Google shared my phone number
462 luu 167 5/26/2025, 5:34:38 AM danq.me ↗
I don't think it's unexpected when you use one phone number as both personal and business number.
Initially I still felt like it wasn't correct of Google to publish this as public phone number, but I think Google Play clearly asked what phone number customers can use to contact you.
And then one day they decided to publish the one I'd given them for an identity check... in search results. I don't yet know why.
Since it was published by you as public contact information for your business on Google, either a customer or one of the contractors Google employs to update phone numbers in Maps listings then added it to Maps.
My post was about the Business Profile one. Which started (seemingly randomly) containing the same phone number.
Honestly, this policy seems absolutely backwards to me. I'm fine for customers to contact me via e-mail or my website, but why do Google get to suddenly mandate that I need to provide 24/7 global phone support to anyone (who doesn't even need to be my customer)?
But none of them (except the Google Play one, which I'm fixing) are associated with the business or were provided for the purpose of sharing when people search for a business that I happen to be involved with!
(I'm sure you wouldn't want your phone number to turn up every time anybody searched for your employer, even if you were happy for your phone number to appear on your personal website, right?)
I'm not claiming that my personal phone number shouldn't be online anywhere. There are plenty of places it's pretty easy to find!
I'm just saying that I didn't put my personal phone number onto a public Business Profile (only providing it for identity verification, many years ago). But then, randomly, one day Google decided to start publishing it to anybody who searched for that company name.
One day my neighbor called me, and I had not registered his number, so Samsung shows "<his name> GRINDER", because someone else had him like that in their contacts ^^.
He was openly gay within the neighborhood but he was also working as some sales representative for real estate and he was not exactly happy when I told him Samsung was broadcasting his sexual orientation to unknown people he would call >< (not to mention he told me he hadn't used Grinder in like 7 years).
That doesn't really sound like it was any user's input.
Didn't some food delivery service get their own phone numbers listed for various restaurants a few years ago?
If they are registered, the request goes to the business owner to approve in my experience. We used to get lots of phantom requests telling us our opening hours had changed but if you're registered you can just decline them.
Local Guides are ordinary unpaid Google accounts who submit reviews, photos, and other edits as I’ve detailed here. We are sometimes prompted to answer questions, but only with a blank to fill in.
https://support.google.com/maps/answer/7084895?hl=en
Google says "We review all the edits you make."
Google Maps actually processes historical data about how busy the location is throughout the hours and each day of the week.
You can find this rendered as a little bar graph with a blurb describing the current estimate.
This is believed to be aggregated from everyone’s Android devices reporting their locations in a very small radius.
Also, Maps asks its users to answer extended questions about amenities. Such as: parking types, accessibility features, kid-friendly, vegan/vegetarian.
When I am on board a bus or light rail train, there is information about how full it is, what temperature, accessibility, etc. They are tracked in real time because the transit authority shares their live telemetry with Google. Once, Google had demonstrably wrong schedule information and I discovered that it reflected the official website’s version. (It was reporting every train canceled, but they were actually running.)
When I worked in an office in 2012, we were trying to get our arms around various listings in 3rd party "Yellow Pages" publications, on paper and online. It seems that compiling business listings has been around a long time. And every business needs a Social Media manager to be aware of their footprint and manage multiple sites like this. Yelp, TripAdvisor, you name it.
Laws are useless when you live in a country that doesn't care about enforcing them.
A few years ago I worked for a company that no longer exists today. They had, among other things, a job search service connected to their ID system. I was also doing my own project at the same time and needed Python developers. I was young and naive and thought I could find a junior and train him quickly. So I posted a vacancy on this job board: "Looking for a Python developer without experience." It turned out that they showed my phone number and it couldn't be turned off.
I received about 3-4 calls from very strange people who demanded to know how to become programmers. For some reason, they all started calling at about 5am. I even gave some useful advice to the first one, because I was taken aback by such impudence.
Today I use about 4 different phone numbers to separate my private life and data leaks like that.
My guess is the reason is they're from one particular geographical area, where 5am your time is their "start of business day" o'clock?
I wonder what geographical area that is.
In Germany, lieferando (subsidiary of takeaway.com) registers domains in the form of restaurantname-city.de, points them to their lieferando cloudflare account, and claims ownership for the google business entry where they set the phone number to their own call center.
Then they call the business owner and _force them_ to sign the contract with them, because effectively the owner knows they cannot be found anymore via google, and everyone that wants to order something will reach the call center hotline and leave a negative review after the hotline tells them wrong number, effectively destroying their business. And the people working for lieferando via Zeitarbeitsfirmen know this, and mention this in the call to pressure the restaurant owners to get their sales provision.
Crimeflare before it got taken down had around 130k domains that were pointing to the lieferando website using this kind of scheme, I helped provide the dataset for a couple of local business owners that were extorted this way and refused to abide by that scheme.
Guess what happened, nobody could be sued and the financial damages were too small to escalate it on the European court level. Sadly, class-action lawsuits don't work the same way as in the US, apparently.
Effectively Google does not abide by the laws and gets away with it due to their financial structures of their holding companies.
And they certainly know about this, they just don't give a single fvck.
I remember a growing amount of articles and on-line discussions about restaurants being extorted this way; then the pandemic came and removed the need for extortion by making delivery necessary for restaurants' survival. It's probably why the whole thing isn't talked about anymore these days.
It is absolutely insane that organizations are weaponizing this.
> Doesn't Google have any way to dispute the business ownership?
I can only speak for the US and it’s been a few years since I’ve done it, but yes Google does have a way. You can report an issue, and “claim” a business. Google will literally send a postcard with a unique ID to the registered physical address, and whoever gets that postcard can take ownership.
> Can I take over any business on the maps by just registering a domain that contains the business name?
Absolutely not (at least legally I assume). It’s probably trademark infringement and potentially fraud to misrepresent that business, and also Google has other methods to verify ownership (see above).
When you say "registered address", do you mean the actual business registered address (as in on Companies House in the UK, for example) or the address which was used to register the business with Google? Because if it's the latter, I think I see a problem ...
Believe it or not, someone spent at least a few hours thinking about this.
The address is the physical address that a customer would go to when they look up the business on the map. If it's a restaurant, it's the address that has the tables and food and drinks.
If the address is different than the address of the shop-owner, then how would a user who uses google maps get to the shop? And why wouldn't the shop owner just create a new, correct listing?
I reported it, of course, (as someone else mentioned, Suggest an Edit) and they got changed, but I haven't checked to see if he changed them back.
yes, as long as the business doesn't have that already. And that's the point - many small restaurants, takeaways etc simply don't have a website because they think they don't need one, until they're fucked by Lieferando.
Plus, many restaurant owners are immigrants, and undocumented/underpaid labor is blooming as well. The last thing they want is to attract the eyes of the government.
Their entire business model seems to be centered around extorting businesses. I stopped giving them money after they inaccurately posted that a certain restaurant delivers to my location and got a phonecall from the place that this was the case so I agreed to pay extra to fulfill the order anyway, because Lieferando certainly wouldn't take responsibility.
Nowadays I use them only for discovery, but call the place directly or use the webpage if the business provides online ordering.
It appears that their initial value proposition to businesses was substituting delivery services so that restaurants could scale that up without hiring more staff. Of course enshittification made that service worse than just walking/driving/taking public transport there.
So the real number of those domains is likely to be much much larger if you would have the same dataset like crimeflare had. You can find articles about it with the keyword "Schattenwebsites lieferando" because that's what the press seems to have settled on. Different press teams counted different amount of websites because of that. Another team where I knew people from the CCC that helped them confirmed the 120k number though.
Our final number in Q4 of 2021 was 130k domains that we found out about, and we were trying to contact a bunch of other business owners to be able to escalate the lawsuit onto the Landsgerichtsebene (so that it can go into the Bundesgerichtshofsebene afterwards, and then to the EU court).
[1] https://www.stern.de/wirtschaft/lieferando-lockt-kundschaft-...
[2] https://notizlo.ch/wie-man-gegen-lieferando-domains-arbeitet...
[3] https://t3n.de/news/lieferando-restaurants-schattenwebsites-...
[4] https://www.trendingtopics.eu/lieferando-provisionszahlungen...
[5] https://www.deutschlandfunknova.de/beitrag/schattenwebseiten...
It seems like Lieferando is the problem here. How come that company is still in business? It seems like obvious identity theft to me, if anything Google is only guilty of trusting Lieferando too much.
> There's no such thing as identity theft, it's all bank fraud or in this case student aid fraud. "Identity theft" is a term coined by banks to try to make it sound like random people should have to deal with the fallout of the banks' bad identity verification practices.
https://news.ycombinator.com/item?id=43923179
In this case, the ”identity theft” happens because Google trusts someone they shouldn’t. If they didn’t, the scam wouldn’t be possible. Yes, the scammer is the problem, but Google are providing them the opportunity, and leave it to each victim to deal with the situation.
"Beware of scammers!!!111!". No, _you_ beware of scammers, that's what I pay you for.
Extortion.
[0]: https://en.wikipedia.org/wiki/Unregistered_trademark
I guess there might not be an equivalent in Germany.
> Strafgesetzbuch (StGB)
> § 263 Betrug
> (1) Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er durch Vorspiegelung falscher oder durch Entstellung oder Unterdrückung wahrer Tatsachen einen Irrtum erregt oder unterhält, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.
> (2) Der Versuch ist strafbar.
> [...]
> (5) Mit Freiheitsstrafe von einem Jahr bis zu zehn Jahren, in minder schweren Fällen mit Freiheitsstrafe von sechs Monaten bis zu fünf Jahren wird bestraft, wer den Betrug als Mitglied einer Bande, die sich zur fortgesetzten Begehung von Straftaten nach den §§ 263 bis 264 oder 267 bis 269 verbunden hat, gewerbsmäßig begeht.
> § 263a Computerbetrug
> (1) Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er das Ergebnis eines Datenverarbeitungsvorgangs durch unrichtige Gestaltung des Programms, durch Verwendung unrichtiger oder unvollständiger Daten, durch unbefugte Verwendung von Daten oder sonst durch unbefugte Einwirkung auf den Ablauf beeinflußt, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.
> [...]
My rough translations:
> Book of criminal law
> § 263 Fraud
> (1) Everyone who, with the intent to create an illegal estate gain for himself or a third party, diminishes the estate of another through the presentation of untrue facts, or the misrepresentation or suppression of true facts to create or sustain an error, shall be punished by incarceration up to 5 years or monetary penalty.
> (2) The attempt is punishable.
> [...]
> (5) With incarceration from one to ten years, in cases of minor severity from six months to five years, shall be punished whoever commits the fraud as the member of a gang, which has banded together to continuously commit crimes as in §263-264 and 267-269, in a business-like fashion.
> § 263a Computer Fraud
> (1) Everyone who, with the intent to create an illegal estate gain for himself or a third party, diminishes the estate of another by influencing the result of a data processing operation through incorrect design of the program, use of incorrect or incomplete data, through unauthorized use of data or through other unauthorized influence upon the operation, shall be punished by incarceration up to five years or monetary penalty.
This is a government-level issue. It's a clear breach of GDPR, but I get the feeling this guy is in America.
Under US law I can see a few different things that would make the Lieferando behavior you describe illegal, whereas all Google is doing is being the unwitting vector for their illegal activity.
It's always more difficult to pin fault for a crime on unwitting enablers even when their negligence arguably rises to the level of a crime. The big question here is why businesses haven't successfully fought back against the ones doing the actual crime?
Applying Occam's Razor here, the explanation given in the post seems like possibly the least likely option.
One way to shed some light on this would be to use Takeout to get a copy of data held and see if they still have the number and what they hold it for.
If it was your personal account, I really don't see how a personal verification ends up on a business account. I'm not saying it's not possible, but it seems like it would introduce extremely bad data. I've verified my phone number, but (personal speculation) I doubt Google would want my number showing up on my employer's business profile.
If it was for your business account... I can see how that would be unexpected, but also the point of verifying that would I guess be to increase the level of trust that customers could have in the business based on it being verified, and I can see how that might lead to that number being public. It also sounds like this is what you did with Play too, and as a user I would expect that Play's company data aligns with data on Google Search.
I can empathise with the shock here, I've had people call me up from google searches and finding my number on my CV, but I am struggling to find a link here that doesn't make sense.
I wanted to take control of the Google Business Profile (back then: Google My Business) listing. To do that, Google asked for a phone number they could call. I provided one, and then double-checked that they hadn't put it on the public profile (they hadn't).
They emailed me about once a year after that to suggest that I might like to put a phone number on the business profile. I declined. But I always checked, and sure enough: they hadn't put one on there. All was good.
Then one day, randomly, my phone number started appearing on the public profile/being served to search users. That's the whole story here.
I don't yet know how or why it started appearing. A few ideas have been posed here and elsewhere, including:
1. Some runaway automated process at Google, trying to "fix" the absence of a business phone number, took the one that was previously used to ID the business contact. (Some folks seem to think that this is what I'm claiming happened, but I'm only putting it forward as a possibility.)
2. Google "joined the dots" from the Google Play profile and the Google Business Profile. This currently seems like the most-likely explanation, to me. I'm getting the former corrected anyway; we'll see what comes out of it.
3. Some third-party Google user added it. That seems possible, but in my experience once you've verified and own a Google Business Profile, you get an email to confirm any "suggested changes" and I didn't see any such email.
4. Some kind of user error by me or by somebody else who has access to the profile. I obviously can't rule this out, but I've checked and I personally haven't even logged into it in over a year (and I've had emails since that confirm that a phone number wasn't listed), so it seems unlikely. Also, the message said that Google had updated the phone number (not me).
I have to be careful about what I say, and very much cannot say in this case, nor do I know anything specific to the business profile area, but my experience of data at Google is that one does not simply join a table and fill in the blanks. In my experience there's a lot of privacy and legal review, and that's only after someone thinks it would be a good product idea (which in this case feels unlikely). At a technical level, there are many safety checks that are intended to prevent things like this from happening unless all that review and sign-off has happened.
There should be laws against this sort of thing.
https://www.google.com/search?q=Three+Rings+CIC&hl=en#irp=ph
This is probably linked to the process for Search. It's called "crowdsourcing".
https://support.google.com/business/answer/3038311
The article mentions having control of the Google Business Profile. It was sometimes called "Google My Business". You can register and verify that you're the owner, and then you'll have tools to reply to reviews and manage your own Maps entry, etc.
https://business.google.com/us/business-profile/
That number isn't mine, and will never belong to anybody!
Love it.
But sometimes I've done the same thing in other places and gone further, sometimes concealing "fun" messages. In my post about Halifax putting the wrong names on a letter to me (https://danq.me/halifax-dun-goofed), I changed my address to a message along the lines of "what, you think I'd put my actual address here, like it's my first day on the Internet" and then blurred that.
Incidentally, I think that one was the first time that anybody contacted me to say that they'd noticed the unblurrability of my images, but I've been using this approach for years!
It's like how they blur nipples on TV. We all know what nipples look like! But they're blurred to say "yeah, but maybe you shouldn't be looking".
Blurring makes sense as a way to say "this is private". It's almost lampshading, in this case, because it's the bit I want you to look at!
But blurring doesn't make sense from a privacy perspective, because unblurring is pretty easy. So I modified the number to a known-fake, will-never-be-valid one.
But if I just did that, people would probably try to call it, or would say "but you've put it back online here", or similar. Or else would say "that number's fake anyway, why are you worried?". Blurring it as well achieved the best of all worlds: it lampshades the bit I'm talking about, and it indicates that the kind of data stored there should be considered private, and it prevents the actual extraction of the (real) private data from the image. Win, win, win.
Unless the question "why bother" was to imply that blurring was hard to do? Because it definitely wasn't. Changing the number took much more effort! The blur was just two clicks; significantly less effort than, say, explaining why I chose to do so! :-D
And yes, your comments re blur have plenty of precedent.
But in this instance, it’s trivially easy to read the numbers even without any fancy software.
@author, if your reason for blurring was to protect your identity, then you should update that image asap because you’re not succeeding at hiding your number.
In that case, the developer provided Google with a way for Three Rings customers to reach them and they then published that number.
I don't know why the app's developers decided to use their personal phone number for their Google Play business contact information, but that seems like the most reasonable explanation to me.
If the author did not provide that phone number to Google Play, then he will need to also update his information there to get the phone number delisted, or it will be a matter of time before it appears on the Google Search page again.
During my consultation, the team I was helping kept talking about "Our App", "Our Process", "Our Use", "How do we get this data into our System?" I had to ask them multiple times, "How do your users or customers outside of your company use them?" "Have you thought of how people usually do these kinds of steps?"
On a day off work, I got a cold call to my personal mobile. This salesperson called me by my name and then tried to flog something relevant to my job. Being hugely irritated, I shared my thoughts with the caller and demanded to know where they'd found my number. They were at least a little bit apologetic, and said they found it on LinkedIn using a plugin called "Lusha".
Lusha's website has claims about being GDPR compliant, but at the same time being a "crowdsourced data community". They do at least publish a "Privacy Policy" and some contact details for a data controller.
I emailed them with a Subject Access Request, which they responded to two weeks later in a very cagey manner. Actually, I did some sleuthing of my own. I found an unlisted link for a broken OneTrust request form. This didn't seem to be linked anywhere on the website and I literally guessed the URL for it. After some poking around in the debugging console, I received a more fully furnished copy of my profile.
The data source for my email was... "Lusha's email guess algorithm" - now, one of the downsides of working for a small business and getting a firstname@domain.com is that guessing it isn't particularly difficult.
The data source for my phone number was more interesting. "L.S Mobile Apps Holdings Ltd." a company I'd never heard of, but eventually found an App Store[0] and Play Store[1] listing under a very similar name.
Looking at the apps published by this company, you can immediately see where this is going: a "Caller ID" and an even more transparent "Contacts Backup" app - both having complete access to all your contacts. At this point it becomes clear where my contact information has actually come from: someone I probably work with has created a contact in their phone with both my email and personal phone number, then used one or two of these apps.
I decided to pick the Contacts backup app to take a closer look. Installing the app on a wiped phone, I explored the UI, disassembled code and snooped the requests to their servers to see where exactly this mysterious "GDPR Compliance" was. The primary functionality is of course to create an account, upload all your contacts, and let you sign in on another phone to download them. There was some effort to make this work for most users, workarounds for edge cases, etc. It was more than the low-effort app I was expecting.
All the sharing functionality was checked behind a "consent" dialogue (and I use that term extremely loosely). The deal was that app would helpfully hydrate my entire contacts book with missing details! All I had to do was share it in turn. What I found peculiar about this was it simply didn't work. It seemed as though not only would the server not populate the missing data, but the code that handled this client-side was unfinished.
If you're wondering what the link between Lusha & L.S Mobile Apps is, they're effectively the same company. Yoni Tserruya, the co-founder of Lusha, has their fingerprints all over the certificates used to sign the Android LSM Apps. It's clear this app's data is what they've built their company on.
Now, both Google and Apple are well known to display "Data Sharing" information as part of the store pages. The Play Store page explicitly says "No data shared with third parties", whereas the App Store omits the usual section you'd see when data is shared with third parties.
I contacted both Apple and Google with full details about what I'd found, and in the least surprising event to my saga, they did nothing.
Sadly, instead of having any satisfying conclusion, what I saw was what I already knew. I even got angry when reading their privacy policy, and how completely clear it is that all this "GDPR Compliance" labelling they have is there to sell their product to EU customers and they're clearly not compliant.
Here's some ragebait for the rest of HN who cares about their data:
- French DPA (CNIL) says Lusha is full of shit, but they can't do anything because they're based in Israel[2]
- Lusha doesn't think consent is important[3]
I’d really rather not provide it. But we don’t have many good options to demonstrate you’re a real human to computer systems.
Related submission: https://news.ycombinator.com/item?id=44084677
Meanwhile people who actually want privacy get screwed, because the spammer's account is going to get banned for spamming in less than a month either way, but a normal user would want to keep the same account indefinitely, and then the site demands that they keep access to the same phone number indefinitely. So then the honest users are stuck paying a monthly fee at the retail rate for a separate phone number for each service in order to avoid giving them all the same phone number to correlate with you. Whereas the spammers pay the wholesale rate once and then more than break even.
The anti-spam value of phone number verification is not just zero but actually negative. Its purpose is to harvest phone numbers from honest people for mass surveillance, and anyone requiring it is making the spam problem worse.
Do you have any ideas against bots, or perhaps even spam? Or do we even need any verification to begin with? There are ways to prevent both, at different layers, but I am not sure what would be the best way, especially something that does not sacrifice privacy.
But then banning spammers and bots gets a lot easier because it becomes trivial to trace where they got their invite codes and then shut off that account's ability to give them any more, and you have something to investigate if you see large numbers of accounts getting invite codes from the same account.
They can also be used as an alternative to other forms of verification. So to create an account you can either get an invite code, or provide something even more scarce than a phone number, like payment info. Either you have an invite code or you pay $5. Then most people don't have to pay anything because they get a code, people who want in but don't know anyone there yet can pay a nominal fee, and the spammers and bots can't easily do either of these things at scale.
The nice thing about payments is that it makes an excellent fallback option, because spammers can't use it. It's not even about identifying the user, you can accept cryptocurrency and allow them to stay anonymous because someone who is going to have their account banned after only a few hours regardless can't invest even $5 in it, so it's about the money rather than the identity. And then it's not supposed to be the default option, but it can exist as an option for anyone the other options aren't working for.
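The invite-code tracing described in the comments above, as an added example that is not part of the original thread: a ledger that records who invited whom, revokes an inviter's codes when one of their invitees is banned for spam, and lists accounts whose invite fan-out is worth investigating. The class, method names, account names and threshold are all assumptions made for illustration.

```python
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    name: str
    invited_by: Optional[str]  # None means the account used the paid fallback
    banned: bool = False
    can_invite: bool = True


class InviteLedger:
    """Hypothetical ledger: records who invited whom so a ban can be traced."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.unused_codes: dict[str, str] = {}  # code -> issuing account

    def _add(self, acct: Account) -> Account:
        if acct.name in self.accounts:
            raise ValueError(f"account {acct.name!r} already exists")
        self.accounts[acct.name] = acct
        return acct

    def _void_codes(self, issuer: str) -> None:
        # Outstanding codes must die with the privilege, or revocation is moot.
        for code in [c for c, who in self.unused_codes.items() if who == issuer]:
            del self.unused_codes[code]

    def register_paid(self, name: str) -> Account:
        # Fallback path from the thread: no invite code, nominal payment instead.
        return self._add(Account(name, invited_by=None))

    def issue_code(self, issuer: str) -> str:
        acct = self.accounts[issuer]
        if acct.banned or not acct.can_invite:
            raise PermissionError(f"{issuer} may not issue invite codes")
        code = secrets.token_urlsafe(16)  # unguessable
        self.unused_codes[code] = issuer
        return code

    def register_with_code(self, name: str, code: str) -> Account:
        issuer = self.unused_codes.pop(code, None)  # pop makes the code single use
        if issuer is None:
            raise ValueError("unknown, voided or already used invite code")
        return self._add(Account(name, invited_by=issuer))

    def ban_for_spam(self, name: str) -> Optional[str]:
        """Ban an account and shut off its inviter's ability to invite."""
        acct = self.accounts[name]
        acct.banned = True
        acct.can_invite = False
        self._void_codes(name)
        inviter = acct.invited_by
        if inviter is not None:
            self.accounts[inviter].can_invite = False
            self._void_codes(inviter)
        return inviter

    def lineage(self, name: str) -> list[str]:
        """Chain of inviters from the account up to a paid (root) account."""
        chain, cur = [], name
        while cur is not None:
            chain.append(cur)
            cur = self.accounts[cur].invited_by
        return chain

    def high_fanout(self, threshold: int) -> list[str]:
        """Accounts that invited at least `threshold` others: review candidates."""
        counts = Counter(a.invited_by for a in self.accounts.values() if a.invited_by)
        return sorted(n for n, c in counts.items() if c >= threshold)


def demo():
    """Constructed scenario: one paid root, one inviter fanning out to spam accounts."""
    ledger = InviteLedger()
    ledger.register_paid("alice")
    for friend in ("bob", "carol"):
        ledger.register_with_code(friend, ledger.issue_code("alice"))
    for spammer in ("spam1", "spam2", "spam3"):
        ledger.register_with_code(spammer, ledger.issue_code("bob"))
    leftover = ledger.issue_code("bob")  # issued but not yet redeemed
    ledger.ban_for_spam("spam1")         # traces to bob and revokes his invites
    return ledger, leftover
```
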