Facebook has a hidden tool to delete your phone number, email (businessinsider.com)
256 points by elorant on Nov 1, 2022 | hide | past | favorite | 127 comments


> "You can ask us to confirm whether we have your phone number or email address," the firm states. "If we do, you can request that we delete it from our address book database. To prevent it from being uploaded to this database again through someone's address book, we need to keep a copy in our block list."

I wouldn't doubt if they remove your information from their "address book database" and add it to one or more others where they keep it forever. There's zero oversight, and zero accountability. It makes no sense at all to just assume that facebook will do anything they aren't forced to when not doing that thing could make them money. Facebook doesn't care about you, your privacy, or even the law. Facebook cares only about facebook.


Not too dissimilar from Google Analytics official global opt-out browser extension. It injects a consistent/unchanging item into the global window scope of every single page you visit.

https://tools.google.com/dlpage/gaoptout/index.html

License prohibits sharing its code so I won't - setting a good example for our artificially intelligent friends :)


Fuck the license, here's the code it injects:

  /* Copyright 2010 Google Inc. All Rights Reserved.
     http://tools.google.com/dlpage/gaoptout/intl/en/eula_text.html */
  (function () {
    // Build an inline <script> and prepend it to <html>, so it runs before any
    // page script. It defines window._gaUserPrefs.ioo(), the opt-out flag that
    // the Google Analytics tracker checks; the value is the same on every page.
    var a = document.createElement("script");
    a.type = "text/javascript";
    a.innerText =
      'window["_gaUserPrefs"] = { ioo : function() { return true; } }';
    document.documentElement.insertBefore(a, document.documentElement.firstChild);
  })();


Looks like a really convoluted way to add a "tracking disabled" mark. But I don't see any more than a bit of information on it.


> Fuck the license

Exactly. If you don’t want it shared, then don’t inject it in the first place.


"License prohibits sharing its code so I won't - setting a good example for our artificially intelligent friends :)"

What if the person sharing it is not a licensee? License terms would only bind licensees, assuming the purported licensee has properly assented to the license terms.


In which case that person would have no license to use it at all.


posting code to a forum isn't using it though since the code isn't executed


It's actually the other way around. Copyright doesn't regulate use, but it does regulate distribution. Posting it without permission is a copyright violation.


change a couple of var names, and you're good to go

also, fair use would definitely apply in this case as it's not the entire work and is a small sample. nothing different than playing a small clip/scene from a movie in a review write up. and commentary is definitely being had around said snippet


Exactly - Google themselves have been making use of fair use for a while with news excerpts…


There were also the pages of the books they scanned and made available, which was pretty egregious. The snippets of webpages they display in search results so that users never actually have to click through to the actual website so they can get those precious impressions.

Just Googs being dicks to everyone, essentially


I'm sure our artificially intelligent friends give precisely zero fucks what you do and will steal your shit with impunity. If you do crime on a large enough scale, it's called innovation.


> It injects a consistent/unchanging item into the global window scope of every single page you visit

Confused, are you saying they inject a unique ID or something? Do you have an example of what they insert?



Would you mind explaining what's wrong with that code? I'm especially confused how it's similar to Facebook saving purportedly your info when you opt for erasure.


There's nothing wrong with that code, though it is a potential fingerprinting vector.


> we need to keep a copy in our block list.

If only there was a function that was deterministic, but somehow incredibly difficult to invert, that would sure make a hash of this requirement to store things you're required not to store.


Sure, there are hashing functions, but with a search space that is as small as a 10 digit phone number it is easy to create rainbow tables that cover them all.

Signal has spent some time thinking about this problem, see https://signal.org/blog/private-contact-discovery/


Multiple hashing rounds or bcrypt would likely be a fine solution for this


Even if you tweak your hashing algorithm to take 1 second on a fast CPU, you get 31 years of CPU time to search the entire space. That's simply not enough! And going beyond 1 second is probably also not practical.


Pray tell the details.


Yeah I initially thought as GP, perhaps some salting, hence my comment above. But the only salt worth its salt (sorry, had to) would be the number itself. Otherwise, you’d need a database associating the number with its salt. And if you use the number itself as the salt, then rainbow tables it is.


Apple does this. It is even more frustrating! If you ever had two Apple accounts, and close one, you can _never_ add the e-mail from the deleted account as an alias to the remaining account.

You can imagine the headaches this causes.


I ran into this myself. It's even more frustrating that they don't warn you about it upfront when closing the account (at least they didn't back when I ran into this).

I was hoping to start over with a fresh account and instead ended up having to create a new email alias in Outlook to use to create a new Apple account - luckily I used an alias the first time as well so the impact wasn't as bad.


Apple support suggested I "simply change my e-mail address". Sure! I will just contact everyone I have ever known, and ask them to update it. Oh and every website I have ever created an account on! sigh


Hash functions are only incredibly difficult to invert when the input domain is large, which is not the case with phone numbers. Even if you use a password hashing function that takes 1s to run (and if you need to frequently compare the hash, that's on the high side), you could practically invert the hash of an individual phone number. For this use case making it relatively expensive to obtain a single number in the clear would probably be good enough though.


Salting exists for this reason.


How would that work if someone re-uploads your phone number? If it's not hashed with the same salt, then that wouldn't be blocked?


Well, quite :) I don't see how the thing is supposed to work, given that people get other people's phone numbers when they change number. The only way to actually fix it is to stop uploading a user's contacts to their servers in the first place.


And how exactly would salting fit into matching plaintext phone numbers against a large blacklist?


even with salting it'd be trivial


Spot on, “need a copy for blocking purposes” just preys on public computer illiteracy.[1]

In the devil’s defense, the explanation was probably written by a computer illiterate person.

Then again, there may very well have been this one meeting, where a dev went “hold on, I got an idea to avoid storing the number!”, before being politely but briskly advised to stfu. Not impossible.

[1] littera : illiteracy :: numera : innumeracy :: digita : ildigitacy? Iddigitacy?


Go and calculate how much time it would take to hash every 9-11 digit number...


Salts are a thing for this very reason. And some hashes like scrypt can be parametrized to take time no matter what.

There is no rainbow table entry for 0123456789+=i=i_fy82dnuf720g%2+70)(k$0@*qsijyn9&19n@1r0-l4ee) with 10000 scrypt rounds.

We are not in 2005 anymore, and we have better tools than md5, or even sha1 to do the job.


Salting won't work in this particular case. You need to match plaintext against a blacklist. Salt per entry is too expensive, salt per blacklist is exploitable.


Were it a small company, we would try sharding salts + increasing the number of rounds of scrypt or some mix with a bloom filter.

However, this is facebook. It's not too expensive for them.


how does a salt help?

a salt for a password is when we know the username and the salt so can combine the salt and provided password to compare against the generated hash value.

in this case all we know is the phone number, how does a salt help us look up a given phone number in a set of salted / hashes if we dont know what salt to combine it with?


You shard the number into groups with a salt for each, until you reach a number of combinations that is computable for FB size on a check request, but way too long to pre-generate. You can combine it with some bloom like filter to increase efficiency.


Can you explain that more, as an example? I understand the words, but it doesn't extend to me seeing the design of it.


you are forgetting that this is not just a technical problem.

For GDPR you need to legally prove that you have taken reasonable steps to remove and keep out of your system, the data the user has requested. This means that you need to be able to legally prove you've got a system in place.

Keeping a hash is fine technically, but it's a pain in the dick to defend in court, especially as it's really simple to shower a jury/judge with FUD to make it look like it's not a reasonable step.


Of course, it's not a technical problem. They could keep a hash instead of a copy. But I'm sure people who find the 'hidden tool' and request to have their information removed are interested in specific products, so a list of these people is very valuable to train machine learning models on..


Hashes of phone numbers are unfortunately not actually useful in almost any circumstance. You can trivially reverse them by iterating through every phone number and computing the hash.

Hashes of emails are not quite as useless, but not far off (consider 90+% of emails are at like ~3 domains, and also that lists of vaguely ~valid email addresses aren't hard to get).


This is the same reason hashing an SSN is purely security through obscurity. Anyone with a couple GB of space to spare for a text file can easily perform a reverse lookup.

https://gist.github.com/stouset/4322307


This is why any business that uses SSN as authentication should be liable for any losses that result from fraudulent usage of the SSN, as opposed to the SSN’s owner being liable.


Slow hash function + salt would solve this.. e.g. you'd be lucky to do more than 10 hashes a minute with bcrypt and 20 salt rounds.


Yeah but with hashcat supporting cracking with multiple GPUs, even bcrypts can be cracked quickly now. There are also a ton of cloud cracking services like GPUHash.me and entire cracking forums where ppl crowdsource and help out like HashKiller.


You can try that, but it's really difficult to tune so it's useful. The amount of time the server has to waste computing hashes is too close to the amount of time an attacker has to waste to break at least some of them.

It's just not hard enough to guess a potentially valid phone number. With passwords, hashing only helps because the probability of a valid password is _very_ low, and because you don't need to look up a password, only check if it's the right one for joeblow (so you can salt them individually).


"You can trivially reverse them by iterating through every phone number and computing the hash."

Well yes and no. What exactly is your understanding of a phone number 8)

Not everyone is blessed with the NANP. I'm a Brit and we have an eye wateringly complicated nonsense of a numbering plan and ours isn't the worst.

What do you hash? Perhaps the standardised international representation or one of them (no that is not a joke - telephony is weird). For a laugh you could try one of the many colloquialisms. For example a UK number might be 00441395112233 or 441395112233 or +44 (0)1395 112233 - the final part might be displayed as 112 233 or 112-233. Imagine if the database works by operating on all numbers in locally correct colloquial mode and hashes that!

Now let's really get silly: There are hashes that are nasty to compute but easy to check and vv. We'll use whatever is indicated.

Anyway this is all a very well researched problem, there is no need for silly games: passwords.


This data is normalized before it's even saved to the database.

You cannot send an sms to "+44 (0)1395 112-233", so they remove the stuff in parenthesis, the dashes, spaces, etc. first, and then store.
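A normaliser of the kind the reply above describes, written as an added example (not code from the thread or from any Facebook/WhatsApp system). It collapses the UK spellings listed a few comments up into one canonical form before hashing; the prefix handling and the 10-digit national-number bound are simplified assumptions made for the illustration:

```python
import hashlib
import re

# Longest national significant number accepted (UK and NANP both use 10 digits).
# Assumed for this example; a production normaliser would use per-country rules.
MAX_NATIONAL_DIGITS = 10


def normalize_phone(raw: str, default_country: str = "44") -> str:
    """Collapse the colloquial spellings of one number into a single canonical
    form: country code followed by the national number, digits only (E.164
    without the leading '+'). default_country is the calling code assumed for
    numbers written in national form."""
    s = raw.strip()
    # '(0)' after a country code is a display convention for the UK trunk
    # prefix; it is never dialled internationally, so drop it before the
    # generic separator strip below would turn it into a stray '0'.
    s = re.sub(r"\(0\)", "", s)
    # Remaining separators: whitespace, dashes, dots, parentheses.
    s = re.sub(r"[\s\-.()]", "", s)
    if s.startswith("+"):                 # explicit international form
        digits = s[1:]
    elif s.startswith("00"):              # ITU international prefix (UK, EU)
        digits = s[2:]
    elif s.startswith("0"):               # national trunk prefix
        digits = default_country + s[1:]
    elif s.startswith(default_country) and len(s) > MAX_NATIONAL_DIGITS:
        digits = s                        # already carries the country code
    else:
        digits = default_country + s      # bare national number (NANP style)
    if not digits.isdigit():
        raise ValueError(f"not a phone number: {raw!r}")
    return digits


def canonical_hash(raw: str, default_country: str = "44") -> str:
    """What a block list would actually store: a hash of the canonical form,
    so every spelling of the same number yields the same lookup key."""
    canon = normalize_phone(raw, default_country)
    return hashlib.sha256(canon.encode()).hexdigest()


def all_same(forms, default_country: str = "44") -> bool:
    """True when every spelling in `forms` normalises, and so hashes, to one key."""
    return len({canonical_hash(f, default_country) for f in forms}) == 1


if __name__ == "__main__":
    uk_forms = ["00441395112233", "441395112233", "+44 (0)1395 112233",
                "01395 112-233"]
    print(normalize_phone(uk_forms[2]), all_same(uk_forms))
```

The practical consequence for the hashing debate is that spelling variety adds no entropy: whatever the user typed, the stored key is the hash of one fixed string.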


Phone numbers get complicated, yeah, but US numbers are pretty trivial (and so are they in several other places, and even for UK it's just more annoying, not really computationally harder).

So at _best_ the security analysis is: "okay, all US phone numbers and a bunch from other places might as well be in cleartext", which is already broken enough that it's basically useless.


So normalise the data first? Your comment literally makes no sense at all.


Hash and salt


While a secret salt is effective in the short term, it's an un-rotatable value. Which means, if the salt gets leaked, you are screwed (or rebuilding the entire table by brute forcing it, or adding another layer of salting - not great!).

For a company operating at Facebook's scale, with their kind of scrutiny around handling PII, this is unfortunately functionally useless.

For some data types where hashing isn't super effective, and where associative identifying information is attached (such as a user id), a more effective mechanism might be to encrypt the data with a strong random value appended, and decrypt to do the lookup. This would require a correctly provisioned HSM to do properly - the private key secrets should NEVER be exported.

While hashing seems like a good idea, it's actually particularly and deceptively tricky for these kinds of use cases.


I would say it's better than doing nothing though.


It's complicated. Your local security engineer might be wringing their hands about this. Definitely an avoid at any cost kinda situation.


If you salt, then either you can't lookup a number, or you've only changed the problem to: iterate over all the possible phone numbers, _add the salt_ and hash them. No big difference.


The salt doesn't buy you anything, given that Facebook also knows the salt.
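The two comments above say that a salt the operator itself knows buys nothing, and that a secret salt only moves the problem to protecting that secret. As an added example (not code from the thread), this measures both cases over a constructed toy number space; the domain, the block list and the keys are all made up for the demonstration:

```python
import hashlib
import hmac
import secrets

# Constructed toy domain: a fictitious +1 555 area code, first 10_000 of its
# 10_000_000 subscriber numbers, small enough to run instantly. The real US
# space (about 3 billion numbers) is only ~300_000 times larger, and the cost
# of enumerating it grows linearly with that factor, not exponentially.
SPACE = [f"1555{n:07d}" for n in range(10_000)]
# Constructed block list: every 97th number in the domain.
BLOCKED = SPACE[::97]


def sha256_block_list(numbers):
    """Naive design: store sha256(number) and look numbers up by hash."""
    return {hashlib.sha256(n.encode()).hexdigest() for n in numbers}


def recover_from_sha256(block_list, candidate_space):
    """Defender's self-assessment: enumerate the input domain once and see how
    much of the block list falls out. No secret is involved, so anyone holding
    the table can do the same; the only cost is one hash per candidate."""
    recovered = {}
    for n in candidate_space:
        h = hashlib.sha256(n.encode()).hexdigest()
        if h in block_list:
            recovered[h] = n
    return recovered


def hmac_block_list(numbers, key):
    """Keyed variant (a 'secret salt'): store hmac_sha256(key, number).
    Lookups still need the same key, so the operator must keep it online."""
    return {hmac.new(key, n.encode(), "sha256").hexdigest() for n in numbers}


def recover_from_hmac(block_list, candidate_space, key):
    """Same enumeration against the keyed table. It succeeds for whoever holds
    the key (the operator, or anyone the key leaks to) and recovers nothing
    with the wrong key; that key is the entire security margin."""
    recovered = {}
    for n in candidate_space:
        h = hmac.new(key, n.encode(), "sha256").hexdigest()
        if h in block_list:
            recovered[h] = n
    return recovered


def demo():
    """Return (plain, keyed_wrong_key, keyed_right_key) recovery counts."""
    plain = sha256_block_list(BLOCKED)
    key = secrets.token_bytes(32)            # the operator's long-lived secret
    keyed = hmac_block_list(BLOCKED, key)
    wrong_key = secrets.token_bytes(32)      # an outsider without the secret
    return (
        len(recover_from_sha256(plain, SPACE)),
        len(recover_from_hmac(keyed, SPACE, wrong_key)),
        len(recover_from_hmac(keyed, SPACE, key)),
    )


if __name__ == "__main__":
    p, k0, k1 = demo()
    print(f"blocked={len(BLOCKED)} sha256 recovered={p} "
          f"hmac wrong-key={k0} hmac right-key={k1}")
```

Against the operator itself the keyed table is exactly as transparent as the plain one, which is the point of the comment above; against outsiders it holds only as long as an unrotatable key does.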


There are only about 3 billion valid US phone numbers. How many hashes can your GPU compute per second?


Back of the hand math, and some benchmarking, suggests that a consumer laptop GPU from about 2015 could bang it out in a month. And, that's being (extremely) pessimistic.

(Assuming a GPU takes .001s to do a sha3 hash, which is more than double the actual benchmarks).

I would estimate that a single, high end GPU from the last or current generation could probably chew through it in under a week.


One can easily devise a hash function that a GPU can only compute once per second. Or per year, even, although that would be impractical.


Most people crack with multiple GPUs. For example, I have a 5 GPU (3080s) rig that I used for mining ETH but now can use to crack with hashcat. tl;dr crack fast af boiii.


How could I match an incoming unhashed value to an existing salted hash?


hashcat


I wonder what happens if someone blocks their phone number, then switches it.

Will the re-used number be blacklisted forever with a hash scheme?


That's my thought as well. Maybe they should just stop using phone numbers for discovery purposes.


They used to backup to Blu-Ray, so there's that.

http://www.businessinsider.com/facebook-uses-10000-blu-rays-...


it's like cookies. to refuse cookies you "have to" accept a cookie saying you refuse the other cookies.

the difference between the "address book" and the "block list" is that one can be used for marketing/targeting purpose. the other one presumably is on the other side of a chinese wall (could easily be so under FTC condition) where FB can't use it for said purpose. this would generally serve the intended purpose of "removing" your phone number.

your other contacts that felt they should upload an address book in the first place may find surprise or random inconvenience that they can't upload your number.


It most probably flips a boolean flag in their db. is_hidden=True. Done.


Changes to the interpretation of Section 230 are coming.

Desperately-needed, long overdue "regulation" will come in the form of liability for mega-sized websites like Facebook that choose to algorithmically curate and use other web users' content to generate profits.

People who develop free, open source alternatives for communicating directly over the internet should be ready for a possible mass exodus away from using so-called social media websites for communication.

The Twitter mess is only going to make it more clear to everyone, including Supreme Court justices, that "social media" is a moral hazard, not a legitimate business model.

Granted, I could be wrong. Time will tell.


> To prevent it from being uploaded to this database again through someone's address book, we need to keep a copy in our block list.

Don't they know hashing at facebook?


To be fair, hashing phone numbers is mostly pointless since the search space is too small.


They also seem to care about fighting windmills in VR.


Yeah, I have a better idea: They should be mandated to not collect PII from third parties. They have no business giving you my phone number or email, and Facebook has no business hanging on to it.


The "third parties" are usually Whatsapp users who have your phone number in their contacts on their phones (Whatsapp belongs to Facebook). This is how Whatsapp can automatically connect with everyone you have in the contact list.

So, if you do that, Whatsapp will stop working.


> The "third parties" are usually Whatsapp users who have your phone number in their contacts on their phones (Whatsapp belongs to Facebook). This is how Whatsapp can automatically connect with everyone you have in the contact list.
>
> So, if you do that, Whatsapp will stop working.

Not really.

Whatsapp should access your contacts on your local devices without sending them to servers. There is no valid reason to do it any differently. It is up to the users to make sure their contacts are in sync on all their devices.


Well, there will be no business sense for Facebook in deploying a free service like that if it doesn't bring along some business value.


Then Facebook should cease to exist. Nothing of value will be lost. Seriously: People should stop making excuses for the Free Market For Surveillance. Anyone who "needs" to violate my privacy to make a buck needs to get a job instead.

In all seriousness: Society had an advertising industry for well over a century that didn't require jamming a porkoscope up your ass and everyone got along just fine. Just because one can invade the privacy of billions with impunity nowadays does not by any means imply that you should.


Yes, and people were happily reading news in newspapers for centuries.

Targeted advertising exists, it is legal everywhere, and we are way past the point it could be put back in the bottle. What still can (and should) be regulated is privately identifying information management, and so far things are improving in this direction.


Targeted advertising is invasive of my privacy, and it doesn't matter if it's legal everywhere -- lots of things are legal everywhere and remain ethically abhorrent -- and insofar as every single user retains control of their individual machines we can put that genie back in the bottle right now just by installing an ad blocker which, in case you haven't noticed, more and more people are doing precisely because of this entitled attitude towards users' personal information. As long as people think that they are entitled to my information I will continue to both use an ad blocker and recommend ad blockers to everyone I know. Stop being nosy.


Whatsapp can continue working just fine without this. All you have to do if you want to connect with me on Whatsapp (or anything else) is email me and ask what my account name is, and I either give it to you or I do not. Problem. Fucking. Solved. There is no justification for violating my privacy.


I love the idea. Now we need to convince lawmakers.


Already done in Europe.

Digital Markets Act will start going into enforcement next year.


The concept of some big tech company having your first name, last name, email address and phone number just because one of your friends or acquaintances or casual business contacts was dumb enough to click "yes, I agree" and share the entire contents of their address book needs to have a full stop put to it. By law if necessary.

This is the same thing as when people install the LinkedIn app on their phone and allow it to trawl through their entire contacts list. Even if you have no relationship with LinkedIn at all and refuse to use on general principles, surprise, now they know who you are.


You realize everyone who has a Google account on their phone (90+% IMO) have already shared this and a lot more with GOOG, right ?


> Something went wrong

> We were unable to process your request. Please try again.

  {
    "data": {
      "xfb_contact_removal_send_confirmation_code": "VERIFY_NOTIFICATION_SENT_ERROR"
    },
    "extensions": {
      "is_final": true
    }
  }
I'm guessing this is not a service they planned on scaling.


Removing my phone number worked (it was there even though I deleted my FB a long time ago), but I am getting the same error for email removal.


It looks like a scam. I never confirmed my number, but they need to send an SMS to it so they can confirm it.


This instantly reminded me of this: https://i.imgur.com/nAoc3cO.jpeg


Nice thing about this is how easy it is to implement. But if it ever says 'no' then there is a bug.


>I never confirmed my number

you don't need to. they probably got your number by scraping your friends'/acquaintances' contact lists.

>Someone may have uploaded their address book to Facebook, Messenger or Instagram with your contact information in it. You can ask us to confirm whether we have your phone number or email address.


sufficiently advanced or trick-the-user FAANG data privacy violation methods are indistinguishable from scams.


If they didn't have it before, they sure as hell have it now after you just put it into that form ;)


It's not a secret. You can google any product name plus "CCPA" and you'll get an email address for a legally binding request to delete data.


For some reason https://www.facebook.com/legal/policy/ccpa doesn't open for me. Is this only for California residents?


Different page for different parts of the world:

Most of the world sees this: https://imgur.com/a/gGw9nOD

EU sees this (same empty nothing under this): https://imgur.com/a/iJhdgmD

And the US sees this (at least from all AWS regions): https://imgur.com/a/2DCrNFd


It opens for me in California, so I can't refute your hypothesis.


Not in California, doesn't open for me.


More anecdata suggesting FB only does things they are forced to do.


I wonder though how they know I don't reside in California. They don't have my address, maybe information about where I log in from?


Probably IP geolocation? Try on Safari with the privacy vpn-like thing?


I've read the CCPA sections of privacy policies, and it's (designed to be?) completely unclear what and how to request stuff. There is probably a lot they can be required to do they don't tell you.

I'd love to see a website that details what you can do, and step-by-step how to do it.


There's actually a spec for this, but only like 20% of companies follow it

https://github.com/InteractiveAdvertisingBureau/USPrivacy/bl...

There's also a requirement that you have to delete data from downstream vendors that you've shared customer data with. That being said, I wouldn't trust for a minute that companies are complying with 3rd party deletions


Providers have gotten creative, now requiring you to provide an identity proving you live in California, with an ominous warning suggesting that it is a felony to state you live somewhere you do not.


This is cool, but Facebook already leaked my phone number in 2021, forcing me to stop accepting calls from unknown numbers. It’s too late for deletion now.


I'm going to bet that data isn't just from people who gave access to their address book, it's probably from advertisers as well.

Advertisers can upload a list of mobile phone numbers, email addresses and names to Facebook to ask them not to target these people (for example, existing customers).


Seems broken anyway. I requested it look for my phone number but never received a confirmation code.


Well, they now have your phone number.


Hahaha yes indeed! Although I'm pretty sure they know everything there is to know about me anyway.



It's safe to assume that your data go anywhere and everywhere.


Is that tool really deleting all traces of your phone number from all FB services and data stores or is it just making it invisible for some usages?

Is there an independent audit verifying that the phone number is gone for good from their servers?


Mh, so to delete my phone number you need to keep it? That's a nice way to harvest data from those who care about them and do not think...

A bit like a potential usage for HaveYouBeenPwned...


They don't know who the number belongs to. You can just generate phone numbers and try to call them, they have a fixed format...


The site looks like an elaborate scam to get your phone number lmao


Never registered mine with a phone number to Facebook.

But it got deleted shortly afterward about 2 years ago due to adding a virtual landline phone number.


This is a service to ONLY delete your phone number uploaded from someone else's address book. You are just adding another signal to their data about your attitudes and beliefs.

Read the text carefully - https://www.facebook.com/contacts/removal


lol so you can basically ask to drop a column from a contacts table and have it be added to a blocked table instead.


I find it hilarious how you will "voluntarily" enter your phone number or email into their service to check if it already exists! I might be paranoid, but what prevents FB from storing this new data if it is not already there?! I think this sort of behavior should be clearly articulated in the next update of the GDPR if it is not already addressed.


Well they do in fact store it. They even tell you they will store it in a block list.


update users set phone=null, email=null where id = <id>


Delete from FB.id where email in FB.email or phone == FB.phone; commit;


Shouldn't they delete your posts and likes too?


An outer join?


Cool, you just deleted every event you attended and every photo you commented on.

Deleting stuff is complicated work :-)


Is that bad for FB?


To answer your question:

Why would they, if they didn't have to?



