Tell HN: Instagram demands I send a picture of myself to prove I own my account

332 points by jdthedisciple ↗ HN
So I tried to create an Instagram account yesterday. After registering, I was immediately told my account was disabled for suspicious activity, but that if I wished they would review it within 24 hours. Weird, I thought, but maybe it's just some rare false positive that can be triggered and I'm just unlucky. So I waited, patiently.

After 24 hours I tried to log in again and to my surprise, my account wasn't just temporarily disabled anymore but permanently deactivated and I was met with this message:

> Your account has been disabled for violating our terms. Learn how you may be able to restore your account. https://help.instagram.com/521372114683554

How can I allegedly have broken Instagram terms when I just created the account and even verified it by phone? So I visited that link and asked them to restore it. What I get is an email by facebook that demands I send them a picture of myself holding a paper that I wrote a specific code on. Verbatim the email is this:

> Hello, thank you for contacting us. Before we can help you, you must confirm that you are the owner of the account. Please respond to this email and attach a photograph of yourself, where you hold a piece of paper with the following, handwritten code on it: *** Please make sure that the photo fulfills the following criteria: - shows the above mentioned, handwritten code on a clean piece of paper, followed by your full name and username - shows both of your hands holding the paper as well as your complete face - it is well-lit and not too small, dark or blurred - is attached as a JPEG-file to your response E-Mail Note: Even if this account does not contain and pictures of yourself or it represents somebody or something else, we can only help you when we receive a picture of you which fulfills these criteria.

Am I the only one who finds this incredibly intrusive? I know I might be partially beating a dead horse here, as everyone knows Meta is pure evil. But this email really "gave me the rest". I wouldn't use IG for posting pictures of myself anyway but now I won't ever be using anything from Meta even for business reasons.

Are there really no less intrusive ways than the above to prove ones ownership of account?? Why is email and phone verification not enough anymore these days? Is this the type of "progress" happening at FAANG? LOL

210 comments

[ 3.4 ms ] story [ 244 ms ] thread
They won't do anything after you've sent a selfie anyway. Same thing happened to me. They'll ignore all of your contact attempts. IG support is pretty much non-existent.
They also won't act on trademark claims until a suit is filed. Been down that rabbit hole too.
D̶o̶e̶s̶n̶'̶t̶ ̶t̶h̶a̶t̶ ̶m̶e̶a̶n̶ ̶t̶h̶e̶y̶ ̶l̶o̶s̶e̶ ̶l̶i̶a̶b̶i̶l̶i̶t̶y̶ ̶p̶r̶o̶t̶e̶c̶t̶i̶o̶n̶s̶ ̶u̶n̶d̶e̶r̶ ̶t̶h̶e̶ ̶D̶M̶C̶A̶?̶

edit: whoops, I misread the parent. I swear I know the difference between various IP types!

The DMCA covers copyright violations, not trademark.
I don't think DMCA touches trademark.

And depending on what you mean by "lose liability protections" for ignoring valid takedowns, I'm pretty sure that applies to the specific item and they don't stop being a safe harbor in general.

Same here. I was fairly active on my Instagram and used it directly from the app on my phone. One day, while using the search function, I suddenly got locked out.

I sent in the selfie and haven't heard back in over 6 months.

It seems that we are only one step away from "verified by Ancestry.com".
My wife had to send a photo of herself, her ID, herself, her ID, herself, her ID, and after the third of fourth cycle, her account was marked as legit.

I only can wish you good look against whatever "algorithm" they are using.

One of those stupid dating apps has decided that I am not myself and I cannot upload pictures of myself because it's not me.
so we're at the point where the steps to prove you're human are so arduous only a bot will have the patience to create a new account

someone should try using "photograph of yourself, where you hold a piece of paper with the following, handwritten code on it: **" as a prompt on DALL-E/imagen

Dall-E and its relatives are still pretty awful at text, at least for now. They have a decent idea of how individual letters are shaped, but trying to produce a specific word or phrase is generally pretty hopeless. Dall-E can sometimes correctly reproduce words that appear frequently in its training data, like "PIZZA", but its success rate on less common words is dismally low, especially when they're appearing out of context.

Some pretty convincing examples of this behavior can be seen at: https://twitter.com/JanelleCShane/status/1531624303770279937

Because they haven't been trained on that.

Yet.

Modern captchas have gotten really annoying, too. You used to be able to just effortlessly type characters from a distorted image in 5 seconds, but now proving that you're an actual real human is so much work I'm tempted to automate it.
My personal worst experience with captchas is Vultr: every time I go to their page from my Linux desktop, I need to solve a recaptcha. And if I don't do it within ~3 seconds, the page reloads and I need to start over again. I bet there are more robots than humans who can solve it in such a short time. You need to read the instructions, pattern match 9 photos... twice... in 3 seconds. It doesn't happen when I visit the Vultr's page from my iPhone though. When I get a spare moment, I will move my VPS to another, less obnoxious provider (maybe even Amazon).
Why on earth would someone go through with this?
Instagram can have useful business purposes. Some personal trainers/consultants/very small businesses only have an Instagram account, and seem to be doing well. Canada's public broadcaster published an article about this a while back, and the consequences when such business owners were locked out of their account due to an outage: https://www.cbc.ca/news/business/facebook-instagram-outage-b...

Otherwise, in certain social groups (especially young adults), Instagram is the main way to stay to stay in touch with friends, even just for the messaging app. So, not having an account means missing out on significant social connection for some (e.g. if it's the platform where the group chats are hosted).

It really depends on your friend group, though; for many people, their social groups just aren't on Instagram or social media very much or at all, so it's easier to quit because there's nothing to miss out on (so for these people, the verification would hardly be worth it).

Because Facebook and their various properties have a monopoly on humanity's social fabric in a lot of places. Not participating can put you at a severe disadvantage.
Instagram is important to me for keeping up with family because all my cousins post stories of their kids on there, so it's how I keep up with them and what their kids are up to. Same with a bunch of my friends. It's replaced Facebook which replaced family mailing lists and newsletters. It's also how they keep up with what I'm doing.

Also a bunch of my younger ex-coworkers and I are only connected on Instagram, and even some of my business contacts. I literally just got an investment lead via Instagram.

Why do you need to keep up with what other people are willing to announce to the world they are doing though?

I always found this a tad odd. Most people would only share flattering or happy pieces on social media so you cannot account for hardships or problems they are facing in real life which I assume would be one objective reason to keep up with family.

Well first off they use private accounts so it's not announcing to the world, just people that they know. And many of them post the bad stuff too, especially when they are soliciting advice.
I got it. I never thought of people using Instagram or any other social media for soliciting advice on sensitive personal topics which ought to be ephemeral and private (encrypted instead of available to thousands of employees at Facebook and elsewhere).
I have a hard time believing every friend of yours is a security engineer. And if they are, maybe you need to pop out of that friend bubble a bit and see how the other 99.9999% interact with social media.
Almost everyone I communicate with is on Instagram and no other platform collectively.

It's a primary communication tool.

I also do a lot of photography and it's the place to show my work (at least if I remotely want and real reach).

Many people use Instagram for their business too, as it's the best way to reach their audience.

For the newer generation it's a mandatory tool for social validation. Not defending that it's good. But it is what it is.

reach, audience, dopamine hits
Did she have to upload her full ID or was she allowed to redact some info like the number or such? I'd be really careful handing out my PI like that.
Not to defend the practice (because your case is a false positive for a new account), but rather to speculate on why your account was banned, it's likely due to an increase in impersonation on Instagram recently.

In other words, some accounts steal the pictures of real people and then send follow requests to friends, and try to get them to tap on links that can give the bad actor access to the friends' accounts or buy cryptocurrencies. It's been spiking recently over the past couple of months (one case in a Canadian news article at: https://www.cbc.ca/news/canada/manitoba/instagram-photos-sto...), with other prominent cases documented in the past (2019: https://www.cnbc.com/2019/09/24/how-i-stopped-someone-impers... and 2021: https://www.cnbc.com/2021/12/14/instagram-accounts-created-w...). Bleeping Computer published a deeper article on the most recent ongoing spike (describing the crypto and Onlyfans scams): https://www.bleepingcomputer.com/news/security/instagrams-da...

This doesn't justify at all the permanent deactivation of your completely new account, but just for curiosity's sake, I speculate that this is the reason your new account was banned (overly high security sensitivity on Instagram's end, due to a recent spike in false accounts that impersonate real people, to encourage others to buy cryptocurrency and/or click malicious links).

This particular scheme has been a ridiculous plague among my circle of friends on instagram recently. People create accounts mimicking an existing user, add an underscore at the end of the username, and then spam follow requests to all of their connections. Most people get a notification from someone they know, and they accept it without even thinking about. It is insanely effective.

Reporting the accounts for impersonation seem to do nothing, instagram's responses to the support requests even say they don't have enough people to look at all of them, and so they didn't.

Yeah, unfortunately multiple reports of the impersonator's account doesn't work in practice, even though it really should. Another source confirming this is from the Bleeping Computer article (source: https://www.bleepingcomputer.com/news/security/instagrams-da...).

I read that the fastest way to take down the account is for the person getting impersonated to fill out a form (via Instagram's help page at https://help.instagram.com/370054663112398), which unfortunately requires a picture of the person's driver's license/government-issued ID.

> requires a picture of the person's driver's license/government-issued ID.

I have no idea whether or not it is illegal to ask for this, but it is generally considered dangerous to send photos of your state ID.

Is this a US thing related to identity theft, or is there a deeper reason?
It's usually an identify theft thing, because if I have all the information on your state ID I can make a copy that would be good enough for ... getting access to your instagram account I guess.

It's pretty hard to fake an ID in physical form, but one good enough for a webcam photo shouldn't be too hard.

I just got my passport renewed.

The new US passport is pretty crazy. The photo page appears to be one giant NFC chip. The picture is barely visible. I suspect that it is meant to be inserted into some kind of reader machine, that will display a high-resolution version to the Customs agent.

This is exactly what happens, you lay your passport on a scanner thing machine, and the guard never looks at the title page, just stamps the visa, etc.

Or if you have an older passport, you lay it on the scanner machine five or six times, then an assistant comes and tries it on four or five of the machines, then gives up and hands you and the passport to the guard.

Not quite the same thing but it's quite common for hotels (in Europe in particular) to make a copy of your passport, for auto dealerships (at least in the US) to make a copy of your driver's license for a test drive, and many many other situations. I'm sure I'm forgetting lots of other cases. (And Twitter requires for verified accounts.)
> which unfortunately requires a picture of the person's driver's license/government-issued ID.

They should move to something like IRMA (1). This would ensure they don't get data except for the government's certification that you're really who you claim to be.

(1) https://privacybydesign.foundation/irma-en/

Works great for any government as long as your government is the Netherlands.
> In other words, some accounts steal the pictures of real people and then send follow requests to friends, and try to get them to tap on links that can give the bad actor access to the friends' accounts or buy cryptocurrencies.

How would me sending them a picture change that when it says right in the email that:

> Even if this account does not contain and pictures of yourself or it represents somebody or something else, we can only help you when we receive a picture of you which fulfills these criteria.

So I can send Instagram a real picture and post someone else's picture all over the account.

> How would me sending them a picture change that

It doesn't. It's just a barrier that inconveniences low effort scammers. Most scammers don't want to associate their face with their scams, and/or they aren't skilled enough to photoshop some other photo. Instagram is overwhelmed with garbage and it's logical to 80/20 rule as much as they can.

This impersonation is only really useful when one person can create multiple fake accounts.

If Facebook can simply run image comparison between the the face used and other accounts while knowing that picture isn’t copied from elsewhere because it includes their onetime key it could prevent duplicate accounts.

In practice I doubt it’s more effective than a new CAPTCHA.

Not to mention that scammers are relatively unlikely to want to show their face for ID purposes even if it's their only account (whereas ordinary people that want to join a service for posting pictures of themselves on the Internet generally don't mind), especially not when there's a wide world of other scams they can be getting on with that don't involve showing their face.
Are you sure that you can just send in a picture? Had this happen recently and I had to install the iOS app and then the app took video of me with the front facing camera.

I think my account was flagged because I follow a lot of people but I don't have a profile picture, never post anything, and I only use the web app (and sometimes from a "suspicious" OS named Linux) so basically I look like a follow-bot.

> This doesn't justify at all the permanent deactivation your completely new account

It's hilarious that I'm reading this comment right before an article from the EFF titled, "Facebook says Apple is Too Powerful. They're Right." How refreshing it would be if Facebook bothered to say, "Meta is too powerful."

This particular scam sounds like it ought to be relatively easy to algorithmically detect (high degree of similarity with a particular account name plus high volume of friend requests to that account name's friends). I guess you'll flag up a few false positives (family members with different initial.firstname accounts who naturally share circles of friends) but not many compared with heuristics involving user agents and geolocations and email providers and not-having-Facebook
Facebook/Meta has how many thousands of general engineers, AI specialists, and massive amounts of hardware at their disposal, and they can't solve this in a more practical way?

Pushing their problems down to the user in this way feels shitty, at best.

Not if you are constantly attacked by millions of scammers, bot nets and government-sponsored info-terrorists.

Same people that complain in this post about over-jealous verification, will complain in another post about misinformation and propaganda.

I don’t buy that excuse.

If they cannot adequately protect against these scenarios they really should not be trying to collect and monetize so much granular user data. Clearly the organization is incapable of operating what they have built.

The reality, IMO, is that it is just not financially worthwhile for them to give a shit. People will jump through hoops for stupid validation purposes because they want access. Why spend engineering time solving a problem that is more easily handled by inconveniencing your users.

Your very insightful last paragraph makes the preceding ones an unnecessary appeal to high mindedness. They absolutely should be collecting granular user data if the user and the jurisdiction is willing to let them, and it makes them money. They absolutely are capable of operating what they've built if they're financially healthy despite being a dark pit of nothingness to randomly fucked users. Not prioritizing users can work as a business model for some time. Maybe that's the time horizon their shareholders care about. Don't judge.
> Same people that complain in this post about over-jealous verification, will complain in another post about misinformation and propaganda.

A bit tangential but actually I suspect those are nearly disjoint sets. In my experience the people who complain about misinformation and propaganda are okay with identity verification and censorship while those that want privacy (such as myself) typically dislike censorship and don't want a central authority getting involved to judge whether something is misinformation.

It largely comes down to trust in authority and centralized versus decentralized system design.

Yes they have engineers but they're all nearsighted, uncreative and high hubris engineers with little to no empathy.
"Pushing their problems down to the user in this way feels shitty, at best ..."

You've identified exactly what is going on.

Platforms such as this are facing a brutal, relentless scam/spam onslaught and I think we can conclude that no, in fact, they do not have an elegant solution to it.

The closest things I have seen to real, elegant solutions to this problem are:

1) metafilter charging $5 per new registration - I think you can send them a five dollar bill

2) lobste.rs with their chained/linked account referral which puts the cost on the referrer and introduces some personal responsibility for new signups, etc.

The common solution is to demand a SIM identity - any SIM identity - "for your protection". That's the best solution they have come up with - any functioning truly mobile number (backed by a SIM card, not VOIP) is enough sand in the gears to slow down the onslaught ...

It has been [27] years since the tech industry started looking for a good solution to spam and fraud. Although my sister just freaked out over a phone call from someone claiming to be a tax collector, so it's not just the Internet with this problem.
And ironically, good security hygiene makes you look like a bad actor. While this "verification" is intrusive and unreasonable - I'm not defending it - often the root is creating an account from a VPN, or with minimal browser fingerprinting allowed, etc. An average user who doesn't take any precautions is likely to have a substantial activity profile already associated to their IP / cookies / etc. But run through a VPN? You trigger all the fraud checks. Use private browsing? Trigger all the fraud checks and hope you like filling out CAPTCHAs constantly on top of that. Tor? Likely to be blocked completely.

Seasoning fake accounts in realistic ways mostly isn't worth the effort, because bad actors can just compromise real accounts and use those instead. (There are some specific use cases, mostly with nation-state actors, where seasoned and aged fake accounts might make sense, but those are unusual.)

I registered in normal browsing mode using the brave browser and no VPN.
If I were you, I'd use Google Chrome on Windows next. Surely this shouldn't really matter but... (throwing hands up)
Um, you do realize that photographs don't actually take your soul right?
VPN is definitely one trigger. A friend with a completely genuine and tame account got blocked for months and the only non-standard thing he did was access it via a VPN.

Unfortunately, the non-spammers using VPNs are unlikely to be desirable users (high level of contribution, receptive to ads) so might be seen as acceptable collateral damage.

A practice dating back to MySpace, or even before it.

Facebook used to do the same "yo wait, you need to send us a photo of yourself to verify the account". You could send... any selfies, even ones already uploaded to the account.

The people or algos doing the verification didn't give a fuck/weren't advanced enough and the accounts could be verified with a high success rate, you could even retry with different photos.

Maybe they improved that.

That was when I stopped using Facebook. Facebook had a single edited photo of me that (at the time) was 10 years old, and I didn't care to give them another. I decided that I didn't use Facebook enough to care, so I just stopped. One of these days I need to go in and officially delete my account.
ADA lawsuit opportunity here for anybody without two hands...
Simple rule: Don't use meta products. Shame everyone who attempts to copy their business practices.
Right... people should just stop using services that are aggressive. Remember you are the product, unless you pay them. So they dont care about you.

Just dont use them. If o go to a restaurant and they let me waiting standing up more than 20 minutes, I'll just go somewhere else. Why do people treat internet websites any different? (You dont lose anything for not having Meta)

> If o go to a restaurant and they let me waiting standing up more than 20 minutes, I'll just go somewhere else. Why do people treat internet websites any different?

What if that restaurant is the one where all your friends and family are waiting for you? Somehow over the last couple of years, your friends and family just gave up on all the other restaurants and only gather in this restaurant, even though everyone agrees that the food isn't very good, but out of convenience everyone settled for this one (and for the promotions that they had in earlier days). Actually many of the other restaurants closed because of these network effects and the owner of the famous restaurant got rich and arrogant, but now that everyone goes to this restaurant, it is hard to convince people to try something else.

It is a weak argument imo. If you’re important to them they will follow. If not, there’s no point to keep in touch. I understand that there’s edge cases when it’s really difficult to switch or use an alternative platform (i.e. because of age), but overall it’s not that hard. At least it wasn’t in my case. And yeah, it is possible to eat in multiple restaurants at the same time, when it comes to social platforms.
It is not hard to install a new messenger. It is extremely hard to rebuild your (compatible) contact list on a new platform. The EU seems to be introducing laws for enabling cross-platform messaging on large platforms, which is desperately needed in order to combat walled gardens and weaponized network effects, I think.
>What if that restaurant is the one where all your friends and family are waiting for you?

If friends/family are already there, and as I said the restaurant is keeping me waiting at the door for more than 20 minutes? I'll freaking leave and SMS my friends to see them somewhere else.

Shit, if I HAD a job interview in said restaurant, the interviewer was waiting for me there and the restaurant blocked me from entering , I'll just call the interviewer to tell them the fact, and maybe even recommend the taco stand in the corner.

No freaking service is worth it. Not even Google, and I have all my emails since 2004 and docs in gdrive there. I'm a heavy FB user, but the moment they font want my data/usage to show me ads, I wont shed a tear.

> If friends/family are already there, and as I said the restaurant is keeping me waiting at the door for more than 20 minutes? I'll freaking leave and SMS my friends to see them somewhere else.

That's what I do with people on FB. Only a tiny fraction of people is willing to try alternatives, no matter how much they learn about FB. The consequence is missed interactions, because I will not use FB in this life.

In this analogy; it's JUST a restaurant it's not that important that you be there with your friends and family. There's plenty of other ways you can see and interact with them, the restaurant isn't important or necessary.
> it's JUST a restaurant it's not that important that you be there with your friends and family.

Not if that restaurant is THE place where all your friends hang out. Sure, probably you can convince your best friends to go to another place in order to meet you, but that inroduces friction if they actually prefer to go to the hip place.

I understand that very well. But let's stretch the analogy more:

There's this restaurant (Facebook) where all the cool people go to meet every night. Those meetings are so cool that, you know you just cannot miss them, otherwise you'll get out of touch.

You arrive to the reception, and the receptionist tells you that yep, the meeting you are looking for is going on, everybody is there. They even let you take a peek from outside and you see everyone is there.

But you just cannot participate now. You must provide the receptionist all your personal data, including a picture of you, your telephone number and a lot of other quite personal info... Oh, and you cannot lie because they will check everything with online databases.

You are annoyed, but you think it is worth it, at the end of the day John Carmack and other really amazing figures are sitting dinning there. So you give your information relucantly.

Then they let you in and, as you approach the dining area you realize that there's a VERY LOUD SOUND coming from a sound system. You pay attention to the sound and realize that it is basically a bunch of advertisements blasting one after another. The main problem is that the sound is so loud that you know it will interfere with your talk with other people in the table.

You sit down and start interacting with the party. You spend some time, talking loudly so that your stories can get through the advertisment noise. You share some pictures and anecdotes, and even find out that the person in front of you may want to buy the used bycicle you want to get rid of.

Suddenly as you are enjoying your steak and chatting about your home state with a random person, a waiter comes in along with a security guard and grab you by the arm. They won't tell you what happend, but they pull you out of the table and take you to the restaurant door. Once there (after the noise of the ads has diminished) you ask them what is going on, why did they take you out? They just say "sorry, you violated our terms and conditions, you have been banned" and close the restaurant door behind you.

So you are left outside lookig at the dinner. You either fight to get in again, or just go your home, fix some dinner and watch a movie. Is it worth it to knock on the door and try to argue your way to the restaurant? Where you know they will treat you really bad and the noise of advertisement is terrible?

This is where I argue that for me, it is not worth it at all. But for some reason we have been "desensitized" to lower our bar for online services. I don't think I would even stay in a restaurant that was blasting advertisements that interferred with my communication. Maybe I'm just grumpy and getting old.

>You dont lose anything for not having Meta

As an individual, you lose the a network of people.

As a business, you lose exposure.

In your restaurant analogy, you are just going to a different one, but your friends are still inside.

I went to the Instagram sign-up page and filled out some info and submitted it and then decided not to submit whatever it was they were asking for next.

Since then when I click on a link to an Instagram post shared on FB they blocked me and demand I set up an account. But if I use a different web browser I can view those posts.

I rarely do that though. I just cannot give them the hit.

Sadly, for a side hustle, an Insta account is seemingly in my future. For someone like me that has never had an Insta account nor have I logged into my FB account for over 8 years, how does one create an account without this happening?

Also, these kinds of stories fit well within the narrative of Meta === EvilCorp#1, but I always feel like there's a lot more going on than what is being told in these Ask HN/Tweets/etc. Like, how many accounts were attempted to be made in what time period coming from the same device/IP address/etc? Are the algos at Meta/FB/Insta so bad that legit users are honestly getting flagged like this?

>"For someone like me that has never had an Insta account nor have I logged into my FB account for over 8 years, how does one create an account without this happening?"

This is speculative, but probably try to recover your Facebook account first (because it's already verified), and then choose the option to try and create an Instagram account based on your logged-in Facebook account.

I haven't tried this in practice as I haven't created a new account in a long time, so there's no guarantee this will work. If it doesn't, then unfortunately you would have to block off time to persistently follow the instructions as closely as you can (sending your photo and a note), likely over several days to create the account.

Look at it from their viewpoint. It is hard to do what they do. How else would they collect sellable info on you, without your assistance?
> Even if this account does not contain and pictures of yourself or it represents somebody or something else, we can only help you when we receive a picture of you which fulfills these criteria.

That's the part that makes me wonder what they're trying to accomplish. I had the same thing happen in 2019, so it's been going on for a long time. For me it happened with a handle that matches a decent .com domain I own when I was going around and registering accounts at every site I could think of (ie: brand protection).

As far as I'm concerned they got nothing that helps them determine whether or not I'm going to use the account for legitimate purposes. I also did not violate their terms of service because it was a brand new registration. I didn't even get an email. I had to figure out where to send the request to have my account reactivated.

I didn't like the idea of sending them a photo, but felt forced into it to make sure no one else could come along and squat on the handle that matches my brand. I don't have trademarks (yet) and, even if I did, claiming someone is violating a trademark is going to be a significant amount of effort vs sending them the photo they want.

So, I capitulated even though I have no idea what they're using my photo for. My best guess is that Mark has it framed and hanging in his private art studio.

I think there's a good chance that eventually big tech is going to run on massive facial recognition databases that were built against our will. I think Facebook, Google, Apple, and Microsoft should be chopped into about 10 different companies each and the government shouldn't give any consideration to the impact it has on their business. They have no respect for us. We shouldn't have any respect for them IMO.

> I think there's a good chance that eventually big tech is going to run on massive facial recognition databases that were built against our will.

too late - this is an active industry with lots of funding. Further I believe that "metaverse" is an attempt to link that auto-ID to place, with tracking and profiles of all sorts of meat-scale interactions. The calls to boycott "metaverse" in the USA could not come soon enough.

>I think there's a good chance that eventually big tech is going to run on massive facial recognition databases that were built against our will.

>eventually

Already does. It's just not a bread and butter component of every company's business yet.

We're already past the time where, in a few years, people will start pointing back and saying "well, if you don't like it, you should have done something then."

My guess is that they get more utility out of the photo as a boolean metric for prioritizing support requests than as an authentication method.
Sadly, email and phone verification have never been particularly effective methods of proving personhood/identity/non-malevolent intent. Witness the dozens of spam phone calls / pig butchering texts / Gmail-originating spam emails one gets a day.

I noticed that after enabling iCloud Private Relay on my phone, I get a _lot_ more CAPTCHAs very suspicious of my activity. This is both annoying and logical; a site's confidence in my existence / non-malevolence is much decreased when I don't appear from a consistent IP and the IPs that I appear from have a non-zero quantity of bad actors from which I must now be disambiguated.

This seems a classic example of a challenging problem of balancing privacy (wanting an option to be anonymous in my use of a service, including ones where I can post information or message others) with security (wanting to be sure that my counterparties are real humans unlikely to be malevolent or misrepresenting themselves). Service providers get slammed for errors on both sides.

That's not to give up on trying to solve it or suggest that the current status quo is optimal.

Going out on a limb here, I could imagine a solution where e.g. Private Relay users had egress from a special set of IPs that indicate to service providers that the originating user had indeed been identified/validated by Apple as authentic. Traffic inbound from these IPs could have a slightly relaxed threat posture. This is roughly in line with what Apple has been trying to do with Login With Apple; not just making it easier for users to sign in but helping reduce automated signups. An ideal component missing here would be a way to backchannel to Apple from a service provider "Hey, user $UID did a Bad Thing just FYI" to allow Apple to better risk-score Apple profiles/activity, obviously weighted by Apple for believability on the part of the service provider.

What you propose there could be built on the basis of identity federation, right?
In theory, yes, and ideally any of this would be implemented as a standard, for instance as a segment of a TLS ClientHello added by a forwarding proxy (such as Private Relay) that includes a UUID connection identifier, a risk category for the user, the identity of the proxy, and the proxy's signature for the whole of the ClientHello packet.

There would then also be presumably a way to interrogate a proxy for reporting back bad actions of a user by a service provider, with those attestations also signed by the service provider. (FLAGGED_AS_BOT, CHILD_PORN_TAKEDOWN, FINANCIAL_FRAUD, SPAMMING, OTHER_TOS_VIOLATION, etc) The service provider would pass in the UUID connection identifier which the proxy could then map back to the known user, weighted by the degree to which the proxy trusts the service provider's reports.

> Going out on a limb here, I could imagine a solution where e.g. Private Relay users had egress from a special set of IPs that indicate to service providers that the originating user had indeed been identified/validated by Apple as authentic.

It's not that crazy if you think about it. Apple's user base is a juicy target demographic. Apple's "privacy focused" approach is reducing the insights of every other tech company. If they can get it to the point where the other big tech companies have nothing to distinguish legitimate users from bad actors they can make a huge identity and reputation play.

I doubt it would be private IPs or anything though. I think it's more likely that Apple assigns some type of trust/relationship score to each user based on Apple's view of them and then let's users opt in to some type of system where Apple vouches for them. Ex: I ask Apple for a short-lived token to attest to facebook.com or microsoft.com that I'm not a bad actor.

Apple's userbase would eat that up because they already think they're better than everyone else and now they'll be "rewarded" for that by getting a premium experience online.

That would also position Apple as the only company that could do super targeted advertising like Facebook does now.

(comment deleted)
I have a rule of only ever using Edge on Windows with no plugins (does Edge even have that?) when interacting with Google or Amazon account services, to avoid this "your account has been locked due to suspicious activity" nonsense, knowing that it only results in a hopeless black hole of canned email responses asking for information to unlock the account, only for it to remain locked after said information is provided.

When using your accounts, never use Firefox, since it's down to like 2% marketshare, and automatically suspicious, and never use privacy-oriented plugins like uBlock, which suspiciously alter how and how much your browser communicates with these sites. Also never buy anything online late at night (like after 1 AM). Apparently that's suspicious, since a lot of fraudsters are international.

It's incredible that these shitty ML hueristic systems are the best these "genius" FAANG developers, who get paid $150-300k a year, can come up with up. I love it when they or their loved ones get ensnared by these systems, like the Googler who threw a Twittertantrum when they locked his and his husband's Google Photos (or whatever they call it) account for "suspicious activity," and they lost thousands of photos. Pure lifefuel:

https://news.ycombinator.com/item?id=24791357

> It's incredible that these shitty ML hueristic systems are the best these "genius" FAANG developers, who get paid $150-300k a year, can come up with up.

I think it gets personalized / fingerprinted fairly quickly TBH. For example, I have 2 identical (Linux + Firefox + uBlock Origin) VMs that I use over the same VPN connection. One of them gets almost no captcha challenges and the other gets them continuously. My subjective experience is that it's based on what you're searching for on Google or maybe due to hitting sites that Google might have flagged as malicious (guilt by association). It's tough to tell, but it sure feels like there's some type of cumulative score based on activity.

this happened to both me and my wife. never heard back. account remains unavailable. multiple follow ups went to black holes.
Do they even want users? What is their motive?
Zuckerberg is a problem. He exists only to buy out everyone else and will not stop until everybody is destroyed
I highly dislike this forced real identity thing on the internet. What is the problem with using internet aliases to post internet stuff in a manner entirely unrelated to your personal life?
Because, while extremely imperfect, making a modicum of effort to make sure someone is a real person still screens out a lot of bots and anonymous scammers--which is at least a start.
While completely destroying a core benefit of the internet.
Anonymity was not really considered a core benefit of the early Internet.

In fact, early Internet users typically had true names associated with universities, companies, and the government.

If you define "Internet" to be email and such, yes. But as soon as the World Wide Web went mainstream in the mid 90's, being pseudonymous while online was very much a core principle of the internet. "No one knows you're a dog on the internet" was a common saying.
nothing stopping you from chilling in IRC or mastadon

it's just the normie networks that want real names

Disagree, i think it's so you can find your friends.
The problem is you're adamant on using these platforms. The Internet exists outside them and still works fine. In fact, Google and Chrome are a bigger danger as they can force people to do whatever at the very point of entry to the Internet. Smart Kants.
Companies are incentivized to do this because investors and advertising partners want assurance that what they're buying gives them access to real users.
More like they (the providers) don't want competition (access to their main asset – human users). Why buy ads if you can buy fake accounts and advertise/"influence" through those?
don't forge the story of The Ring of Gygees

https://en.wikipedia.org/wiki/Ring_of_Gyges

IMHO anonymous internet account names were fine with just universities and nerds and big smart tech companies. As soon as we forced everyone's cousins and uncles and grandpas on to the network we needed "real-names" because those new people... love 'em, but they're not baptized in punch cards.

Papers, please.

Glory to Arstotzka! Cause no trouble.

Yesterday I had a consultant locked down in one of these Chinese zero-economy policy snap lockdowns. Hordes of special police came to enforce the lockdown which is ongoing. His hotel was right at the edge. After some suitable wangling he was able to obtain a special paper from a petty official to leave the quarantine zone. Returning in the evening, split lovers could be seen smooching over the quarantine fence. Nobody gave a damn. We expect it to last three days then return to normal.
Be thankful that they've given you a way to restore your account. They didn't to me. I suspect I was supposed to be thrown into the same verification pipeline as you, but something got messed up along the way and now I have a completely unresponsive app (black screen with a refresh button that does nothing) with no instructions on how to fix it. I thought maybe it was some weird Android bug, so I bought an iPhone and logged in on that only to find that it is also unresponsive.

I just want to delete the account at this point, but I can't, since trying to access the deletion link returns an error telling me to open the (unresponsive) app to regain access to my account.

I've contacted a lawyer who works in the field, since I'm pretty sure preventing me from deleting my account is a violation of their TOS. Who knows if that will go anywhere. I'm kind of at my wit's end here. If anyone has any better ideas, I'm all ears.

> I've contacted a lawyer who works in the field, since I'm pretty sure preventing me from deleting my account is a violation of their TOS

If you're in the EU, it's also a violation of "the right to be forgotten" and you can contact your ICO.

I made a twitter account, followed a few accounts, and then it was locked and twitter demanded I send them a scan of my government issued ID to prove I was a real person.

I decided twitter wasn't worth that kind of identity theft risk. Same thing this happening with instagram - I'm not sure why anyone would want to volunteer this information to these companies whose whole finance model is abusing your personal information.

I personally don't think any of these social media companies are worth sending pictures or ID to.

We should stop using Instagram or any Facebook service.
> How can I allegedly have broken Instagram terms when I just created the account and even verified it by phone?

Your account appears, for whatever reason, bulk-created. For example maybe you were creating it from a network that somebody had used for a lot of IG account creation, or you created it with Firefox on Linux and 99% of their Firefox+Linux registrations are from spammers since it's easy to automate and run on a cloud server, etc.

It's actually pretty friendly from them to notify you immediately, rather than wait until you have gotten attached to the account.

> Are there really no less intrusive ways than the above to prove ones ownership of account??

Your ownership of the account is obviously not really under question. It's a freshly created account, it can't possibly have been hijacked yet. But is it your first account or the thousandth? Email addresses can be minted for free. Phone numbers for pennies. Since phone-verified, US-IP Instagram accounts seem to be selling for about $7 in bulk, those pennies are not much of an obstacle.

But it's pretty hard for you to get selfies from a lot of people in an automated way. (Sure, you could go to a parking lot and pay people to do the selfie for you. But that's a much higher bar.)

And then if suspicion remains, it allows IG to ask for either a second selfie or a picture of a government ID, and verify that your identity has actually stayed stable.

> from a network that somebody had used for a lot

side note: I still can't edit wikipedia because my block of IP addresses has been banned for some reason. I just moved to a new house and can only edit if I go to a coffee shop!

Normally you can make an account while on a non-blocked IP, then use that account on the blocked-IP.
Same here. Not my IP but a whole IP ranges probably spanning almost the whole country.
> you were creating it from a network that somebody had used for a lot of IG account creation

I'm so tired of people insisting on using IP addresses for things that aren't packet routing.

> I'm so tired of people insisting on using IP addresses for things that aren't packet routing.

And? What is your proposal instead that is practical?

My proposal is only using IP addresses for packet routing and nothing else at all. All those IP-based "spam reputation" schemes only punish unsuspecting people for doing nothing wrong, for something they are unaware of and can't change.
That is true of basically every anti-spam mechanism that exists. This is the trade-off to trying to deal with spam.
I had a similar experience creating a FB account. Before I could even fully log in, it was suspended for violating whatever.
Your experience sucks but it's too simplistic to consider this malice/evil.

I think none of us fully understand the extreme levels of abuse a service like Insta (and several other services) have to deal with. It's abuse at scale and ever-changing, hence an endless cat and mouse game where non-transparent heuristics create false positives.

By the way, your method of verification (holding up a sign) is also common at porn sites. That's what my friend told me anyway.

Bit similar happened to me. I had account for about 3 years, posted like once a month, followed friends and some celebs - nothing out of ordinary. Then some day I was greeted via form that I needed to give my birthday as I apparently had not done that yet. I just threw in random date as I thought it is none of their business. Well turns out now that due to me "being under 13" my account is marked for deletion and I have 30 days to appeal with similar requirement. I tried to write them but got automated response.

Ended up losing my IG account and learned valuable lesson that if I am not in control of my data I am not calling the shots either.