Tell HN: Instagram demands I send a picture of myself to prove I own my account
After 24 hours I tried to log in again and to my surprise, my account wasn't just temporarily disabled anymore but permanently deactivated and I was met with this message:
> Your account has been disabled for violating our terms. Learn how you may be able to restore your account. https://help.instagram.com/521372114683554
How can I allegedly have broken Instagram terms when I just created the account and even verified it by phone? So I visited that link and asked them to restore it. What I get is an email by facebook that demands I send them a picture of myself holding a paper that I wrote a specific code on. Verbatim the email is this:
> Hello, thank you for contacting us. Before we can help you, you must confirm that you are the owner of the account. Please respond to this email and attach a photograph of yourself, where you hold a piece of paper with the following, handwritten code on it: *** Please make sure that the photo fulfills the following criteria: - shows the above mentioned, handwritten code on a clean piece of paper, followed by your full name and username - shows both of your hands holding the paper as well as your complete face - it is well-lit and not too small, dark or blurred - is attached as a JPEG-file to your response E-Mail Note: Even if this account does not contain and pictures of yourself or it represents somebody or something else, we can only help you when we receive a picture of you which fulfills these criteria.
Am I the only one who finds this incredibly intrusive? I know I might be partially beating a dead horse here, as everyone knows Meta is pure evil. But this email really "gave me the rest". I wouldn't use IG for posting pictures of myself anyway but now I won't ever be using anything from Meta even for business reasons.
Are there really no less intrusive ways than the above to prove ones ownership of account?? Why is email and phone verification not enough anymore these days? Is this the type of "progress" happening at FAANG? LOL
210 comments
[ 3.4 ms ] story [ 244 ms ] threadedit: whoops, I misread the parent. I swear I know the difference between various IP types!
And depending on what you mean by "lose liability protections" for ignoring valid takedowns, I'm pretty sure that applies to the specific item and they don't stop being a safe harbor in general.
I sent in the selfie and haven't heard back in over 6 months.
I only can wish you good look against whatever "algorithm" they are using.
someone should try using "photograph of yourself, where you hold a piece of paper with the following, handwritten code on it: **" as a prompt on DALL-E/imagen
Some pretty convincing examples of this behavior can be seen at: https://twitter.com/JanelleCShane/status/1531624303770279937
Yet.
Otherwise, in certain social groups (especially young adults), Instagram is the main way to stay to stay in touch with friends, even just for the messaging app. So, not having an account means missing out on significant social connection for some (e.g. if it's the platform where the group chats are hosted).
It really depends on your friend group, though; for many people, their social groups just aren't on Instagram or social media very much or at all, so it's easier to quit because there's nothing to miss out on (so for these people, the verification would hardly be worth it).
Also a bunch of my younger ex-coworkers and I are only connected on Instagram, and even some of my business contacts. I literally just got an investment lead via Instagram.
I always found this a tad odd. Most people would only share flattering or happy pieces on social media so you cannot account for hardships or problems they are facing in real life which I assume would be one objective reason to keep up with family.
It's a primary communication tool.
I also do a lot of photography and it's the place to show my work (at least if I remotely want and real reach).
Many people use Instagram for their business too, as it's the best way to reach their audience.
For the newer generation it's a mandatory tool for social validation. Not defending that it's good. But it is what it is.
In other words, some accounts steal the pictures of real people and then send follow requests to friends, and try to get them to tap on links that can give the bad actor access to the friends' accounts or buy cryptocurrencies. It's been spiking recently over the past couple of months (one case in a Canadian news article at: https://www.cbc.ca/news/canada/manitoba/instagram-photos-sto...), with other prominent cases documented in the past (2019: https://www.cnbc.com/2019/09/24/how-i-stopped-someone-impers... and 2021: https://www.cnbc.com/2021/12/14/instagram-accounts-created-w...). Bleeping Computer published a deeper article on the most recent ongoing spike (describing the crypto and Onlyfans scams): https://www.bleepingcomputer.com/news/security/instagrams-da...
This doesn't justify at all the permanent deactivation of your completely new account, but just for curiosity's sake, I speculate that this is the reason your new account was banned (overly high security sensitivity on Instagram's end, due to a recent spike in false accounts that impersonate real people, to encourage others to buy cryptocurrency and/or click malicious links).
Reporting the accounts for impersonation seem to do nothing, instagram's responses to the support requests even say they don't have enough people to look at all of them, and so they didn't.
I read that the fastest way to take down the account is for the person getting impersonated to fill out a form (via Instagram's help page at https://help.instagram.com/370054663112398), which unfortunately requires a picture of the person's driver's license/government-issued ID.
I have no idea whether or not it is illegal to ask for this, but it is generally considered dangerous to send photos of your state ID.
It's pretty hard to fake an ID in physical form, but one good enough for a webcam photo shouldn't be too hard.
The new US passport is pretty crazy. The photo page appears to be one giant NFC chip. The picture is barely visible. I suspect that it is meant to be inserted into some kind of reader machine, that will display a high-resolution version to the Customs agent.
https://en.wikipedia.org/wiki/United_States_passport#Biometr...
Or if you have an older passport, you lay it on the scanner machine five or six times, then an assistant comes and tries it on four or five of the machines, then gives up and hands you and the passport to the guard.
They should move to something like IRMA (1). This would ensure they don't get data except for the government's certification that you're really who you claim to be.
(1) https://privacybydesign.foundation/irma-en/
How would me sending them a picture change that when it says right in the email that:
> Even if this account does not contain and pictures of yourself or it represents somebody or something else, we can only help you when we receive a picture of you which fulfills these criteria.
So I can send Instagram a real picture and post someone else's picture all over the account.
It doesn't. It's just a barrier that inconveniences low effort scammers. Most scammers don't want to associate their face with their scams, and/or they aren't skilled enough to photoshop some other photo. Instagram is overwhelmed with garbage and it's logical to 80/20 rule as much as they can.
If Facebook can simply run image comparison between the the face used and other accounts while knowing that picture isn’t copied from elsewhere because it includes their onetime key it could prevent duplicate accounts.
In practice I doubt it’s more effective than a new CAPTCHA.
I think my account was flagged because I follow a lot of people but I don't have a profile picture, never post anything, and I only use the web app (and sometimes from a "suspicious" OS named Linux) so basically I look like a follow-bot.
It's hilarious that I'm reading this comment right before an article from the EFF titled, "Facebook says Apple is Too Powerful. They're Right." How refreshing it would be if Facebook bothered to say, "Meta is too powerful."
Pushing their problems down to the user in this way feels shitty, at best.
Same people that complain in this post about over-jealous verification, will complain in another post about misinformation and propaganda.
If they cannot adequately protect against these scenarios they really should not be trying to collect and monetize so much granular user data. Clearly the organization is incapable of operating what they have built.
The reality, IMO, is that it is just not financially worthwhile for them to give a shit. People will jump through hoops for stupid validation purposes because they want access. Why spend engineering time solving a problem that is more easily handled by inconveniencing your users.
A bit tangential but actually I suspect those are nearly disjoint sets. In my experience the people who complain about misinformation and propaganda are okay with identity verification and censorship while those that want privacy (such as myself) typically dislike censorship and don't want a central authority getting involved to judge whether something is misinformation.
It largely comes down to trust in authority and centralized versus decentralized system design.
You've identified exactly what is going on.
Platforms such as this are facing a brutal, relentless scam/spam onslaught and I think we can conclude that no, in fact, they do not have an elegant solution to it.
The closest things I have seen to real, elegant solutions to this problem are:
1) metafilter charging $5 per new registration - I think you can send them a five dollar bill
2) lobste.rs with their chained/linked account referral which puts the cost on the referrer and introduces some personal responsibility for new signups, etc.
The common solution is to demand a SIM identity - any SIM identity - "for your protection". That's the best solution they have come up with - any functioning truly mobile number (backed by a SIM card, not VOIP) is enough sand in the gears to slow down the onslaught ...
Seasoning fake accounts in realistic ways mostly isn't worth the effort, because bad actors can just compromise real accounts and use those instead. (There are some specific use cases, mostly with nation-state actors, where seasoned and aged fake accounts might make sense, but those are unusual.)
Unfortunately, the non-spammers using VPNs are unlikely to be desirable users (high level of contribution, receptive to ads) so might be seen as acceptable collateral damage.
Facebook used to do the same "yo wait, you need to send us a photo of yourself to verify the account". You could send... any selfies, even ones already uploaded to the account.
The people or algos doing the verification didn't give a fuck/weren't advanced enough and the accounts could be verified with a high success rate, you could even retry with different photos.
Maybe they improved that.
Just dont use them. If o go to a restaurant and they let me waiting standing up more than 20 minutes, I'll just go somewhere else. Why do people treat internet websites any different? (You dont lose anything for not having Meta)
What if that restaurant is the one where all your friends and family are waiting for you? Somehow over the last couple of years, your friends and family just gave up on all the other restaurants and only gather in this restaurant, even though everyone agrees that the food isn't very good, but out of convenience everyone settled for this one (and for the promotions that they had in earlier days). Actually many of the other restaurants closed because of these network effects and the owner of the famous restaurant got rich and arrogant, but now that everyone goes to this restaurant, it is hard to convince people to try something else.
If friends/family are already there, and as I said the restaurant is keeping me waiting at the door for more than 20 minutes? I'll freaking leave and SMS my friends to see them somewhere else.
Shit, if I HAD a job interview in said restaurant, the interviewer was waiting for me there and the restaurant blocked me from entering , I'll just call the interviewer to tell them the fact, and maybe even recommend the taco stand in the corner.
No freaking service is worth it. Not even Google, and I have all my emails since 2004 and docs in gdrive there. I'm a heavy FB user, but the moment they font want my data/usage to show me ads, I wont shed a tear.
That's what I do with people on FB. Only a tiny fraction of people is willing to try alternatives, no matter how much they learn about FB. The consequence is missed interactions, because I will not use FB in this life.
Not if that restaurant is THE place where all your friends hang out. Sure, probably you can convince your best friends to go to another place in order to meet you, but that inroduces friction if they actually prefer to go to the hip place.
There's this restaurant (Facebook) where all the cool people go to meet every night. Those meetings are so cool that, you know you just cannot miss them, otherwise you'll get out of touch.
You arrive to the reception, and the receptionist tells you that yep, the meeting you are looking for is going on, everybody is there. They even let you take a peek from outside and you see everyone is there.
But you just cannot participate now. You must provide the receptionist all your personal data, including a picture of you, your telephone number and a lot of other quite personal info... Oh, and you cannot lie because they will check everything with online databases.
You are annoyed, but you think it is worth it, at the end of the day John Carmack and other really amazing figures are sitting dinning there. So you give your information relucantly.
Then they let you in and, as you approach the dining area you realize that there's a VERY LOUD SOUND coming from a sound system. You pay attention to the sound and realize that it is basically a bunch of advertisements blasting one after another. The main problem is that the sound is so loud that you know it will interfere with your talk with other people in the table.
You sit down and start interacting with the party. You spend some time, talking loudly so that your stories can get through the advertisment noise. You share some pictures and anecdotes, and even find out that the person in front of you may want to buy the used bycicle you want to get rid of.
Suddenly as you are enjoying your steak and chatting about your home state with a random person, a waiter comes in along with a security guard and grab you by the arm. They won't tell you what happend, but they pull you out of the table and take you to the restaurant door. Once there (after the noise of the ads has diminished) you ask them what is going on, why did they take you out? They just say "sorry, you violated our terms and conditions, you have been banned" and close the restaurant door behind you.
So you are left outside lookig at the dinner. You either fight to get in again, or just go your home, fix some dinner and watch a movie. Is it worth it to knock on the door and try to argue your way to the restaurant? Where you know they will treat you really bad and the noise of advertisement is terrible?
This is where I argue that for me, it is not worth it at all. But for some reason we have been "desensitized" to lower our bar for online services. I don't think I would even stay in a restaurant that was blasting advertisements that interferred with my communication. Maybe I'm just grumpy and getting old.
As an individual, you lose the a network of people.
As a business, you lose exposure.
In your restaurant analogy, you are just going to a different one, but your friends are still inside.
Since then when I click on a link to an Instagram post shared on FB they blocked me and demand I set up an account. But if I use a different web browser I can view those posts.
I rarely do that though. I just cannot give them the hit.
Also, these kinds of stories fit well within the narrative of Meta === EvilCorp#1, but I always feel like there's a lot more going on than what is being told in these Ask HN/Tweets/etc. Like, how many accounts were attempted to be made in what time period coming from the same device/IP address/etc? Are the algos at Meta/FB/Insta so bad that legit users are honestly getting flagged like this?
This is speculative, but probably try to recover your Facebook account first (because it's already verified), and then choose the option to try and create an Instagram account based on your logged-in Facebook account.
I haven't tried this in practice as I haven't created a new account in a long time, so there's no guarantee this will work. If it doesn't, then unfortunately you would have to block off time to persistently follow the instructions as closely as you can (sending your photo and a note), likely over several days to create the account.
That's the part that makes me wonder what they're trying to accomplish. I had the same thing happen in 2019, so it's been going on for a long time. For me it happened with a handle that matches a decent .com domain I own when I was going around and registering accounts at every site I could think of (ie: brand protection).
As far as I'm concerned they got nothing that helps them determine whether or not I'm going to use the account for legitimate purposes. I also did not violate their terms of service because it was a brand new registration. I didn't even get an email. I had to figure out where to send the request to have my account reactivated.
I didn't like the idea of sending them a photo, but felt forced into it to make sure no one else could come along and squat on the handle that matches my brand. I don't have trademarks (yet) and, even if I did, claiming someone is violating a trademark is going to be a significant amount of effort vs sending them the photo they want.
So, I capitulated even though I have no idea what they're using my photo for. My best guess is that Mark has it framed and hanging in his private art studio.
I think there's a good chance that eventually big tech is going to run on massive facial recognition databases that were built against our will. I think Facebook, Google, Apple, and Microsoft should be chopped into about 10 different companies each and the government shouldn't give any consideration to the impact it has on their business. They have no respect for us. We shouldn't have any respect for them IMO.
too late - this is an active industry with lots of funding. Further I believe that "metaverse" is an attempt to link that auto-ID to place, with tracking and profiles of all sorts of meat-scale interactions. The calls to boycott "metaverse" in the USA could not come soon enough.
>eventually
Already does. It's just not a bread and butter component of every company's business yet.
We're already past the time where, in a few years, people will start pointing back and saying "well, if you don't like it, you should have done something then."
I noticed that after enabling iCloud Private Relay on my phone, I get a _lot_ more CAPTCHAs very suspicious of my activity. This is both annoying and logical; a site's confidence in my existence / non-malevolence is much decreased when I don't appear from a consistent IP and the IPs that I appear from have a non-zero quantity of bad actors from which I must now be disambiguated.
This seems a classic example of a challenging problem of balancing privacy (wanting an option to be anonymous in my use of a service, including ones where I can post information or message others) with security (wanting to be sure that my counterparties are real humans unlikely to be malevolent or misrepresenting themselves). Service providers get slammed for errors on both sides.
That's not to give up on trying to solve it or suggest that the current status quo is optimal.
Going out on a limb here, I could imagine a solution where e.g. Private Relay users had egress from a special set of IPs that indicate to service providers that the originating user had indeed been identified/validated by Apple as authentic. Traffic inbound from these IPs could have a slightly relaxed threat posture. This is roughly in line with what Apple has been trying to do with Login With Apple; not just making it easier for users to sign in but helping reduce automated signups. An ideal component missing here would be a way to backchannel to Apple from a service provider "Hey, user $UID did a Bad Thing just FYI" to allow Apple to better risk-score Apple profiles/activity, obviously weighted by Apple for believability on the part of the service provider.
There would then also be presumably a way to interrogate a proxy for reporting back bad actions of a user by a service provider, with those attestations also signed by the service provider. (FLAGGED_AS_BOT, CHILD_PORN_TAKEDOWN, FINANCIAL_FRAUD, SPAMMING, OTHER_TOS_VIOLATION, etc) The service provider would pass in the UUID connection identifier which the proxy could then map back to the known user, weighted by the degree to which the proxy trusts the service provider's reports.
It's not that crazy if you think about it. Apple's user base is a juicy target demographic. Apple's "privacy focused" approach is reducing the insights of every other tech company. If they can get it to the point where the other big tech companies have nothing to distinguish legitimate users from bad actors they can make a huge identity and reputation play.
I doubt it would be private IPs or anything though. I think it's more likely that Apple assigns some type of trust/relationship score to each user based on Apple's view of them and then let's users opt in to some type of system where Apple vouches for them. Ex: I ask Apple for a short-lived token to attest to facebook.com or microsoft.com that I'm not a bad actor.
Apple's userbase would eat that up because they already think they're better than everyone else and now they'll be "rewarded" for that by getting a premium experience online.
That would also position Apple as the only company that could do super targeted advertising like Facebook does now.
From a couple of days ago: https://news.ycombinator.com/item?id=31751203
When using your accounts, never use Firefox, since it's down to like 2% marketshare, and automatically suspicious, and never use privacy-oriented plugins like uBlock, which suspiciously alter how and how much your browser communicates with these sites. Also never buy anything online late at night (like after 1 AM). Apparently that's suspicious, since a lot of fraudsters are international.
It's incredible that these shitty ML hueristic systems are the best these "genius" FAANG developers, who get paid $150-300k a year, can come up with up. I love it when they or their loved ones get ensnared by these systems, like the Googler who threw a Twittertantrum when they locked his and his husband's Google Photos (or whatever they call it) account for "suspicious activity," and they lost thousands of photos. Pure lifefuel:
https://news.ycombinator.com/item?id=24791357
I think it gets personalized / fingerprinted fairly quickly TBH. For example, I have 2 identical (Linux + Firefox + uBlock Origin) VMs that I use over the same VPN connection. One of them gets almost no captcha challenges and the other gets them continuously. My subjective experience is that it's based on what you're searching for on Google or maybe due to hitting sites that Google might have flagged as malicious (guilt by association). It's tough to tell, but it sure feels like there's some type of cumulative score based on activity.
Or build a better Instagram.
https://fediverse.party/en/pixelfed/
In fact, early Internet users typically had true names associated with universities, companies, and the government.
it's just the normie networks that want real names
https://en.wikipedia.org/wiki/Ring_of_Gyges
IMHO anonymous internet account names were fine with just universities and nerds and big smart tech companies. As soon as we forced everyone's cousins and uncles and grandpas on to the network we needed "real-names" because those new people... love 'em, but they're not baptized in punch cards.
Glory to Arstotzka! Cause no trouble.
I just want to delete the account at this point, but I can't, since trying to access the deletion link returns an error telling me to open the (unresponsive) app to regain access to my account.
I've contacted a lawyer who works in the field, since I'm pretty sure preventing me from deleting my account is a violation of their TOS. Who knows if that will go anywhere. I'm kind of at my wit's end here. If anyone has any better ideas, I'm all ears.
If you're in the EU, it's also a violation of "the right to be forgotten" and you can contact your ICO.
I decided twitter wasn't worth that kind of identity theft risk. Same thing this happening with instagram - I'm not sure why anyone would want to volunteer this information to these companies whose whole finance model is abusing your personal information.
I personally don't think any of these social media companies are worth sending pictures or ID to.
Your account appears, for whatever reason, bulk-created. For example maybe you were creating it from a network that somebody had used for a lot of IG account creation, or you created it with Firefox on Linux and 99% of their Firefox+Linux registrations are from spammers since it's easy to automate and run on a cloud server, etc.
It's actually pretty friendly from them to notify you immediately, rather than wait until you have gotten attached to the account.
> Are there really no less intrusive ways than the above to prove ones ownership of account??
Your ownership of the account is obviously not really under question. It's a freshly created account, it can't possibly have been hijacked yet. But is it your first account or the thousandth? Email addresses can be minted for free. Phone numbers for pennies. Since phone-verified, US-IP Instagram accounts seem to be selling for about $7 in bulk, those pennies are not much of an obstacle.
But it's pretty hard for you to get selfies from a lot of people in an automated way. (Sure, you could go to a parking lot and pay people to do the selfie for you. But that's a much higher bar.)
And then if suspicion remains, it allows IG to ask for either a second selfie or a picture of a government ID, and verify that your identity has actually stayed stable.
side note: I still can't edit wikipedia because my block of IP addresses has been banned for some reason. I just moved to a new house and can only edit if I go to a coffee shop!
I'm so tired of people insisting on using IP addresses for things that aren't packet routing.
And? What is your proposal instead that is practical?
I think none of us fully understand the extreme levels of abuse a service like Insta (and several other services) have to deal with. It's abuse at scale and ever-changing, hence an endless cat and mouse game where non-transparent heuristics create false positives.
By the way, your method of verification (holding up a sign) is also common at porn sites. That's what my friend told me anyway.
Ended up losing my IG account and learned valuable lesson that if I am not in control of my data I am not calling the shots either.