about new friend suggestions etc keeps coming. But since I have always marked it as spam it usually goes straight to the spam box.
If they won't stop spamming you, you can sue them under the CAN-SPAM act.
I refused the 2FA nag on Facebook because I didn’t want them to have my phone number

Then after a while the nag started popping up with my phone number already filled out.

Really fucking creepy and not okay.

Same here. I put my phone number in my Facebook profile when I first made it years ago and have since "removed" it. However, I'm pretty sure removing it does literally nothing because it will still pre-fill my phone number in that case and I'd bet money that advertisers targeting by phone number. Still, they're constantly nagging me to re-add it.
For what it's worth, I just deleted my phone number and added Google Authenticator, and it seemed to work fine.
Just to be clear. My phone number is not tied to my account, Facebook got my phone number elsewhere and suggested that I tie it to my account
Facebook got it from your own friends or associates. Such information gathering forms the "shadow profile" on Facebook.
Add an authenticator app and delete the phone number.
Might be your browser doing that.
It was in the iOS Facebook app
Well... your phone knows your number, so they might not have gotten it from somewhere else.
With the permissions in iOS they’re not supposed to have access to my phone number, but I do remember something about them having access to a “special api”, so I figure that’s exactly what happened
Could the "special api" be the built-in iOS Facebook sign-in?
Ok, so Facebook has yet another appalling practice that's been known for quite sometime (see the Telegraph article linked in this one). The percentage of users boycotting the company and its products don't seem to materially matter. Facebook is making more money now than before. Facebook will not behave well on its own. Regulation and really hefty fines running into a low double digit percentage of revenue (not profits) are the answers!
(comment deleted)
hahaha thank you, the thought of republicans or democrats effectively regulating a predatory corporation for malicious business practices made me laugh out loud :D
I mean, Democrats have tried it in the past.
Isn’t it the same for Twitter? I tried recently to create a second account, it’s now impossible to do so without specifying a phone number during signup. And the mobile application was trying to access my contact list, which seems to be used to suggest people to follow by looking for their phone number (see https://help.twitter.com/en/using-twitter/upload-your-contac...).
I think there's a "Sign up with email" link on Twitter.

Though of course, every time I created a new account there it was quickly blocked, only allowing me to unblock it by providing a phone number. That might have to do with a number of privacy-enhancing browser extensions I've got installed.

That said, thanks to GDPR, I'm relatively confident that they've actually deleted my phone number when I asked them to after verification.

Where do you find this “signup with email”? I don’t see it, but I may be looking at the incorrect place
How do we coordinate outrage at facebook for this and many terrible things they've done?
Why coordinate outrage? So they will "learn" and do better in the future, HAHAHA.

Seriously, just delete your account, no one needs Facebook even those that make up ridiculous excuses for why the can't leave Facebook.

I don't trust them enough to just delete the account and leave it. I go on once every six months to delete everything I can reach with my name attached to it, that is older than six months, and leave a single "I'm still alive, but don't try contacting me via Facebook, as it will have up to six months latency" post.

For a while, it was extra-creepy whenever I did a semiannual log in, because pop-ups would appear, and in a very distinctive "Audrey II" voice, scream "FEED ME [your data], SEYMOUR!" But the last time I tried it, I didn't see that. Can't tell whether they gave up, or already got the data from other people and just don't need me any more.

Delete your history, starting from the oldest thing you can see. Un-like everything you liked. Un-tag everything you are tagged in. Remove your photos. Replace profile pic with a public domain image. When you finally get to zero, log out and delete all cookies and block all bugs and trackers. Then start increasing the time between log-ins. When you get the nag e-mails to come back, go on just long enough to turn off nag e-mails. Wean yourself off until you don't care about being on Facebook any more.

Then you can use Facebook on infrequent occasions, to tell all your still-trapped friends about all the other ways to contact you that have lower latency, better signal-to-noise ratio, and more privacy. If you just delete, that leaves a you-shaped hole in Facebook that the company could fill with a placeholder. Your character might become an NPC that the game-master could control to manipulate the other players.

This is surely a breach of GDRP. One of the principles is that data must only be used for the purpose for which it was collected. Taking a number provided explicitly for 2FA and using it for search certainly sounds like a breach.
I hope this will end up with a hefty penalty. At this point, I believe a strict regulation is the only way to tame the Facebook beast - the more so because I heavily really on FB to be in touch with my family and friends.
It might not given that the impetus of this change is to combat fake news and bot accounts from nation-states. ...so it might not be high on the target list for the EU since they are actively uncovering more influence operations.

You have to realize that privacy is not a priority for most governments, so unless it's explicitly against the rules, I suspect they won't do much.

What does GDPR say about using data about other people provided by a user (eg a Facebook user who shares their contact info — thus providing Facebook info on all their contacts). What is the “intended purpose” of sharing all your contact’s details ...?
> What is the “intended purpose” of sharing all your contact’s details ...?

That's Facebook job to make it clear when it happens.

I don't know the actual text of law, but I guess even if you are friends with someone, you doesn't have any right over any of it personnal data, thus they wouldn't be able to use it except if you previously accepted that usage (being matched with someone you know using that phone number).

They might get around this by not doing it with numbers provided after the GDPR penalties came into effect.
(comment deleted)
No, that doesn't get them out of it.
Facebook is above regulations, just like the POTUS.

Source: Number articles over many years of laws being broken, Facebook.com still works and the POTUS is still the POTUS.

If you are a Facebook employee, or are close to one, please help me understand. How does it feel to see reports like this being released almost weekly? I realize people are very good at dealing with moral dissonance when their paycheck depends on it, but surely you must be thinking, talking to your colleagues, about what your personal responsibility in this is?
They don't care. A job at Facebook is still considered prestigious by a large part of the tech community. They're starting to be grouped more with Palantir than Google, though.
(comment deleted)
> They're starting to be grouped more with Palantir than Google, though.

That's confusing. Is Palantir regarded as better or worse than Google?

I think most people consider google more prestigious. While they'll try to convince you otherwise, it's mostly because google pays better.
Palantir is known to do lots of government contracting for US defense/anti-terrorism intelligence, so working there is viewed much like working for Lockheed Martin/Boeing/etc. where it is known the work you are doing could very well be involved in wars/military agendas.

Your role in your job there could cross the line of what some people would as ethical to some people, and Facebook's malicious behavior is making employees who work there to be viewed in a similar light.

Overall, the vast majority of similar reports are completely irrelevant, partial or non-sensical. Happy to give details but the most common pattern is the same person demanding that Facebook regulate speech in one sentence and being outraged that Facebook feels allowed to regulate speech before that sentence is over. Most journalists who write about Facebook are deemed as “having no idea what they are talking about”. A lot of them are granted some internal access by people who think that it would improve the coverage but rapidly discover that their ignorance isn’t because they lack of access but it is a decision.

This case is a small but clear oversight, one team (Security) set-up a necessary 2FA option; another (Growth) re-using information attached to a profile without context. Both teams have clear objectives but should have clearer lines when edge-cases like these appear. Two remarks on that: 1. clarity in large organisation and 2. prioritisation.

1. Overall, Facebook teams need clearer demarkation but every company in the world has far, far worst practice so as soon as you try to interview, you reek in horror at practices anywhere else — and that’s what they are willing to tell you before you join.

The internal discussion is probably split between many debates; I’ve never been very good at expecting issues around security, but probably a dozen philosophical questions like:

- phone numbers and SMS are not safe from MITM attack, the company should not accept them at all; vs. other options like a device are too selective, demanding, etc. so if people are happy and their threat model doesn’t include MITM SMSs, the company should offer that as an option;

- this is the only piece of information that is “User only” and that visibility option was removed because it used to lead to abuses; vs. we can monitor abusive use of a visibility feature even if that’s extra work, more technical plumbing that could lead to more internal abuse;

- there are no identified threat actually unblocked if there were, our bug bounty would have caught them; vs. we do not have to limit Security to known threats, but “feels” for bad practices should be trusted as a sign there is a threat in there that the company should respect even if we can’t isolate why.

Knowing what to do as an individual contributor when you have gods fighting over your head can be daunting; you want to have a clearer picture that, say “Only me” will be a visibility option for longer and not replaced by “Hide that from anyone, even having access to the account to prevent an access even from escalating into a worse security threat” or that when it’s replaced, this piece of information won’t be missed or excluded.

Anyone who has build large data schemas would be familiar with how tricky changes like that can be when done without coordination. Anyone who follows visibility of information from Facebook has noticed a lack of clear purpose: more nuanced options appear and disappear because there’s a tension between simplification and curating interests.

2. Overall, working for Facebook feels like you are dealing with a fire, an earthquake, a zombie invasion, a revolution and a flood at the same time — and the public only seems to care about electricity shortages. And when you look into internal numbers about who cares about any of the above, the flood seems like a big deal, no one cares about electricity but someone you know that the fire and the zombie invasion are far worst. Facebook is the only place where managers are very clear that the fire will destroy your water pump much faster than the water goes up, and zombies are actually quite slow — and you can not prevent earthquakes, only deal with the aftermaths, so they want you to deal with them in a specific order: #1 Extinguish Fire, #2 Automate the water pumping for the Flood, into the fire-prevention stock, #3 Delegate the dyke-building, #4 Once you have a plan for that, expand dykes to protect from zombies, #5 Schedule a town-hall for after the p...

This post might as well have been written by a third party to discredit facebook.

To summarize:

1) "As long as there's someone worse we don't have to worry"

2) "working for Facebook feels like you are dealing with making profit, pleasing management, pleasing partners, progressing your career and going home early at the same time — and the public only seems to care about privacy violations."

Not sure I wrote about any of those points and confused why you would think raising a strawman is a good argument.

I’m also not saying that large or influential companies should not be held to higher standards; they absolutely should, and they are where I come from. I’m simply saying that, if you consider problems where Facebook made a bad decision (a minority of the scandals) those issues trickle down to two systemic problems: clear, non-contradictory internal guidelines and prioritisation. Facebook employees are trained to recognise both. When they consider other options, they would often see companies where both are significantly worse. Other companies have simply not been through a decade of excruciating oversight by the international press. Those who have are not managed by someone who is nearly as willing to admit his fault as Mark.

I doesn’t mean that those companies are not better options for ex-Facebooker: they often are; or that they would not make the world a better place by joining those, and advocating for higher standards: they often would. Those companies typically should be held to a lesser standard because they have less of an overall impact. But, as an employee, if you want to prevent problems like those that you regret being a witness to at Facebook, leaving is hard because you can easily see the rest of the world as worst more often than not. If you come with your expectation, gained from working at Facebook, that any minor issue will be twisted into a scandal, most other companies feel very wrong.

You can see that by looking at how many people are above ex-Facebookers at the companies that they join: it’s unusually few. That’s because they rarely trust too many layers to make the right call.

To say that "the most common pattern" in the "vast majority of similar reports" is one of making starkly contradictory complaints, appears utterly self-serving - a convenient distortion designed to make it look as if there are no valid issues.
I’m simply trying to represent as accurately as I can the position as it is seen by and talked about by internal stakeholders.

Happy to give more examples, or to argue that the most visible and debated issues are not the most relevant. Even happy to say that this is a problem, but I don’t see it as an internal problem.

this is the only piece of information that is “User only” and that visibility option was removed because it used to lead to abuses

This seems critically relevant to the issue at hand - can you explain it in a little more detail please?

I’m speculating in that part of my argument, imagining counter-arguments. Sorry if that isn’t clear.

When I was working there, I’ve worked on custom visibility option (things like lists of friends, a feature that hardly anyone used; home city, languages had been occasional “Smart lists”). Those options were unsupported or become discontinued in some cases. There was a significant mental load to have more visibility options than ‘Friends‘ and ‘Public’, and very few reasons (as in: active users) to support more. One option that I felt really corresponded to a lot of people’s need was “Friends except Acquaintances”: ‘Acquaintances’ had become a really good shorthand for “drama-prone” relations. Yes, you are friends with them, they can see some activity from you, just not everything. They have no reason to think you’ve excluded them. It was discontinued and I never figured out why.

I can imagine the “Only me” option being changed because of someone, either working on an easier audience selector or trying to make bad-behaviour-detection faster, might overlook the need to have some information on the site not shared with your friends. The impact of visibility option on every aspect of the site is nightmarishly complicated, and genuinely hard to keep in mind to think about clearly. I’ve dedicated a decade to that, and I struggled. People who are officially very smart (Math Olympiad laureates, Mensa-type: not that those are proof of social smart, but they should understand formal reasoning really well) struggled. If you include blockages, it gets really hairy. If you include bad actor and impersonation, you will lose your sanity. The alternative that I suggested (that information is probably what hackers would look for, so hide it even from an authenticated user) is probably more likely, given the overall privacy-conscious of the company. In that case, that information changes status even more.

I’m not saying that kind of blatant or casual disregard for nuanced privacy control is not bad. God knows I raised hell before I joined the company and after about list support, and more. I even convinced a friend to join because he made a great tool to manage your list of friends. He joined the company before me, helped me a lot internally — but never even mentioned his tool to anyone internally because there was no appetite for it, inside or outside the company. Just to tell you how much: do you remember the fiasco that was Google Plus Circles? Well, after _that_ blew up, I had low expectations. This was lower.

The company moved to Groups, non-friends contextual entities, and that was I think a lot better in many ways.

Regarding the media issues, it seems that Facebook is also being used as a convenient scapegoat: https://jakeseliger.com/2018/11/14/is-there-an-actual-facebo..., often by reporters who don't even understand the issues they're nominally covering, or who seem to have made up their minds about the system before starting to write.
That is a very common way that Facebook employees see the company. This is explicitly what I was told during my introduction: act impeccably in public and raise any ethical issues that could be imagined internally because the name of the company will be used to sell papers no matter what you did. To take several recent cases:

- Facebook employees consider that Cambridge Analytica was caught, abused their power, lied under oath and was never able to leverage Facebook Custom Audience anyway; short of using Police forces (and Facebook really should not have that kind of power) there wasn’t much that Facebook could have done more;

- As a consequence of that, there was a movement to control abusive pages in politics, and everyone was claiming for a clamp-down. It took 24 hours for Facebook to ask for ID for the moderators of all large political pages, because they realised that any of those could be GRU operatives, and 5 minutes for everyone to find this deeply objectionable. :facepalm:

- Apps sending their user’s actions to Facebook Analytics when those actions are Heartbeats, blood pressure, migraine and Period time: Facebook employees consider that Analytics is a service for people to target their own users based on their own classification. There are some possible issues with it (the classic being ethnic discrimination for real estate) but no one at Facebook cares about your period. Facebook could enforce more strongly that the apps communicate with their users about the Analytics tool, but that’s 100% going to blow back around the common theme that Facebook is abusing their power. You’ll have virulent op-ed outraged at how their dare to threaten to de-platform feminist apps about empowering women and their health, and how dare they. I’m happy to bet real money that the people asking for more control will be the same to protest against it, less than a week later.

_Catch-22_ comes to mind.

Thanks a lot for an opportunity to look into the world of Facebook employee, that was really interesting and I feel that I do understand it better now.

However, I wonder if you'd agree that maybe the main reason for Facebook problems is their desire to overconnect the social graph basically. All those moderation problems wouldn't be there if the newsfeed stayed simple chronological summary of updates by their friends and families instead of an algorithmically generated mess. Reddit AFAIK doesn't have problems as huge as Facebook's, and the reason for that is that communities tend to moderate themselves pretty well, and moderating communities themselves (e.g. banning drug sale groups) scales way, way better. In a sense FB itself kinda acknowledges that with its recent emphasis on Groups.

On the other hand, interpersonal connections between real-life friends and families (what Facebook sold to its audience and the way it keeps the users on the platform) barely need any moderation at all. It's quite unlikely your uncle James starts promoting antivax (or child suicide) in your family, and even if he does, he can either be contested (not letting spiral of silence to form) or banned/muted/unfriended/etc. Unfortunately, it's not how FB works: it baits you with friends and family and switches to engagement optimised cesspool.

It feels like the hyperconnected, algo-driven feed is actually the root of most facebook troubles, despite (obviously) generating massive revenues.

> All those moderation problems wouldn't be there if the newsfeed stayed simple chronological summary of updates by their friends and families instead of an algorithmically generated mess.

Yes, because Facebook would not be a usable service. This is not a joke: raw feed is really bad. Unusable. Spam-folder on steroids bad. If you care about the Facebook employees mindset: “My News Feed should be chronological” is about three times worse than “I’m just looking for a technical co-founder, I’m an ideas guy” to the HN crowd.

> Reddit AFAIK doesn't have problems as huge as Facebook's, and the reason for that is that communities tend to moderate themselves pretty well,

Reddit has significant efforts into massaging their own feeds. It’s less visible, but quite significant, mainly around abuses from large coordinated groups. They’ve talked about it extensively. They have fewer issues because a subreddit community has clear values (_News_ value immediacy; _Politics_ controversy; _WritingPrompt_ values long comments more than total Upvotes) which allows them to tailor their algorithm per context rather than per person. Well, they do that too, but it’s significantly messier. This part is hidden because there’s a lot more than you can see on Reddit, so you see a lot of good things, no matter the order. There is less good content from your friends simply because you don’t have a million of them, so your Facebook News Feed is a lot more sensitive to clues. Reddit also has a lot more input information with upvotes; people really don’t understand their feed would become massively better if they click on Like — including professionals who build recommendation engines for a living and complain about not having good data.

Finally, if you think that Reddit is a welcoming community without issues, I can easily guess your gender. That’s a big part of what Facebook empowers.

> interpersonal connections between real-life friends and families (what Facebook sold to its audience and the way it keeps the users on the platform) barely need any moderation at all

This is not true: anti-vaxxers (and before them, MLM) are a massive hindrance to their family; usually, they get ignored now, but being able to hide them (and dynamically detect problematic posts from important, non-MLM updates) is a key feature of the News Feed. The most common, and occasionally biggest pain-points that we’ve measured have been where friends and family merged, from your lame dad barging in a Let’s-go-to-the-club thread to gay people still in the closet liking posts about flamboyant things.

What you might be trying to say is that there is a real problem in merging all your aspects of life into one context. That’s definitely true. Without going into drama-prone topics, I speak several languages and that was not taken into account at all when I joined; my cousin routinely complained that she didn’t understand why I wrote in English “all the time”. There was some progress (thanks in very small part to my impulse) there.

Raising consciousness around those issues was part of what I did more generally. One effective and clear solution for that was Groups, that finally, for the last two years, got their place in the sun with a dedicated, empathic team in _Engagement_, rather than be a subsidiary of Pages that where a subsidiary of Ads. I don’t have internal knowledge but from public communications from Facebook management, I’m guessing they are growing much faster than Reddit, with a similar product.

> generating massive revenues.

Not really. The family stuff is great because if gets people to post more: they feel like they can share if they see similar things in their feed. That’s empowering people which Facebook believes in as a core value, but it’s not making much money. If Facebook wanted to print dollars, they’d go full Video.

The money comes from basic stuff: age, gender, location, family status (age of children) and interests; language, too: you’d be shocked to see...

Using security to further weaken privacy (quote from Zeynep Tufekci in the article) aptly sums up the method countless companies have been using to violate user privacy. It's essentially a form of fraud - obtaining private information on a false premise. It'll be a good test for GDRP - let's see if there's actually some accountability.
Your friends already know what your phone number is
That's why I don't put it in there.
Don't worry, your friends will help Facebook fill in the blanks with their smartphone address books. There is bound to be some Facebook-connected app (WhatsApp perhaps?) they use that does link your Facebook identifier with your phone number.
Okay so we finally killed off the telephone book and now Facebook reintroduces it? And you can't even opt out?

My policy of never giving out my phone number to an American company proves wise once more.

> Facebook spokesperson Jay Nancarrow told TechCrunch that the settings “are not new,” adding that, “the setting applies to any phone numbers you added to your profile and isn’t specific to any feature.”

They're not joking when they say this isn't new.

I remember a situation while I was still in high school (2011-2012 maybe?) in which someone tried to prank me by sending me SMS from a number I didn't have. I figured out exactly who it was using a simple Facebook search. The best you could do even then was to set it to friends-only, and the prankster didn't do that.

This is going to be interesting in EU where this is not allowed in such way. I believe fines are given as percentage of overall turnover. meaning expensive no matter the size of the company.
Been warning people about this for years. Every major social media company has been pushing this shit as "security", when in reality its whats known in intelligence circles as "linkability". The more points of verification, the better a profile can be built to associate an actual identity with an email address, screen name, username, alias, etc. Snowden warned everyone about this, nobody listened.
How many other social media companies? Curious.
twitter also aggressively collects your phonenumber.

Telegram is so aggressively anti privacy that I tried around 5 numbers I own and only 2 of them worked.

While this is true, is 2FA not generally a good thing?

SMS verification increases linkability maybe, but a yubikey or something similar?

Isn't this a violation of gdpr? And if it is, how have they not been sued yet?