[HN Gopher] 533M Facebook users' phone numbers and personal data... ___________________________________________________________________ 533M Facebook users' phone numbers and personal data have been leaked online Author : cjbprime Score : 885 points Date : 2021-04-03 15:49 UTC (7 hours ago) (HTM) web link (www.businessinsider.com) (TXT) w3m dump (www.businessinsider.com) | timdaub wrote: | Great, and while you can get sued into oblivion for downloading a | Metallica album, all our personal data is downloadable from a | public website for 3EUR. | | Like for real, it took me 2mins to find the leak myself... | hh3k0 wrote: | Can you link it? I'd like to check if I am affected. | | Regrettably, I was forced to create a FB account for work. | Exuma wrote: | Where did you get the data leak, I want to check too. | malaya_zemlya wrote: | https://t.me/freedomf0x/12553 | | I haven't checked the content myself, but this tg channel is | usually legit | OkGoDoIt wrote: | Thanks. I'm just getting a "Please open Telegram to view | this post from @freedomf0x" message. Any way to access this | without signing up for Telegram? The irony of giving my | personal info to another 3rd party just to check if my | personal info was leaked by a different party is too | much... | hosteur wrote: | Yeah I assume that the data is not actually hosted in | Telegram so would be really nice with a direct link or | magnet or similar. | happyhardcore wrote: | the telegram has a text file with links to links by | country, I've just stuck that at | https://pastebin.com/3SvG1FJ0 | Nerada wrote: | Is there an alternative to ufile? | | I've tried three different browsers and none can get the | download to work. It's possible I'm blocking some | tracking domain at the router-level that's integral to | the download functioning. | | Edit: Turns out I was blocking Google's captcha. | scorcoran wrote: | Goes without saying, do not use the link above. Downloads | malware. | matsemann wrote: | Which link? 
The ufiles? Why does it go without saying? | Not like stuff is instantly executed by downloading. All | I got for my selected country was a plain text file. | somedude895 wrote: | Thanks. Was just able to verify I'm not affected (deleted | my acc years ago), but it's crazy how many of my friends' | names plus phone number are on there. | mbirth wrote: | From the initial tweet the source is this: | | https://raidforums.com/Thread-SELLING-Free- | FaceBook-533M-rec... | | However, the comments in that forum suggest that it's not | "free" and/or not there. | hn_throwaway_99 wrote: | I mean, at this point I think everyone should just accept that | at the very least their name, age, address(es), email(s), phone | number(s) and screen name(s) have been fully leaked if you have | ever had any kind of online presence. Not saying that's right | or good, but at this point it's just a fact. | | So if that's the case, I think we should move beyond really | even trying to think of this info as private or a marker of | identity, and we need to move _everyone_ to more secure forms | of identity verification. | | As has been pointed out on HN before, "identity theft" is a | made-up concept to make it seem as if you had something stolen | from you, when the real problem is banks and other service | providers do an absolute shit job of identity verification. | _They're_ the ones at fault, and they try to shift the onus | onto you to fix things when they screw up. | | Indeed, a social security number is pretty much the only | additional piece of data to the stuff above that one would need | to open up a bank account in someone else's name, and those | have been leaked plenty of times too. | | The government needs to make harsher penalties for banks and | others that can ruin your credit, etc. because they accept all | this leaked info as "proof" of identity. 
| ubertoop wrote: | The scary thing is how much one's phone number (a somewhat | ephemeral thing) is actually bound to your IDENTITY. | | Considering your phone number is more and more being used in | 2FA ... if you were to ever change your number and someone | else got it, this would pose a serious security risk if you | failed to change over ALL of your internet accounts 2FA to | the new number. | ourcat wrote: | I've always thought the most scary thing about this | practice is that your (unique) phone number is a powerful | "foreign key" which could potentially join data from many | other leaked databases, forming an even larger dataset on | you. | | There are plenty of other places we give our phone numbers | to, which might not have anywhere near the protections that | Facebook say they provide. | anticristi wrote: | Like really? Don't you have to walk to a bank or show some | ID? | | I live in the EU and I do operate under the assumption that | banks take reasonable measures to ensure an account is linked | to a legal identity. | hn_throwaway_99 wrote: | No. Many online services will let you open a bank account | with name, address, phone, DOB and social security number. | iso1210 wrote: | Without sending a confirmation letter to the address and | SMS to the phone? | brendoelfrendo wrote: | If you're the fraudster, you're providing the address and | phone number. | iso1210 wrote: | In which case it surely wouldn't match with credit report | databases? | seaman1921 wrote: | s/if you have ever had any kind of online presence./if you, | your friends, your family, your cleaning lady etc. has ever | had any kind of online presence. | cblconfederate wrote: | At this point i don't see why only facebook and the thieves | should have access to this data. If the data is public it loses | its value | somethingwitty1 wrote: | What about this data being public causes it to lose value? 
It | seems like it would be a boon for lots of companies even if | every other company has it. | Moeancurly wrote: | I believe they mean it can't effectively be sold if | everyone has it. It loses value as a commodity if anyone | can access it, but the value of the data is still intact. | kabes wrote: | But facebook is not in the business of selling your data. | It's in the business of selling your attention and it | uses data to do so. There's nothing about this leak that | changes Facebook's position in this market in this | regard. | lostlogin wrote: | > But facebook is not in the business of selling your | data. | | There are an awful lot of arguments against this stance | and the argument supporting the claim appear to split | hairs in a very convenient manner. | mhh__ wrote: | Value to whom? | skizm wrote: | Why would the data being public stop robo-callers from using | the list? | BenchDwarf wrote: | Source? | egberts wrote: | That's why you never use your real name nor birthdate ... on | social media. | canada_dry wrote: | Except... that's only the tip of the iceberg. | | Facebook/Google (et al) farms data from everyone! There really | is no escaping it in today's unregulated privacy free-for-all. | | Friends/family/associates will provide your personal info in | their contact/meta data. | | Companies (and their 3rd parties) you've done business with | willingly sell/provide your personal info. | saos wrote: | Ha and WhatsApp want me to accept their new policy. | | Absolutely not | ruph123 wrote: | Does anyone know if there is a way to check if one's data is | included in that leak, a la haveibeenpwned? | mhh__ wrote: | grep the download? | | Search for :YourFirstName:YourLastName:YourGender | ipnon wrote: | And yet it is still considered audaciously paranoid among the | general public to protect your privacy by not having a | Facebook/LinkedIn/Google/... account. 
| permo-w wrote: | I've noticed that some people who don't have personalised | social media seem to assume that other people do because | they're mentally deficient or ignorant. | | It's the same as how unsympathetic people ask why fat people | don't just stop eating, or drug users stop getting high, or the | cyberbullied don't just turn off their phone. | | It's a lot more complicated than "just don't use facebook". | sachdevap wrote: | But parent is not talking about calling out people for having | social media accounts. He/She is talking about those having a | social media account judging those not having one as | paranoid. You've just propped up a straw man here without | addressing the point the parent comment made. | i_have_an_idea wrote: | There's not much to see here. | | Someone scraped some public profiles. Someone then brute forced a | poorly implemented "look up by phone number" feature. They linked | the two datasets on the unique facebook user id. | | Leaking data that is or was in the public domain is not much of a | leak. The only noteworthy thing would be the leak of the non- | public phone number, however that vulnerability has been widely | known since 2019 (and has been resolved by Facebook), so there's | nothing new here? | QUFB wrote: | Not much to see? Not noteworthy? | | Where could I, or any Internet user, trivially download these | details on 533M Facebook users prior to this dump? If nothing | else, it seems extremely noteworthy that someone was not only | able to obtain the data through scraping or some attack, but | has shared with the world. | i_have_an_idea wrote: | > Where could I, or any Internet user, trivially download | these details on 533M Facebook users prior to this dump? | | On Facebook. Literally. You can scrape any public profile | info. It's against ToS, but it's not illegal (some caveats | apply, see the hiQ Labs v. LinkedIn case for more info). | | The only noteworthy thing is the phone number vuln. 
Except | that's been known since 2019, so it's certainly not news. | azeirah wrote: | There's a difference between programming a scraper capable | of scraping 500 million records, running it and storing the | results without getting caught by Facebook and downloading | a file. | prox wrote: | How hard is it to change phone numbers? So say I release my old | number and take a new one, how do I make sure I am not | forgetting any 2FA services I signed up for? | tnolet wrote: | Interesting numbers in the linked tweet in the article. 5M | accounts for the Netherlands exposed. Almost 1/3 of the | population. Compared to Germany where "only" 6M are leaked, not | even 10%. | djokkataja wrote: | They've also got Tunisia in the list twice, and the number for | the first instance is 39.5M, when the population of Tunisia is | not even 12M. | bellyfullofbac wrote: | I wonder if Tunisia is famous for FB click farms? | | A quick google indicates "maybe": | https://about.fb.com/news/2020/06/may-cib-report/ | [deleted] | r721 wrote: | Liz Bourgeois, @Facebook comms: | | >This is old data that was previously reported on in 2019. We | found and fixed this issue in August 2019. | | https://twitter.com/Liz_Shepherd/status/1378398011747938305 | gpm wrote: | 1/16th the worlds population, assuming no duplication. | throwaway29303 wrote: | Interesting. Every time Facebook is hacked I remember this | Anonymous' threat[0]. | | [0] - https://venturebeat.com/2011/08/09/hacker-group-anonymous- | th... | mgerullis wrote: | Wasn't Facebook just trying to lecture apple about privacy? | annadane wrote: | Right? They're masters at adopting the (supposedly) moral high | ground and acting all hurt when others criticize them - you'll | hear 'we need to be better' but there's this overriding sense | of, how dare people differ from what we feel is best? | amelius wrote: | Can we take away the incentive and just ban online targeted ads | already? | baybal2 wrote: | This does not look like scraping. 
A prima facie database leak, | and an invalidation of Facebook's claims of them not using your | phone number past the validation, as well as them claiming using | encryption at rest. | mhh__ wrote: | I've had a play with the data for a few people whose phone | numbers I actually know, and they all seem old enough users | that they just have the number on the account anyway. I could | be wrong but I haven't found anyone my age whose number I can | confirm. | Tenoke wrote: | As far as I can tell it's a combination of the 2020 phone | number exploit linked to scraped data for public accounts | (likely using the public id). | spicybright wrote: | The phone number point may still be true though, they have to | store the phone number somewhere. | noxer wrote: | They could store a salted hash instead for almost everything | except using the number as actual phone number (call/SMS) | xyzzy123 wrote: | You need to do a bit more than that; a one-way transform | with no secrets isn't good enough for easily brute- | forceable data like phone numbers, SSNs, passport numbers, | credit card numbers etc. There's just not enough entropy in | the data. | | There are ways to do these things though so the spirit of | your comment is correct. | zepto wrote: | This seems like it would not be obvious to many people | here, and so is a very salient comment. | | Do you have a link to anything that explains why, and | what the ways are to do these things? | mikeiz404 wrote: | What are some of the ways? | | I'd assume encryption wouldn't help much since wouldn't | the key most likely be available if the database was | compromised? | | I would have thought hashing would work if it's made more | expensive such as by choosing an expensive hash function | and increasing the number of rounds. | | Edit: Would first encrypting the value with the salt and | then hashing the encrypted value and salt add more | entropy and make hash collisions less revealing? 
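The point made above, that a salted but secret-free hash of a phone number does not survive database exfiltration because the input space is tiny, and the follow-up question of whether a more expensive hash fixes it, can be shown with a small script. This is an added example and not code from the thread or from Facebook; the 10,000-entry number space, the salt, the key and the `AnchorService` class are all constructed for the demonstration. It compares a salted iterated SHA-256 (invertible offline by enumeration, with a cost ratio that round count cannot change) against a keyed "anchored" hash, where every guess must pass through a key-holding service that can count and rate-limit them.

```python
import hashlib
import hmac

# Constructed toy number space. A real country's dialable numbers run to
# roughly 10^9 to 10^10, which is still small enough to enumerate offline;
# the toy space just keeps the demonstration fast.
NUMBER_SPACE = [f"+1555{n:04d}" for n in range(10_000)]


def salted_hash(phone: str, salt: bytes, rounds: int = 1) -> bytes:
    """Salted, iterated SHA-256 with no secret input.

    Everything needed to recompute it (salt, round count) leaks together
    with the digest, so the only protection is the size of the input space.
    """
    digest = salt + phone.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def recover_from_salted_hash(digest: bytes, salt: bytes, rounds: int = 1):
    """Work-factor check: inverting a leaked (salt, digest) pair costs at most
    len(NUMBER_SPACE) * rounds hash evaluations, all of them offline."""
    for candidate in NUMBER_SPACE:
        if salted_hash(candidate, salt, rounds) == digest:
            return candidate
    return None


def attacker_to_service_cost_ratio(rounds: int) -> int:
    """Raising `rounds` multiplies the service's per-lookup cost and the
    attacker's enumeration cost by the same factor, so the ratio never moves:
    no cost function makes a 10^10-sized space safe without DoS-ing yourself."""
    service_cost = rounds                       # one legitimate lookup
    attacker_cost = len(NUMBER_SPACE) * rounds  # full enumeration
    return attacker_cost // service_cost


def anchored_hash(phone: str, key: bytes) -> bytes:
    """'Anchored' hash: HMAC-SHA256 keyed with a secret that stays in an
    HSM/KMS. A leaked digest cannot be tested against candidates without it."""
    return hmac.new(key, phone.encode(), hashlib.sha256).digest()


class AnchorService:
    """Stand-in for the HSM-backed hashing service (constructed for this example).

    It holds the key, and because every guess has to go through it, guessing
    becomes observable and rate-limitable inside your own infrastructure.
    """

    def __init__(self, key: bytes, max_calls: int):
        self._key = key
        self.max_calls = max_calls
        self.calls = 0

    def hash(self, phone: str) -> bytes:
        if self.calls >= self.max_calls:
            raise PermissionError("rate limit hit: enumeration is visible here")
        self.calls += 1
        return anchored_hash(phone, self._key)


def attempt_recovery_via_service(service: AnchorService, digest: bytes):
    """The same enumeration, but each guess is an online call to the anchor
    service; it stops as soon as the rate limit trips."""
    for candidate in NUMBER_SPACE:
        try:
            if hmac.compare_digest(service.hash(candidate), digest):
                return candidate
        except PermissionError:
            return None
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"
    target = "+15557342"  # constructed number inside NUMBER_SPACE
    leaked = salted_hash(target, salt, rounds=100)
    print("salted hash recovered:", recover_from_salted_hash(leaked, salt, rounds=100))
    print("cost ratio at 1 round vs 100 rounds:",
          attacker_to_service_cost_ratio(1), attacker_to_service_cost_ratio(100))

    service = AnchorService(key=b"\x00" * 32, max_calls=500)  # constructed key
    leaked = service.hash(target)
    service.calls = 0  # do not count the legitimate call against the limit
    print("anchored hash recovered:", attempt_recovery_via_service(service, leaked))
    print("guesses seen by the service before it stopped:", service.calls)
```

The keyed version still has to be paired with the rate limit and the audit trail the service provides; if the key can be pulled out alongside the table, it degrades to the salted case, which is why the key is kept in hardware or a separate key-management service rather than in application configuration.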
| xyzzy123 wrote: | To protect "sensitive, low-entropy data", the main things | I've seen people do are encryption, tokenizing, or | anchored hashing. I'm certain there's a bunch of academic | work out there I'm not across so I'm writing from the | limited perspective of "things I've seen people do in | industry". | | The best thing to do tends to depend on how you need to | use the data, exactly. | | With hashing alone there's just no reasonable cost | function that will provide (say) 1 year of security in | the event of database exfil, but also not DoS your | service computing it :/ The problem is being offline- | attackable. | | Encryption is one possible answer and I think most HNers | understand the tradeoffs. Generally the less transparent | it is, the more effective it is. Volume encryption or | transparent database encryption are good to turn on, but | don't protect you much. Keys available at application | level only (let's say some fields are KMS'd) are better | and will be of use under common failure scenarios (SQLi / | DB exfil). You still have to get key management and | application security right though and it turns out those | are hard to do at scale. Your encrypted fields will also | not be efficiently searchable unless you are using | deterministic encryption. | | The tokenize pattern replaces sensitive data with a | random value which is mastered in a centralised, | controlled service. This really only makes sense if you | can set things up so that almost all operations can be | performed using the token. If you allow too many things to | do token -> value lookups then it's pointless. Also all | your eggs are now in one basket so you have to _watch that | basket_. Operations look like: | | - Exchange sensitive value for token | | - Compare tokens for equality (optional, but usually | handy) | | - "Domain operations on token". For credit card, "bill | the user", for phone numbers your domain operations might | be "send SMS" or "robocall". 
| | - Exchange token for value (controls go here; limit | access to customer service staff only, auditing, rate | limits etc. The value should ideally only come out if a | human has to look at it, and you should be able to | definitely say who looked at what). | | This is a general technique, mostly used for credit | cards. There's a whole industry around it. https://en.wik | ipedia.org/wiki/Tokenization_(data_security) | | Anchored hashing uses a secret value in your "hash" | operation. Keeping this value actually secret is hard, so | an "industrial strength" implementation will use an HSM | or other hardware to do the operation. This means any | brute-forcing has to happen inside your network where you | can see it. You ideally want a bit more entropy than with | tokenization to make this work, but with appropriate | rate-limits against attack from inside your | infrastructure, it has legs. It's hashing, so works well | for "have I seen this sensitive data before". The main | advantage of this pattern is that it doesn't have to keep | state. | | A decent write up of "anchoring" is here: | https://diogomonica.com/2017/10/08/crypto-anchors- | exfiltrati... | noxer wrote: | You can not prevent the phone number from being found | eventually but that's not the goal you just need to make | it more expensive than a phone number could ever be worth | to someone. | | If you use a secret you have the same problem as before | the legit system needs to have access to the secret but an | attacker should never get it. So if an attacker gets | hashes and the secret(s) he has everything. | emayljames wrote: | Amalgamation of data before encryption?, encrypt full | rows of data? etc. | jpeter wrote: | Maybe it's from whatsapp | onetimemanytime wrote: | I still go with the assumption that everything that is sitting | somewhere in some server will be leaked. Having unnecessary data | is the problem | mensetmanusman wrote: | My actual phone number has net negative value. 
I mostly only get | scam texts and phone calls. | | Everyone I know uses messaging apps and contacts me that way. | | I can't believe Apple hasn't offered a way to white list when | your phone rings. | jdjdjdjdjd wrote: | They have. Settings > Phone > Silence Unknown Callers | maxc01 wrote: | Before a leak: xxx is a shit company and is notorious for how it | treats users' data. Everyone, stop using its app now. | | After a leak: ok that's life | impostervt wrote: | https://haveibeenpwned.com/ | | I've been pwned 33 times. At this point, it's just noise. My | passwords are all unique (password manager). Honest question - | What should I worry about? | prophesi wrote: | It's much more of a threat to those who don't use cryptographic | randomly generated passwords. And if you add PII to your | accounts. | newman8r wrote: | well it might be embarrassing if someone found out you used | facebook. | | I guess I could envision a scenario where you're being | investigated, and these leaks provide a roadmap of services to | subpoena. | retox wrote: | You should worry about being a smug cunt. | codethief wrote: | Maybe your phone number, relationship status or Facebook bio? | doubler wrote: | This news is from jan29 | https://www.theverge.com/platform/amp/2021/1/25/22249571/fac... | doubler wrote: | This is from jan29 | https://www.theverge.com/platform/amp/2021/1/25/22249571/fac... | offtop5 wrote: | I would love this to spur some serious regulation of social | media. | | The cat's sorta out of the bag, but one can dream. | anticristi wrote: | Let's start by classifying them properly: FB is an ad network. | kwertyoowiyop wrote: | Don't worry, Facebook will soon put out a press release including | the phrase "we need to do better." | poqegjrioe wrote: | I work in the security field and let me tell you something I | realized: nobody cares about security. If someone cares about | security, it's because they've had many many incidents in the | past. 
We humans are not a species that is good at preventing, | we are good at reacting. | | the security handbook[^1] has a chapter on that actually, and | they basically say that role playing is the only way of not | getting burned. Humans are excellent at role playing, and it | can help you prevent a lot of catastrophe without having | experienced them before. | | [^1]: https://securityhandbook.io/ | RachelF wrote: | The problem is that companies don't care about securing their | data, because the data is not theirs, it is about their | users. | | Mark Zuckerberg probably spends more on personal and family | security and privacy than Facebook spends on their users' | security. | anticristi wrote: | I think part of the problem is that many orgs see security as | an overhead that engineers do to sleep well at night. A few | more breaches, a few more fines and it will finally be seen | as a feature to keep the CEO out of jail. | kevmo wrote: | Probably 2/3 of billionaires belong in jail. | aloisdg wrote: | Probably most of them if not all. | hunter-gatherer wrote: | This is just it. I also work in the security industry, and | the fact of the matter is that we (security professionals) | can't give guarantees. I don't know what exotic exploit or | bug will exist tomorrow. Security professionals basically | offer what (to me) seems like a crappy insurance policy. | Depending on your orgs threat model, it is often just | cheaper to deal with the breaches. --- I am not saying | facebook falls into this category. --- | esnard wrote: | "This is old data that was previously reported on in 2019. We | found and fixed this issue in August 2019." | | https://twitter.com/Liz_Shepherd/status/1378398417450377222 | varispeed wrote: | What a pathetic response. Does it mean users changed where | they live? Change their names? Deleted and started a new | account so the ID is different? | mrweasel wrote: | That's kinda sad, because that is what's going to happen and then | we'll hear nothing more. 
| | At this point I'm not really sure what it will take for | companies, like Facebook, to understand that you need to not | fuck around with peoples private data. | BoiledCabbage wrote: | Put a monetary cost of holding user data, and a steep | monetary cost on losing user data. | | Ex, pay x amount per month in perpetuity for each piece of | information about a user you keep. And have to pay the "net | present value" of those payments if you lose the data. | | Having to pay for hoarding user personal data changes the | incentives from gobble up as much as possible, to instead | only pay for a users data that is worth the cost to your | business. | | And as an extra incentive to not hold unneeded user data, | know the costs you'd pay if it was breached. | mrweasel wrote: | Who would get this money? I agree that it needs to be some | solution involving a cost, given that most of these | companies have shown multiple times that profit isn't just | their main concern, it's the only concern. | pharke wrote: | Think of it like a class action lawsuit on behalf of | investors. Instead of entrusting their savings to a | company, people are entrusting them with their personal | information. If there is gross negligence on part of the | company leading to that data being leaked then all of the | people whose data was stolen should be able to claim | monetary damages. If a legal precedent is established so | that these claims can be pursued whenever this happens it | should provide enough motivation for these companies to | take preventative measures. | gpm wrote: | The government typically... who might in turn do | something like a tax rebate (write a check to everyone, | Ontario has been doing with the carbon tax) or just stick | it into the general pool of taxes (reducing everyone's | taxes). | 29083011397778 wrote: | So the American government gets a cheque for every other | nation's citizens that use FB, or FB has to determine | where each of their users reside? 
| | Respectfully, I'm not sure either of these lead to | outcomes we want | anticristi wrote: | Sounds interesting. Shall we call it "GDPR"? | mrweasel wrote: | Honestly the EU needs to finance an organisation to deal | with GDPR violation, hell it could finance itself. The | GDPR is the single best piece of legislation ever | written, in terms of privacy, but enforcement is lacking. | kristianc wrote: | Interested to know the GDPR implications of this for Facebook. | This seems like one of those occasions where the regulator might | be tempted to impose the maximum fine... | Nextgrid wrote: | See my other comments on this thread about Facebook's situation | with the GDPR: https://news.ycombinator.com/item?id=26682200 | | Long story short, regulators already have more than enough | evidence about Facebook's lack of GDPR compliance so they | could've already imposed large fines if they wanted to. The | fact that it hasn't happened yet shows there's no motivation to | actually enforce the regulation. | anticristi wrote: | I wish I were Irish. Imagine 3 billion dollars extra taxes! | It's like a second COVID-19 relief package. | lordnacho wrote: | Does anyone know if there's a GDPR fine on its way? | Nextgrid wrote: | Facebook already breaches the GDPR in many ways and has yet to | see significant consequences, so this is unlikely. | | (before you post a link to enforcementtracker.com please first | compare the fine amounts with Facebook's revenue) | yokaze wrote: | > Facebook already breaches the GDPR in many ways and has yet | to see significant consequences, so this is unlikely. | | Not having the data encrypted at rest seems to me a different | infraction than the previous ones. The scale also matters, | and that it isn't the first infraction. 
| | And as I read it, not encrypting at rest is a breach of | Article 6 and fined under Article 83 (5) | (https://www.privacy-regulation.eu/en/article-83-general- | cond...), which puts the fine limit at 4% of the annual | turnover. | | Yes, it doesn't mean they have to fine as much, but the point | remains, that this is in the category of the most severe | infractions. | Nextgrid wrote: | Facebook's tracking consent flow has been in breach since | the regulation went into effect in 2018, and has affected | millions of people, both users and non-users. Keep in mind | that had Facebook been compliant with the GDPR, the recent | Apple changes regarding tracking consent on iOS wouldn't | have been an issue for them at all. | | I'd argue this is a much bigger issue than the lack of at- | rest data encryption, and yet nothing has been done. | | They also appear to be ignoring Subject Access Requests | with total impunity: https://ruben.verborgh.org/facebook/ | KaiserPro wrote: | > the existence of appropriate safeguards, which may | include encryption or pseudonymisation. | | which is not the same as data must be encrypted at rest. | iso1210 wrote: | Facebook annual revenue is 86 billion. I'd be happy to see | an end-fine anywhere over $1b | pixelpoet wrote: | Great, so we get the worst of both worlds: outrageously | obnoxious opt-out games (which, if skipped, implies free | rein) and non-compliance as a cost of doing business. | Wonderful. | Nextgrid wrote: | The obnoxious opt-outs are actually in breach of the GDPR | as well, but are allowed to proliferate due to the lack of | enforcement. | dan-robertson wrote: | Obviously it is bad if your personal data is compromised after | you (or some else) upload it to an online service like Facebook. | | But in this case, it's important to remember that phone companies | used to regularly leak most of their customer's phone numbers | (and names) in the form of a telephone directory. 
So a question | to consider is: suppose that the white pages were still commonly | produced and contained most people's numbers. How would you then | feel about something like this. | | Personally I feel like the problem with phone numbers being | leaked is mostly the epidemic of spam calls (especially in the | US) rather than some particular breach of privacy. | | Aside: I think it is good to consider these counterfactuals in | general for questions about information privacy, for example how | would you feel if everyone's tax returns were published publicly | like they are in Sweden? | joshspankit wrote: | I agree, but also we've made it more complicated by using phone | numbers as 2FA credentials. | | Now suddenly a "white pages of cell numbers" becomes a very | convenient tool for getting in to people's accounts. | ajross wrote: | Only if you can hijack their number. Knowing a phone number | seems like by far the easiest part of breaking SMS 2FA... | eightysixfour wrote: | The "new" risk with phone numbers is the overreliance on them | for login and 2fa and the relative easy of taking one over. I | use security keys but still have accounts I can't remove the | phone 2fa from despite having two keys tied in. | allworknoplay wrote: | This is insane. Phone companies published numbers because it | was generally considered helpful and the costs of unsolicited | calling were relatively high. By the 70s delisting was an | option, and by the late 90s it was very common (in the US). The | internet made this a no-brainer, and to suggest that it's | somehow ok just because it used to be (in a totally different | world) is beyond ridiculous. | | We don't have the option here -- people provide their number to | a service to be able to use it, and the numbers are then | compromised, in breach of that contract and because of the | service's failures. | | The two are not remotely alike, what the fuck are you even | talking about. 
| dudul wrote: | As far as I can remember, the white pages don't include | "biographical information". The kind of details used for | idiotic "security questions" on websites too lazy to implement | 2FA (your mom's maiden name, your first school, the name of | your first pet, etc). | | As for public tax returns in Scandinavia, first of all it has | guardrails - searches are recorded with _your_ information when | you lookup someone - and second, countries have different | culture and History for a reason. | groby_b wrote: | Spam calls are likely not even affected by leaked numbers. | Source of suspicion: My partner and I have phone numbers in | close numeric vicinity, and deliberately use one for public | purposes and the other one is not known outside of a very close | circle of family. | | We still get spam on both numbers within short time frames - so | I'd say it's likely spammers just auto-dial through. | coldcode wrote: | That's been going on for many years. Brute force calling | costs nothing. I've always wondered if charging 5 cents per | call would stop them cold, but I am sure no one wants to | implement that now. | [deleted] | [deleted] | varispeed wrote: | You can't compare that at all! They leaked IDs and from that | you can go to user profile and learn more about them. You | cannot do that from a phone company leak. | dan-robertson wrote: | Phone companies didn't leak phone numbers in the conventional | sense of the word. I used it to try to draw a comparison. | Phone numbers used to be printed in big books and you could | usually look someone's phone number up if you knew their name | and rough location. That is, phone numbers were not | considered to be particularly private information at all. | | I think the comments I most agree with talk about the | different security threats people face today with current | usage of phones. 
| throwawinsider wrote: | Russians are doing god's work hacking and leaking proprietary | data | 0x_rs wrote: | Personally, I wish Facebook would finally get slammed with the | long overdue consequences of questionable practices when it comes | to data handling and transparency, let alone minuscule control | users have on own account and PII. This leak may have been | preventable for a vast number of individuals. I suppose many are | familiar with the old account "deletion" process that would -- | years later, too -- prove itself not to be a real removal, but a | mere deactivation, waiting to return from their graveyard | whenever pinged by the simplest of login attempts by bots or ill | intentioned individuals. At this point in time, considering the | sheer amount of I believe accounts stuck in a limbo, a dedicated | fast track deletion process should be _enforced_ on Facebook. I | have, in my little knowledge, not found any case of GDPR requests | granting one's wishes to see old accounts (that did not accept | their newer ToS and cannot be authenticated in any possible | manner permitted currently, in which registration and connected | e-mails are not) be permanently removed from their systems. My | attempts, at least, have come short. | gpm wrote: | Is it possible to download this without giving money to | criminals? (The article says free, but my 2 minutes of googling | hasn't found it, somewhat unsurprisingly). | | Is doing so legal? | | If the answer to both of those questions are yes... I'd like to | take a peek. Mostly to check whether or not some numbers I _know_ | haven't been directly given to fb are there. | emayljames wrote: | https://t.me/freedomf0x/12553 Is the download link in the | channel. Has all files by country, zipped in .txt files. | megous wrote: | I'm also wondering if number I asked them to delete 5 years ago | is in this 2019 leak. :) | mhh__ wrote: | Yes. Legal? no idea. 
| bitcharmer wrote: | These events are not a matter of if but when. And since the | overwhelming majority of the people in my social circles has zero | understanding of the real nature of the relationship between them | - FB users and FB I just hope this will become increasingly | frequent and painful experience for them. As in: I really hope | this will get FB users in trouble as a result of identity theft | etc. | | This may sound extremely cynical but at this point it's the only | way for the non-technical folk to understand the implications of | giving away your privacy so that you can share cat pictures with | other people. | asdfasgasdgasdg wrote: | > people in my social circles ... I just hope this will become | increasingly frequent and painful experience for them. | | Very strange to wish harm upon your friends with the hope that | that will convince them to join your side in a political fight! | I would suggest instead that you only wish that _if_ it becomes | a painful experience, they would realize why and renegotiate | their relationship with FB. Typically wishing pain on your | friends is not a good stance. | smolder wrote: | It's a pretty minor harm and it's one somewhat like ripping a | band-aid off. The pain will come sooner or later since we (at | least in the US) aren't addressing the irresponsible data | practices in industry. The sooner people detach themselves | from the likes of FB, the better off they'll be when leaks | happen. | brettermeier wrote: | true | sidlls wrote: | Not that strange. The whole "rock bottom" concept for addicts | is similar, right? Sometimes you have to see a friend or | family member truly experience real pain to get them to want | to change. People are like that. 
| nonbirithm wrote: | The sad fact is that as much as I wanted to believe that | positive reinforcement was "better" for me because it was | supposedly "better" for people in general, in practice it's | only ever been negative reinforcement that has enacted any | change in my life. Trying to deny that fact for so long | only accomplished setting my life back by several years. | Even the simplest things like dental hygiene only became | habits because I suffered catastrophic losses from | neglecting them. | | I think it's because my imagination of the failing scenario | will never compare to the experience of the failure itself. | Whereas if there's no singular point at which the failure | becomes obvious and decidedly life-changing, then... | ve55 wrote: | I think it would take more than this to be leaked, particularly | if users had their 'private' messages on services leaked, | _then_ they would start to realize it. | | I think most normal people acknowledge that so many companies | know their phone number and name that they may be past caring. | KMag wrote: | It became necessary to destroy the town to save it? | rikkipitt wrote: | I've been getting a lot of automated/unsolicited calls recently. | Begs the question if this might be the source of my woes. | | Is there a trustworthy phone number version of | https://haveibeenpwned.com? | fourier456 wrote: | This also started a few weeks back for me, more unsolicited | calls/texts. | spicyramen wrote: | Same here, I started receiving both calls and SMS, the | latter of which I find more annoying. I do use Android and these ones | haven't been able to be detected as spam | rikkipitt wrote: | I'm on iOS and don't think there's a way of blocking | unsolicited calls until after the fact... I hope to be proven | wrong though! | | The odd thing is, the calls often come through having a | caller ID very similar to my own number. | thechao wrote: | The best I've found is to simply reject all calls not in my | contacts.
Real callers leave a voicemail, which gets | transcribed. | ajanuary wrote: | Not natively, but there is an API that apps can use to do | it for you. I use Mr. Number because it's literally the | first one I found and it's worked good enough for me. | coldcode wrote: | Those are usually generated, they call numbers in area | code/exchange randomly, assuming you will pick up something | that seems familiar. Joke's on them, I moved to another | state, easy for me to tell. | JoshTko wrote: | On iOS there is a lifesaving phone setting of sending | unknown callers straight to voicemail. | rikkipitt wrote: | I toyed with that for a while but I kept missing | important work calls. I might have a look for an app | later, but I have a feeling it might not exist... | ghaff wrote: | Yeah. I tend not to pick up calls that are in the "Who | would be calling me from Texas?" vein. But while it's | annoying to have to look at my phone when it rings, I do | get calls from locations that seem plausible and they | usually are legit. I'm not really willing to make myself | harder to reach for legitimate and even important reasons | because of the occasional junk call. | Nextgrid wrote: | I wonder if you can get a VoIP number from a different | country (where good regulation means spam is less | prevalent) and use that for work calls? | ronsor wrote: | I'm almost 100% sure your employer wouldn't want to make | an international call every time they wanted to contact | you by phone. | lanstin wrote: | Work uses slack/teams/Webex. One person sends me Signal. | No one has ever used telephony, except I use it to call | the dial-in numbers because my phone audio is better than | Bluetooth / virus agent laden laptop displaying ten | videos of people's homes thru vpn. | OminousWeapons wrote: | Not really an answer to your question, but one partial solution | to the problem of having your number leaked or sold is to set up | a service like Twilio to act like a phone proxy.
You can have | Twilio forward calls it receives on a different number ("spam | number") to your actual phone number ("real number"). You | provide spam number to anyone who isn't a business or personal | contact. Every few months, you rotate spam number. If your spam | number is leaked, you don't care because it's only a transient | number which isn't more permanently associated with you. | | You can also have more permanent proxy numbers for services or | people that may need to get in touch with you long term. | Phenomenit wrote: | Is this available to people outside of the US as well and is | there a guide for setting this up? Last time I used twilio | for a basic sms gateway there was a lot of clicking and | typing. | OminousWeapons wrote: | I think it is available for people outside the US. | | https://support.twilio.com/hc/en- | us/articles/223179908-Setti... | | I would recommend using the Studio workflow which is GUI | based and easy. | | https://support.twilio.com/hc/en- | us/articles/115016033048-Fo... | 29083011397778 wrote: | I've been using voip.ms in Canada to great success. Even | SMS codes from banks and Whatsapp work correctly. Excellent | service, highly recommend, especially with voicemail auto- | transcription (then sent to email) and SMS from desktop via | email. | procombo wrote: | It's what I have done for years. Only costs $1/mo for the | number and a couple hours learning their API. | | Your existing cell number can be ported over to Twilio if you | are patient. | | The only problem is trying to use the number for 2fa. A | growing number of banks (like Capital One) block Twilio | services from receiving their SMS. | criddell wrote: | I've been getting a lot more recently as well and I figured it | was due to the phone companies promising to get rid of caller | id spoofing this year so scammers are working overtime until | they can't anymore. | zeta0134 wrote: | Oh, is that a real thing that's happening?
Caller ID spoofing | is the main reason I hold onto my phone number from [small | town] Texas, since only my immediate family ever calls me | from there, so I somewhat reliably know anything else from | that area code is a scammer. | criddell wrote: | I hope so. I believe it's this: | | https://en.wikipedia.org/wiki/STIR/SHAKEN | tyingq wrote: | _" Is there a trustworthy phone number version of | https://haveibeenpwned.com?"_ | | An "exact" google search excluding adjacent phone numbers seems | to work well for my numbers, and culls a lot (not all) of the | autogen pages. So if your number was 212-555-1239, search | Google with these strings: "(212)555-1239" | -1240 -1238 "212-555-1239" -1240 -1238 | rikkipitt wrote: | Good idea, I'll give that a whirl later. Great tip to filter | out those auto-generated list sites. Thanks. | dreadlordbone wrote: | you genius | neogodless wrote: | Dear god, fastpeoplesearch.com is a horribly obnoxious | treasure trove of information. | brodericjduncan wrote: | so if I search my phone number, it brings me to my name and | everything. But if I search my name it doesn't get my phone | number right. Any ideas why it's like that? | tyingq wrote: | Tried it, you're right. Got 6 of my past addresses, 9 past | phone numbers, 8 relatives, all correct. Some incorrect | info, but not much as a percentage. | | If you reverse search the PO Box address listed on the site | contact page, you'll find an Amateur Radio license listed | to a person that is probably the owner of the site, based | on his past experience. | tyingq wrote: | Also, searching for their Adsense publisher id reveals | some other sites they own: peoplesearchnow.com, | fastbackgroundcheck.com, smartbackgroundchecks.com | | Those sites have new and different PO Boxes in other | cities, etc. | JoshGlazebrook wrote: | Interesting. The email they have for me is the one I use | for all of my domain name contact info. 
I wonder how they | connected that to my actual "profile" when I always have | paid for domain privacy. | randerson wrote: | Just submitted a removal request for myself, a flow full of | dark patterns (in fact the Remove button didn't even show | up until I disabled my Pi-Hole). Remains to be seen whether | all I did was make the data more valuable by confirming my | email address. The page recommends signing up at | BrandYourself to prevent various other data brokers from | showing the same data. How is this not extortion? | tyingq wrote: | _"The page recommends signing up at BrandYourself"_ | | Is it a link? BrandYourself has an affiliate program, so | they are probably making money on referrals. | tnolet wrote: | European here. What are these bot calls exactly? Never had one | as I guess it's forbidden where I live. | henadzit wrote: | Telemarketing or political campaigns. Check out the Robocall | article on wiki. In Europe it depends on the country. In | Poland I receive a few calls daily but they are people | calling me, not bots. Never received a robocall here. | timdaub wrote: | intelx.io | | Can't say too much about trustworthiness though. | | U could also just download the set from e.g. raid forum to | check for yourself. | rikkipitt wrote: | Might have to I think. | rvz wrote: | So when are we going to stop companies from accessing your | address book and 'uploading it' as part of the sign up process? | Or even using Facebook and its services in general. | | Well the biggest offender now has leaked the data of hundreds of | millions of users who have attached their phone numbers and full | names. | | Now let's see if the users REALLY care this time that when they | signed up to Mark Zuckerberg's website, it wasn't a good idea to | sign up with a phone number in order to 'stop bots'. They did not | learn with the Cambridge Analytica scandal, are they finally | going to learn? | xupybd wrote: | Any tools around to search this database?
I'm keen to find out if | I've had data leaked. | villgax wrote: | Can't have shit on the Internet | FukHN wrote: | Be careful HN will shadow ban you.. HN loves FB | afinlayson wrote: | Why can't we have a private/public key phone number ... that'd | fix this problem... We gotta stop using integers to identify | people. | ve55 wrote: | This could be the first large breach we've seen from FB like | this. Most past breaches were of a much different and smaller | nature (scraping or API access abuse), and seeing a _real_ leak | like this could change the landscape for FB quite a bit, since | historically companies like Facebook and Google have been very | good with preventing them. I don't know a ton about FB's | specifics, but there's a chance this data could be 'public' from | people with the given privacy settings, if perhaps 25% of users | have that turned on. If that is not the case though, then this | would be the first serious breach from FB imo. | | Either way at this point I operate under the expectation that | most information I input into a database may be leaked at some | point. This is particularly rough for services that demand and | track a lot of things, but it cannot be helped. | retox wrote: | Will the EU impose a fine per person? Maybe we'll see in 8 years' | time. | one2three4 wrote: | (Apologies if the link is in the comments already. I can't seem | to locate it.) Where is the list? | iso1210 wrote: | Is Zuck's number there? How about Bezos? Biden? Putin? | bellyfullofbac wrote: | Last night I was browsing Facebook, and all of a sudden, it said | there's been suspicious activity and I've been locked out of my | account. To unlock it, I had to review the email address and | phone number I associated with my account (in case the hijacker | added their own contact info), but all it had were my info that I | added in 2011 (before I knew what a piece of shit Zuck was).
Then | it asked me to change my super-complicated password because it | said the password is no longer secure. | | So, can I assume this leak is related to this strange event? | i_have_an_idea wrote: | Highly unlikely to be related. It's not a password leak. It's | also not really a leak, someone scraped some public profile | info and then used the phone number lookup feature to match up | the two. | AlphaWeaver wrote: | Has this breach made it onto HIBP yet? | banana_giraffe wrote: | Dunno, but if the US dataset is anything to go on, an import | into HIBP won't catch much. Less than 1% of the entries have an | email address. | antibland wrote: | I'm curious about the pool of Facebook users who seldom use the | product, retaining it solely for groups and to keep in touch with | family. Will this event loosen that final brick and drive these | users to delete their accounts? | flas9sd wrote: | "keep in touch with family" can be subsumed by chat apps. But | for discussion groups and special interests, facebook is still | the most accessible site to run (small) groups in, or am I | mistaken? | banana_giraffe wrote: | Looking at the leak others have pointed to, there are a | surprising number of people working in a particular imaginary | company:
|
|   sqlite> select company, count(*) as c from usa
|      ...> where length(company) > 0 group by company order by c desc limit 10;
|   company                                   c
|   ----------------------------------------  ----------
|   Self-Employed                             459119
|   Facebook                                  181013
|   Retired                                   71210
|   The Krusty Krab                           61550
|   Hollister Co.                             42304
|   U.S. Army                                 39682
|   Stay-at-home parent                       33095
|   Walmart                                   31600
|   McDonald's                                30792
|   Student                                   25326
|
| gbear605 wrote: | I definitely know real people (especially highschoolers or | college students) who put fictional jobs in their profile. Also | common is using some fake name, like that of a fictional | character. | uyt wrote: | Can you link me to where you found the data?
| banana_giraffe wrote: | https://news.ycombinator.com/item?id=26682774 | b212 wrote: | Could you please tell me how you converted it to sqlite? I've | got a huge 1 GB txt file that crashes my comp every time I try | to search for myself there :( Thank you! | banana_giraffe wrote: | Super hacky python script I used to turn the text files into | a sqlite database: | | https://pastebin.com/gBWhCVGz | datavirtue wrote: | Try Ultra Edit, free trial. It can read and search massive | text files without crashing. Quite responsive on 10GB files. | knolan wrote: | Firstly don't do something like open it in notepad. 1GB text | files are not exactly difficult to work with once you use a | proper text editor or parsing tools. | dunham wrote: | What's the count of people who elected not to enter their | company? | banana_giraffe wrote:
|
|   sqlite> select count(*) from usa where length(company) = 0;
|   22209703
|   sqlite> select count(*) from usa;
|   32315270
|
| bredren wrote: | May be test users. Iirc, the Flintstones were common test users. | yalogin wrote: | How is it a leak? There is no information how the data leaked. My | bet would be that it's hoarded through FB api and passed around. | Nothing new happened here is my guess | Daviey wrote: | Somewhat ironically, Mark Zuckerberg (and 2 other FB founders) | are in the dataset - along with phone numbers. | | Hopefully this disaster will be the catalyst for better data | privacy controls. | nly wrote: | What Facebook user id is Mark? Is it #1? | Jan454 wrote: | I really hope they now have to pay that 4% ransom due to | violation of the GDPR .. for each stolen account of course ;-) | russdpale wrote: | I guess if you use facebook you just deserve all the shit you | get. What sucks is that the rest of us have to live with it too. | I suppose we shall just keep waiting for that darn market to | correct itself!
| I_am_tiberius wrote: | Would like to know if non Facebook users are included because | Facebook has non Facebook user's phone numbers due to the fact | that Whatsapp uploads the entire phonebook to Whatsapp. That | means Facebook is likely to know your phone number although you | don't use Facebook or Whatsapp. | dheera wrote: | This is why I don't use my real phone number with apps and HATE | apps using phone numbers as a proxy for a user id. | | Get a virtual phone number if any service requires a phone | number from you. Don't submit to this nonsense. | afinlayson wrote: | It's not about the information you give, it's all those | friends and family who signed up for it and uploaded their | address book... They now have your phone number and email | probably your date of birth, and even some photos of you. | | They are like the credit companies, they have information on | you whether you allow them to or not. | zerof1l wrote: | I have WhatsApp and you can deny access to your phonebook. | Everything works just fine | tito wrote: | You can't start a group chat, only individual chats. | tito wrote: | Without Contact access in iOS, WhatsApp blocks you from | starting a group chat, but allows individual chats. | unicornporn wrote: | Last time I tried (a year ago or so) I couldn't add new | people to chat to. They had to contact me first. | IG_Semmelweiss wrote: | How are you able to send whatsapps to people you don't have a | prior conversation with ? | | I am doing the same boat...and was working fine until i lost | & replaced my old phone. All conversations were lost, and | this makes it challenging to use whatsapp for any non-group | conversations (since I can't start any). | TrianguloY wrote: | You can start a conversation with any WhatsApp number by | opening the url wa.me/number. The number must include the | country prefix. 
| | There are also some apps and webpages that help with this | process (Disclaimer: I'm the author of one of them for | Android [0]) | | [0] https://play.google.com/store/apps/details?id=com.trian | guloy... | luckylion wrote: | Others can still allow access to their phone book and the | information stored in them about you will be transmitted and | saved at Facebook, won't it? Is there a way to disable that? | croes wrote: | You need an account to ask FB to delete your data. | rvz wrote: | > Is there a way to disable that? | | No. | godelski wrote: | Exactly this. I recently started a twitter for my academic | career. Didn't share my contacts or anything (I only follow | academic twitter too). I get tons of suggestions of people | I know and several have followed me. The information is | from their contact list because twitter knows my number and | connected us. There's a clear benefit to this, but there | are also privacy concerns too. The lack of control over this is | what is concerning. | tpush wrote: | Whatsapp doesn't share phone book data with Facebook. | solarkraft wrote: | Yet. | | And since it's a Facebook controlled company a leak like this | happening again isn't that improbable. | darig wrote: | Facebook doesn't share phone book data with hackers either. | spinny wrote: | Just like Kelly Loeffler didn't share any info with her | portfolio manager | Nextgrid wrote: | It _claims_ not to, which isn't a guarantee. After all, they | also _claimed_ not to use phone numbers given to them for 2FA | for anything else, and yet ended up using them for ad | targeting. | [deleted] | superjan wrote: | Hi, how do you know? It is of personal interest to me as I | don't use FB but do use WhatsApp. It may also reduce the | piling of downvoters. | tpush wrote: | Here's the source: | https://www.spiegel.de/international/business/whatsapp- | ceo-o...
| | Quote: | | "Cathcart: It's true that we do have some information about | how people use WhatsApp and that we do know, for example, | the device ID. We collect this only to secure our services | and protect from attacks. When you use WhatsApp and allow | access to your phone book, we only see the phone numbers, | not the name. | | DER SPIEGEL: Do you share these numbers with your parent | company Facebook? | | Cathcart: No, we don't. The updated privacy policies will | actually not change anything globally in our ability to | share data with Facebook." | Someone wrote: | _"The updated privacy policies will actually not change | anything globally in our ability to share data with | Facebook."_ | | I don't see how that "globally" can be true. If one | compares the WhatsApp terms of service in the EEA | (https://www.whatsapp.com/legal/updates/terms-of-service- | eea/...) with those elsewhere | (https://www.whatsapp.com/legal/updates/terms-of- | service/?lan...), you'll see the latter adds: | | _Affiliated Companies. We are part of the Facebook | Companies. As part of the Facebook Companies, WhatsApp | receives information from, and shares information with, | the Facebook Companies as described in WhatsApp's | Privacy Policy, including to provide integrations which | enable you to connect your WhatsApp experience with other | Facebook Company Products; to ensure security, safety, | and integrity across the Facebook Company Products; and | to improve your ads and products experience across the | Facebook Company Products. Learn more about the Facebook | Companies and their terms and policies here._ | | AFAIK, that addition was what caused the uproar earlier | this year. | | (Also note the dark pattern in both terms of service that | seeds confusion as to which are the ones that apply to the | EU.
In the first sentence, _"If you live in the European | Region, WhatsApp Ireland Limited provides the Services to | you under this Terms of Service and Privacy Policy."_, | 'this' doesn't refer to the text you're reading, but to | the texts behind the hyperlinks) | [deleted] | [deleted] | egwor wrote: | That doesn't seem to be correct, although what does 'phone | numbers' mean in this context? | | Quote: "WhatsApp, which was acquired by Facebook in 2014, | does share some limited data with Facebook, including phone | numbers. However, the firm has reassured users that messages | will always be protected by end-to-end encryption, which | means neither WhatsApp or Facebook can see these private | conversations" | | Source: https://www.forbes.com/sites/carlypage/2021/01/15/wha | tsapp-d... | toxik wrote: | As always, the spying agencies are NOT particularly | interested in your actual messages, but your metadata. | | They want to know who talks to who. Limited data? What a | bunch of horseshit. | julianlam wrote: | "Limited" is a weasel word, as it can mean anything. e.g. | a "limited time offer" can mean it lasts for 2 days or 2 | years, because it is not unlimited. | | Likewise, sharing a limited amount of information with | Facebook simply means they don't hoover up every single | bit. Perhaps Facebook is not interested in those | automated texts you get confirming haircut | appointments... | gbear605 wrote: | On the other hand, if you just got a haircut, then they | know that you'll be looking for another one in a set | amount of time (based on your hairstyle, which they also | know from photos), and they could advertise hair salons to | you then. | | I'm not sure their algorithm is this refined, but it's | not impossible. | dannyr wrote: | That's what Facebook says. | | But Facebook has no history of lying right? /s | 153791098c wrote: | It goes so much further than this and it is absolutely | frightening.
The following sketched situation applies if you | don't use Facebook at ALL. | | 99+% of every single person you meet has either FB, IG or WA | installed on their phones and shares their phonebooks with them | (assuming you live in [insert western country here]). There is | also a very big chance at least some have your full name and | address in their phonebook. Facebook not only knows who you | are, but also who you are in contact with, when you meet new | people and who they are. They also collect phone and text | records with their apps so they also know the frequency that | you have contact with them and they can even read the content | of text messages (most people give these permissions to the apps | because it will automatically verify the associated phone | number). Add all the location data, ssid/mac address collection | and countless other datapoints to it and they can draw out | your entire life even when you don't use anything from | facebook. There is no escape. | djhn wrote: | As a counterpoint I can think of dozens of personal | acquaintances who are happily non-users and never interact | with Facebook properties (retirees not into tech, busy | executives, too-cool-for-Facebook hipsters). If your country | or social circle doesn't use WhatsApp, Facebook itself is | already dying and Instagram is getting their lunch eaten by | Tiktok. | lostlogin wrote: | I don't use Facebook or their other apps (eg WhatsApp). | Facebook has my email address as I used to get regular invites | to sign up. Facebook also knows what I look like from friends | tagging me in pictures, and seems to know my date of birth as | people tell me that they were notified by Facebook. So even if | you have avoided all their stuff, you aren't immune. | gwid0n wrote: | Anecdata: I've never provided my phone number to FB, I provided | it to Messenger App and Whatsapp, it's not in the file for | my country.
| wrycoder wrote: | https://kieranhealy.org/blog/archives/2013/06/09/using-metad... | hourislate wrote: | It's sick that they are allowed to get away with this. It's | basically a botnet stealing information. | matheusmoreira wrote: | The difference between malware and "legitimate" software is | whether there's a "legitimate" company behind it and whether | that company has a "legitimate" interest in the information. | Sad but that's how it is. Just like how governments give | themselves the right to crack computer security and surveil | everyone but throw citizens in jail if they do the same | thing. | macintux wrote: | Every time someone argues that people can avoid the privacy | problems of Facebook by simply not using it, I point out this | issue (plus the shadow accounts). | Guest42 wrote: | I recently purchased a phone that had the Facebook app | preinstalled. If I had to guess, the mere act of connecting | to WiFi caused a whole slew of info to get sent. | reddotX wrote: | FFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUU | drewmol wrote: | Obligatory mention: mbasic.facebook.com it's like a clean | needle exchange for Facebook. | Guest42 wrote: | That's nice. I deleted my fb but sometimes groups will | require it for events and discussion boards. | lostlogin wrote: | There was a dark phase when it looked as if the only way | to sign up for various services was going to be Facebook. | If memory serves, there was a time when Spotify sign up | required Facebook. | macintux wrote: | I would think not, but my cluefulness regarding Android | security/privacy is effectively nil. | Guest42 wrote: | I didn't check what permissions it was given by default | but hopefully not too many and with those not much | spying. It would be nice to have a clear map of what data | can be obtained with what permissions. | timhigins wrote: | Actually Android devices (especially older ones) are | known for in many cases sending extensive data to the | manufacturer on network connect. 
See for example: | https://www.nytimes.com/2016/11/16/us/politics/china- | phones-..., https://balagetech.com/android-app-phones- | home-china/ | 533_bot wrote: | How to buy the leaked data? Please share telegram bot link or | raid website link | cpv wrote: | Tried to look up some info, but it's not there. Maybe it's from | some web scraper which collected public info, or other means | (some ambiguous mobile app which had access to contacts?). Or the | leaked files are incomplete. | uniqueid wrote: | We should start thinking of these breaches in terms of their | _accumulated_ impact. It's not the 1990s anymore, where data is | difficult to store and networking too slow to move it. | | We should assume the leaked data doesn't go away; that instead | people out there are consolidating Equifax data with Vastaamo | data, adding data from Exchange hacks and the Accellion hack, to | cross-reference with data from Facebook... it's like water | flooding a levee now, instead of evaporating. | | Not the first time I've harped here about this (i.e. | https://news.ycombinator.com/item?id=26604753, | https://news.ycombinator.com/item?id=24586258), but I hope we | start planning for that kind of future. | uyt wrote: | Honestly sounds like a fun job for future historians. By | aggregating all the leaks over a long period, how much of a | person can you reconstruct? | | For example even though I am using a throwaway account, HN's | logs might one day get compromised. So now they can join the IP | address to other compromised sites that I was logged into using | my usual email. And from my email they already have my name, | SSN, address, phone number, usernames, passwords, etc, exposed | from prior breaches. But now they know about my shitposts too. | varispeed wrote: | At this point Facebook should be closed down immediately, only | leaving an option to download your own personal data.
I think | they shouldn't be able to reopen until the whole thing is | regulated, a severe fine applied and damages to all affected users | paid. | nly wrote: | Found myself in the data set, but didn't find several people I | expected to find. Seems to be only those who added their mobile | number (I did so for account recovery purposes only). | zlib wrote: | So, how do I see if my data is in this? | anonymousiam wrote: | The root of the problem is not the privacy policy or the system | security. The root of the problem is the collection itself. All | large businesses, health care providers, and governments maintain | databases. Every one of them will eventually be leaked. All it | takes is a corruptible trusted insider. | TheRealDunkirk wrote: | > Every one of them will eventually be leaked. | | Equifax has more at stake than most. And they've been hacked. | Repeatedly. The government has been hacked. Yahoo was | COMPLETELY owned. I mean, if someone would put together a list, | it would make for shocking reading. It's become so common, that | we go, "Oh no! Anyway." | xtracto wrote: | This. | | I don't trust in the government, but I think digital "personal | data" should be only available for "confirmation" to companies | that need it. Say, a government entity could have an API that | allows you to send _hashed_ personal data that they can verify | is right. This way companies will ask the user for their data | and hash it client-side. Then they can send the hashes (hashed | with a custom provided salt) to the entity (government, maybe | private) which will basically reply with a True or False on the | verification of the different data. | | It may even be an interesting use case for a public blockchain, | where your personal data is stored in a Merkle Tree type of | data structure, so that one can verify that certain personal | data of a person is true, without disclosing the data.
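The Merkle-tree idea xtracto sketches above, worked through as an added example (this is not code from any commenter or from Facebook; the attribute names, the record values and the 16-byte per-leaf salts are constructed). An issuer builds a tree over salted commitments to each attribute and publishes only the root; the holder later discloses one attribute plus its salt and inclusion path, and a verifier recomputes the root. The plain "hash it client-side and ask for True/False" variant is the one-leaf degenerate case of the same construction. The per-leaf salt matters for exactly the reason this thread is about: a phone number has only about 10^10 possible values, so an unsalted commitment would be reversible by anyone holding the tree.

```python
"""Selective disclosure of one personal-data attribute via a salted Merkle tree.

Roles (all assumed for this example):
  issuer   - e.g. a registry that knows the full record; publishes/signs the root
  holder   - the person; keeps the record and the salts, reveals one attribute
  verifier - a company that only ever sees root + one attribute + proof
"""
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(name: str, value: str, salt: bytes) -> bytes:
    # 0x00 domain prefix so a leaf can never be confused with an inner node.
    # The salt blinds low-entropy values (phone numbers, dates of birth).
    return sha256(b"\x00" + name.encode() + b"\x1f" + value.encode() + b"\x1f" + salt)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_levels(leaves):
    """All tree levels, bottom first. Odd-sized levels are padded by duplicating the last node."""
    levels = []
    cur = list(leaves)
    while True:
        if len(cur) > 1 and len(cur) % 2:
            cur.append(cur[-1])
        levels.append(cur)
        if len(cur) == 1:
            break
        cur = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)]
    return levels


def issue(record: dict):
    """Issuer side: returns (root, canonical attribute order, fresh per-attribute salts)."""
    names = sorted(record)  # canonical leaf order so holder and verifier agree
    salts = {n: secrets.token_bytes(16) for n in names}
    leaves = [leaf_hash(n, record[n], salts[n]) for n in names]
    return build_levels(leaves)[-1][0], names, salts


def prove(record: dict, names, salts, attr: str):
    """Holder side: inclusion proof for a single attribute; other attributes stay hidden."""
    leaves = [leaf_hash(n, record[n], salts[n]) for n in names]
    levels = build_levels(leaves)
    idx = names.index(attr)
    path = []  # (sibling_hash, sibling_is_on_the_right)
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append((level[sib], sib > idx))
        idx //= 2
    return {"name": attr, "value": record[attr], "salt": salts[attr], "path": path}


def verify(root: bytes, proof: dict) -> bool:
    """Verifier side: recompute the root from the disclosed attribute and its path."""
    node = leaf_hash(proof["name"], proof["value"], proof["salt"])
    for sibling, on_right in proof["path"]:
        node = node_hash(node, sibling) if on_right else node_hash(sibling, node)
    return hmac.compare_digest(node, root)  # constant-time comparison


# Constructed sample record; nothing here is real personal data.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "phone": "+15555550100",
    "dob": "1990-01-01",
    "ssn": "000-00-0000",
    "address": "1 Example Street",
}

if __name__ == "__main__":
    root, names, salts = issue(SAMPLE_RECORD)
    proof = prove(SAMPLE_RECORD, names, salts, "phone")
    print("phone proof verifies:", verify(root, proof))
    proof["value"] = "+15555550199"
    print("tampered phone verifies:", verify(root, proof))
```

The verifier learns the disclosed value and that it is committed to under the published root, and nothing about the other leaves beyond their hashes; the issuer should sign the root so the verifier can also check who vouched for it, which this example leaves to whatever signature scheme the deployment already uses.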
| tomComb wrote: | Google has a huge number of activist (and surely some | corruptible) employees, and yet the incidents of users data | getting out are very close to zero. | | I think this demonstrates that user data can be managed safely | and effectively. | | Usually the incidents reports on user data leaks show that the | company seemed to barely be trying - We need laws that force | them (even small companies) to put serious effort into it. | varispeed wrote: | You don't know that. While the publicly available data leaks | are indeed rare, you cannot know if they don't use the data | for trading or other purposes for their personal gain without | disclosing it to the public. | tomComb wrote: | There are infinite things we can't know - opening the | discussion up to that really makes anything possible, but | the discussion wasn't even about what they might do with | the data beyond leaking or selling it. | Judgmentality wrote: | Sure, but if you have no evidence of it happening you have | a fairly weak argument. | HenryKissinger wrote: | > Every one of them will eventually be leaked. | | [X] Doubt | HighlandSpring wrote: | On a long enough timeline everything and everyone can be | compromised (or the institution fails before then) | hobs wrote: | Exactly - either the data is basically not valuable at all | (the category for which PII rarely fits) or else when the | company collapses or is bought, the data moves too. | | There's always an incentive to steal or leak it to other | companies for money; so as long as the incentives are | aligned with GATHER ALL DATA and KEEP IT FOREVER then yes, | it will just be a matter of a time before each data store | is compromised by mistake or purposefully. | allworknoplay wrote: | Why on earth did you pick this username | BobbyJo wrote: | I doubt the claim, but the sentiment I think is valid. If you | think about what data these entities are holding, it's not | unique to a single database or entity. 
Your | name/address/phone/SSN/etc. is likely stored in so many | places that the probability it gets leaked from at least one | eventually I'd say is very nearly, if not 100%. | sachdevap wrote: | Can someone please guide me on how to check this leak to verify | if my info was leaked? | throwawaybchr wrote: | Is Mark Zuckerberg's number one of them? | idlewords wrote: | Should make it easier to jump-start a competitor! | xyst wrote: | I removed my phone number from Facebook when it was reported that | Facebook used this as some sort of tracking mechanism across | third party vendors - specifically with purchases from merchants | - in order to serve more "relevant ads". From what I recall, if | the merchant is somehow hooked up into FB APIs then regardless of | whether you signed up for their rewards program using an e-mail + | password or via FB SSO, then they would send "anonymized" | data back to FB for each purchase. | | I wonder if my phone number still persists (aka "soft delete") | bartread wrote: | When did you remove your phone number? Looks like this relates | to a vulnerability that was patched in 2019. | | I'm slightly concerned about this myself. I'm also seriously | ticked off with Zuckerberg and co. I can tolerate the fact that | internally they do scumbaggy things with my data. I tend to | have less forbearance when they let my data out into the wild. | londons_explore wrote: | Looks like this is the "To match users to their friends by phone | number, you need an API which can take as input a phone number, | and return information about if that number has an associated | account" problem. | | There is no way to let a user find their friends on a service | without such an API. Yet if you have such an API, someone can | simply brute force all phone numbers worldwide (there are only | 10^10), and now they have a database of all users...
| | Rate limits can help defend, but considering many users might | have 1000 phone numbers in their address book, you can't set the | rate limit very low without impacting user experience. Attackers | can reduce the search space dramatically by only checking phone | numbers that resolve to an active line (using VoIP stuff to test | a number). | | The only real solution is for your app not to have a "Here is a | list of your friends already in the app" screen... But as you can | imagine that means you won't get any user growth or VC funding... | Scoundreller wrote: | And now you know how those cell phone farming programs were | able to pay people a couple bucks a month to run crap on arrays | of dozens of phones. | amluto wrote: | This is the same fallacy that leads to apps asking for | permission to access your whole picture library. | | Facebook could have an API by which an app can prompt its user | to show a list of all of that user's friends who have the app | installed. The app would only learn the identities of people | whom the user explicitly selects, and phone numbers would not | be part of that identity. | progval wrote: | It works for photos because the threat model is about | protecting local files against malicious apps. | | But for phone numbers, you are talking about protecting the Facebook API | (which is publicly available via the internet) against | arbitrary devices, which Facebook has no way to tell from | legitimate ones. | amluto wrote: | What I mean is: Facebook should remove that API entirely. | Apps do _not_ need a way to look up a phone number in | Facebook's database. The "find my friends using this app" | feature does not require this capability. | progval wrote: | What you are proposing is that third-party apps should | ask Facebook's app to find the friends, right? | | But Facebook's app needs to access Facebook's database | somehow; and anyone can impersonate Facebook's app and | query that database too.
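The enumeration problem londons_explore describes above, as an added example that is not code from the thread and not Facebook's design: a toy contact-discovery backend in Python with the two mitigations a defender would reach for. A match is only revealed when it is mutual (the "who can find me by my number: my contacts" setting that the Telegram comment further down the thread mentions) unless the user has opted in to being found by anybody, and every account has a lookup budget sized to a real address book, so a genuine user with a thousand contacts is never throttled while the amount of the numbering plan one account can probe stays bounded. The stored index is an HMAC of the normalized number rather than a plain hash, because a plain hash over roughly 10^10 candidates is trivially reversible. The HMAC key, user names, numbers and budget size are constructed for the illustration.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed server-side key; in a real deployment it lives in a KMS/HSM.
SERVER_KEY = b"constructed-example-key"


def normalize(number: str) -> str:
    """Collapse formatting so '+1 (555) 010-0001' and '15550100001' index the same entry."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def keyed_hash(number: str) -> str:
    """HMAC of the normalized number. An unkeyed hash over ~10^10 candidate
    numbers can be inverted by brute force; with the key, the index is useless
    to anyone who does not hold it."""
    return hmac.new(SERVER_KEY, normalize(number).encode(), hashlib.sha256).hexdigest()


class ContactDiscoveryService:
    def __init__(self, daily_budget: int = 5000):
        self.daily_budget = daily_budget      # sized to a large real address book
        self.user_number = {}                 # user -> keyed hash of their own number
        self.number_to_user = {}              # keyed hash -> user
        self.uploaded = defaultdict(set)      # user -> keyed hashes they have uploaded
        self.discoverable_by = {}             # user -> "everybody" | "contacts"
        self.lookups_today = defaultdict(int)

    def register(self, user: str, number: str, discoverable_by: str = "contacts"):
        h = keyed_hash(number)
        self.user_number[user] = h
        self.number_to_user[h] = user
        self.discoverable_by[user] = discoverable_by

    def remaining_budget(self, user: str) -> int:
        return self.daily_budget - self.lookups_today[user]

    def find_friends(self, user: str, address_book) -> list:
        """Return the registered users in address_book that the caller may see.
        Raises RuntimeError once the caller's daily budget is exhausted, which
        is what bounds how many numbers one account can test."""
        hashes = {keyed_hash(n) for n in address_book}
        if len(hashes) > self.remaining_budget(user):
            raise RuntimeError("daily lookup budget exceeded")
        self.lookups_today[user] += len(hashes)
        self.uploaded[user] |= hashes
        found = []
        for h in hashes:
            other = self.number_to_user.get(h)
            if other is None or other == user:
                continue
            policy = self.discoverable_by[other]
            # "contacts": reveal the match only if it is mutual, i.e. the other
            # user has uploaded the caller's number too. A sweep of numbers from
            # a fresh account therefore matches nobody on the default setting.
            mutual = self.user_number.get(user) in self.uploaded[other]
            if policy == "everybody" or (policy == "contacts" and mutual):
                found.append(other)
        return sorted(found)


if __name__ == "__main__":
    svc = ContactDiscoveryService(daily_budget=3)
    svc.register("alice", "+1 555 010 0001")                       # default: contacts only
    svc.register("bob", "+1 555 010 0002")
    svc.register("carol", "+1 555 010 0003", discoverable_by="everybody")
    print(svc.find_friends("bob", ["+15550100001"]))                # [] (not yet mutual)
    print(svc.find_friends("alice", ["15550100002", "+1 (555) 010-0003"]))  # ['bob', 'carol']
```

The two defences compose: the budget limits how many numbers a single account can test per day, and the mutual-contacts rule means that even a number which is tested returns nothing unless its owner already holds the caller's number, so the lookup API no longer doubles as a number-to-account oracle for the users who keep the default.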
| varispeed wrote: | I think it should be illegal for apps to help find | friends. If you genuinely meet someone offline, then they | could generate you a token that then you could enter on | the site to "connect". | noxer wrote: | Telegram had this issue too and they made a setting "who can | find me by my number"; you set it to "my contacts" so only | mutual contacts can find each other. | Someone wrote: | I think there are way more than 10^10 phone numbers in the | world. I think there are 10^10 combinations in the USA alone | (filtering by unused area code, etc will decrease that number, | but even then | https://www.ck12.org/c/probability/permutation/rwa/Wrong-Num... | says almost 8x10^9 remain) | | Also, at least some countries have longer phone numbers | (Germany, the UK and China have 11-digit ones, for example), | and the international public telecommunication numbering plan | says plan-conforming numbers are limited to a maximum of 15 | digits, excluding the international call prefix | (https://en.wikipedia.org/wiki/E.164), so the search space, | potentially, is a lot larger. | gregmac wrote: | Are there immediate actions people should be taking at this | point? | | A lot of password reset flows work via username + SMS using | "we've sent a code to your phone number (xxx) xxx-xx12". This | database unmasks that phone number, so my assumption is this | makes SMS hijacking more viable, but perhaps someone more | knowledgeable can weigh in. | | Does Facebook allow password resets like this, and can that be | disabled? | diogenescynic wrote: | I hope the class action bankrupts Facebook, but I know it won't. | rpastuszak wrote: | I don't have FB or WhatsApp but my Insta account (using a | separate email address and no personal details) keeps | recommending my therapist to me. How are we still ok with this | shit? | | The sooner we get rid of the cancer that FB is, the better. I | didn't share my contact book with FB apps either.
It was probably | her--a person in her 70s, not necessarily experienced with tech. | | The main reason this company exists, or that ad tech can maintain | a facade of not being a mainly bullshit industry with made up | metrics, is the lack of informed consent. | | It's almost funny how we accept the current situation as normal. | Because, I think that we'll look back at these times with | disbelief at how reckless we were and how cheap we'd sell ourselves. | vmception wrote: | There should be informed consent and there should also be | revocable consent | | There should also be transparency of who has the consent right | (data licensee and sublicensee) | | And there should be a way to make easy consequences for people | not having it | | Release forms and licenses are used this way, data should | inherit that. (Both systems should be better) | dlandis wrote: | > The main reason this company exists, or that ad tech can | maintain a facade of not being a mainly bullshit industry with | made up metrics, is the lack of informed consent. | | Exactly, the industry is built on a foundation of obfuscating | the myriad ways in which they are using people's personal data. | Uninformed consent is the cornerstone of their business model. | yoaviram wrote: | Suggest you send Facebook a CCPA or GDPR data deletion request | (even if you don't live in California or the EU) for your real | identity. | | Cases like yours are why we created | https://yourdigitalrights.org/d/facebook.com, which makes it | dead simple to send such requests. Free & open source. | rpastuszak wrote: | Thanks, I'll check it out. I've used similar tools in the | past but this one looks more comprehensive.
| Nextgrid wrote: | Note that Facebook happily ignores Subject Access Requests | with complete impunity: https://ruben.verborgh.org/facebook/ | throw14082020 wrote: | Yes, I submitted GDPR (Article 17) right to erasure | requests, and I got utter garbage (please use the UI) | | Facebook: | | > Thank you for contacting Facebook. We have reviewed your | report and it appears you would like to delete your | Facebook account. | | > | | > Please note, for security reasons, we are unable to | delete accounts on behalf of users so you will need to log | into your account and delete it yourself. We have put in | place a very quick and easy process for people to schedule | the permanent deletion of their Facebook account. | | > | | > Before permanently deleting your account, you may want to | log in and download a copy of your information from | Facebook. Once your account has been deleted, it cannot be | recovered. | | However, after back and forth with them for a few weeks, I | got this: | | Hi, | | Thank you for contacting Facebook. Based on the information | you've provided, it looks like you're trying to request the | erasure of certain personal data under Article 17 of the | General Data Protection Regulation (GDPR). | | If you wish to ask for personal data relating to you to be | erased in accordance with the GDPR, please use the | following form: https://www.facebook.com/help/contact/25951 | 8714718624?ref=cr | | Additionally, as per your request, your account has been | scheduled to be deleted. | | Please keep in mind that you have up to 30 days to cancel | the deletion. Once your account has been processed for | deletion, it may take up to 90 days for all of your | information to be permanently deleted. 
| | For more details, please visit the Help Center article | below: | | https://www.facebook.com/help/224562897555674 | | We store data until it is no longer necessary to provide | our services and Facebook Products, or until your account | is deleted, whichever comes first. This is a case-by-case | determination that depends on things like the nature of the | data, why it is collected and processed, and relevant legal | or operational retention needs. For example, when you | search for something on Facebook, you can access and delete | that query from within your search history at any time, but | the log of that search is deleted after 6 months. If you | submit a copy of your government-issued ID for account | verification purposes, we delete that copy 30 days after | submission. | | Learn more about deletion of content you have shared | (https://www.facebook.com/help/356107851084108?ref=cr) and | cookie data obtained through social plugins | (https://www.facebook.com/help/206635839404055?ref=cr). | | When you delete your account, we delete things you have | posted, such as your photos and status updates, and you | won't be able to recover that information later. | Information that others have shared about you isn't part of | your account and won't be deleted. | | If you have another question or concern, please visit | Privacy Basics | (https://www.facebook.com/about/basics?ref=cr) or our Help | Center (https://www.facebook.com/help?ref=cr) for | additional information. If you have more questions about our | Data Policy (https://www.facebook.com/policy.php?ref=cr), | please reply to this message. | | Thanks, Privacy Operations | yoaviram wrote: | Nice (and detailed) blog post. In such a case there is a | clear escalation path (in the EU). Either email your DPA | (Data Protection Agency) or take legal action.
Here are the | email addresses of the various DPAs: | https://edpb.europa.eu/about-edpb/board/members_en | | We are working on automating the escalation to the DPA part | as well. | codethief wrote: | > my Insta account (using a separate email address and no | personal details) keeps recommending my therapist to me | | What about your phone number? Does your therapist have it? | Maybe your therapist granted Instagram/Facebook access to her | contacts? | | Or maybe you yourself granted Instagram access and your | therapist is in your phone's contact list? | rpastuszak wrote: | Yup, I don't share my contacts with FB or insta, but I think | that she did. I don't blame her, she's not a very "technical" | person and the UX is not meant to help her make a conscious | choice. | thatcat wrote: | There are many other ways this could happen, did you google | her address on your phone browser or something like that? | IG always seems to give recommendations based on what I've | watched on youtube recently or looked up somehow. | rpastuszak wrote: | I'm using DDG and a browser with 3p cookie blocking so | this is less likely, but something might've slipped | through the cracks. | disgruntledphd2 wrote: | Honestly, it's almost certainly either her uploading her | contacts, or location. I know that I normally get FB | friend suggestions for people I've been at parties with. | sn_master wrote: | I had the same problem but figured it out at last. The | Instagram recommendations are based on who is on your phone | contacts. Anytime I add a new contact number, they show up on | my Instagram recommendations even if we never interacted in | any way, not even by the phone. | DSingularity wrote: | The reason we are here is because the one subset of the | population which can do something about it has sold out. Is it | the congressmen? No, it is us. Also the professors that taught | us and the departments that accredited us.
Either we did | nothing to fight back or we are ourselves complicit and helped | them build this world we live in. | rpastuszak wrote: | I see what you mean but I think it's a bit more complicated | than that. It's hard to make the right choice when most of | the information you receive comes from the entities in whose | interest is you _not_ making the right choice (e.g. Google, | FB). | | An average HN reader is in a very comfortable situation | compared to the remaining 99.9% of the population, who might | not have time to think about this. | | Unless, and I might've misunderstood you, by "us" you mean | the people who work on those platforms, and have the time and | resources to think about these matters, in which case I'd say | that I agree with your statement. What's worse is how much | brain power we're wasting on solving problems that shouldn't | exist in the first place. | | "The best minds of my generation are thinking about how to | make people click ads" | DSingularity wrote: | Yeah but that doesn't vindicate them. If professors | boycotted these institutions it would have made a | difference. Still might. | Moeancurly wrote: | What's being sold as convenience is really just creepy spying | xyzzy21 wrote: | I'm not happy with ANY of it which is why I have no social | media accounts and I've been seriously considering a "dumb | phone" to replace my smart phone. I simply don't use most of | the features and it's a security/surveillance threat anyway. | anonymouse008 wrote: | You do know how this happened right? Wifi SSIDs with similar | strengths reveal if people are in the same area, then just | correlate timestamps and viola! | | I wouldn't throw the elder person under the bus on this one, | the tactics are sophisticated, and honestly, just a precursor | to what will happen with AR. 
| | To give a bit more of how it's implemented (at least how I | would propose it in iOS), Insta/FB/Whats queries available wifi | SSIDs as a background process (or whatever they have for | notifications/networking etc), and does the same to your | therapist since you both have insta / fb / whats ... and based | on the signal strength, can say with confidence you two were in | the same room because XYZ Wifi strength is -X dB just like yours | (walls are strong signal augmenters), and you are both there | for some time based on the background thread timestamp. | rpastuszak wrote: | haha, that's a good point, but in this case I think it's more | trivial than that: she probably shared her contact book with | FB or Insta (still, not her fault imho). | | But, at the same time I've worked with FB SDK which was just | one big shit show. It's hard even to describe it without | turning a comment into an essay, so I'll pick the two I found | somewhat amusing: sending data to FB before the developer | could pass user consent (or lack thereof), sending hashes of the | (non-FB) libraries installed on your phone to FB servers. | | Minor tangent: The best thing about the web is that user | agents are still pretty good at fighting some of the tracking | practices (ETP/ITP, cross origin security, etc...). It's | actually quite impressive. Then, native is just one big black | hole. This is why the current browser changes, although | positive overall (less $$ from 3p tracking), are a double- | edged sword (pushing people towards walled gardens). | krrrh wrote: | It's almost certainly just the phone number. Recently | Instagram told me that a former business partner of mine | had joined and I was surprised to learn that his account | was a hair braiding service in Atlanta for women with | African lineage (we're both Canadian men with European | ancestors).
We figured out that years ago we had taken a | business trip there and picked up temporary SIM cards back | when Canadian cell phone plans charged injurious roaming | fees. I still had that phone number in my contacts for him | when I joined Instagram, and it had finally been recycled | and used to create an account. | | It's a cool thought experiment for nerds and paranoiacs to | imagine how you might use relative wi-fi strengths, | bluetooth beacons and complex interaction patterns, but | it's less sophisticated than that. | rpastuszak wrote: | Yeah, my first thought reading the parent comment was two | words: "Occam's razor". But, I still find it amusing that | companies like FB want to project the image of "informed | consent" whereas we have a bunch of developers here | trying to figure out what the hell happened and coming up | with plausible solutions. | | What's interesting though (and I know that from my | professional experience in ad tech) is that the | "cookiegeddon" did push companies towards non- | deterministic, more fuzzy ways of cross-device targeting | (and we're talking about people who already think that | fingerprinting is ethical). | | The upside is that metrics are mostly bullshit anyway. | smhost wrote: | > It's almost certainly this one thing, and not the other | thing. | | No, they dragnet every possible identifier and dump | everything into a pattern recognizer. | anonymouse008 wrote: | > It's a cool thought experiment for nerds and paranoiacs | to imagine how you might use relative wi-fi strengths | | I'm honored to be called a nerd on HN... I'll ignore the | latter ;) | | Though while I agree the phone number is _absolutely_ | used, I don't think it's the _only_. Trying to get out | ahead of the public's changing privacy tastes is a must | for any advertiser that collects social-graph-like data. | So strategically, if FB is not doing this, I would pull | any FB investments because they aren't trying to do their | job.
| clort wrote: | is it even legal for a _therapist_ to share their clients | contact details with a third party? | | certainly I would expect that a person who works as a | therapist would be aware that the concept of client | confidentiality exists and that they should not share their | clients details | Nextgrid wrote: | It's not like Facebook is being transparent with what | data they collect and how it's going to be used. | Furthermore they don't understand the concept of "no" and | will keep asking, hoping to catch you off-guard as you | press the wrong button and give them access. | hanspeter wrote: | Not sure why you're suggesting shenanigans like wifi SSID | tricks (and others jumping the bandwagon), when the actual | thing that happened here is obvious: | | GP visited their therapist's website, the website had FB/IG | advertising tracker installed, the therapist had a campaign | running that targeted all visitors from their site. | anonymouse008 wrote: | I appreciate that idea, however, I've been testing my own | 'friend suggestions' and keep a strong track of my | antics... also, it's become a hobby of mine to debunk each | time someone says 'they're listening to my microphone!!!' | | Most of the time the 'listening to me' conversations are | based on origin IP to insta/fb/whatsapp servers. One person | talks about idea X, another person looks it up (either in | the room or later at home by themselves), and now everyone | who was at that IP together will get ads for X. | | What's more, Google maps uses Wifi SSIDs to get better | location data when GPS gets a bit spotty... so, I'd venture | to say it's a small step to associate accounts and make | friends. | KaiserPro wrote: | > You do know how this happened right? Wifi SSIDs with | similar strengths reveal if people are in the same area, then | just correlate timestamps and viola! | | I mean yeah, they _could_ do that, but thats a pain in the | arse to do. 
Its far easier to do it on contact lists, | interests and implied location from business page follows. | | I don't think iOS allows you to track SSIDs, which explains | the lack of wifi scanning utilities in the app store. | MR4D wrote: | WiFi SSIDs have one very nice attribute - they tend not to | move around much. | | So every time you see a Google maps car ( or a Nuro car or | a ...), your SSID is getting geomapped. | | Now, your IP, SSID, geolocation, and who knows what else is | now sitting in a lookup table somewhere. | | So if they get all the other stuff that you just mentioned, | they now know more about you than you do! | [deleted] | rhizome wrote: | > _You do know how this happened right? Wifi SSIDs with | similar strengths reveal if people are in the same area, then | just correlate timestamps and viola!_ | | The problem is that someone decided to correlate them, not to | mention _without asking._ | scalableUnicon wrote: | It is possible to opt-out of Google's Wi-Fi network | location mapping by appending "_nomap" to SSID[1], I'm not | sure if it works with other providers. Although I think | this should have been opt-in instead of opt-out, the least | we deserve is a standard, guaranteed way to universally | opt-out. | | [1] https://www.tomshardware.com/news/Google-Maps-Wi-Fi- | Location... | sildur wrote: | Why it's always us who have to do the work to avoid being | harassed by google? If I don't want to have my site | harvested for snippets I have to add a no-snippet tag. If | I don't want my WiFi data harvested I have to append an | ugly nomap to my SSID. What about being it opt-in, as you | said? I'm tired of doing Google's dirty work... | | By the way, quoting from the article: | | > "Specifically, this approach helps protect against | others opting out your access point without your | permission." | | Oh, thank you for your kindness, Google. 
Yes, the idea of | another person denying me the joy of having my WiFi data | harvested by you is terrifying. Thanks, Google. You | really know how to be helpful... | Schnitz wrote: | Especially because Google mapping your WiFi comes with | real downsides for you. Two years ago a random stranger | rung my doorbell and told me their Android phone got | stolen and according to Find My Device, the device was | inside my house and even showed it to me live. I told | them to wait on the street and checked the roof and yard, | but didn't find the device. I simply told them I can't | help further and they luckily took it well, thanked me | and left. Imagine how easily such a situation can get | ugly though. A day or so later i realized that my Wifi | router happens to be at an oddly open corner of my house, | facing the backyard, and visible for much further than | you'd expect since there are also no other structures for | quite a distance. I bet his phone was somewhere there but | saw my WiFi and so it erroneously located itself in my | house. Thanks Google! | nunez wrote: | That's ridiculous, IMO. This is also confirmed by | Google's support document on this feature: https://suppor | t.google.com/maps/answer/1725632?hl=en#zippy=%... | | Changing one's SSID after the fact can be extremely | annoying depending on the number of devices that need to | be updated. | | There has to be a better way. | Nextgrid wrote: | This isn't relevant - we're not talking about building a | map of SSID to location, we're talking about using SSIDs | to infer relationships between people; the SSIDs don't | even have to be in any kind of location DB for that, what | allowed Facebook to infer this relationship is that both | the author's and their therapist's device regularly saw | the same SSIDs. | mrfusion wrote: | Are apps allowed to do that on iOS? I can't think of any good | reason besides for a wifi diagnostic app. | JumpCrisscross wrote: | > _and viola_ | | I love this typo. 
| therein wrote: | > Then they query the adjacent SSIDs and their signal | strength in a background thread, and bam, Viola is your | aunt, all your privacy is violated! | craftinator wrote: | I could play Hot Cross Buns on this typo. | chrischen wrote: | Phone GPS already uses Wifi for improved accuracy. So if fb | has location access permissions it already does this for them | implicitly. | yabadubakta wrote: | Once people accept that there's no such thing as a free (as in | beer) app or service. In addition, there need to be serious | laws put in place that give users control of their data. And | they should be getting paid for Facebook's profits--not the | shareholders. | bob_page wrote: | The notion that there's no such thing as a free (as in beer) | app is keeping people away from free (as in freedom and beer) | software. Sometimes you can have your cake and eat it, | although it would be nice if more people volunteered to bake | the cake. Or you could donate to the bakery. | | Software is weird, the best software is both free as in beer | AND free as in freedom. | Nextgrid wrote: | The problem is less about whether people accept to pay for | services and more that it's currently more profitable to | provide ad-supported services (paid for by non-consensual | data collection) than paid ones. | | Regulation that forbids non-consensual data collection such | as the GDPR ought to fix that, but its lack of enforcement | means it didn't have any effect on the market. Once | regulation starts being enforced, it will rebalance the | market where paid services will start to be viable because | free services would no longer be profitable. | cmoscoso wrote: | Stop using any social networks from Facebook Inc.? | | I know it's not easy if you are addicted to it but it's doable. | mancerayder wrote: | > I don't have FB or WhatsApp but my Insta account (using a | separate email address and no personal details) keeps | recommending my therapist to me.
How are we still ok with this | shit? | | I'm no attorney, but isn't there a doctor-patient | confidentiality breach (in the U.S.) if a | psychologist/iatrist's rolodex gets Facebooked out to the ad | tech bidding systems? | Barrin92 wrote: | > is the lack of informed consent. | | what's making it possible is the lack of privacy regulation. | People by and large don't care enough about privacy, it's too | diffuse, too complicated, the damage to oneself and others is | too intangible etc. | | The only way to end this is to destroy the business models that | make it possible. What stands in the way of it is the mindset | that this somehow harms innovation. (Innovating who can drive | the Titanic faster into the iceberg isn't innovation), that the | government has no right to regulate private companies, and so | on. The main problem is that people are trying to incrementally | fix a broken thing, as Peter Drucker said | | _"There's a difference between doing things right and doing | the right thing. Doing the right thing is wisdom, and | effectiveness. Doing things right is efficiency. The curious | thing is the righter you do the wrong thing the wronger you | become. If you're doing the wrong thing and you make a mistake | and correct it you become wronger. So it's better to do the | right thing wrong than the wrong thing right. Almost every | major social problem that confronts us today is a consequence | of trying to do the wrong things righter"_ | rpastuszak wrote: | Yes, we need better laws, opt-in consent and alternatives to | ad tech (such as better ways for supporting publishers). The | issues are systemic, going deeper than ad tech itself (e.g. | conflicting incentives even within the same publishing org, | metrics being mostly nonsense, Goodhart's law). | | I think that the existing incentives can be moved, but we | will need a change in mentality that might require a | generational shift, or who knows how many fuck-ups.
I'm | becoming more and more pessimistic wrt the latter. | rhizome wrote: | > _People by and large don't care enough about privacy_ | | Not to play dumb or sealion, but what opportunities are they | given to do so? How often have those opportunities been one- | and-done, "if you don't do something to protect your privacy | in this particular instance at this particular moment, it's | gone forever?" | kelnos wrote: | > _How often have those opportunities been one-and-done, | "if you don't do something to protect your privacy in this | particular instance at this particular moment, it's gone | forever?"_ | | I don't think that question really captures it, because an | easy response to that is "Why do I care? Why is my privacy | so important that it's a problem that it's gone forever?" | To some of us that might seem like an absurd question; we | see privacy as an obviously valuable thing that we are | struggling to maintain. | | But I don't think that's the case for most people; I think | most people adopt the "I have nothing to hide, so what does | it matter?" attitude. Especially when they (likely | correctly) believe that online services that are central to | their lives (like GMail or GDocs or Facebook or Instagram | or WhatsApp) wouldn't be free to use if they didn't give up | their data (and privacy) in return for the service. | | You can try to point to data breaches, but, even then, most | of those don't have a tangible effect on people. 533M | Facebook users' phone numbers and personal data leaked? | Most of those 533M probably won't notice anything bad | happening because of it, and any bad stuff that does | happen... well, they probably won't be able to draw a | causal line from the FB breach to the bad things. | mmaunder wrote: | The metastasis is companies and organizations that have FB | groups and insist that's the only way to get data or | collaborate with them and their members or customers.
| disgruntledphd2 wrote: | Because it's so easy to set up a page, and get people to | follow it. People run businesses on FB because it works, and | everyone is there. | | If the web had made things easier, this would have happened | less, but web developers didn't care enough, and FB ate their | lunch. | badjeans wrote: | > I don't have FB or or WhatsApp but my Insta account (using a | separate email address and no personal details) keeps | recommending my therapist to me. | | So what? What's the harm? | | People sure like to write emotionally charged posts arguing for | privacy, but they're always suspiciously low on details on what | bad things (actually) happened. | | Even in this case with phone numbers and other data leaked, so | what? What harm do data leaks cause? | | Seems like making a fuss about nothing. | | > How are we still ok with this shit? | | We're ok with a lot of shit. I think if we were to make a list | of shit this would rank pretty low. | rpastuszak wrote: | > People sure like to write emotionally charged posts arguing | for privacy, but they're always suspiciously low on details | on what bad things (actually) happened. | | Two bad things (random selection, because the comments below | already make some really good points): | | 1. targeted behavioural advertising is proven to increase | polarisation, literally turning people against each other. | | A single instance of violating someone's privacy doesn't | matter as much as your single vote won't shift the result of | elections. But a single vote does matter, because is a part | of a bigger whole. | | 2. My family member suffers from PTSD acquired because of | living in an abusive relationship for 2 decades. That person | started a new life, but ads targeted at her and her partner | more than once triggered actual panic attacks. I know this | might sound ridiculous without the context. 
This is because | that person didn't understand how clever the tech behind | targeting was and assumed that the ads were related to their | partner cheating on them. It's irrational, I know, but we're | talking about someone who is psychologically vulnerable. | | I'd still say that 1. is a more important argument here, 2. | just follows the line of thinking presented in your comment. | (the main problem behind 2. is that person's mental state and | the actions of their abuser, yet the amount of suffering that | could've been removed is not negligible.) | | > Even in this case with phone numbers and other data leaked, | so what? What harm do data leaks cause? | | Cambridge Analytica, voter manipulation, bias in behavioural | targeting, increased polarisation in media--please Google | these queries and educate yourself. There's a tonne of | resources on the subject, including peer reviewed academic | papers. | kelnos wrote: | I guarantee you that the majority of the population does | not understand or care about your #1. | | And I expect that the majority of the population has not | experienced the horror of your #2. | | If the majority (in this case, likely vast majority) | doesn't care about something, there probably is not going | to end up being any public policy protecting against it. | disgruntledphd2 wrote: | > targeted behavioural advertising is proven to increase | polarisation, literally turning people against each other. | | Can you provide some evidence for this please? Certainly, | filter bubbles make it easier for people to radicalise | themselves, but I've not seen very much evidence that it's | specifically the _advertising_. | | And polarisation in (US) media has been underway since long | before Mark Zuckerberg left elementary school. | cookiengineer wrote: | You've obviously never been a victim of identity fraud, | stalking or psychological terror. 
| | As long as the legal justice system hasn't caught up with | that (in the sense of efficiency and prevention of financial | problems) every data point that's leaked about you is a | potential threat. | | > fuss about nothing | | Ever heard about rape victims? Ever heard about stalkers? | Ever heard about psychological threats? Ever heard about | someone being forced to do something they don't want? Ever | heard about the fappening? How do you think those things have | happened in the past and literally ruined people's lives? | kelnos wrote: | > _You 've obviously never been a victim of identity fraud, | stalking or psychological terror._ | | And that's the point: most people haven't, and many who | have probably weren't able to link it to something specific | like "Facebook vacuumed up all my data and then lost it". | And "most people" are the people who influence and make | policy. | YarickR2 wrote: | Do you compare FB to SS and Stazi ? | seaman1921 wrote: | Post your personal phone number right here and I will show | you what harm it can cause. | YarickR2 wrote: | +79254646793 shoot | cookiengineer wrote: | Also @badjeans should give you all passwords for all email | accounts, and all encryption keys. | | Because you know, what does it matter, right? | YarickR2 wrote: | you're confusing security, privacy, and personal details | cookiengineer wrote: | Please elaborate. If security is not a measurement to | uphold and defend the right to privacy, then what is it? | andrepd wrote: | What's the harm of people watching you while you shower? | Everybody does it, you won't get hurt, so what's the harm of | stealing your nude pictures? | | > they're always suspiciously low on details on what bad | things (actually) happened. 
| | - Hyper-targeted advertising | | - Voter manipulation | | - Surveillance of dissent | | - Arresting dissidents | | - Leaking sensitive medical data | | - Leaking private pictures, videos, conversations | | - Leaking your home and work address (hello stalkers and | jealous ex-husbands!) | | - Being refused medical treatment or having premiums | skyrocket | | But yeah, nothing serious, why are you so paranoid man? | Conform, citizen! | ordu wrote: | _> Even in this case with phone numbers and other data | leaked, so what? What harm do data leaks cause?_ | | Lets imagine a situation. You've got an officially looking | letter, from unknown to you organization, claiming that for | example, your lawn is infected by a grass variant of COVID-19 | and must be disinfected, and this organization could do it in | a jiffy for a mere $1k. | | Probably it is a scam, isn't it? How do you judge it? One of | the sign of a scam is a lack of personal information in the | letter. But if you see that letter contains your name, | address, phone number, lawn dimensions, then you probably | shouldn't throw letter to a garbage bin, you should find some | other kind of test to judge is it a scam. Isn't it? | | So when you made your personal information public, scam | detection is going to impose bigger costs on you. Even if we | assume that you are perfect scam detector and will not let | any of scam to pass you undetected, then the lot of people | are not perfect in this regard. So the more difficult | detection is, the more prey for scammers. It impose costs for | a society overall, because society start to give money to | scammers, to finance all that activity that is counter | productive for an economic growth. | | But as for me it is just a nuisance to decipher such letters | trying to spend as little time on a scam detection as | possible while having no false positives. | 14 wrote: | The technology is just creepy. 
I recently experienced a wtf | moment the other day when a friend stopped by and her new bf | was in the car. We said hello and they soon left (I sell eggs). | Later that day he is being suggested as a possible friend. I | have my location services off but Facebook knew somehow. | yuliyp wrote: | Or FB knew that this person was your friend's boyfriend and | decided to show them as a possibility. You might have even | seen them there before and didn't know them and thus ignored | them. | godmode2019 wrote: | The boyfriend probably went to your Facebook to see if you | are a threat and what type of relationship you have with his | new girlfriend. ___________________________________________________________________ (page generated 2021-04-03 23:00 UTC)