Huan Truong

Notes from a developer


Thoughts on service abuse prevention by phone numbers

Lately, I see a trend of services, such as Gmail, requiring users to verify phone numbers in order to register. Giving Google (and many other services that do it) the benefit of the doubt, I think the requirement exists because phone numbers seem to be a pretty good proxy for preventing service abuse. Phone numbers are a limited resource, yet they are practically free for almost everyone. An abusive person can't easily or cheaply get a lot of new numbers once their numbers are banned. However, one of the (unintended?) consequences of requiring a phone number for an account is the entanglement of a single account with a single phone number, and thus a single person.

About 10-15 years ago, I had the opportunity to administer and maintain one rather curious Vietnamese-speaking web-based bulletin board which had hundreds of active members every day at its height. It was a lighthearted hangout place much like Something Awful. The bulletin board was an attraction to several kinds of people: students studying abroad as well as domestic writers, artists, and intellectuals. They shared several characteristics: they had lots of time and loved to write. There are several reasons for that. Before smartphones and Facebook became ubiquitous, many students studying abroad were rather lonely and bored. Imagine being the only student from your country, trapped in a dorm room on a cold, quiet winter day – you'd want to go online to write and look for some shared human sympathy. In fact, there have been writers, translators, and books coming in and out from people hanging out in that little hole. In addition to that, because the internet in Vietnam wasn't widely available until about 2010 or so, the unaffordability of an internet connection and the unfriendliness of computers were sort of a natural filter for the more intelligent kinds. In general, even though the registration was free for all, we didn't have many people spamming things, shilling for products, saying disgusting things, etc. We only had to deal with bots, which could be kept under control by CAPTCHAs.

But… the trouble came from rather clever people having a lot of time at their disposal. People tried a lot of clever tricks to be entertained, many of which could be categorized as abuse today. It amazed me how far people were willing to go, even without any commercial intention. There are many more issues, but I hope to give you a taste of what it used to be.

Some would register tens of different nicknames on the board. They would then use different nicknames depending on their mood each day. Some would go on a topic and debate with their own selves. Some would log on to different nicknames to reply to their own posts to approve of their argument and boost their popularity (we have a phrase for that kind of self-promotion/shilling: "fondling with your own balls"). The other extreme is that half a dozen people who knew each other IRL would share one account and act as one person. Sometimes a nickname whose posts hinted at a young female study-abroad student could actually be a student, a journalist, a photographer, and a schizophrenic poet – all using the same pseudonym. We would have to figure out if they were fictitious or not. We would have to decide whether to ban them all based on a post that one of them made that violated a certain rule. If we decided to ban the nickname, for how long – did we want them, or any of them, to return or not? And there were people who shared a pool of nicknames, too, creating a many-to-many mapping.

Some were OCD about posting. They would not violate any rule but would create an obscene amount of pointless posts about just random topics. I have heard that one of the people who did that was a bored bachelor guy working in IT, who was well paid and had a lot of free time at work. He would be banned and would register another nickname on another IP from another country and appear to be another person. After a day or two, it would become apparent that the new member was "that guy" and we would ban him again. After a while, it drove us insane and we decided to create a separate, designated shitposting forum for those people, where he could post whatever he liked. There were several people who came and went like him. It actually worked: the "disciplined" people were happy in their boxes and we were happy we didn't have to delete their posts or ban them.

What I learned from the experience of administering that little bulletin board was that there were a lot of intricate details to what constitutes an abuse of service and how to deal with abuse. Account abuse and spamming existed then and they are scary now, but is tying one account to one person the only way out? Nowadays, when approaching the idea of our online accounts, we often base our assumption on one account representing one identity: a person or a company. That way, it is easier to control people whom we don't want. We don't want the person to keep coming back, so we ask our users to verify phone numbers, which they can't easily change.

But I tend to think that what we want to tie to an account online and how we do it influence how people react. Maybe the way it happened with the bulletin board was just an accident, an artifact of the limitations we had, but I'm convinced that many wonderful things would not have happened if we had had that one-account-to-one-identity assumption. I tend to agree with how moot put it, "Google and Facebook would have you believe that you're a mirror, but in fact, we're more like diamonds." – multi-faceted. It does not mean that we all have to be anons, but I really hate to see that now I'd be seen as unusual or suspicious if I don't tie myself to only that account.

I understand that Google nowadays, for example, is just dealing with abuse on a global scale, with people in real life who actually have ill intentions. We can't control spammers if we trust everyone by default, and for that, a phone number is a relatively good, free, not-too-invasive solution. But maybe we can verify it differently for folks who would like to prove their legitimacy and good intentions without disclosing their phone numbers. Maybe allow them to make a bitcoin transaction of a non-trivial amount (say, $5), which you then donate to a charity?

I'd like to hear everyone's thoughts on this.