[HN Gopher] 533M Facebook users' phone numbers and personal data...
___________________________________________________________________
533M Facebook users' phone numbers and personal data have been
leaked online
Author : cjbprime
Score : 885 points
Date : 2021-04-03 15:49 UTC (7 hours ago)
(HTM) web link (www.businessinsider.com)
| timdaub wrote:
| Great, and while you can get sued into oblivion for downloading a
| Metallica album, all our personal data is downloadable from a
| public website for 3EUR.
|
| Like for real, it took me 2mins to find the leak myself...
| hh3k0 wrote:
| Can you link it? I'd like to check if I am affected.
|
| Regrettably, I was forced to create a FB account for work.
| Exuma wrote:
| Where did you get the data leak, I want to check too.
| malaya_zemlya wrote:
| https://t.me/freedomf0x/12553
|
| I haven't checked the content myself, but this tg channel is
| usually legit
| OkGoDoIt wrote:
| Thanks. I'm just getting a "Please open Telegram to view
| this post from @freedomf0x" message. Any way to access this
| without signing up for Telegram? The irony of giving my
| personal info to another 3rd party just to check if my
| personal info was leaked by a different party is too
| much...
| hosteur wrote:
| Yeah I assume that the data is not actually hosted in
| Telegram so would be really nice with a direct link or
| magnet or similar.
| happyhardcore wrote:
| the telegram has a text file with links to links by
| country, I've just stuck that at
| https://pastebin.com/3SvG1FJ0
| Nerada wrote:
| Is there an alternative to ufile?
|
| I've tried three different browsers and none can get the
| download to work. It's possible I'm blocking some
| tracking domain at the router-level that's integral to
| the download functioning.
|
| Edit: Turns out I was blocking Google's captcha.
| scorcoran wrote:
| Goes without saying, do not use the link above. Downloads
| malware.
| matsemann wrote:
| Which link? The ufiles? Why does it go without saying?
| Not like stuff is instantly executed by downloading. All
| I got for my selected country was a plain text file.
| somedude895 wrote:
| Thanks. Was just able to verify I'm not affected (deleted
| my acc years ago), but it's crazy how many of my friends'
| names plus phone number are on there.
| mbirth wrote:
| From the initial tweet the source is this:
|
| https://raidforums.com/Thread-SELLING-Free-
| FaceBook-533M-rec...
|
| However, the comments in that forum suggest that it's not
| "free" and/or not there.
| hn_throwaway_99 wrote:
| I mean, at this point I think everyone should just accept that
| at the very least their name, age, address(es), email(s), phone
| number(s) and screen name(s) have been fully leaked if you have
| ever had any kind of online presence. Not saying that's right
| or good, but at this point it's just a fact.
|
| So if that's the case, I think we should move beyond really
| even trying to think of this info as private or a marker of
| identity, and we need to move _everyone_ to more secure forms
| of identity verification.
|
| As has been pointed out on HN before, "identity theft" is a
| made-up concept to make it seem as if you had something stolen
| from you, when the real problem is banks and other service
| providers do an absolute shit job of identity verification.
| _They're_ the ones at fault, and they try to shift the onus
| onto you to fix things when they screw up.
|
| Indeed, a social security number is pretty much the only
| additional piece of data to the stuff above that one would need
| to open up a bank account in someone else's name, and those
| have been leaked plenty of times too.
|
| The government needs to make harsher penalties for banks and
| others that can ruin your credit, etc. because they accept all
| this leaked info as "proof" of identity.
| ubertoop wrote:
| The scary thing is how much one's phone number (a somewhat
| ephemeral thing) is actually bound to your IDENTITY.
|
| Considering your phone number is more and more being used in
| 2FA ... if you were to ever change your number and someone
| else got it, this would pose a serious security risk if you
| failed to change over ALL of your internet accounts 2FA to
| the new number.
| ourcat wrote:
| I've always thought the most scary thing about this
| practice is that your (unique) phone number is a powerful
| "foreign key" which could potentially join data from many
| other leaked databases, forming an even larger dataset on
| you.
|
| There are plenty of other places we give our phone numbers
| to, which might not have anywhere near the protections that
| Facebook say they provide.
| anticristi wrote:
| Like really? Don't you have to walk to a bank or show some
| ID?
|
| I live in the EU and I do operate under the assumption that
| banks take reasonable measures to ensure an account is linked
| to a legal identity.
| hn_throwaway_99 wrote:
| No. Many online services will let you open a bank account
| with name, address, phone, DOB and social security number.
| iso1210 wrote:
| Without sending a confirmation letter to the address and
| SMS to the phone?
| brendoelfrendo wrote:
| If you're the fraudster, you're providing the address and
| phone number.
| iso1210 wrote:
| In which case it surely wouldn't match with credit report
| databases?
| seaman1921 wrote:
| s/if you have ever had any kind of online presence./if you,
| your friends, your family, your cleaning lady etc. has ever
| had any kind of online presence.
| cblconfederate wrote:
| At this point i don't see why only facebook and the thieves
| should have access to this data. If the data is public it loses
| its value
| somethingwitty1 wrote:
| What about this data being public causes it to lose value? It
| seems like it would be a boon for lots of companies even if
| every other company has it.
| Moeancurly wrote:
| I believe they mean it can't effectively be sold if
| everyone has it. It loses value as a commodity if anyone
| can access it, but the value of the data is still intact.
| kabes wrote:
| But facebook is not in the business of selling your data.
| It's in the business of selling your attention and it
| uses data to do so. There's nothing about this leak that
| changes Facebook's position in this market in this
| regard.
| lostlogin wrote:
| > But facebook is not in the business of selling your
| data.
|
| There are an awful lot of arguments against this stance
| and the argument supporting the claim appears to split
| hairs in a very convenient manner.
| mhh__ wrote:
| Value to whom?
| skizm wrote:
| Why would the data being public stop robo-callers from using
| the list?
| BenchDwarf wrote:
| Source?
| egberts wrote:
| That's why you never use your real name nor birthdate ... on
| social media.
| canada_dry wrote:
| Except... that's only the tip of the iceberg.
|
| Facebook/Google (et al) farms data from everyone! There really
| is no escaping it in today's unregulated privacy free-for-all.
|
| Friends/family/associates will provide your personal info in
| their contact/meta data.
|
| Companies (and their 3rd parties) you've done business with
| willingly sell/provide your personal info.
| saos wrote:
| Ha and WhatsApp want me to accept their new policy.
|
| Absolutely not
| ruph123 wrote:
| Does anyone know if there is a way to check if one's data is
| included in that leak, a la haveibeenpwned?
| mhh__ wrote:
| grep the download?
|
| Search for :YourFirstName:YourLastName:YourGender
| ipnon wrote:
| And yet it is still considered audaciously paranoid among the
| general public to protect your privacy by not having a
| Facebook/LinkedIn/Google/... account.
| permo-w wrote:
| I've noticed that some people who don't have personalised
| social media seem to assume that other people do because
| they're mentally deficient or ignorant.
|
| It's the same as how unsympathetic people ask why fat people
| don't just stop eating, or drug users stop getting high, or the
| cyberbullied don't just turn off their phone.
|
| It's a lot more complicated than "just don't use facebook".
| sachdevap wrote:
| But parent is not talking about calling out people for having
| social media accounts. He/She is talking about those having a
| social media account judging those not having one as
| paranoid. You've just propped up a straw man here without
| addressing the point the parent comment made.
| i_have_an_idea wrote:
| There's not much to see here.
|
| Someone scraped some public profiles. Someone then brute forced a
| poorly implemented "look up by phone number" feature. They linked
| the two datasets on the unique facebook user id.
|
| Leaking data that is or was in the public domain is not much of a
| leak. The only noteworthy thing would be the leak of the non-
| public phone number, however that vulnerability has been widely
| known since 2019 (and has been resolved by Facebook), so there's
| nothing new here?
| QUFB wrote:
| Not much to see? Not noteworthy?
|
| Where could I, or any Internet user, trivially download these
| details on 533M Facebook users prior to this dump? If nothing
| else, it seems extremely noteworthy that someone was not only
| able to obtain the data through scraping or some attack, but
| has shared it with the world.
| i_have_an_idea wrote:
| > Where could I, or any Internet user, trivially download
| these details on 533M Facebook users prior to this dump?
|
| On Facebook. Literally. You can scrape any public profile
| info. It's against ToS, but it's not illegal (some caveats
| apply, see the hiQ Labs v. LinkedIn case for more info).
|
| The only noteworthy thing is the phone number vuln. Except
| that's been known since 2019, so it's certainly not news.
| azeirah wrote:
| There's a difference between programming a scraper capable
| of scraping 500 million records, running it and storing the
| results without getting caught by Facebook and downloading
| a file.
| prox wrote:
| How hard is it to change phone numbers? So say I release my old
| number and take a new one, how do I make sure I am not
| forgetting any 2FA services I signed up for?
| tnolet wrote:
| Interesting numbers in the linked tweet in the article. 5M
| accounts for the Netherlands exposed. Almost 1/3 of the
| population. Compared to Germany where "only" 6M are leaked, not
| even 10%.
| djokkataja wrote:
| They've also got Tunisia in the list twice, and the number for
| the first instance is 39.5M, when the population of Tunisia is
| not even 12M.
| bellyfullofbac wrote:
| I wonder if Tunisia is famous for FB click farms?
|
| A quick google indicates "maybe":
| https://about.fb.com/news/2020/06/may-cib-report/
| [deleted]
| r721 wrote:
| Liz Bourgeois, @Facebook comms:
|
| >This is old data that was previously reported on in 2019. We
| found and fixed this issue in August 2019.
|
| https://twitter.com/Liz_Shepherd/status/1378398011747938305
| gpm wrote:
| 1/16th the world's population, assuming no duplication.
| throwaway29303 wrote:
| Interesting. Every time Facebook is hacked I remember this
| Anonymous' threat[0].
|
| [0] - https://venturebeat.com/2011/08/09/hacker-group-anonymous-
| th...
| mgerullis wrote:
| Wasn't Facebook just trying to lecture apple about privacy?
| annadane wrote:
| Right? They're masters at adopting the (supposedly) moral high
| ground and acting all hurt when others criticize them - you'll
| hear 'we need to be better' but there's this overriding sense
| of, how dare people differ from what we feel is best?
| amelius wrote:
| Can we take away the incentive and just ban online targeted ads
| already?
| baybal2 wrote:
| This does not look like scraping. A prima facie database leak,
| and an invalidation of Facebook's claims of them not using your
| phone number past the validation, as well as them claiming using
| encryption at rest.
| mhh__ wrote:
| I've had a play with the data for a few people whose phone
| numbers I actually know, and they all seem old enough users
| that they just have the number on the account anyway. I could
| be wrong but I haven't found anyone my age whose number I can
| confirm.
| Tenoke wrote:
| As far as I can tell it's a combination of the 2020 phone
| number exploit linked to scraped data for public accounts
| (likely using the public id).
| spicybright wrote:
| The phone number point may still be true though, they have to
| store the phone number somewhere.
| noxer wrote:
| They could store a salted hash instead for almost everything
| except using the number as an actual phone number (call/SMS)
| xyzzy123 wrote:
| You need to do a bit more than that; a one-way transform
| with no secrets isn't good enough for easily brute-forceable
| data like phone numbers, SSNs, passport numbers,
| credit card numbers etc. There's just not enough entropy in
| the data.
|
| There are ways to do these things though so the spirit of
| your comment is correct.
| zepto wrote:
| This seems like it would not be obvious to many people
| here, and so is a very salient comment.
|
| Do you have a link to anything that explains why, and
| what the ways are to do these things?
| mikeiz404 wrote:
| What are some of the ways?
|
| I'd assume encryption wouldn't help much since wouldn't
| the key most likely be available if the database was
| compromised?
|
| I would have thought hashing would work if it's made more
| expensive such as by choosing an expensive hash function
| and increasing the number of rounds.
|
| Edit: Would first encrypting the value with the salt and
| then hashing the encrypted value and salt add more
| entropy and make hash collisions less revealing?
| xyzzy123 wrote:
| To protect "sensitive, low-entropy data", the main things
| I've seen people do are encryption, tokenizing, or
| anchored hashing. I'm certain there's a bunch of academic
| work out there I'm not across so I'm writing from the
| limited perspective of "things I've seen people do in
| industry".
|
| The best thing to do tends to depend on how you need to
| use the data, exactly.
|
| With hashing alone there's just no reasonable cost
| function that will provide (say) 1 year of security in
| the event of database exfil, but also not DoS your
| service computing it :/ The problem is being
| offline-attackable.
|
| Encryption is one possible answer and I think most HNers
| understand the tradeoffs. Generally the less transparent
| it is, the more effective it is. Volume encryption or
| transparent database encryption are good to turn on, but
| don't protect you much. Keys available at application
| level only (let's say some fields are KMS'd) are better
| and will be of use under common failure scenarios (SQLi /
| DB exfil). You still have to get key management and
| application security right though and it turns out those
| are hard to do at scale. Your encrypted fields will also
| not be efficiently searchable unless you are using
| deterministic encryption.
|
| The tokenize pattern replaces sensitive data with a
| random value which is mastered in a centralised,
| controlled service. This really only makes sense if you
| can set things up so that almost all operations can be
| performed using the token. If you allow too many things to
| do token -> value lookups then it's pointless. Also all
| your eggs are now in one basket so you have to _watch that
| basket_. Operations look like:
|
| - Exchange sensitive value for token
|
| - Compare tokens for equality (optional, but usually
| handy)
|
| - "Domain operations on token". For credit card, "bill
| the user", for phone numbers your domain operations might
| be "send SMS" or "robocall".
|
| - Exchange token for value (controls go here; limit
| access to customer service staff only, auditing, rate
| limits etc. The value should ideally only come out if a
| human has to look at it, and you should be able to
| definitely say who looked at what).
|
| This is a general technique, mostly used for credit
| cards. There's a whole industry around it.
| https://en.wikipedia.org/wiki/Tokenization_(data_security)
|
| Anchored hashing uses a secret value in your "hash"
| operation. Keeping this value actually secret is hard, so
| an "industrial strength" implementation will use an HSM
| or other hardware to do the operation. This means any
| brute-forcing has to happen inside your network where you
| can see it. You ideally want a bit more entropy than with
| tokenization to make this work, but with appropriate
| rate-limits against attack from inside your
| infrastructure, it has legs. It's hashing, so works well
| for "have I seen this sensitive data before". The main
| advantage of this pattern is that it doesn't have to keep
| state.
|
| A decent write up of "anchoring" is here:
| https://diogomonica.com/2017/10/08/crypto-anchors-
| exfiltrati...
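The three patterns described in the comment above (salted hash, anchored hash, tokenization) side by side, as an added Python example that is not part of the thread. The +31 6 number range, the in-process key standing in for an HSM, and the vault's reader list are constructed assumptions for the demo.

```python
# Added example: three ways to store a low-entropy value such as a phone number.
# Sample numbers are constructed: a fake +31 6 prefix with only 4 free digits so
# the brute-force loop runs in milliseconds; real plans have ~10^10 numbers.
import hashlib
import hmac
import os
import secrets
from itertools import product

PREFIX = "+316123"   # constructed prefix shared by all sample numbers
FREE_DIGITS = 4      # digits an attacker would have to enumerate


def candidate_numbers():
    """Enumerate every phone number the attacker considers possible."""
    for digits in product("0123456789", repeat=FREE_DIGITS):
        yield PREFIX + "".join(digits)


# 1. Salted hash: the salt lives in the same row, so a DB dump contains
#    everything needed to recompute the hash for every candidate number.
def salted_hash(phone: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + phone.encode()).digest()


def brute_force_salted(digest: bytes, salt: bytes):
    """Attacker with a dump recovers the number from (digest, salt) alone."""
    for phone in candidate_numbers():
        if salted_hash(phone, salt) == digest:
            return phone
    return None


# 2. Anchored (keyed) hash: HMAC under a key that is never stored in the
#    database. In production the key stays in an HSM/KMS that rate-limits
#    calls; here it is just a process variable (assumption for the demo).
def anchored_hash(phone: str, key: bytes) -> bytes:
    return hmac.new(key, phone.encode(), hashlib.sha256).digest()


def brute_force_anchored(digest: bytes, guessed_key: bytes):
    """Same enumeration, but without the real key every candidate misses."""
    for phone in candidate_numbers():
        if hmac.compare_digest(anchored_hash(phone, guessed_key), digest):
            return phone
    return None


# 3. Tokenization: a random, unrelated token replaces the value; the mapping
#    lives only in a vault whose token -> value path is gated and audited.
class TokenVault:
    def __init__(self, allowed_readers):
        self._by_value = {}
        self._by_token = {}
        self._allowed = set(allowed_readers)
        self.audit_log = []

    def tokenize(self, phone: str) -> str:
        """Same phone always maps to the same token, so tokens compare equal."""
        token = self._by_value.get(phone)
        if token is None:
            token = secrets.token_hex(16)
            self._by_value[phone] = token
            self._by_token[token] = phone
        return token

    def detokenize(self, token: str, actor: str) -> str:
        """Controlled reverse lookup: allow-listed actors only, always audited."""
        if actor not in self._allowed:
            self.audit_log.append(("DENIED", actor, token))
            raise PermissionError(f"{actor} may not detokenize")
        self.audit_log.append(("READ", actor, token))
        return self._by_token[token]

    def send_sms(self, token: str, text: str) -> bool:
        """Domain operation on the token: the caller never sees the number."""
        phone = self._by_token.get(token)
        return phone is not None  # constructed stand-in for an SMS gateway call


def demo():
    """Run all three patterns against one constructed number and report."""
    phone, salt, key = PREFIX + "4711", os.urandom(16), os.urandom(32)
    vault = TokenVault(allowed_readers={"support-agent"})
    t1, t2 = vault.tokenize(phone), vault.tokenize(phone)
    results = {
        "salted_recovered": brute_force_salted(salted_hash(phone, salt), salt),
        "anchored_recovered": brute_force_anchored(anchored_hash(phone, key), os.urandom(32)),
        "tokens_equal": t1 == t2,
        "sms_sent": vault.send_sms(t1, "your code is 123456"),
        "support_read": vault.detokenize(t1, "support-agent") == phone,
    }
    try:  # an analytics job is not on the reader list
        vault.detokenize(t1, "analytics-job")
        results["analytics_denied"] = False
    except PermissionError:
        results["analytics_denied"] = True
    return results
```

The salted row falls to a plain enumeration of the number space, the anchored row does not without the key, and the vault only ever hands the number back to an allow-listed reader with an audit entry.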
| noxer wrote:
| You cannot prevent the phone number from being found
| eventually, but that's not the goal; you just need to make
| it more expensive than a phone number could ever be worth
| to someone.
|
| If you use a secret you have the same problem as before:
| the legit system needs to have access to the secret but an
| attacker should never get it. So if an attacker gets
| hashes and the secret(s) he has everything.
| emayljames wrote:
| Amalgamation of data before encryption? Encrypt full
| rows of data? etc.
| jpeter wrote:
| Maybe it's from whatsapp
| onetimemanytime wrote:
| I still go with the assumption that everything that is sitting
| somewhere in some server will be leaked. Having unnecessary data
| is the problem
| mensetmanusman wrote:
| My actual phone number has net negative value. I mostly only get
| scam texts and phone calls.
|
| Everyone I know uses messaging apps and contacts me that way.
|
| I can't believe Apple hasn't offered a way to white list when
| your phone rings.
| jdjdjdjdjd wrote:
| They have. Settings > Phone > Silence Unknown Callers
| maxc01 wrote:
| Before a leak: xxx is a shit company and is notorious for how it
| treats users' data. Everyone, stop using its app now.
|
| After a leak: ok that's life
| impostervt wrote:
| https://haveibeenpwned.com/
|
| I've been pwned 33 times. At this point, it's just noise. My
| passwords are all unique (password manager). Honest question -
| What should I worry about?
| prophesi wrote:
| It's much more of a threat to those who don't use cryptographically
| randomly generated passwords. And if you add PII to your
| accounts.
| newman8r wrote:
| well it might be embarrassing if someone found out you used
| facebook.
|
| I guess I could envision a scenario where you're being
| investigated, and these leaks provide a roadmap of services to
| subpoena.
| retox wrote:
| You should worry about being a smug cunt.
| codethief wrote:
| Maybe your phone number, relationship status or Facebook bio?
| doubler wrote:
| This news is from jan29
| https://www.theverge.com/platform/amp/2021/1/25/22249571/fac...
| doubler wrote:
| This is from jan29
| https://www.theverge.com/platform/amp/2021/1/25/22249571/fac...
| offtop5 wrote:
| I would love this to spur some serious regulation of social
| media.
|
| The cat's sorta out of the bag, but one can dream.
| anticristi wrote:
| Let's start by classifying them properly: FB is an ad network.
| kwertyoowiyop wrote:
| Don't worry, Facebook will soon put out a press release including
| the phrase "we need to do better."
| poqegjrioe wrote:
| I work in the security field and let me tell you something I
| realized: nobody cares about security. If someone cares about
| security, it's because they've had many many incidents in the
| past. We humans are not a species that is good at preventing,
| we are good at reacting.
|
| the security handbook[^1] has a chapter on that actually, and
| they basically say that role playing is the only way of not
| getting burned. Humans are excellent at role playing, and it
| can help you prevent a lot of catastrophe without having
| experienced them before.
|
| [^1]: https://securityhandbook.io/
| RachelF wrote:
| The problem is that companies don't care about securing their
| data, because the data is not theirs, it is about their
| users.
|
| Mark Zuckerberg probably spends more on personal and family
| security and privacy than Facebook spends on their users'
| security.
| anticristi wrote:
| I think part of the problem is that many orgs see security as
| an overhead that engineers do to sleep well at night. A few
| more breaches, a few more fines and it will finally be seen
| as a feature to keep the CEO out of jail.
| kevmo wrote:
| Probably 2/3 of billionaires belong in jail.
| aloisdg wrote:
| Probably most of them if not all.
| hunter-gatherer wrote:
| This is just it. I also work in the security industry, and
| the fact of the matter is that we (security professionals)
| can't give guarantees. I don't know what exotic exploit or
| bug will exist tomorrow. Security professions basically
| offer what (to me) seems like a crappy insurance policy.
| Depending on your org's threat model, it is often just
| cheaper to deal with the breaches. --- I am not saying
| facebook falls into this category. ---
| esnard wrote:
| "This is old data that was previously reported on in 2019. We
| found and fixed this issue in August 2019."
|
| https://twitter.com/Liz_Shepherd/status/1378398417450377222
| varispeed wrote:
| What a pathetic response. Does it mean users changed where
| they live? Change their names? Deleted and started a new
| account so the ID is different?
| mrweasel wrote:
| That's kinda sad, because that is what's going to happen and then
| we'll hear nothing more.
|
| At this point I'm not really sure what it will take for
| companies, like Facebook, to understand that you need to not
| fuck around with peoples private data.
| BoiledCabbage wrote:
| Put a monetary cost on holding user data, and a steep
| monetary cost on losing user data.
|
| Ex, pay x amount per month in perpetuity for each piece of
| information about a user you keep. And have to pay the "net
| present value" of those payments if you lose the data.
|
| Having to pay for hoarding user personal data changes the
| incentives from gobble up as much as possible, to instead
| only pay for a user's data that is worth the cost to your
| business.
|
| And as an extra incentive to not hold unneeded user data,
| know the costs you'd pay if it was breached.
| mrweasel wrote:
| Who would get this money? I agree that it needs to be some
| solution involving a cost, given that most of these
| companies have shown multiple times that profit isn't just
| their main concern, it's the only concern.
| pharke wrote:
| Think of it like a class action lawsuit on behalf of
| investors. Instead of entrusting their savings to a
| company, people are entrusting them with their personal
| information. If there is gross negligence on part of the
| company leading to that data being leaked then all of the
| people whose data was stolen should be able to claim
| monetary damages. If a legal precedent is established so
| that these claims can be pursued whenever this happens it
| should provide enough motivation for these companies to
| take preventative measures.
| gpm wrote:
| The government typically... who might in turn do
| something like a tax rebate (write a check to everyone,
| ontario has been doing with the carbon tax) or just stick
| it into the general pool of taxes (reducing everyone's
| taxes).
| 29083011397778 wrote:
| So the American government gets a cheque for every other
| nations' citizens that use FB, or FB has to determine
| where each of their users reside?
|
| Respectfully, I'm not sure either of these lead to
| outcomes we want
| anticristi wrote:
| Sounds interesting. Shall we call it "GDPR"?
| mrweasel wrote:
| Honestly the EU needs to finance an organisation to deal
| with GDPR violations; hell, it could finance itself. The
| GDPR is the single best piece of legislation ever
| written, in terms of privacy, but enforcement is lacking.
| kristianc wrote:
| Interested to know the GDPR implications of this for Facebook.
| This seems like one of those occasions where the regulator might
| be tempted to impose the maximum fine...
| Nextgrid wrote:
| See my other comments on this thread about Facebook's situation
| with the GDPR: https://news.ycombinator.com/item?id=26682200
|
| Long story short, regulators already have more than enough
| evidence about Facebook's lack of GDPR compliance so they
| could've already imposed large fines if they wanted to. The
| fact that it hasn't happened yet shows there's no motivation to
| actually enforce the regulation.
| anticristi wrote:
| I wish I were Irish. Imagine 3 billion dollars extra taxes!
| It's like a second COVID-19 relief package.
| lordnacho wrote:
| Does anyone know if there's a GDPR fine on its way?
| Nextgrid wrote:
| Facebook already breaches the GDPR in many ways and has yet to
| see significant consequences, so this is unlikely.
|
| (before you post a link to enforcementtracker.com please first
| compare the fine amounts with Facebook's revenue)
| yokaze wrote:
| > Facebook already breaches the GDPR in many ways and has yet
| to see significant consequences, so this is unlikely.
|
| Not having the data encrypted at rest seems to me a different
| infraction than the previous ones. The scale also matters,
| and that it isn't the first infraction.
|
| And as I read it, not encrypting at rest is a breach of
| Article 6 and fined under Article 83 (5)
| (https://www.privacy-regulation.eu/en/article-83-general-
| cond...), which puts the fine limit at 4% of the annual
| turnover.
|
| Yes, it doesn't mean they have to fine as much, but the point
| remains, that this is in the category of the most severe
| infractions.
| Nextgrid wrote:
| Facebook's tracking consent flow has been in breach since
| the regulation went into effect in 2018, and has affected
| millions of people, both users and non-users. Keep in mind
| that had Facebook been compliant with the GDPR, the recent
| Apple changes regarding tracking consent on iOS wouldn't
| have been an issue for them at all.
|
| I'd argue this is a much bigger issue than the lack of
| at-rest data encryption, and yet nothing has been done.
|
| They also appear to be ignoring Subject Access Requests
| with total impunity: https://ruben.verborgh.org/facebook/
| KaiserPro wrote:
| > the existence of appropriate safeguards, which may
| include encryption or pseudonymisation.
|
| which is not the same as data must be encrypted at rest.
| iso1210 wrote:
| Facebook annual revenue is 86 billion. I'd be happy to see
| an end-fine anywhere over $1b
| pixelpoet wrote:
| Great, so we get the worst of both worlds: outrageously
| obnoxious opt-out games (which, if skipped, implies free
| rein) and non-compliance as a cost of doing business.
| Wonderful.
| Nextgrid wrote:
| The obnoxious opt-outs are actually in breach of the GDPR
| as well, but are allowed to proliferate due to the lack of
| enforcement.
| dan-robertson wrote:
| Obviously it is bad if your personal data is compromised after
| you (or someone else) upload it to an online service like Facebook.
|
| But in this case, it's important to remember that phone companies
| used to regularly leak most of their customers' phone numbers
| (and names) in the form of a telephone directory. So a question
| to consider is: suppose that the white pages were still commonly
| produced and contained most people's numbers. How would you then
| feel about something like this?
|
| Personally I feel like the problem with phone numbers being
| leaked is mostly the epidemic of spam calls (especially in the
| US) rather than some particular breach of privacy.
|
| Aside: I think it is good to consider these counterfactuals in
| general for questions about information privacy, for example how
| would you feel if everyone's tax returns were published publicly
| like they are in Sweden?
| joshspankit wrote:
| I agree, but also we've made it more complicated by using phone
| numbers as 2FA credentials.
|
| Now suddenly a "white pages of cell numbers" becomes a very
| convenient tool for getting in to people's accounts.
| ajross wrote:
| Only if you can hijack their number. Knowing a phone number
| seems like by far the easiest part of breaking SMS 2FA...
| eightysixfour wrote:
| The "new" risk with phone numbers is the overreliance on them
| for login and 2fa and the relative ease of taking one over. I
| use security keys but still have accounts I can't remove the
| phone 2fa from despite having two keys tied in.
| allworknoplay wrote:
| This is insane. Phone companies published numbers because it
| was generally considered helpful and the costs of unsolicited
| calling were relatively high. By the 70s delisting was an
| option, and by the late 90s it was very common (in the US). The
| internet made this a no-brainer, and to suggest that it's
| somehow ok just because it used to be (in a totally different
| world) is beyond ridiculous.
|
| We don't have the option here -- people provide their number to
| a service to be able to use it, and the numbers are then
| compromised, in breach of that contract and because of the
| service's failures.
|
| The two are not remotely alike, what the fuck are you even
| talking about.
| dudul wrote:
| As far as I can remember, the white pages don't include
| "biographical information". The kind of details used for
| idiotic "security questions" on websites too lazy to implement
| 2FA (your mom's maiden name, your first school, the name of
| your first pet, etc).
|
| As for public tax returns in Scandinavia, first of all it has
| guardrails - searches are recorded with _your_ information when
| you look up someone - and second, countries have different
| culture and history for a reason.
| groby_b wrote:
| Spam calls are likely not even affected by leaked numbers.
| Source of suspicion: My partner and I have phone numbers in
| close numeric vicinity, and deliberately use one for public
| purposes and the other one is not known outside of a very close
| circle of family.
|
| We still get spam on both numbers within short time frames - so
| I'd say it's likely spammers just auto-dial through.
| coldcode wrote:
| That's been going on for many years. Brute force calling
| costs nothing. I've always wondered if charging 5 cents per
| call would stop them cold, but I am sure no one wants to
| implement that now.
| [deleted]
| [deleted]
| varispeed wrote:
| You can't compare that at all! They leaked IDs and from that
| you can go to user profile and learn more about them. You
| cannot do that from a phone company leak.
| dan-robertson wrote:
| Phone companies didn't leak phone numbers in the conventional
| sense of the word. I used it to try to draw a comparison.
| Phone numbers used to be printed in big books and you could
| usually look someone's phone number up if you knew their name
| and rough location. That is, phone numbers were not
| considered to be particularly private information at all.
|
| I think the comments I most agree with talk about the
| different security threats people face today with current
| usage of phones.
| throwawinsider wrote:
| Russians are doing god's work hacking and leaking proprietary
| data
| 0x_rs wrote:
| Personally, I wish Facebook would finally get slammed with the
| long overdue consequences of questionable practices when it comes
| to data handling and transparency, let alone minuscule control
| users have over their own account and PII. This leak may have been
| preventable for a vast number of individuals. I suppose many are
| familiar with the old account "deletion" process that would --
| years later, too -- prove itself not to be a real removal, but a
| mere deactivation, waiting to return from their graveyard
| whenever pinged by the simplest of login attempts by bots or ill
| intentioned individuals. At this point in time, considering the
| sheer amount of, I believe, accounts stuck in a limbo, a dedicated
| fast track deletion process should be _enforced_ on Facebook. I
| have, in my little knowledge, not found any case of GDPR requests
| granting one's wishes to see old accounts (that did not accept
| their newer ToS and cannot be authenticated in any possible
| manner permitted currently, in which registration and connected
| e-mails are not) be permanently removed from their systems. My
| attempts, at least, have come short.
| gpm wrote:
| Is it possible to download this without giving money to
| criminals? (The article says free, but my 2 minutes of googling
| hasn't found it, somewhat unsurprisingly).
|
| Is doing so legal?
|
| If the answer to both of those questions are yes... I'd like to
| take a peek. Mostly to check whether or not some numbers I _know_
| haven't been directly given to fb are there.
| emayljames wrote:
| https://t.me/freedomf0x/12553 Is the download link in the
| channel. Has all files by country, zipped in .txt files.
| megous wrote:
| I'm also wondering if number I asked them to delete 5 years ago
| is in this 2019 leak. :)
| mhh__ wrote:
| Yes. Legal? no idea.
| bitcharmer wrote:
| These events are not a matter of if but when. And since the
| overwhelming majority of the people in my social circles has zero
| understanding of the real nature of the relationship between them
| - FB users and FB I just hope this will become increasingly
| frequent and painful experience for them. As in: I really hope
| this will get FB users in trouble as a result of identity theft
| etc.
|
| This may sound extremely cynical but at this point it's the only
| way for the non-technical folk to understand the implications of
| giving away your privacy so that you can share cat pictures with
| other people.
| asdfasgasdgasdg wrote:
| > people in my social circles ... I just hope this will become
| increasingly frequent and painful experience for them.
|
| Very strange to wish harm upon your friends with the hope that
| that will convince them to join your side in a political fight!
| I would suggest instead that you only wish that _if_ it becomes
| a painful experience, they would realize why and renegotiate
| their relationship with FB. Typically wishing pain on your
| friends is not a good stance.
| smolder wrote:
| It's a pretty minor harm and it's one somewhat like ripping a
| band-aid off. The pain will come sooner or later since we (at
| least in the US) aren't addressing the irresponsible data
| practices in industry. The sooner people detach themselves
| from the likes of FB, the better off they'll be when leaks
| happen.
| brettermeier wrote:
| true
| sidlls wrote:
| Not that strange. The whole "rock bottom" concept for addicts
| is similar, right? Sometimes you have to see a friend or
| family member truly experience real pain to get them to want
| to change. People are like that.
| nonbirithm wrote:
| The sad fact is that as much as I wanted to believe that
| positive reinforcement was "better" for me because it was
| supposedly "better" for people in general, in practice it's
| only ever been negative reinforcement that has enacted any
| change in my life. Trying to deny that fact for so long
| only accomplished setting my life back by several years.
| Even the simplest things like dental hygiene only became
| habits because I suffered catastrophic losses from
| neglecting them.
|
| I think it's because my imagination of the failing scenario
| will never compare to the experience of the failure itself.
| Whereas if there's no singular point at which the failure
| becomes obvious and decidedly life-changing, then...
| ve55 wrote:
| I think it would take more than this to be leaked, particularly
| if users had their 'private' messages on services leaked,
| _then_ they would start to realize it.
|
| I think most normal people acknowledge that so many companies
| know their phone number and name that they may be past caring.
| KMag wrote:
| It became necessary to destroy the town to save it?
| rikkipitt wrote:
| I've been getting a lot of automated/unsolicited calls recently.
| Begs the question if this might be the source of my woes.
|
| Is there a trustworthy phone number version of
| https://haveibeenpwned.com?
| fourier456 wrote:
| This also started a few weeks back for me, more unsolicited
| calls/texts.
| spicyramen wrote:
| Same here, I started receiving both calls and SMS, the latter of
| which I find more annoying. I do use Android and these ones
| haven't been detected as spam.
| rikkipitt wrote:
| I'm on iOS and don't think there's a way of blocking
| unsolicited calls until after the fact... I hope to be proven
| wrong though!
|
| The odd thing is, the calls often come through having a
| caller ID very similar to my own number.
| thechao wrote:
| The best I've found is to simply reject all calls not in my
| contacts. Real callers leave a voicemail, which gets
| transcribed.
| ajanuary wrote:
| Not natively, but there is an API that apps can use to do
| it for you. I use Mr. Number because it's literally the
| first one I found and it's worked good enough for me.
| coldcode wrote:
| Those are usually generated, they call numbers in area
| code/exchange randomly, assuming you will pick up something
| that seems familiar. Jokes on them, I moved to another
| state, easy for me to tell.
| JoshTko wrote:
| on iOS there is a lifesaving phone setting of sending
| unknown callers straight to voicemail.
| rikkipitt wrote:
| I toyed with that for a while but I kept missing
| important work calls. I might have a look for an app
| later, but I have a feeling it might not exist...
| ghaff wrote:
| Yeah. I tend not to pick up calls that are in the "Who
| would be calling me from Texas?" vein. But while it's
| annoying to have to look at my phone when it rings, I do
| get calls from locations that seem plausible and they
| usually are legit. I'm not really willing to make myself
| harder to reach for legitimate and even important reasons
| because of the occasional junk call.
| Nextgrid wrote:
| I wonder if you can get a VoIP number from a different
| country (where good regulation means spam is less
| prevalent) and use that for work calls?
| ronsor wrote:
| I'm almost 100% sure your employer wouldn't want to make
| an international call every time they wanted to contact
| you by phone.
| lanstin wrote:
| Work uses slack/teams/Webex. One person sends me Signal.
| No one has ever used telephony, except I use it to call
| the dial-in numbers because my phone audio is better than
| Bluetooth / virus agent laden laptop displaying ten
| videos of peoples homes thru vpn.
| OminousWeapons wrote:
| Not really an answer to your question, but one partial solution
| to the problem of having your number leaked or sold is to setup
| a service like Twilio to act like a phone proxy. You can have
| Twilio forward calls it receives on a different number ("spam
| number") to your actual phone number ("real number"). You
| provide spam number to anyone who isn't a business or personal
| contact. Every few months, you rotate spam number. If your spam
| number is leaked, you don't care because its only a transient
| number which isn't more permanently associated with you.
|
| You can also have more permanent proxy numbers for services or
| people that may need to get in touch with you long term.
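| Added example (not from this thread and not Twilio's own code): the
| proxy-number idea above, as a minimal Voice webhook. Twilio POSTs
| form-encoded "To"/"From" parameters for an incoming call and expects
| TwiML back; the handler answers with <Dial> for an active proxy number
| and <Reject/> once that number has been rotated out. All phone numbers
| below are constructed placeholders.

```python
# Added example: TwiML call forwarding for rotating proxy ("spam") numbers.
# Numbers are constructed placeholders, not real ones.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

REAL_NUMBER = "+15550100001"  # placeholder for the phone you actually answer

# Proxy numbers bought from the provider and their status. "active" numbers
# forward to REAL_NUMBER; "retired" ones were rotated out and just reject,
# so a leaked old proxy number is worthless to whoever bought the list.
PROXY_NUMBERS = {
    "+15550100100": "active",   # current throwaway given to non-contacts
    "+15550100099": "retired",  # last rotation's throwaway, now burned
    "+15550100200": "active",   # long-lived proxy for services that need you
}


def rotate(old: str, new: str) -> None:
    """Retire a proxy number and activate its replacement."""
    PROXY_NUMBERS[old] = "retired"
    PROXY_NUMBERS[new] = "active"


def twiml_for_call(to_number: str) -> str:
    """Build the TwiML response for a call that arrived on `to_number`."""
    response = ET.Element("Response")
    if PROXY_NUMBERS.get(to_number) == "active":
        # <Dial> bridges the caller to the real number; the caller only ever
        # sees the proxy number they dialled.
        dial = ET.SubElement(response, "Dial")
        dial.text = REAL_NUMBER
    else:
        # Unknown or retired proxy: <Reject/> hangs up without ringing anyone.
        ET.SubElement(response, "Reject")
    return ET.tostring(response, encoding="unicode")


class VoiceWebhook(BaseHTTPRequestHandler):
    """Answers the provider's incoming-call webhook with the TwiML above."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        body = twiml_for_call(form.get("To", [""])[0]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), VoiceWebhook).serve_forever()
```

| Point the proxy number's voice webhook at this server. In production the
| handler should also validate the X-Twilio-Signature header so that only
| the provider, not anyone who finds the URL, can drive it.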
| Phenomenit wrote:
| Is this available to people outside of the US as well and is
| there a guide for setting this up? Last time I used twilio
| for a basic sms gateway there was a lot of clicking and
| typing.
| OminousWeapons wrote:
| I think it is available for people outside the US.
|
| https://support.twilio.com/hc/en-
| us/articles/223179908-Setti...
|
| I would recommend using the Studio workflow which is GUI
| based and easy.
|
| https://support.twilio.com/hc/en-
| us/articles/115016033048-Fo...
| 29083011397778 wrote:
| I've been using voip.ms in Canada to great success. Even
| SMS codes from banks and Whatsapp work correctly. Excellent
| service, highly recommend, especially with voicemail auto-
| transcription (then sent to email) and SMS from desktop via
| email.
| procombo wrote:
| It's what I have done for years. Only costs $1/mo for the
| number and a couple hours learning their API.
|
| Your existing cell number can be ported over to Twilio if you
| are patient.
|
| The only problem is trying to use the number for 2fa. A
| growing number of banks (like Capital One) block Twilio
| services from receiving their SMS.
| criddell wrote:
| I've been getting a lot more recently as well and I figured it
| was due to the phone companies promising to get rid of caller
| id spoofing this year so scammers are working overtime until
| they can't anymore.
| zeta0134 wrote:
| Oh, is that a real thing that's happening? Caller ID spoofing
| is the main reason I hold onto my phone number from [small
| town] Texas, since only my immediate family ever calls me
| from there, so I somewhat reliably know anything else from
| that area code is a scammer.
| criddell wrote:
| I hope so. I believe it's this:
|
| https://en.wikipedia.org/wiki/STIR/SHAKEN
| tyingq wrote:
| _" Is there a trustworthy phone number version of
| https://haveibeenpwned.com?"_
|
| An "exact" google search excluding adjacent phone numbers seems
| to work well for my numbers, and culls a lot (not all) of the
| autogen pages. So if your number was 212-555-1239, search
| Google with these strings: "(212)555-1239"
| -1240 -1238 "212-555-1239" -1240 -1238
| rikkipitt wrote:
| Good idea, I'll give that a whirl later. Great tip to filter
| out those auto-generated list sites. Thanks.
| dreadlordbone wrote:
| you genius
| neogodless wrote:
| Dear god, fastpeoplesearch.com is a horribly obnoxious
| treasure trove of information.
| brodericjduncan wrote:
| so if I search my phone number, it brings me to my name and
| everything. But if I search my name it doesn't get my phone
| number right. Any ideas why it's like that?
| tyingq wrote:
| Tried it, you're right. Got 6 of my past addresses, 9 past
| phone numbers, 8 relatives, all correct. Some incorrect
| info, but not much as a percentage.
|
| If you reverse search the PO Box address listed on the site
| contact page, you'll find an Amateur Radio license listed
| to a person that is probably the owner of the site, based
| on his past experience.
| tyingq wrote:
| Also, searching for their Adsense publisher id reveals
| some other sites they own: peoplesearchnow.com,
| fastbackgroundcheck.com, smartbackgroundchecks.com
|
| Those sites have new and different PO Boxes in other
| cities, etc.
| JoshGlazebrook wrote:
| Interesting. The email they have for me is the one I use
| for all of my domain name contact info. I wonder how they
| connected that to my actual "profile" when I always have
| paid for domain privacy.
| randerson wrote:
| Just submitted a removal request for myself, a flow full of
| dark patterns (in fact the Remove button didn't even show
| up until I disabled my Pi-Hole). Remains to be seen whether
| all I did was make the data more valuable by confirming my
| email address. The page recommends signing up at
| BrandYourself to prevent various other data brokers from
| showing the same data. How is this not extortion?
| tyingq wrote:
| _" The page recommends signing up at BrandYourself"_
|
| Is it a link? BrandYourself has an affiliate program, so
| they are probably making money on referrals.
| tnolet wrote:
| European here. What are these bot calls exactly? Never had one
| as I guess it's forbidden where I live.
| henadzit wrote:
| Telemarketing or political campaigns. Check out the Robocall
| article on wiki. In Europe it depends on the country. In
| Poland I receive a few calls daily but they are people
| calling me, not bots. Never received a robocall here.
| timdaub wrote:
| intelx.io
|
| Can't say too much about trustworthiness though.
|
| U could also just download the set from e.g. raid forum to
| check for yourself.
| rikkipitt wrote:
| Might have to I think.
| rvz wrote:
| So when are we going to stop companies from accessing your
| address book and 'uploading it' as part of the sign up process?
| Or even using Facebook and its services in general.
|
| Well the biggest offender now has leaked the data of hundreds of
| millions of users who have attached their phone numbers and full
| names.
|
| Now let's see if the users REALLY care this time that when they
| signed up to Mark Zuckerberg's website, it wasn't a good idea to
| sign up with a phone number in order to 'stop bots'. They did not
| learn with the Cambridge Analytica scandal, are they finally
| going to learn?
| xupybd wrote:
| Any tools around to search this database? I'm keen to find out if
| I've had data leaked.
| villgax wrote:
| Can't have shit on the Internet
| FukHN wrote:
| Be careful HN will shadow ban you.. HN loves FB
| afinlayson wrote:
| Why can't we have a private/public key phone number ... that'd
| fix this problem... We gotta stop using integers to identify
| people.
| ve55 wrote:
| This could be the first large breach we've seen from FB like
| this. Most past breaches were of a much different and smaller
| nature (scraping or API access abuse), and seeing a _real_ leak
| like this could change the landscape for FB quite a bit, since
| historically companies like Facebook and Google have been very
| good with preventing them. I don't know a ton about FB's
| specifics, but there's a chance this data could be 'public' from
| people with the given privacy settings, if perhaps 25% of users
| have that turned on. If that is not the case though, then this
| would be the first serious breach from FB imo.
|
| Either way at this point I operate under the expectation that
| most information I input into a database may be leaked at some
| point. This is particularly rough for services that demand and
| track a lot of things, but it cannot be helped.
| retox wrote:
| Will the EU impose a fine per person? Maybe we'll see in 8 years
| time.
| one2three4 wrote:
| (Apologies if the link is in the comments already. I can't seem
| to locate it.) Where is the list?
| iso1210 wrote:
| Is Zuck's number there? How about Bezos? Biden? Putin?
| bellyfullofbac wrote:
| Last night I was browsing Facebook, and all of a sudden, it said
| there's been suspicious activity and I've been locked out of my
| account. To unlock it, I had to review the email address and
| phone number I associated with my account (in case the hijacker
| added their own contact info), but all it had were my info that I
| added in 2011 (before I knew what a piece of shit Zuck was). Then
| it asked me to change my super-complicated password because it
| said the password is no longer secure.
|
| So, can I assume this leak is related to this strange event?
| i_have_an_idea wrote:
| Highly unlikely to be related. It's not a password leak. It's
| also not really a leak, someone scraped some public profile
| info and then used the phone number lookup feature to match up
| the two.
| AlphaWeaver wrote:
| Has this breach made it onto HIBP yet?
| banana_giraffe wrote:
| Dunno, but if the US dataset is anything to go on, an import
| into HIBP won't catch much. Less than 1% of the entries have an
| email address.
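| Added example (not from this thread and not HIBP's own code): a
| HIBP-style range lookup for phone numbers. The client sends only the
| first five hex characters of SHA-1(number); the server returns every
| suffix in that bucket and the client finishes the match locally, so the
| service never learns the full number being checked. The breach set is
| constructed sample data.

```python
# Added example: k-anonymity ("range") lookup of a phone number against a
# breach index. Numbers below are constructed sample values.
import hashlib


def normalize(number: str) -> str:
    """Reduce any written form to '+' plus digits so that '+1 (212) 555-0100'
    and '12125550100' hash identically."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "+" + digits


def sha1_hex(number: str) -> str:
    """Uppercase hex SHA-1 of the normalized number (HIBP's range scheme)."""
    return hashlib.sha1(normalize(number).encode()).hexdigest().upper()


# --- server side -----------------------------------------------------------
class BreachIndex:
    """Holds breached numbers bucketed by the 5-hex-char hash prefix."""

    def __init__(self, breached_numbers):
        self.buckets = {}
        for n in breached_numbers:
            h = sha1_hex(n)
            self.buckets.setdefault(h[:5], set()).add(h[5:])

    def range_query(self, prefix: str):
        """Return every suffix under `prefix`. The server sees only the prefix,
        i.e. one of 16**5 buckets, never the number the client holds."""
        if len(prefix) != 5 or any(c not in "0123456789ABCDEFabcdef" for c in prefix):
            raise ValueError("prefix must be exactly 5 hex characters")
        return sorted(self.buckets.get(prefix.upper(), ()))


# --- client side -----------------------------------------------------------
def is_breached(index: BreachIndex, number: str) -> bool:
    """Ask for the bucket and compare the remaining 35 characters locally."""
    h = sha1_hex(number)
    return h[5:] in index.range_query(h[:5])


if __name__ == "__main__":
    idx = BreachIndex(["+1 212 555 0100", "+44 20 7946 0000"])  # constructed
    print(is_breached(idx, "12125550100"), is_breached(idx, "+1 212 555 0101"))
```

| The range query protects the individual lookup, not the dataset: a phone
| number has roughly ten digits of entropy, so anyone who obtains the full
| hash list can enumerate it. Serving the index from a party you already
| trust with the list, and rate-limiting bucket requests, are the
| mitigations this design needs.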
| antibland wrote:
| I'm curious about the pool of Facebook users who seldom use the
| product, retaining it solely for groups and to keep in touch with
| family. Will this event loosen that final brick and drive these
| users to delete their accounts?
| flas9sd wrote:
| "keep in touch with family" can be subsumed by chat apps. But
| for discussion groups and special interests, facebook is still
| the most accessible site to run (small) groups in, or am I
| mistaken?
| banana_giraffe wrote:
| Looking at the leak others have pointed to, there are a
| surprising number of people working in a particular imaginary
| company:
|
| sqlite> select company, count(*) as c from usa where length(company) > 0 group by company order by c desc limit 10;
| company                                   c
| ----------------------------------------  ----------
| Self-Employed                             459119
| Facebook                                  181013
| Retired                                   71210
| The Krusty Krab                           61550
| Hollister Co.                             42304
| U.S. Army                                 39682
| Stay-at-home parent                       33095
| Walmart                                   31600
| McDonald's                                30792
| Student                                   25326
| gbear605 wrote:
| I definitely know real people (especially highschoolers or
| college students) who put fictional jobs in their profile. Also
| common is using some fake name, like that of a fictional
| character.
| uyt wrote:
| Can you link me to where you found the data?
| banana_giraffe wrote:
| https://news.ycombinator.com/item?id=26682774
| b212 wrote:
| Could you please tell me how did you convert it to sqlite? I've
| got a huge 1 GB txt file that crashes my comp every time I try
| to search for myself there :( Thank you!
| banana_giraffe wrote:
| Super hacky python script I used to turn the text files into
| a sqlite database:
|
| https://pastebin.com/gBWhCVGz
| datavirtue wrote:
| Try Ultra Edit, free trial. It can read and search massive
| text files without crashing. Quite responsive on 10GB files.
| knolan wrote:
| Firstly don't do something like open it in notepad. 1GB text
| files are not exactly difficult to work with once you use a
| proper text editor or parsing tools.
| dunham wrote:
| What's the count of people who elected not to enter their
| company?
| banana_giraffe wrote:
| sqlite> select count(*) from usa where length(company) = 0;
| 22209703
| sqlite> select count(*) from usa;
| 32315270
| bredren wrote:
| May be test users. Iirc, the Flintstones were common test users.
| yalogin wrote:
| How is it a leak? There is no information how the data leaked. My
| bet would be that it's hoarded through FB api and passed around.
| Nothing new happened here is my guess
| Daviey wrote:
| Somewhat ironically, Mark Zuckerberg (and 2 other FB founders)
| are in the dataset - along with phone numbers.
|
| Hopefully this disaster will be the catalyst for better data
| privacy controls.
| nly wrote:
| What Facebook user id is Mark? Is it #1?
| Jan454 wrote:
| I really hope they now have to pay that 4% ransom due to
| violation of the GDPR .. for each stolen account of course ;-)
| russdpale wrote:
| I guess if you use facebook you just deserve all the shit you
| get. What sucks is that the rest of us have to live with it too.
| I suppose we shall just keeping waiting for that darn market to
| correct itself!
| I_am_tiberius wrote:
| Would like to know if non Facebook users are included because
| Facebook has non Facebook user's phone numbers due to the fact
| that Whatsapp uploads the entire phonebook to Whatsapp. That
| means Facebook is likely to know your phone number although you
| don't use Facebook or Whatsapp.
| dheera wrote:
| This is why I don't use my real phone number with apps and HATE
| apps using phone numbers as a proxy for a user id.
|
| Get a virtual phone number if any service requires a phone
| number from you. Don't submit to this nonsense.
| afinlayson wrote:
| It's not about the information you give, it's all those
| friends and family who signed up for it and uploaded their
| address book... They now have your phone number and email
| probably your date of birth, and even some photos of you.
|
| They are like the credit companies, they have information on
| you whether you allow them to or not.
| zerof1l wrote:
| I have WhatsApp and you can deny access to your phonebook.
| Everything works just fine
| tito wrote:
| You can't start a group chat, only individual chats.
| tito wrote:
| Without Contact access in iOS, WhatsApp blocks you from
| starting a group chat, but allows individual chats.
| unicornporn wrote:
| Last time I tried (a year ago or so) I couldn't add new
| people to chat to. They had to contact me first.
| IG_Semmelweiss wrote:
| How are you able to send whatsapps to people you don't have a
| prior conversation with ?
|
| I am in the same boat...and was working fine until I lost
| & replaced my old phone. All conversations were lost, and
| this makes it challenging to use whatsapp for any non-group
| conversations (since I can't start any).
| TrianguloY wrote:
| You can start a conversation with any WhatsApp number by
| opening the url wa.me/number. The number must include the
| country prefix.
|
| There are also some apps and webpages that help with this
| process (Disclaimer: I'm the author of one of them for
| Android [0])
|
| [0] https://play.google.com/store/apps/details?id=com.trian
| guloy...
| luckylion wrote:
| Others can still allow access to their phone book and the
| information stored in them about you will be transmitted and
| saved at Facebook, won't it? Is there a way to disable that?
| croes wrote:
| You need an account to ask FB to delete your data.
| rvz wrote:
| > Is there a way to disable that?
|
| No.
| godelski wrote:
| Exactly this. I recently started a twitter for my academic
| career. Didn't share my contacts or anything (I only follow
| academic twitter too). I get tons of suggestions of people
| I know and several have followed me. The information is
| from their contact list because twitter knows my number and
| connected us. There's a clear benefit to this, but there's
| also privacy concerns too. The lack of control over this is
| what is concerning.
| tpush wrote:
| Whatsapp doesn't share phone book data with Facebook.
| solarkraft wrote:
| Yet.
|
| And since it's a Facebook controlled company a leak like this
| happening again isn't that improbable.
| darig wrote:
| Facebook doesn't share phone book data with hackers either.
| spinny wrote:
| Just like Kelly Loeffler didn't share any info with her
| portfolio manager
| Nextgrid wrote:
| It _claims_ not to, which isn't a guarantee. After all, they
| also _claimed_ not to use phone numbers given to them for 2FA
| for anything else, and yet ended up using them for ad
| targeting.
| [deleted]
| superjan wrote:
| Hi, how do you know? It is of personal interest to me as I
| don't use FB but do use WhatsApp. It may also reduce the
| piling of downvoters.
| tpush wrote:
| Here's the source:
| https://www.spiegel.de/international/business/whatsapp-
| ceo-o...
|
| Quote:
|
| "Cathcart: It's true that we do have some information about
| how people use WhatsApp and that we do know, for example,
| the device ID. We collect this only to secure our services
| and protect from attacks. When you use WhatsApp and allow
| access to your phone book, we only see the phone numbers,
| not the name.
|
| DER SPIEGEL: Do you share these numbers with your parent
| company Facebook?
|
| Cathcart: No, we don't. The updated privacy policies will
| actually not change anything globally in our ability to
| share data with Facebook."
| Someone wrote:
| _"The updated privacy policies will actually not change
| anything globally in our ability to share data with
| Facebook."_
|
| I don't see how that "globally" can be true. If one
| compares the WhatsApp terms of service in the EEA
| (https://www.whatsapp.com/legal/updates/terms-of-service-
| eea/...) with those elsewhere
| (https://www.whatsapp.com/legal/updates/terms-of-
| service/?lan...), you'll see the latter adds:
|
| _Affiliated Companies. We are part of the Facebook
| Companies. As part of the Facebook Companies, WhatsApp
| receives information from, and shares information with,
| the Facebook Companies as described in WhatsApp's
| Privacy Policy, including to provide integrations which
| enable you to connect your WhatsApp experience with other
| Facebook Company Products; to ensure security, safety,
| and integrity across the Facebook Company Products; and
| to improve your ads and products experience across the
| Facebook Company Products. Learn more about the Facebook
| Companies and their terms and policies here._
|
| AFAIK, that addition was what caused the uproar earlier
| this year.
|
| (Also note the dark pattern in both terms of service that
| seed confusion as to which are the ones that apply to the
| EU. In the first sentence, _"If you live in the European
| Region, WhatsApp Ireland Limited provides the Services to
| you under this Terms of Service and Privacy Policy."_ ,
| 'this' doesn't refer to the text you're reading, but to
| the texts behind the hyperlinks)
| [deleted]
| [deleted]
| egwor wrote:
| That doesn't seem to be correct, although what does 'phone
| numbers' mean in this context?
|
| Quote: "WhatsApp, which was acquired by Facebook in 2014,
| does share some limited data with Facebook, including phone
| numbers. However, the firm has reassured users that messages
| will always be protected by end-to-end encryption, which
| means neither WhatsApp or Facebook can see these private
| conversations"
|
| Source: https://www.forbes.com/sites/carlypage/2021/01/15/wha
| tsapp-d...
| toxik wrote:
| As always, the spying agencies are NOT particularly
| interested in your actual messages, but your metadata.
|
| They want to know who talks to who. Limited data? What a
| bunch of horseshit.
| julianlam wrote:
| "Limited" is a weasel word, as it can mean anything. e.g.
| a "limited time offer" can mean it lasts for 2 days or 2
| years, because it is not unlimited.
|
| Likewise, sharing a limited amount of information with
| Facebook simply means they don't hoover up every single
| bit. Perhaps Facebook is not interested in those
| automated texts you get confirming haircut
| appointments...
| gbear605 wrote:
| On the other hand, if you just got a haircut, then they
| know that you'll be looking for another one in a set
| amount of time (based on your hairstyle, which they also
| know from photos), and they could advertise hairsalons to
| you then.
|
| I'm not sure their algorithm is this refined, but it's
| not impossible.
| dannyr wrote:
| That's what Facebook says.
|
| But Facebook has no history of lying right? /s
| 153791098c wrote:
| It goes so much further than this and it is absolutely
| frightening. The following sketched situation applies if you
| don't use Facebook at ALL.
|
| 99+% of every single person you meet has either FB, IG or WA
| installed on their phones and shares their phonebooks with them
| (assuming you live in [insert western country here]). There is
| also a very big chance at least some have your full name and
| address in their phonebook. Facebook not only knows who you
| are, but also who you are in contact with, when you meet new
| people and who they are. They also collect phone and text
| records with their apps so they also know the frequency that
| you have contact with them and they can even read the content
| of text messages (most people give these permissions to the apps
| because it will automatically verify the associated phone
| number). Add all the location data, ssid/mac address collection
| and countless of other datapoints to it and they can draw out
| your entire life even when you don't use anything from
| facebook. There is no escape.
| djhn wrote:
| As a counterpoint I can think of dozens of personal
| acquaintances who are happily non-users and never interact
| with Facebook properties (retirees not into tech, busy
| executives, too cool for Facebook hipsters). If your country
| or social circle doesn't use WhatsApp, Facebook itself is
| already dying and Instagram is getting their lunch eaten by
| Tiktok.
| lostlogin wrote:
| I don't use Facebook or their other apps (eg WhatsApp).
| Facebook has my email address as I used to get regular invites
| to sign up. Facebook also knows what I look like from friends
| tagging me in pictures, and seems to know my date of birth as
| people tell me that they were notified by Facebook. So even if
| you have avoided all their stuff, you aren't immune.
| gwid0n wrote:
| Anecdata: I've never provided my phone number to FB, I provided
| it to Messenger App and Whatsapp, it's not on in the file for
| my country.
| wrycoder wrote:
| https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
| hourislate wrote:
| It's sick that they are allowed to get away with this. It's
| basically a botnet stealing information.
| matheusmoreira wrote:
| The difference between malware and "legitimate" software is
| whether there's a "legitimate" company behind it and whether
| that company has a "legitimate" interest in the information.
| Sad but that's how it is. Just like how governments give
| themselves the right to crack computer security and surveil
| everyone but throw citizens in jail if they do the same
| thing.
| macintux wrote:
| Every time someone argues that people can avoid the privacy
| problems of Facebook by simply not using it, I point out this
| issue (plus the shadow accounts).
| Guest42 wrote:
| I recently purchased a phone that had the Facebook app
| preinstalled. If I had to guess, the mere act of connecting
| to WiFi caused a whole slew of info to get sent.
| reddotX wrote:
| FFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUU
| drewmol wrote:
| Obligatory mention: mbasic.facebook.com it's like a clean
| needle exchange for Facebook.
| Guest42 wrote:
| That's nice. I deleted my fb but sometimes groups will
| require it for events and discussion boards.
| lostlogin wrote:
| There was a dark phase when it looked as if the only way
| to sign up for various services was going to be Facebook.
| If memory serves, there was a time when Spotify sign up
| required Facebook.
| macintux wrote:
| I would think not, but my cluefulness regarding Android
| security/privacy is effectively nil.
| Guest42 wrote:
| I didn't check what permissions it was given by default
| but hopefully not too many and with those not much
| spying. It would be nice to have a clear map of what data
| can be obtained with what permissions.
| timhigins wrote:
| Actually Android devices (especially older ones) are
| known for in many cases sending extensive data to the
| manufacturer on network connect. See for example:
| https://www.nytimes.com/2016/11/16/us/politics/china-
| phones-..., https://balagetech.com/android-app-phones-
| home-china/
| 533_bot wrote:
| How to buy the leaked data? Please share telegram bot link or
| raid website link
| cpv wrote:
| Tried to lookup some info, but it's not there. Maybe it's from
| some web scrapper which collected public info, or other means
| (some ambiguous mobile app which had access to contacts?). Or the
| leaked files are incomplete.
| uniqueid wrote:
| We should start thinking of these breaches in terms of their
| _accumulated_ impact. It's not the 1990s anymore, where data is
| difficult to store and networking too slow to move it.
|
| We should assume the leaked data doesn't go away; that instead
| people out there are consolidating Equifax data with Vastaamo
| data, adding data from Exchange hacks and the Accellion hack, to
| cross-reference with data from Facebook... it's like water
| flooding a levee now, instead of evaporating.
|
| Not the first time I've harped here about this (ie:
| https://news.ycombinator.com/item?id=26604753,
| https://news.ycombinator.com/item?id=24586258), but I hope we
| start planning for that kind of future.
| uyt wrote:
| Honestly sounds like a fun job for future historians. By
| aggregating all the leaks over a long period, how much of a
| person can you reconstruct?
|
| For example even though I am using a throwaway account, HN's
| logs might one day get compromised. So now they can join the IP
| address to other compromised sites that I was logged into using
| my usual email. And from my email they already have my name,
| SSN, address, phone number, usernames, passwords, etc, exposed
| from prior breaches. But now they know about my shitposts too.
| varispeed wrote:
| At this point Facebook should be closed down immediately, only
| leaving an option to download your own personal data. I think
| they shouldn't be able to reopen until the whole thing is
| regulated, severe fine applied and damages to all affected users
| paid.
| nly wrote:
| Found myself in the data set, but didn't find several people I
| expected to find. Seems to be only those who added their mobile
| number (I did so for account recovery purposes only).
| zlib wrote:
| So, how do I see if my data is in this?
| anonymousiam wrote:
| The root of the problem is not the privacy policy or the system
| security. The root of the problem is the collection itself. All
| large businesses, health care providers, and governments maintain
| databases. Every one of them will eventually be leaked. All it
| takes is a corruptible trusted insider.
| TheRealDunkirk wrote:
| > Every one of them will eventually be leaked.
|
| Equifax has more at stake than most. And they've been hacked.
| Repeatedly. The government has been hacked. Yahoo was
| COMPLETELY owned. I mean, if someone would put together a list,
| it would make for shocking reading. It's become so common, that
| we go, "Oh no! Anyway."
| xtracto wrote:
| This.
|
| I don't trust in the government, but I think digital "personal
| data" should be only available for "confirmation" to companies
| that need it. Say, a government entity could have an API that
| allows you to send _hashed_ personal data that they can verify
| is right. This way companies will ask the user for their data
| and hash it client-side. Then they can send the hashes (hashed
| with a custom provided salt) to the entity (government, maybe
| private) who will basically reply with a True or False on the
| verification of the different data.
|
| It may even be an interesting use case for a public blockchain,
| where your personal data is stored in a Merkle Tree type of
| data structure, so that one can verify that certain personal
| data of a person is true, without disclosing the data.
| tomComb wrote:
| Google has a huge number of activist (and surely some
| corruptible) employees, and yet the incidents of users' data
| getting out are very close to zero.
|
| I think this demonstrates that user data can be managed safely
| and effectively.
|
| Usually the incident reports on user data leaks show that the
| company seemed to barely be trying - We need laws that force
| them (even small companies) to put serious effort into it.
| varispeed wrote:
| You don't know that. While the publicly available data leaks
| are indeed rare, you cannot know if they don't use the data
| for trading or other purposes for their personal gain without
| disclosing it to the public.
| tomComb wrote:
| There are infinite things we can't know - opening the
| discussion up to that really makes anything possible, but
| the discussion wasn't even about what they might do with
| the data beyond leaking or selling it.
| Judgmentality wrote:
| Sure, but if you have no evidence of it happening you have
| a fairly weak argument.
| HenryKissinger wrote:
| > Every one of them will eventually be leaked.
|
| [X] Doubt
| HighlandSpring wrote:
| On a long enough timeline everything and everyone can be
| compromised (or the institution fails before then)
| hobs wrote:
| Exactly - either the data is basically not valuable at all
| (the category for which PII rarely fits) or else when the
| company collapses or is bought, the data moves too.
|
| There's always an incentive to steal or leak it to other
| companies for money; so as long as the incentives are
| aligned with GATHER ALL DATA and KEEP IT FOREVER then yes,
| it will just be a matter of a time before each data store
| is compromised by mistake or purposefully.
| allworknoplay wrote:
| Why on earth did you pick this username
| BobbyJo wrote:
| I doubt the claim, but the sentiment I think is valid. If you
| think about what data these entities are holding, it's not
| unique to a single database or entity. Your
| name/address/phone/ssn/etc. is likely stored in so many
| places that the probability it gets leaked from at least one
| eventually I'd say is very nearly, if not 100%.
| sachdevap wrote:
| Can someone please guide me on how to check this leak to verify
| if my info was leaked?
| throwawaybchr wrote:
| Is Mark Zuckerberg's number one of them?
| idlewords wrote:
| Should make it easier to jump-start a competitor!
| xyst wrote:
| I removed my phone number from Facebook when it was reported that
| Facebook used this as some sort of tracking mechanism across
| third party vendors - specifically with purchases from merchants
| - in order to serve more "relevant ads". From what I recall, if
| the merchant is somehow hooked up into FB APIs then regardless of
| whether you signed up for their rewards program using an e-mail +
| password or via FB SSO, then they would send back "anonymized"
| data back to FB for each purchase(s).
|
| I wonder if my phone number still persists (aka "soft delete")
| bartread wrote:
| When did you remove your phone number? Looks like this relates
| to a vulnerability that was patched in 2019.
|
| I'm slightly concerned about this myself. I'm also seriously
| ticked off with Zuckerberg and co. I can tolerate the fact that
| internally they do scumbaggy things with my data. I tend to
| have less forbearance when they let my data out into the wild.
| londons_explore wrote:
| Looks like this is the "To match users to their friends by phone
| number, you need an API which can take as input a phone number,
| and return information about if that number has an associated
| account" problem.
|
| There is no way to let a user find their friends on a service
| without such an API. Yet if you have such an API, someone can
| simply brute force all phone numbers worldwide (there are only
| 10^10), and now they have a database of all users...
|
| Rate limits can help defend, but considering many users might
| have 1000 phone numbers in their address book, you can't set the
| rate limit very low without impacting user experience. Attackers
| can reduce the search space dramatically by only checking phone
| numbers that resolve to an active line (using VoIP stuff to test
| a number).
|
| The only real solution is for your app not to have a "Here is a
| list of your friends already in the app" screen... But as you can
| imagine that means you won't get any user growth or VC funding...
| Scoundreller wrote:
| And now you know how those cell phone farming programs were
| able to pay people a couple bucks a month to run crap on arrays
| of dozens of phones.
| amluto wrote:
| This is the same fallacy that leads to apps asking for
| permission to access your whole picture library.
|
| Facebook could have an API by which an app can prompt its user
| to show a list of all of that user's friends who have the app
| installed. The app would only learn the identities of people
| whom the user explicitly selects, and phone numbers would not
| be part of that identity.
| progval wrote:
| It works for photos because the threat model is about
| protecting local files against malicious apps.
|
| But for phone numbers, you are talking about protecting Facebook's API
| (which is publicly available via the internet) against
| arbitrary devices, which Facebook has no way to tell from
| legitimate ones
| amluto wrote:
| What I mean is: Facebook should remove that API entirely.
| Apps do _not_ need a way to look up a phone number in
| Facebook's database. The "find my friends using this app"
| feature does not require this capability.
| progval wrote:
| What you are proposing is that third-party apps should
| ask Facebook's app to find the friends, right?
|
| But Facebook's app needs to access Facebook's database
| somehow; and anyone can impersonate Facebook's app and
| query that database too.
| varispeed wrote:
| I think it should be illegal for apps to help find
| friends. If you genuinely meet someone offline, then they
| could generate you a token that then you could enter on
| the site to "connect".
| noxer wrote:
| Telegram had this issue too and they made a setting "who can
| find me by my number" you set it to "my contacts" so only
| mutual contacts can find each other.
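Added example (not Facebook's, Telegram's or any commenter's code): a contact-discovery lookup that keeps the "find friends by phone number" feature londons_explore describes while bounding what a caller can learn from it, by combining a per-caller lookup budget with the per-user "who can find me by my number" setting noxer mentions. All users, numbers and budget values are constructed.

```python
# Added illustration of a guarded contact-discovery endpoint; not code from
# Facebook, Telegram or any commenter.  Users, numbers and budgets are
# constructed for the demo.
from dataclasses import dataclass, field
from enum import Enum


class Discoverable(Enum):
    EVERYONE = "everyone"        # any caller who knows my number finds me
    CONTACTS = "my contacts"     # only callers whose number I have uploaded
    NOBODY = "nobody"            # never matchable by phone number


@dataclass
class User:
    user_id: str
    phone: str                                   # E.164, e.g. "+14155550100"
    discoverable: Discoverable
    contacts: set = field(default_factory=set)   # numbers this user uploaded


class ContactDiscovery:
    """Server side of the lookup: accepts a caller's address book and
    returns only the account ids of users the caller may discover."""

    def __init__(self, users, lookup_budget):
        self.by_phone = {u.phone: u for u in users}
        self.by_id = {u.user_id: u for u in users}
        self.lookup_budget = lookup_budget   # numbers per caller per window
        self.spent = {}                      # caller id -> numbers used so far

    def match(self, caller_id, numbers):
        caller = self.by_id[caller_id]
        numbers = sorted(set(numbers))       # duplicates buy no extra lookups
        used = self.spent.get(caller_id, 0)
        if used + len(numbers) > self.lookup_budget:
            # Refuse the whole batch rather than answer part of it, so a
            # caller cannot creep past the budget one number at a time.
            raise PermissionError("lookup budget exceeded for %s" % caller_id)
        self.spent[caller_id] = used + len(numbers)
        found = []
        for number in numbers:
            target = self.by_phone.get(number)
            if target is None or target.user_id == caller_id:
                continue
            if target.discoverable is Discoverable.NOBODY:
                continue
            if (target.discoverable is Discoverable.CONTACTS
                    and caller.phone not in target.contacts):
                continue
            # The response carries account ids only, never phone numbers,
            # and an undiscoverable user looks the same as an unassigned
            # number, so a miss leaks nothing about account existence.
            found.append(target.user_id)
        return found


def build_demo_directory():
    """Constructed directory of four accounts with different settings."""
    alice = User("alice", "+14155550100", Discoverable.EVERYONE)
    bob = User("bob", "+14155550101", Discoverable.CONTACTS, {"+14155550100"})
    carol = User("carol", "+14155550102", Discoverable.NOBODY)
    dan = User("dan", "+14155550103", Discoverable.CONTACTS)
    return ContactDiscovery([alice, bob, carol, dan], lookup_budget=6)


def demo():
    svc = build_demo_directory()
    # Alice uploads four numbers: bob (has her number), carol (nobody),
    # dan (contacts-only, never uploaded Alice's number) and an unassigned
    # number.  Only bob comes back.
    first = svc.match("alice", ["+14155550101", "+14155550102",
                                "+14155550103", "+14155550199"])
    # Dan looks up bob and alice: bob does not have Dan's number, alice is
    # discoverable by everyone, so only alice comes back.
    second = svc.match("dan", ["+14155550101", "+14155550100"])
    # Alice's next batch would push her to 7 of 6 lookups and is refused whole.
    try:
        svc.match("alice", ["+14155550104", "+14155550105", "+14155550106"])
        refused = False
    except PermissionError:
        refused = True
    return first, second, refused


if __name__ == "__main__":
    print(demo())
```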
| Someone wrote:
| I think there are way more than 10^10 phone numbers in the
| world. I think there are 10^10 combinations in the USA alone
| (filtering by unused area code, etc will decrease that number,
| but even then
| https://www.ck12.org/c/probability/permutation/rwa/Wrong-Num...
| says almost 8×10^9 remain)
|
| Also, at least some countries have longer phone numbers
| (Germany, the UK and China have 11-digit ones, for example),
| and the international public telecommunication numbering plan
| says plan-conforming numbers are limited to a maximum of 15
| digits, excluding the international call prefix
| (https://en.wikipedia.org/wiki/E.164), so the search space,
| potentially, is a lot larger.
| gregmac wrote:
| Are there immediate actions people should be taking at this
| point?
|
| A lot of password reset flows work via username + SMS using
| "we've sent a code to your phone number (xxx) xxx-xx12". This
| database unmasks that phone number, so my assumption is this
| makes sms hijacking more viable, but perhaps someone more
| knowledgeable can weigh in.
|
| Does Facebook allow password resets like this, and can that be
| disabled?
| diogenescynic wrote:
| I hope the class action bankrupts Facebook, but I know it won't.
| rpastuszak wrote:
| I don't have FB or WhatsApp but my Insta account (using a
| separate email address and no personal details) keeps
| recommending my therapist to me. How are we still ok with this
| shit?
|
| The sooner we get rid of the cancer that FB is, the better. I
| didn't share my contact book with FB apps either. It was probably
| her--a person in her 70s, not necessarily experienced with tech.
|
| The main reason this company exists, or that ad tech can maintain
| a facade of not being a mainly bullshit industry with made up
| metrics, is the lack of informed consent.
|
| It's almost funny how we accept the current situation as normal.
| Because, I think that we'll look back at these times with
| disbelief at how reckless we were and how cheap we'd sell ourselves.
| vmception wrote:
| There should be informed consent and there should also be
| revokable consent
|
| There should also be transparency of who has the consent right
| (data licensee and sublicensee)
|
| And there should be a way to make easy consequences for people
| not having it
|
| Release forms and licenses are used this way, data should
| inherit that. (Both systems should be better)
| dlandis wrote:
| > The main reason this company exists, or that ad tech can
| maintain a facade of not being a mainly bullshit industry with
| made up metrics, is the lack of informed consent.
|
| Exactly, the industry is built on a foundation of obfuscating
| the myriad ways in which they are using people's personal data.
| Uninformed consent is the cornerstone of their business model.
| yoaviram wrote:
| Suggest you send Facebook a CCPA or GDPR data deletion request
| (even if you don't live in California or the EU) for your real
| identity.
|
| Cases like yours are why we created
| https://yourdigitalrights.org/d/facebook.com, which makes it
| dead simple to send such requests. Free & open source.
| rpastuszak wrote:
| Thanks, I'll check it out. I've used similar tools in the
| past but this one looks more comprehensive.
| Nextgrid wrote:
| Note that Facebook happily ignores Subject Access Requests
| with complete impunity: https://ruben.verborgh.org/facebook/
| throw14082020 wrote:
| Yes, I submitted GDPR (Article 17) right to erasure
| requests, and I got utter garbage (please use the UI)
|
| Facebook:
|
| > Thank you for contacting Facebook. We have reviewed your
| report and it appears you would like to delete your
| Facebook account.
|
| >
|
| > Please note, for security reasons, we are unable to
| delete accounts on behalf of users so you will need to log
| into your account and delete it yourself. We have put in
| place a very quick and easy process for people to schedule
| the permanent deletion of their Facebook account.
|
| >
|
| > Before permanently deleting your account, you may want to
| log in and download a copy of your information from
| Facebook. Once your account has been deleted, it cannot be
| recovered.
|
| However, after back and forth with them for a few weeks, I
| got this:
|
| Hi,
|
| Thank you for contacting Facebook. Based on the information
| you've provided, it looks like you're trying to request the
| erasure of certain personal data under Article 17 of the
| General Data Protection Regulation (GDPR).
|
| If you wish to ask for personal data relating to you to be
| erased in accordance with the GDPR, please use the
| following form:
| https://www.facebook.com/help/contact/259518714718624?ref=cr
|
| Additionally, as per your request, your account has been
| scheduled to be deleted.
|
| Please keep in mind that you have up to 30 days to cancel
| the deletion. Once your account has been processed for
| deletion, it may take up to 90 days for all of your
| information to be permanently deleted.
|
| For more details, please visit the Help Center article
| below:
|
| https://www.facebook.com/help/224562897555674
|
| We store data until it is no longer necessary to provide
| our services and Facebook Products, or until your account
| is deleted, whichever comes first. This is a case-by-case
| determination that depends on things like the nature of the
| data, why it is collected and processed, and relevant legal
| or operational retention needs. For example, when you
| search for something on Facebook, you can access and delete
| that query from within your search history at any time, but
| the log of that search is deleted after 6 months. If you
| submit a copy of your government-issued ID for account
| verification purposes, we delete that copy 30 days after
| submission.
|
| Learn more about deletion of content you have shared
| (https://www.facebook.com/help/356107851084108?ref=cr) and
| cookie data obtained through social plugins
| (https://www.facebook.com/help/206635839404055?ref=cr).
|
| When you delete your account, we delete things you have
| posted, such as your photos and status updates, and you
| won't be able to recover that information later.
| Information that others have shared about you isn't part of
| your account and won't be deleted.
|
| If you have another question or concern, please visit
| Privacy Basics
| (https://www.facebook.com/about/basics?ref=cr) or our Help
| Center (https://www.facebook.com/help?ref=cr) for
| additional information. If you have more questions about our
| Data Policy (https://www.facebook.com/policy.php?ref=cr),
| please reply to this message.
|
| Thanks, Privacy Operations
| yoaviram wrote:
| Nice (and detailed) blog post. In such a case there is a
| clear escalation path (in the EU). Either email your DPA
| (Data Protection Agency) or take legal action. Here are the
| emails addresses of the various DPAs:
| https://edpb.europa.eu/about-edpb/board/members_en
|
| We are working on automating the escalation to the DPA part
| as well.
| codethief wrote:
| > my Insta account (using a separate email address and no
| personal details) keeps recommending my therapist to me
|
| What about your phone number? Does your therapist have it?
| Maybe your therapist granted Instagram/Facebook access to her
| contacts?
|
| Or maybe you yourself granted Instagram access and your
| therapist is in your phone's contact list?
| rpastuszak wrote:
| Yup, I don't share my contacts with FB or insta, but I think
| that she did. I don't blame her, she's not a very "technical"
| person and the UX is not meant to help her make a conscious
| choice.
| thatcat wrote:
| There are many other ways this could happen, did you google
| her address on your phone browser or something like that?
| IG always seems to give recommendations based on what I've
| watched on youtube recently or looked up somehow.
| rpastuszak wrote:
| I'm using DDG and a browser with 3p cookie blocking so
| this is less likely, but something might've slipped
| through cracks.
| disgruntledphd2 wrote:
| Honestly, it's almost certainly either her uploading her
| contacts, or location. I know that I normally get FB
| friend suggestions for people I've been at parties with.
| sn_master wrote:
| I had the same problem but figured it out at last. The
| Instagram recommendations are based on who is on your phone
| contacts. Anytime I add a new contact number, they show up on
| my Instagram recommendations even if we never interacted in
| any way, not even by the phone.
| DSingularity wrote:
| The reason we are here is because the one subset of the
| population which can do something about it has sold out. Is it
| the congressmen? No, it is us. Also the professors that taught
| us and the departments that accredited us. Either we did
| nothing to fight back or we are ourselves complicit and helped
| them build this world we live in.
| rpastuszak wrote:
| I see what you mean but I think it's a bit more complicated
| than that. It's hard to make the right choice when most of
| the information you receive comes from the entities in whose
| interest is you _not_ making the right choice (e.g. Google,
| FB).
|
| An average HN reader is in a very comfortable situation
| compared to the remaining 99.9% of the population, who might
| not have time to think about this.
|
| Unless, and I might've misunderstood you, by "us" you mean
| the people who work on those platforms, and have the time and
| resources to think about these matters, in which case I'd say
| that I agree with your statement. What's worse is how much
| brain power we're wasting on solving problems that shouldn't
| exist in the first place.
|
| "The best minds of my generation are thinking about how to
| make people click ads"
| DSingularity wrote:
| Yeah but that doesn't vindicate them. If professors
| boycotted these institutions it would have made a
| difference. Still might.
| Moeancurly wrote:
| What's being sold as convenience is really just creepy spying
| xyzzy21 wrote:
| I'm not happy with ANY of it which is why I have no social
| media accounts and I've been seriously considering a "dumb
| phone" to replace my smart phone. I simply don't use most of
| the features and it's a security/surveillance threat anyway.
| anonymouse008 wrote:
| You do know how this happened right? Wifi SSIDs with similar
| strengths reveal if people are in the same area, then just
| correlate timestamps and viola!
|
| I wouldn't throw the elder person under the bus on this one,
| the tactics are sophisticated, and honestly, just a precursor
| to what will happen with AR.
|
| To give a bit more of how it's implemented (at least how I
| would propose it in iOS), Insta/FB/Whats queries available wifi
| SSIDs as a background process (or whatever they have for
| notifications/networking etc), and does the same to your
| therapist since you both have insta / fb / whats ... and based
| on the signal strength, can say with confidence you two were in
| the same room because XYZ Wifi strength is -Xdb just like yours
| (walls are strong signal augmenters), and you are both there
| for some time based on the background thread timestamp.
| rpastuszak wrote:
| haha, that's a good point, but in this case I think it's more
| trivial than that: she probably shared her contact book with
| FB or Insta (still, not her fault imho).
|
| But, at the same time I've worked with FB SDK which was just
| one big shit show. It's hard even to describe it without
| turning a comment into an essay, so I'll pick the two I found
| somewhat amusing: sending data to FB before the developer
| could pass user consent (or thereof), sending hashes of the
| (non-FB) libraries installed on your phone to FB servers.
|
| Minor tangent: The best thing about the web is that user
| agents are still pretty good at fighting some of the tracking
| practices (ETP/ITP, cross origin security, etc...). It's
| actually quite impressive. Then, native is just one big black
| hole. This is why the current browser changes, although
| positive overall (less $$ from 3p tracking), are a double
| edged sword (pushing people towards walled gardens).
| krrrh wrote:
| It's almost certainly just the phone number. Recently
| Instagram told me that a former business partner of mine
| had joined and I was surprised to learn that his account
| was a hair braiding service in Atlanta for women with
| African lineage (we're both Canadian men with European
| ancestors). We figured out that years ago we had taken a
| business trip there and picked up temporary SIM cards back
| when Canadian cell phone plans charged injurious roaming
| fees. I still had that phone number in my contacts for him
| when I joined Instagram, and it had finally been recycled
| and used to create an account.
|
| It's a cool thought experiment for nerds and paranoiacs to
| imagine how you might use relative wi-fi strengths,
| bluetooth beacons and complex interaction patterns, but
| it's less sophisticated than that.
| rpastuszak wrote:
| Yeah, my first thought reading the parent comment was two
| words: "Occam's razor". But, I still find it amusing that
| companies like FB want to project the image of "informed
| consent" whereas we have a bunch of developers here
| trying to figure out what the hell happened and coming up
| with plausible solutions.
|
| What's interesting though (and I know that from my
| professional experience in ad tech) is that the
| "cookiegeddon" did push companies towards non-
| deterministic, more fuzzy ways of cross-device targeting
| (and we're talking about people who already think that
| fingerprinting is ethical).
|
| The upside is that metrics are mostly bullshit anyway.
| smhost wrote:
| > It's almost certainly this one thing, and not the other
| thing.
|
| No, they dragnet every possible identifier and dump
| everything into a pattern recognizer.
| anonymouse008 wrote:
| > It's a cool thought experiment for nerds and paranoiacs
| to imagine how you might use relative wi-fi strengths
|
| I'm honored to be called a nerd on HN... I'll ignore the
| latter ;)
|
| Though while I agree the phone number is _absolutely_
| used, I don't think it's the _only_. Trying to get out
| ahead of the public's changing privacy tastes is a must
| for any advertiser that collects social-graph-like data.
| So strategically, if FB is not doing this, I would pull
| any FB investments because they aren't trying to do their
| job.
| clort wrote:
| is it even legal for a _therapist_ to share their clients
| contact details with a third party?
|
| certainly I would expect that a person who works as a
| therapist would be aware that the concept of client
| confidentiality exists and that they should not share their
| clients details
| Nextgrid wrote:
| It's not like Facebook is being transparent with what
| data they collect and how it's going to be used.
| Furthermore they don't understand the concept of "no" and
| will keep asking, hoping to catch you off-guard as you
| press the wrong button and give them access.
| hanspeter wrote:
| Not sure why you're suggesting shenanigans like wifi SSID
| tricks (and others jumping the bandwagon), when the actual
| thing that happened here is obvious:
|
| GP visited their therapist's website, the website had FB/IG
| advertising tracker installed, the therapist had a campaign
| running that targeted all visitors from their site.
| anonymouse008 wrote:
| I appreciate that idea, however, I've been testing my own
| 'friend suggestions' and keep a strong track of my
| antics... also, it's become a hobby of mine to debunk each
| time someone says 'they're listening to my microphone!!!'
|
| Most of the time the 'listening to me' conversations are
| based on origin IP to insta/fb/whatsapp servers. One person
| talks about idea X, another person looks it up (either in
| the room or later at home by themselves), and now everyone
| who was at that IP together will get ads for X.
|
| What's more, Google maps uses Wifi SSIDs to get better
| location data when GPS gets a bit spotty... so, I'd venture
| to say it's a small step to associate accounts and make
| friends.
| KaiserPro wrote:
| > You do know how this happened right? Wifi SSIDs with
| similar strengths reveal if people are in the same area, then
| just correlate timestamps and viola!
|
| I mean yeah, they _could_ do that, but that's a pain in the
| arse to do. It's far easier to do it on contact lists,
| interests and implied location from business page follows.
|
| I don't think iOS allows you to track SSIDs, which explains
| the lack of wifi scanning utilities in the app store.
| MR4D wrote:
| WiFi SSIDs have one very nice attribute - they tend not to
| move around much.
|
| So every time you see a Google maps car ( or a Nuro car or
| a ...), your SSID is getting geomapped.
|
| Now, your IP, SSID, geolocation, and who knows what else is
| now sitting in a lookup table somewhere.
|
| So if they get all the other stuff that you just mentioned,
| they now know more about you than you do!
| [deleted]
| rhizome wrote:
| > _You do know how this happened right? Wifi SSIDs with
| similar strengths reveal if people are in the same area, then
| just correlate timestamps and viola!_
|
| The problem is that someone decided to correlate them, not to
| mention _without asking._
| scalableUnicon wrote:
| It is possible to opt-out of Google's Wi-Fi network
| location mapping by appending "_nomap" to SSID[1], I'm not
| sure if it works with other providers. Although I think
| this should have been opt-in instead of opt-out, the least
| we deserve is a standard, guaranteed way to universally
| opt-out.
|
| [1] https://www.tomshardware.com/news/Google-Maps-Wi-Fi-
| Location...
| sildur wrote:
| Why is it always us who have to do the work to avoid being
| harassed by google? If I don't want to have my site
| harvested for snippets I have to add a no-snippet tag. If
| I don't want my WiFi data harvested I have to append an
| ugly nomap to my SSID. What about being it opt-in, as you
| said? I'm tired of doing Google's dirty work...
|
| By the way, quoting from the article:
|
| > "Specifically, this approach helps protect against
| others opting out your access point without your
| permission."
|
| Oh, thank you for your kindness, Google. Yes, the idea of
| another person denying me the joy of having my WiFi data
| harvested by you is terrifying. Thanks, Google. You
| really know how to be helpful...
| Schnitz wrote:
| Especially because Google mapping your WiFi comes with
| real downsides for you. Two years ago a random stranger
| rung my doorbell and told me their Android phone got
| stolen and according to Find My Device, the device was
| inside my house and even showed it to me live. I told
| them to wait on the street and checked the roof and yard,
| but didn't find the device. I simply told them I can't
| help further and they luckily took it well, thanked me
| and left. Imagine how easily such a situation can get
| ugly though. A day or so later I realized that my Wifi
| router happens to be at an oddly open corner of my house,
| facing the backyard, and visible for much further than
| you'd expect since there are also no other structures for
| quite a distance. I bet his phone was somewhere there but
| saw my WiFi and so it erroneously located itself in my
| house. Thanks Google!
| nunez wrote:
| That's ridiculous, IMO. This is also confirmed by
| Google's support document on this feature: https://suppor
| t.google.com/maps/answer/1725632?hl=en#zippy=%...
|
| Changing one's SSID after the fact can be extremely
| annoying depending on the number of devices that need to
| be updated.
|
| There has to be a better way.
| Nextgrid wrote:
| This isn't relevant - we're not talking about building a
| map of SSID to location, we're talking about using SSIDs
| to infer relationships between people; the SSIDs don't
| even have to be in any kind of location DB for that, what
| allowed Facebook to infer this relationship is that both
| the author's and their therapist's device regularly saw
| the same SSIDs.
| mrfusion wrote:
| Are apps allowed to do that on iOS? I can't think of any good
| reason besides for a wifi diagnostic app.
| JumpCrisscross wrote:
| > _and viola_
|
| I love this typo.
| therein wrote:
| > Then they query the adjacent SSIDs and their signal
| strength in a background thread, and bam, Viola is your
| aunt, all your privacy is violated!
| craftinator wrote:
| I could play Hot Cross Buns on this typo.
| chrischen wrote:
| Phone GPS already uses Wifi for improved accuracy. So if fb
| has location access permissions it already does this for them
| implicitly.
| yabadubakta wrote:
| Once people accept that there's no such thing as a free (as in
| beer) app or service. In addition, there need to be serious
| laws put in place that give users control of their data. And
| they should be getting paid for Facebook's profits--not the
| share holders.
| bob_page wrote:
| The notion that there's no such thing as free (as in beer)
| app is keeping people away from free (as in freedom and beer)
| software. Sometimes you can have your cake and eat it,
| although it would be nice if more people volunteered to bake
| the cake. Or you could donate to the bakery.
|
| Software is weird, the best software is both free as in beer
| AND free as in freedom.
| Nextgrid wrote:
| The problem is less about whether people accept to pay for
| services and more that it's currently more profitable to
| provide ad-supported services (paid for by non-consensual
| data collection) than paid ones.
|
| Regulation that forbids non-consensual data collection such
| as the GDPR ought to fix that, but its lack of enforcement
| means it didn't have any effect on the market. Once
| regulation starts being enforced, it will rebalance the
| market where paid services will start to be viable because
| free services would no longer be profitable.
| cmoscoso wrote:
| Stop using any social networks from Facebook Inc.?
|
| I know it's not easy if you are addicted to it but it's doable.
| mancerayder wrote:
| > I don't have FB or or WhatsApp but my Insta account (using a
| separate email address and no personal details) keeps
| recommending my therapist to me. How are we still ok with this
| shit?
|
| I'm no attorney, but isn't there a doctor-patient
| confidentiality breach (in the U.S.) if a
| psychologist/iatrist's rolodex gets Facebooked out to the ad
| tech bidding systems?
| Barrin92 wrote:
| > is the lack of informed consent.
|
| what's making it possible is the lack of privacy regulation.
| People by and large don't care enough about privacy, it's too
| diffuse, too complicated, the damage to oneself and others is
| too intangible etc.
|
| Only way to end this is to destroy the business models that
| make it possible. What stands in the way of it is the mindset
| that this somehow harms innovation. (Innovating who can drive
| the titanic faster into the iceberg isn't innovation), that the
| government has no right to regulate private companies, and so
| on. The main problem is that people are trying to incrementally
| fix a broken thing, as Peter Drucker said
|
| _"There's a difference between doing things right and doing
| the right thing. Doing the right thing is wisdom, and
| effectiveness. Doing things right is efficiency. The curious
| thing is the righter you do the wrong thing the wronger you
| become. If you're doing the wrong thing and you make a mistake
| and correct it you become wronger. So it's better to do the
| right thing wrong than the wrong thing right. Almost every
| major social problem that confronts us today is a consequence
| of trying to do the wrong things righter"_
| rpastuszak wrote:
| Yes, we need better laws, opt-in consent and alternatives to
| ad tech (such as better ways for supporting publishers). The
| issues are systemic, going deeper than ad tech itself (e.g.
| conflicting incentives even within same publishing org,
| metrics being mostly nonsense, Goodhart's law).
|
| I think that the existing incentives can be moved, but we
| will need a change in mentality that might require a
| generational shift, or who knows how many fuck-ups. I'm
| becoming more and more pessimistic wrt the latter.
| rhizome wrote:
| > _People by and large don 't care enough about privacy_
|
| Not to play dumb or sealion, but what opportunities are they
| given to do so? How often have those opportunities been one-
| and-done, "if you don't do something to protect your privacy
| in this particular instance at this particular moment, it's
| gone forever?"
| kelnos wrote:
| > _How often have those opportunities been one-and-done,
| "if you don't do something to protect your privacy in this
| particular instance at this particular moment, it's gone
| forever?"_
|
| I don't think that question really captures it, because an
| easy response to that is "Why do I care? Why is my privacy
| so important that it's a problem that it's gone forever?"
| To some of us that might seem like an absurd question; we
| see privacy as an obviously valuable thing that we are
| struggling to maintain.
|
| But I don't think that's the case for most people; I think
| most people adopt the "I have nothing to hide, so what does
| it matter?" attitude. Especially when they (likely
| correctly) believe that online services that are central to
| their lives (like GMail or GDocs or Facebook or Instagram
| or WhatsApp) wouldn't be free to use if they didn't give up
| their data (and privacy) in return for the service.
|
| You can try to point to data breaches, but, even then, most
| of those don't have a tangible effect on people. 533M
| Facebook users' phone numbers and personal data leaked?
| Most of those 533M probably won't notice anything bad
| happening because of it, and any bad stuff that does
| happen... well, they probably won't be able to draw a
| causal line from the FB breach to the bad things.
| mmaunder wrote:
| The metastasis is companies and organizations that have FB
| groups and insist that's the only way to get data or
| collaborate with them and their members or customers.
| disgruntledphd2 wrote:
| Because it's so easy to set up a page, and get people to
| follow it. People run businesses on FB because it works, and
| everyone is there.
|
| If the web had made things easier, this would have happened
| less, but web developers didn't care enough, and FB ate their
| lunch.
| badjeans wrote:
| > I don't have FB or or WhatsApp but my Insta account (using a
| separate email address and no personal details) keeps
| recommending my therapist to me.
|
| So what? What's the harm?
|
| People sure like to write emotionally charged posts arguing for
| privacy, but they're always suspiciously low on details on what
| bad things (actually) happened.
|
| Even in this case with phone numbers and other data leaked, so
| what? What harm do data leaks cause?
|
| Seems like making a fuss about nothing.
|
| > How are we still ok with this shit?
|
| We're ok with a lot of shit. I think if we were to make a list
| of shit this would rank pretty low.
| rpastuszak wrote:
| > People sure like to write emotionally charged posts arguing
| for privacy, but they're always suspiciously low on details
| on what bad things (actually) happened.
|
| Two bad things (random selection, because the comments below
| already make some really good points):
|
| 1. targeted behavioural advertising is proven to increase
| polarisation, literally turning people against each other.
|
| A single instance of violating someone's privacy doesn't
| matter as much as your single vote won't shift the result of
| elections. But a single vote does matter, because it is a part
| of a bigger whole.
|
| 2. My family member suffers from PTSD acquired because of
| living in an abusive relationship for 2 decades. That person
| started a new life, but ads targeted at her and her partner
| more than once triggered actual panic attacks. I know this
| might sound ridiculous without the context. This is because
| that person didn't understand how clever the tech behind
| targeting was and assumed that the ads were related to their
| partner cheating on them. It's irrational, I know, but we're
| talking about someone who is psychologically vulnerable.
|
| I'd still say that 1. is a more important argument here, 2.
| just follows the line of thinking presented in your comment.
| (the main problem behind 2. is that person's mental state and
| the actions of their abuser, yet the amount of suffering that
| could've been removed is not negligible.)
|
| > Even in this case with phone numbers and other data leaked,
| so what? What harm do data leaks cause?
|
| Cambridge Analytica, voter manipulation, bias in behavioural
| targeting, increased polarisation in media--please Google
| these queries and educate yourself. There's a tonne of
| resources on the subject, including peer reviewed academic
| papers.
| kelnos wrote:
| I guarantee you that the majority of the population does
| not understand or care about your #1.
|
| And I expect that the majority of the population has not
| experienced the horror of your #2.
|
| If the majority (in this case, likely vast majority)
| doesn't care about something, there probably is not going
| to end up being any public policy protecting against it.
| disgruntledphd2 wrote:
| > targeted behavioural advertising is proven to increase
| polarisation, literally turning people against each other.
|
| Can you provide some evidence for this please? Certainly,
| filter bubbles make it easier for people to radicalise
| themselves, but I've not seen very much evidence that it's
| specifically the _advertising_.
|
| And polarisation in (US) media has been underway since long
| before Mark Zuckerberg left elementary school.
| cookiengineer wrote:
| You've obviously never been a victim of identity fraud,
| stalking or psychological terror.
|
| As long as the legal justice system hasn't caught up with
| that (in the sense of efficiency and prevention of financial
| problems) every data point that's leaked about you is a
| potential threat.
|
| > fuss about nothing
|
| Ever heard about rape victims? Ever heard about stalkers?
| Ever heard about psychological threats? Ever heard about
| someone being forced to do something they don't want? Ever
| heard about the fappening? How do you think those things have
| happened in the past and literally ruined people's lives?
| kelnos wrote:
| > _You've obviously never been a victim of identity fraud,
| stalking or psychological terror._
|
| And that's the point: most people haven't, and many who
| have probably weren't able to link it to something specific
| like "Facebook vacuumed up all my data and then lost it".
| And "most people" are the people who influence and make
| policy.
| YarickR2 wrote:
| Do you compare FB to SS and Stasi?
| seaman1921 wrote:
| Post your personal phone number right here and I will show
| you what harm it can cause.
| YarickR2 wrote:
| +79254646793 shoot
| cookiengineer wrote:
| Also @badjeans should give you all passwords for all email
| accounts, and all encryption keys.
|
| Because you know, what does it matter, right?
| YarickR2 wrote:
| you're confusing security, privacy, and personal details
| cookiengineer wrote:
| Please elaborate. If security is not a measurement to
| uphold and defend the right to privacy, then what is it?
| andrepd wrote:
| What's the harm of people watching you while you shower?
| Everybody does it, you won't get hurt, so what's the harm of
| stealing your nude pictures?
|
| > they're always suspiciously low on details on what bad
| things (actually) happened.
|
| - Hyper-targeted advertising
|
| - Voter manipulation
|
| - Surveillance of dissent
|
| - Arresting dissidents
|
| - Leaking sensitive medical data
|
| - Leaking private pictures, videos, conversations
|
| - Leaking your home and work address (hello stalkers and
| jealous ex-husbands!)
|
| - Being refused medical treatment or having premiums
| skyrocket
|
| But yeah, nothing serious, why are you so paranoid man?
| Conform, citizen!
| ordu wrote:
| _> Even in this case with phone numbers and other data
| leaked, so what? What harm do data leaks cause?_
|
| Let's imagine a situation. You've got an official-looking
| letter, from an organization unknown to you, claiming that, for
| example, your lawn is infected by a grass variant of COVID-19
| and must be disinfected, and this organization could do it in
| a jiffy for a mere $1k.
|
| Probably it is a scam, isn't it? How do you judge it? One of
| the signs of a scam is a lack of personal information in the
| letter. But if you see that the letter contains your name,
| address, phone number, lawn dimensions, then you probably
| shouldn't throw the letter into the garbage bin; you should
| find some other kind of test to judge whether it is a scam.
| Isn't it?
|
| So once you have made your personal information public, scam
| detection is going to impose bigger costs on you. Even if we
| assume that you are a perfect scam detector and will not let
| any scam pass you undetected, lots of people are not perfect
| in this regard. So the more difficult detection is, the more
| prey for scammers. It imposes costs on society overall,
| because society starts to give money to scammers, financing
| all that activity that is counterproductive for economic
| growth.
|
| But as for me, it is just a nuisance to decipher such letters,
| trying to spend as little time on scam detection as possible
| while having no false positives.
| 14 wrote:
| The technology is just creepy. I recently experienced a wtf
| moment the other day when a friend stopped by and her new bf
| was in the car. We said hello and they soon left (I sell eggs).
| Later that day he is being suggested as a possible friend. I
| have my location services off but Facebook knew somehow.
| yuliyp wrote:
| Or FB knew that this person was your friend's boyfriend and
| decided to show them as a possibility. You might have even
| seen them there before and didn't know them and thus ignored
| them.
| godmode2019 wrote:
| The boyfriend probably went to your Facebook to see if you
| are a threat and what type of relationship you have with his
| new girlfriend.
___________________________________________________________________
(page generated 2021-04-03 23:00 UTC)