This is a great case for using iCloud “hide my email.” Curiously, I tried using it with “sign in with Apple” on slack and slack rejected it as a “hidden email.” I was able to circumvent that by using the regular sign in flow with a pre-generated “hide my email” address.
People are constantly trying to use any service for illicit purposes. A somewhat-easy way to deal with that is to just ban them. Because an email address is used as username and an email address usually maps 1:1 to a person, this means you just got rid of a Bad Person.
This breaks if access to new email addresses is trivial. You now have to invest actual effort into validating that a new account isn't someone trying to do bad stuff.
Or you can just block all the services providing easy access to email addresses and outsource the issue to big providers like GMail and Apple. It's a lot less effort, and you'll lose near-zero legitimate customers...
True, but Apple's hidden emails are tied to a real credit card (not free) and can't be generated in bulk (AFAIK).
I'm not inclined to give any service the benefit of the doubt here until there is some evidence that Apple emails are indeed being used for this purpose. I haven't seen any such evidence (but I'm open to it).
Slack gets used as Command and Control servers for malware and bot networks -- same as Discord. They are commonly installed so their network traffic isn't suspicious. They're also free. Blocking "hidden email" services is an easy first line of defense. You also can't register with mailinator.com email, for example.
I think only those users use Apple’s HideMyEmail who have promised themselves to forever use Apple devices and forever having the paid plan, and never want to start a mail conversation from any of those emails.
For others a domain, a mail provider works best with catch-all.
How can they tell any iCloud address is a “hide my email” address? They generally use real words plus a number. Something like coffee_bike57@icloud.com. That seems like something a real human could also think up.
> If you want to opt out of this - and you trust the IAB to handle your data safely - you can submit your email address and phone number to https://transparentadvertising.org/.
It is "email address OR phone number" which is a little better...at least not giving them a free correlation. Though I suspect they usually already have it.
Given they likely have everyone's Gmail address anyway, I have no problem opting mine out. I won't bother opting out my other addresses though; I doubt they correlate them all to the same person, since they are all different domains.
It seems more like a move to make things work in a more effective way rather than a move in order to subtle ignore your will. The former can be a side effect, not so terrible if there is transparency and the ability to opt-out the tracking. I should be able to defend my privacy with some switches in a sort of "Manage cookie preferences" page/banner way and to going nuts adding some special chars in my email address.
I run with a custom domain and a catch-all email rule, so all inbound mail goes to the same inbox, so I can use whatever@domain.com. Maybe it's still trackable but at least helps identify leaks.
Not parent, but I'm doing the same thing and I have had 5 leaks out of (currently) 387 accounts over the past 4 years (which is when I started doing this).
Oh and none of the involved entities ever acknowledged the leaks. I'd also be highly interested in the rates other people encounter.
Could be. If they sold the email addresses, that is one reason they would not "disclose" it, it was just routine business (and not business they are eager to disclose, although I suppose it's mentioned in some fine print in their privacy statement somewhere, hypothetically, maybe).
I've been doing the same over a similar time span. 5 years for me. However, i am yet to find any leaks.
I get a ton of spam, but they ALL are sent to my publicly listed email address in my git commits. I'm seriously considering turning that email into a honey pot.
I've been doing the same thing for nearly 20 years. In that time I've helped two site owners identify data breaches they were unaware of. I can also see evidence of several of the compromises identified in the "Have I Been Pwned" data set.
I have been doing the same for ~30 years now, and having an email address that established has its downsides - I’ve lost track of the number of times the trap has sprung. The most-recent was Tesla, though.
I did a lot of work on iCloud’s “Hide My Email”, and I’m involved (the DRI for) quite heavily in other privacy-focused work at iCloud. It’s something I feel strongly about.
You will notice a complete dearth of detail in the above on anything not already known outside of Apple...
It's generally fine to talk about something already public, and say you worked on it - there are projects that haven't released yet that I've worked on, and I absolutely will not talk about those until they are :)
I just started doing the same (~ a month ago). Within a week of creating an account for bestbuy, I started receiving spam to that address. Do you do anything when you catch someone, or just note it to yourself, block the address, and move on?
I've been doing this for maybe 10 or 15 years. It has given me evidence of several database breaches (such as Avvo, who still deny it) but as far as selling my data, I think I've only seen that happen with a Kickstarter campaign.
Surprisingly zero on one domain. Not because it's ineffective, but because it hasn't leaked as far as I can tell.
The other however has leaked, but that's because it's designed to - it's for social media where the email is available for use and has been abused by third parties.
I don't relish the prospect of getting tons of mail to <random-name>@mydomain. I do actually check my spam folder; I'm afraid that if I used a catch-all, that would become impractical.
Maybe it's just me, but I rarely receive catchall spam. I think some scummy company guessed mail@domain.tld but other than that the spam has only come to account names I've actually registered with.
I have aliased all the email addresses I know leaked to a special mail box that marks every email it receives as spam. The rest just ends up in the normal mail filtering system.
Probably should move towards random usernames instead of service@domain.tld at some point, oh well.
I worried about this as well (after I had set it up and started relying on it) but in practice I've only gotten spam to a handful of addresses that I didn't make up myself. Into a filter they go.
I get surprisingly little. There's about 15 addresses that are persistent, and they're all caught by the spam filters. The most important job is to set up SPF and DKIM properly so spammers can't impersonate your domain and send as though FROM you, rather than TO you.
Am I missing something here? I understand the "The IAB loves tracking users." part of the title, but where is the part about "But it hates users tracking them."? Based on the title, I would have expected an exception in their standard for themselves, or a story about how their own user tracking technology was used against them.
However, there is none of that. Just that the IAB does not want to make it easier for users to escape their tracking (which, given their purpose, is unfortunately entirely expected). What justifies "But it hates users tracking them."?
It was a quicker way of me writing "but hates users being able to track what their members are doing with user data".
The reason my email address for this site is `+ycombinator@...` is that I can track when dang decides to go rogue and sell my email to a Nigerian Prince.
Have you ever received any spam addressed to that account? I've signed up for countless services over the past decade, the only ones to ever spam me were university consulting groups back from the time I was applying to grad school.
I suspect that part of the title is referring to the section that discusses using different email addresses for different services, so you can tell who sold your email address.
>> What justifies "But it hates users tracking them."?
Users can tell which site gave away their email address by using the variants discussed. It's not tracking in the same sense, but it does allow tracking who respects privacy. It also allows throwing away junk mail where someone required an email address just to (for example) make a sale or use their wifi.
The later part refers to the plus addressing, like "han.solo+github@gmail.com", which people use to so that "If they later start receiving spam to that address, they know the service has leaked or sold their info.". Now the IAB requests that advertisers should normalise such addresses by dropping the part after the plus sign, and therefore effectively stopping users from "tracking" the advertisers.
nobody cares, email, along the majority of the internet as "computers talking protocols", is dead. The absolute majority of email is handled by gmail or microsoft, accounting for >80% of MX servers in the wild by the data i had five years back. I'd imagine the share of the duopoly is even larger today, considering how difficult it is to get into inbox these days.
(Web) developers have gotten lazier and simply don't care anymore. The fact of the matter is that if you don't host your email with one of the big three, some services are probably not working anyway. I'd also like websites to show me things like news and recipes without having them run javascript, but apparently this means I deserve white pages because writing HTML is too much of a hassle for the modern web developer.
It's quite sad to see. It's also the reason I'm using somethingunique@domain.tld;, if cyberstalkers start normalising to a domain, they'll only hurt their own business.
> I'd also like websites to show me things like news and recipes without having them run javascript, but apparently this means I deserve white pages because writing HTML is too much of a hassle for the modern web developer.
Often enough the content is there but just hidden until the JS loads for ... reasons, idk.
>and therefore effectively stopping users from "tracking" the advertisers.
I guess that's the nefarious explanation, but there's a more benign one: if you want to correlate user behavior, you need some sort of normalization, otherwise john.doe+apple@example.com and john.doe+amazon@example.com would show up as different "people" and cause match rates to suffer. Sure, getting tracked isn't great, but it's not exactly the hypocrisy rage-bait that the OP is implying.
Of course that's the goal. The IAB isn't an NSA front. The problem with advertising is not the primary goal, but all the secondary things that can happen.
If it's the goal, you'd expect ads to be actually be more relevant and useful to users.
They don't, which has been shown in studies. What has been shown is that showing the same things people already bought give people regret which increases total amount of purchases.
In other word, the goal is to not to give users a good experiences watching ad's. It is to make them buy more, which is an orthogonal goal.
Let’s say you’re DHS. You contact some person and have a conversation like this
Govt: “I need IP addresses, ideally cellular and known public wifi, of a person using this email address”.
Data broker: “Here’s the list including the most recent cellular IP address associated with that person at this timestamp and their most used public wifi locations.”
Govt: “Hey, cellular provider, where is this subscriber right now?”
Provider: “Here’s the lat/long, last seen 1 second ago. Happy hunting!”
How does that contradict what the parent poster is saying? Even though ad-tech companies make tracking individuals easier, it doesn't change the fact that it's still largely funded by advertising itself, not through some shady government shell company.
lokedhs said "ostensibly" because the internet advertising industry has long maintained the pretence that tracking users and showing them relevant ads is helpful to the user, when the truth is the advertising industry cares about the opinion of users like the thanksgiving industry cares about the opinion of turkeys - which is to say, not at all.
There's a reason these things are opt-out rather than opt-in.
The answer to marcus0x62's question - why would a person want advertisers to correlate their behavior - is that they wouldn't, and if they want to advocate for their own self-interest they should install an ad blocker.
I disagree: The main problem with advertising is with its primary goal, which is manipulting people into excess consumption. There are of course other secondary issues as well, but even without them ads are already a net negative for society.
In a logical world it would mean that you see fewer ads. If your matches increase, your price per ad goes up so the service needs to show you fewer ads to hit their ad revenue target for you.
But if you think that will happen I have an East River transportation startup in New York that is seeking an angel investor.
> the service needs to show you fewer ads to hit their ad revenue target for you.
In a logical world, yes.
In a capitalist world, that revenue target goes up every year. Apple became the richest company on earth selling hardware, yet here they are now drowning their software with ads.
I've come to the conclusion that we should just ban all advertising, completely. Any possible positives to allowing advertising are entirely dwarfed by the negatives.
I would love it if there were no ads. Seems like a dream though. Has any government tried it? If so, what kind of sneaky ads posing as content emerged? "Native ads" posing as content already exist. At least it's easy to tell the difference when the ad is out in the open and marked clearly.
I think this new sort of AI-powered language model assistant search will be interesting once it trickles into end user control. Injecting ads requires the model output to be under central control where the they can inject ads. But when we get to the point that we can just automate our browsers to fetch 1000 pages and generate summaries locally, ads will be toast. There is a massive battle for control over generalized computing brewing because the ad networks need to force us to not build.
So would you ban shop signs? What about a shop-sign that simply said "Cafe"? Or "Meals"? That would be the end of chain stores (which I would not regret).
I don't mind shop signs; I do mind posters all over the street-scene.
The Post Office delivers about 4X as much unaddressed junk advertising pizzas and estate agents than real mail, and I object to that. In this country (UK), anyone can stuff whatever junk they like in your mailbox; in the US, I believe only USPS can put anything in your mailbox. Are USPS allowed to deliver unaddressed pizza fliers?
The best argument in favour of advertising is that it makes it possible for a new entrant to a market to make an impression; without it, markets would always be dominated by incumbents, give or take the occasional surprise. I don't know how to capture that benefit, without ending up with the whole world covered in billboards.
We already regulate shop signs - compare e.g. streets in Asia vs. Europe. Completely different what is tolerated. Tolerating informative signage (e.g. non flashy signs telling you what shop you are looking at) is not incompatible with banning advertisements.
> The best argument in favour of advertising is that it makes it possible for a new entrant to a market to make an impression; without it, markets would always be dominated by incumbents, give or take the occasional surprise. I don't know how to capture that benefit, without ending up with the whole world covered in billboards.
I don't think that argument holds much water as ads require a big capital investment. The main reason new entrants need to advertise is because the incumbents are already advertising so you neeed to compete there just to get back the base level of engagement.
While that's true, the questions was specifically about the claim they are "drowning their software with ads". Providing a single example doesn't really support that claim.
You can get ads for their services (mostly Music an Arcade) in iOS settings (and IIRC System Settings on MacOS), unsolicited push notifications from App Store etc.
GP is exaggerating, but they definitely do seem to be increasing the number of ads in apps. Apple News (even the paid News+) has tons of ads, often after a single sentence in an article. In AppleTV+ (a service I love!) they’ve removed the image cards of shows in your up next queue on the “What to Watch” page and replaced them with a big auto-playing audio and video preview of one of their shows that’s not in your list. There’s no way to get the old functionality back. I’ve stopped using the app other than from the Home Screen where I have it set to show my “Up Next” queue. It’s really disgusting that they’re making these changes and it’s really turning me off of their services which I loved until recently.
Yeah; that's not benign. I don't want my behavior being "correlated" by a shady group of companies whose sole purpose is learning how to better manipulate me for their own profit.
I genuinely thought that the title meant that trying to request comments or positions about ad technologies to IAB will result to basically "I cannot reach IAB", but the content is not that.
Now, on the topic, this basically violates GDPR (anything that would reasonably allow individual identification needs consent and the user must be able to object to it).
Also, I'm not saying the workaround here, but assuming that you still want to use GMail (seriously?) this can still be frustrated (hint: Garfield Mail).
> As part of the UID2 API they specifically describe how an advertiser must "normalise" their users' email addresses.
>
> This means h.a.n.solo+iab@gmail.com becomes plain old hansolo@gmail.com
It seemed to be completely obvious to me even decades back, that the + scheme would be trivially parsed and reversed.
So I don't use it and just keep on making completely new aliases. So amazon gets amazon@example.com. If I'm not going to pay for anything on this account it also gets a random name from a random piece of well known media, like "Donald Duck", and all the data filled in randomly to ensure that it's not googleable, and doesn't correlate with any accounts anywhere else.
The bigger issue I see is the desire to link everything to a phone number. Even stuff made for privacy, like Signal.
Careful, if you use that at amazon, it's also completely trivial for amazon to notice and package you up as "@example.com" and flag "@example.com" on a central watchlist so others do the same.
Although a trick could be if you setup your service to run "service+username@example.com" then depending on how they implement their normalization, they'll chop off the username for you and track themselves.
What are you suggesting they would use such a central watchlist for? It's not like they're going to deny service to those who have "amazon" in their email address.
And what kind of centralization are you talking about? Sharing it with other companies? I'm as pessimistic about these things as they come but even to me that seems incredibly unlikely.
The scheme they're designing is for selling ads. Every site using their scheme has a rule to clean gmail addresses (thIs.is.mY.email+extRastUFf@gmail.com) to be "thisismyemail@gmail.com" then they hash that clean form to obtain "UNIQUEID#123232". Then they use the hash to ask the ad network "who wants to pay the most to show an ad to UNIQUEID#123232?". All the sites you login to and ad networks they use will know this same id.
If you do something obvious like use amazon@example.com at amazon, you should expect them to add a rule that blah_blah_anything@example.com gets cleaned up to "@example.com"
That can't be avoided short of having a mail service with plentiful full aliases on a shared domain. They could just use the heuristic that unless you're at one of the well known email providers like Gmail, your domain name might be personal and therefore count as part of your global identity, without even considering what comes before the @.
So it doesn't really matter much whether I go with amazon@example.com, or john.random@example.com.
To deal with that for good you'd need a pretty large set of domain names to use for this purpose.
There are already a growing number of services that won't even allow you to sign up unless you have an email at one of the large services. I never noticed until I started using my personal domain to separate work/personal after changing jobs recently.
When I tried signing up for the SNL app a few years ago with snlnbc@[mydomain.com], and then [randomnickname]@[mydomain.com], it failed, but then worked with a GMail address.
Which is all kinds of ironic, because I'm old enough to remember when free emails like hotmail.com and gmail.com were rejected by a lot of sites!
> If you do something obvious like use amazon@example.com at amazon, you should expect them to add a rule that blah_blah_anything@example.com gets cleaned up to "@example.com"
It seems like a very error prone thing to do automatically, while reaping little in return for the effort. How much do advertisers stand to gain by adding special case heuristics for "people who might be using an unshared email domain with a per-site local-part?"
If I give my email as me+amazon@gmail.com, normalizing it to me@gmail.com is just applying a bit of common knowledge about how an email service with billion(s?) of users handles the + sign in the local-part of an address. It's a carve out, but it's totally deterministic (for Gmail at least) and applies to a lot of users.
If I give my email as amazon@2d0d4809.com, normalizing it to @2d0d4809.com involves guesswork about that specific domain. I don't think normalizing away the + sign in the first case implies we should expect the latter to get normalized into a single identity as well.
I really don't know anything about the ad space but the linked project seems to indicate that ids get grouped into value classes. It describes IDs built off of normalized emails and also off of phone numbers to create identity-validated IDs which are of higher value in the ad market. Obviously phone numbers will be the most useful of the validated IDs and emails normalized.
Of course if you have "@gmail.com" that's not going to have any value vs the identity-validated alternative. But at the bargain bin end of the ad selling universe does "amazon@2d0d4809.com" that has never been seen anywhere except amazon have more value than "@2d0d4809.com" that has been seen recently in a handful of other places consistent with use by a single person? It's obviously not an identity-validated ID class, so it's not going to demand identity-validated bids. But having a tracking history might add a tiny bit to the bid. So I wouldn't put it past people to use that rule.
I don't even think the Heuristics would need to be that complex. Big email still uses reputation lists to determine if they should junk an email, so applying sender reputation, or lack thereof, to the domain part could be good enough to safely hash as an identity.
If you own your own domain, it's trivial for them to notice that it's a vanity domain for a single user or small group.
The only way to hide is to have thousands of friends with diverse interests using your domain.
Not really - in practice the tracking system can have a list of email providers and treat every other domain as one user (especially ones with catch-all setups).
I don't think it's trivial at all? I sign up with random first names and last names, my email address doesn't have the actual company name and I don't think there's that many people with vanity domains to justify adding code to track this use case.
Fastmail supports subdomain addressing, such that instead of "user+service@domain.com" you would use "service@user.subdomain.com", which will forward the message to "user@subdomain.com" and even file it into a folder for "service".
My solution to this is to always use '+' email addresses - IE: "fabs+hulu@domain.com" - and I filter out all e-mails that don't have the '+' suffix as the recipient.
This way dropping the suffix drops those e-mails in my spam folder. Them normalizing the address makes my spam filter more efficient - and I would like to thank them for it.
It's not about sending email. They hash the normalized email and use the hash to track activity across websites and services to build user profiles for real-time ad bids.
Facebook (of all places!) is one of the few companies that makes this transparent.
If you have a Facebook account, and live in GDPR-land, go check which companies illegally passed on your data (https://www.facebook.com/adpreferences/ad_settings -> Audience based advertising) and report them!
Back when I actually used my Gmail account, I found LOTS of sites that would refuse to accept an email address with a + in it. I attributed this to a mixture of incompetence and active malice.
These days I host my own mail server and use . as the sseparator, which has been working well for years.
Isn't it up to the email provider whether `+` and `.` are ignored in email addresses, won't removing them to "normalize" end up sometimes mapping different email addresses to the same identifier?
I guess maybe that edge case is not nearly as bad for the advertisers as failing to link the same person, so it's tolerable?
There is an RFC but it just mentions + as an example of a possible sub-address separator when discussing sub-addresses in Sieve filters. Whether or not + acts as a sub-address separator is server-dependent.
It’s even up to the email provider to make the local part completely or partially case-sensitive if they wish, but tell that to most government websites in the world. Probably a lost case at this point.
Periods are more of a Gmail-specific thing, but as you mention merging two people once in a blue moon is not a terrible price to pay for an analytics system, it’s not like it’s going to send mail to these addresses.
This. Have been doing this for years as whilst it's been very handy to prevent password leakage etc, it's also very interesting to see where my spam comes from; facebook@ is the biggest culprit.
LinkedIn, too. I get a bunch of recruiter spam addressed to my old LinkedIn email that was probably compromised in the big hack/scraping incident from a few years back. Good way to flag the sketchiest recruiters.
>The bigger issue I see is the desire to link everything to a phone number.
Yep, I've had my youtube account since before Google bought youtube in 2006. Just this week I noticed that I am no longer able to put URLs in the descriptions of videos I upload to youtube. I have to "verify" by giving them my phone number before any clickable URLs are allowed in descriptions. But apparently all URLs are clickable URLs. Additionally, even videos I uploaded in 2008, if I go to edit their descriptions now and I originally included a URL, I cannot submit it.
Phone number "verification" is nasty. I suppose this is the end of my almost 2 decades of using youtube to host videos.
As for email spam prevention, I've run my own mailserver with a domain since 2011. I give each service an actual unique email address and then just catch-all emails sent to my domain. It works great.
I think youtube's hegemony is past; it WAS the main point to upload your videos at some point because storage and bandwidth was expensive, and on-demand video conversion difficult and resource-intensive. But nowadays anyone can host videos on a $5/month shared server, with software to handle things like video conversion.
Youtube pivoted from "just" hosting videos to a community though, to the point where you won't get any views unless you are on youtube and play by their rules and network effects.
Depends on the videos, I think if you want someone to watch your 1080p@60fps without stutter like they do on youtube anywhere in the world you need edge architecture designed for video no? If so, I'd like to know the service which can do that for $5.
For static video you pretty much just need to serve it in a format browsers support with the correct MIME types, and make sure you have enough bandwidth.
Where it gets hairy is when you want to do live streaming…
This really doesn't work very well for a great many users.
You can have all the bandwidth in the world, but the magic that Youtube does is mainly dealing with the users' bandwidth, for example, it switches video resolution on the fly when it notices that frames are going to have to be dropped soon.
If only browsers would natively support adaptive quality video streaming. Perhaps we should ask the biggest browser vendor to implement that, surely they won't have any conflict of interest there.
Depends on the resolution. For short-ish clips with reasonable sizes it is not that much at all - as can be seen with the Fediverse as well as commercial social networks all having their own video hosting.
> to put URLs in the descriptions [...] Phone number "verification" is nasty
Spam is a huge problem for any large platform with free accounts, and there aren't a lot of good options to prevent it. One set of mitigations is around increasing the cost of an identity. Email addresses are infinite and free, but working phone numbers are limited and usually cost money. So gating spammer-desired activities on phone numbers makes sense from their perspective. They could get a similar effect by requiring a credit card number, but people hate that even more.
If you'd like to work around this, I'd suggest getting another number for just this. Google Voice will give you one for free, and the Burner app will do it for $5/month if you sign up via web. Or in my case, my ISP gives me a free landline number with my internet service, which is great for this sort of thing.
I get your point, but I have to pick my battles. I disagree with quite a lot of business practices. If I wanted ethical purity under capitalism, in short order I'd be subsistence farming and living the grim life of a preindustrial peasant. Which would be then giving up any power I might have to change the system. That strikes me as even less ethical, however pure it might be.
Heck, if I wanted ethical purity, I wouldn't be here contributing free content to YC. But I think the net good outweighs the net harm, so here I am.
> Email addresses are infinite and free, but working phone numbers are limited and usually cost money.
In many parts of the world, getting a phone number requires recording your government ID with the carrier (and burners are illegal, though usually for the carrier not the consumer), so the calculus then becomes “to prove you’re not a spammer, give up everything about your identity that was or ever will be known”. Which, no.
(There’s a reason why Russian democracy activists are divided between a “use Signal, everybody else is dodgy as all get out” camp and a “fuck no, don’t use Signal, doxxing you will be slipping $20 to a random SIM card salesman” camp. But parts of Western Europe are the same, and some are even ahead on e.g. unavailability of anonymous stored-value cards for transport or mandating testimony against yourself wrt encrypted storage.)
This is somewhat of a bullshit argument. Not on your part! But on those who typically use it as justification.
Because there are two independent components to such a system: {increase cost of identity} + {protect privacy of identity}
When it's offered/justified to combat spam... the implication is that the solution will deliver both promises.
In reality, the first (concept of identity) gets built, marketing/sales realizes they can abuse the hell out of it for their ends, the second (privacy protection) gets overruled at the VP/C* level, and any privacy protections are quietly never implemented.
This happens again. And again. And again.
Google is probably the best case ethical scenario here, in regards to having standards around privacy data stewardship, and even they abuse it frequently when the profit is too large to ignore.
The only reasonable takeaway is that any system that permits mass tracking is too dangerous to privacy to allow to exist, and all should be opposed.
Or, as GDPR does, render companies liable for omissions from a privacy perspective.
That is another possible mitigation, but is also not a perfect one. Valuing old accounts increases the incentive to steal old accounts and to create sleeper spam accounts that you let age until you're past the bar.
Ignoring the good in pursuit of the perfect is a cause of many ills. Consider the gross loss of trust when someone who has had an account for 16 years, almost since the establishment of the platform, is treated with suspicion. Businesses owe some accountability to their customers, including free users whose data they sell.
Advertising and tracking a bigger problems than spam IMO.
The most ridiculous part of this phone-verification BS is that many companies (e.g. Twitter, Discord) let you create an account without it but will then demand a number at some point later. This only hurts real users because spammers can just switch IPs and create a new account that they can use for a while.
> Google Voice will give you one for free
And what information do you have to give Google for that number so that you can avoid giving your phone number to Google?
> 1. Some people do not own phones, or do not wish to provide you with their telephone number when asked. Do not require a user to provide a phone number unless it is essential, and whenever possible try to provide a fallback to accommodate these users.
> Do not require a user to provide a phone number unless it is essential
And note that a phone number is the number for calling a telephone, not some jumped-up pager. They want a mobile number so they can send you SMS messages. I hate SMS, and I deplore it's use as a part of any kind of security protocol.
If you don't intend to speak to me, you don't need my phone number. If you do, then my (VOIP) landline will serve you fine.
Is "your policies must be fully consistent with any advice given in any of your open source repos" really a standard we should hold big companies to? Because if we treat open-sourcing a text file of recommendations as the company making a statement or commitment to that effect, companies will be way more limited in what they allow their engineers to make public this way. With chilling effects that go beyond semi-humorous recommendations. ("Do you really want to try to open-source this library? You know how frustrating Legal and PR can be to deal with...")
I'm using it metaphorically here, perhaps inappropriately.
What I'm trying to say is that there is a thing that is positive and we'd like to see more of (companies releasing things as open source) and there is an adjacent thing that we are considering pushing back against (companies including things in their repos which conflict with their actions). While it should be possible to discourage only the latter, in practice the effect would spill over to the former.
I think calling them out is fine! If a company has a harmful policy, definitely go ahead and say so. I'm specifically objecting here to calling them out as hypocrites, for having a policy that is in conflict with advice in one of their open source repos.
> I suppose this is the end of my almost 2 decades of using youtube to host videos.
As a user I can only hope that more people do stop using YouTube, preferrably choosing something that serves video files directly instead.
> As for email spam prevention, I've run my own mailserver with a domain since 2011. I give each service an actual unique email address and then just catch-all emails sent to my domain. It works great.
This works but only because running your own mail server is too uncommon for anyone to care about. If it was more common, the advertisers or other privacy violators would specifically check for catch-all domains and then strip the entire local part of the email for your user id.
Re: phone numbers, the blocking of google voice style numbers is pretty dirty. Even openai requires a number that supports advertising in order to sign up for ChatGPT.
The problem with most of those tricks is that they can be countered in some way, so I feel this is one of the areas where your security has to rely to some extent on obscurity (or the fact that it's too rare in the wild to be worth countering).
But I do have a question, have you found a programmatic way to create aliases / a provider that offers an API for that? Because that seems like one of the main usability downsides to your approach.
That's why for Firefox Relay [1], we recommend using random email masks, and why I use it over my own catch-all domain for unimportant things.
We do support your own catch-all subdomain, but that is just to cover the use case of having to come up with an email mask on-the-spot. If you are filling in a web form, best to use an email address that looks exactly like the email addresses of other Relay users.
Yep, credit cards are definitely of interest to us too, but unfortunately we haven't been able to find a way to do so in a privacy-friendly manner yet, which is the entire point.
I do the alias thing, but I've been getting spam email lately that simply doesn't have my email anywhere within it, and I'm not sure how to deal with it. Honestly I'd expect it to be dropped at somewhere in the pipeline, but I can't find an option to deal with it in Thunderbird at the least.
The raw email received almost certainly does have your email in it. Your problem is your client isn't displaying it to you. In fact email has a lot of redundant information in it to administrators debug problems, and just about all of it won't be displayed by your typical email client as it would be confusing to most people.
Some clients will display the "raw, as received" email if you ask them too. GMail has a "Show Original" menu item for example. In there, you will find "Received: ... for <XXXXXX@gmail.com>". The exact form does vary between systems, but it's almost always there.
Also, the character that might be used to delineate aliases can be defined, at least if you have control of the email host. Some hosts will complain about their name as part of the email address, but usually some near-match will suffice.
> It seemed to be completely obvious to me even decades back, that the + scheme would be trivially parsed and reversed.
I was expecting to see that, too but in more than 15 years of running my own mailserver i don't think i have had an attacker that has removed the suffix when trying to phish me. These attacks are automated. Your address is just one of many that is being harvested and sold to someone else who conducts the phishing campaign.
I honesty think the only way to deal with organisations like this is to publicly post their names and addresses and encourage the general public to follow them around in real life, everywhere they go. Crowds of people following them round the supermarket watching what they put in their basket might finally make them realise what they're doing.
> There's a reason these people live in gated communities and don't let their kids use their apps.
Given the turmoil that the "Elon Jet Tracker" created it seems like tracking still pisses these people off despite their wealth and gated communities/etc.
Time for trackers for pro-tracking execs, politicians and incompetent regulators (such as the previous head of UK's privacy regulator who did zero substantial enforcement during 4 years of blatant GDPR breaches, or whoever is heading the corrupt Irish DPA who's in cahoots with Facebook)?
Fastmail's masked email, in addition to iCloud's hide my email, are great alternatives to massaging your address with a . or a + ... Both of those require payment. I'm really really happy with Fastmail (and use iCloud too), but wonder what the allure of Gmail still is (other than cost)?
> what the allure of Gmail still is (other than cost)?
You need one to use Play Store on Android. At least I think you need a GMail one. Even if not, the Play Store and the Android OS itself make it seem like you need one, from the second you turn a brand new phone on. The funneling is quite heavy here.
(Heavy enough that almost everyone in my family uses a GMail account mostly just for the Play Store. My wife and I pay for Fastmail, some of other members of my immediate family have primary e-mail with a local free mail provider, but everyone found it easier to use an old (or make a new) Google account with their Android phones, instead of figuring out how to make it work with non-Google e-mail.)
> UID2 is a framework that enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem.
Can we get stochastic therapeutic benefit from watching them thrive as a tight knit community in cutting edge plexiglass dormitories, please?
I used google's "+" addresses for a while, but it was obvious that this wouldn't last. Apple's disposable email addresses are a great tool to solve this once and for all.
What happens if you stop paying for the iCloud service? Obviously you won't be able to create new hidden addresses, but do the old ones continue to receive mail?
It's not a Google-specific feature; it's part of the email spec (albeit an optional one). iCloud email supports them too, and I've been using them on both my Gmail and iCloud emails for a while now.
Back in the invite-only beta days, I signed up for a firstName.lastName@gmail.com address. It appears that years later someone else signed up using the same first and last name but without the dot, and that they are distinct gmail accounts.
In my situation, "the other guy" ends up using MY first.last@g as HIS spam email; this has led to some embarrassing FWDs to his wife [from me], as he mistakenly provided their home phone number in to one of his spammers (so I got it, as he had used my email [instead of his] to keep spam out of his inbox).
Too much fun, telling his wife about his porn-viewing habits and other miscellaneous secrets.
I don't use email anymore, but I maintain this account just because it pisses him off... I think this high-up at some tech company (that shares my same name) secretly expects me to just hand over the account I signed up for fifteen years ago, now... not happening, Mr. S.
Here we have a great example of an advantage of running your own mail server. You like subaddressing? Just use a different "recipient_delimiter" in your configuration - almost endless possibilities!
PSA: many (most?) paid email providers allow catch-all email addresses on your own domain. I use this to give ever vendor their own personal email address:
hn@foobar.com, github@foobar.com, twitter@foobar.com, homedepot@foobar.com, etc.
I currently use Protonmail and have been very happy with them, though I’ve been eyeing Hey!.
And they allow arbitrary rules for processing incoming mail, so you can use characters other than the plus sign. And you can also take addresses that have been compromised by spammers and route them right to your spam trainer, so that spammers help improve your defenses.
I have a catch-all setup so any email sent to my domain, that is not a registered email, goes to a specific account. Then I just create a new email for each site. I also use Sieve rules (Fastmail) to process emails. Each email address for a specific site uses that site's dns name (amazon.com@foo.tld). If an email is sent to an address and the sender's domain doesn't match the left side of the "@" (with or without dots) than it's considered spam and I send myself an email saying someone likely sold my data.
Works great with Bitwarden's new username generation feature. I can create new accounts in a push of a button now.
Here is the relevant part of my sieve rule. Just know that you can switch the :contains to :is this would make it so the localpart would have to match the sender domain exactly. I'd do this but I initially wasn't using the full dns name for my localparts:
# Account sorting
set "domain_name" "acct.ninja";
if address :domain "To" "${domain_name}" {
if address :localpart :matches "To" "+" {
set :lower :upperfirst "addr" "${1}";
set :lower :upperfirst "subaddr" "${2}";
if not address :domain :contains "From" "${addr}" {
fileinto :create "SPAM";
} else {
fileinto :create "INBOX.Accounts.${addr}.${subaddr}";
}
stop;
} elsif address :localpart :matches "To" "*" {
set :lower :upperfirst "addr" "${1}";
if not address :domain :contains "From" "${addr}" {
fileinto :create "SPAM";
} else {
fileinto :create "INBOX.Accounts.${addr}";
}
stop;
}
}
Very interesting! I hadn't thought of having specific folders by the tag. I'll have to look carefully at my incoming mail and see how I can adapt this. Thanks!
In addition to this kind of tracking (unless explicitly opt-in with a compliant consent flow without any dark patterns) being in breach of the GDPR, I wonder if such mangling of the e-mail address would also be in breach of the right to rectification?
Let's assume you willingly opt-in to tracking but for whatever reason want to be tracked under "h.a.n.solo+iab@example.com" and not "hansolo@example.com" (because maybe example.com doesn't strip out + and . characters, so the two addresses are actually separate users), them not allowing you to change it back to your real address (without their normalisation process) might be a breach of the right to rectification as they'd be holding inaccurate personal data about you.
Of course this is all completely philosophical as GDPR enforcement is not only severely lacking but is nowhere near technical enough to dig into such detail.
I imagine you can't rectify a UUID I associate with your account. The same way, you can't rectify a normalized email field that has the correct email, but normalized.
this isn’t just IAB, this was noted as standard behavior for large data brokers by a privacy researcher [1] years ago
Email and phone number matching is part of their core service offered by Oracle’s Bluekai, one the largest data-broker platforms in the world [2]. They have most large global companies using their platform.
> You can convert users' email addresses and phone numbers to SHA-256 hashed IDs called oHashes and send them to the platform. They will be synchronized with the network of user profiles that are linked together in the Oracle ID Graph, which is used to manage IDs and user attributes for all Oracle Data Cloud platform customers.
> This synchronization optimizes the targeting and communication of your users across desktop and mobile devices and media execution platforms. oHashes enable you to increase your offline to online match rates, connect your Responsys platform to the Oracle Data Cloud platform, and execute cross-device targeting.
…
> the [normalization / oHash] function enforces UTF-8 character encoding, lowercases all characters in the email address, verifies that it has the “@” symbol, and removes all special characters, punctuation, and spaces.
…
Both Google and FaceBook also expect clients to send phone + email (hashed) to build retargeting lists from customer data. They each have a different name for the feature [3]
I wonder if there is a way to poison the system. E.g., flood it with accounts that look very attractive to bidders so they pay a lot for adverts that never pay anything.
I'm fine with context-based adverts based on and next to the content I'm reading, and have actually found some good products & services that way. But the tracking is not ok in any form (and from what I've read, basically doesn't work and is also defrauding the advertisers), so anything to destroy that model would be a net benefit to society.
The only real solution is an ad blocker. I worked at an ad tech company. We all ran ad blockers. The hypocrisy is through the roof.
This is the best solution because it severely negatively affects the ecosystem.
Publishers make less, so they crank up the ad density for the remaining users. That increases user resentment and suppresses the per-ad cost, enabling much crappier ads to run on the website. That also increases user resentment and suppresses the per-ad cost, and the glorious cycle continues.
Wouldn't something like AdNauseam be better? Even if the anti-abuse mechanisms successfully detect it, it would still consume resources, which seems better than simply blocking the ads? Plus if your IP/browser fingerprint gets blacklisted you may end up in a situation where you get banned from further ads and may not even need as much blocking/etc as advertisers preemptively block you?
While I love the idea, I decided against AdNauseam because I was worried about Google AI labeling my account and/or IP as perpetrator of click fraud and banning my (or others') personal or work accounts in retaliation. It's not something I ever want to deal with or have to explain to someone else.
Run it if you want. But if you run AdNauseam, people are still getting paid. The publisher, the ad network, the ad agency.
The advertiser is getting screwed, but the other parties will work really hard to explain it away to them. "You're getting great engagement with the creative -- you clearly just need to improve the landing page experience."
For me, my balance is that I'll run an ad blocker and whitelist sites that (a) create original content and (b) don't abuse me as a viewer.
> The only real solution is an ad blocker. I worked at an ad tech company. We all ran ad blockers. The hypocrisy is through the roof.
I used to run a website that made money off of ads, and specifically ran an adblocker to avoid being banned by Google for mistakenly clicking on my own ads. Worked so well that I just left it on everywhere else.
Yup, already doing that (FFox, NoScript, it's a bit of a pain to maintain on a new install, but seems pretty effective).
I was thinking of something like the Blue Frog anti-spam system that automated complaints to get people taken off the system. I know they generated so much heat that they became retaliation & DDOS targets and shut down, but it seems something along the lines of automating complaints & defensive actions might have a role...
IAB will try to do everything to go pre-GDPR, where it could track users across the whole web. Without explicit consent, forwarding an ID like e-mail address is illegal, of course.
Once upon a time, i used a catchall @domain and it was trivial to track email disclosures. I think it's more private to maintain an individual alias as a throwaway proxy address per service, but it's more work.
I was hoping "tracking the IAB" meant names and addresses of its key members. Fighting an amorphous organization is hopeless - targeting people is far more effective.
Well, if you know which users are part of this GitHub organisation (their public member list is empty, ironically), you might be able to grab their real emails from their Git commits. What you do with them I'll leave up to your imagination...
The specific user who responded with "we thought long about this update and ultimately as it stands today it is not a change we would like to add" uses their @users.noreply.github.com email for Git, but their employer and hometown are public on their profile, and a quick search gives you the mail address. While I live nearby, I don't intend on paying them a visit, plus it seems to be a shared office highrise, but I might just write them a strongly-worded letter.
274 comments
[ 4.3 ms ] story [ 295 ms ] threadWow, that's pretty scummy behaviour! I wonder what the rationale is behind this?
People are constantly trying to use any service for illicit purposes. A somewhat-easy way to deal with that is to just ban them. Because an email address is used as username and an email address usually maps 1:1 to a person, this means you just got rid of a Bad Person.
This breaks if access to new email addresses is trivial. You now have to invest actual effort into validating that a new account isn't someone trying to do bad stuff.
Or you can just block all the services providing easy access to email addresses and outsource the issue to big providers like GMail and Apple. It's a lot less effort, and you'll lose near-zero legitimate customers...
I'm not inclined to give any service the benefit of the doubt here until there is some evidence that Apple emails are indeed being used for this purpose. I haven't seen any such evidence (but I'm open to it).
For others a domain, a mail provider works best with catch-all.
What does HN say, do we trust them for this?
It displays this caution twice:
"Note: this choice may limit your ability to access ad supported content."
You are talking about IAB. At no point in the process is IAB is concerned about you, the user. This move is intentional.
BTW they've already been fined for other scummy behaviour https://proprivacy.com/privacy-news/iab-consent-popups-ruled...
Oh and none of the involved entities ever acknowledged the leaks. I'd also be highly interested in the rates other people encounter.
I get a ton of spam, but they ALL are sent to my publicly listed email address in my git commits. I'm seriously considering turning that email into a honey pot.
I did a lot of work on iCloud’s “Hide My Email”, and I’m involved (the DRI for) quite heavily in other privacy-focused work at iCloud. It’s something I feel strongly about.
It's generally fine to talk about something already public, and say you worked on it - there are projects that haven't released yet that I've worked on, and I absolutely will not talk about those until they are :)
It's not worth trying to retaliate because these things come from addresses that aren't monitored, for the 99% case...
I do make a point of telling people how shitty the company is though.. Like Tesla for example :)
The other however has leaked, but that's because it's designed to - it's for social media where the email is available for use and has been abused by third parties.
I don't relish the prospect of getting tons of mail to <random-name>@mydomain. I do actually check my spam folder; I'm afraid that if I used a catch-all, that would become impractical.
I have aliased all the email addresses I know leaked to a special mail box that marks every email it receives as spam. The rest just ends up in the normal mail filtering system.
Probably should move towards random usernames instead of service@domain.tld at some point, oh well.
However, there is none of that. Just that the IAB does not want to make it easier for users to escape their tracking (which, given their purpose, is unfortunately entirely expected). What justifies "But it hates users tracking them."?
The reason my email address for this site is `+ycombinator@...` is that I can track when dang decides to go rogue and sell my email to a Nigerian Prince.
Think of it like sousveillance.
Even some big companies aren't immune to a dodgy contractor walking off with a contact list.
Then when you receive spam/unsolicited marketing emails, you can see to which email the spam was sent, and therefore which company sold your data.
This suggests the only way to keep this behaviour is to have your own email hosted and use a truly different email per service.
Users can tell which site gave away their email address by using the variants discussed. It's not tracking in the same sense, but it does allow tracking who respects privacy. It also allows throwing away junk mail where someone required an email address just to (for example) make a sale or use their wifi.
Defeatism here helps noone.
It's quite sad to see. It's also the reason I'm using somethingunique@domain.tld;, if cyberstalkers start normalising to a domain, they'll only hurt their own business.
Often enough the content is there but just hidden until the JS loads for ... reasons, idk.
I guess that's the nefarious explanation, but there's a more benign one: if you want to correlate user behavior, you need some sort of normalization, otherwise john.doe+apple@example.com and john.doe+amazon@example.com would show up as different "people" and cause match rates to suffer. Sure, getting tracked isn't great, but it's not exactly the hypocrisy rage-bait that the OP is implying.
In practice, it's not of course, but that's the answer you'd get if you ask them.
They don't, which has been shown in studies. What has been shown is that showing the same things people already bought give people regret which increases total amount of purchases.
In other word, the goal is to not to give users a good experiences watching ad's. It is to make them buy more, which is an orthogonal goal.
Govt: “I need IP addresses, ideally cellular and known public wifi, of a person using this email address”.
Data broker: “Here’s the list including the most recent cellular IP address associated with that person at this timestamp and their most used public wifi locations.”
Govt: “Hey, cellular provider, where is this subscriber right now?”
Provider: “Here’s the lat/long, last seen 1 second ago. Happy hunting!”
There's a reason these things are opt-out rather than opt-in.
The answer to marcus0x62's question - why would a person want advertisers to correlate their behavior - is that they wouldn't, and if they want to advocate for their own self-interest they should install an ad blocker.
Nobody asks for the steak’s opinion when planning a BBQ.
But if you think that will happen I have an East River transportation startup in New York that is seeking an angel investor.
In a logical world, yes.
In a capitalist world, that revenue target goes up every year. Apple became the richest company on earth selling hardware, yet here they are now drowning their software with ads.
So would I; they're disfiguring ugly.
So would you ban shop signs? What about a shop-sign that simply said "Cafe"? Or "Meals"? That would be the end of chain stores (which I would not regret).
I don't mind shop signs; I do mind posters all over the street-scene.
The Post Office delivers about 4X as much unaddressed junk advertising pizzas and estate agents than real mail, and I object to that. In this country (UK), anyone can stuff whatever junk they like in your mailbox; in the US, I believe only USPS can put anything in your mailbox. Are USPS allowed to deliver unaddressed pizza fliers?
The best argument in favour of advertising is that it makes it possible for a new entrant to a market to make an impression; without it, markets would always be dominated by incumbents, give or take the occasional surprise. I don't know how to capture that benefit, without ending up with the whole world covered in billboards.
> The best argument in favour of advertising is that it makes it possible for a new entrant to a market to make an impression; without it, markets would always be dominated by incumbents, give or take the occasional surprise. I don't know how to capture that benefit, without ending up with the whole world covered in billboards.
I don't think that argument holds much water as ads require a big capital investment. The main reason new entrants need to advertise is because the incumbents are already advertising so you neeed to compete there just to get back the base level of engagement.
Where? I use Apple hardware basically exclusively. Are they that good in hiding the ads, or are you exaggerating a bit?
- App Store (biggest offender)
- Apple News
- Stocks
This year they'll be rolling them out into Apple Maps as well.
So you want to keep cost per impression up. You would not want to saturate and devalue.
Better to play 10 ads at 10c each vs 20 ads at 4 or 5c, as high ad load impacts users propensity to return to the service.
>Sure, getting tracked isn't great, but it's not exactly the hypocrisy rage-bait that the OP is implying.
That in and of itself is nefarious.
Ultimately they cannot win this fight.
Nothing, I think, since there’s no indication the normalized email will be used to send email.
The normalization is for connecting together identities against the wish of the user, which is a different issue.
Now, on the topic, this basically violates GDPR (anything that would reasonably allow individual identification needs consent and the user must be able to object to it).
Also, I'm not saying the workaround here, but assuming that you still want to use GMail (seriously?) this can still be frustrated (hint: Garfield Mail).
https://github.com/IABTechLab/uid2docs/tree/main/api#email-a...
It seemed to be completely obvious to me even decades back, that the + scheme would be trivially parsed and reversed.
So I don't use it and just keep on making completely new aliases. So amazon gets amazon@example.com. If I'm not going to pay for anything on this account it also gets a random name from a random piece of well known media, like "Donald Duck", and all the data filled in randomly to ensure that it's not googleable, and doesn't correlate with any accounts anywhere else.
The bigger issue I see is the desire to link everything to a phone number. Even stuff made for privacy, like Signal.
Although a trick could be if you setup your service to run "service+username@example.com" then depending on how they implement their normalization, they'll chop off the username for you and track themselves.
And it still has the advantage that I can remove an alias and it's not obvious what the main account it leads to is.
And what kind of centralization are you talking about? Sharing it with other companies? I'm as pessimistic about these things as they come but even to me that seems incredibly unlikely.
If you do something obvious like use amazon@example.com at amazon, you should expect them to add a rule that blah_blah_anything@example.com gets cleaned up to "@example.com"
So it doesn't really matter much whether I go with amazon@example.com, or john.random@example.com.
To deal with that for good you'd need a pretty large set of domain names to use for this purpose.
I’ve been using my own domain since the late 90s, and I’ve never run into this.
Which is all kinds of ironic, because I'm old enough to remember when free emails like hotmail.com and gmail.com were rejected by a lot of sites!
It seems like a very error prone thing to do automatically, while reaping little in return for the effort. How much do advertisers stand to gain by adding special case heuristics for "people who might be using an unshared email domain with a per-site local-part?"
If I give my email as me+amazon@gmail.com, normalizing it to me@gmail.com is just applying a bit of common knowledge about how an email service with billion(s?) of users handles the + sign in the local-part of an address. It's a carve out, but it's totally deterministic (for Gmail at least) and applies to a lot of users.
If I give my email as amazon@2d0d4809.com, normalizing it to @2d0d4809.com involves guesswork about that specific domain. I don't think normalizing away the + sign in the first case implies we should expect the latter to get normalized into a single identity as well.
Of course if you have "@gmail.com" that's not going to have any value vs the identity-validated alternative. But at the bargain bin end of the ad selling universe does "amazon@2d0d4809.com" that has never been seen anywhere except amazon have more value than "@2d0d4809.com" that has been seen recently in a handful of other places consistent with use by a single person? It's obviously not an identity-validated ID class, so it's not going to demand identity-validated bids. But having a tracking history might add a tiny bit to the bid. So I wouldn't put it past people to use that rule.
This way dropping the suffix drops those e-mails in my spam folder. Them normalizing the address makes my spam filter more efficient - and I would like to thank them for it.
And of course with such a small fine it's basically guaranteed they will continue breaching it since it makes them way more money.
I'm sure there's a lot of "underground" data transactions happening where the source of data is obfuscated.
If you have a Facebook account, and live in GDPR-land, go check which companies illegally passed on your data (https://www.facebook.com/adpreferences/ad_settings -> Audience based advertising) and report them!
These days I host my own mail server and use . as the sseparator, which has been working well for years.
I guess maybe that edge case is not nearly as bad for the advertisers as failing to link the same person, so it's tolerable?
However it appears the IAB UID2 README says to only normalize pluses/periods for gmail.com addresses: https://github.com/IABTechLab/uid2docs/blob/main/api/README....
Periods are more of a Gmail-specific thing, but as you mention merging two people once in a blue moon is not a terrible price to pay for an analytics system, it’s not like it’s going to send mail to these addresses.
Yep, I've had my youtube account since before Google bought youtube in 2006. Just this week I noticed that I am no longer able to put URLs in the descriptions of videos I upload to youtube. I have to "verify" by giving them my phone number before any clickable URLs are allowed in descriptions. But apparently all URLs are clickable URLs. Additionally, even videos I uploaded in 2008, if I go to edit their descriptions now and I originally included a URL, I cannot submit it.
Phone number "verification" is nasty. I suppose this is the end of my almost 2 decades of using youtube to host videos.
As for email spam prevention, I've run my own mailserver with a domain since 2011. I give each service an actual unique email address and then just catch-all emails sent to my domain. It works great.
Youtube pivoted from "just" hosting videos to a community though, to the point where you won't get any views unless you are on youtube and play by their rules and network effects.
Where it gets hairy is when you want to do live streaming…
linux?
a $5 vps running any webserver and an sftp client on your phone will do.
You can have all the bandwidth in the world, but the magic that Youtube does is mainly dealing with the users' bandwidth, for example, it switches video resolution on the fly when it notices that frames are going to have to be dropped soon.
> to put URLs in the descriptions [...] Phone number "verification" is nasty
Spam is a huge problem for any large platform with free accounts, and there aren't a lot of good options to prevent it. One set of mitigations is around increasing the cost of an identity. Email addresses are infinite and free, but working phone numbers are limited and usually cost money. So gating spammer-desired activities on phone numbers makes sense from their perspective. They could get a similar effect by requiring a credit card number, but people hate that even more.
If you'd like to work around this, I'd suggest getting another number for just this. Google Voice will give you one for free, and the Burner app will do it for $5/month if you sign up via web. Or in my case, my ISP gives me a free landline number with my internet service, which is great for this sort of thing.
Beyond the moral argument, it’s easy to be in a situation where you get locked out because you no longer have access to a temporary phone number etc.
Heck, if I wanted ethical purity, I wouldn't be here contributing free content to YC. But I think the net good outweighs the net harm, so here I am.
In many parts of the world, getting a phone number requires recording your government ID with the carrier (and burners are illegal, though usually for the carrier not the consumer), so the calculus then becomes “to prove you’re not a spammer, give up everything about your identity that was or ever will be known”. Which, no.
(There’s a reason why Russian democracy activists are divided between a “use Signal, everybody else is dodgy as all get out” camp and a “fuck no, don’t use Signal, doxxing you will be slipping $20 to a random SIM card salesman” camp. But parts of Western Europe are the same, and some are even ahead on e.g. unavailability of anonymous stored-value cards for transport or mandating testimony against yourself wrt encrypted storage.)
1. Despite this, spam thrives on Google.
2. What happened to using AI to fight spam? Trained and intelligent humans can discern spam without knowing identity.
3. This still won’t prevent other email providers sending spam to Gmail.
4. Safety is often used as justification for more $$$.
Because there are two independent components to such a system: {increase cost of identity} + {protect privacy of identity}
When it's offered/justified to combat spam... the implication is that the solution will deliver both promises.
In reality, the first (concept of identity) gets built, marketing/sales realizes they can abuse the hell out of it for their ends, the second (privacy protection) gets overruled at the VP/C* level, and any privacy protections are quietly never implemented.
This happens again. And again. And again.
Google is probably the best case ethical scenario here, in regards to having standards around privacy data stewardship, and even they abuse it frequently when the profit is too large to ignore.
The only reasonable takeaway is that any system that permits mass tracking is too dangerous to privacy to allow to exist, and all should be opposed.
Or, as GDPR does, render companies liable for omissions from a privacy perspective.
The most ridiculous part of this phone-verification BS is that many companies (e.g. Twitter, Discord) let you create an account without it but will then demand a number at some point later. This only hurts real users because spammers can just switch IPs and create a new account that they can use for a while.
> Google Voice will give you one for free
And what information do you have to give Google for that number so that you can avoid giving your phone number to Google?
> 1. Some people do not own phones, or do not wish to provide you with their telephone number when asked. Do not require a user to provide a phone number unless it is essential, and whenever possible try to provide a fallback to accommodate these users.
What a bunch of hypocrites.
And note that a phone number is the number for calling a telephone, not some jumped-up pager. They want a mobile number so they can send you SMS messages. I hate SMS, and I deplore it's use as a part of any kind of security protocol.
If you don't intend to speak to me, you don't need my phone number. If you do, then my (VOIP) landline will serve you fine.
I would amend that just a little: If I don't intend to have you speak to me, you don't need my phone number.
Is "your policies must be fully consistent with any advice given in any of your open source repos" really a standard we should hold big companies to? Because if we treat open-sourcing a text file of recommendations as the company making a statement or commitment to that effect, companies will be way more limited in what they allow their engineers to make public this way. With chilling effects that go beyond semi-humorous recommendations. ("Do you really want to try to open-source this library? You know how frustrating Legal and PR can be to deal with...")
I don't think that term means what you think it means.
What I'm trying to say is that there is a thing that is positive and we'd like to see more of (companies releasing things as open source) and there is an adjacent thing that we are considering pushing back against (companies including things in their repos which conflict with their actions). While it should be possible to discourage only the latter, in practice the effect would spill over to the former.
As a user I can only hope that more people do stop using YouTube, preferrably choosing something that serves video files directly instead.
> As for email spam prevention, I've run my own mailserver with a domain since 2011. I give each service an actual unique email address and then just catch-all emails sent to my domain. It works great.
This works but only because running your own mail server is too uncommon for anyone to care about. If it was more common, the advertisers or other privacy violators would specifically check for catch-all domains and then strip the entire local part of the email for your user id.
[0] https://www.spamex.com
That it also prevents ad tracking is even better.
The problem with most of those tricks is that they can be countered in some way, so I feel this is one of the areas where your security has to rely to some extent on obscurity (or the fact that it's too rare in the wild to be worth countering).
But I do have a question, have you found a programmatic way to create aliases / a provider that offers an API for that? Because that seems like one of the main usability downsides to your approach.
I’ve had quite a lot of third party junk mail with this kind of stuff on it over the years.
We do support your own catch-all subdomain, but that is just to cover the use case of having to come up with an email mask on-the-spot. If you are filling in a web form, best to use an email address that looks exactly like the email addresses of other Relay users.
[1] https://relay.firefox.com/
Some clients will display the "raw, as received" email if you ask them too. GMail has a "Show Original" menu item for example. In there, you will find "Received: ... for <XXXXXX@gmail.com>". The exact form does vary between systems, but it's almost always there.
I have a throwaway SIM for that
I was expecting to see that, too but in more than 15 years of running my own mailserver i don't think i have had an attacker that has removed the suffix when trying to phish me. These attacks are automated. Your address is just one of many that is being harvested and sold to someone else who conducts the phishing campaign.
All bills which gather or correlate data must be applied such that their provisions first be applied to legislators.
Or something like that
There's a reason these people live in gated communities and don't let their kids use their apps.
Given the turmoil that the "Elon Jet Tracker" created it seems like tracking still pisses these people off despite their wealth and gated communities/etc.
Time for trackers for pro-tracking execs, politicians and incompetent regulators (such as the previous head of UK's privacy regulator who did zero substantial enforcement during 4 years of blatant GDPR breaches, or whoever is heading the corrupt Irish DPA who's in cahoots with Facebook)?
https://www.iab.com/our-story/
You need one to use Play Store on Android. At least I think you need a GMail one. Even if not, the Play Store and the Android OS itself make it seem like you need one, from the second you turn a brand new phone on. The funneling is quite heavy here.
(Heavy enough that almost everyone in my family uses a GMail account mostly just for the Play Store. My wife and I pay for Fastmail, some of other members of my immediate family have primary e-mail with a local free mail provider, but everyone found it easier to use an old (or make a new) Google account with their Android phones, instead of figuring out how to make it work with non-Google e-mail.)
This greatly confuses the Gmail and Outlook web UI but the accounts work.
> UID2 is a framework that enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem.
Can we get stochastic therapeutic benefit from watching them thrive as a tight knit community in cutting edge plexiglass dormitories, please?
UID2 came from TTD IIRC.
Back in the invite-only beta days, I signed up for a firstName.lastName@gmail.com address. It appears that years later someone else signed up using the same first and last name but without the dot, and that they are distinct gmail accounts.
https://support.google.com/mail/answer/7436150?hl=en
This account has become my junk address, because I can’t trust it.
Too much fun, telling his wife about his porn-viewing habits and other miscellaneous secrets.
I don't use email anymore, but I maintain this account just because it pisses him off... I think this high-up at some tech company (that shares my same name) secretly expects me to just hand over the account I signed up for fifteen years ago, now... not happening, Mr. S.
hn@foobar.com, github@foobar.com, twitter@foobar.com, homedepot@foobar.com, etc.
I currently use Protonmail and have been very happy with them, though I’ve been eyeing Hey!.
It’s so easy to add/filter/map/organize many domains/aliases per account.
And they allow arbitrary rules for processing incoming mail, so you can use characters other than the plus sign. And you can also take addresses that have been compromised by spammers and route them right to your spam trainer, so that spammers help improve your defenses.
Works great with Bitwarden's new username generation feature. I can create new accounts in a push of a button now.
# Account sorting set "domain_name" "acct.ninja"; if address :domain "To" "${domain_name}" { if address :localpart :matches "To" "+" { set :lower :upperfirst "addr" "${1}"; set :lower :upperfirst "subaddr" "${2}"; if not address :domain :contains "From" "${addr}" { fileinto :create "SPAM"; } else { fileinto :create "INBOX.Accounts.${addr}.${subaddr}"; } stop; } elsif address :localpart :matches "To" "*" { set :lower :upperfirst "addr" "${1}"; if not address :domain :contains "From" "${addr}" { fileinto :create "SPAM"; } else { fileinto :create "INBOX.Accounts.${addr}"; } stop; } }
Let's assume you willingly opt-in to tracking but for whatever reason want to be tracked under "h.a.n.solo+iab@example.com" and not "hansolo@example.com" (because maybe example.com doesn't strip out + and . characters, so the two addresses are actually separate users), them not allowing you to change it back to your real address (without their normalisation process) might be a breach of the right to rectification as they'd be holding inaccurate personal data about you.
Of course this is all completely philosophical as GDPR enforcement is not only severely lacking but is nowhere near technical enough to dig into such detail.
https://spreadprivacy.com/protect-your-inbox-with-duckduckgo...
Email and phone number matching is part of their core service offered by Oracle’s Bluekai, one the largest data-broker platforms in the world [2]. They have most large global companies using their platform.
> You can convert users' email addresses and phone numbers to SHA-256 hashed IDs called oHashes and send them to the platform. They will be synchronized with the network of user profiles that are linked together in the Oracle ID Graph, which is used to manage IDs and user attributes for all Oracle Data Cloud platform customers.
> This synchronization optimizes the targeting and communication of your users across desktop and mobile devices and media execution platforms. oHashes enable you to increase your offline to online match rates, connect your Responsys platform to the Oracle Data Cloud platform, and execute cross-device targeting.
…
> the [normalization / oHash] function enforces UTF-8 character encoding, lowercases all characters in the email address, verifies that it has the “@” symbol, and removes all special characters, punctuation, and spaces.
…
Both Google and FaceBook also expect clients to send phone + email (hashed) to build retargeting lists from customer data. They each have a different name for the feature [3]
[1]https://twitter.com/WolfieChristl/status/1288467207333318656...
[3] https://twitter.com/WolfieChristl/status/1288252803341783041...
[2]https://docs.oracle.com/en/cloud/saas/data-cloud/data-cloud-...
I'm fine with context-based adverts based on and next to the content I'm reading, and have actually found some good products & services that way. But the tracking is not ok in any form (and from what I've read, basically doesn't work and is also defrauding the advertisers), so anything to destroy that model would be a net benefit to society.
This is the best solution because it severely negatively affects the ecosystem.
Publishers make less, so they crank up the ad density for the remaining users. That increases user resentment and suppresses the per-ad cost, enabling much crappier ads to run on the website. That also increases user resentment and suppresses the per-ad cost, and the glorious cycle continues.
The advertiser is getting screwed, but the other parties will work really hard to explain it away to them. "You're getting great engagement with the creative -- you clearly just need to improve the landing page experience."
For me, my balance is that I'll run an ad blocker and whitelist sites that (a) create original content and (b) don't abuse me as a viewer.
I used to run a website that made money off of ads, and specifically ran an adblocker to avoid being banned by Google for mistakenly clicking on my own ads. Worked so well that I just left it on everywhere else.
I was thinking of something like the Blue Frog anti-spam system that automated complaints to get people taken off the system. I know they generated so much heat that they became retaliation & DDOS targets and shut down, but it seems something along the lines of automating complaints & defensive actions might have a role...
The specific user who responded with "we thought long about this update and ultimately as it stands today it is not a change we would like to add" uses their @users.noreply.github.com email for Git, but their employer and hometown are public on their profile, and a quick search gives you the mail address. While I live nearby, I don't intend on paying them a visit, plus it seems to be a shared office highrise, but I might just write them a strongly-worded letter.