[HN Gopher] Personal Information of More Than 1.5B Facebook User...
___________________________________________________________________
Personal Information of More Than 1.5B Facebook Users Sold on
Hacker Forum
Author : comprev
Score : 462 points
Date : 2021-10-04 16:21 UTC (6 hours ago)
(HTM) web link (www.privacyaffairs.com)
(TXT) w3m dump (www.privacyaffairs.com)
| [deleted]
| Finster wrote:
| Is this why facebook is down?
| DevKoala wrote:
| What a broken product. There aren't 1.5B users with public
| profiles in FB, so whatever methods these guys used clearly went
| beyond regular data scraping.
| mcintyre1994 wrote:
| Do you have a source for that? Facebook claim 2.9 billion MAUs,
| half of them having a public profile seems pretty likely to me.
| [deleted]
| hikerclimber1 wrote:
| Good. Hopefully more companies get hacked.
| TurkishPoptart wrote:
| I suspect today's outage (now resolved) was planned in some
| capacity in order to address what's in TFA here or the story
| regarding the recent whistleblower.
| rvz wrote:
| Another day, another selling of 1.5B Facebook users on a 'hacking
| forum'.
|
| There seems to be no end to the chaos around the Facebook mafia.
| afrcnc wrote:
| Fake news. Public data scraped off a Facebook profile is not
| "personal information" if everyone can already see it
| smsm42 wrote:
| 1. You publish your information on a public site designed to
| disseminate information to as many people as possible.
|
| 2. Somebody sees this information and records it.
|
| 3. They publish this information on another site.
|
| 4. "Hackers stole my private data!!!!"
|
| Really?!
| dirigent wrote:
| Is there any real reason to use Facebook in 2021? Like, why
| bother? Are there any actual use cases for owning a Facebook
| account now?
| paul7986 wrote:
| SearchPeopleFree<dot>com pretty much has a ton on a good majority
| of people. Get their phone number and if you want learn a lot
| about them. So it just compiles public information. No opinion
| whether it's a good or bad thing here from me just pointing it
| out.
| subsubzero wrote:
| Facebook is having a very bad day today. You have this hack
| announced today, all their sites are apparently down due to a BGP
| issue they are dealing with, and then the bombshell allegations
| of them intentionally creating toxicity on their platform to
| enrich themselves at the expense of society. Zuck's world is
| slowly collapsing in on him, expect heavy regulation and the
| beginning of the end of facebook as we know it.
| driverdan wrote:
| This is not a hack, it's web scraping.
| i_like_apis wrote:
| I was with you right up until the end. I don't think fb is
| going anywhere soon.
|
| The whistle-blower situation is interesting though, I see what
| you mean that there could be regulation inbound... but how can
| they be regulated?
| throwaway78981 wrote:
| Some might laugh this off as 'oh it's just scraping'. But I
| remember reading some comments in HN that there are apps that can
| scan faces and pull personal info including where they live, work
| etc. So each leak uncovers a person little by little.
|
| This vindicates the stance taken by Signal to not even collect
| metadata.
|
| Edit: I mean surreptitiously scan the face of a stranger you see
| in public and the app will tell you about them. Don't know names
| of the apps.
| Sephr wrote:
| > there are apps that can scan faces and pull personal info
| including where they live, work etc
|
| Note that these services are also powered by scraping public
| data.
| dutchbrit wrote:
| https://pimeyes.com does just that, I just posted it here on
| HN.
| throwawayy293 wrote:
| https://www.wikipedia.org/wiki/Clearview_AI already does that
| too
| jrs235 wrote:
| So this might explain why I've suddenly gotten a huge increase in
| SPAM text messages that know my name.
| cududa wrote:
| I like to err on the side of coincidence but holy shit I've
| gotten like 12 spam phone calls today and almost never get any
| jrs235 wrote:
| I started getting about 6 SPAM texts a day starting a few
| days ago AND they knew my name!
| Alex3917 wrote:
| I know everyone on HN loves to hate on Facebook, but the fact
| that HN's servers are getting crushed when FB is down perhaps
| shows a revealed preference.
| jkbyc wrote:
| It could be more than that. Vodafone broadband Internet (used
| to be UPC) is down in all of Czech Republic since about an
| hour. Their website is down (vodafone.cz), their mobile
| Internet seems slow. Coincidence?
| jurajmlich wrote:
| If you change your DNS servers, it works! Their DNS servers
| probably crashed due to FB's DNS not resolving!
| (https://twitter.com/BlazejKrajnak)
| IlliOnato wrote:
| I tried changing DNS server, including 8.8.8.8 and 1.1.1.1,
| nothing doing.
|
| I looked up Facebook IP address and tried to go there
| directly, bypassing the DNS. No response.
|
| (I don't care about Facebook much, it was a test. WhatsApp
| though I have to use to communicate with relatives.)
| sakopov wrote:
| Are you suggesting that HN being under a greater load has
| something to do with people hopping on HN instead of Facebook
| as they'd normally do? That seems like a reach.
| paulpauper wrote:
| Not really. I noticed a lot of greyed-out comments cheering on
| Facebook being down
| 0x4d464d48 wrote:
| I think it's a mix of signalling respect for the people
| impacted by this, the people who work there and are just
| trying to be decent and of course the fan boys.
|
| The first place my mind went to after I read this was "dumb
| fucks" (Google this with Zuckerberg for context) but as good
| as the schadenfreude feels it doesn't change the very real
| and negative impacts from all of this.
| 0x4d464d48 wrote:
| I'm more of a 'shit on Facebook' man myself but I'm not above
| hate.
|
| I find it hard to find fault with people expressing disgust
| with how knowingly predatory and exploitative the company's
| leadership have proven themselves to be.
|
| Exhibit A: https://www.bbc.com/news/technology-58678332
| jjulius wrote:
| Or it could be as simple as everyone wants to discuss one of
| the biggest tech companies suffering such a massive outage,
| combined with the aforementioned FB-haters basking in this
| moment.
| Alex3917 wrote:
| As the CEO of a social network with more active users than
| Facebook, I am very confident in my analysis.
| tomrod wrote:
| LOL. I haven't come across you before today (so, not sure
| if this is a joke), but for the past few hours every social
| network has more active users than Facebook.
| glitchcrab wrote:
| > for the past few hours every social network has more
| active users than Facebook
|
| That's literally the joke.
| KoftaBob wrote:
| I see what you did there
| BrianOnHN wrote:
| Following Twitter, HN is top 2 places to check during an
| outage.
| jaywalk wrote:
| I don't use Facebook, but I'm very curious about why it's down.
| I'm sure I'm not alone in my curiosity about one of the biggest
| tech companies in the world.
| [deleted]
| wyldfire wrote:
| I was afraid that it meant HN depended on Facebook
| infrastructure somehow. If the explanation is "Facebook is more
| popular and people flock to HN when it's down" -- that is a
| relief. I don't think that is the best explanation, though.
|
| But maybe it's a failure with wider scope than just Facebook's
| DNS. Or an attack that targeted both FB and HN (and others)?
| Wild speculation at this point.
| zeven7 wrote:
| I'm not a Facebook user, and I'm a casual HN user. I heard
| Facebook was down, so I checked HN. I bet that's the source
| of the problem. If you know about HN and you hear Facebook's
| down, you check HN to see what people are saying.
| Program_Install wrote:
| Expected in all honesty, data these days is a currency to be
| bartered. I despise facebooks and everything it stands for, I
| wish people would take themselves more seriously. This need to
| fill a void with nonsense, is just simply unbecoming. So, suffer
| the consequences.
| zohvek wrote:
| Facebook is having one helluva last 48 hours I tell you what.
| drclau wrote:
| (just a wild theory)
|
| Is the downtime (at the time of writing) their way of blocking a
| known ongoing attack that can't be stopped fast and safely enough
| by other means?
|
| Something like: 1) take everything down, 2) fix the bug, 3)
| deploy everywhere, 4) start everything up.
|
| And, to stop clients from connecting, take down the DNS too. DNS
| is also a great scapegoat.
| [deleted]
| Seredo wrote:
| Apparently the data was collected through scraping, so probably
| just a coincidence.
| johntiger1 wrote:
| Also thinking that these two events are not independent...
| toast0 wrote:
| I worked at WhatsApp until 2019; I don't remember any disaster
| plans where taking everything down was an option (although I'm
| sure they exist), but dropping BGP sessions is probably not the
| best way to do it, because it's hard to reverse and hard to
| inspect the system without BGP.
|
| Over in WA land, we'd probably just kill all the frontend
| servers if needed. For all of FB infrastructure, killing all
| the loadbalancers would probably work, and also the outgoing
| proxy hosts, as appropriate. No need to mess with DNS or BGP.
| y4mi wrote:
| I agree that it's highly unlikely to be a deliberate action,
| but your listed mitigations would only help against security
| issues that impact the web services.
|
| It _could_ be the only way to go in the highly unlikely
| scenario that attackers are able to compromise the management
| APIs of various infrastructure devices like routers,
| baremetal servers etc.
|
| These APIs are usually on airgapped networks though, which
| makes this _extremely_ unlikely
| dheera wrote:
| I'm glad I never gave FB my real phone number or birthday. Nobody
| should. I predicted this would happen some day. It's always just
| a matter of probability and time.
| fortuna86 wrote:
| The day Facebook locked me out and asked for photo ID to get
| back in, that was the last day I used FB.
| [deleted]
| dheera wrote:
| IANAL but is it legal to just use a fake ID with photoshopped
| numbers, considering there is no legal or financial damage
| done in doing so in the FB case? You aren't causing someone
| to serve alcohol to minors, you aren't giving it to the
| government, you're just telling a social media giant that
| they have no right to that information.
|
| I'm looking at this
|
| https://www.shouselaw.com/ca/defense/vehicle-code/470b/
|
| and IANAL but it seems that possession of a fake ID of itself
| isn't illegal and I don't think "using Facebook" falls under
| the intent to defraud, i.e. "in order to cause loss or damage
| to a legal, financial, or property right".
| dane-pgp wrote:
| > "in order to cause loss or damage to a legal, financial,
| or property right".
|
| It would be a stretch, but perhaps an imaginative
| prosecutor could claim that the user is trying to diminish
| Facebook's finances/property by generating web responses
| (using CPU time and electricity) which it otherwise
| wouldn't.
|
| That's discounting all the expansive interpretations of the
| CFAA which would deem any breach of Facebook's terms of
| service to be an act of illegal hacking, not to mention an
| interpretation of copyright law that asserted that the user
| was receiving unlicensed copies of Facebook's intellectual
| property (e.g. their HTML).
| slig wrote:
| Do you have any friends that might have used any FB app? If so,
| chances are high they uploaded their contact list and FB has
| your name and phone number.
| Loughla wrote:
| And this is exactly why this is a problem. I have never
| consented to facebook having my information. I have never had
| an account linked to anything real about me. I had one in
| 2004 or so to learn about college parties. I used a pseudonym
| and deleted it once I graduated.
|
| But I guarantee they still have my information because people
| I know use their app.
|
| This is not okay.
| dheera wrote:
| I mean, I usually just tell friends to call me on FB
| messenger (or WeChat) rather than giving them one of my 10+
| phone numbers, so FB probably wouldn't have gotten it that
| way. I'm not on very many people's phone contact lists. The
| few that do have a virtual number that I can just change.
|
| Name, yes, but that's public.
| beagle3 wrote:
| Never gave mine either, but that's the strength of FB: you
| don't even need to have an account. They know everything about
| you because your friends, family and colleagues gave them that
| information.
| jaywalk wrote:
| If you want to talk about a matter of probability, your real
| phone number and birthday are almost certainly already out
| there.
| dheera wrote:
| I have a fake birthday I use consistently across most of the
| internet.
|
| I don't have a consistent "real" phone number -- I change it
| periodically. I then have virtual numbers that redirect to
| those, which I change from time to time as well.
| blitzar wrote:
| It's a web scrape ... Public Information of More Than 1.5B
| Facebook Users Sold on Hacker Forum
| throwaway3975 wrote:
| "The traders claim to have obtained the data by scraping rather
| than hacking or compromising individual users' accounts."
| 1270018080 wrote:
| I think they're just riding the Facebook wave for more clicks.
| This is hardly news.
| mzs wrote:
| doubts about veracity:
|
| https://twitter.com/AricToler/status/1445100884740935686
| animanoir wrote:
| I honestly ask myself how the f Zuck has the guts and ego to
| still talk about a "metaverse" with a company and product so
| wrong, so poisonous and evil to humanity. I really can't wait to
| see him in jail already.
| spywaregorilla wrote:
| Any particular reason you think a metaverse is incompatible
| with an evil organization?
|
| The evil co. in Ready Player One, the movie, literally
| imprisoned people and used them for forced labor.
|
| (then, somehow, the CEO gets arrested by regular cops, lol).
| iszomer wrote:
| > (then, somehow, the CEO gets arrested by regular cops,
| lol).
|
| Because he had a gun in hand not because of his forced labor
| practices.
| spywaregorilla wrote:
| You're not wrong, but on some level given his freedom to
| enslave and murder people, it is surprising that in
| universe he is vulnerable to normal cops
| throw_m239339 wrote:
| I'm not a big fan of Facebook but the hatred toward that
| company here is getting out of hand. You want to see Zuck in
| jail for what crime exactly? How is Twitter, Youtube, TikTok or
| Reddit any better than Facebook when it comes to being
| "poisonous" or "evil"? Youtube was literally financing
| terrorist groups with ad money 10 years ago. Twitter gives a
| platform to anti-Semites and the Taliban.
| h0p3 wrote:
| Perhaps those in power tend to be evil and don't deserve the
| air they breathe.
|
| Why do you think it is out of hand, and what exactly do you
| mean by that? I will have a careful, lengthy discussion with
| you, if you'd like.
|
| I'll open with the claim that what is moral is not
| necessarily what is legal.
| mihaaly wrote:
| And some wonder why I'm not letting myself be forced into dual
| authentication providing them with real phone number. Actually I
| am very reluctant to log into Facebook at all, twice a year
| perhaps seeing old friends making an attempt to communicate with
| me, then only from private browsing, perhaps VPN too. I do not
| trust them with any shred of additional info on me that they
| do not have already from earlier. I miss a lot of links sent to
| me pointing to facebook post or something, no, actually I do not
| miss a little thing, I rather do not care about cute animals or
| strange people or thoughts, it is invaluable in 99,999% of the
| cases, for the rest I can take the loss.
| dqpb wrote:
| Is it just me or do attacks on Facebook come in waves?
| mdoms wrote:
| I don't consider my name, date of birth or the city I live in to
| be personal information.
| guessmyname wrote:
| > _I don't consider my name, date of birth or the city I live
| in to be personal information._
|
| Of course it is personal information.
|
| I think what you are trying to say is that you do not consider
| this data to be sensitive personal information. Emphasis on
| sensitive.
| hn_throwaway_99 wrote:
| I feel like we need to start differentiating between "public"
| personal information and more sensitive personal information
| (like social security numbers or other government ID numbers).
| The breach lists this info:
|
| Name Email Location Gender Phone number User ID
|
| So basically, everything I _used_ to be able to get in a phone
| book. Honestly, at this point all of that information should just
| be considered public, because it obviously is.
|
| If anything I think people are grappling with the fact that the
| Internet just makes data scraping and processing possible on a
| scale previously unimaginable, and that's really what people have
| an issue with, but I don't think there's a great answer to that.
| I mean, it's one thing to say the front of my house is public
| info because anyone can come by and take a picture, but it sure
| feels different when a high resolution photo (or heck, video
| feed) can be posted online that is instantly available to
| billions of people.
| spansoa wrote:
| > and more sensitive personal information (like social security
| numbers)
|
| Well I consider SSNs public knowledge at this stage. You can
| reliably dox anyone in the US now and find out their SSNs.
| Also: I used to have a sticker on my laptop that had my SSN on
| it, and brought it to conferences, as a PR stunt for my
| consultancy.
| intricatedetail wrote:
| Problem is user id link. From there you can get much more info.
| Facebook should be legally forced to reindex users and void all
| current user ids.
| gizdan wrote:
| > So basically, everything I used to be able to get in a phone
| book. Honestly, at this point all of that information should
| just be considered public, because it obviously is.
|
| With a phonebook (at least back in the day), you didn't risk
| having your account exposed and sold for a few dollars. Nor did
| that risk someone getting access to thousands, if not more,
| bank accounts or whatever through automation. In addition, a
| phonebook is easy to opt out of making things public. Facebook
| gives you the illusion that you can opt out of this data being
| public.
|
| Edit: opt of -> opt out of
| chillee wrote:
| > Facebook gives you the illusion that you can opt of this
| data being public.
|
| What makes you think that that isn't the case here? It sounds
| like they just scraped all the public profiles they could
| find. It's not a database "leak" or something like that.
| gizdan wrote:
| Right, that's what I mean with "Facebook gives you the
| illusion that you can opt out of this data being public".
|
| I recall when I still had Facebook, many people would
| randomly add you and pretend to be random people, sometimes
| famous, sometimes they "just want to be friends". I know
| most people have some settings along the lines of "no one
| except friends can see all this data". This is an issue,
| because people will add these "friends" and forget about
| these permissions. These "friends" can easily be attackers
| like these that suddenly have access to all your data.
| Hence the "illusion".
|
| With a phonebook on the other hand, when you opt out,
| you've opted out.
| skinnymuch wrote:
| Many people added you like that? Just asked a few people.
| No one gets many FB rando requests that aren't super
| obviously fake. It isn't that common.
|
| I've had FB since 2007. Don't recall there ever being a
| surge.
| [deleted]
| azta6521 wrote:
| True, but my last paper phone book did not have 1,500,000,000
| entries.
| hn_throwaway_99 wrote:
| Yes, that's literally my exact point in my last paragraph.
| ramblenode wrote:
| In the past "public" did not mean a single, all-encompassing
| global village of information that anyone on earth with a
| computer could get access to. People then operated within local
| shells of information, extending outward from the neighborhood
| block to the city to the country and maybe finally to the
| world.
|
| What time you walk your dog each day would be neighborhood
| level public info. Phone numbers would be city level. For
| greater reach than that you usually had to put the info out
| there yourself or be someone of media prominence.
|
| Nowadays the time you walk your dog is out on the internet
| because it was leaked from some Amazon S3 bucket collecting
| pings from your dog's smart collar. And what's more it's been
| joined with your name, phone number, and other personal info to
| create an automated profile of you by interested groups.
|
| That's a whole different ball game, and not one that many
| people expect despite living their lives (in their minds) the
| same way as before.
| dragonwriter wrote:
| > So basically, everything I used to be able to get in a phone
| book.
|
| Even if people didn't have unlisted numbers, phone books would
| allow listing only last name and first initial of one person in
| the household, without any location data beyond the phone book
| service area (you could provide more if you wanted to be
| found), and didn't include gender.
| mankyd wrote:
| > If anything I think people are grappling with the fact that
| the Internet just makes data scraping and processing possible
| on a scale previously unimaginable,
|
| Agreed.
|
| I remember way back when FB first launched the "feed". Folks on
| Slashdot (yes, that long ago) had great outcry about how much
| of a violation of privacy it was. I countered that all it was
| doing was collating all the posts that people were making on
| their "walls". Nothing new was necessarily being exposed.
|
| People still didn't like it. Someone argued that the extra
| steps necessary to visit each "friends" wall was a valuable
| impediment. Obviously, that's a weak position to take, but it
| reinforces your point: data scraping is easier than anyone
| seems to be willing to acknowledge. Anything you write in any
| "semi-public" space should simply be considered entirely
| public.
| asdff wrote:
| Wait until HN readers find out what these faceless companies
| that appear around election time and mail me junk are able to
| glean from public voting registration data.
| DebtDeflation wrote:
| >I feel like we need to start differentiating between "public"
| personal information and more sensitive personal information
| (like social security numbers or other government ID numbers).
|
| The flipside of this is that we need to make it such that
| simply knowing someone's Name, Address, DOB, and SSN is not
| adequate to fraudulently assume their financial identity and
| incur debts in their name.
| micromacrofoot wrote:
| the 1.5B number leads me to believe that these aren't all
| public accounts though, so it's a bit broader than the phone
| book comparison
|
| also at this point there have been enough large leaks that
| cross-referencing the data can probably paint a very complete
| picture of many people
| _moof wrote:
| > everything I used to be able to get in a phone book
|
| Fair, although you could opt out of the phone book. (And I
| don't think they had location/address, though it's been so long
| now that I can't remember for sure.)
|
| > I think people are grappling with the fact that the Internet
| just makes data scraping and processing possible on a scale
| previously unimaginable
|
| This is it right here. The scale and ease of access are
| terrifying. It's true that in the olden days, someone could
| follow me around and write down everywhere I went, everyone I
| talked to, what stores I went to, my hobbies, and so on. But
| someone would actually have to _do_ that, and they would have
| to single me out, and even then the information they collected
| would be in a notebook, not distributed to virtually every
| human on the planet.
|
| Now we are all being followed, all the time, and all of that
| information is available to anyone with almost no cost or
| effort. This is a sea change, and personally I find it
| horrifying. There are very, very few people I would trust with
| that much information. I definitely don't trust the whole world
| with it.
| cvs268 wrote:
| > And I don't think they had location/address,
| > though it's been so long now that I can't remember for sure
|
| Same here. Initially I too couldn't remember for sure.
|
| Then i remembered the scene from Terminator 2 (1991) in which
| it looks up Sarah Connor's phone-number and home-address in a
| phone-book! :-)
| Strs2FillMyDrms wrote:
| I believe the LGR channel has shown some DOS programs from
| before 1990 that had the entire catalogue of the US
| phonebook available in a neat DOS UI, where you just choose
| a location/state (or none at all) then enter a letter and it
| would filter every entry on the chosen filter...
|
| (Name was ProPhone 1993, so not really pre 90's)
| https://youtu.be/yBupNdYe08g?t=1078
| alfiedotwtf wrote:
| Yep, they were called Reverse Pages. You would buy the
| CD, and then just read the database yourself. This
| allowed you to type an address and you could get their
| phone number etc
| alfiedotwtf wrote:
| Yep, they were called Reverse Grey Pages. You would buy
| the CD, and then just read the database yourself. This
| allowed you to type an address and you could get their
| phone number etc
| alfiedotwtf wrote:
| The ones in Australia were one way - you could search
| for a name and it would give you a phone and address...
| but if you were a programmer, you could read the database
| directly, so search on a phone number and get back the
| address and name, or search an address and get back name
| and phone number.
|
| There were a few services in the early 2000s doing this,
| they were called Reverse Grey Pages
| kingaillas wrote:
| It was earlier - the 1984 movie (Terminator) had the scene
| where he rips out the page from the phone book, looking for
| the Sarah Connors listed there. :)
| rzzzt wrote:
| K-anonymity in action. (The only thing you need to do is
| change your name to someone else's name.)
| drfuchs wrote:
| Home addresses were absolutely shown in Bell Telephone White
| Pages phone books delivered to just about every domicile in
| the USA each year; you could not opt out of receiving the
| White and Yellow pages, though for a fee you could be
| "unlisted" and not appear in them.
| hn_throwaway_99 wrote:
| Yeah, strong agree from me.
|
| What is weird to me are so many of the responses to my
| comment are along the lines of "But the real danger now is
| that all of this data can be correlated with other sources of
| info, and it's all instantly searchable." It's weird to me
| because that's the point I was trying to make in my last
| paragraph, to explain that that really has nothing to do with
| Facebook. The "hackers" aren't even claiming there was a
| breach, just information they screen scraped. The ability to
| amass giant databases of information and make it available to
| the world to search is something fundamentally inherent to
| the Internet.
| PeterCorless wrote:
| All listed numbers in the White Pages had street addresses.
| Having an _unlisted_ number was a premium service -- you had
| to _pay_ to be private.
| p49k wrote:
| Sure, but you weren't in the white pages if you weren't
| already paying for a phone. At that point the question of
| whether you're getting a discount for agreeing to be in the
| book, or paying not to be in the book is just an arbitrary
| distinction.
| aazaa wrote:
| > And I don't think they had location/address
|
| They most definitely did have addresses.
| pvaldes wrote:
| This info had a logical purpose also. Phone books without
| location and address would be mostly useless because lots
| of people share the same name.
|
| To find the phone number of a friend having just "John
| Smith, USA" would be impossible (or would annoy thousands
| of people and require months of calls).
| jiveturkey wrote:
| > you could opt out of the phone book.
|
| Which cost money! Being listed was gratis.
| tiernano wrote:
| > Fair, although you could opt out of the phone book. (And I
| don't think they had location/address, though it's been so
| long now that I can't remember for sure.)
|
| you can opt out of Facebook too... and Irish phone books had
| addresses...
| reaperducer wrote:
| _you can opt out of Facebook too_
|
| This is not true.
|
| Facebook builds profiles about millions of people who have
| never had a Facebook account. For example, people who
| happened to be in the background of a photograph taken by a
| stranger. Another example: people who installed an app on
| their phone without knowing that it included a Facebook SDK
| that was tracking them.
|
| This is nothing new. It's been discussed in public, and
| even before the U.S. congress.
|
| Personally, I'd love to opt out of Facebook. But I can't.
| Because I can't log in to my Facebook account, and Facebook
| ignores my requests for access. I even did the "send in a
| picture of your government ID" route, and nothing happened.
| So please inform me how I can opt out of Facebook's data
| gathering.
| r00fus wrote:
| Yes, shadow profiles exist and really show how shallow
| Facebook's promises of privacy are:
|
| https://www.theverge.com/2018/4/11/17225482/facebook-shadow-...
| _moof wrote:
| It's not just Facebook. Your phone is tattling on you 24/7.
| ALPRs are recording where you drive. Browser fingerprinting
| is creating a profile on you even if you block ads and
| trackers. Short of never using a computer, there is no opt
| out anymore.
| mitchitized wrote:
| "Ooh, lookit that funny car over there!" - points phone
| almost at your face, takes picture - uploads picture to
| Facebook
|
| You'd literally have to have the kind of Momma that would
| dig a hole and hide you in it at birth to really be "off
| the grid" at this point.
| admax88qqq wrote:
| That's a little different though and I think you know
| it.
|
| There's a difference between information that government
| and big tech is scraping and storing, vs information that
| is publicly available to literally any random person
| online to scrape.
|
| Both are problems, but those are different discussions
| and we started with talking about the issue of truly
| publicly available information. I think that's an
| interesting topic that merits its own discussion without
| falling into the surveillance discussion once again.
| debaserab2 wrote:
| The former can become the latter pretty easily though and
| without any consent through both illegal (hacking) and
| legal (company acquisition) ways. Corporate surveillance
| very much is a part of the problem and you can't talk
| about one without talking about the other.
| _moof wrote:
| A little different, yes, but what I'm saying is that it's
| not substantially different. Once data is collected, it
| won't be uncollected, and all it takes is one hack to
| permanently turn a private database into a public one.
| And the data that's being collected in these private
| databases is often justified on the grounds that it's not
| private information--i.e., if you're outside, you have no
| expectation of privacy. So in that sense it is "truly
| public" information. But what I'm saying is that the
| meaning of public/private has fundamentally changed
| because of the kind of differences of scale we're talking
| about here. In other words, there was a degree of
| implicit privacy afforded by the level of effort required
| to catalog and search "public" data. Whether that data
| comes from public or private _databases_ is, I think, not
| particularly relevant.
| tyingq wrote:
| > And I don't think they had location/address
|
| I lived in a lot of different places in the US in the 70s and
| 80s. All the phone books had residential addresses listed.
|
| This is the format and font I remember:
| https://groovyhistory.com/content/50602/01af8c322a21e50d0b81...
| JohnFen wrote:
| Yes, they did (at least in my part of the US).
|
| But... you could tell the phone company not to list your
| address, and then they wouldn't.
|
| If you wanted to pay a monthly fee for even more privacy,
| you could have your number unlisted entirely.
| Aerroon wrote:
| And because families shared a phone only some family
| members would be listed in it.
| cafard wrote:
| They did have one's address in the phone book. Now, you had
| to have a decent city map, and some sense of the city
| numbering scheme to know where that address was.
| [deleted]
| pelotox wrote:
| This happens in data regulatory contexts. There are varying
| degrees of PII (Personally Identifiable Information) and
| different rules around securing it.
| [deleted]
| loudmax wrote:
| > more sensitive personal information (like social security
| numbers or other government ID numbers)
|
| I tend to think that there should be a publicly accessible,
| unique, and more or less immutable ID number for every citizen
| or resident. This ID would have pointers to our name, birth
| date and a few other identifiers that shouldn't really be
| considered secret.
|
| My concern is that the absence of such a unique ID leads to a
| mess of overlapping systems in which only large organizations
| with the resources to track everyone will be able to uniquely
| identify people. So we'll have a degree of anonymity from
| random other individuals, but not from banks, tech corporations
| or the government. Computing power is becoming too cheap and
| ubiquitous to effectively hide information that isn't
| explicitly confidential. That is, as a society we need to
| adjust to a paradigm in which it is more expensive to keep
| information confidential than to allow it to be public.
| Especially keeping information private from those with deep
| pockets.
| Aerroon wrote:
| And why exactly would everyone being easier to track be
| helpful to the actual people themselves? I don't want
| Facebook to have that information. I'm even less interested
| in some random small business having it.
| moolcool wrote:
| I think that information increased in sensitivity because
| technology that gives us instant access to it also allows it to
| be exploited in different new ways. Like there's no machine
| that can take a paper phonebook and call everyone in it with
| customized spam messages, but you can trivially do that with a
| CSV file and 20 lines of python.
| lmilcin wrote:
| > So basically, everything I used to be able to get in a phone
| book. Honestly, at this point all of that information should
| just be considered public, because it obviously is.
|
| I am honestly shocked at your proposal.
|
| In a real paper book you had a choice not to get your number
| published.
|
| Have you put any thought into people who are maybe running
| from an abusive spouse, or any other people who have reason not to
| have their location data broadcast to the entire world?
| imglorp wrote:
| Strong disagree.
|
| > Name Email Location Gender Phone number User ID
|
| It's never about one item of information released: it's about
| the aggregation and linking potential. Name/location/phone
| together form a pretty decent unique identifier. FB obviously
| gives you friends, interests, hangouts, and most importantly,
| photographs; none of which you had before.
|
| After aggregating with other databases is when the harm comes.
| slyrus wrote:
| The new phone books are here!!
| dataflow wrote:
| > So basically, everything I used to be able to get in a phone
| book.
|
| Your phone books had your login usernames and emails?
| throwaway78981 wrote:
| This isn't true. The phonebook we had had only Name, Phone
| number and very broad location. Also those days, phone number
| was just that - a phone number. Nowadays it's a unique
| identifier for lots and lots of things including government
| stuff. Some government stuff even uses it for
| authentication/authorization.
|
| Also I guess user ID means it gives access to their fb profile
| page I guess? From there one can scrape pics etc (public ones).
| 1vuio0pswjnm7 wrote:
| "So basically everything I used to be able to get in a phone
| book."
|
| Assuming you had phone books from every city/region in every
| country. That's a lot of phone books so you must have had a
| large warehouse to store them all. Then there is the fact that
| phone books did not list a number for every individual. Multiple
| persons routinely shared the same number.
|
| The comparison sounds apt in theory but in practice it isn't.
| Try looking these Facebook users up in the phone books of their
| respective locales, via the telcos' online phone books or
| directory assistance. Then, using what you find, tell me their
| email address, gender and Facebook user ID.
|
| Good luck.
|
| The problem with this argument, "all email addresses are
| public", which I see regularly on HN, is that information does
| not become "public" and lose its "private" designation if it is
| published without consent or lawful purpose. If someone steals
| secrets and publishes them, they are still secrets.
|
| Whether this information from Facebook is truly "private" I
| cannot say but I do think it is possible to have email
| addresses that are not made public.
|
| The recent NSO iMessage story was interesting because the
| exploit seemed to rely on NSO getting lists of mobile phone
| numbers for the targets. Not email addresses. Yet iMessage will
| work without a phone number, with no SIM inserted. Perhaps the
| targets chose to use phone numbers for iMessage, not email
| addresses.
|
| Consider what happens if someone creates a Gmail address but
| never uses it to send mail, and never shares the address with
| anyone, except Facebook. If this person does not make their
| Facebook profile public, how is this address public
| information? Google does not publish a list of every Gmail
| address. According to the logic of the parent comment, they
| might just as well. Email addresses are "public", right?
| Because some HN commenters think they are.
|
| What happened when someone scraped Apple's servers to obtain
| the email addresses of Apple iPad users? Did federal
| prosecutors think the information was "public" or "private"?
| The media called the incident "theft of e-mail addresses".^1
|
| 1. http://www.nbcnews.com/id/41196595
| twobitshifter wrote:
| With a land line phone number from a phonebook, criminals can't
| do much. With a smartphone number they can hack phones,
| potentially steal bank accounts, track their location and on
| and on.
| StringyBob wrote:
| As an example, my parents have been bombarded with calls from
| a scammer who it seems only has their phone number and email
| address, but that's enough to give away their full names and
| the name of the ISP, so the scammer is using it to call and
| pretend to be the ISP support trying to trick them into
| giving up 2FA codes from password reset attempts they do at
| the same time while calling that phone. You don't need much
| info to go a long way!
| barbazoo wrote:
| Sounds a bit like moving the goal posts to me.
|
| You were able to opt out of phone books and they also didn't
| contain email and gender.
| ChainOfFools wrote:
| also, older FB accounts (and maybe even some recently created
| ones?) could easily use handles instead of real names or even
| real initials. this leak can therefore establish or confirm a
| mapping between someone's online and offline identities,
| which wasn't a risk associated with phone book listings.
| robbyking wrote:
| Absolutely. Most engineers who work with sensitive data already
| know that there are tiers of data sensitivity (Public,
| Personal, Private), and that info like SSN and CCN are _more_
| private than, say, gender or marital status.
| paulpauper wrote:
| Couldn't a social security number be easily bruteforced anyway?
| jeffbee wrote:
| Yes. SSNs are distributed by year in blocks that are granted
| to hospitals. If you know a person's year and place of birth
| you can brute force them. For example if you wanted to
| generate plausible identities you could just use a common
| Jewish last name and get the SSN block from a major hospital
| in NYC for a high birth year. Say, 1955. The odds that you
| will be able to guess the SSN for Abraham Goldstein born in
| Manhattan in 1955 are going to be pretty good, especially if
| you have some oracle that will let you guess several times.
| robbedpeter wrote:
| 10,000 is probably going to be the largest number of
| guesses needed, and if you have prior knowledge, like a
| distributed set of ssns from the same year and location,
| you can reduce the practical effective number of guesses to
| a few dozen.
|
| The freely available databases of pii in the wild can be
| used to infer anything missing from releases like this, and
| that stuff can be used to inform probabilistic password
| guesses, and so on. It's only a matter of time before deep
| learning models make most common password based security
| measures completely transparent and obsolete.
| themdonuts wrote:
| The comment is good, but your username is excellent.
| LeifCarrotson wrote:
| > _If anything I think people are grappling with the fact that
| the Internet just makes data scraping and processing possible
| on a scale previously unimaginable, and that's really what
| people have an issue with, but I don't think there's a great
| answer to that. I mean, it's one thing to say the front of my
| house is public info because anyone can come by and take a
| picture, but it sure feels different when a high resolution
| photo (or heck, video feed) can be posted online that is
| instantly available to billions of people._
|
| From your example, it's another thing to have a high resolution
| photo or video feed of _everyone's houses_ and to, say, send
| them ads for painting services if the trim looks out of shape.
|
| I think the important thing to get in the public consciousness
| is that scale alone is sufficient to make information
| processing fundamentally different than a human interacting
| with a single data point. Looking up one person in the phone
| book and calling them or sending them a letter is different
| than scanning the entire book, robocalling everyone in it, and
| sending junk mail to all of them. The fact that the former is
| accepted and that the latter is merely the former repeated a
| million times does not make the latter permissible. The former
| was accepted because the way the world worked meant that it was
| simply intractable - an economic nonstarter, a physical and
| logical impossibility, humanly infeasible - to abuse it into
| spamming a million people.
|
| For another example, license plates are public, required to be
| visible on your vehicle on public roads. Prior to license plate
| scanning technology, a cop could have tailed a suspect and
| radioed their vehicle description and license plate to have
| other detectives and officers disperse to intersections and
| track a vehicle through a city, and depending on the nature of
| the problem, they could spend a few hundred dollars to dispatch
| a helicopter to chase it across the freeway. They could
| conceivably tail a non-suspect, but that wouldn't make any
| sense, they were constrained by limited resources to only use
| this ability for a select few vehicles. That was how the world
| worked. Later, automated license plate readers were developed.
| With cameras deployed across every intersection in a city, it
| would be feasible to track all motions of every vehicle at all
| times; it would likely be cheaper and easier to do so than one
| year's expenses of deploying personnel to do so manually.
|
| That information should be considered public, because it
| obviously is, but what a person is allowed to do with public
| information should not be limited only by what they're able to
| do with it.
| sabellito wrote:
| Perhaps this insanity you're describing is true for the US. It
| doesn't necessarily account for the remaining... 1.2B people
| who had their info leaked.
| normaler wrote:
| My neighbour who is 87 years old has all the phone books from
| the late 50s-mid 60s. I checked my grandfather and it listed
| his address, phone and occupation.
| suyash wrote:
| The best thing for everyone who has an account on any FB-related
| property is to change your password as soon as it's back. Then
| don't use the old password anywhere; if you do, change those too.
___________________________________________________________________
(page generated 2021-10-04 23:01 UTC)