This does not look like scraping. A prima fascie database leak, and an invalidation of Facebook's claims of them not using your phone number past the validation, as well as them claiming using encryption at rest.
You need to do a bit more than that; a one-way transform with no secrets isn't good enough for easily brute-forceable data like phone numbers, SSNs, passport numbers, credit card numbers etc. There's just not enough entropy in the data.
There are ways to do these things though so the spirit of your comment is correct.
I’d assume encryption wouldn’t help much since wouldn’t the key most likely be available if the database was compromised?
I would have thought hashing would work if it’s made more expensive such as by choosing an expensive hash function and increasing the number of rounds.
Edit: Would first encrypting the value with the salt and then hashing the encrypted value and salt add more entropy and make hash collisions less revealing?
To protect "sensitive, low-entropy data", the main things I've seen people do are encryption, tokenizing, or anchored hashing. I'm certain there's a bunch of academic work out there I'm not across so I'm writing from the limited perspective of "things I've seen people do in industry".
The best thing to do tends to depend on how you need to use the data, exactly.
With hashing alone there's just no reasonable cost function that will provide (say) 1 year of security in the event of database exfil, but also not DoS your service computing it :/ The problem is being offline-attackable.
Encryption is one possible answer and I think most HNers understand the tradeoffs. Generally the less transparent it is, the more effective it is. Volume encryption or transparent database encryption are good to turn on, but don't protect you much. Keys available at application level only (let's say some fields are KMS'd) are better and will be of use under common failure scenarios (SQLi / DB exfil). You still have to get key management and application security right though and it turns out those are hard to do at scale. Your encrypted fields will also not be efficiently searchable unless you are using deterministic encryption.
The tokenize pattern replaces sensitive data with a random value which is mastered in a centralised, controlled service. This really only makes sense if you can set things up so that almost all operations can be performed using the token.If you allow too many things to do token -> value lookups then it's pointless. Also all your eggs are now in basket so you have to watch that basket. Operations look like:
- Exchange sensitive value for token
- Compare tokens for equality (optional, but usually handy)
- "Domain operations on token". For credit card, "bill the user", for phone numbers your domain operations might be "send SMS" or "robocall".
- Exchange token for value (controls go here; limit access to customer service staff only, auditing, rate limits etc. The value should ideally only come out if a human has to look at it, and you should be able to definitely say who looked at what).
Anchored hashing uses a secret value in your "hash" operation. Keeping this value actually secret is hard, so an "industrial strength" implementation will use an HSM or other hardware to do the operation. This means any brute-forcing has to happen inside your network where you can see it. You ideally want a bit more entropy than with tokenization to make this work, but with appropriate rate-limits against attack from inside your infrastructure, it has legs. It's hashing, so works well for "have I seen this sensitive data before". The main advantage of this pattern is that it doesn't have to keep state.
So it sounds like all of these techniques are to force sensitive data access to a single well secured point 1) with the hope that these actions will be eventually noticed and 2) to enforce rate limits on actions to slow progress and increase exfil duration to support (1). (2) can only be made so slow since, as you mentioned, the service needs reasonably quick access.
On a related note some HSMs can enforce rate limiting in hardware so even if the machine enforcing this access is compromised the rate limits still cannot be bypassed.
You can not prevent the phone number form being found eventually but that's not the goal you just need to make it more expensive than a phone number could ever be worth to someone.
If you use a secret you have the same problem as before the legit system need to have access to the secret but an attacker should never get it. So if an attacker gets hashes and the secret(s) he has everything.
I've had a play with the data for a few people whose phone numbers I actually know, and they all seem old enough users that they just have the number on the account anyway. I could be wrong but I haven't found anyone my age who's number I can confirm.
Great, so we get the worst of both worlds: outrageously obnoxious opt-out games (which, if skipped, implies free rein) and non-compliance as a cost of doing business. Wonderful.
GDPR/CCPA were always a way to punish the many (i.e. us) for the sins of the few (Facebook and Google).
And, I might add, it's to their benefit. What we're entering is a future where only Amazon, Google, Facebook, and Apple can handle data.
You see this constantly on HN. "Don't handle your own auth, just let Firebase do it!" People are against anyone other than AWS touching their data. And, well, we're getting the dystopia we deserve. What else can I say.
> Facebook already breaches the GDPR in many ways and has yet to see significant consequences, so this is unlikely.
Not having the data encrypted at rest seems to me a different infraction than the previous ones. The scale also matters, and that it isn't the first infraction.
Facebook's tracking consent flow has been in breach since the regulation went into effect in 2018, and has affected millions of people, both users and non-users. Keep in mind that had Facebook been compliant with the GDPR, the recent Apple changes regarding tracking consent on iOS wouldn't have been an issue for them at all.
I'd argue this is a much bigger issue than the lack of at-rest data encryption, and yet nothing has been done.
These events are not a matter of if but when. And since the overwhelming majority of the people in my social circles has zero understanding of the real nature of the relationship between them - FB users and FB I just hope this will become increasingly frequent and painful experience for them. As in: I really hope this will get FB users in trouble as a result of identity theft etc.
This may sound extremely cynical but at this point it's the only way for the non-technical folk to understand the implications of giving away your privacy so that you can share cat pictures with other people.
> people in my social circles ... I just hope this will become increasingly frequent and painful experience for them.
Very strange to wish harm upon your friends with the hope that that will convince them to join your side in a political fight! I would suggest instead that you only wish that if it becomes a painful experience, they would realize why and renegotiate their relationship with FB. Typically wishing pain on your friends is not a good stance.
Not that strange. The whole "rock bottom" concept for addicts is similar, right? Sometimes you have to see a friend or family member truly experience real pain to get them to want to change. People are like that.
The sad fact is that as much as I wanted to believe that positive reinforcement was "better" for me because it was supposedly "better" for people in general, in practice it's only ever been negative reinforcement that has enacted any change in my life. Trying to deny that fact for so long only accomplished setting my life back by several years. Even the simplest things like dental hygiene only became habits because I suffered catastrophic losses from neglecting them.
I think it's because my imagination of the failing scenario will never compare to the experience of the failure itself. Whereas if there's no singular point at which the failure becomes obvious and decidedly life-changing, then...
It's a pretty minor harm and it's one somewhat like ripping a band-aid off. The pain will come sooner or later since we (at least in the US) aren't addressing the irresponsible data practices in industry. The sooner people detach themselves from the likes of FB, the better off they'll be when leaks happen.
I think it would take more than this to be leaked, particularly if users had their 'private' messages on services leaked, then they would start to realize it.
I think most normal people acknowledge that so many companies know their phone number and name that they may be past caring.
Same here, i started recieving both calls and SMS which the last i find more annoying. I do use Android and these ones haven't been able to be detected as spam
Those are usually generated, they call numbers in area code/exchange randomly, assuming you will pick up something that seems familiar. Jokes on them, I moved to another state, easy for me to tell.
I toyed with that for a while but I kept missing important work calls. I might have a look for an app later, but I have a feeling it might not exist...
Yeah. I tend not to pick up calls that are in the "Who would be calling me from Texas?" vein. But while it's annoying to have to look at my phone when it rings, I do get calls from locations that seem plausible and they usually are legit. I'm not really willing to make myself harder to reach for legitimate and even important reasons because of the occasional junk call.
Work uses slack/teams/Webex. One person sends me Signal. No one has ever used telephony, except I use it to call he dial in numbers because my phone audio is better than Bluetooth / virus agent laden laptop displaying ten videos of peoples homes thru vpn.
Not natively, but there is an API that apps can use to do it for you. I use Mr. Number because it’s literally the first one I found and it’s worked good enough for me.
Best thing I ever did for myself was to get a Google Voice number in an area code I've never lived in.
A lot of these fake calls rely on people assuming "local number = neighbor" kind of mentality which rarely comes into play these days as we're much more mobile than we used to be. Plus area code splits, separate area codes for cell vs landline services becoming increasingly common.
If my GV number were: AAA-BBB-CCCC
And my actual home area code is DDD-EEE-FFFF
Any and all numbers from AAA-BBB-xxxx can be ignored.
I never answer calls that come in on my cell carrier provided number, so that eliminates that issue. Silent ring, no forward to voicemail.
Anything left, about 95% of the time, tends to be legit.
With regional calling being a thing of the past and most cell plans being unlimited text and talk, it makes very little sense to keep a local number. Especially now as it's SOP for roboscammers to fake Caller ID and try to match the first 6 of your 10 digits.
I've been getting a lot more recently as well and I figured it was due to the phone companies promising to get rid of caller id spoofing this year so scammers are working overtime until they can't anymore.
Oh, is that a real thing that's happening? Caller ID spoofing is the main reason I hold onto my phone number from [small town] Texas, since only my immediate family ever calls me from there, so I somewhat reliably know anything else from that area code is a scammer.
An "exact" google search excluding adjacent phone numbers seems to work well for my numbers, and culls a lot (not all) of the autogen pages. So if your number was 212-555-1239, search Google with these strings:
Tried it, you're right. Got 6 of my past addresses, 9 past phone numbers, 8 relatives, all correct. Some incorrect info, but not much as a percentage.
If you reverse search the PO Box address listed on the site contact page, you'll find an Amateur Radio license listed to a person that is probably the owner of the site, based on his past experience.
Also, searching for their Adsense publisher id reveals some other sites they own: peoplesearchnow.com, fastbackgroundcheck.com, smartbackgroundchecks.com
Those sites have new and different PO Boxes in other cities, etc.
I am amazed and horrified at the fact data brokers like that are legal. and the hoops to which you must leap in order to get your information out of them, even with california privacy laws.
Just submitted a removal request for myself, a flow full of dark patterns (in fact the Remove button didn't even show up until I disabled my Pi-Hole). Remains to be seen whether all I did was make the data more valuable by confirming my email address. The page recommends signing up at BrandYourself to prevent various other data brokers from showing the same data. How is this not extortion?
so if I search my phone number, it brings me to my name and everything. But if I search my name it doesn't get my phone number right. Any ideas why it's like that?
This is just one of the websites. Here is a list of all the websites which have your information with easy links to opt-out from them.
I do not maintain this but don't know where I got this from, however I have notifications when this spreadsheets gets updated to remove my information from another website
Yikes. That's the only one of those that was even close to being accurate for me. And I'm not sure I can get it removed because they don't have any of the right email addresses. I don't usually leave much of a trail on these sites, but the info that is correct vs incorrect makes me suspect they probably got it from one of my parents.
Not really an answer to your question, but one partial solution to the problem of having your number leaked or sold is to setup a service like Twilio to act like a phone proxy. You can have Twilio forward calls it receives on a different number ("spam number") to your actual phone number ("real number"). You provide spam number to anyone who isn't a business or personal contact. Every few months, you rotate spam number. If your spam number is leaked, you don't care because its only a transient number which isn't more permanently associated with you.
You can also have more permanent proxy numbers for services or people that may need to get in touch with you long term.
Is this available to people outside of the US as well and is there a guide for setting this up? Last time I used twilio for a basic sms gateway there was a lot of clicking and typing.
I've been using voip.ms in Canada to great success. Even SMS codes from banks and Whatsapp work correctly. Excellent service, highly recommend, especially with voicemail auto-transcription (then sent to email) and SMS from desktop via email.
Can you think of any drawbacks of using this for important services like say PayPal? Or are you strictly using this for throw away products and services?
Telemarketing or political campaigns. Check out the Robocall article on wiki. In Europe it depends on the country. In Poland I receive a few calls daily but they are people calling me, not bots. Never received a robocall here.
In the US, the vast majority of them are simple frauds. For a year I got a robocall every few days from a Chinese woman (in Chinese) that a friend of mine said is a threat to get (the hypothetical Chinese immigrant) me deported unless I pay them.
Right now I'm getting a fake credit card debt collection call (I've never had a credit card in my life, only debit), and a call telling me that I'm eligible to have my AT&T (phone) bill halved (I don't have AT&T phone service) and all I have to do is call the number "on my caller ID." I think those two are both being read by the same woman (not the Chinese one.)
I'm more of a texter than a caller, so the vast majority of calls I get are robocall frauds. I'd love to get a robocall that was just annoying for a change, rather than completely predatory.
I recall there were a ton of them in France. Usually pretending to be DHL or another courier asking about a package. Nobody I knew interacted much with the calls.
If you're in Europe, but don't share a language with a much poorer country, you're safe from these.
This could be the first large breach we've seen from FB like this. Most past breaches were of a much different and smaller nature (scraping or API access abuse), and seeing a real leak like this could change the landscape for FB quite a bit, since historically companies like Facebook and Google have been very good with preventing them. I don't know a ton about FB's specifics, but there's a chance this data could be 'public' from people with the given privacy settings, if perhaps 25% of users have that turned on. If that is not the case though, then this would be the first serious breach from FB imo.
Either way at this point I operate under the expectation that most information I input into a database may be leaked at some point. This is particularly rough for services that demand and track a lot of things, but it cannot be helped.
Would like to know if non Facebook users are included because Facebook has non Facebook user's phone numbers due to the fact that Whatsapp uploads the entire phonebook to Whatsapp. That means Facebook is likely to know your phone number although you don't use Facebook or Whatsapp.
Every time someone argues that people can avoid the privacy problems of Facebook by simply not using it, I point out this issue (plus the shadow accounts).
I recently purchased a phone that had the Facebook app preinstalled. If I had to guess, the mere act of connecting to WiFi caused a whole slew of info to get sent.
I didn’t check what permissions it was given by default but hopefully not too many and with those not much spying. It would be nice to have a clear map of what data can be obtained with what permissions.
There was a dark phase when it looked as if the only way to sign up for various services was going to be Facebook. If memory serves, there was a time when Spotify sign up required Facebook.
The difference between malware and "legitimate" software is whether there's a "legitimate" company behind it and whether that company has a "legitimate" interest in the information. Sad but that's how it is. Just like how governments give themselves the right to crack computer security and surveil everyone but throw citizens in jail if they do the same thing.
It claims not to, which isn't a guarantee. After all, they also claimed not to use phone numbers given to them for 2FA for anything else, and yet ended up using them for ad targeting.
"Cathcart: It’s true that we do have some information about how people use WhatsApp and that we do know, for example, the device ID. We collect this only to secure our services and protect from attacks. When you use WhatsApp and allow access to your phone book, we only see the phone numbers, not the name.
DER SPIEGEL: Do you share these numbers with your parent company Facebook?
Cathcart: No, we don’t. The updated privacy policies will actually not change anything globally in our ability to share data with Facebook."
Affiliated Companies. We are part of the Facebook Companies. As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the Facebook Companies as described in WhatsApp's Privacy Policy, including to provide integrations which enable you to connect your WhatsApp experience with other Facebook Company Products; to ensure security, safety, and integrity across the Facebook Company Products; and to improve your ads and products experience across the Facebook Company Products. Learn more about the Facebook Companies and their terms and policies here.
AFAIK, that addition was what caused the uproar earlier this year.
(Also note the dark pattern in both terms of service that seed confusion as to which are the ones that apply to the EU. In the first sentence, “If you live in the European Region, WhatsApp Ireland Limited provides the Services to you under this Terms of Service and Privacy Policy.”, ‘this’ doesn’t refer to the text you’re reading, but to the texts behind the hyperlinks)
That doesn't seem to be correct, although what does 'phone numbers' mean in this context?
Quote: "WhatsApp, which was acquired by Facebook in 2014, does share some limited data with Facebook, including phone numbers. However, the firm has reassured users that messages will always be protected by end-t0-end encryption, which means neither WhatsApp or Facebook can see these private conversations"
"Limited" is a weasel word, as it can mean anything. e.g. a "limited time offer" can mean it lasts for 2 days or 2 years, because it is not unlimited.
Likewise, sharing a limited amount of information with Facebook simply means they don't hoover up every single bit. Perhaps Facebook is not interested in those automated texts you get confirming haircut appointments...
On the other hand, if you just got a haircut, then they know that you’ll be looking for another one in a set amount of time (based on your hairstyle, which they also know from photos), and they could advertise hairsalons to you then.
I’m not sure their algorithm is this refined, but it’s not impossible.
Others can still allow access to their phone book and the information stored in them about you will be transmitted and saved at Facebook, won't it? Is there a way to disable that?
Exactly this. I recently started a twitter for my academic career. Didn't share my contacts or anything (I only follow academic twitter too). I get tons of suggestions of people I know and several have followed me. The information is from their contact list because twitter knows my number and connected us. There's a clear benefit to this, but there's also privacy concerns too. The lack of control over this is what is concerning.
How are you able to send whatsapps to people you don't have a prior conversation with ?
I am doing the same boat...and was working fine until i lost & replaced my old phone. All conversations were lost, and this makes it challenging to use whatsapp for any non-group conversations (since I can't start any).
As I've seen on WhatsApp on every smartphone I've had: when you download WhatsApp and tap the "New chat" icon in the upper right corner, the app SHOWS YOU a list of everyone from your phone's contact list who has a WhatsApp account. They also show the list when you click "Chat" at the bottom and then "New Group."
It goes so much further than this and it is absolutely frighting. The following sketched situations applies if you don't use Facebook at ALL.
99+% of every single person you meet has either FB, IG or WA installed on their phones and shares their phonebooks with them (assuming you live in [insert western country here]). There is also a very big chance at least some have your full name and address in their phonebook. Facebook not only knows who you are, but also who you are in contact with, when you meet new people and who they are. They also collect phone and text records with their apps so they also know the frequency that you have contact with them and they can even read the content of text messages (most people these permissions to the apps because it will automatically verify the associated phone number). Add all the location data, ssid/mac address collection and countless of other datapoints to it and they can draw out your entire life even when you don't use anything from facebook. There is no escape.
As a counterpoint I can think of dozens of personal acquaintances who are happily non-users and never interact with Facebook properties (retirees not into tech, busy executives, to cool for Facebook hipsters). If your country or social circle doesn't use WhatsApp, Facebook itself is already dying and Instagram is getting their lunch eaten by Tiktok.
It's not about the information you give, it's all those friends and family who signed up for it and uploaded their address book... They now have your phone number and email probably your date of birth, and even some photos of you.
They are like the credit companies, they have information on you whether you allow them to or not.
Exactly. People who save your details in their Address Book and click the "Sync your Contacts" when an app suggests it, are the loophole in privacy and security.
The only way is to have a separate set of email, phone numbers, for those family and friends who doesn't care about privacy and security, that way it is easy to dispose those information later.
Beyond that … if we truly want to avoid it … the only course of action is to not give them anything at all. Not a single email, not a single phone number, not even our home addresses.
That is exactly how I deal with it. I use a throwaway webmail address and a Google Voice number. No way they're getting my real email or phone number that I use for work and clients.
You're not avoiding having a shadow account created about you though, once I've upload my contact list and you're right there, Jim Wyclif, with your real phone number, and I've also tagged you in a photo we took together last year. And then there are all the other people who have your real phone number and who have been on Facebook, Messgenger, Instagram, or WhatsApp since they saved the number. And then there's even relatives and former classmates and co-workers who've looked up your name and typed in your town, school, and/or former company to find you. When I use Facebook, it still recommends former classmates and acquaintances who I literally looked up once ever. (As a side-note, Snapchat does the same type of things; people I've worked for in the past, as a tutor, are recommended to me on the "Add Friends" page.)
> it's all those friends and family who signed up for it and uploaded their address book
Hmm, not many of my friends have my phone number either. I don't usually use phone with friends. Come to think of it I almost never use phone, I always use FB, WeChat, LINE, Hangouts, etc. for voice calls, and sometimes just use a straight up WebRTC call.
I suppose one way to alleviate this for the masses is that when giving your number to a friend, have them use a pseudonym that is easy to remember for them and not use your real name.
I've found that VOIP numbers from certain countries and area codes can evade this problem. Not listing publicly, in case the idiots in charge of the system are prowling this site.
But I don't even understand why they're allowed to look up the provider, or why I can't define myself as a mobile operator.
I don’t use Facebook or their other apps (eg WhatsApp). Facebook has my email address as I used to get regular invites to sign up. Facebook also knows what I look like from friends tagging me in pictures, and seems knows my date of birth as people tell me that they were notified by Facebook.
So even if you have avoided all their stuff, you aren’t immune.
Yeah, I feel Messenger or WhatsApp doesn't really come into play here. Facebook has at least two different privacy settings when it comes to phone numbers and how it's shown to people:
1. At https://www.facebook.com/USERNAME/about_contact_and_basic_in... - there's a contact info section where one can fill in a phone number (among other details) and set the visibility to Public/Friends/Friends except <group>/Only me/Custom/custom lists.
2. And https://www.facebook.com/settings?tab=privacy - there's a "How people can find and contact you" section that covers "Who can look you up using the phone number you provided?" with options of Everyone/Friends of Friends/Friends/Only me. I imagine it'd be very easy to select the wrong thing during setup due to the overwhelming number of things to read and click.
I suspect those who have set the latter, or both options to "Everyone" will most likely be in the "free" data dump (except perhaps for most Australian Facebook users, for now).
I feel the second setting is riskier, especially if you don't want employers or colleagues to be able to simply look you up on Facebook by phone number. For example, I could hypothetically display my phone number to "Everyone" on an incognito profile and no one should be able to just wander by and spot my profile and immediately figure out who I am (assuming this profile doesn't somehow get suggested to "Friends you might know" - big assumption, yes; but this would depend on how I complete my profile). Regardless, either one or both set to "Everyone" is a recipe for disaster.
I believe more people would have allowed number searching compared to those who just have their phones displayed to everyone on their contact info sections. In effect, it's a bit of a reverse phone book, plus extra.
it just occured to me that the data from the leak could be used to test if they are in compliance with the Gdpr, Now in the event that it turns out that they don't follow the rules, could this leak be used as evidence in court?
We should start thinking of these breaches in terms of their accumulated impact. It's not the 1990s anymore, where data is difficult to store and networking too slow to move it.
We should assume the leaked data doesn't go away; that instead people out there are consolidating Equifax data with Vastaamo data, adding data from Exchange hacks and the Accellion hack, to cross-reference with data from Facebook... it's like water flooding a levee now, instead of evaporating.
Honestly sounds like a fun job for future historians. By aggregating all the leaks over a long period, how much of a person can you reconstruct?
For example even though I am using a throwaway account, HN's logs might one day get compromised. So now they can join the IP address to other compromised sites that I was logged into using my usual email. And from my email they already have my name, SSN, address, phone number, usernames, passwords, etc, exposed from prior breaches. But now they know about my shitposts too.
That's exactly my point. I think I am safe on HN because I'm using a random user name with no email attached. But their logs definitely have my ip address and that ip address will be common across other compromised logs on other sites, some of which I might be logged into with a real email (this is true regardless of incognito mode since it's the same computer).
Looks like this is the "To match users to their friends by phone number, you need an API which can take as input a phone number, and return information about if that number has an associated account" problem.
There is no way to let a user find their friends on a service without such an API. Yet if you have such an API, someone can simply brute force all phone numbers worldwide (there are only 10^10), and now they have a database of all users...
Rate limits can help defend, but considering many users might have 1000 phone numbers in their address book, you can't set the rate limit very low without impacting user experience. Attackers can reduce the search space dramatically by only checking phone numbers that resolve to an active line (using VoIP stuff to test a number).
The only real solution is for your app not to have a "Here is a list of your friends already in the app" screen... But as you can imagine that means you won't get any user growth or VC funding...
This is the same fallacy that leads to apps asking for permission to access your whole picture library.
Facebook could have an API by which an app can prompt its user to show a list of all of that user’s friends who have the app installed. The app would only learn the identities of people whom the user explicitly selects, and phone numbers would not be part of that identity.
It works for photos because the threat model is about protecting local files against malicious apps.
But for phone numbers, you about protecting Facebook API (which is publicly available via the internet) against arbitrary devices, which Facebook has no way to tell from legitimate ones
What I mean is: Facebook should remove that API entirely. Apps do not need a way to look up a phone number in Facebook’s database. The “find my friends using this app” feature does not require this capability.
I think it should be illegal for apps to help find friends. If you genuinely meet someone offline, then they could generate you a token that then you could enter on the site to "connect".
Telegram had this issue too and they made a setting "who can find me by my number" you set it to "my contacts" so only mutual contacts can find each other.
I think you misunderstood that. This setting isn't about privacy of your friends number its about who can find you with your number. For example by brute-forcing numbers.
Whether you upload your address book or not is another story and it does ask if you want to do that. Obvious if you decline and then set to above setting to "my contacts" then no one will be able to find you by your number (which is exactly what I personally want)
There is absolutely no need to upload your address book to make you number unsearchable.
I think there are way more than 10^10 phone numbers in the world. I think there are 10^10 combinations in the USA alone (filtering by unused area code, etc will decrease that number, but even then https://www.ck12.org/c/probability/permutation/rwa/Wrong-Num... says almost 8×10⁹ remain)
Also, at least some countries have longer phone numbers (Germany, the UK and China have 11-digit ones, for example), and the international public telecommunication numbering plan says plan-conforming numbers are limited to a maximum of 15 digits, excluding the international call prefix (https://en.wikipedia.org/wiki/E.164), so the search space, potentially, is a lot larger.
> I think there are 10^10 combinations in the USA alone
Canada and USA share the same numbering plan and that's sometimes overlooked.
I always "press 1" to interact with the 'your social has been criminally suspended blah blah' or 'card-services' robo-calls.
When I have time I share circular stories about my grand-kids that don't visit me anymore, but when I don't, I just respond in French with something like "Je pense vous etes une pamplemousse."
Most recently, one responded with "NO HABLOS ESPANOL". lordy lordy...
I believe they mean it can't effectively be sold if everyone has it. It loses value as a commodity if anyone can access it, but the value of the data is still in tact.
But facebook is not in the business of selling your data. It's in the business of selling your attention and it uses data to do so. There's nothing about this leak that changes Facebook's position in this market in this regard.
I can’t find any Facebook resource that says I can buy data, or any other reputable source that reports Facebook is selling details about people. Can you provide any?
This one is interesting and refutes the argument you are making
“When the company argues that it is not selling data, but rather selling targeted advertising, it’s luring you into a semantic trap, encouraging you to imagine that the only way of selling data is to send advertisers a file filled with user information. Congress may have fallen for this trap set up by Mr. Zuckerberg, but that doesn’t mean you have to. The fact that your data is not disclosed in an Excel spreadsheet but through a click on a targeted ad is irrelevant. Data still changes hands and goes to the advertiser.”
The opposing view is that the leaked data is only valid up to the time of the leak, and there is no guarantee it doesn't go stale, while Facebook has the fresh data.
The only way the data can lose value is when everyone in the list change their numbers. If making it public drives them to do that, then good, but the inertia to do that is so big that I doubt most would. Spammers and marketers don't care if the list is being used by competitors, so the value of the data as spam target is also not reduced by making it public.
Thanks. Was just able to verify I'm not affected (deleted my acc years ago), but it's crazy how many of my friends' names plus phone number are on there.
Thanks. I'm just getting a "Please open Telegram to view this post from @freedomf0x" message. Any way to access this without signing up for Telegram? The irony of giving my personal info to another 3rd party just to check if my personal info was leaked by a different party is too much...
Which link? The ufiles? Why does it go without saying? Not like stuff is instantly executed by downloading. All I got for my selected country was a plain text file.
I've tried three different browsers and none can get the download to work. It's possible I'm blocking some tracking domain at the router-level that's integral to the download functioning.
I doubt you'll find it anywhere else, it probably gets removed anywhere it gets posted due to violation of terms of service. I created a Telegram account and the Telegram link still works. I think that's your best bet.
OT: Failed their hCaptcha probably 10-15 times before I gave up and just closed the tab. Hadn't seen it in the wild yet; I'm glad it's not pervasive (yet).
You might give this a look. It's a FOSS browser extension that auto-solves google captchas by switching them to sight-impaired mode and using speech recognition.
Because of this I use fastmail or Apple sign-in to make a new email for every online service I register for, and when it's a username I pull random words together from a dictionary. I also avoid using my real name as much as possible.
That kinda sad, because that is what’s going to happen and then we’ll nothing more.
At this point I’m not really sure what it will take for companies, like Facebook, to understand that you need to not fuck around with peoples private data.
Put a monetary cost of holding user data, and a steep monetary cost on losing user data.
Ex, pay x amount per month in perpetuity for each piece of information about a user your keep. And have to pay the "net present value" of those payments if you lose the data.
Having to pay for hoarding user personal data changes the incentives from gobble up as much as possible, to instead only pay for a users data that is worth the cost to your business.
And as an extra incentive to not hold unneeded user data, know the costs you'd pay if it was breached.
Who would get this money? I agree that it needs to be some solution involving a cost, given that most of these companies have shown multiple times that profit isn’t just their main concern, it’s the only concern.
The government typically... who might in turn do something like a tax rebate (write a check to everyone, ontario has been doing with the carbon tax) or just stick it into the general pool of taxes (reducing everyone's taxes).
Think of it like a class action lawsuit on behalf of investors. Instead of entrusting their savings to a company, people are entrusting them with their personal information. If there is gross negligence on part of the company leading to that data being leaked then all of the people whose data was stolen should be able to claim monetary damages. If a legal precedent is established so that these claims can be pursued whenever this happens it should provide enough motivation for these companies to take preventative measures.
Honestly the EU need to finans a organisation to deal with GDPR violation, hell it could finans it self. The GDPR is the single best piece of legislation ever written, in term of privacy, but enforcement is lacking.
I work in the security field and let me tell you something I realized: nobody cares about security. If someone cares about security, it's because they've had many many incidents in the past. We humans are not a species that is good at preventing, we are good at reacting.
the security handbook[^1] has a chapter on that actually, and they basically say that role playing is the only way of not getting burned. Humans are excellent at role playing, and it can help you prevent a lot of catastrophe without having experienced them before.
I think part of the problem is that many orgs see security as an overhead that engineers do to sleep well at night. A few more breaches, a few more fines and it will finally be seen as a feature to keep the CEO out of jail.
This is just it. I also work in the security industry, and the fact of the matter is that we (security professionals) can't give guarantees. I don't know what exotic exploit or bug will exist tomorrow. Security professions basically offer what (to me) seems like a crappy insurance policy. Depending on your orgs threat model, it is often just cheaper to deal with the breaches. --- I am not saying facebook falls into this category. ---
Security is not a replacement for a data breach insurance. Security is basic hygiene for insurance to work at all.
To me, a good parallel is home insurance. If you get robbed, a good insurance will cover your losses. However, if said insurance determines that you were negligent -- say you never lock your front door -- you are on your own.
Do you have precious art at home that you want insured? No problem. Just make sure you add an alarm and sprinklers.
That is how I want discussions around security to be held. Are you a start-up with 10 users? It's okay to do minimal security. Are you a bank whose wires carry $1B? Make sure you throw sufficient "bodies" at the problem, from the top of the hierarchy to bottom.
"You keep using that word. I do not think it means what you think it means."
I "deleted my account" in the run-up to the 2016 election, because I could see how social media was being manipulated, and what it is doing to society. And I mean I _deleted_ it. I took the extra steps of researching how to REALLY delete it; not just suspend it.
A couple years later, I needed to get a new account to help admin a page. You can guess where this is going. I tried my usual email -- since it should be free, and it was deleted, right? And... what do you know? Everything was still there. All my posts. All my connections. Everything.
I think this is because is very expensive to delete and also to develop true delete process. I think that is not acceptable and cost shouldn't be an excuse for keeping content forever.
Even if you manage to get deleted from the live servers, chances are your content is still going to live in backups and will never be deleted. Some backup systems are write-once and could only be deleted by physically destroying the medium.
I wish this was properly addressed in legislation.
Interested to know the GDPR implications of this for Facebook. This seems like one of those occasions where the regulator might be tempted to impose the maximum fine…
Long story short, regulators already have more than enough evidence about Facebook's lack of GDPR compliance so they could've already imposed large fines if they wanted to. The fact that it hasn't happened yet shows there's no motivation to actually enforce the regulation.
But Facebook have enough money and lawyers to ensure a plea deal is agreed. We work out as nothing more than a slap on the wrist.
All the big tech companies budget for these fines. You'll often see it called out at earnings where they allocate funds for a particular fine in a given quarter even though the investigation isn't finalised.
The root of the problem is not the privacy policy or the system security. The root of the problem is the collection itself. All large businesses, health care providers, and governments maintain databases. Every one of them will eventually be leaked. All it takes is a corruptible trusted insider.
Exactly - either the data is basically not valuable at all (the category for which PII rarely fits) or else when the company collapses or is bought, the data moves too.
There's always an incentive to steal or leak it to other companies for money; so as long as the incentives are aligned with GATHER ALL DATA and KEEP IT FOREVER then yes, it will just be a matter of a time before each data store is compromised by mistake or purposefully.
I doubt the claim, but the sentiment I think is valid. If you think about what data these entities are holding, it's not unique to a single database or entity. Your name/address/phone/ssn/etc. Is likely stored in so many places that the probability it gets leaked from at least one eventually I'd say is very nearly, if not 100%.
Google has a huge number of activist (and surely some corruptible) employees, and yet the incidents of users data getting out are very close to zero.
I think this demonstrates that user data can be managed safely and effectively.
Usually the incidents reports on user data leaks show that the company seemed to barely be trying - We need laws that force them (even small companies) to put serious effort into it.
You don't know that. While the publicly available data leaks are indeed rare, you cannot know if they don't use the data for trading or other purposes for their personal gain without disclosing it to the public.
There are infinite things we can't know - opening the discussion up to that really makes anything possible, but the discussion wasn't even about what they might do with the data beyond leaking or selling it.
People do have access to privileged information and that will influence their decisions on both conscious and unconscious levels. It's not possible to detach yourself from work completely and asses your thinking whether it is influenced by something you saw or not on an objective level.
It will also be difficult to prove. For example if an employee hobby is trading, how do you prove that the trades they made are based on their own independent research or based on what they saw?
If they saw something that could make them money, they could easily create a trail of evidence that they researched the matter on their own - it will be difficult to prove that it originated from looking up the privileged information and unless someone is going to be making millions, it's frankly not economical to commit resources to.
It is also in the interest of the company that such incidents don't see the light of day.
I understand your point, but everything you're saying is hypothetical. You're not going to persuade anyone of something happening if you can't come up with any evidence of it happening.
> Google has a huge number of activist (and surely some corruptible) employees, and yet the incidents of users data getting out are very close to zero
Am I reading this wrong, or are you saying that activists would be more likely to leak data? Then I would wonder what kind of activists you have in mind.
Agreed that yes indeed it seems possible to build a security serious company, and that Google is (seems to be) a good example. (Now, there are other things I don't like about Google but I guess that's of topic.)
Surely they would. We already learned that members of their own security team don't seem to see any problems with employees abusing privileged access to mandatory Chrome extensions to agitate for unionisation (at Google of all places!!). Twitter employees screwed with the account of the president of the United States.
Ideological employees of big tech firms taking a sudden disliking to someone or some group and abusing privileged access is certainly a threat that ever larger numbers of people are talking seriously. In particular, it is a concern for industries that do things activists don't like, such as working with immigration control (though perhaps that's no longer an issue now Trump is gone).
Kathryn Spiers, who worked as a security engineer, updated an internal Chrome browser extension so that each time Google employees visited the website of IRI Consultants — the Troy, Michigan, firm that Google hired this year amid a groundswell of labor activism at the company — they would see a pop-up message that read: “Googlers have the right to participate in protected concerted activities.”
Note that she wasn't able to do that unilaterally. Some other member of the team approved her CL and others defended her in public.
I have a vague feeling there was another case like this some years ago where some security engineer modified a Chrome extension for political reasons, but I can't remember the exact details and can no longer find it.
Equifax has more at stake than most. And they've been hacked. Repeatedly. The government has been hacked. Yahoo was COMPLETELY owned. I mean, if someone would put together a list, it would make for shocking reading. It's become so common, that we go, "Oh no! Anyway."
Yeah, both my health insurance company and the company that eventually bought my mortgage have both sent me letters. And this point I just dump them in a folder in the filing cabinet with the rest.
I don't trust in the government, but I think digital "personal data" should be only available for "confirmation" to companies that need it. Say, a government entity could have an API that allow you to send hashed personal data that they can verify is right. This way companies will ask the user for their data and hash it client-side. Then they can send the hashes (hashed with a custom provided salt to the entity (government, maybe private) who will basically reply with a True or False on the verification of the different data.
It may even be an interesting use case for a public blockcahin, where your personal data is stored in a Merkle Tree type of data structure, so that one can verify that certain pesonal data of a person is true, without disclosing the data.
Wouldn't this fall down as soon as someone enters your details with the wrong casing or uses a +country code rather than a localised phone number and so on?
Humans will error and enter data incorrectly so the hash would be different every time potentially despite being "correct" to a human at a glance?
You could standardise everything (lowercase etc) but I imagine there are country and regional edge cases such as capitalisation having meaning in a given language (I can imagine it being a thing but I don't know it for sure)
There could be instructions in place to specify only all lowercase or just use .toLowercase() when sending. Also there could be a specified format for phone numbers or a function that turns all input into the desired format by stripping all special characters. Possibly only hashing the last 9 digits of the phone number for non mission critical applications instead of the full 10 digits.
This sounds like a good use case for short brief documentation.
It's probably not implemented as closely as what you described but check out Europe, this small continent across the pond and the tech scene in the smaller countries.
For example Estonia has had famously and online identity stuff linked via a federal ID (in europe there are more republics then federations so it's easier to manage country-wise) [0] [1]
Or more familiar to me with a bigger sample is a movement in Poland which is gaining popularity - mojeID (myID) which is a Single Sign On system with major banks as providers (they really regligiously check the identities when you open a bank account) or the statebacked login.gov. The mojeID system allows other entities to use your actual identity as an authentication factor without having to keep that much data and pose risks - for example an online alcohol shop can verify the age. [2] [3]
I mean, yes, but.. what's the solution? Never collect data? In at least some of those cases (and arguably all), that data does need to be collected and stored. What is the government going to do, not maintain birth registries, tax registries, land owner registries etc? What is a big business like a bank going to do, not collect customer data like your name and address?
I have a different view: it’s not the collection that’s the problem, it’s the firehose attached to the database. For the applications you mention, make aggregation over all records prohibitively expensive by design.
I still think there might be something here. You can allow certain aggregations (like “sum of the tax column”), but they have to be explicitly permitted; otherwise shuffle and hash everything enough times to make a single lookup sort of cheap, while a scan very expensive (plus distribute over enough physical servers and make the network between them low bandwidth to thwart lower level attacks). With enough regulatory or legal pressure on companies to lock down their data, paying this premium might start to look attractive; one could even found a startup peddling the World’s Slowest Database™!
Edit: what I was thinking originally was that in the world of paper-only archives, these massive leaks were all but impossible, yet business could still be done. It should be possible to combine this slowness with the convenience of computers.
I mean, that slowness is the reason we moved to computers.
That said this is certainly interesting, I wonder if there has already been an exploration of this topic. Could definitely make an interesting startup idea :)
Interesting numbers in the linked tweet in the article.
5M accounts for the Netherlands exposed. Almost 1/3 of the population. Compared to Germany where “only” 6M are leaked, not even 10%.
Right? They're masters at adopting the (supposedly) moral high ground and acting all hurt when others criticize them - you'll hear 'we need to be better' but there's this overriding sense of, how dare people differ from what we feel is best?
523 comments
[ 4.1 ms ] story [ 262 ms ] threadThere are ways to do these things though so the spirit of your comment is correct.
Do you have a link to anything that explains why, and what the ways are to do these things?
I’d assume encryption wouldn’t help much since wouldn’t the key most likely be available if the database was compromised?
I would have thought hashing would work if it’s made more expensive such as by choosing an expensive hash function and increasing the number of rounds.
Edit: Would first encrypting the value with the salt and then hashing the encrypted value and salt add more entropy and make hash collisions less revealing?
The best thing to do tends to depend on how you need to use the data, exactly.
With hashing alone there's just no reasonable cost function that will provide (say) 1 year of security in the event of database exfil, but also not DoS your service computing it :/ The problem is being offline-attackable.
Encryption is one possible answer and I think most HNers understand the tradeoffs. Generally the less transparent it is, the more effective it is. Volume encryption or transparent database encryption are good to turn on, but don't protect you much. Keys available at application level only (let's say some fields are KMS'd) are better and will be of use under common failure scenarios (SQLi / DB exfil). You still have to get key management and application security right though and it turns out those are hard to do at scale. Your encrypted fields will also not be efficiently searchable unless you are using deterministic encryption.
The tokenize pattern replaces sensitive data with a random value which is mastered in a centralised, controlled service. This really only makes sense if you can set things up so that almost all operations can be performed using the token.If you allow too many things to do token -> value lookups then it's pointless. Also all your eggs are now in basket so you have to watch that basket. Operations look like:
- Exchange sensitive value for token
- Compare tokens for equality (optional, but usually handy)
- "Domain operations on token". For credit card, "bill the user", for phone numbers your domain operations might be "send SMS" or "robocall".
- Exchange token for value (controls go here; limit access to customer service staff only, auditing, rate limits etc. The value should ideally only come out if a human has to look at it, and you should be able to definitely say who looked at what).
This is a general technique, mostly used for credit cards. There's a whole industry around it. https://en.wikipedia.org/wiki/Tokenization_(data_security)
Anchored hashing uses a secret value in your "hash" operation. Keeping this value actually secret is hard, so an "industrial strength" implementation will use an HSM or other hardware to do the operation. This means any brute-forcing has to happen inside your network where you can see it. You ideally want a bit more entropy than with tokenization to make this work, but with appropriate rate-limits against attack from inside your infrastructure, it has legs. It's hashing, so works well for "have I seen this sensitive data before". The main advantage of this pattern is that it doesn't have to keep state.
A decent write up of "anchoring" is here: https://diogomonica.com/2017/10/08/crypto-anchors-exfiltrati...
So it sounds like all of these techniques are to force sensitive data access to a single well secured point 1) with the hope that these actions will be eventually noticed and 2) to enforce rate limits on actions to slow progress and increase exfil duration to support (1). (2) can only be made so slow since, as you mentioned, the service needs reasonably quick access.
On a related note some HSMs can enforce rate limiting in hardware so even if the machine enforcing this access is compromised the rate limits still cannot be bypassed.
If you use a secret you have the same problem as before the legit system need to have access to the secret but an attacker should never get it. So if an attacker gets hashes and the secret(s) he has everything.
(before you post a link to enforcementtracker.com please first compare the fine amounts with Facebook's revenue)
And, I might add, it's to their benefit. What we're entering is a future where only Amazon, Google, Facebook, and Apple can handle data.
You see this constantly on HN. "Don't handle your own auth, just let Firebase do it!" People are against anyone other than AWS touching their data. And, well, we're getting the dystopia we deserve. What else can I say.
Not having the data encrypted at rest seems to me a different infraction than the previous ones. The scale also matters, and that it isn't the first infraction.
And as I read it, not encrypting at rest is a breach of Article 6 and fined under Article 83 (5) (https://www.privacy-regulation.eu/en/article-83-general-cond...), which puts the fine limit at 4% of the annual turn-over.
Yes, it doesn't mean they have to fine as much, but the point remains, that this is in the category of the most severe infractions.
I'd argue this is a much bigger issue than the lack of at-rest data encryption, and yet nothing has been done.
They also appear to be ignoring Subject Access Requests with total impunity: https://ruben.verborgh.org/facebook/
which is not the same as data much be encrypted at rest.
This may sound extremely cynical but at this point it's the only way for the non-technical folk to understand the implications of giving away your privacy so that you can share cat pictures with other people.
Very strange to wish harm upon your friends with the hope that that will convince them to join your side in a political fight! I would suggest instead that you only wish that if it becomes a painful experience, they would realize why and renegotiate their relationship with FB. Typically wishing pain on your friends is not a good stance.
I think it's because my imagination of the failing scenario will never compare to the experience of the failure itself. Whereas if there's no singular point at which the failure becomes obvious and decidedly life-changing, then...
I think most normal people acknowledge that so many companies know their phone number and name that they may be past caring.
Is there a trustworthy phone number version of https://haveibeenpwned.com?
The odd thing is, the calls often come through having a caller ID very similar to my own number.
A lot of these fake calls rely on people assuming "local number = neighbor" kind of mentality which rarely comes into play these days as we're much more mobile than we used to be. Plus area code splits, separate area codes for cell vs landline services becoming increasingly common.
If my GV number were: AAA-BBB-CCCC
And my actual home area code is DDD-EEE-FFFF
Any and all numbers from AAA-BBB-xxxx can be ignored.
I never answer calls that come in on my cell carrier provided number, so that eliminates that issue. Silent ring, no forward to voicemail.
Anything left, about 95% of the time, tends to be legit.
With regional calling being a thing of the past and most cell plans being unlimited text and talk, it makes very little sense to keep a local number. Especially now as it's SOP for roboscammers to fake Caller ID and try to match the first 6 of your 10 digits.
https://en.wikipedia.org/wiki/STIR/SHAKEN
An "exact" google search excluding adjacent phone numbers seems to work well for my numbers, and culls a lot (not all) of the autogen pages. So if your number was 212-555-1239, search Google with these strings:
If you reverse search the PO Box address listed on the site contact page, you'll find an Amateur Radio license listed to a person that is probably the owner of the site, based on his past experience.
Those sites have new and different PO Boxes in other cities, etc.
Imagine getting into a facebook argument with someone and that person becomes so emotionally enraged with what you said that they go to your house.
Is is a link? BrandYourself has an affiliate program, so they are probably making money on referrals.
I do not maintain this but don't know where I got this from, however I have notifications when this spreadsheets gets updated to remove my information from another website
https://docs.google.com/spreadsheets/d/10wzyKEl-fAxjCD42u9HQ...
Can't say too much about trustworthyness though.
U could also just download the set from e.g. raid forum to check for yourself.
You can also have more permanent proxy numbers for services or people that may need to get in touch with you long term.
https://support.twilio.com/hc/en-us/articles/223179908-Setti...
I would recommend using the Studio workflow which is GUI based and easy.
https://support.twilio.com/hc/en-us/articles/115016033048-Fo...
https://www.twilio.com/blog/make-receive-calls-twilio-number...
Your existing cell number can be ported over to Twilio if you are patient.
The only problem is trying to use the number for 2fa. A growing number of banks (like Capital One) block Twilio services from recieving their SMS.
Right now I'm getting a fake credit card debt collection call (I've never had a credit card in my life, only debit), and a call telling me that I'm eligible to have my AT&T (phone) bill halved (I don't have AT&T phone service) and all I have to do is call the number "on my caller ID." I think those two are both being read by the same woman (not the Chinese one.)
I'm more of a texter than a caller, so the vast majority of calls I get are robocall frauds. I'd love to get a robocall that was just annoying for a change, rather than completely predatory.
If you're in Europe, but don't share a language with a much poorer country, you're safe from these.
Either way at this point I operate under the expectation that most information I input into a database may be leaked at some point. This is particularly rough for services that demand and track a lot of things, but it cannot be helped.
And since it's a Facebook controlled company a leak like this happening again isn't that improbable.
Quote:
"Cathcart: It’s true that we do have some information about how people use WhatsApp and that we do know, for example, the device ID. We collect this only to secure our services and protect from attacks. When you use WhatsApp and allow access to your phone book, we only see the phone numbers, not the name.
DER SPIEGEL: Do you share these numbers with your parent company Facebook?
Cathcart: No, we don’t. The updated privacy policies will actually not change anything globally in our ability to share data with Facebook."
I don’t see how that “globally” can be true. If one compares the WhatsApp terms of service in the EEA (https://www.whatsapp.com/legal/updates/terms-of-service-eea/...) with those elsewhere (https://www.whatsapp.com/legal/updates/terms-of-service/?lan...), you’ll see the latter adds:
Affiliated Companies. We are part of the Facebook Companies. As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the Facebook Companies as described in WhatsApp's Privacy Policy, including to provide integrations which enable you to connect your WhatsApp experience with other Facebook Company Products; to ensure security, safety, and integrity across the Facebook Company Products; and to improve your ads and products experience across the Facebook Company Products. Learn more about the Facebook Companies and their terms and policies here.
AFAIK, that addition was what caused the uproar earlier this year.
(Also note the dark pattern in both terms of service that seed confusion as to which are the ones that apply to the EU. In the first sentence, “If you live in the European Region, WhatsApp Ireland Limited provides the Services to you under this Terms of Service and Privacy Policy.”, ‘this’ doesn’t refer to the text you’re reading, but to the texts behind the hyperlinks)
Quote: "WhatsApp, which was acquired by Facebook in 2014, does share some limited data with Facebook, including phone numbers. However, the firm has reassured users that messages will always be protected by end-t0-end encryption, which means neither WhatsApp or Facebook can see these private conversations"
Source: https://www.forbes.com/sites/carlypage/2021/01/15/whatsapp-d...
They want to know who talks to who. Limited data? What a bunch of horseshit.
Likewise, sharing a limited amount of information with Facebook simply means they don't hoover up every single bit. Perhaps Facebook is not interested in those automated texts you get confirming haircut appointments...
I’m not sure their algorithm is this refined, but it’s not impossible.
These advertisements with half the information about the technology should be illegal.
But Facebook has no history of lying right? /s
No.
I am doing the same boat...and was working fine until i lost & replaced my old phone. All conversations were lost, and this makes it challenging to use whatsapp for any non-group conversations (since I can't start any).
There are also some apps and webpages that helps with this process (Disclaimer: I'm the author of one of them for Android [0])
[0] https://play.google.com/store/apps/details?id=com.trianguloy...
99+% of every single person you meet has either FB, IG or WA installed on their phones and shares their phonebooks with them (assuming you live in [insert western country here]). There is also a very big chance at least some have your full name and address in their phonebook. Facebook not only knows who you are, but also who you are in contact with, when you meet new people and who they are. They also collect phone and text records with their apps so they also know the frequency that you have contact with them and they can even read the content of text messages (most people these permissions to the apps because it will automatically verify the associated phone number). Add all the location data, ssid/mac address collection and countless of other datapoints to it and they can draw out your entire life even when you don't use anything from facebook. There is no escape.
Aside from China, Japan and Korea, do such countries exist?
citation very much needed
Get a virtual phone number if any service requires a phone number from you. Don't submit to this nonsense.
They are like the credit companies, they have information on you whether you allow them to or not.
The only way is to have a separate set of email, phone numbers, for those family and friends who doesn't care about privacy and security, that way it is easy to dispose those information later.
Beyond that … if we truly want to avoid it … the only course of action is to not give them anything at all. Not a single email, not a single phone number, not even our home addresses.
Hmm, not many of my friends have my phone number either. I don't usually use phone with friends. Come to think of it I almost never use phone, I always use FB, WeChat, LINE, Hangouts, etc. for voice calls, and sometimes just use a straight up WebRTC call.
I suppose one way to alleviate this for the masses is that when giving your number to a friend, have them use a pseudonym that is easy to remember for them and not use your real name.
But I don't even understand why they're allowed to look up the provider, or why I can't define myself as a mobile operator.
1. At https://www.facebook.com/USERNAME/about_contact_and_basic_in... - there's a contact info section where one can fill in a phone number (among other details) and set the visibility to Public/Friends/Friends except <group>/Only me/Custom/custom lists.
2. And https://www.facebook.com/settings?tab=privacy - there's a "How people can find and contact you" section that covers "Who can look you up using the phone number you provided?" with options of Everyone/Friends of Friends/Friends/Only me. I imagine it'd be very easy to select the wrong thing during setup due to the overwhelming number of things to read and click.
I suspect those who have set the latter, or both options to "Everyone" will most likely be in the "free" data dump (except perhaps for most Australian Facebook users, for now).
I feel the second setting is riskier, especially if you don't want employers or colleagues to be able to simply look you up on Facebook by phone number. For example, I could hypothetically display my phone number to "Everyone" on an incognito profile and no one should be able to just wander by and spot my profile and immediately figure out who I am (assuming this profile doesn't somehow get suggested to "Friends you might know" - big assumption, yes; but this would depend on how I complete my profile). Regardless, either one or both set to "Everyone" is a recipe for disaster.
I believe more people would have allowed number searching compared to those who just have their phones displayed to everyone on their contact info sections. In effect, it's a bit of a reverse phone book, plus extra.
We should assume the leaked data doesn't go away; that instead people out there are consolidating Equifax data with Vastaamo data, adding data from Exchange hacks and the Accellion hack, to cross-reference with data from Facebook... it's like water flooding a levee now, instead of evaporating.
Not the first time I've harped here about this (ie: https://news.ycombinator.com/item?id=26604753, https://news.ycombinator.com/item?id=24586258), but I hope we start planning for that kind of future.
For example even though I am using a throwaway account, HN's logs might one day get compromised. So now they can join the IP address to other compromised sites that I was logged into using my usual email. And from my email they already have my name, SSN, address, phone number, usernames, passwords, etc, exposed from prior breaches. But now they know about my shitposts too.
It's risky if things go sideways, but HN doesn't require an email address for an account.
There is no way to let a user find their friends on a service without such an API. Yet if you have such an API, someone can simply brute force all phone numbers worldwide (there are only 10^10), and now they have a database of all users...
Rate limits can help defend, but considering many users might have 1000 phone numbers in their address book, you can't set the rate limit very low without impacting user experience. Attackers can reduce the search space dramatically by only checking phone numbers that resolve to an active line (using VoIP stuff to test a number).
The only real solution is for your app not to have a "Here is a list of your friends already in the app" screen... But as you can imagine that means you won't get any user growth or VC funding...
Facebook could have an API by which an app can prompt its user to show a list of all of that user’s friends who have the app installed. The app would only learn the identities of people whom the user explicitly selects, and phone numbers would not be part of that identity.
But for phone numbers, you about protecting Facebook API (which is publicly available via the internet) against arbitrary devices, which Facebook has no way to tell from legitimate ones
But Facebook's app needs to access Facebook's database somehow; and anyone can impersonate Facebook's app and query that database too.
There is absolutely no need to upload your address book to make you number unsearchable.
Also, at least some countries have longer phone numbers (Germany, the UK and China have 11-digit ones, for example), and the international public telecommunication numbering plan says plan-conforming numbers are limited to a maximum of 15 digits, excluding the international call prefix (https://en.wikipedia.org/wiki/E.164), so the search space, potentially, is a lot larger.
Canada and USA share the same numbering plan and that's sometimes overlooked.
I always "press 1" to interact with the 'your social has been criminally suspended blah blah' or 'card-services' robo-calls.
When I have time I share circular stories about my grand-kids that don't visit me anymore, but when I don't, I just respond in French with something like "Je pense vous etes une pamplemousse."
Most recently, one responded with "NO HABLOS ESPANOL". lordy lordy...
Like for real, it took me 2mins to find the leak myself...
There are an awful lot of arguments against this stance and the argument supporting the claim appear to split hairs in a very convenient manner.
https://www.bbc.com/news/technology-46618582
https://www.independent.co.uk/news/world/americas/facebook-d...
This one is interesting and refutes the argument you are making
“When the company argues that it is not selling data, but rather selling targeted advertising, it’s luring you into a semantic trap, encouraging you to imagine that the only way of selling data is to send advertisers a file filled with user information. Congress may have fallen for this trap set up by Mr. Zuckerberg, but that doesn’t mean you have to. The fact that your data is not disclosed in an Excel spreadsheet but through a click on a targeted ad is irrelevant. Data still changes hands and goes to the advertiser.”
https://www.theverge.com/2018/12/14/18140146/does-facebook-s...
It’s in reaction to this below link in the NYT which is also interesting.
https://www.nytimes.com/2018/12/12/opinion/facebook-data-pri...
I argue that FB makes money by collecting data, then selling it. What’s the opposing view?
I haven't checked the content myself, but this tg channel is usually legit
I've tried three different browsers and none can get the download to work. It's possible I'm blocking some tracking domain at the router-level that's integral to the download functioning.
Edit: Turns out I was blocking Google's captcha.
https://siasky.net/AAC7DeBiGWL-QbG0cEFpCwuEiRlmrNLu7FdOUrF3t...
And a couple other Sia portals it's available through:
https://skyportal.xyz/AAC7DeBiGWL-QbG0cEFpCwuEiRlmrNLu7FdOUr... https://skydrain.net/AAC7DeBiGWL-QbG0cEFpCwuEiRlmrNLu7FdOUrF...
https://www.perthnow.com.au/technology/internet/federal-gove...
Earlier, it appeared Troy Hunt was sent both Australia and Austria:
https://twitter.com/troyhunt/status/1378481134086971394
https://gist.github.com/troyhunt/00b9aa28d486c9b81f18259fa80...
~196 MB vs ~34 MB respectively.
However, he later posted an update later expressing some similar curiosities:
https://twitter.com/troyhunt/status/1378938375881682946
https://gist.github.com/troyhunt/9a081cea0de6cbc63d93ebc0104...
The second gist is the one showing "Austriaia" (Austria, not Australia) and ~35 MB.
Edit: Nevermind I found the pastebin below.
https://raidforums.com/Thread-SELLING-Free-FaceBook-533M-rec...
However, the comments in that forum suggest that it's not "free" and/or not there.
https://github.com/dessant/buster
Regrettably, I was forced to create a FB account for work.
Search for :YourFirstName:YourLastName:YourGender
I've been pwned 33 times. At this point, it's just noise. My passwords are all unique (password manager). Honest question - What should I worry about?
I guess I could envision a scenario where you're being investigated, and these leaks provide a roadmap of services to subpoena.
Could you please review https://news.ycombinator.com/newsguidelines.html and stick to the rules? We'd appreciate it.
The cats sorta out of the bag, but one can dream.
At this point I’m not really sure what it will take for companies, like Facebook, to understand that you need to not fuck around with peoples private data.
Ex, pay x amount per month in perpetuity for each piece of information about a user your keep. And have to pay the "net present value" of those payments if you lose the data.
Having to pay for hoarding user personal data changes the incentives from gobble up as much as possible, to instead only pay for a users data that is worth the cost to your business.
And as an extra incentive to not hold unneeded user data, know the costs you'd pay if it was breached.
Respectfully, I'm not sure either of these lead to outcomes we want
the security handbook[^1] has a chapter on that actually, and they basically say that role playing is the only way of not getting burned. Humans are excellent at role playing, and it can help you prevent a lot of catastrophe without having experienced them before.
[^1]: https://securityhandbook.io/
To me, a good parallel is home insurance. If you get robbed, a good insurance will cover your losses. However, if said insurance determines that you were negligent -- say you never lock your front door -- you are on your own.
Do you have precious art at home that you want insured? No problem. Just make sure you add an alarm and sprinklers.
That is how I want discussions around security to be held. Are you a start-up with 10 users? It's okay to do minimal security. Are you a bank whose wires carry $1B? Make sure you throw sufficient "bodies" at the problem, from the top of the hierarchy to bottom.
Mark Zuckerberg probably spends more on personal and family security and privacy than Facebook spends on their users' security.
https://twitter.com/Liz_Shepherd/status/1378398417450377222
"You keep using that word. I do not think it means what you think it means."
I "deleted my account" in the run-up to the 2016 election, because I could see how social media was being manipulated, and what it is doing to society. And I mean I _deleted_ it. I took the extra steps of researching how to REALLY delete it; not just suspend it.
A couple years later, I needed to get a new account to help admin a page. You can guess where this is going. I tried my usual email -- since it should be free, and it was deleted, right? And... what do you know? Everything was still there. All my posts. All my connections. Everything.
Facebook never deletes anything.
Long story short, regulators already have more than enough evidence about Facebook's lack of GDPR compliance so they could've already imposed large fines if they wanted to. The fact that it hasn't happened yet shows there's no motivation to actually enforce the regulation.
But Facebook have enough money and lawyers to ensure a plea deal is agreed. We work out as nothing more than a slap on the wrist.
All the big tech companies budget for these fines. You'll often see it called out at earnings where they allocate funds for a particular fine in a given quarter even though the investigation isn't finalised.
[X] Doubt
There's always an incentive to steal or leak it to other companies for money; so as long as the incentives are aligned with GATHER ALL DATA and KEEP IT FOREVER then yes, it will just be a matter of a time before each data store is compromised by mistake or purposefully.
I think this demonstrates that user data can be managed safely and effectively.
Usually the incidents reports on user data leaks show that the company seemed to barely be trying - We need laws that force them (even small companies) to put serious effort into it.
Am I reading this wrong, or are you saying that activists would be more likely to leak data? Then I would wonder what kind of activists you have in mind.
Agreed that yes indeed it seems possible to build a security serious company, and that Google is (seems to be) a good example. (Now, there are other things I don't like about Google but I guess that's of topic.)
Ideological employees of big tech firms taking a sudden disliking to someone or some group and abusing privileged access is certainly a threat that ever larger numbers of people are talking seriously. In particular, it is a concern for industries that do things activists don't like, such as working with immigration control (though perhaps that's no longer an issue now Trump is gone).
Sounds interesting, you don't happen to have a link? (So I can read more)
Kathryn Spiers, who worked as a security engineer, updated an internal Chrome browser extension so that each time Google employees visited the website of IRI Consultants — the Troy, Michigan, firm that Google hired this year amid a groundswell of labor activism at the company — they would see a pop-up message that read: “Googlers have the right to participate in protected concerted activities.”
Discussion here: https://news.ycombinator.com/item?id=21813619
Note that she wasn't able to do that unilaterally. Some other member of the team approved her CL and others defended her in public.
I have a vague feeling there was another case like this some years ago where some security engineer modified a Chrome extension for political reasons, but I can't remember the exact details and can no longer find it.
Equifax has more at stake than most. And they've been hacked. Repeatedly. The government has been hacked. Yahoo was COMPLETELY owned. I mean, if someone would put together a list, it would make for shocking reading. It's become so common, that we go, "Oh no! Anyway."
I don't trust in the government, but I think digital "personal data" should be only available for "confirmation" to companies that need it. Say, a government entity could have an API that allow you to send hashed personal data that they can verify is right. This way companies will ask the user for their data and hash it client-side. Then they can send the hashes (hashed with a custom provided salt to the entity (government, maybe private) who will basically reply with a True or False on the verification of the different data.
It may even be an interesting use case for a public blockcahin, where your personal data is stored in a Merkle Tree type of data structure, so that one can verify that certain pesonal data of a person is true, without disclosing the data.
Humans will error and enter data incorrectly so the hash would be different every time potentially despite being "correct" to a human at a glance?
You could standardise everything (lowercase etc) but I imagine there are country and regional edge cases such as capitalisation having meaning in a given language (I can imagine it being a thing but I don't know it for sure)
This sounds like a good use case for short brief documentation.
For example Estonia has had famously and online identity stuff linked via a federal ID (in europe there are more republics then federations so it's easier to manage country-wise) [0] [1]
Or more familiar to me with a bigger sample is a movement in Poland which is gaining popularity - mojeID (myID) which is a Single Sign On system with major banks as providers (they really regligiously check the identities when you open a bank account) or the statebacked login.gov. The mojeID system allows other entities to use your actual identity as an authentication factor without having to keep that much data and pose risks - for example an online alcohol shop can verify the age. [2] [3]
[0]: https://en.wikipedia.org/wiki/Estonian_identity_card
[1]: https://e-estonia.com/solutions/e-identity/id-card/
[2]: https://www.kir.pl/en/administration/mojeid/
[3]: https://www.mojeid.pl/#zastosowanie
https://www.spid.gov.it
- "How much money is currently owed in taxes to the government?"
- "Can't tell you that, we're not allowed to aggregate data".
Edit: what I was thinking originally was that in the world of paper-only archives, these massive leaks were all but impossible, yet business could still be done. It should be possible to combine this slowness with the convenience of computers.
That said this is certainly interesting, I wonder if there has already been an exploration of this topic. Could definitely make an interesting startup idea :)
A quick google indicates "maybe": https://about.fb.com/news/2020/06/may-cib-report/