[HN Gopher] Tell HN: Instagram demands I send a picture of mysel...
___________________________________________________________________
Tell HN: Instagram demands I send a picture of myself to prove I
own my account
So I tried to create an Instagram account yesterday. After
registering, I was immediately told my account was disabled for
suspicious activity, but that if I wished they would review it
within 24 hours. Weird, I thought, but maybe it's just some rare
false positive that can be triggered and I'm just unlucky. So I
waited, patiently. After 24 hours I tried to log in again and to
my surprise, my account wasn't just temporarily disabled anymore
but permanently deactivated and I was met with this message: >
Your account has been disabled for violating our terms. Learn how
you may be able to restore your account.
https://help.instagram.com/521372114683554 How can I allegedly
have broken Instagram terms when I just created the account and
even verified it by phone? So I visited that link and asked them to
restore it. What I get is an email by facebook that demands I send
them a picture of myself holding a paper that I wrote a specific
code on. Verbatim the email is this: > Hello, thank you for
contacting us. Before we can help you, you must confirm that you
are the owner of the account. Please respond to this email and
attach a photograph of yourself, where you hold a piece of paper
with the following, handwritten code on it: *** Please make sure
that the photo fulfills the following criteria: - shows the above
mentioned, handwritten code on a clean piece of paper, followed by
your full name and username - shows both of your hands holding the
paper as well as your complete face - it is well-lit and not too
small, dark or blurred - is attached as a JPEG-file to your
response E-Mail Note: Even if this account does not contain and
pictures of yourself or it represents somebody or something else,
we can only help you when we receive a picture of you which
fulfills these criteria. Am I the only one who finds this
incredibly intrusive? I know I might be partially beating a dead
horse here, as everyone knows Meta is pure evil. But this email
really "gave me the rest". I wouldn't use IG for posting pictures
of myself anyway but now I won't ever be using anything from Meta
even for business reasons. Are there really no less intrusive ways
than the above to prove ones ownership of account?? Why is email
and phone verification not enough anymore these days? Is this the
type of "progress" happening at FAANG? LOL
Author : jdthedisciple
Score : 177 points
Date : 2022-06-20 17:50 UTC (5 hours ago)
| dk79XuL9 wrote:
| They won't do anything after you've sent a selfie anyway. Same
| thing happened to me. They'll ignore all of your contact
| attempts. IG support is pretty much non-existent.
| andrew_ wrote:
| They also won't act on trademark claims until a suit is filed.
| Been down that rabbit hole too.
| kube-system wrote:
| Doesn't that mean they lose liability protections under the
| DMCA?
|
| edit: whoops, I misread the parent. I swear I know the
| difference between various IP types!
| kelnos wrote:
| The DMCA covers copyright violations, not trademark.
| Dylan16807 wrote:
| I don't think DMCA touches trademark.
|
| And depending on what you mean by "lose liability
| protections" for ignoring valid takedowns, I'm pretty sure
| that applies to the specific item and they don't stop being
| a safe harbor in general.
| annadane wrote:
| Zuckerberg is a problem. He exists only to buy out everyone else
| and will not stop until everybody is destroyed
| fritigern wrote:
| We should stop using Instagram or any Facebook service.
| dweekly wrote:
| Sadly, email and phone verification have never been particularly
| effective methods of proving personhood/identity/non-malevolent
| intent. Witness the dozens of spam phone calls / pig butchering
| texts / Gmail-originating spam emails one gets a day.
|
| I noticed that after enabling iCloud Private Relay on my phone, I
| get a _lot_ more CAPTCHAs very suspicious of my activity. This is
| both annoying and logical; a site's confidence in my existence /
| non-malevolence is much decreased when I don't appear from a
| consistent IP and the IPs that I appear from have a non-zero
| quantity of bad actors from which I must now be disambiguated.
|
| This seems a classic example of a challenging problem of
| balancing privacy (wanting an option to be anonymous in my use of
| a service, including ones where I can post information or message
| others) with security (wanting to be sure that my counterparties
| are real humans unlikely to be malevolent or misrepresenting
| themselves). Service providers get slammed for errors on both
| sides.
|
| That's not to give up on trying to solve it or suggest that the
| current status quo is optimal.
|
| Going out on a limb here, I could imagine a solution where e.g.
| Private Relay users had egress from a special set of IPs that
| indicate to service providers that the originating user had
| indeed been identified/validated by Apple as authentic. Traffic
| inbound from these IPs could have a slightly relaxed threat
| posture. This is roughly in line with what Apple has been trying
| to do with Login With Apple; not just making it easier for users
| to sign in but helping reduce automated signups. An ideal
| component missing here would be a way to backchannel to Apple
| from a service provider "Hey, user $UID did a Bad Thing just FYI"
| to allow Apple to better risk-score Apple profiles/activity,
| obviously weighted by Apple for believability on the part of the
| service provider.
| donmcronald wrote:
| > Going out on a limb here, I could imagine a solution where
| e.g. Private Relay users had egress from a special set of IPs
| that indicate to service providers that the originating user
| had indeed been identified/validated by Apple as authentic.
|
| It's not _that_ crazy if you think about it. Apple 's user base
| is a juicy target demographic. Apple's "privacy focused"
| approach is reducing the insights of every other tech company.
| If they can get it to the point where the other big tech
| companies have _nothing_ to distinguish legitimate users from
| bad actors they can make a huge identity and reputation play.
|
| I doubt it would be private IPs or anything though. I think
| it's more likely that Apple assigns some type of
| trust/relationship score to each user based on Apple's view of
| them and then let's users opt in to some type of system where
| Apple vouches for them. Ex: I ask Apple for a short-lived token
| to attest to facebook.com or microsoft.com that I'm not a bad
| actor.
|
| Apple's userbase would eat that up because they already think
| they're better than everyone else and now they'll be "rewarded"
| for that by getting a premium experience online.
|
| That would also position Apple as the only company that could
| do super targeted advertising like Facebook does now.
| cesarb wrote:
| > Ex: I ask Apple for a short-lived token to attest to
| facebook.com or microsoft.com that I'm not a bad actor.
|
| From a couple of days ago:
| https://news.ycombinator.com/item?id=31751203
| soco wrote:
| What you propose there could be built on the basis of identity
| federation, right?
| dweekly wrote:
| In theory, yes, and ideally any of this would be implemented
| as a standard, for instance as a segment of a TLS ClientHello
| added by a forwarding proxy (such as Private Relay) that
| includes a UUID connection identifier, a risk category for
| the user, the identity of the proxy, and the proxy's
| signature for the whole of the ClientHello packet.
|
| There would then also be presumably a way to interrogate a
| proxy for reporting back bad actions of a user by a service
| provider, with those attestations also signed by the service
| provider. (FLAGGED_AS_BOT, CHILD_PORN_TAKEDOWN,
| FINANCIAL_FRAUD, SPAMMING, OTHER_TOS_VIOLATION, etc) The
| service provider would pass in the UUID connection identifier
| which the proxy could then map back to the known user,
| weighted by the degree to which the proxy trusts the service
| provider's reports.
| aeyes wrote:
| This happened to me multiple times on Facebook when trying to
| open new accounts to view some walled garden content, each time I
| used a different mail address on a domain I control in an
| incognito browser session. The accounts would just get blocked
| after a day.
|
| On the last attempt I thought that I should feed the ML model
| with more data so I liked some pages and posted some random stuff
| to the profile. The account still works without any further
| activity besides using it to view content once very couple of
| moons.
|
| I came to the conclusion that creating an account and not
| immediately using it is a ban. Just another reason to not use
| these platforms, they don't even want our business.
| EVa5I7bHFq9mnYK wrote:
| I went a different way. I bought 10 facebook accounts from a
| web site that specializes in that stuff. Each worked for some
| time, but eventually after a year all got banned. I didn't post
| anything, just visited neighborhood forums.
| 3327 wrote:
| reaperducer wrote:
| _handwritten code on a clean piece of paper, followed by your
| full name and username - shows both of your hands holding the
| paper_
|
| This is how Instagram finds out that I have only one finger on
| each hand. The middle ones.
| [deleted]
| atum47 wrote:
| Is like they trying to get people to delete their account at this
| point.
|
| My feed only shows pictures of people that I don't know
|
| https://news.ycombinator.com/item?id=31755825
| foepys wrote:
| It seems that we are only one step away from "verified by
| Ancestry.com".
| acaloiar wrote:
| In a somewhat related response to your question: "Is this the
| type of "progress" happening at FAANG?"
|
| I recently had a similar experience with Robinhood. I found that
| if you use their "Logout all devices" feature, you have to re-
| verify your account with them. They allow you to deposit and
| place trades, but as soon as you attempt a withdrawal, they
| notify you that you have to re-verify your identity with them.
| After two weeks and three denied attempts to verify my identity,
| I got the SEC involved. Within minutes of the SEC notifying me
| that they contacted Robinhood on my behalf, my account was
| verified without further action from me.
|
| I withdrew all funds, closed all positions, and deactivated the
| account out of principle. It shouldn't take SEC action to get
| access to your funds. And Robinhood shouldn't notify their users
| that identity verification is required only when a withdrawal is
| attempted.
|
| Robinhood obviously isn't FAANG, but apparently this is the
| progress in tech more generally.
| tiffanyh wrote:
| Robinhood is required by regulation to KYC their new account
| holders. Which typically is accomplished via doc auth.
|
| This is applicable to all financial service companies, in the
| US at least.
| acaloiar wrote:
| I'm familiar with KYC. KYC is actually the very reason why
| Robinhood customers should _not_ be required to re-verify
| their identity because it stipulates that institutions both
| acquire and _retain_ the identity information of their
| customers.
|
| With that said, my qualms are not with the fact that I had to
| re-verify; simply the manner in which it happened.
|
| The fact that they re-requested my identity tells you that
| this verification process was not in support of their KYC
| obligation, but likely a fraud-prevention mechanism. Which
| puts the manner in which it happened entirely within their
| control from a product perspective.
| malux85 wrote:
| So KYC them when you onboard them, NOT when they try to
| withdraw.
|
| "Oh no, that might hurt our signup and trading figures?! "
|
| Well, DUH, but anything to fudge the numbers right?!
|
| Maybe if they make withdrawals even more difficult a
| percentage of users will abandon and then our assets under
| management numbers look better.
|
| This is exactly what's happening, stop forgiving the dark
| pattern behaviour under the guise of compliance.
| EVa5I7bHFq9mnYK wrote:
| That's why you should always start with small amounts,
| deposit $10, withdraw $10. If it works, repeat with $100
| etc. Never keep large amounts there, withdraw as soon as
| trade is complete.
| raunak wrote:
| Any guidance on the SEC link? Robinhood is currently royally
| boning me in the exact same way, and I want to get my money out
| as soon as possible. I already threatened to get the SEC
| involved a week ago, and still no response, so now time to
| actually do it. Would love a pointer in the right direction.
| izzydata wrote:
| I highly dislike this forced real identity thing on the internet.
| What is the problem with using internet aliases to post internet
| stuff in a manner entirely unrelated to your personal life?
| ghaff wrote:
| Because, while extremely imperfect, making a modicum of effort
| to make sure someone is a real person still screens out a lot
| of bots and anonymous scammers--which is at least a start.
| jotm wrote:
| The problem is you're adamant on using these platforms. The
| Internet exists outside them and still works fine. In fact,
| Google and Chrome are a bigger danger as they can force people
| to do whatever at the very point of entry to the Internet.
| Smart Kants.
| gus_massa wrote:
| My wife had to send a photo of herself, her ID, herself, her ID,
| herself, her ID, and after the third of fourth cycle, her account
| was marked as legit.
|
| I only can wish you good look against whatever "algorithm" they
| are using.
| jazzyjackson wrote:
| so we're at the point where the steps to prove you're human are
| so arduous only a bot will have the patience to create a new
| account
|
| someone should try using "photograph of yourself, where you
| hold a piece of paper with the following, handwritten code on
| it: **" as a prompt on DALL-E/imagen
| duskwuff wrote:
| Dall-E and its relatives are still pretty awful at text, at
| least for now. They have a decent idea of how individual
| letters are shaped, but trying to produce a specific word or
| phrase is generally pretty hopeless. Dall-E can sometimes
| correctly reproduce words that appear frequently in its
| training data, like "PIZZA", but its success rate on less
| common words is dismally low, especially when they're
| appearing out of context.
|
| Some pretty convincing examples of this behavior can be seen
| at:
| https://twitter.com/JanelleCShane/status/1531624303770279937
| mixmastamyk wrote:
| Why on earth would someone go through with this?
| openknot wrote:
| Instagram can have useful business purposes. Some personal
| trainers/consultants/very small businesses only have an
| Instagram account, and seem to be doing well. Canada's public
| broadcaster published an article about this a while back, and
| the consequences when such business owners were locked out of
| their account due to an outage:
| https://www.cbc.ca/news/business/facebook-instagram-
| outage-b...
|
| Otherwise, in certain social groups (especially young
| adults), Instagram is the main way to stay to stay in touch
| with friends, even just for the messaging app. So, not having
| an account means missing out on significant social connection
| for some (e.g. if it's the platform where the group chats are
| hosted).
|
| It really depends on your friend group, though; for many
| people, their social groups just aren't on Instagram or
| social media very much or at all, so it's easier to quit
| because there's nothing to miss out on (so for these people,
| the verification would hardly be worth it).
| jedberg wrote:
| Instagram is important to me for keeping up with family
| because all my cousins post stories of their kids on there,
| so it's how I keep up with them and what their kids are up
| to. Same with a bunch of my friends. It's replaced Facebook
| which replaced family mailing lists and newsletters. It's
| also how they keep up with what I'm doing.
|
| Also a bunch of my younger ex-coworkers and I are only
| connected on Instagram, and even some of my business
| contacts. I literally just got an investment lead via
| Instagram.
| Nextgrid wrote:
| Because Facebook and their various properties have a monopoly
| on humanity's social fabric in a lot of places. Not
| participating can put you at a severe disadvantage.
| the_only_law wrote:
| One of those stupid dating apps has decided that I am not
| myself and I cannot upload pictures of myself because it's not
| me.
| poorlyknit wrote:
| Did she have to upload her full ID or was she allowed to redact
| some info like the number or such? I'd be really careful
| handing out my PI like that.
| kka_dev wrote:
| Bit similar happened to me. I had account for about 3 years,
| posted like once a month, followed friends and some celebs -
| nothing out of ordinary. Then some day I was greeted via form
| that I needed to give my birthday as I apparently had not done
| that yet. I just threw in random date as I thought it is none of
| their business. Well turns out now that due to me "being under
| 13" my account is marked for deletion and I have 30 days to
| appeal with similar requirement. I tried to write them but got
| automated response.
|
| Ended up losing my IG account and learned valuable lesson that if
| I am not in control of my data I am not calling the shots either.
| KajMagnus wrote:
| What's happening to Meta/Facebook and Instagram? Are they
| destroying themselves from inside, when they cannot get their
| stuff together enough to fix their bugs preventing new people
| from joining?
|
| My years old Instagram blocked, although I had never posted
| anything, just looked at other people's posts some years ago.
|
| There was an error message about me having violated their terms
| of service. Although it worked the last time I used it, and
| thereafter I did nothing for many years.
|
| So I tried to create a new account. First I got "Internal Error,
| try again". And then, (I tried again), _after_ having chosen a
| password and verified my email (a new address for a new account),
| there was an error like "Seems you're using an open proxy. If
| you think this is not the case ... blah blah".
| jotm wrote:
| They're doing you a favor, just quit that garbage.
| jsnell wrote:
| > How can I allegedly have broken Instagram terms when I just
| created the account and even verified it by phone?
|
| Your account appears, for whatever reason, bulk-created. For
| example maybe you were creating it from a network that somebody
| had used for a lot of IG account creation, or you created it with
| Firefox on Linux and 99% of their Firefox+Linux registrations are
| from spammers since it's easy to automate and run on a cloud
| server, etc.
|
| It's actually pretty friendly from them to notify you
| immediately, rather than wait until you have gotten attached to
| the account.
|
| > Are there really no less intrusive ways than the above to prove
| ones ownership of account??
|
| Your ownership of the account is obviously not really under
| question. It's a freshly created account, it can't possibly have
| been hijacked yet. But is it your first account or the
| thousandth? Email addresses can be minted for free. Phone numbers
| for pennies. Since phone-verified, US-IP Instagram accounts seem
| to be selling for about $7 in bulk, those pennies are not much of
| an obstacle.
|
| But it's pretty hard for you to get selfies from a lot of people
| in an automated way. (Sure, you could go to a parking lot and pay
| people to do the selfie for you. But that's a much higher bar.)
|
| And then if suspicion remains, it allows IG to ask for either a
| second selfie or a picture of a government ID, and verify that
| your identity has actually stayed stable.
| sbf501 wrote:
| > from a network that somebody had used for a lot
|
| side note: I still can't edit wikipedia because my block of IP
| addresses has been banned for some reason. I just moved to a
| new house and can only edit if I go to a coffee shop!
| colejohnson66 wrote:
| Normally you can make an account while on a non-blocked IP,
| then use that account on the blocked-IP.
| lizardactivist wrote:
| I can't even complete registration of an account there. Despite
| never visiting or using the service, it says it has detected
| suspicious activity from my private, single-user residential IP
| number.
|
| But fewer Instagram accounts in this world is probably a good
| thing.
| ergonaught wrote:
| I had a similar experience creating a FB account. Before I could
| even fully log in, it was suspended for violating whatever.
| djsamseng wrote:
| A possible solution? Would love to hear any feedback - please
| shoot this down with any flaws you find!
|
| What if we had a centralized certificate authority that verified
| a person? Imagine you walk up to the DMV and get a private key
| (password). When you go to a website you generate a public key
| and send it to the website you visit. That website uses the
| public key it received to send a message to the certificate
| authority to verify you (true/false). Now Instagram knows you are
| real, but are you faking? I claim to be "First Last" to
| Instagram. Instagram encrypts "First Last" using the public key
| and sends it to the certificate authority. If the certificate
| authority is able to decode "First Last" using the private key
| then it returns (true/false).
|
| Could we extend this to solve user privacy? What if users said
| "Track me all you want as long as you don't know who I am".
| Websites can still serve targeted ads but users get the privacy
| that you are incognito. Instagram now knows your name but they
| also want to be able to identify you across the internet. So
| Instagram could also ask the certificate authority for a
| "personId" that identifies the person across the internet. But
| now you say, wait now Instagram knows my name and all my activity
| through my "personId". This is where the Engineers come in. We
| would have to make any code or action that connects "personId" to
| a human _illegal_. You write the code, you go to jail. This
| burden would only fall on websites that ask for someone's human
| identifiers (name, address, common geolocations, etc.). But that
| code isn't needed anyway! There is no reason to store "personId"
| and "First Last" together because you can always get a "personId"
| when the user gives the public key to the website. So if someone
| ever writes that code / uses that data query it's punishable by
| law.
|
| So now we have 1. Every website knows it's users are real 2.
| Every website can know a user is who they say they are 3. Every
| website can track unique visitors and their internet activity
| (while not knowing who they actually are) 4. Every user is
| completely "anonymous". Yes the information could get out, but
| only temporarily because any code (even a news article or blog)
| that contains this connection is illegal.
| gtourist wrote:
| I have a rule of only ever using Edge on Windows with no plugins
| (does Edge even have that?) when interacting with Google or
| Amazon account services, to avoid this "your account has been
| locked due to suspicious activity" nonsense, knowing that it only
| results in a hopeless black hole of canned email responses asking
| for information to unlock the account, only for it to remain
| locked after said information is provided.
|
| When using your accounts, never use Firefox, since it's down to
| like 2% marketshare, and automatically suspicious, and never use
| privacy-oriented plugins like uBlock, which suspiciously alter
| how and how much your browser communicates with these sites. Also
| never buy anything online late at night (like after 1 AM).
| Apparently that's suspicious, since a lot of fraudsters are
| international.
|
| It's incredible that these shitty ML hueristic systems are the
| best these "genius" FAANG developers, who get paid $150-300k a
| year, can come up with up. I love it when they or their loved
| ones get ensnared by these systems, like the Googler who threw a
| Twittertantrum when they locked his and his husband's Google
| Photos (or whatever they call it) account for "suspicious
| activity," and they lost thousands of photos. Pure lifefuel:
|
| https://news.ycombinator.com/item?id=24791357
| donmcronald wrote:
| > It's incredible that these shitty ML hueristic systems are
| the best these "genius" FAANG developers, who get paid
| $150-300k a year, can come up with up.
|
| I think it gets personalized / fingerprinted fairly quickly
| TBH. For example, I have 2 identical (Linux + Firefox + uBlock
| Origin) VMs that I use over the same VPN connection. One of
| them gets almost no captcha challenges and the other gets them
| continuously. My subjective experience is that it's based on
| what you're searching for on Google or maybe due to hitting
| sites that Google might have flagged as malicious (guilt by
| association). It's tough to tell, but it sure feels like
| there's some type of cumulative score based on activity.
| uoaei wrote:
| My account was discontinued because I refused to add a phone
| number, use an adblocker, and access from browser only.
| Apparently this makes my account look "suspicious".
| rdxm wrote:
| [deleted]
| openknot wrote:
| Not to defend the practice (because your case is a false positive
| for a new account), but rather to speculate on why your account
| was banned, it's likely due to an increase in impersonation on
| Instagram recently.
|
| In other words, some accounts steal the pictures of real people
| and then send follow requests to friends, and try to get them to
| tap on links that can give the bad actor access to the friends'
| accounts or buy cryptocurrencies. It's been spiking recently over
| the past couple of months (one case in a Canadian news article
| at: https://www.cbc.ca/news/canada/manitoba/instagram-photos-
| sto...), with other prominent cases documented in the past (2019:
| https://www.cnbc.com/2019/09/24/how-i-stopped-someone-impers...
| and 2021: https://www.cnbc.com/2021/12/14/instagram-accounts-
| created-w...). Bleeping Computer published a deeper article on
| the most recent ongoing spike (describing the crypto and Onlyfans
| scams):
| https://www.bleepingcomputer.com/news/security/instagrams-da...
|
| This doesn't justify at all the permanent deactivation of your
| completely new account, but just for curiosity's sake, I
| speculate that this is the reason your new account was banned
| (overly high security sensitivity on Instagram's end, due to a
| recent spike in false accounts that impersonate real people, to
| encourage others to buy cryptocurrency and/or click malicious
| links).
| donmcronald wrote:
| > In other words, some accounts steal the pictures of real
| people and then send follow requests to friends, and try to get
| them to tap on links that can give the bad actor access to the
| friends' accounts or buy cryptocurrencies.
|
| How would me sending them a picture change that when it says
| right in the email that:
|
| > Even if this account does not contain and pictures of
| yourself or it represents somebody or something else, we can
| only help you when we receive a picture of you which fulfills
| these criteria.
|
| So I can send Instagram a real picture and post someone else's
| picture all over the account.
| Retric wrote:
| This impersonation is only really useful when one person can
| create multiple fake accounts.
|
| If Facebook can simply run image comparison between the the
| face used and other accounts while knowing that picture isn't
| copied from elsewhere because it includes their onetime key
| it could prevent duplicate accounts.
|
| In practice I doubt it's more effective than a new CAPTCHA.
| notahacker wrote:
| Not to mention that scammers are relatively unlikely to
| want to show their face for ID purposes even if it's their
| only account (whereas ordinary people that want to join a
| service for posting pictures of themselves on the Internet
| generally don't mind), especially not when there's a wide
| world of other scams they can be getting on with that don't
| involve showing their face.
| kube-system wrote:
| > How would me sending them a picture change that
|
| It doesn't. It's just a barrier that inconveniences low
| effort scammers. Most scammers don't want to associate their
| face with their scams, and/or they aren't skilled enough to
| photoshop some other photo. Instagram is overwhelmed with
| garbage and it's logical to 80/20 rule as much as they can.
| nerdix wrote:
| Are you sure that you can just send in a picture? Had this
| happen recently and I had to install the iOS app and then the
| app took video of me with the front facing camera.
|
| I think my account was flagged because I follow a lot of
| people but I don't have a profile picture, never post
| anything, and I only use the web app (and sometimes from a
| "suspicious" OS named Linux) so basically I look like a
| follow-bot.
| gary_0 wrote:
| It has been [27] years since the tech industry started looking
| for a good solution to spam and fraud. Although my sister just
| freaked out over a phone call from someone claiming to be a tax
| collector, so it's not just the Internet with this problem.
| notahacker wrote:
| This particular scam sounds like it ought to be relatively easy
| to algorithmically detect (high degree of similarity with a
| particular account name plus high volume of friend requests to
| that account name's friends). I guess you'll flag up a _few_
| false positives (family members with different
| initial.firstname accounts who naturally share circles of
| friends) but not many compared with heuristics involving user
| agents and geolocations and email providers and not-having-
| Facebook
| brk wrote:
| Facebook/Meta has how many thousands of general engineers, AI
| specialists, and massive amounts of hardware at their disposal,
| and they can't solve this in a more practical way?
|
| Pushing their problems down to the user in this way feels
| shitty, at best.
| EVa5I7bHFq9mnYK wrote:
| Not if you are constantly attacked by millions of scammers,
| bot nets and government-sponsored info-terrorists.
|
| Same people that complain in this post about over-jealous
| verification, will complain in another post about
| misinformation and propaganda.
| thaeli wrote:
| And ironically, good security hygiene makes you look like a bad
| actor. While this "verification" is intrusive and unreasonable
| - I'm not defending it - often the root is creating an account
| from a VPN, or with minimal browser fingerprinting allowed,
| etc. An average user who doesn't take any precautions is likely
| to have a substantial activity profile already associated to
| their IP / cookies / etc. But run through a VPN? You trigger
| all the fraud checks. Use private browsing? Trigger all the
| fraud checks and hope you like filling out CAPTCHAs constantly
| on top of that. Tor? Likely to be blocked completely.
|
| Seasoning fake accounts in realistic ways mostly isn't worth
| the effort, because bad actors can just compromise real
| accounts and use those instead. (There are some specific use
| cases, mostly with nation-state actors, where seasoned and aged
| fake accounts might make sense, but those are unusual.)
| lcnPylGDnU4H9OF wrote:
| > This doesn't justify at all the permanent deactivation your
| completely new account
|
| It's hilarious that I'm reading this comment right before an
| article from the EFF titled, "Facebook says Apple is Too
| Powerful. They're Right." How refreshing it would be if
| Facebook bothered to say, "Meta is too powerful."
| jotm wrote:
| A practice dating back to MySpace, or even before it.
|
| Facebook used to do the same "yo wait, you need to send us a
| photo of yourself to verify the account". You could send... any
| selfies, even ones already uploaded to the account.
|
| The people or algos doing the verification didn't give a
| fuck/weren't advanced enough and the accounts could be verified
| with a high success rate, you could even retry with different
| photos.
|
| Maybe they improved that.
| kube-system wrote:
| This particular scheme has been a ridiculous plague among my
| circle of friends on instagram recently. People create accounts
| mimicking an existing user, add an underscore at the end of the
| username, and then spam follow requests to all of their
| connections. Most people get a notification from someone they
| know, and they accept it without even thinking about. It is
| insanely effective.
|
| Reporting the accounts for impersonation seem to do nothing,
| instagram's responses to the support requests even say they
| don't have enough people to look at all of them, and so they
| didn't.
| itronitron wrote:
| Hopefully eventually your friends will collectively grow a
| brain cell.
| openknot wrote:
| Yeah, unfortunately multiple reports of the impersonator's
| account doesn't work in practice, even though it really
| should. Another source confirming this is from the Bleeping
| Computer article (source:
| https://www.bleepingcomputer.com/news/security/instagrams-
| da...).
|
| I read that the fastest way to take down the account is for
| the person getting impersonated to fill out a form (via
| Instagram's help page at
| https://help.instagram.com/370054663112398), which
| unfortunately requires a picture of the person's driver's
| license/government-issued ID.
| Beldin wrote:
| > _which unfortunately requires a picture of the person 's
| driver's license/government-issued ID._
|
| They should move to something like IRMA (1). This would
| ensure they don't get data except for the government's
| certification that you're really who you claim to be.
|
| (1) https://privacybydesign.foundation/irma-en/
| kube-system wrote:
| Works great for any government as long as your government
| is the Netherlands.
| ChrisMarshallNY wrote:
| _> requires a picture of the person 's driver's
| license/government-issued ID._
|
| I have no idea whether or not it is illegal to ask for
| this, but it is generally considered dangerous to send
| photos of your state ID.
| marcosdumay wrote:
| Is this a US thing related to identity theft, or is there
| a deeper reason?
| bombcar wrote:
| It's usually an identify theft thing, because if I have
| all the information on your state ID I can make a copy
| that would be good enough for ... getting access to your
| instagram account I guess.
|
| It's pretty _hard_ to fake an ID in physical form, but
| one good enough for a webcam photo shouldn 't be too
| hard.
| ChrisMarshallNY wrote:
| I just got my passport renewed.
|
| The new US passport is pretty crazy. The photo page
| appears to be one giant NFC chip. The picture is barely
| visible. I suspect that it is meant to be inserted into
| some kind of reader machine, that will display a high-
| resolution version to the Customs agent.
| kube-system wrote:
| The new ones in 2021 added more features (the photo page
| is polycarbonate instead of paper), but they've had RFID
| embedded in the cover since 2006
|
| https://en.wikipedia.org/wiki/United_States_passport#Biom
| etr...
| ghaff wrote:
| Not quite the same thing but it's quite common for hotels
| (in Europe in particular) to make a copy of your
| passport, for auto dealerships (at least in the US) to
| make a copy of your driver's license for a test drive,
| and many many other situations. I'm sure I'm forgetting
| lots of other cases. (And Twitter requires for verified
| accounts.)
| dorkwood wrote:
| Be thankful that they've given you a way to restore your account.
| They didn't to me. I suspect I was supposed to be thrown into the
| same verification pipeline as you, but something got messed up
| along the way and now I have a completely unresponsive app (black
| screen with a refresh button that does nothing) with no
| instructions on how to fix it. I thought maybe it was some weird
| Android bug, so I bought an iPhone and logged in on that only to
| find that it is also unresponsive.
|
| I just want to delete the account at this point, but I can't,
| since trying to access the deletion link returns an error telling
| me to open the (unresponsive) app to regain access to my account.
|
| I've contacted a lawyer who works in the field, since I'm pretty
| sure preventing me from deleting my account is a violation of
| their TOS. Who knows if that will go anywhere. I'm kind of at my
| wit's end here. If anyone has any better ideas, I'm all ears.
| sofixa wrote:
| > I've contacted a lawyer who works in the field, since I'm
| pretty sure preventing me from deleting my account is a
| violation of their TOS
|
| If you're in the EU, it's also a violation of "the right to be
| forgotten" and you can contact your ICO.
| klyrs wrote:
| ADA lawsuit opportunity here for anybody without two hands...
| hansword wrote:
| Simple rule: Don't use meta products. Shame everyone who attempts
| to copy their business practices.
| xtracto wrote:
| Right... people should just stop using services that are
| aggressive. Remember you are the product, unless you pay them.
| So they dont care about you.
|
| Just dont use them. If o go to a restaurant and they let me
| waiting standing up more than 20 minutes, I'll just go
| somewhere else. Why do people treat internet websites any
| different? (You dont lose anything for not having Meta)
| ls15 wrote:
| > If o go to a restaurant and they let me waiting standing up
| more than 20 minutes, I'll just go somewhere else. Why do
| people treat internet websites any different?
|
| What if that restaurant is the one where all your friends and
| family are waiting for you? Somehow over the last couple of
| years, your friends and family just gave up on all the other
| restaurants and only gather in this restaurant, even though
| everyone agrees that the food isn't very good, but out of
| convenience everyone settled for this one (and for the
| promotions that they had in earlier days). Actually many of
| the other restaurants closed because of these network effects
| and the owner of the famous restaurant got rich and arrogant,
| but now that everyone goes to this restaurant, it is hard to
| convince people to try something else.
| allarm wrote:
| It is a weak argument imo. If you're important to them they
| will follow. If not, there's no point to keep in touch. I
| understand that there's edge cases when it's really
| difficult to switch or use an alternative platform (i.e.
| because of age), but overall it's not that hard. At least
| it wasn't in my case. And yeah, it is possible to eat in
| multiple restaurants at the same time, when it comes to
| social platforms.
| xtracto wrote:
| >What if that restaurant is the one where all your friends
| and family are waiting for you?
|
| If friends/family are already there, and as I said the
| restaurant is keeping me waiting at the door for more than
| 20 minutes? I'll freaking leave and SMS my friends to see
| them somewhere else.
|
| Shit, if I HAD a job interview in said restaurant, the
| interviewer was waiting for me there and the restaurant
| blocked me from entering , I'll just call the interviewer
| to tell them the fact, and maybe even recommend the taco
| stand in the corner.
|
| No freaking service is worth it. Not even Google, and I
| have all my emails since 2004 and docs in gdrive there. I'm
| a heavy FB user, but the moment they font want my
| data/usage to show me ads, I wont shed a tear.
| oblib wrote:
| I went to the Instagram sign-up page and filled out some info and
| submitted it and then decided not to submit whatever it was they
| were asking for next.
|
| Since then when I click on a link to an Instagram post shared on
| FB they blocked me and demand I set up an account. But if I use a
| different web browser I can view those posts.
|
| I rarely do that though. I just cannot give them the hit.
| fleddr wrote:
| Your experience sucks but it's too simplistic to consider this
| malice/evil.
|
| I think none of us fully understand the extreme levels of abuse a
| service like Insta (and several other services) have to deal
| with. It's abuse at scale and ever-changing, hence an endless cat
| and mouse game where non-transparent heuristics create false
| positives.
|
| By the way, your method of verification (holding up a sign) is
| also common at porn sites. That's what my friend told me anyway.
| dylan604 wrote:
| Sadly, for a side hustle, an Insta account is seemingly in my
| future. For someone like me that has never had an Insta account
| nor have I logged into my FB account for over 8 years, how does
| one create an account without this happening?
|
| Also, these kinds of stories fit well within the narrative of
| Meta === EvilCorp#1, but I always feel like there's a lot more
| going on than what is being told in these Ask HN/Tweets/etc.
| Like, how many accounts were attempted to be made in what time
| period coming from the same device/IP address/etc? Are the algos
| at Meta/FB/Insta so bad that legit users are honestly getting
| flagged like this?
| openknot wrote:
| >"For someone like me that has never had an Insta account nor
| have I logged into my FB account for over 8 years, how does one
| create an account without this happening?"
|
| This is speculative, but probably try to recover your Facebook
| account first (because it's already verified), and then choose
| the option to try and create an Instagram account based on your
| logged-in Facebook account.
|
| I haven't tried this in practice as I haven't created a new
| account in a long time, so there's no guarantee this will work.
| If it doesn't, then unfortunately you would have to block off
| time to persistently follow the instructions as closely as you
| can (sending your photo and a note), likely over several days
| to create the account.
| hk1337 wrote:
| It's silly since it's a brand new account, what do they have to
| compare it to to confirm it's you?
| LegitShady wrote:
| I made a twitter account, followed a few accounts, and then it
| was locked and twitter demanded I send them a scan of my
| government issued ID to prove I was a real person.
|
| I decided twitter wasn't worth that kind of identity theft risk.
| Same thing this happening with instagram - I'm not sure why
| anyone would want to volunteer this information to these
| companies whose whole finance model is abusing your personal
| information.
|
| I personally don't think any of these social media companies are
| worth sending pictures or ID to.
| dmitrygr wrote:
| Look at it from their viewpoint. It is hard to do what they do.
| How else would they collect sellable info on you, without your
| assistance?
| kazinator wrote:
| > "photograph of yourself, where you hold a piece of paper with
| the following, handwritten code on it"
|
| Wow, these people sure know how to write nice prompts for AI-
| driven image generation!
| donmcronald wrote:
| > Even if this account does not contain and pictures of yourself
| or it represents somebody or something else, we can only help you
| when we receive a picture of you which fulfills these criteria.
|
| That's the part that makes me wonder what they're trying to
| accomplish. I had the same thing happen in 2019, so it's been
| going on for a long time. For me it happened with a handle that
| matches a decent .com domain I own when I was going around and
| registering accounts at every site I could think of (ie: brand
| protection).
|
| As far as I'm concerned they got _nothing_ that helps them
| determine whether or not I 'm going to use the account for
| legitimate purposes. I also did _not_ violate their terms of
| service because it was a brand new registration. I didn 't even
| get an email. I had to figure out where to send the request to
| have my account reactivated.
|
| I didn't like the idea of sending them a photo, but felt forced
| into it to make sure no one else could come along and squat on
| the handle that matches my brand. I don't have trademarks (yet)
| and, even if I did, claiming someone is violating a trademark is
| going to be a significant amount of effort vs sending them the
| photo they want.
|
| So, I capitulated even though I have no idea what they're using
| my photo for. My best guess is that Mark has it framed and
| hanging in his private art studio.
|
| I think there's a good chance that eventually big tech is going
| to run on massive facial recognition databases that were built
| against our will. I think Facebook, Google, Apple, and Microsoft
| should be chopped into about 10 different companies each and the
| government shouldn't give _any_ consideration to the impact it
| has on their business. They have no respect for us. We shouldn 't
| have any respect for them IMO.
| mistrial9 wrote:
| > I think there's a good chance that eventually big tech is
| going to run on massive facial recognition databases that were
| built against our will.
|
| too late - this is an active industry with lots of funding.
| Further I believe that "metaverse" is an attempt to link that
| auto-ID to place, with tracking and profiles of all sorts of
| meat-scale interactions. The calls to boycott "metaverse" in
| the USA could not come soon enough.
| dogleash wrote:
| >I think there's a good chance that eventually big tech is
| going to run on massive facial recognition databases that were
| built against our will.
|
| >eventually
|
| Already does. It's just not a bread and butter component of
| every company's business yet.
|
| We're already past the time where, in a few years, people will
| start pointing back and saying "well, if you don't like it, you
| should have done something then."
| kube-system wrote:
| My guess is that they get more utility out of the photo as a
| boolean metric for prioritizing support requests than as an
| authentication method.
| swasheck wrote:
| this happened to both me and my wife. never heard back. account
| remains unavailable. multiple follow ups went to black holes.
| izzydata wrote:
| Do they even want users? What is their motive?
| cma wrote:
| By normalizing this, scammers may start impersonating Meta and
| easily convincing people to send them a photo holding their
| license etc. and maybe even trick them into holding up a social
| security card.
| Animats wrote:
| Papers, please.
|
| Glory to Arstotzka! Cause no trouble.
| drexlspivey wrote:
| For the curious https://youtu.be/8XcyZ-ls9_Y
| CosmicShadow wrote:
| I opened a business account and had this happen instantly. It
| asked for my age, which as a company was 1, so I put that and it
| instabanned me for being underage. It also didn't help that the
| website signup didn't work well and lastpass kept trying to
| autolog me in every step of the way making me look like a spam
| bot.
|
| I had to send the same pic of me holding license thing, it was
| intrusive. It took a few weeks to get through and eventually the
| replies just started coming back in Bangladeshi, and I could tell
| from the signatures where the support was taking place (as if the
| translate wasn't enough). I have an account now, but what a
| bullshit experience. Why not be more clear on requirements (i.e.
| age) and not even allow someone to put 1?
| givemeethekeys wrote:
| You want a free account? Bend over. You want to host your own
| photos and share with your friends? Go ahead and figure it out on
| your own.
|
| Or build a better Instagram.
| fsflover wrote:
| > Or build a better Instagram.
|
| https://fediverse.party/en/pixelfed/
___________________________________________________________________
(page generated 2022-06-20 23:01 UTC)