by openknot 1463 days ago
Not to defend the practice (because your case is a false positive for a new account), but rather to speculate on why your account was banned, it's likely due to an increase in impersonation on Instagram recently.

In other words, some accounts steal the pictures of real people and then send follow requests to friends, and try to get them to tap on links that can give the bad actor access to the friends' accounts or buy cryptocurrencies. It's been spiking recently over the past couple of months (one case in a Canadian news article at: https://www.cbc.ca/news/canada/manitoba/instagram-photos-sto...), with other prominent cases documented in the past (2019: https://www.cnbc.com/2019/09/24/how-i-stopped-someone-impers... and 2021: https://www.cnbc.com/2021/12/14/instagram-accounts-created-w...). Bleeping Computer published a deeper article on the most recent ongoing spike (describing the crypto and Onlyfans scams): https://www.bleepingcomputer.com/news/security/instagrams-da...

This doesn't justify at all the permanent deactivation of your completely new account, but just for curiosity's sake, I speculate that this is the reason your new account was banned (overly high security sensitivity on Instagram's end, due to a recent spike in false accounts that impersonate real people, to encourage others to buy cryptocurrency and/or click malicious links).


And ironically, good security hygiene makes you look like a bad actor. While this "verification" is intrusive and unreasonable - I'm not defending it - often the root is creating an account from a VPN, or with minimal browser fingerprinting allowed, etc. An average user who doesn't take any precautions is likely to have a substantial activity profile already associated to their IP / cookies / etc. But run through a VPN? You trigger all the fraud checks. Use private browsing? Trigger all the fraud checks and hope you like filling out CAPTCHAs constantly on top of that. Tor? Likely to be blocked completely.

Seasoning fake accounts in realistic ways mostly isn't worth the effort, because bad actors can just compromise real accounts and use those instead. (There are some specific use cases, mostly with nation-state actors, where seasoned and aged fake accounts might make sense, but those are unusual.)

VPN is definitely one trigger. A friend with a completely genuine and tame account got blocked for months and the only non-standard thing he did was access it via a VPN.

Unfortunately, the non-spammers using VPNs are unlikely to be desirable users (high level of contribution, receptive to ads) so might be seen as acceptable collateral damage.

I registered in normal browsing mode using the brave browser and no VPN.

If I were you, I'd use Google Chrome on Windows next. Surely this shouldn't really matter but... (throwing hands up)

Um, you do realize that photographs don't actually take your soul right?
This particular scheme has been a ridiculous plague among my circle of friends on instagram recently. People create accounts mimicking an existing user, add an underscore at the end of the username, and then spam follow requests to all of their connections. Most people get a notification from someone they know, and they accept it without even thinking about it. It is insanely effective.

Reporting the accounts for impersonation seems to do nothing; Instagram's responses to the support requests even say they don't have enough people to look at all of them, and so they didn't.

Yeah, unfortunately multiple reports of the impersonator's account don't work in practice, even though they really should. Another source confirming this is from the Bleeping Computer article (source: https://www.bleepingcomputer.com/news/security/instagrams-da...).

I read that the fastest way to take down the account is for the person getting impersonated to fill out a form (via Instagram's help page at https://help.instagram.com/370054663112398), which unfortunately requires a picture of the person's driver's license/government-issued ID.

> which unfortunately requires a picture of the person's driver's license/government-issued ID.

They should move to something like IRMA (1). This would ensure they don't get data except for the government's certification that you're really who you claim to be.

(1) https://privacybydesign.foundation/irma-en/

Works great for any government as long as your government is the Netherlands.

> requires a picture of the person's driver's license/government-issued ID.

I have no idea whether or not it is illegal to ask for this, but it is generally considered dangerous to send photos of your state ID.

Not quite the same thing but it's quite common for hotels (in Europe in particular) to make a copy of your passport, for auto dealerships (at least in the US) to make a copy of your driver's license for a test drive, and many many other situations. I'm sure I'm forgetting lots of other cases. (And Twitter requires it for verified accounts.)
Is this a US thing related to identity theft, or is there a deeper reason?

It's usually an identity theft thing, because if I have all the information on your state ID I can make a copy that would be good enough for ... getting access to your instagram account I guess.

It's pretty hard to fake an ID in physical form, but one good enough for a webcam photo shouldn't be too hard.

I just got my passport renewed.

The new US passport is pretty crazy. The photo page appears to be one giant NFC chip. The picture is barely visible. I suspect that it is meant to be inserted into some kind of reader machine, that will display a high-resolution version to the Customs agent.

Facebook/Meta has how many thousands of general engineers, AI specialists, and massive amounts of hardware at their disposal, and they can't solve this in a more practical way?

Pushing their problems down to the user in this way feels shitty, at best.

Yes they have engineers but they're all nearsighted, uncreative and high hubris engineers with little to no empathy.

"Pushing their problems down to the user in this way feels shitty, at best ..."

You've identified exactly what is going on.

Platforms such as this are facing a brutal, relentless scam/spam onslaught and I think we can conclude that no, in fact, they do not have an elegant solution to it.

The closest things I have seen to real, elegant solutions to this problem are:

1) metafilter charging $5 per new registration - I think you can send them a five dollar bill

2) lobste.rs with their chained/linked account referral which puts the cost on the referrer and introduces some personal responsibility for new signups, etc.

The common solution is to demand a SIM identity - any SIM identity - "for your protection". That's the best solution they have come up with - any functioning truly mobile number (backed by a SIM card, not VOIP) is enough sand in the gears to slow down the onslaught ...

Not if you are constantly attacked by millions of scammers, bot nets and government-sponsored info-terrorists.

Same people that complain in this post about overzealous verification, will complain in another post about misinformation and propaganda.

I don’t buy that excuse.

If they cannot adequately protect against these scenarios they really should not be trying to collect and monetize so much granular user data. Clearly the organization is incapable of operating what they have built.

The reality, IMO, is that it is just not financially worthwhile for them to give a shit. People will jump through hoops for stupid validation purposes because they want access. Why spend engineering time solving a problem that is more easily handled by inconveniencing your users.

Your very insightful last paragraph makes the preceding ones an unnecessary appeal to high mindedness. They absolutely should be collecting granular user data if the user and the jurisdiction is willing to let them, and it makes them money. They absolutely are capable of operating what they've built if they're financially healthy despite being a dark pit of nothingness to randomly fucked users. Not prioritizing users can work as a business model for some time. Maybe that's the time horizon their shareholders care about. Don't judge.

> Same people that complain in this post about overzealous verification, will complain in another post about misinformation and propaganda.

A bit tangential but actually I suspect those are nearly disjoint sets. In my experience the people who complain about misinformation and propaganda are okay with identity verification and censorship while those that want privacy (such as myself) typically dislike censorship and don't want a central authority getting involved to judge whether something is misinformation.

It largely comes down to trust in authority and centralized versus decentralized system design.

This particular scam sounds like it ought to be relatively easy to algorithmically detect (high degree of similarity with a particular account name plus high volume of friend requests to that account name's friends). I guess you'll flag up a few false positives (family members with different initial.firstname accounts who naturally share circles of friends) but not many compared with heuristics involving user agents and geolocations and email providers and not-having-Facebook
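A sketch of the detection heuristic the comment above proposes, as an added example that is not part of the thread and not Instagram's own logic: it flags an account only when its handle is a near-copy of the target (covering the trailing-underscore trick mentioned earlier in the thread) AND it is mass-requesting the target's follower circle, so a relative with a similar handle and a few shared friends is not flagged. All accounts, circles and thresholds are constructed sample values.

```python
from difflib import SequenceMatcher

# Constructed sample data (not from the thread): the impersonated account's
# follower circle, and the follow requests each suspect account has sent.
TARGET = "jane.doe"
TARGET_CIRCLE = {"amy", "bob", "carl", "dina", "eve", "frank"}
SENT_REQUESTS = {
    "jane.doe_": {"amy", "bob", "carl", "dina", "eve"},  # clone: name + '_', spams the circle
    "j.doe": {"amy", "bob", "zed"},                      # relative with a similar handle
    "randomguy": {"bob", "xyz", "qrs"},                  # unrelated account that knows bob
}

def normalize(handle: str) -> str:
    """Strip the cheap disguises (case, trailing '_' or '.') before comparing."""
    return handle.lower().rstrip("_.")

def name_similarity(a: str, b: str) -> float:
    """0..1 similarity of two handles after normalisation (1.0 = same name)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def circle_overlap(requests: set, circle: set) -> float:
    """Fraction of an account's follow requests aimed at the target's circle."""
    return len(requests & circle) / len(requests) if requests else 0.0

def score_suspects(target, circle, sent_requests,
                   name_thr=0.8, overlap_thr=0.6, min_requests=3):
    """Return {handle: (similarity, overlap, flagged)} for every suspect.

    Both signals must fire: a look-alike name alone (a relative) or a busy
    requester alone (a popular account) is not enough to flag."""
    result = {}
    for handle, reqs in sent_requests.items():
        if handle == target:
            continue
        sim = name_similarity(handle, target)
        ovl = circle_overlap(reqs, circle)
        flagged = sim >= name_thr and ovl >= overlap_thr and len(reqs) >= min_requests
        result[handle] = (round(sim, 3), round(ovl, 3), flagged)
    return result

def flagged_impersonators(target, circle, sent_requests) -> set:
    """Handles that trip all three conditions for the given target."""
    scores = score_suspects(target, circle, sent_requests)
    return {h for h, (_, _, flagged) in scores.items() if flagged}

if __name__ == "__main__":
    for handle, row in score_suspects(TARGET, TARGET_CIRCLE, SENT_REQUESTS).items():
        print(handle, row)
```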
> In other words, some accounts steal the pictures of real people and then send follow requests to friends, and try to get them to tap on links that can give the bad actor access to the friends' accounts or buy cryptocurrencies.

How would me sending them a picture change that when it says right in the email that:

> Even if this account does not contain any pictures of yourself or it represents somebody or something else, we can only help you when we receive a picture of you which fulfills these criteria.

So I can send Instagram a real picture and post someone else's picture all over the account.

> How would me sending them a picture change that

It doesn't. It's just a barrier that inconveniences low effort scammers. Most scammers don't want to associate their face with their scams, and/or they aren't skilled enough to photoshop some other photo. Instagram is overwhelmed with garbage and it's logical to 80/20 rule as much as they can.

Are you sure that you can just send in a picture? Had this happen recently and I had to install the iOS app and then the app took video of me with the front facing camera.

I think my account was flagged because I follow a lot of people but I don't have a profile picture, never post anything, and I only use the web app (and sometimes from a "suspicious" OS named Linux) so basically I look like a follow-bot.

This impersonation is only really useful when one person can create multiple fake accounts.

If Facebook can simply run image comparison between the face used and other accounts while knowing that picture isn’t copied from elsewhere because it includes their onetime key it could prevent duplicate accounts.

In practice I doubt it’s more effective than a new CAPTCHA.

Not to mention that scammers are relatively unlikely to want to show their face for ID purposes even if it's their only account (whereas ordinary people that want to join a service for posting pictures of themselves on the Internet generally don't mind), especially not when there's a wide world of other scams they can be getting on with that don't involve showing their face.

> This doesn't justify at all the permanent deactivation of your completely new account

It's hilarious that I'm reading this comment right before an article from the EFF titled, "Facebook says Apple is Too Powerful. They're Right." How refreshing it would be if Facebook bothered to say, "Meta is too powerful."

It has been [27] years since the tech industry started looking for a good solution to spam and fraud. Although my sister just freaked out over a phone call from someone claiming to be a tax collector, so it's not just the Internet with this problem.

A practice dating back to MySpace, or even before it.

Facebook used to do the same "yo wait, you need to send us a photo of yourself to verify the account". You could send... any selfies, even ones already uploaded to the account.

The people or algos doing the verification didn't give a fuck/weren't advanced enough and the accounts could be verified with a high success rate, you could even retry with different photos.

Maybe they improved that.

That was when I stopped using Facebook. Facebook had a single edited photo of me that (at the time) was 10 years old, and I didn't care to give them another. I decided that I didn't use Facebook enough to care, so I just stopped. One of these days I need to go in and officially delete my account.