338 comments

[ 1249 ms ] story [ 3605 ms ] thread
This problem, namely bazillions of ways to get auth wrong, is solved by Web3.

I really don't get why everyone here hates it.

Edit: Yes, I meant that login is tied to your wallet. This can be a hardware wallet, so it's very difficult to have it attacked, can be backed up, never expires, etc. This auth mechanism removes _tons_ of problems with existing web sites & giant corporations. But I guess most of you work for them, so have fun mocking people who are not like you :)

It would be helpful if you were to explain why Web3 would be beneficial here instead of just tossing snark towards HN.
It'd also be useful for them to define what they mean by Web3 in this context.
metamask with login with wallet, i assume, is what they mean.
Like pretty much everything else involving blockchain there are more straightforward ways to solve the problem without all the BS.
yeah for auth is a blockchain even required? it's pretty much just asymmetric crypto at that point isn't it?

I think the 'web3' way would make it worse wouldn't it? like metamask relying on centeralized service to query the blockchain

I guess a real benifit I could see would be being able to use a blockchain to revoke your keys somehow but that's not how metamask and web3 stuff seems to work right now

Metamask can sign data, which would help you prove the user has the private for a given public key. You do not need the blockchain.

The chrome extension to cryptography would help - but we have FIDO that does exactly that (and webauthn i guess).

Indeed that is possible, the problem is all the greedy corporations that want to suck all our data, so they can't simply trust the signed messages of Metamask and want instead to implement layers of poor software for their profit
oh i mean, identity/authentication alone doesn't make profit right?

The problem with using PK cryptography is that if you lose your keys, you'd be locked out.

Then we would probably have other key schemes M-of-N etc or social proof to compensate for the problems with single-key PK, which then has other problems.

Metamask relies on whatever RPC you give it, including your own node if you want

The asym crypto is enough for proper authentication, but decentralized apps generally are built to use it, without relying on centralized data. A message signature being verified by a stateless service is all that is required

Could do without web3, but the practice of predatory web giants and smaller startups is to exploit the users so they don't do that

The BS makes it a more sticky though.

If your entire life (identity and finance) is gated by a single password, a user will Care more and that makes it easier to use and remember.

In other words, having your wallet behind the same password supports adoption.

> I really don't get why everyone here hates it.

Partly because comments like this.

Thanks for being helpful.

All the web3 or crypto hate if you prefer is a very strong bias in this site. There are no real arguments, just that it is a scam or whatever. Is asymmetric crypto a scam? Is Leslie Lamport an idiot and nobody needs decentralized computing?

Please enlighten me

You just name dropped web3 as a solution without having any explanation about how and why exactly would it help and now you are complaining I'm not being helpful? You serious?
> solved by Web3.

To the extent that web3 is even well defined, no it absolutely doesn't. The blockchain space right now is rife with scams and people getting stuff stolen from their wallets. At best it makes it harder for the average user to understand how to be secure and at worst it changes this scenario from "I lost my facebook account" to "I lost control of every asset I own and my entire identity".

(comment deleted)
The problem here is that the user had their own domain and lost it. Obviously the analog here is having their own wallet and losing it, in which case they're probably more screwed rather than less.
Run out of time is a little more accurate, and a failure mode that Cannot Happen with crypto, though. Steps can be made to make your wallet impossible to lose, but not your domain.
Wallets do not expire
Technically true, but if you lose your key and don't have a backup, or forget your password, you're stuck; there's no recovery process (except brute force, which doesn't work on secure passwords), by design.
One thing that may have prevented this hacking: facebook could have noticed that the primary email for the user was for an expired domain, and proactively notified them to remove it.

When a domain expires, there's a grace period, and just checking daily whether a user's email's domain is expired, and if so texting them or otherwise notifying them to change the email, would have been sufficient.

This wouldn't even require _that_ many checks since the total number of unique domains to check is probably low. 99% of all users will be on gmail/outlook/yahoo/etc, and all users using the same domain only require a single check a day for the domain not having lapsed.

She's a mom of 2 who recently is living in a new place. Things like this are always overlooked. Let's just cut her some slack. I am a parent too, I know how difficult kids are. On that note, maybe there is a chance if she contacted someone from LinkedIn who works in Meta.
>Let's just cut her some slack.

TheDong isn't suggesting something she could have done. TheDong is suggesting something Facebook could have done.

It's just an expenditure that won't produce any profit. The technical term for this is "waste."

The only way this would not be waste is if fixing it would do something to reduce the amount of ill will towards facebook which is quite intangible and unlikely to add up to covering the costs. But who knows what calculations are being made, or how they may change in the future.

The whois check for a domain literally contains when it will expire. You can do this one time (combined with an MX lookup) while the email is added.

And knowing the ASN of a domain is also quite helpful. If anything changes (e.g. geolocation of ASN or different domain registrar) you can easily force the user to confirm this while they are already logged in.

Source: I am doing this for my tholian.network products.

> The whois check for a domain literally contains when it will expire. You can do this one time (combined with an MX lookup) while the email is added.

That’s not reliable. A domain can be deleted before expiration.

Sure, but that is usually by the request of the owner, if I'm not mistaken?

Better cover most of the cases than none.

All I’m saying is if you’re building such a system you should be aware of this and possibly account for it with some low frequency scanning before listed expiry. Or not, if you decide it’s not worthwhile.
Could also be renewed
Alternatively you could do a whois query of the domain (and verify against cached details) before sending out the recovery email. It's probably best to do that every time the email addresses are changed or updated.
Note that some WHOIS servers (as in port 43) are hostile to automation and might block you if you’re doing it too much, although you could be paying a few cent per custom domain per month to have a service perform the data aggregation for you.
Agree, most ToS of WHOIS servers say they don't want automated queries.

In this case I think it'd be simpler to just do a DNS check, either NS alone or A/MX. Scales better. If NXDOMAIN is returned over a period of days then the domain can be flagged.

How many accounts per year do you think are hacked this way? How many accounts per year do you think are hacked in other ways? Facebook has a finite amount of engineering effort, and the effort they put in to stopping hacks probably goes toward things they expect will prevent a large amount of hacks.
I’m sorry. Meta has a finite amount of engineering? The profit margins are so thin that there is no possibility of improving service for users? That everyone is fully dedicated to new development that support for existing products can’t be spared? That Zuckerberg is so fearful of his board that he is afraid of being forced out if he lets up on the gas for just 1 sec?

Or is it that they just don’t care?

>The profit margins are so thin that there is no possibility of improving service for users?

I'm saying that there are many ways of improving service for users. If we prioritize those ways, I doubt doing checks for expiring DNS would be near the top.

Based on experience, it does not seem like they prioritize ANY improvements in customer service. And until there is a credible threat of government action I doubt they ever will
Remember that most users are not customers here, they are inventory. A bit of breakage is expected.

The advertisers are the customers.

Yes, they don't care. Why would they? That user probably doesn't generate much revenue, and losing them won't cause any major scandal in the press or anything embarrassing to top FB managers. I can't see any motivation for them to care.
>One thing that may have prevented this hacking: facebook could have noticed that the primary email for the user was for an expired domain, and proactively notified them to remove it.

Almost any website, app or online activity that requires logging uses email based authentication. Do you think all existing web sites and apps should verify the expiration of mail domains? And what about phone numbers? A user can lose his phone number, should they verify that, too?

>Do you think all existing web sites and apps should verify the expiration of mail domains?

No - it probably wouldn't be worth it. But it could absolutely be worth it (weighing bad outcomes against amount of effort needed to prevent those outcomes) for the biggest sites with billions of users.

... especially when they won't otherwise offer recourse/support in case of rare events like this. Rare events become less rare when there are billions of users.
And every small website who offer email authentication should implement all of that that and more?
This should be a part of the process of ALL sites that use email/domain ownership as proof of identity. There are a lot of them besides Facebook.

Yeah, it's not currently possible for phone numbers, but that's not a reason for not doing it for domains where it is possible. It's also easy to imagine a privacy-respecting public registry for phone numbers, which only reported when the ownership had changed.

(comment deleted)
> facebook could have noticed that the primary email for the user was for an expired domain, and proactively notified them to remove it.

Or just wait at least a week before emailing a password reset PIN to secondary email addresses. I reported this exact vulnerability 4 years ago:

https://news.ycombinator.com/item?id=17835127

This sucks to hear. Having dealt with Meta properies, they won't be interested in helping you.

I had something similar happen to my Instagram account.

A few weeks ago, I got a popup inside IG to verify my age. Not wanting to give them my real age, I set my age as 0. The popup playfully said that my age can't be 0. So I set it to 20 years and the popup got stuck. After a few taps, my account was marked as underage account and I had to send my photo id to get it back else it will be deleted permanently after 30 days.

I though about all the photos and messages in my account and while it would be sad to let it go, I reckon IG's ban was a blessing as the quicker I let it go, the free'er I would be from Meta's clutches.

In in the end, I didn't verify my account. By now, it would be wiped out by a cronjob.

---

The sooner you realize these companies(and Meta in particular) don't care about you, the better. These are all rented platforms and should be treated as such.

Don't invest too much in these platforms and if you must, invest in a personal blog hosted on your own domain.

I wish they would wipe accounts. Instead it will be kept probably forever and your backup email will be spammed forevermore. I started creating an account more than a decade ago. Maybe entered my birthdate and university and stopped. I get so many facebook emails and cannot stop it and I never used it. I don't have the password to recover and im sure it would be flagged if i tried.
FB employee here.

Instead of assuming they don't care about you, assume scale and sometimes incompetence. Things happen, people are striving to be better, but scale comes with pain sometimes, sadly.

At sufficiently large scale, there'll be people who have bad experience with the platform. The teams are always working on improving it, and security of accounts are obviously important, but sometimes things go wrong for some unforeseen circumstances like in this case.

> scale and sometimes incompetence.

This would mean that automation is built for trust, not for "don't call us anytime".

Everything facebook so far has automated when it comes to customers is actively helping scammers taking over accounts more easily, rather than helping actual real people that are who they say they are.

But, facebook's incentive is ad business, that's why things like this will never get prioritized.

There are FAR more non-ads people than there are ads people.
> There are FAR more non-ads people than there are ads people.

Not to be terribly facetious, but ads pay the bills. I'm not aware of any significant money-making ventures Meta is involved in outside of ads. In the end, that makes all employees "ads people". All ventures, projects, features, enhancements, and bug fixes are to serve the ads machine. Unless, of course, there is legitimately a new market opportunity that will create revenue without ads.

Even the Oculus arm of the company is really just a new platform for ads in the end.

alpha_squared: that's a little too much extrapolation. people outside of ads don't really care much about ads, to the point i find kind of annoying (i am in ads). non ads teams in general have non-ads metrics they care about more. obviously revenue is being kept in mind, but it's more of a guardrail and not the goal (for non ads teams).
(comment deleted)
It doesn't help sell ads if there's nobody to sell ads to.

But the "monetizable eyeballs" are interchangeable, 100% so.

(comment deleted)
A lot of businesses have significant overhead staff. Cost centers are notorious for having skeleton crews, regardless of their relative size.
> Instead of assuming they don't care about you, assume scale and sometimes incompetence.

I think we do assume scale when we pass harsh judgments on large corporations.

At sufficiently large scale there will be employees that just don't care about their users. It doesn't mean every individual at Facebook is like this, but Facebook as a corporation, and a certain percentage of employees, do not care about the users. That's not to cast judgment on you or your team, I believe there are people who genuinely try to help at all corps :)

Unfortunately, like you said, the reality is that as the scale of a product increases the quality will decrease on both sides of the transaction for some people.

Of course, there will always be someone who won't care about their users, it's inevitable. But knowing how sausage is made, there are different trade offs when it comes to authentication...

I was at google before here, and things there are much much more stricter to the point where even an internal employee cannot do much help for themselves [1] as it happened to me with my own account. That's also not good. Things do get better, but they probably have different trade offs.

I am not sure if "scale of product increases quality will decrease". I remember twitter fail whale, and seeing it constantly, I remember android bugs from google, I somewhat remember fb's own issues (but this part is fuzzy as i have been a very light user - twitter is more my jam vs fb). Also early on internet was cleaner, spam and fraud was less, crypto money scams were nowhere to be seen at the time. So i'd say things actually got much better, maybe "attention to detail" diminished, which i guess i could see.

[1] https://news.ycombinator.com/item?id=31391843

There seems to be a loose consensus (which I agree with) that takes a bit of a dim view toward patronizing a company (any company) where the scale is such that there’s no effective relationship between the company and non-paying users. I think that’s probably a better way to capture and elucidate the sentiment than “scale goes up, quality goes down.”

There’s something to be said for being able to get support for issues from a human being who is empowered and resourced to solve your issues amicably.

It makes a huge difference. Since I’ve worked hard to rid my personal and professional lives of non-paid services and all social media, I’m just a happier and more consistently productive person.

I think this is fair. Part of the issue is as the number of users increase, the support staff has to increase, which in turn would increase the "attack surface" where a support staff might go rouge etc, and cost also increases probably super-linearly.

Google took the opposite approach and delegated everything to automation, which had other problems.

Being a paid user also probably helps with contractual side of things, but ianal.

Everything here is my personal opinion if it weren't clear.

I think future tech like Kilt protocol would go a long way to helping solving this problem. But I think generally there is a lot of solution options such as KYC processes that could take steps to solve it, some countries would perhaps be easier than others to solve initially. Is there not a team/ think tank working purely to solve these types of problem?

Solving this type issue should matter most above all, its the grass roots of users that's made FB what it is.

Try doing KYC and people will go bonkers(americans in particular).

I personally don't give out my passport info unless i absolutely have to. IRS recently implemented this id.me id verification thing and I only went through it because i had to.

Also people use Fake Ids all the time. Even when you present an ID in person, it would be somewhat fakeable.

Imagine now doing it over laptop camera, with tech like deep fake it will get even easier eventually.

In my IRS case, automated system couldn't get me verified, so i had to wait i forgot how long to get to a person who just said "yup, you are you" and had other limitations and probaly would quickly run into scale problem if it were peak times or peak use cases.

No, you should definitely assume they don't care. As soon as they can no longer extract profit from you, the economic incentive for them to care simply vanishes. To believe otherwise would be completely foolish.

If you want to put a positive spin on things, you can assume that their intention is to not let spammers overrun the platform, or kick off legitimate users, as a matter of protecting their brand integrity. The costs of being 100% effective at this are prohibitive due to diminishing returns in any such enterprise. Within the organisation there are probably a great many people who would love to help an embattled user, trapped in the Kafkaesque nightmare of having to deal with the corporation. It's just a matter of jumping up and down and screaming loudly enough. You can chose to see that as a positive example of the kindness of humans, even humans who work in gigantic corporations, or you can chose to see it as an example of offloading costs on to the consumer to protect profits. Tomato/tomato.

"Assume scale and sometimes incompetence" means basically the same thing to me as "they don't care about you." In either case, it's "we're okay with not making things right for a number of people who have done nothing wrong."
0.1% * 1B users = 1M users. 0.01% * 1B users = 100K users.

I don't know if anyone ever designed a fool proof system with 0 bad cases, but feel free to prove me wrong.

I tried once. No one could route a connection through the epoxy in the Ethernet ports :-(
> feel free to prove me wrong.

Yeah my money is definitely on 'they don't care'

But I do know people who have designed systems to make it more difficult for those 0.01% of people to contact a human or get anything done about it because that increases their profits.

Okay, maybe you're fine that some amount of people are just collateral and the system is not going to be adjusted to minimize that because there are other priorities (eg. meta's share price).

But when people need to spread their wings and fly off in to a fantasy world in order to pretend that isn't happening, then it's probably not going to end well for them / be conducive to their mental health in the long run.

If a company's answer to 100K of its users having insolvable problems is "it's scale, deal with it", maybe that company has no business being so large. And yes, that applies to Google and all the others as well.
I don't know if you can really say that for a social network or a search engine. They naturally grew due to their network effects.

A weird analogy would be saying "US should have no business growing to 300M if it has XM people under poverty level". Sure it should strive to do better, but doesn't mean that number can reach to 0. Sorry i couldn't think of anything else close to a billion users with systemic problems that's not a bigcorp so had to use government.

Shit happens, indeed. The question is what recourse there is when shit happens. Usually, one would contact the company and figure things out with a support rep, if the company is any good. In facebook's case, that's virtually impossible. And that is pretty much by design.
If most people having no recourse to a problem that they face is just a problem of scale to the company, then may be the company doesn't deserve to operate at that scale.
> assume scale

Scale is an excuse used by corporations to get away with whatever they want. Blaming things on scale is exactly equal to calling your customers a mere statistical data point.

"I'm sorry, we through your meal out the window, but 98% of the current customers dining in got their meals successfully. Here's a website with no contact info to help recover your meal."

If these "scale" corporations like Amazon, Facebook, Google, and the ilk actually cared about their puppet customers, then they'd go read the work by Stafford Beer and other complex systems thinkers and learn how to take care of unhandled variety rather than creating it behind the excuse of scale.

"...there'll be people who have bad experience, unfortunately". The bad experience is the frustration of a kafkaesque process that dead ends with an ID submission form without the personnel infrastructure to actually support it. It's there to shrink from saying what you just said. You shouldn't need to come to Hacker News to get the real answer.
"Don't tell me what you value. Show me your budget, and I'll tell you what you value."

Blaming scale is just another way of saying FB won't fund enough user support. And if FB won't fund it, it doesn't care about it.

collects $10k/week paycheck

"Scale comes with pain sometimes, sadly"

"Things happen"

have any more substantive comments besides ad hominem attacks?

it's 10pm, and i reported this problem a few hours ago - i probably either care about the problem, or i am nerding out on HN, or both.

Money doesn't define how i think of problems, if it decides yours, power be onto you.

It's not ad hominem, it's an observation about senior FANG engineering
Is it an observation about specific people? I doubt it.

Also it's clearly directed at me. Hard to spin it otherwise because it's using things i said

either whay you are saying sound more like a stereotype. I doubt you observed enough people in person to make a stereotype worthy conclusion.

You most likely care (otherwise you would have stayed out of this thread). But when the recourse for many users are getting their issue on HN, it’s difficult not to draw the conclusion that Meta on an organizational level doesn’t care.

Or rather: It’s value-based customer service. If the monetary value of fixing one user’s issue is less than the lifetime monetary value of keeping them as a user, then fixing it is a net loss and so it shouldn’t be fixed. When a user gets their issue on HN, the calculation changes.

Choosing scale over service was a conscious choice your employer made. They didn’t have to make that choice.
If you get more and more users do you say sorry, we are an exclusive club of 2m[1] we won't let you have a chat/group/event with your other friends who were late to the party.

That sounds wrong.

[1] rando number, large enough to brag about probably small enough to have easier support problem

Scale is multi-dimensional. It's not just a question of user base; there's also all the different features they have added over time as well that they have chosen to dedicate resources to. Also, support has cost, and putting service as a key feature of your brand often means sacrificing margins.
> invest in a personal blog hosted on your own domain.

It appears that's how the problem arose in the first place.

I was gonna say the same thing. If she didn't use her domain for her email address and used e.g. Gmail, this problem wouldn't have occurred.
It’s been said too many times, I know.

You’re the product! When the product is spoiled, you throw it away! Recovering spoiled product doesn’t do anyone a damn bit of good.

I think it’s even worse than that. I’ve been locked out of my Uber account for years, and that is not an ad based company. It’s just that at a certain scale , it’s not cost effective to handle edge cases.
Probably what, if it was inclinded to do so, the universe thinks about humanity.
> By now, it would be wiped out by a cronjob.

You are an optimistic person.

(comment deleted)
Something similar happened to me. I had to upload photo id, then it disappeared into the block box.

Facebook does have a process for getting things like this fixed very quickly. The trick is you need to know someone who works there.

I was locked out for six months then circumstances meant that I knew someone at Facebook. I told them the problem and it was fixed in 24 hours.

Make enough noise and someone at FB will hear and fix it for you.

>>> The trick is you need to know someone who works there.

The people at Meta/FB who are in charge of this stuff have IG models throwing sex at them to get accounts restored. I'd be surprised if those guys take action to fix the account of someone who isn't making it....ahem worth their while, so to speak.

https://www.newsweek.com/onlyfans-star-slept-meta-employees-...

(comment deleted)
> Facebook does have a process for getting things like this fixed very quickly

Maybe that's true for some things, but the community standard violation/restriction code seems like it's always been a mess, every fix breaks something else, every new FB feature makes it fail in new ways, and there's no real motivation to make it good (who cares about violators, right?).

I feel it's so bad because because it's been constantly patched under pressure every time media catches on something on the platform (e.g. after the livestream of the Christchurch shooting, FB started handing out livestreaming restrictions like candy for every minor violation, and to my knowledge it stayed like that until today). I honestly would love to see the code like I love to watch terrible movies.

It's so consistently and innovatively bad, and I have such a hard time thinking nobody violating CS has friends at FB, that the unmaintainable mess is the only explanation I can find.

> The trick is you need to know someone who works there.

This also works with Google wrt Google Play. They even have "developer relations" people specifically to handle this kind of communication.

> Something similar happened to me. I had to upload photo id, then it disappeared into the block box.

I abandoned my account awhile back, but I remember them suddenly demanding a photo id for "security reasons" or else they wouldn't let me in. I just closed the tab and decided I was all done with facebook since I wasn't crossing that bridge. A few months later I tried to login again and suddenly they didn't need the id anymore.

I have an instagram account that got locked out because I signed in from a new device. The email I used to register the account 12 years ago was deleted, so I'm unable to receive the security code to unlock it. This account is also apparently ineligible to ID verification because it was registered pre-facebook acquisition.

I couldn't find anyone at FB/IG willing to help me with this. There are pictures of my friend who passed away years ago and apparently this is going to stay online forever...

So you're free now! Go enjoy life without facebook.
Nooo, you definitely want to permanently delete your data off there before leaving or it's going to haunt you forever.

I would encourage anyone to delete and leave, but having a spammer take control of your account before you can do that has to be a nightmare.

Anyway, I am free, so I am going to go outside and play with a stick. Too much keyboard for one day :)

> or it's going to haunt you forever.

I think this is pretty inaccurate unless you’d be haunted by being unable to delete any profile/timeline data, ie. Education/work info and post data. Ad profiles tend to be useless after a few months, just make sure you’re actually blocking and limiting tracking wherever you can.

(comment deleted)
Tried to help out a charity that got their ad account hacked. Thousands of dollars spent. No way to get the money back from FB so they ended up doing a charge back. Can't get any response from Meta at all. Every single support option dead ends into a form that never gets a response, an unhelpful robot, or an unhelpful support page.
They do respond to lawyers
This is one shortcoming of having your own domain. If you let it expire, there is nothing preventing someone else from recycling email addresses.

On the other hand, having your own domain gives you many advantages, including not having to fear that you'll lose your email address because a big tech company decides to ban you for no reason (which is tangentially related to what happened to OP).

So, it's a bit of a double edged sword, but can be good as long as you are diligent about renewing your domain.

Thankfully, with cloudflare offering 10 year renewal terms, things are much better these days. You could bet prices fall and go year by year but given inflationary pressures, it almost certainly seems to be a good deal to do a 1
Until they ban your account and hold your domain hostage, not letting you transfer out for those 10 years.
At least Cloudflare has real human reviewers unlike Google's sleep(10); reject; appeal process.
That risk exists with every registrar and I would rather deal with cloudflare than godaddy
I registered my domain with Google domains. The worst of both worlds.
So transfer it to another registrar. I registered one of my primary domains through them way back when they started offering G Suite for free, but after a year I moved it to the registrar that holds my other domains. It's not difficult.
I know somebody whose instagram account got somehow taken over and used to post crypto scams. They asked her for a picture of her ID, she provided that, and… it’s still just crypto bullshit. No hearing back for months
Instagram seems to have a big problem with this. I know several people who have been hacked, some of whom never got their account back and just started new accounts
Increasing we automate processes, have programs do the work humans once did.

It's extremely helpful and productive, but it has a darker side. The processes are rigid because machines are rigid, and the designers cater to the 99% cases.

But then the 1% happens, and you're left out in the cold.

In the old world of humans and paper, as wasteful as it was, it was easy for exceptions to be made if the clerk was willing, and if they weren't you'd find another clerk, or a clerks supervisor. The processes tended towards being flexible.

But today, you increasingly don't interact with any humans, or if you do don't be surprised if, in your unusual case, they say "the computer won't let me".

As governments move more and more towards digitization, and embrace machine learning, I expect similar stories might unfold - only it won't be with an opt in social media website.

My wife and most of her friends have all lost their Facebook accounts at least once. They all gave up getting them back. Many tears as most of them use it as their only photo backup for kid pictures.

At this point it’s just routine for them to have their account taken over and lost periodically.

> Many tears as most of them use it as their only photo backup for kid pictures.

Painful as that is, those of us who tend more technical should be helping people understand the nature of social media companies, and encouraging backups in whatever form is supported.

... and then helping push them over the edge to find other ways to communicate with friends, share photos, etc. "Do it all on Facebook!" was novel, 10-12 years ago. Now it's just a lack of creativity and a willingness to help add feet to the next yacht.

My girlfriend's mother had this happen to her recently. They got in and changed her password, profile picture and name. Account recovery options didn't work, and also reporting the profile as stolen / whatever option was most appropriate on the form didn't achieve anything.

I found it quite confusing as to the motivation, and seeming gap in the armour of automated bans.

As far as I know, many people get instant banned if they attempt to setup a second profile for their Oculus or similar, I assume the motivation is to get a fake account that has history to avoid this. What surprises me though is that changing password, profile picture and full name in quick succession + attempts to recover / report don't trigger this mechanism/some kind of review process.

I feel like losing all your stuff is part of your digital journey. Then you learn the importance of backups.

Nowadays cloud backups are almost becoming default which is a good thing imo.

Facebook was their cloud backup
Backup is a backup only if you have working copy. If not it is the working copy even not in use.
Facebook is not a backup tool, that was their mistake.
Reminds me of the rollout of Obamacare. I went to sign up on the website almost immediately. Ran into a host of errors. Called numerous times and every agent there told me they couldn't help and didn't know what was wrong. The solution: call us back in 3-4 weeks.
>> In the old world of humans and paper, as wasteful as it was, it was easy for exceptions to be made if the clerk was willing,

One of my first jobs out of college was an account manager at a big corporation. It was an easy job. Half customer service and half sales. The guy in the cube next to me was always chided for being a dinosaur because his desk (in his words) "looked like a tree just puked on his desk" because of all the paper copies he had floating around - but damn if he couldn't find a contract six months old or an email with some promise he had made a client a year earlier.

It was his file system and it worked magically. You'd ask him a question and he'd look around and then dive to a stack of copies of contracts, come up with the right contract and let the customer know the details so quickly. Customer's loved him because he could reference things so quickly and was so sharp with conversations and notes he had taken. No problem if his laptop crashed - he already had a paper copy. He always referenced himself as a go-between the paper world and the digital world that was quickly consuming his talents.

I heard he retired a few years back - but he was the guy you're talking about to a tee. He was around during the transition to email from everything being paper. Dude still made it work, even when he knew his time had come and gone.

> As governments move more and more towards digitization, and embrace machine learning

I spent a decade in the public sector digitalisation of Denmark, a country that competes with Estonia about having the most digitalisation in the world.

I fully believe we should legislate against automated processes taking decisive actions.

It’s inefficient, but what I experienced in regards to laws is that they are way more messy than anyone working in digitalisation seem to realise. We build a system that let employees report their business-related driving, in Denmark you get a tax-reduction when you drive in your own car for work purposes, and the laws covering it is basically an A4 page of tax-law that seems sort of clear. You have 3 set of taxation rates that you get to deduct from, they are meant to be used for different types of work related driving. Simple, right?

Well, it turned out that in 9 different municipalities there was 9 different ways to interpret that A4 page of law text, and, more than a 100 different union agreements on how to extend or alter the tax law for certain groups of workers.

As hilarious as it was to sit through meetings with different sets of tax people from different municipalities getting into heated arguments about who was break the law, it was also sort of eye opening for me at the time. Because we made this as an OSS project where we bought the development that we project managed. My role was part of the project management team as a code-reviewer/specifier of sorts, and all our estimates simply went out the window when we realised we really had to build all those different ways of interpreting the law, as well as making room for future alterations. In the end, it didn’t extend the project that much, I think we still delivered it on schedule but it was a very different product with lots and lots of setup required, because the different municipalities needed to be capable of deciding which rules were turned on for which groups of workers, as well as control over how the approval system was handled by everything from tax lawyers going through every submission to secretaries to RPA robots simply clicking accept on everything.

The system wasn’t related to decision making automation that couldn’t be easily undone by humans, because it was still a relatively simple system. But if that sort of complexity is what you get from some of the simplest legislation we have, then imagine what it would look like for laws covering thousands of A4 pages of text.

>I fully believe we should legislate against automated processes taking decisive actions.

There are certainly decisions that should not be fully automated. But this has very little to do with the account recovery issue we're talking about.

I believe that account recovery, and more generally proving your identity, can be done automatically with greater accuracy and far more securely than any process involving humans.

We have secure, electronic, government issued identity documents that are perfectly suitable for automation. Let's just use them! If we must legislate then let's introduce a right to prove our identity using our government issued ID.

There are other issues related to oligopoly accounts that are hard to solve. But proof of identity is not one of them.

> We have secure, electronic, government issued identity documents that are perfectly suitable for automation.

And what do you propose as a solution if your government-provided identity gets lost or stolen or hacked?

Or for people who have a hard time getting such a doc? (note: Sweden currently has a crisis because it can take over 1 year to get a passport).

Or for people who live in countries which don't have these systems?

Are you really ok with uploading a video of you holding your passport every time you want to log onto a service (see "id.me" controversy)?

Now, what might be nice is if the government used a highly secure crypotgraphic system to allow identity verification, but drivers licenses and passports aren't that.

>And what do you propose as a solution if your government-provided identity gets lost or stolen or hacked?

Report the old one stolen/compromised, get a new one, use it in the account recovery process.

>Or for people who have a hard time getting such a doc? Or for people who live in countries which don't have these systems?

This is a core responsibility of any government. It works well enough in many countries and we should not wait for the last government on earth to get its act together before using it. It can be gradually introduced country by country.

>Are you really ok with uploading a video of you holding your passport every time you want to log onto a service (see "id.me" controversy)?

Having a right to prove your identity using an official ID is not the same as having an obligation to do so. I would only use it with a few key accounts that I trust (and with financial institutions where ID checks are mandatory).

Also, I wouldn't have to hold up my passport at all, nor would I have to do it every time I log in. The platform would read the passport chip once upon registration or during account recovery and check if the picture on the chip matches my face.

>Now, what might be nice is if the government used a highly secure crypotgraphic system to allow identity verification, but drivers licenses and passports aren't that.

https://www.icao.int/Security/FAL/PKD/Pages/ePassport-Basics...

> Having a right to prove your identity using an official ID is not the same as having an obligation to do so.

I'm sceptical as to whether you can avoid it becoming an obligation.

You sign up for $SOCIALNETWORK. Some opaque 'bot detection' process deems your account 'suspicious' and locks it. They offer to unlock your account if you prove your identity using an official ID.

That makes it obligatory in practice, if not in theory.

I share your scepticism, but that's a political decision. Nothing protects us from bad political decisions besides participating in the democratic process.

What's happening right now is that we are sacrificing a lot for the financial benefit of corporations and for politicians' control obsession while we can't use some of the same technologies and capabilities for our own benefit.

We often have an obligation to prove our identity using a government issued ID, but we have no right to do so when we want to.

In my view, that's a bad deal.

Dehumanisation of essential civic processes is a step towards "cybernetic governance", and is a topic I explore in some detail in Digital Vegan [1]. This is distinct from what most of us still call "e-governance" in subtle ways. I am concerned that people do not yet understand the nuances between processes that can be automated to really improve life and where we cross the line into technofascist dystopias that will tear societies apart.

I share an attitude with Frank Zappa here. Zappa was rather oddly against "Love song lyrics". He said they led to poor mental health by propagating unrealistic expectations of intimate relations.

Similarly, I think that Science Fiction has a lot to answer for. I personally love most SciFi, but like Orwell the Cyberpunk genre was misinterpreted as a blueprint instead of a warning, and many people carry around disported, unrealistic and quite mentally damaged ideas of what a "good" technological society should look like.

[1] https://digitalvegan.net

You can also read this story another way: Non-scaled manual processes have accumulated decades or generations of accidental complexities. I've seen this in the example of a central software my university was ordering to manage the records of all grades, achieved credits, registered exams and so forth. Most of this was already managed by a centralized agency (Zentrales Prüfungsamt) but every faculty had slightly different examination regulations and processes. It's not that most of these differences really provide any benefit to the students or the institution – electrical and mechanical engineering are so close to each other that there is no rational way to explain why they can't have the same length of time the registration window for practical courses is open – except that everybody is used to the way it is now and each faculty makes a stand for their right for the status quo.

And in my opinion the reason for most of the conflicts that arose is a failure of expectation management what the digitization effort can accomplish (in a reasonable budget): Software systems are cost efficient only with mostly homogeneous processes. Their development is such an expensive undertaking that it can only compete with individually trained humans when you can amortize the costs over large amount of use cases (c.f. https://xkcd.com/1319/ ).

Thus the first step should always be to get everybody on-board to give up some of their non-essential individuality. There is no need for car taxation to change from municipality to municipality. (Be aware of the reverse phenomenon as well, though: Individual needs getting thrown under the rug by systems that are too rigid or simplistic in the wrong places. See all the falsehoods programmers believe about {names, time, gender, ...} articles. TFA in my opinion is not an example of that phenomenon btw.: Facebook, like Google, is justifying cost cutting at places which obviously need trained human support, with a fetish for technological solutions.)

Of course this homogenization is not something that my parent poster would be in any position to accomplish, so this is not meant as a critique. Also I agree with EnKopVand that automated processes (or even overly rigid bureaucracies) should not take decisive actions on their own.

You should absolutely read it that way, and, you should go even further and point fingers at the legislation itself. In my decade of public service we had five different ministers of “digitalisation” (they had other titles because IT doesn’t win votes) that all put effort into making our laws better suited for digitalisation. I think we even had a prime minister get into it, and every prime minister throughout my entire life has had an ambition of making laws less complicated.

Well, let’s just say that while you’re completely correct, I don’t think we should wait for our countries to become less Kafkan, which is why I’m a fan of simply banning the automated decision making. Maybe if you hurt the bureaucracy where it matters (cost) we might actually get some officials who deal with the root cause of the issues.

(comment deleted)
> As governments move more and more towards digitization, and embrace machine learning, I expect similar stories might unfold - only it won't be with an opt in social media website.

It's already arrived, in the form of the Australian government's "Robodebt" scheme: 20,000 automated debt notices per week with minimal oversight [1]. The government denies it killed people, but there are claims that it did [2]. After several years a court eventually stopped the scheme and awarded about $2 billion in compensation, but by then a lot of lives had been ruined.

[1] https://en.wikipedia.org/wiki/Robodebt_scheme

[2] https://www.theguardian.com/australia-news/2020/jul/31/not-c...

It has nothing to do with automation and everything to do with unaccountable centralisation of power.

It does not matter what moderation scheme they use -- automated or beauraucratic, if you gift the town square to a private entity and allow access to it to be determined hy their whims you get this.

(comment deleted)
Not entirely related, but I always like to take a moment to remind everyone to download their Google backup codes as they are the only way to recover your account if anything goes wrong.
I think it won’t help if account got hacked.
This sucks balls. Sorry. I had similar things happen in the past with Twitter and Google. The problem with these giant tech companies is that we are products, not customers. And so because of that, they don't give a shit. Hope you resolve it.
Basically it's a story of a regular account got hacked and used for spamming. This must have happened a lot. But Facebook is so incompetent that it cannot identify this very obvious pattern:

1. A legitimate account has long history of posting organic content.

2. The account email/password gets changed.

3. The account starts doing spamming.

Seriously, how hard is it? How hard is it?

If Facebook really care about the legitimate user behind the account, they can easily get this problem fixed.

If I am wrong, please enlighten me why it is a problem difficult to solve.

It's not like anyone else has solved it, look at the way Google locks you out.
I really think something like https://Manyver.se will be the solution to this mess.

Let people manage their account keys just like they manage their home or car keys.

(comment deleted)
> Let people manage their account keys just like they manage their home or car keys.

The loss rate of those (especially car keys) is pretty high and losing them usually requires an expensive lock replacement. Is that what you were going for?

I have the opposite problem: there are more and more profiles on Facebook and Instagram that impersonate me in order to scam people. However, Facebook does not delete them even after having the profile reported by multiple times by different friends. This week, scammers even setup a fake Instagram profile to impersonate my mother! It's still online despite having been reported by half my family...
Get in touch with an attorney and see if there's potential to sue for libel or some other law (I assume using one's likeness to advertise scams must break some law).

Big tech scum responds very quickly when it comes to legal issues.

Trying to help someone though this now. Her email got hacked and they took over everything and wiped out their trail. She’s got it all back but the Meta products, Instagram in particular. Her face is plastered all over the account and the photo verification process is failing.

Meanwhile the attackers are posting scans to her page with impunity.

Sorry this happened to you Emily. This is unfortunately a common thing. Facebook is a soulless corporation and always has been. They've never given a fuck about the users who are just cattle to them for their marketing machine. Seen posts from FB banning devs too with no justification and blocking them from their oculus app purchases.
solution - ban Facebook
I'm very sorry to hear this has happened to you.

I, too, had my Facebook account compromised last week.

My account of 15 years that I'd grown up with: a couple thousand friends I'd connected with travelling the world, 90% of my day-to-day comms, a decade and a half of photos and memories etc.

The part that hurts the most is that I've lost countless photos of and messages from my father who passed away a few years ago. Pretty heartbreaking.

To those who would mock me for being so invested in Facebook, I'd point out that I'm 27: that is to say that I entered my teenage years just as Facebook began to take off. In retrospect, it's obvious that Facebook is evil and doesn't give a shit about their users, but alas, at the time it wasn't so clear to 13 year old me (nor my peers) that we'd risk ending up in a Kafkaesque nightmare.

Interestingly, the only conclusion I can point to as to how my account was compromised is that my session data was somehow compromised, allowing the attackers to enter my account without having my password or access to my email which served as 2fa. Apparently Facebook auth related 0days are quite common due to their incentive to keep you logged in and their lackluster security.

In my case, they didn't change my password as they didn't have it, instead they were simply able to log in and add a secondary 2fa (a hardware key) which effectively locked me out so I couldn't declare something was wrong. Pretty smart.

From there, as I understand from my research, they immediately proceed to get your personal account banned so that you can't recover your Business Manager (advertising) account, which is what they're after. It looks like I was banned within 20 minutes or so of the attackers gaining access.

Worryingly, I've read that the way they get you banned so swiftly is through uploading CSAM/terrorist content, which results in an immediate ban and potentially a notification to law enforcement. I'm guessing this is why accounts are seldom recovered when attacked in this way.

On the support front, I've had a similarly frustrating experience trying to get help from Facebook — from searching here on HN and across various blogs & forums, there seem to be two methods of recourse:

1) The mysterious 'Oops' internal ticketing system at Facebook/Meta[1] for friends and family. This allows your case to be viewed by a real human, and from what I've read leads to it being restored within 24 hours.

2) You buy an Oculus and use the serial number to raise a ticket with Oculus support, which gives you the ability to submit evidence and have your case viewed by a team at Facebook (hopefully).

I own a Rift S, so I was able to go the 2nd route, but it's been close to a week now and I haven't seen any results nor had a response.

So yeah, it's pretty bleak. Despite my account being banned, the attackers are still setting up Facebook Ads. I get multiple emails every day that new ads have been approved for their scam stores. Salt in the wounds.

Note this article[2] I came across of a similar attack a couple of months ago. I reached out to the author on Twitter[3] to see if she'd had any luck with recovery, but alas she had not, despite raising several tickets at Facebook.

So, sadly it looks like we're fucked, although I'd be glad to be wrong.

[1] https://www.cnbc.com/2019/03/14/facebook-oops-special-employ...

[2] https://www.forbes.com/sites/forbesagencycouncil/2022/03/22/...

[3]

> In my case, they didn't change my password as they didn't have it, instead they were simply able to log in and add a secondary 2fa (a hardware key) which effectively locked me out so I couldn't declare something was wrong. Pretty smart.

That doesn't really checks out to me because to make any changes to 2fa in FB, you must provide your password first.

I think Meta can afford to hire a couple of humans to deal with such cases.
The problem is that it'd require a lot more effort than that. Not only do you need the two people, you need the content teams to make sure users who are hacked can find information about how to contact the right people, you need devs to build tools for the two people to investigate and "unhack" compromised accounts, you need processes to make sure attackers can't compromise an account by falsely claiming its been hacked, and then you need all the usual things around managing those two people like HR, line management, review, hiring, etc.

Adding people to an org, even one as big as Meta, is never a simple process.

It's always surprising to see people use FB given their reputation and how it's common to lose accounts. I feel the same about popularity of WhatsApp.
Anecdotally in my geopolitical region FB is pretty close to abandonware. The only people i know use it are elderly folk who got into it to keep up with grandkids pictures etc and the odd nutter screaming into the void.

Instagram and WhatsApp are still very popular though. WhatsApp requiring a critical mass to make it endlessly compelling for users. Lots of the techy people i know tried to remove themselves from WhatsApp for signal but they've come back lately as its impractical due to poor adoption.

Would be interesting to know how their monetisation share between IG & FB is split in different regions. As much as I hate adverts in general i even find the IG ads useful from time to time; especially the hyperlocal targeting.