I'm currently in much the same limbo: some geezer with an IP from the other side of the world logged into my fb account, changed password and phone number and likely did a bunch of unsavory stuff that broke the fb "community guidelines".
My account has now been "under review" since Saturday which means I can't log in, and my messenger, my fb profile and the associated businesses and groups that I manage have all disappeared from fb.
Having googled around my initial hopes that it will soon be resolved has flatlined: there seems to have been a surge of this lately and nobody that I have seen have had their access back (the reviewers have been fired?). I will likely loose my WhatsApp as well, judging by the reports.
Of course I realize that as an unpaying user of Meta products people might say "serves you right for being stupid". But I don't buy that. Fb is the de facto online directory of ordinary people (not counting much of the HN crowd as "ordinary" here).
It's totally unreasonable (understatement) that fb can effectively erase me and my online history and business without recourse because their systems leak and they don't have manpower who can do a human review of the facts in the case.
In the short term I'll be looking for other solutions, in the longer term I'll be supporting calls for making services like fb a public utility, with certain legal obligations (like not erasing online presences).
Since you're admitting that there's lots and lots of people on Facebook, from where do you expect it to get the manpower required to review (properly) all the many cases that might appear?
from where do you expect it to get the manpower required to review (properly) all the many cases that might appear?
Meta had $116,610,000,000 in revenue last year. It can find a way.
It's always so baffling to see people on HN rush to defend these massive companies, pretending that they're resource-strapped like two guys in a startup working out of a garage.
It's always so baffling to see people on HN not understanding that the sole purpose of a business is to make money, lots of money. Also why are you talking about revenue and not profit? Last, but not least, let's not forget the recent lay offs.
1. Yes, businesses exist to make money, but if they can't provide good enough service then they will soon be out of business.
2. Revenue is how much money company can spend on various things, they just need to prioritize which things are the most important for them. Facebook obviously do not prioritize customer support.
3. Recent layoffs mean then now have more free cash to hire support people :)
It's always so baffling to see people on HN not understanding that the sole purpose of business is to make money, lots of money.
It's always so baffling to see people on HN parrot this line as if it was fact or truth, when it's far from either.
Yes, there are lots of businesses that exist only to make money. But there are millions more businesses that exist for other reasons. And, no, I'm not talking about non-profits. Kelloggs, for example, was founded to improve the nutrition of people at a health retreat.
The whole moustache-twirling moneybag-hoarding billionaire thing used to be a cartoon, because it was so misaligned with the reality of society. But in the Silicon Valley bubble, this has been turned on its head and elevated into some desirable goal, as if the only way to judge a company's value is by dollar signs. It is not.
(It wasn't even Silicon Valley that started this flip. It goes back to the 80's, as parodied by the character Gordon Gekko in the film Wall Street.)
What business model, the one where people and businesses don't have to pay (with cash) in order to communicate with friends or customers or advertise (present) themselves? You can't expect premium support when you haven't paid anything.
The business model is fine¹ in that they can support their customers: the advertisers. Their users and their customers are very different populations.
--
[1] For now at least. It is failing a bit and likely to fall off worse over time, that is why they are scrabbling for the next big thing (pinning their hopes on VR until something less “meh” comes along)
Hm. Perhaps their priority is people who are _just_ advertisers, maybe those who use their products for anything else are such a risk that they get rid at the slightest whim even if they are both sorts of user.
I would create a Emergency Appeal Service, it will be paid. The giants should offer this, offer many ways to pay and refund you if it was their moderators or AI mistake but take your money if you were the issue. The company could recover the mistakes money lost form the team that caused the mistake, this could insentivise those teams to do a better job instead of playing with latest cool shit.
Facebook reported $23.1 billion net profit in 2022, my guess is that reviewing people who went to the trouble of uploading a photo of the national id as requested might cost them $100 grand, tops. Plus they wouldn't risk the badwill and loss of business that sites like the linked one surely will lead to.
They must not be allowed to monopolize speech and just shut people down at random. If they can't get enough money, then the governments of the impacted people should just press them until they are bankrupt.
I believe there should be a law that if a companies makes money from their users, be it by showing ads, selling data, subs or sales, they should offer mandatory human support. If they don’t, hardcore fines. It will kill ads and data sales (they are hampered by every increasing privacy demands), which suck anyway. If your business cannot survive by treating people like people, then you have no business in my view.
And meta (etc) make more than enough profit to not be this bad. It’s just that view ‘if I don’t pay, I deserve nothing’; that really should only be true if the company makes nothing from the service (aka a charity).
There is more than one sort of support. If the support is of the nature of "I need help using your service", there's nothing wrong with charging for it.
If, however, the support is of the "you've modified or cancelled my account" type, that should just be counted as part of the cost of doing business.
I've been locked out of Facebook for so long (due to 2FA issues), I'd just like to delete my account. But that's not possible if I can't log in.
I've always wondered how someone who is locked out of a service like Facebook is supposed to delete their content.
Let's say that I'm a resident of some location with better-than-average digital privacy rights. If I can't log in to Facebook, how can I get my stuff deleted?
How do people handle this in places like the EU (or maybe California)?
Good. If anyone can get access to all my info by merely sending a photo of my passport, I would be very disappointed. Anyone could forge that with minimal effort.
Reddit is worse. They will just flat out ignore you.
HN isn't much better. I've emailed them asking for my data to be removed, as is my right as an EU citizen and dang simply refused saying it wouldn't be fair to other users. As if that overrides the law.
> Right to delete: You can request that businesses delete personal information they collected from you and tell their service providers to do the same, subject to certain exceptions (such as if the business is legally required to keep the information).
Yes, this is how legal jurisdictions work. He can receive one request from someone in Mississippi, one from someone in California, and one from someone in the EU, and provide three completely different responses.
One of my clients willingly applies GDPR to everyone, regardless of jurisdiction. If you want your data, you can get it. If you want your stuff deleted, you can do so. I think this is the ethical approach.
It is also, from what I know, the legal approach. The EU perhaps doesn't have jurisdiction over a service, but what they can do is ask all the ISPs in Europe to block access to it, for example.
If I'm not mistaking if your site operates in the EU as in it's accessible from the EU, you have to comply with GDPR. It's the reason I can't read some American websites. The infamous:
> Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market.
From this point of view, can the entire freedom of speech in the US be solved if a company simply moves the headquarters to the EU because at that point US laws no longer apply?
> Being accessible from the EU doesn't make your business subject to EU law. The EU doesn't claim universal jurisdiction.
Collecting data related to EU individuals does make you subject to the specific GDPR law though, unless I'm mistaken.
I believe he does have a cop-out if HN isn't selling to or marketed towards the EU, but I thank you for sharing your experience because I'm looking to shut my account in the near future.
>I believe he does have a cop-out if HN isn't selling to or marketed towards the EU
Nope, GDPR attaches regardless of whether you market in the EU/to EU residents, as long as you provide goods or services to people in the EU you're beholden to their rules.
Theoretically, a company that only offers services to US residents (mortgage/banking/legal) could still be beholden to GDPR, since their cardholders might access their website (i.e. be provided services) while in Europe, though as far as I know it's never been tested in court.
The EU has full jurisdiction within the EU, and zero without. The EU has no ability to demand action or inaction from an entity in the United States. They can ask all they want but it's just that - a request.
Respectfully, this is also not correct.
"The EU has full jurisdiction within the EU, and zero without" like in software there are always corner cases, as with e.g. Norway or Liechtenstein. Also on some more specific stuff via bilateral agreements. Has nothing to do with this case, but still your statement is false
Is it though? Isn't the enforcement authority in Norway still the Norwegian government and not the EU? Can't Norway vote to rescind that bilateral agreement?
EU/US laws aside, do you think, from a human perspective, to be unreasonable for me, as a human beign, to have the power to ask for my data to be deleted?
> HN isn't much better. I've emailed them asking for my data to be removed, as is my right as an EU citizen and dang simply refused saying it wouldn't be fair to other users. As if that overrides the law.
Please read this in good faith: If you want your data gone, why do you keep sending more (posting)? Is it about retention time?
I think dang might be covered under legitimate interest (unlike pretty much everyone who tries to claim the "legitimate interest" basis). Personal data, yeah, your interests probably override it – but blanket deletion of your posts, probably not.
If I were dang, I would disable your account so you can no longer log in and post. But the moment you’ve made an intentional public post on a public forum hosted in a foreign country, from my perspective you have lost any and all moral right to demand anything whatsoever in regards to your previous posts, no matter the absurd overreaching of your domestic regulators.
Yes, I’m pointing out that you are acting in bad faith and your continued presence on this site shouldn’t be tolerated given your repeated outbursts against the admins. Your perspective on my viewpoint is irrelevant.
Nah. Had the same thing happen to me. I once asked dang to delete my account, and he stated much the same to me. In his defence, he was polite, and offered to rename my account to a random name, dissociating me from it. He also
On the other hand, I agree with GP. It's surprising that you cannot delete an account. That HN stay "readable" without the [deleted] is clearly secondary to the possibility of having an account be deleteable. Imagine if I were part of an at-risk group.
I think the part that bothers me most is that you seem to have firmly decided the EU regulators aren't real human beings trying to solve a legitimate problem in a way you disagree with. That'd be too respectful and humanizing. They're pure evil?
If it is PII then EU laws like GDPR apply, but if it is posts more generally then they are not covered, and it would be unfair to people who have responded to them and those reading those responses later (sans context, if your post were removed). The right to be forgotten covers information about you, not information by you (with an edge-case that if somehow your words in a post unambiguously identify you, that post falls into the first category as well as the second so is covered).
I've got locked out of my instagram. Out of the blue after years & years, their algo detected "suspicious" activity. Not sure what, but they sent a recovery email, which I couldn't get to because I used some old gmail account to register long ago and lost access to that gmail account. And there is no way to recover without it, even though they have my telephone number, a facebook account is linked to it. And so, after a while I gave up and created a new instagram (and lost a bunch of followers), but the old one is still there, I have no way of taking it down.
> It's totally unreasonable (understatement) that fb can effectively erase me and my online history and business without recourse because their systems leak and they don't have manpower who can do a human review of the facts in the case.
What prevents you from recreating a new account? When I left facebook I did a backup of it. Why aren't you making regular backups if your business depend on it?
> In the short term I'll be looking for other solutions, in the loger term I'll be supporting calls for making services like fb a public utility, with certain legal obligations (like not erasing online presences).
Public utility? Really?
If anything it is contamination and pollution that prevent decent options of having room to be the public utility of choice.
Can we call a victim someone who decide to agree to stupid rules (Term of services)? Like we say, play stupid games, win stupid prizes. If my business rely on a service, I need a name for an account manager that can hear my complaints and activate whatever workflow to fix my problems.
When the power dynamic is one where one party is a multibillion corporation with tens of thousands of employees and the other is an individual, I would almost in every case call the individual the victim.
Simply put every business will behave in this manner eventually if not subjugated by monetary penalty of state regulation.
That or you can scurry around every year to a new provider as the company you're doing business with is bought up by monopoly movers in the market leaving an ever decreasing pool of choices.
Read the article. You get banned again if you make a new account. They likely have some complex digital fingerprinting that lets them re-id you. Maybe if you used entirely new hardware etc you might be able to pull it off, but the average user is just hosed if this happens to then.
I used a different phone number, a different email address, profile picture where you can't see my face, and used my middle name instead of my first name. It's likely that they use some combination of IP's that I logged in from, common friends, maybe cookies on one of my devices that I didn't think to clear first.
If you live in the EU or the UK, this might also be a personal data breach that Facebook must report to the relevant national data protection authority, because it gave your private data to an unauthorised third party (if the release of that data could risk your rights or freedoms). Failure to notify so can result in fines of up to 2% of global turnover. You may need to contact your national data protection authority directly if Facebook has not notified them.
> The most likely scenario is that my email password was compromised and there’s a backdoor to disable 2FA after doing a password reset request which is a huge security flaw that shouldn’t exist.
So you don't know if your gmail account was hacked or accessed? I would be worry about that.
Not gmail, I run my emails through a personal server. I can't find any evidence that it was compromised and I, stupidly, didn't check access logs before they cycled out. I just can't think of any other way that they were able to do the password reset without access to my email. Obviously I immediately changed my password.
The update near the bottom around problems with other sites that the author used Facebook sign-in for, is why I almost always avoid those SSO style logins.
SSO is handy for security until your SSO provider breaks or (as in this case) bans you. Given that most consumers have very limited recourse to fix issues with their account, I'd say that for most consumers they're possibly more of a risk than a benefit.
SSO is handy for security until your SSO provider breaks or (as in this case) bans you.
Imagine if one day Mr. Musk decided to kick everyone off of Twitter who didn't align with his politics or philosophy. Think of the millions of accounts that people suddenly got locked out of because they used "Sign in with Twitter."
These situations used to be so theoretical that they were dismissed as hyperbole. But it's a lot less outlandish a thought these days.
My rule for using SSO is that it's ok for apps and accounts you don't really care about but not ok for anything you rely on. Like for example I have a weather.com account through Apple Private Relay. If apple were to ban me and I lost access to my weather.com account, I wouldn't loose any sleep.
I doubt Meta cares. I manage social media pages for small / medium sized businesses for a living. They regularly break stuff that businesses rely on, even stuff related to advertising, and they don't care. Most recently, it was the rollout to "new pages experience" and meta business suite. It was slow, buggy, and broken. And they one day they forced it on practically everyone.
It's a pain to get something done in case anything decided by "the system" happens...
I've been unable to add my main email address in Facebook because "The account that owns the email address you entered has been disabled.". If I check my emails history, apparently someone named "Kyle" (not me) tried to create/activate an account in 2016 and now I'm prevented to use it... Forever?
> In other news, I’ve discovered a new level of this hell. Because I used Facebook as a login service for my account with the DMV I am now unable to pay my vehicle taxes nor renew my registration/tags online.
It's ironic that Jeff Atwood phrased OpenID/third party logins as an internet driver's license. 10 years later, we've learned the pitfalls of such a system, namely that your login is at the mercy of organizations without customer support, and they can turn you off for no personally attributable reason.
It’s not as bad if you control the domain as you could always setup a new provider. Note that I didn’t say “own” as the risk of the domain being seized will always be present.
All in all, it’s no different than delegating to your email provider to prove your identity via a password reset / login link.
Hum... Or maybe we should have the government arrange the logins for public services, since it's already in charge of tracking your identity and already has the procedures for it.
But well, that may be too radical an idea to be executed. I'm sure privatizing logins is the way to go.
> Work on developing BankID as a joint infrastructure started in 2000, and the first customers got BankID in 2004. In 2014, BankID Norway AS was established. In 2018 BankID merged with Vipps and BankAxept in order to improve product offering and prepare for competition against global tech firms.
I have both MinID and BankID and I can use either of them for things like taxes and such.
Statens Vegvesen, who are in charge of driver licenses and more, allow us to sign in with BankID and a couple of other methods, but not with MinID from what I can tell.
Norge.no, which is a guide developed by the Norwegian Digitalisation Agency, has the following to say about MinID and BankID:
> Electronic IDs are available at different security levels, and thus give access to slightly different types of services.
> MinID is at a medium-high security level ("Significant"), and can be used for many public services, but not for health services at helsenorge.no, for example.
> BankID, Buypass and Commfides, which can also be used for public services, are at the highest security level (“High”) and give access to all public services.
But those aren't by the government, or at BankID isn't. It's a proprietary application from a private company, owned by the banks, which only works on certain operating systems.
Estonia though has an electronic ID which uses X.509 certificates.
> those aren't by the government, or at BankID isn't
MinID is by the government. BankID is private.
> It's a proprietary application from a private company, owned by the banks, which only works on certain operating systems
If you want to use the BankID app to generate codes then you will need iOS or Android. But you don't need the BankID app to use BankID.
Instead of using the BankID app, you can use a physical dongle to generate codes.
The device that you sign in with needs nothing other than Internet and a modern web browser. You can sign in with BankID on Linux or whichever other platform you desire. This device does not need to run any proprietary code aside from maybe some JavaScript executed by the browser.
Very many years ago the device needed Java to sign in with BankID, but that has not been the case for many years.
That exists, but it's a PITA typing codes back and forth, and more importantly no place I've tried accepts it as a login method, other than the bank's own website (and it locks you out from some options when logging in like that). Some might work with the BankID application installed on PC (which also only works on some operating systems), and other places specifically requires mobile BankID.
So yes, you do need to use the BankID app, not just in case you "want" to use BankID, but in order to be able to log into some sites period.
You can set up OpenID on your domain and then delegate authentication elsewhere or run your own authenticator. Basically similar to having email on your domain. Also Jeff mentions that this is about sites which don't have an impact on you. So you will use it for some forum but not banks nor anything your real life depends on.
OpenID actually solved this problem by letting you use your own domain. Much like email it was possible to have this delegate to a 3rd party provider while retaining full control to seamlessly switch providors. Unfortunately OpenID never saw widespread adoption, and the OAuth based ID we're left with doesn't allow this.
But yes, in 2023 you probably shouldn't use 3rd party authentication. You're much better off combining email/password login with a password manager, which effectively allows you push authentication on a 3rd party while retaining full control.
...until someone breaks into LastPass and steals all vaults and you have to hope that your vault used the newer iteration settings. And those are just the cases we hear about because the attackers were careless. Cloud based password managers are simply an unimaginably attractive target for all kinds of threat actors, from individuals to groups all the way to nation states. I'd not be surprised if all the major ones already have backdoors installed - either on purpose with a gag order or even without the company's knowledge. Ironically, a simple text file on a well encrypted USB is probably one of the more secure ways to do this nowadays.
I use KeePass, but keep the file in cloud storage because I need to log in from multiple places and it's a tradeoff I'm willing to make. I don't want to excuse bad security practices, but in the end I've decided I'm safer with good passwords + cloud storage than I am with possibly bad passwords because I need to retype them all the time.
I feel like this is part of the reason we need real data protection laws in the US. There doesn't seem to be any downside for a company with lax security practices.
Same. keepass with the db on a cloud drive. keepass clients on both laptop and phone access the same cloud copy, and also each keep a local copy.
I intentionally don't let the clients integrate with the browser. I let the browser itself cache the unimportant stuff for convenience, and anything important I always paste from the password manager and have to get a code from the totp app also anyway.
I don't think anyone should use a fully 3rd party full featured password manager like lastpass or onepass.
I would say it is NOT better that they use that vs nothing. 'anything is better than nothing' is not true here. Some things are better than nothing, and some are not.
KeePassXC supports TOTPs out of the box and its browser integrations fill TOTP fields just like they do with password fields. I love that the browser integrations check logins by domain, and shows a popup when it finds one. Manually copying and pasting logins is susceptible to phished domains, even the lookalikes with visually similar/identical Unicode characters.
Don't let perfect be the enemy of the good. Many people won't use a password manager at all if it has no cross-device syncing, and that almost always means a cloud implementation. Sure, it's less secure than a pure local-only password manager, but it's way more secure than not using a password manager at all.
Bitwarden (and the Rust clone Vaultwarden) are both 100% open source and self-hostable. Vaultwarden runs great on an old raspberry pi or any low power SBC. All of the convenience of Bitwarden clients/extensions/integrations but the same tiny attack surface (encrypted db on one local machine) as keepassXC or a text file.
If you know what you're doing, that is definitely an option. But self-hosting is not something I would recommend to the general public. I wouldn't even recommend it to the average person in IT to be honest. If the people at LastPass already manage to screw up the configuration so many times (and they really ought to know better than 99.99% of the population by now), then you can guess how safe it would be íf the average Joe sets something like that up.
> ... by letting you use your own domain. Much like email ...
It's getting harder and harder to send email from your domain without being send to spam, bouncing, or the server just discarding your email without notice.
Sending it from your own domain isn’t hard, it’s self-hosting that domain which is hard. If you pay Microsoft or Google using your own domain works well.
I use smtp2go for sending, it's easy to setup your domain with them, and they are free for low volume (1000 emails/month) senders. Emails never get rejected, guess they know their game.
One of my litmus tests for whether a technical team knows what the hell they're doing is what happens when you sign up for a service with one 3rd party auth (e.g. Facebook) then try to sign in with another one, e.g. Google, with the same email. Top tier is having the accounts seamlessly merged, ideally with a notification along those lines. My favorite was getting an error because I was using a different service, but not telling me what that service was, and it somehow broke the login such that I had to restart the browser to be able to sign in.
The Epic Games launcher has a bizarre behaviour here. If you first sign in with your Xbox account, you can later sign in with the credentials of your Xbox account (email and password), as a 'native' account. I'm not sure what's shared, but that process made me uncomfortable.
My hope is it's a password hash or they forward the sign in request to MS servers, but who knows.
> Top tier is having the accounts seamlessly merged
Uhm, not without requiring you to log in with the other auth as well - otherwise your account security is as weak as the weakest supported auth instead of the just weakest auth you added.
Disagree, I don't think accounts should be automatically merged under any circumstances. It's definitely not expected behavior for me as a user and as mentioned in a sibling comment, it would negatively affect security.
If the service notices that an account with the same email already exists, you may ask me to login with the original provider again to link the accounts, and indeed, this would probably be my favorite solution. Second best would be to just create a second account without complaining.
Playing fast and loose with authentication processes in the way you're describing is a guaranteed way to lose me as a customer if your service handles any valuable personal/confidential information.
What if tomorrow a vulnerability is discovered where, say, Facebook provides the new unverified email address rather than the previous verified address during the OAuth login flow? It would immediately result in an arbitrary account takeover on your website. There are so many possible edge cases with this setup and the surface area increases with each new auth provider.
The rep is so awful, when I got my drivers license, my mom drove me out to a town about 45 minutes away, just because it was quieter, but also I probably waited less despite driving out farther, but also the driving test was less stressful than being in a more populated area, it was insanely calm.
Because I travel for work a lot my time actually at my place of business is important and valuable. Taking time off during a day that I'm there is something I avoid, but in this case I had to and you are right. In went in the middle of the afternoon and there was minimal line. I even got done some other items that I'd been putting off for literal years because I don't ever take time off work.
Ironic, because the solution that no one wants to hear is an actual internet driver's license, i.e. government-run openid. There's no final recourse more final than going to a place and talking to a person, and no other organization is going to build and staff enough brick-and-mortar offices.
One way of thinking about public vs private is, private companies are for cases where we care about efficiency more than fairness and government is for the opposite. Auth seems to have gotten to the "rural electrification" stage, where handling the corner cases fairly is more important than efficiency or innovation.
It's one of the things, that I would like government to regulate in some way. Sometime, loosing account looks like destroying someone's job or business by some random corporation without even explain or ability to dispute.
The author claims that he was permanently banned from all Meta products (including Facebook, Messenger, Instagram, and WhatsApp) due to a security flaw in Facebook's password recovery system.
Despite having two-factor authentication turned on, the author believes that his email password was compromised and there is a backdoor to disable 2FA after a password reset request.
The author has tried to resolve the issue and appeal the decision with no success and has lost his personal and business accounts. The author suggests having a backup admin for your Facebook page, and he has found other instances of similar bans happening to other people.
The text ends with an update, where someone from Meta reached out to the author on Reddit to help resolve the issue.
Also worth pointing out that Facebook's own communication doesn't mention any such thing, and claims simply to have banned the account for content reasons.
Which, given that the report here is anonymous, seems at least not implausible. There's a real name in one of the screenshots, but a quick search doesn't find any other content associated with it.
Folks need to recognize that this kind of content, presented without verification, tends strongly to be one-sided and at least partly misleading.
Banned for content reasons.... because somebody accessed my account and posted who-knows-what on it. Did you not see the screenshot showing a login attempt from Vietnam?
What other content would you like to find with my name on it? My website, jcforbes.com (which currently has nothing on it)? You could search my name with the NC department of commerce and find my business name easily.
I presented all evidence in form of screenshots... exactly what do you think I'm hiding?
Something similar is happening to my account.
One week ago, I was asked to reset my password which I did.
Two days later my account was suspended for the first time. I was asked to upload a face picture and my account was unblocked.
Yesterday my account was suspended again for the same reason and was unblocked today.
I use a password manager and 2FA so I doubt someone managed to access my account.
Looks like you are in us. Drag them into small court by claiming $9999 in damages. They will have to send a human or pay. I guess if they just pay, you can do it per product.
They would likely immediately file to dismiss based on the TOS. It would be an uphill battle to convince a judge that you shouldn’t go through arbitration first.
How would someone convince the court that you never agreed to the TOS?
For example, I created my account before there was a TOS, and FB used easily-bypassable ways to get users to agree to a TOS, and eventually they stopped asking me, leading me to believe they think I agreed. Without my wet signature on anything, how can they prove I agreed to something when they can just flip a bit and claim their records show I did?
I guess the user would get a notice that FB/Meta filed something and that they could respond saying that's not true?
Right. Keep in mind this is civil court so the standards of “proof” aren’t the same as criminal court. The judge only has to believe you more than them. It will be an uphill battle though because the judge probably doesn’t want to hear the case. They’re going to want you to try arbitration first.
The argument that you provably never read the EULA is apparently no form of legal defense, which I personally feel shits upon the letter and the spirit of the law, but that's an unfortunate consequence of living in a society where business is the pinnacle of everything.
Now I live in Europe and that sort of shit absolutely doesn't fly here - EULAs are not enforceable.
Something similar happened to my mom's account in 2019: someone created a new account trying to impersonate her, then somehow trigger either password recovery or some sort of report that ends up locking her out. And despite having 2FA AND submitted her passport as photo ID a couple of years prior, we ended up losing access to that account, along with 10 years of photos. At that time, our attempt at recovery went into limbo when support asked us to upload new photo + passport , which we did, and then nothing happened. The account was then suspened or something about 90 days later.
Since that account should still have alot of photos for us, I'd really appreciate if someone from meta can help us recover it. I wrote on HN asking for help back then: https://news.ycombinator.com/item?id=21234651 .
If you take one lesson away from this, it should be "you don't own it, or exercise even trivial control over it, unless it's sitting in your garage, on bare metal, in a state with permissive gun laws."
I also got locked out because of „suspicious activity” (browsing fb through mobile browser on ios).
Twice.
The first time around I got unbanned after several days, sending them my selfie etc.
The second time is now. They require phone number to send me a code, so I can „ask them to reconsider”.
But I don’t receive the code. After several tries the page says „too many requests, wait 24h”.
I obviously have 2FA using authenticator. Got no other email than „you got 30 days to take action”.
The only reason I’m even trying is messenger and a few sad groups that are funny from time to time. Meh.
> So there it is, a complete trifecta of business resources destroyed. Messenger chat history is gone, friends and contacts that I don’t even have phone numbers for are gone, and don’t even have a way to know that I’m alive until I hopefully run into them at work functions this year.
I would expect governments to step in when a flaw like this is detected. It could ruin thousands of lives.
It's not "could". It has ruined thousands of lives. How many depressed people out there have had their last little connection with humanity severed because of a dumb algorithm? How many small businesses have died because a random business account was shut down overnight with no recourse? I'm convinced that there's been at least some suicides over the problems caused to peoples' lives from the deliberate decision to not provide human customer service in some fashion from these Silicon Valley giants.
The really infuriating part is that this isn't even a selfish decision about money, which would be evil, but at least understandable on some level. Customer service can be revenue neutral or even a profit center if these companies were willing to charge a fee for actual good, human support to resolve the most important issues.
My take on this and other stories like this is that you really should never ever use a company like Facebook as a vital component of your business. There have been so many stories about this, just browse Reddit forums and other sources for experiences with Facebook's Kafkaesque advertising manager, for example. It can work for years and suddenly your account is cancelled. It's fine to use such companies and their services as one leg of a business with many legs, but never rely on them solely.
This is just a matter of common sense. The same applies to Amazon, Youtube, etc. Even if they're fine now they can and will unilaterally change their conditions and employ algorithms with false positives. Your business can become the victim of algorithmic discrimination and plain old bugs anytime.
Facebook is my e-commerce business' main avenue of customer acquisition. It wouldn't make any sense to avoid using something that is clearly a profoundly valuable asset because something could go wrong at some point. Even if they shut off my access tomorrow, I've still gained the thousands of customers who I acquired - they've already generated a profit for me, and I can keep reaching out to them via marketing emails to make more sales.
Same thing with Amazon - it's been one of the easiest ways to sell. I listed my stuff, spent a little on ads, and things have just been slowly and steadily up and to the right since then. Even if they kicked me off tomorrow, I've still made good money in a very time-efficient manner.
It's one thing to say you should get Fastmail instead of Gmail, but to just say you should avoid using services that are valuable for your business because you might lose access later is cutting off your nose to spite your face.
I think there is a slight nuance to what they wrote. They said, "you really should never ever use a company like Facebook as a vital component of your business." It sounds like FB and Amazon, while immensely valuable for you, are not 'vital'.
Yes. These companies will die without Google and Facebook ads. Not immediately mind you, but after 6-12 months of near-zero new customer acquisition they will be out of business.
> you really should never ever use a company like Facebook as a vital component of your business.
Like Facebook - by which you mean Facebook, Google and Twitter, I suppose?
So what are you supposed to do, exactly? Hand out fliers door to door? Create your own social network?
These large corporations have inserted themselves into every single part of our lives as a gatekeeper. They believe that they have no responsibility to actually treat their clients with fairness, and they have made sure of that by having no way to actually reach anyone who can change anything. And yet for a small business, they have no choice.
The system was designed entirely by these big companies to make sure that these big companies could do exactly as they pleased, giving us no recourse except legal action.
What you are doing is called blaming the victim and it isn't very nice. Morally, ethically, _and legally_, this system is wrong. Facebook is the villain here, not this man who used Facebook in exactly the way they advertise to us to do so.
I'm not blaming anyone, I'm advising people not to introduce single points of failure into their business. You need to either ensure that any dependencies can be replaced easily (which is hard) or diversify these dependencies in a way that failure of one of them is not catastrophic. For example, if you rely on advertising you need to diversify to Facebook, Google, Bing, Amazon, and other online advertisers instead of relying on only one of them. As I've said, it's common sense, so my apologies for stating the obvious.
It's common sense and obvious, yet whenever it gets mentioned, the messenger gets dunked on for victim blaming or whatever. Nobody's saying "don't use Facebook for your business". Rather, it's "Don't utterly rely on Facebook for your business to function (or on any other free service where you don't have a formal business arrangement with)." Somehow, this is a controversial opinion on HN.
Advertising only works if you advertise where the potential clients are. In my industry that means Instagram. I also do use Google ads and youtube, but the return there is a drop in the bucket compared to instagram, literally a rounding error.
> Thats it, done, finito, gone. I searched high and wide for further contact methods. For a way to talk to a human. There is none. At all.
I've experienced this as well. Facebook seem to have gone through some lengths to insulate themselves from interactions with the public. They're now too big to trust with anything important to you. You'll get no support if you get in trouble.
Some months after a family member passed away, his Facebook account was hacked and the thief started posting stuff. It's been almost a year that I've been trying to close that account, or at least memorialize it. I've provided everything requested by their circuitous knowledge base to prove that the person has indeed died and even personal documents proving that we're related. For reasons known only to them, the help desk decided that something is missing. They wouldn't say what and just became totally unresponsive. There's no way to talk to anyone.
Not for a minute defending Faceache; but to rely so heavily on one company (FB, Insta, WA) for services that are business-critical, but that you're not paying for, strikes me as reckless.
I don't mean to blame the victim; it's clearly not his fault. But placing so much reliance on a provider of free services that lacks a proper support channel, isn't a great plan. I also note that the author relies on gmail - which has very similar problems.
True but this take is a bit naive. I used to live in Brazil, where Whatsapp is the defacto communication method, for example. You might stand on principle all you want, but if you don't have that as a primary communication channel for a service/end-user oriented business -- even if you have all the alternatives imaginable!!! -- you are going to have a RIDICOUSLY hard time. Just on my personal life with folks there, if I were to just not participate in Whatsapp it is not an understatement that the social fabric of my life would significantly change. For the worse.
Facebook, Google, etc advertise their services to all of us, aggressively. They set up a system where they have crowded out most of the other ways to get the attention of potential customers, so businesses who choose not to use them are giving up most of their reach. They then set up these complex, automated systems that decide to destroy people's accounts; they have no support personnel and no one to ask; they refuse to follow even their own rules in these matters.
And yet the first person you blame is... the victim.
Blaming the victim is in fact defending Facebook.
> I also note that the author relies on gmail - which has very similar problems.
And your solution is... what?
For two decades, I ran my own mail server, just for this reason. I finally gave up this year, because Google finally made it impossible for me to deliver email to them no matter what I did.
Well, like you, I ran a personal mailserver for nearly 20 years. Initially I had trouble delivering to gmail and Hotmail; those problems resolved themselves after a few years. My ISP now hosts my mail, using the same infrastructure that I used to use: Postfix, SpamAssassin, Dovecot, Sieve. I use my own domain.
Obviously email isn't the same as social media. I never liked the social media landscape; I've always seen the internet as fundamentally distributed, and I always regarded MySpace/Facebook et al as a trap. I have an old Google account, but I never use it. Otherwise the only social media account I've ever had is HN.
I'm not in business, I'm not selling anything. Also I'm rather reclusive; I don't need a large circle of friends, about three has mostly been enough for me. So I'm not like everybody else, and I can see that for some people, there isn't much alternative to the giants.
I'm against designating them "critical infrastructure". That would simply deepen the moat. If they really are critical infrastructure, then they should be provided by the government. What they do that's useful isn't hard; what's hard is the part that isn't useful - advertising, and constant user-engagement.
I think something like Mastodon probably has the potential to defeat the giants. It's truly distributed, and not under central control. Mastodon seems to be designed as an alt-Twitter, based on short messages. That doesn't suit me, but I expect something like a long-form Mastodon will rock up sooner or later.
Regarding victim-blaming: this is like making a deal with gangsters. I have every sympathy with the victims; but if you place your business in the care of a giant, with no proper support channel, that don't take money off you for the service, then your only recourse is to ask for your money back (i.e. zero). You can't even sue for breach of contract. That's an extremely squishy foundation to build a business on.
Facebook has lasted rather well; Twitter seems to be going down the tubes. MySpace died a long time ago. But Facebook will fade away - they all fade away. What lasts isn't websites and services; it's protocols.
What exactly would you propose that I do? I have contacts in Europe who use WhatsApp and they provide that as their contact method. Am I to tell them "nah, I need you to sign up for an account on Signal". My Instagram was for promoting the business - should I have taken a Google AdSense ad out telling the world to switch to Imgur?
> In other news, I’ve discovered a new level of this hell. Because I used Facebook as a login service for my account with the DMV I am now unable to pay my vehicle taxes nor renew my registration/tags online. Obviously I can do this in person, but who wants to GO to the DMV? Not I, that’s for sure.
How does a government agency even allow something like "sign in with Facebook"? Sure it's convenient but this case shows why this is stupid. Also, isn't this a privacy issue? I'm not an american but it baffles me that something like this is possible.
I feel that all of these "locked out" reports - whether they are from Google or Facebook or something else, suffer from the same problem:
The problem is not, that a false positive happens, or the user does get locked out by an algorithm, etc. - that sort of thing is impossible to avoid entirely. You have to stop bad actors, and you'll never be 100% accurate with that.
Imho the big problem is, that people who get locked out wrongly, have no recourse. There's no support, neither free nor paid, no avenue, absolutely nothing they can do, to get help. THAT's the problem.
People have to resort to trying to go viral, because only then their problem will get fixed.
As a company, that's probably not what you want. To see your false positives cause waves all over the internet... You'd probably want to see those problems be solved silently. But that would require that you offer an avenue for the user to get their problem solved quietly - doesn't it?
I guess the problem is: If the company offers recourse for good actors, then bad actors would make use of it, too. So, to stop bad actors from using recourse, the company would need to be able to differentiate between bad actors and good actors. And if they could do that, they wouldn't have the problem in the first place.
First of all, I don't think bad actors are as willing to invest time/work into this as good actors - for them it's not worth the effort in most cases.
In this specific case, if keeping the account for a longer time had been the goal, the bad actor wouldn't have gotten the account suspended immediately by violating the Terms of Use, nor would they have used a Vietnam IP to do so.
Secondly - whenever such a thing does go viral, and Facebook comes under pressure - they all of sudden become very able to tell:
- that the person who has been using the account for years without incident, with an US IP address, who can provide 2FA codes, controls the original sign-up email, can produce credit card statements for payments the account made, sent in a copy of their drivers license, is probably the good actor
- that the person who (within just a few hours) reset the password, changed the email, disabled 2FA, and caused the suspension - all from a Vietnam IP - is probably the bad actor.
Facebook doesn't have that problem because they are unable to differentiate between bad actors and good actors... Facebook has that problem because they don't want to differentiate good and bad actors - because that costs man-hours and thus money.
The support teams dealing with that stuff are probably under-staffed, under-paid, lack the tools/knowledge for deeper investigation, and are being pressured to close as many tickets as fast as possible.
The poor state of identity management should give us all pause.
The condition for trust is a username/password pair.
I think that's not enough - and also too much!
Instead we should make a software application that lets each client generate a public/private keypair that never leaves the device.
Well, the public key part leaves.
No usernames, no signup, just encrypted messages sent from a public key to a public key, as God intended.
Unfortunately this tech requires special HW. It would be nice if I could just upload a key pair into a browser, name it, lock it with some password, and easily manage which key pair authorizes what accounts, create subkeys locally for access to specific limited list of accounts while traveling, etc. It would be a massive improvement over status quo and would pretty much end credential stuffing for once, but no. You have to buy expensive shit that gets lost easily or broken, that you can't backup online and recover in an instant you need it.
I just refuse to be forced into someone's idiotic security requirements that completely forego any other considerations user may have, other than this stupidly absolute focus on security.
Every time I imagine this glorious new world of webauthn replacing everything... it's just not appealing. I lose the HW key, so I need to buy a new one. I can do it online, except I can't because I need the lost HW key to confirm the card payment or login to my bank account and initiate a transfer. I have to go buy it to some physical shop or pay on delivery. Most don't carry it. Now this happens on a vacation, where it's generally easier to lose things, and gerneally impossible to buy things like HW security keys.
It would be possible to have a SW based solution, by emulating the USB FIDO interface, or whatever, but I really don't want to get locked into a solution where there's a constant threat that some services will just start requiring HW key attestation.
So, no. Security is important to me, but so is reasonably doable disaster recovery not requiring anything more than an internet connected computer and things I can remember.
Yet another reason to not use services that require to use one account for many completely unrelated things. You say something wrong on FB and now you can't log into a completely unrelated service.
This is why I will never use gmail. Yeah - my current email provider might scan my mailbox, but it will not ban me for saying something wrong on youtube or twitter.
And I never post anything on facebook to not lose access to my VR headset.
I was also banned by Facebook, but more so locked out by a shitty 2FA setup. I ported my old iPhone over to a new one, forgot the 2FA doesn’t come with google Authenticator, and even with the recovery codes in-hand, Facebook had no option to recover account.
I gave up on it for two years - finally, I reached out to a friend of mine who literally just started working there (I’m 19, he’s 21), and he raised an internal support ticket which generated temporary 2FA codes for me in 6 hours, and I was back in my account. Actually shocking how much nepotism can help you solve these problems.
206 comments
[ 2.5 ms ] story [ 246 ms ] threadMy account has now been "under review" since Saturday which means I can't log in, and my messenger, my fb profile and the associated businesses and groups that I manage have all disappeared from fb.
Having googled around my initial hopes that it will soon be resolved has flatlined: there seems to have been a surge of this lately and nobody that I have seen have had their access back (the reviewers have been fired?). I will likely loose my WhatsApp as well, judging by the reports.
Of course I realize that as an unpaying user of Meta products people might say "serves you right for being stupid". But I don't buy that. Fb is the de facto online directory of ordinary people (not counting much of the HN crowd as "ordinary" here).
It's totally unreasonable (understatement) that fb can effectively erase me and my online history and business without recourse because their systems leak and they don't have manpower who can do a human review of the facts in the case.
In the short term I'll be looking for other solutions, in the longer term I'll be supporting calls for making services like fb a public utility, with certain legal obligations (like not erasing online presences).
Meta had $116,610,000,000 in revenue last year. It can find a way.
It's always so baffling to see people on HN rush to defend these massive companies, pretending that they're resource-strapped like two guys in a startup working out of a garage.
2. Revenue is how much money company can spend on various things, they just need to prioritize which things are the most important for them. Facebook obviously do not prioritize customer support.
3. Recent layoffs mean then now have more free cash to hire support people :)
It's always so baffling to see people on HN parrot this line as if it was fact or truth, when it's far from either.
Yes, there are lots of businesses that exist only to make money. But there are millions more businesses that exist for other reasons. And, no, I'm not talking about non-profits. Kelloggs, for example, was founded to improve the nutrition of people at a health retreat.
The whole moustache-twirling moneybag-hoarding billionaire thing used to be a cartoon, because it was so misaligned with the reality of society. But in the Silicon Valley bubble, this has been turned on its head and elevated into some desirable goal, as if the only way to judge a company's value is by dollar signs. It is not.
(It wasn't even Silicon Valley that started this flip. It goes back to the 80's, as parodied by the character Gordon Gekko in the film Wall Street.)
--
[1] For now at least. It is failing a bit and likely to fall off worse over time, that is why they are scrabbling for the next big thing (pinning their hopes on VR until something less “meh” comes along)
Meta has announced a 40 Billion dollar stock buyback.
It's not like Meta is unprofitable or a starving scrappy small startup.
What is the issue?
It's their problem to solve.
And meta (etc) make more than enough profit to not be this bad. It’s just that view ‘if I don’t pay, I deserve nothing’; that really should only be true if the company makes nothing from the service (aka a charity).
"All of our agents are currently busy. Please hold and we will answer your call as soon as possible."
If, however, the support is of the "you've modified or cancelled my account" type, that should just be counted as part of the cost of doing business.
I've always wondered how someone who is locked out of a service like Facebook is supposed to delete their content.
Let's say that I'm a resident of some location with better-than-average digital privacy rights. If I can't log in to Facebook, how can I get my stuff deleted?
How do people handle this in places like the EU (or maybe California)?
Written requests to their privacy officer. datarequests@support.facebook.com
It can be a bit of a pain; https://ruben.verborgh.org/facebook/emails/2019-02-15-dpo/
HN isn't much better. I've emailed them asking for my data to be removed, as is my right as an EU citizen and dang simply refused saying it wouldn't be fair to other users. As if that overrides the law.
https://oag.ca.gov/privacy/ccpa
> Right to delete: You can request that businesses delete personal information they collected from you and tell their service providers to do the same, subject to certain exceptions (such as if the business is legally required to keep the information).
One of my clients willingly applies GDPR to everyone, regardless of jurisdiction. If you want your data, you can get it. If you want your stuff deleted, you can do so. I think this is the ethical approach.
> Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market.
Those US newspaper sites you can't access: well, you can access them via archive.org.
> Being accessible from the EU doesn't make your business subject to EU law. The EU doesn't claim universal jurisdiction.
Collecting data related to EU individuals does make you subject to the specific GDPR law though, unless I'm mistaken.
Nope, GDPR attaches regardless of whether you market in the EU/to EU residents, as long as you provide goods or services to people in the EU you're beholden to their rules.
Theoretically, a company that only offers services to US residents (mortgage/banking/legal) could still be beholden to GDPR, since their cardholders might access their website (i.e. be provided services) while in Europe, though as far as I know it's never been tested in court.
The EU has full jurisdiction within the EU, and zero without. The EU has no ability to demand action or inaction from an entity in the United States. They can ask all they want but it's just that - a request.
Please read this in good faith: If you want your data gone, why do you keep sending more (posting)? Is it about retention time?
On the other hand, I agree with GP. It's surprising that you cannot delete an account. That HN stay "readable" without the [deleted] is clearly secondary to the possibility of having an account be deleteable. Imagine if I were part of an at-risk group.
I think the part that bothers me most is that you seem to have firmly decided the EU regulators aren't real human beings trying to solve a legitimate problem in a way you disagree with. That'd be too respectful and humanizing. They're pure evil?
If it is PII then EU laws like GDPR apply, but if it is posts more generally then they are not covered, and it would be unfair to people who have responded to them and those reading those responses later (sans context, if your post were removed). The right to be forgotten covers information about you, not information by you (with an edge-case that if somehow your words in a post unambiguously identify you, that post falls into the first category as well as the second so is covered).
What prevents you from recreating a new account? When I left facebook I did a backup of it. Why aren't you making regular backups if your business depend on it?
> In the short term I'll be looking for other solutions, in the loger term I'll be supporting calls for making services like fb a public utility, with certain legal obligations (like not erasing online presences).
Public utility? Really?
If anything it is contamination and pollution that prevent decent options of having room to be the public utility of choice.
Can we please stop blaming the victim?
Simply put every business will behave in this manner eventually if not subjugated by monetary penalty of state regulation.
That or you can scurry around every year to a new provider as the company you're doing business with is bought up by monopoly movers in the market leaving an ever decreasing pool of choices.
Just that they're held to certain expectations with regards to service, as critical infrastructure basically.
They shouldn't be able to terminate an actual human's account unless they can provide a damn good reason
So you don't know if your gmail account was hacked or accessed? I would be worry about that.
SSO is handy for security until your SSO provider breaks or (as in this case) bans you. Given that most consumers have very limited recourse to fix issues with their account, I'd say that for most consumers they're possibly more of a risk than a benefit.
Imagine if one day Mr. Musk decided to kick everyone off of Twitter who didn't align with his politics or philosophy. Think of the millions of accounts that people suddenly got locked out of because they used "Sign in with Twitter."
These situations used to be so theoretical that they were dismissed as hyperbole. But it's a lot less outlandish a thought these days.
They already decided if the user should be locked out if some set of circumstances occurred.
I've been unable to add my main email address in Facebook because "The account that owns the email address you entered has been disabled.". If I check my emails history, apparently someone named "Kyle" (not me) tried to create/activate an account in 2016 and now I'm prevented to use it... Forever?
It's ironic that Jeff Atwood phrased OpenID/third party logins as an internet driver's license. 10 years later, we've learned the pitfalls of such a system, namely that your login is at the mercy of organizations without customer support, and they can turn you off for no personally attributable reason.
https://blog.codinghorror.com/your-internet-drivers-license/
All in all, it’s no different than delegating to your email provider to prove your identity via a password reset / login link.
But well, that may be too radical an idea to be executed. I'm sure privatizing logins is the way to go.
> MinID provides access to online public services at a substantial level of security (level 3).
https://eid.difi.no/en/minid
> MinID is issued by the Directorate of Digitization and can be ordered from the year you turn 13.
https://minid.no/en/about-minid/
There is also BankID which we can use in order to log in to all public services.
> BankID is an electronic credential for secure identification and signing on the web.
https://www.bankid.no/en/private/
> Work on developing BankID as a joint infrastructure started in 2000, and the first customers got BankID in 2004. In 2014, BankID Norway AS was established. In 2018 BankID merged with Vipps and BankAxept in order to improve product offering and prepare for competition against global tech firms.
https://www.bankid.no/en/private/about-us/
I have both MinID and BankID and I can use either of them for things like taxes and such.
Statens Vegvesen, who are in charge of driver licenses and more, allow us to sign in with BankID and a couple of other methods, but not with MinID from what I can tell.
Norge.no, which is a guide developed by the Norwegian Digitalisation Agency, has the following to say about MinID and BankID:
> Electronic IDs are available at different security levels, and thus give access to slightly different types of services.
> MinID is at a medium-high security level ("Significant"), and can be used for many public services, but not for health services at helsenorge.no, for example.
> BankID, Buypass and Commfides, which can also be used for public services, are at the highest security level (“High”) and give access to all public services.
https://www.norge.no/en/minid
Estonia though has an electronic ID which uses X.509 certificates.
MinID is by the government. BankID is private.
> It's a proprietary application from a private company, owned by the banks, which only works on certain operating systems
If you want to use the BankID app to generate codes then you will need iOS or Android. But you don't need the BankID app to use BankID.
Instead of using the BankID app, you can use a physical dongle to generate codes.
The device that you sign in with needs nothing other than Internet and a modern web browser. You can sign in with BankID on Linux or whichever other platform you desire. This device does not need to run any proprietary code aside from maybe some JavaScript executed by the browser.
Very many years ago the device needed Java to sign in with BankID, but that has not been the case for many years.
So yes, you do need to use the BankID app, not just in case you "want" to use BankID, but in order to be able to log into some sites period.
https://api.singpass.gov.sg/library/login/developers/overvie...
But yes, in 2023 you probably shouldn't use 3rd party authentication. You're much better off combining email/password login with a password manager, which effectively allows you push authentication on a 3rd party while retaining full control.
I feel like this is part of the reason we need real data protection laws in the US. There doesn't seem to be any downside for a company with lax security practices.
I intentionally don't let the clients integrate with the browser. I let the browser itself cache the unimportant stuff for convenience, and anything important I always paste from the password manager and have to get a code from the totp app also anyway.
I don't think anyone should use a fully 3rd party full featured password manager like lastpass or onepass.
I would say it is NOT better that they use that vs nothing. 'anything is better than nothing' is not true here. Some things are better than nothing, and some are not.
You misspelled "definitely" as "probably" here.
It's getting harder and harder to send email from your domain without being send to spam, bouncing, or the server just discarding your email without notice.
Currently using their lowest paid tier US$10/month, as that's 10k emails a month which is far more than we send. At least at this stage. ;)
Wish they'd occasionally look over the PR's submitted to their GitHub repo's though. ;)
eg: https://github.com/smtp2go-oss/smtp2go-go
My hope is it's a password hash or they forward the sign in request to MS servers, but who knows.
Uhm, not without requiring you to log in with the other auth as well - otherwise your account security is as weak as the weakest supported auth instead of the just weakest auth you added.
If the service notices that an account with the same email already exists, you may ask me to login with the original provider again to link the accounts, and indeed, this would probably be my favorite solution. Second best would be to just create a second account without complaining.
Playing fast and loose with authentication processes in the way you're describing is a guaranteed way to lose me as a customer if your service handles any valuable personal/confidential information.
What if tomorrow a vulnerability is discovered where, say, Facebook provides the new unverified email address rather than the previous verified address during the OAuth login flow? It would immediately result in an arbitrary account takeover on your website. There are so many possible edge cases with this setup and the surface area increases with each new auth provider.
Edit: I was not done reading and realized he addressed this.
Or - you can opportunistically pick a time when you drive by and there's no obvious line out the door.
One way of thinking about public vs private is, private companies are for cases where we care about efficiency more than fairness and government is for the opposite. Auth seems to have gotten to the "rural electrification" stage, where handling the corner cases fairly is more important than efficiency or innovation.
The author claims that he was permanently banned from all Meta products (including Facebook, Messenger, Instagram, and WhatsApp) due to a security flaw in Facebook's password recovery system.
Despite having two-factor authentication turned on, the author believes that his email password was compromised and there is a backdoor to disable 2FA after a password reset request.
The author has tried to resolve the issue and appeal the decision with no success and has lost his personal and business accounts. The author suggests having a backup admin for your Facebook page, and he has found other instances of similar bans happening to other people.
The text ends with an update, where someone from Meta reached out to the author on Reddit to help resolve the issue.
Which, given that the report here is anonymous, seems at least not implausible. There's a real name in one of the screenshots, but a quick search doesn't find any other content associated with it.
Folks need to recognize that this kind of content, presented without verification, tends strongly to be one-sided and at least partly misleading.
What other content would you like to find with my name on it? My website, jcforbes.com (which currently has nothing on it)? You could search my name with the NC department of commerce and find my business name easily.
I presented all evidence in form of screenshots... exactly what do you think I'm hiding?
Yesterday my account was suspended again for the same reason and was unblocked today.
I use a password manager and 2FA so I doubt someone managed to access my account.
I’m afraid to definitely lose my account
Class action might be possible as well
Indeed: https://www.shuchow.com/so-i-took-a-huge-corporation-to-arbi...
For example, I created my account before there was a TOS, and FB used easily-bypassable ways to get users to agree to a TOS, and eventually they stopped asking me, leading me to believe they think I agreed. Without my wet signature on anything, how can they prove I agreed to something when they can just flip a bit and claim their records show I did?
I guess the user would get a notice that FB/Meta filed something and that they could respond saying that's not true?
Right. Keep in mind this is civil court so the standards of “proof” aren’t the same as criminal court. The judge only has to believe you more than them. It will be an uphill battle though because the judge probably doesn’t want to hear the case. They’re going to want you to try arbitration first.
If you live in the US, it turns out that EULA (which TOS are a subset of) are completely valid: https://www.canlii.org/en/commentary/doc/2006CanLIIDocs118#!...
The argument that you provably never read the EULA is apparently no form of legal defense, which I personally feel shits upon the letter and the spirit of the law, but that's an unfortunate consequence of living in a society where business is the pinnacle of everything.
Now I live in Europe and that sort of shit absolutely doesn't fly here - EULAs are not enforceable.
"I've repeatedly tried to organise arbitration, however Facebook is refusing to do so."
Since that account should still have alot of photos for us, I'd really appreciate if someone from meta can help us recover it. I wrote on HN asking for help back then: https://news.ycombinator.com/item?id=21234651 .
The first time around I got unbanned after several days, sending them my selfie etc.
The second time is now. They require phone number to send me a code, so I can „ask them to reconsider”. But I don’t receive the code. After several tries the page says „too many requests, wait 24h”.
I obviously have 2FA using authenticator. Got no other email than „you got 30 days to take action”.
The only reason I’m even trying is messenger and a few sad groups that are funny from time to time. Meh.
I would expect governments to step in when a flaw like this is detected. It could ruin thousands of lives.
It's not "could". It has ruined thousands of lives. How many depressed people out there have had their last little connection with humanity severed because of a dumb algorithm? How many small businesses have died because a random business account was shut down overnight with no recourse? I'm convinced that there's been at least some suicides over the problems caused to peoples' lives from the deliberate decision to not provide human customer service in some fashion from these Silicon Valley giants.
The really infuriating part is that this isn't even a selfish decision about money, which would be evil, but at least understandable on some level. Customer service can be revenue neutral or even a profit center if these companies were willing to charge a fee for actual good, human support to resolve the most important issues.
This is just a matter of common sense. The same applies to Amazon, Youtube, etc. Even if they're fine now they can and will unilaterally change their conditions and employ algorithms with false positives. Your business can become the victim of algorithmic discrimination and plain old bugs anytime.
Same thing with Amazon - it's been one of the easiest ways to sell. I listed my stuff, spent a little on ads, and things have just been slowly and steadily up and to the right since then. Even if they kicked me off tomorrow, I've still made good money in a very time-efficient manner.
It's one thing to say you should get Fastmail instead of Gmail, but to just say you should avoid using services that are valuable for your business because you might lose access later is cutting off your nose to spite your face.
EVERY direct-to-consumer ecommerce company buys Facebook and Google ads. Every single one.
Like Facebook - by which you mean Facebook, Google and Twitter, I suppose?
So what are you supposed to do, exactly? Hand out fliers door to door? Create your own social network?
These large corporations have inserted themselves into every single part of our lives as a gatekeeper. They believe that they have no responsibility to actually treat their clients with fairness, and they have made sure of that by having no way to actually reach anyone who can change anything. And yet for a small business, they have no choice.
The system was designed entirely by these big companies to make sure that these big companies could do exactly as they pleased, giving us no recourse except legal action.
What you are doing is called blaming the victim and it isn't very nice. Morally, ethically, _and legally_, this system is wrong. Facebook is the villain here, not this man who used Facebook in exactly the way they advertise to us to do so.
I've experienced this as well. Facebook seem to have gone through some lengths to insulate themselves from interactions with the public. They're now too big to trust with anything important to you. You'll get no support if you get in trouble.
Some months after a family member passed away, his Facebook account was hacked and the thief started posting stuff. It's been almost a year that I've been trying to close that account, or at least memorialize it. I've provided everything requested by their circuitous knowledge base to prove that the person has indeed died and even personal documents proving that we're related. For reasons known only to them, the help desk decided that something is missing. They wouldn't say what and just became totally unresponsive. There's no way to talk to anyone.
We sent multiple requests via their page and nothing. It is really really depressing.
I don't mean to blame the victim; it's clearly not his fault. But placing so much reliance on a provider of free services that lacks a proper support channel, isn't a great plan. I also note that the author relies on gmail - which has very similar problems.
And yet the first person you blame is... the victim.
Blaming the victim is in fact defending Facebook.
> I also note that the author relies on gmail - which has very similar problems.
And your solution is... what?
For two decades, I ran my own mail server, just for this reason. I finally gave up this year, because Google finally made it impossible for me to deliver email to them no matter what I did.
I resent it bitterly.
Well, like you, I ran a personal mailserver for nearly 20 years. Initially I had trouble delivering to gmail and Hotmail; those problems resolved themselves after a few years. My ISP now hosts my mail, using the same infrastructure that I used to use: Postfix, SpamAssassin, Dovecot, Sieve. I use my own domain.
Obviously email isn't the same as social media. I never liked the social media landscape; I've always seen the internet as fundamentally distributed, and I always regarded MySpace/Facebook et al as a trap. I have an old Google account, but I never use it. Otherwise the only social media account I've ever had is HN.
I'm not in business, I'm not selling anything. Also I'm rather reclusive; I don't need a large circle of friends, about three has mostly been enough for me. So I'm not like everybody else, and I can see that for some people, there isn't much alternative to the giants.
I'm against designating them "critical infrastructure". That would simply deepen the moat. If they really are critical infrastructure, then they should be provided by the government. What they do that's useful isn't hard; what's hard is the part that isn't useful - advertising, and constant user-engagement.
I think something like Mastodon probably has the potential to defeat the giants. It's truly distributed, and not under central control. Mastodon seems to be designed as an alt-Twitter, based on short messages. That doesn't suit me, but I expect something like a long-form Mastodon will rock up sooner or later.
Regarding victim-blaming: this is like making a deal with gangsters. I have every sympathy with the victims; but if you place your business in the care of a giant, with no proper support channel, that don't take money off you for the service, then your only recourse is to ask for your money back (i.e. zero). You can't even sue for breach of contract. That's an extremely squishy foundation to build a business on.
Facebook has lasted rather well; Twitter seems to be going down the tubes. MySpace died a long time ago. But Facebook will fade away - they all fade away. What lasts isn't websites and services; it's protocols.
How does a government agency even allow something like "sign in with Facebook"? Sure it's convenient but this case shows why this is stupid. Also, isn't this a privacy issue? I'm not an american but it baffles me that something like this is possible.
The problem is not, that a false positive happens, or the user does get locked out by an algorithm, etc. - that sort of thing is impossible to avoid entirely. You have to stop bad actors, and you'll never be 100% accurate with that.
Imho the big problem is, that people who get locked out wrongly, have no recourse. There's no support, neither free nor paid, no avenue, absolutely nothing they can do, to get help. THAT's the problem.
People have to resort to trying to go viral, because only then their problem will get fixed.
As a company, that's probably not what you want. To see your false positives cause waves all over the internet... You'd probably want to see those problems be solved silently. But that would require that you offer an avenue for the user to get their problem solved quietly - doesn't it?
In this specific case, if keeping the account for a longer time had been the goal, the bad actor wouldn't have gotten the account suspended immediately by violating the Terms of Use, nor would they have used a Vietnam IP to do so.
Secondly - whenever such a thing does go viral, and Facebook comes under pressure - they all of sudden become very able to tell:
- that the person who has been using the account for years without incident, with an US IP address, who can provide 2FA codes, controls the original sign-up email, can produce credit card statements for payments the account made, sent in a copy of their drivers license, is probably the good actor
- that the person who (within just a few hours) reset the password, changed the email, disabled 2FA, and caused the suspension - all from a Vietnam IP - is probably the bad actor.
Facebook doesn't have that problem because they are unable to differentiate between bad actors and good actors... Facebook has that problem because they don't want to differentiate good and bad actors - because that costs man-hours and thus money.
The support teams dealing with that stuff are probably under-staffed, under-paid, lack the tools/knowledge for deeper investigation, and are being pressured to close as many tickets as fast as possible.
I just refuse to be forced into someone's idiotic security requirements that completely forego any other considerations user may have, other than this stupidly absolute focus on security.
Every time I imagine this glorious new world of webauthn replacing everything... it's just not appealing. I lose the HW key, so I need to buy a new one. I can do it online, except I can't because I need the lost HW key to confirm the card payment or login to my bank account and initiate a transfer. I have to go buy it to some physical shop or pay on delivery. Most don't carry it. Now this happens on a vacation, where it's generally easier to lose things, and gerneally impossible to buy things like HW security keys.
It would be possible to have a SW based solution, by emulating the USB FIDO interface, or whatever, but I really don't want to get locked into a solution where there's a constant threat that some services will just start requiring HW key attestation.
So, no. Security is important to me, but so is reasonably doable disaster recovery not requiring anything more than an internet connected computer and things I can remember.
This is why I will never use gmail. Yeah - my current email provider might scan my mailbox, but it will not ban me for saying something wrong on youtube or twitter.
And I never post anything on facebook to not lose access to my VR headset.
I gave up on it for two years - finally, I reached out to a friend of mine who literally just started working there (I’m 19, he’s 21), and he raised an internal support ticket which generated temporary 2FA codes for me in 6 hours, and I was back in my account. Actually shocking how much nepotism can help you solve these problems.
Good luck OP.