So you want to receive WhatsApp messages?

Max Baumann

Note: All of this happened a few months ago, when I also drafted this post. Since, I did some large revisions so it becomes less of a rant.

Our apartment hosted a party last week (and despite the following two thousand words, it was great!). We have a TV mounted in the hallway, which usually displays status pages, bus connections, the weather and other useful information. For said party, we wanted to set up a wall of images on the TV, where guests can post images to and show just how much fun they have. As we had already invited everyone using a WhatsApp group1, we wanted to set up a WhatsApp bot. To it, you could send your images to, which will then show up on the big screen. The rationale for this was, that people will likely share these images with each other anyway, and additionally selecting the bot when sharing will pose the lowest barrier to entry.

That idea lingered around for a while, and as ideas tend to do, it did that until someone feels responsible to realize it. This time, that someone was me, which lead me down a path of unreasonableness I could not possibly foresee.

Staring at a mixture of listicles and seo-optimized advertisements posing as blog posts, I recalled that Google search has become utterly useless. But I have used Twilio for a different project some years ago, and recalled they had a WhatsApp offering.

So I signed up for a new Twilio account and got to work. In theory, the rest is now pretty straight forward. First: "Buy" 2 a number managed by Twilio. Whenever a new message arrives at this number, Twilio will call a webhook. Now we throw together a Firebase Function, which extracts the media, uploads it to Firebase Storage, writes the URL to a Firebase Database and then finally listen to changes on the frontend. Done. Easy. Took an hour.

Now I only have to move it out of the Twilio sandbox. That can not take that long!

Foreshadowing is a narrative device.

According to the docs, we need three things first:

  • the aforementioned Twilio number
  • a Meta Business Manager ID and a WhatsApp Business Account
  • Legal Name, Display Name, and so on

You can "buy" Twilio numbers from a wide range of countries. Unfortunately, no German number supports SMS services, which are needed to receive the verification code from WhatsApp. All German Twilio numbers do support Fax though, which is just so German. Other European countries? Greece! There is exactly one number available and it is dirt cheap. But it turns out, I can't buy that one without providing a (I assume Greek) Business ID and all other kinds of regulatory information. F*ck it, the location of the number does not matter as we use WhatsApp anyway, so let's just pick up a US number. In the land 🇺🇸 of the free 🗽, we don't 🦅 have to comply with any 🗣️regulatory requirements 📢. One step down, one more to go.

In Germany, Facebook is an old people platform, for which I did not have an account. What I do have is an Instagram account! And with that I can create a Meta Business Account, right? Yes! But that, obviously? requires my Instagram Account to become public, and I don't want that. I will later find out, that the Instagram account would have to be connected to a Facebook Page anyway.

New Facebook account it is. Now we head over to the Meta Business Page and convert it into a Business Account. Oh wait, never mind! We need to wait "an hour" before we can create a Business account. Sure, let's wait a few minutes and try again.

Screenshot of a Facebook Error Message: 'Unable to Create Account: Your account is too new to create a business account. Try again in an hour.'

...

And again.

...

And again.

...

Let's try a different Business name. Nope, use the old one again (my name).

Screenshot of a Facebook Error Message: 'Unable to Create Account: Your Advertising Access is Restricted'

⚠️ Advertising is restricted on our Facebook Account.

wat.jpg

After waiting a few minutes, I also received an E-Mail. If I didn't expect it I would have flaged it as a phishing attempt. With a big blue "Fix this Issue" button and everything. I would not have clicked on this, if I hadn't seen the error message prior.

Screenshot of a Facebook UI Element: 'Upload your ID.'

After sending Facebook a picture of my driver's licenses, they pretty quickly reversed their decision. I did not break any community guidelines (they determined this using my driver's license)! German driver's licenses actually only have relatively little information on them. The most insane thing I have read all week was the little disclaimer text at the bottom of that screen. By default, they reserve the right to retain A PICTURE OF YOUR GOVERNMENTAL ID for up to ONE YEAR. I needed to disable this first on a different settings page, which perfectly matches what I think about Facebook and their business practices.

Ok, we are back and can do unlimited adverting now! Let's check back in tomorrow, I am tired.

At bit less than 24 hours later, I log back into the Facebook account to finally kick off the conversion into a Business Account.

⚠️ Your Facebook Account is restricted.

Screenshot of an E-Mail from Facebook: 'Max, you have 180 days to take action. Your Facebook account has been suspended.'

Oh, come on. What do they want from me now?

Upload a selfie of yourself, so we can verify it's you

They already have a picture of me on my driver's license. I assume they want to do some automatic cross-checking against profile picture and previously posted selfies and so on. But I remind you, there are neither. I made this account yesterday. But who cares, and so I did. After an average "bit more than a day"... My account got... fully restricted?

Screenshot of an E-Mail from Facebook: 'We disabled your account. You cannot request another review of this decision.'

Amazing. Absolute cinema.

Next try: An account that has existed for a while. I used the helpwave Facebook account (h/t Felix for letting me use it).

Long story short (no, like actually a long story): It got the same treatment. This time they were even faster in restricting me.

Before we keep going, let's take a step back. Why did this happen? What made one of the industry leaders in Artificial Intelligence think I am a malicious actor? It might be that I am (in Facebook's eyes) a walking red flag:

  • Non-standard browser, I used Brave
  • Non-standard E-Mail, I used my @bmn.dev instead of some gmail address
  • Non-standard Operating System, I use Linux
  • Weird user behavior: Normal users probably set up a profile picture, set a bio and post something. I just went straight to the business manager.
  • Non-standard IP setup, we have a static IPv4
  • Non-standard time, like all good side-projects, this one came to life in the middle of the night
  • Language does not match Country, I'm in Germany, but my browser is set to English
  • Weird country, most traffic does not come from Germany, but mine does
  • Weird name, most people are not named Max
  • Weird constellation of the stars, Venus is in Cancer and enters Leo3

Facebook is obviously under pressure here. Russian Bots are going rampant on Meta Platforms, and let's not kid ourselves, they are likely not the only (state) actors engaging in massive disinformation campaigns. Facebook Ads are the perfect way to find the idiots4. If they don't look like they do something about it, it might call regulators into action. And we can't have that, obviously. That's bad for the stock!

So, to some degree: I really do get it. But after you had my Phone Number, Driver's License and a selfie from the same person, I think it's time to stop. You did your due diligence, now unchain me from the burden of my now apparently radioactive IP Address! I would have paid you money to save me from this bullshit. But then again, pay-walling does not prevent bot campaigns either, look at the current state of Twitter.

After this quick breeze of reason in this post, let's head back into the abyss of insanity.

A new strategy was needed. And with the rise of dusk over Aachen, we were ready. We were determined to create a Meta Business Account, and if it was the last thing we did. This time we were more conscious, some would say paranoid, about the possible signals that may be used in anomaly detection. I say "we" here because my roommate Max did the heavy lifting. After two hours of attempting to get the other accounts to work, we did it. A MacBook, Safari, Telekom 5G, a profile picture and a believable cover story: The ingredients to success.

And there it was: Running flawlessly. The code I wrote in the middle of the night and have not touched since trying to break out of the sandbox just... worked?

I was in the midst of preparing this blog post, and then the empire struck back. Back in the office, after attending ATEC, Max, who wrote the majority of the frontend for the TV, casually mentioned, that the Firebase function had stopped uploading pictures.

They had restricted the f*cking account again.

This time, only the WhatsApp Business Account was restricted for non-compliance with the WhatsApp Business Terms (WABT). Now that was straight up wrong. We did not violate the WABT at all, as the Account has not and will never send a single message. The whole point of it is to receive messages. Also, we are, surprise, surprise, not dealing arms, drugs or humans. But they know. The people responsible were probably just too busy to display an error message, which would actually make any sense. The button next to it suggested that we should complete our Business Profile (Name, Address, Phone Number, ...) and re-apply. More concretely, the Website we provided (the link to the Facebook profile of the account), was not a sufficient proof for the fact, that we did in fact operate the business in question.

If you need more information from us, couldn't you just ask for it in the onboarding of A) the Facebook Account, B) the Facebook Business Account, or C) the WhatsApp Business Account, instead of asking for it 24 hours later? What if you set up WhatsApp as a communication channel for your business, told everyone about it, paid for advertisements and so on, just so people can not reach you on the second day? Also, as a small-business owner that is not listed in the "Handelsregister", I don't think there is an easy way to prove that I run my business to others. In what world, does a link to a website suffices as proof for anything? Facebook never wanted me to prove that I control the website. What is the point of this?

I threw together a basic website using Notion and linked to it in the WhatsApp Business Manager. Or was it the Facebook Business Manager? I don't quite recall.

Screenshot of the Website I threw together using Notion. Turnup43 - Upcoming Event Planner in the greater Aachen Area.

And so we re-applied.

It's time for a contingency plan. I built an ultra simple frontend, where users can upload images directly into the Firebase Storage Bucket. There is a Firebase Extension that resizes and compresses images automatically, we need this now as WhatsApp does not do that for us anymore.

The first guests will arrive at 9 PM, only a few hours left. If we want Plan A to work, the next re-application must go through. Twilio also needs some time to pick up the connection again. It's all or nothing. We created and connected a Facebook Page with all kinds of information, updated the website once more, and re-applied.

An hour later, our appeal was denied again.

It's Plan B time. The first people have arrived while Felix finalized the dashboard's CSS.

In the end, the image wall was a success. Over the course of the evening, more than 400 photos were uploaded. It took about an hour before the first people started uploading their shitty memes to it, and another one before they've discovered animated contend (gifs, webp) was supported.

Photo of the image wall in use

There were so many more pain points than I could get into in this post. The Twilio Facebook connect button was dead for a while, the Raspberry Pi that should have powered the actual image wall was running out of memory and/or had hardware issues, and I know way too much about the Chrome CLI arguments now.

I had already drafted a paragraph about possible learnings for projects like this, but have since reconsidered. Take nothing from this. Just be mad about this hellscape we have built, where computers are trying to detect other computers. A hellscape where automated systems are reviewing your ID, and its decisions are final. A hellscape where the only support staff you have access to is a poorly auto-translated help page. Just recognize that this is just going to get worse. As long as there is an incentive for bad actors to abuse social media platforms, these will become worse and worse in detecting them, while they will also collect more and more data about you in an attempt to identify bots.

  1. WhatsApp is an extremely popular Messaging App in Europe operated by Facebook.
  2. Given that in 2024 everything is "as a service", the word "buying" has become so meaningless, that Twilio decided to redefine it. It now means "to rent".
  3. I don't know the first thing about astrology. I'm really just taking this bit ad absurdum here. Wth. is a "Venus"??
  4. I remember this being a quote from someone that operated a massive scam campaign on Facebook. Unfortunately, I could not find the documentary where I got it from anymore.