BrianKrebs

I mean, think about this for just a sec: LinkedIn, Twitter, SnapChat, Instagram, the list goes on and on. The VERY first thing these platforms will do after you've installed the app and logged in is to ask you to share all of the information in your address book. Ever wonder how these social networks got so big so fast? It's remarkable how much of their growth is based on convincing everyone it's totally fine and normal to give away all of the contact information given to them by friends, family and acquaintances.

101 comments
Jurjen Heeck :mastodon:

@briankrebs The one & only reason I refuse to use or even install those apps on devices containing address information. I only have an Instagram app on a tablet with zero contacts.

Christian Fomm

@jurjen_heeck @briankrebs

Even if you have never been registered on Facebook etc.: Facebook knows your mobile number and mail address because other people have already uploaded them.

You can delete your phone number/mail address from Meta's database via the following website:

facebook.com/contacts/removal

Shannon

@fomm @jurjen_heeck @briankrebs is there one for LinkedIn? I purposely deleted my original LinkedIn account to get a fresh restart with no connections. When I created a new LinkedIn account and instructed it not to be found via email or phone, I was still located by people who had my contact info.

Jurjen Heeck :mastodon:

@shecantech @fomm @briankrebs Same issue. LinkedIn occasionally pushes me to invite people to join LinkedIn based on such network knowledge.

Shaun Dyer

@jurjen_heeck @briankrebs @fomm Thanks for the link that’s really useful. I wonder if the other big tech companies have something similar

David Penfold :verified:

@fomm @jurjen_heeck @briankrebs it seems to work for mobiles and landlines, but refuses to allow me to select email (FF on Android)

Jan Schaumann

@fomm @jurjen_heeck @briankrebs

Fun fact: the mail server(s) Meta uses to send the confirmation email are in Spamhaus's Block List...

Eric Beaudry

@fomm @jurjen_heeck @briankrebs is this trustable? Or is it only a new way to get more emails & phone numbers? I was just about to submit my phone number when that “internal skeptical me” got a hold of my thumb.

Gomphotherium

@EricBeaudry @fomm @jurjen_heeck @briankrebs I clicked on the provided link and, at least in german, it says that if you request your phone number or email to be removed, they "have to keep a copy in their blocklist" so they will not be uploaded again by another user.

I wonder if that's legal? (EU?)

My phone number would just change the database (maybe idk, they talk about blocklists), how can I trust them that it's only used for blocking? And what if I just want them to absolutely not have it?

Chris

@EricBeaudry @fomm @jurjen_heeck @briankrebs

I did this last year and tbh, I was skeptical but I knew they already had it so if submitting it this way can stop others uploading it and it being used then it was worth a try

It's not like I was giving facebook any information that they hadn't already stolen from friends and colleagues

Jack Yan (甄爵恩)

@fomm Thank you, that is immensely useful. I gave my cell number to my dentist (Lumino) a few years ago, as they insisted I could not use my land line, then found through their contractorʼs T&Cs (which I was never shown at the time) that my personal data had been sold. Itʼs a number no one outside of family and friends should have. This is a start in getting rid of it from databases.

@jurjen_heeck @briankrebs

skry

@fomm @jurjen_heeck @briankrebs

This page isn't sending me the text message required before it will remove my phone number. Just one more disservice from FB.

Phil Landmeier

@fomm @jurjen_heeck @briankrebs Um, ten years ago, Facebook stated that they never, ever delete anything. Deleting your account, which I did eleven years ago does nothing but de-activate the account. Nothing is deleted. Facebook said that its systems are designed in such a way that they are unable to actually delete anything, nor any mechanisms in place to enable them to determine what needed to be deleted.

Deletion is not a thing at Facebook.

JudeNunga

@fomm @jurjen_heeck @briankrebs

lol if FB didn't know it before, they will when you give it to them to find out if they have it. How would you know if it's actually been deleted? It's not like FB is the most trustworthy of businesses.

DELETED

@fomm And with this you add it to another Meta database... 🤔
@jurjen_heeck @briankrebs

Louis Ingenthron

@jurjen_heeck With modern phones, you can just deny them the permission to access the data.

Callisto

@jurjen_heeck @briankrebs Yup. I created an Insta account a few years ago to follow some local organizations, but never posted until they started letting you do that from the web.

imdat celeste of Tau Ceti :v_nb: :v_tg: [NaG • NaB]

@jurjen_heeck (A little advertising, please bear with me)

With our messenger “Ginlo” (@ginlo) we thought very long about this.

We also ask your permission to check if any of your contacts have Ginlo accounts. But we do it this way:

When someone creates a Ginlo account and provides contact information (they don’t have to, but they can) such as a phone or mobile number, we store that information on the server only for the briefest of times to confirm it (send a code to that mobile or email). Then we destroy it on our servers. Instead, we generate a `bcrypt` hash with a salt out of that contact information (never reversible back to the contact data) and store it linked to this Ginlo account on the server.

If then someone else creates an account and they give us permission to check if any of their address book contacts exist on Ginlo, we create similar hashes for each mobile phone and email address from those contacts LOCALLY ON THE USER’S DEVICE and send only these bcrypt hashes to the server.

The server then responds with the hash + account-guid if it could find any account matching that.

The server NEVER EVER stores those hashes from your address book (and even if it did, they are just hashes, meaning one-way only).

This way, you *can* (if you want) let Ginlo check if any of your contacts have a Ginlo account WITHOUT EVER HAVING TO FEAR that we save any of those contacts on the server. We don’t want that, because we have no tracking, no ads, no nonsense. Ginlo Private is free of charge. The company makes money with the “Ginlo Business” version, where companies or businesses pay a monthly fee.

Of course, with this approach we cannot tell you “Hey, your contact ‘X’ has joined Ginlo” … but that’s a really cheap price to pay.

To us, you are definitely NOT the product. The product we sell is “Ginlo Business” (and yes, many business customers require a free private version because they want to be able to talk to their customers, and yes, the business version has a few more perks, but only mostly things businesses need)

@briankrebs
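
The hashed lookup described in the post above, as an added sketch that is not Ginlo's code or part of the original post. It assumes one application-wide salt (without it, equal contacts would not produce equal hashes), uses PBKDF2 from the standard library in place of the bcrypt the post names, and all names, numbers and GUIDs are constructed; the last function shows that a hash of a low-entropy identifier such as a phone number can still be tested against a small candidate range by whoever holds the salt.

```python
import hashlib
import re

# Assumption: one salt shared by every client and the server. A random
# per-record salt would give equal contacts different hashes, so no match.
APP_SALT = b"constructed-demo-salt"
ITERATIONS = 2_000  # demo value; PBKDF2 stands in for the bcrypt named in the post


def normalize(contact: str) -> str:
    """Canonical form, so both sides hash identical bytes for the same contact."""
    contact = contact.strip()
    if "@" in contact:
        return contact.lower()
    digits = re.sub(r"[^\d+]", "", contact)   # drop spaces, dashes, brackets
    if digits.startswith("00"):               # 00 prefix -> international '+'
        digits = "+" + digits[2:]
    return digits


def contact_hash(contact: str) -> str:
    data = normalize(contact).encode()
    return hashlib.pbkdf2_hmac("sha256", data, APP_SALT, ITERATIONS).hex()


class DiscoveryServer:
    """Hypothetical server: keeps hash -> account GUID, never the plaintext."""

    def __init__(self):
        self._accounts = {}

    def register(self, verified_contact: str, guid: str) -> None:
        # Called after the confirmation code succeeded; plaintext is not kept.
        self._accounts[contact_hash(verified_contact)] = guid

    def lookup(self, hashes):
        # Answers from the stored index only; uploaded hashes are not persisted.
        return {h: self._accounts[h] for h in hashes if h in self._accounts}


def discover(server: DiscoveryServer, address_book):
    """Client side: hash locally, send hashes only, map matches back to entries."""
    by_hash = {contact_hash(entry): entry for entry in address_book}
    matches = server.lookup(list(by_hash))
    return {by_hash[h]: guid for h, guid in matches.items()}


def found_in_small_space(target_hash: str, prefix: str, digits: int):
    """Risk check: try every number in prefix + N digits against one hash."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if contact_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    server = DiscoveryServer()
    server.register("+1 (202) 555-0143", "guid-alice")   # constructed sample data
    server.register("Bob@Example.org", "guid-bob")
    print(discover(server, ["0012025550143", "bob@example.org", "+12025550199"]))
    print(found_in_small_space(contact_hash("+12025550143"), "+120255501", 2))
```
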

J$

@briankrebs This is exactly what turned my stomach immediately, and then strengthened my resolve. I’ve also made myself unpopular by raising an eyebrow here and there when actual friends just started giving away my personal info without even as much as a single thought.

DELETED

@js @briankrebs well. Sue them. You have not given consent ...

John Gordon

@briankrebs

There was a brief time that printed White Pages went digital and even national. That was mind blowing. I could see contact information for everyone in the US.

It only lasted a few months I think. Then gradually all White Pages went away.

So the process can reverse.

Francisca Sinn

@briankrebs and how many people say “yes” to sharing that information without a thought.

Karsten Johansson

@fsinn @briankrebs It's done under the guise of finding out who in your contacts also use the app or site. So I'd hazard to say pretty much everyone.

Of course it is used for that, but oh so much more, too.

Francisca Sinn

@ksaj @briankrebs Oh I understand what they say it’s for, I’ve just never said yes, so as to protect both my info and that of my contacts.

Francisca Sinn

@quotesofnote @briankrebs I guess so. I recognize that I’m an outlier, but I’ve never said yes.

DELETED

@fsinn @briankrebs OK, I think "everyone" is too strong. I would dial that back to "far, far too many". I am appalled by how much of their own personal information so many people will give away without a second thought, and really disturbed that someone else gives away my contact information (with or without a thought).

I have never said "yes" to providing contacts, but then again, I haven't even signed up for things like facebook, linkedin, etc.

DELETED

@fsinn @briankrebs And I am aware that despite my attempt to avoid it, most of my "data" is harvested/shared with various actors on-line (when it isn't outright hacked or stolen).

OctoFloofy :Splattershot: :tower_badge: :callie_badge:

@quotesofnote @fsinn @briankrebs as you all mention that I probably allowed too many apps that specific permission already and I don't know if they even still have that. Should probably go around looking which have it and remove it.

Elias Mårtenson

@fsinn @briankrebs I accidentally answered yes for LinkedIn. I wanted to see who in my address book had LinkedIn accounts, but what happened instead was that they sent a contact request to every single person in my address book.

I think they got sued for that thing later.

joy larkin 🌺✨

@briankrebs One thing about this ever persistent social graph building... I'm just more (or less) shocked by the number of long-ago exes who apparently still have my number in their contact lists.

dawnfry

@joy
I keep some of these types of numbers in my phone so I know not to pick up if they call, and I have a heads-up before listening to any message they might leave.

AardvarkSagus

@briankrebs and that’s something I’ve not given any app the rights to.

Dr James J Teeth

@briankrebs

I generally avoid apps unless they provide me a utility that isn’t available through a browser. And then the utility needs to be significant. Social media data mining of devices is a big driver of that.

Proxima Centauri

@jernej__s @briankrebs

Mikko is here in spirit: @mikko the reality is that the Finnish elite and most of the European elite too aren't as bothered by Elon.

In here, Elon news isn't as well covered.

Proxima Centauri

@jernej__s @briankrebs @mikko

That said, they would jump ship like rats when the US Democratic party jump ships.

If US Democratic party elite for some reason finds their way to Mastodon rest of the world elite follows, they aren't that fond of Republican-only Twitter at that point.

jo

@briankrebs And that's the reason I don't use Signal. Doesn't matter how great the crypto is. The app part of it is shit.
(Not to mention relying on phone numbers for identifiers...)

corq

@briankrebs @viss Cool, since we're all the last bastion of good examples, none of us use that tech at all, amirite?

2xfo

@briankrebs I shared my contact details with LinkedIn once because I didn't realize they had scraped that from me somehow and those people weren't already on the service. I felt pretty used when I realized it sent them invites on my behalf.

I never allowed a service to do that again. I care about the privacy of my contacts as much as my own. (I mean, I guess it's still my privacy too.)

Picardy Security

@briankrebs You mean like Zoominfo (which at one point had billboards in California airports) building its business model on people sharing their Outlook contacts forever via a plugin for access to searching everyone else's aggregated Outlook contact info?

Robbie Coleman

@briankrebs it's also the feature that I believe was responsible for Facebook's ability to take the lead from MySpace in late 2009.

Kohan Ikin

@briankrebs You can add Viber to that list! I blocked it from accessing my Android contacts, and yet within seconds of providing my number (and no other details yet, not even name or photo, hadn't finished signup), I started getting Viber messages from old friends who have my number.

Viber insists they don't upload numbers and that what I describe couldn't have happened. Never figured who to report that privacy breach to... but it wouldn't get anywhere anyway, right?

Michel Salim :fedora: :debian:

@syneryder @briankrebs they don't upload your contacts but I bet they let other people who have your number saved find you 🤒

Dave

@briankrebs Remember MCI's Friends and Family campaign and how many hated the spam? Tobe social media was taking notes to improve on MCI's mistakes.

Grant Denkinson

@briankrebs Indeed. I'd never want to do that without explicit permission from every single person and I'm not likely to ever want to ask that. Feels like some apps are not helpful but tripwires to do something bad by accident. They shouldn't be and my operating system should help protect from such leaks by disabling the capability. I do want my contacts manager to let me try to contact someone via a service.

OldHound

@briankrebs I don’t think I’ve ever shared my contacts with any platform. It’s one thing for me to consent to give some of my personal information to these patrons, but completely another if I sell out family and friends without router consent. 🤷🏻‍♂️

Sam Gross

@briankrebs the big weird is that everyone acts like it’s *their* data to share when it really is *mine*

DELETED

@briankrebs in the middle ages the inquisition used to have to torture people for their contact list... Torquemada wishes he had been alive in these times!

Nantucket E-Books

@briankrebs Your post prompted me to delete my Instagram account, which I haven't used in several months. Then I was reminded Facebook makes it almost impossible to delete accounts.

I deleted my LinkedIn a couple years ago.

Michel Salim :fedora: :debian:

@nantucketebooks @briankrebs it should delete as long as you don't log back in during the cool off period right?

Michael

@briankrebs Smells like a story that media outlets should be digging into. Society needs to understand the depravity.

Maddad The Friendly Ghost 👻

@briankrebs

Ya, they are terrible for that. It's one reason I don't have a lot of apps on my phone. Why does a weather app need my contact info?
🤔

DELETED

@briankrebs You have identified the reasons that I do not interact with any of those entities.

alisonborealis

@briankrebs
This was the point where I stopped using Facebook.
When their mobile app made it mandatory to connect with my contact list and messages, I deleted it.
Nobody gets my address book. I wish others were as careful.

Thad

@briankrebs Back when Facebook was starting to get big, I got an e-mail trying to get me to sign up, and giving me a list of people who I might know.

One of them was the father of the girl I'd dated in high school.

I get how that happened -- people shared their address books, and several people I knew would have had the two of us in common -- but it creeped me the hell out. Felt invasive. A sign of things to come.

I never did sign up for Facebook.

wonofone

@briankrebs

if the service is free,
the user is the product

Geoff McGhee

@briankrebs and when I refuse to share contacts WhatsApp only shows my messages by their photo and phone number as a punishment. Fine!

SlightlyCyberpunk

@briankrebs I think these sites have done a lot of damage to people's understanding of privacy and security online with these kinds of tactics. Normalizing over-sharing while also normalizing secrecy. Recently there's been some fuss on here about Mastodon posts being indexed for search...and I've seen several people upset that the posts that they explicitly chose to make "public" are being made available to others. WTF do you think "public" means?? But if you look at traditional social network sites, public posts and public pages AREN'T public. At best they might let you see a short snippet before requiring a login so they can track you and regulate your access to "their" content.

Mastodon is a social network that is actually social.
On Mastodon, public posts are public.
Amazing how foreign those two concepts have become...

Carnildo

@briankrebs Back in 2015, I registered a throwaway Facebook account, and did my best to isolate it from everything else about me: single-purpose email address, only connected over Tor from a browser in a dedicated virtual machine. I guess I succeeded, because Facebook spent the next year and a half harassing that account for a copy of my address book or any other sort of connection to other people.

Carnildo

@briankrebs And I do mean harassment: I've got nearly a thousand emails in my inbox telling me that I "have more friends on Facebook than you think" asking for a copy of my address book, an average of three a day.

Michel Salim :fedora: :debian:

@briankrebs and the Chinese owned WeChat takes the cake: it won't start unless you grant it permission. If you run it in a sandboxed work profile? Your account gets terminated

michel-slm.name/posts/2020-12-

tale

@briankrebs For sadly large values of "everyone" but fortunately not actually "everyone". I bet the various platforms have metrics on how many people agree to it. I wonder whether it is a majority or not; even with a minority doing such sharing, they still suck in a LOT of people's information.

Digital Untertauchen-🤿 🤿

@briankrebs that’s why I stored my contacts for a long time in KeePass on my devices, amidst not using any of the services.
But I am known to them, maybe as honey, or best friend or whatever nick my friends gave me.
Remember: In the first years, facebook loaded the address book without needing permissions. Too late for long term friends.

furranium

@briankrebs told them no every damn time.

The only one that didn’t ask…Signal.

furranium

@briankrebs and by didn’t ask, I mean it went to scraping contacts without consent.

MizzBassie

@briankrebs Everyone always asks for all the information in your address book and asks to track you (at least now they have to ask, before they just did it, permission or not). It’s time to pass some laws about that.

Mikal with a k

@briankrebs
I refer to it as "snitching out all your contacts to surveillance capitalists." Same with installing spyware like Google Analytics on your site. It's snitching and should be thought of and treated as such. And, fuck, you don't even get a lighter sentence for it!

phi1997

@briankrebs That explains why I was confused by the toot that started the thread. I never bother with the official app for any website, and typically don't bother with an app at all.

Sukima (Wiket)

@briankrebs For me it speaks volumes that device manufacturers have to place a share contacts permission prompt in the first place. People don’t typically show up at the town center and start handing out full address books but Tech CEOs sure do. WTH happened to humanity? 😢

Mad A. Argon :qurio:

@briankrebs It is the reason I currently don't share my phone number with most people. I know it would be sent to crappy apps most phones have. LinkedIn, the only corporate service I use, tries to get my number. Every time I log in (I don't often do it anyway) I see these annoying popup windows. They also have something to "import contacts" from an e-mail address; luckily it couldn't scrape anything from Protonmail, even if I accidentally click this or if they would decide to do it the automatic way.

lippyduck

@briankrebs I've been saying the same thing. It's crazy. Surely there's a case for a privacy law to ban it.

Steve Torrente

@briankrebs I still remember those Friendster emails...

™Sıɹ ∀upʎ 🇬🇧

@briankrebs yeah, and I don't do that. Never have, never will. I also do not use any Google products.

Hunteress

@briankrebs I didn't and I don't. There's a reason why I don't confirm YouTube. Don't use a smartie (this horrible phone where everyone can "see" and hear you). And so on. It's enough that banks sell customers' data. Or insurance companies.

Sören

@briankrebs wild that there hasn’t been a notable lawsuit on this

Penny Penguin 🐧

@briankrebs it's shocking how they get to do that, when I download those apps I don't let them get access to my contacts but cause I said no I'm not sure if those apps can still get access to my contacts though

Jana

@briankrebs What I absolutely hate is how I can't even install some applications without consenting to give up all information I have ever known, know, I will know, to allow all accesses and give up your left kidney.

CatSalad🐈🥗 (D.Burch) :blobcatrainbow:

@briankrebs @Infrapink
Pretty sure some of those used to download, then ask... So-and-so is also on FB/Snapchat/etc, send an invite?

Matthieu Weber 🇫🇷/🇫🇮

@briankrebs
I was about to write that LinkedIn never asked me that, but it's because I've never installed any smartphone app for those services.
And regarding Mastodon, what you notice is that Mastodon is not run by a company, so it does not have incentives to monetize everything it can.

Markus Vuorio

@matthieu @briankrebs LI did this too early on. I think they even asked for one's email password in the beginning, to harvest the contacts efficiently.

Matthieu Weber 🇫🇷/🇫🇮

@maakuth @briankrebs That's just wrong 😞. Anyone asking for your password does not deserve your trust.

Matt Stein

@briankrebs I think because Mastodon is built for you to use as you please. The other examples are built for someone else to use you.

I’m surprised we’re not collectively a bit more tired of being the product. 🤷‍♂️

Drezil :butterfly_trans:

@briankrebs Most interesting thing: with GDPR you have to get permission from everyone in your address book to share that information..
But .. well.. you can drag your friends to court over it 🤷‍♀️
Because usually there is a note or checkbox that you confirm you are allowed to share 😅

Exandra

@briankrebs I still recall with pain and shame agreeing to share the contacts of 5 people with LinkedIn to then find out that it shared every address in my address book.

There was no undo.

Chris

@briankrebs

there was a time where I was considering refusing to give my number to friends, colleagues and even some family if they had any facebook products on their phones but I noticed that the problem is bigger than just facebook and it's not feasible to stop people having your number on the basis of if they have certain apps on their phones or not because most apps are privacy invasive

even keeping a number for personal use is problematic because close family have twitter, snap etc

Chris

@briankrebs

I had a thought on the contact sharing issue

I remember seeing an app on F-Droid called Open Contacts that supposedly puts your contacts into a sandboxed database that other apps couldn't access

I've never tried it but it might be worth me having a look at

It wouldn't stop others uploading my details but may lock things down on my end

Kio

@briankrebs@infosec.exchange Hey uh
Brian

Rq
can i have access to your contacts list

Das

@briankrebs as far as possible I try not to use an app if there is a website/browser version, and not to give access to my contact list or address book to some stranger

RubeWOW LLC

@briankrebs mastodon doesn't want the contact information of the other people who believe in Jewish space lasers and Chinese moon bases

Magenta Rocks

@briankrebs

I have been very fortunate my friends and family have not done this to me except for once early on with LinkedIn. I'm actually surprised they all have not done so.
