
iOS 13’s privacy pop-ups of Facebook data grabs - metaphysics
https://techcrunch.com/2019/09/16/get-popcorn-for-ios-13s-privacy-pop-ups-of-creepy-facebook-data-grabs/
======
oflannabhra
I've been using the iOS 13 developer beta for a couple months, and I can
confirm that within the first week, several apps from the big 4 requested
permissions for things that should be absolutely unnecessary.

iOS 13 has several great privacy-focused changes:

- WiFi SSID is protected behind location permissions (ie, an app must request
and be granted location permissions to be able to access the current SSID)

- Bluetooth has additional permission prompts (as detailed in the article)

- When an app has been using location data, the user is periodically prompted
to confirm continued background location use (with a map of locations the app
has used).

- Safari has several on top of all these, like prompting a user to allow
cross-site cookie loading, etc

In some of these, Apple is catching up to Android, and in others, it is ahead.
Either way, it seems that most of these come from a directive from inside
Apple to clean up 3rd party app behavior, likely prompted by things like last
year's analytics & enterprise deployment scandals.

~~~
WA
Great! Now, one more thing I’d like to have added: get rid of photo library
access and separate this into several permissions:

- write access

- read access (all photos)

- read access (through a special iOS picker that acts as a middle man)

The longer people have their phones, the more photos they have. And with them
a whole lot of meta data such as location etc.

I simply don’t trust most apps these days that they really don’t touch any of
that data.

Of course, you can already "share" a photo with an app, but this doesn’t let
you change a profile picture in Instagram for example.

The cynical person might say: why not stop using these apps in the first
place? Because it’s difficult to say who is exploiting photo library access
and who is not. Does VSCO do it? I’d think they have no interest, but it’s too
much based on trust vs. something I can control.

~~~
berti
> The longer people have their phones, the more photos they have. And with
> them a whole lot of meta data such as location etc.

Stripping location metadata before handing photos off to apps would be nice
too.

~~~
tinus_hn
iOS does this for apps that don't have photo library permissions and use the
system photo picker.

------
motohagiography
This article sold me on switching to iPhone. It's like everything about
Facebook dating seems like a eugenic program to favour people with a naive and
submissive tendency toward power and authorities.

As a technology change, online dating has become a "radical monopoly
(Illich)," in the sense that whether you use it or not, you are subject to it,
the way a cyclist is subject to the car, and any algorithmic bias or site
policy is in effect a eugenics program. Of course nobody criticizes something
when they are winning, and an ostensible loser's view of dating is the very
popular definition of disgusting, but for a ubiquitous global company whose
business model reduces to selling ads on addictive pocket slot machines to
become a dominant player in the genetic selection game should give people at
least some pause.

~~~
rdtsc
I just switched two months ago. Been an Android user since 3.x days.

I switched mostly for privacy reasons as well. The original idea of why I
liked Android: open source / Linux based, I developed apps for it, are not as
important as giving too much control and my data to Google at this point.

Been pretty happy with it as a new user. At first it was hard getting used to
not having a back button where I expected it but after a few days got used to
it.

I like that there is an Apple store I can go to.

The interface is slick and nice, however, I'd have to say in recent years
Android mostly caught up in that regard.

But most of all, I like that Apple's primary business is not selling my info
so I am happy to pay a premium to have a bit more privacy.

~~~
bosie
> The interface is slick and nice, however, I'd have to say in recent
> years Android mostly caught up in that regard.

How would you say are the apps in this regard? Are ios apps more standardized
than android's?

~~~
snazz
Yes and there seems to be more developer time invested in iOS apps than
Android apps for smoothness—developers know they make more money from their
iOS users even taking into account how many more Android devices there are.

You might miss not being able to set third-party apps as default for certain
actions, but I think this is a valid trade-off for maintaining standards and
share extensions are almost as good.

~~~
PossiblyKyle
There’s an app called Opener that lets you open third party apps in the
relevant pages quickly. Not as fluid as Android but still quick. Personally
I’ve been very happy with iOS since the switch a year ago. I’d like to point
out that the biggest charm of the gestures is that it’s essentially system
wide, including third party apps. Swipe to go back and tap to scroll up are
just too convenient and natural for me to go back.

------
lstamour
Huh, all that and I didn’t see an explicit call out to how Apple has changed
the location sharing in the background prompts to include a creepy map,
prompting you to wake up a bit instead of automatically hitting Allow location
sharing: [https://techcrunch.com/2019/07/18/ios-13-security-privacy](https://techcrunch.com/2019/07/18/ios-13-security-privacy)

~~~
Someone1234
Wow. What's the opposite of an anti-pattern? Because in terms of visualizing
the privacy implications that deserves real praise and likely took quite a bit
of work.

They should be proud of that, and it makes it seem like their privacy push is
more than just a momentary marketing-led move.

~~~
simonh
Oh it's definitely at least partially a marketing issue. They're very keen to
promote to users that iOS provides strong controls over privacy, it's a clear
differentiator and selling point.

I just don't think that's enough to explain it. Apple was all-in on user
privacy right from the beginning, back when their market cap was a small
fraction of what it is now, when Wall Street was salivating over the huge
profits to be made out of mining social graphs, and when Google was offering
big money for access to user data. Instead Apple decided to put up the finger
to Google, until then a close partner, and spent billions of dollars building
Apple Maps.

There is absolutely no way Apple could possibly have expected a marginal
marketing advantage, which was very minimal at first for many years, to
compensate for the very lucrative immediate opportunities they gave up. The
financial incentive argument just doesn't come close to adding up.

------
vincentriemer
Since installing the iOS 13 beta I've noticed a bunch of apps asking for
bluetooth access. I haven't kept track of every one but I do remember YouTube
and Netflix asking for it on their first launch. Thankfully, I haven't
witnessed any app failing to work by denying the request though.

~~~
bengotow
The Bird (scooter) iPhone app asked me for Bluetooth. It said something about
"nearby scooters" which I think is a flat out lie because you unlock them via
QR code? Probably also tracking...

~~~
skellera
Well let’s be realistic, it said nearby scooters. Not “unlock scooters.”

There is the completely valid use case of a scooter that isn’t able to send
its location to the app yet is close by to you. So it can be found with
Bluetooth.

That isn’t to say that the app isn’t tracking where you go, it doesn’t need
the Bluetooth connection to its scooters because you need to turn GPS on to
find the scooters.

~~~
tru3_power
The app for sure is tracking where you go. There are some areas that are “slow
zones” where the scooter won’t go past a certain mph and is throttled. This is
done in real time.

------
Tepix
Tell your non-IT friends to uninstall the Facebook app and use the web browser
interface instead if they want to stay on Facebook.

Preferably they also block all 3rd party cookies, use an ad-blocker and
occasionally delete all cookies and reset their Ad-Id.

~~~
uptown
Is there an alternative to the Messenger app? I've been unable to convince
some friends to move off of this.

~~~
guidopallemans
You can chat and browse on
[https://mbasic.facebook.com](https://mbasic.facebook.com). It's HTML-only.

~~~
grecy
My old Android phone won't let me load that page. It force opens the Play
Store and wants me to install messenger. So I can load Facebook through
Chrome, but I can't chat to anyone.

~~~
Tepix
Have you tried a different browser?

------
makecheck
While this is great, it is really about 12.5 versions too late, isn’t it?
Something like a Facebook graph is already _huge_, and they surely don’t care
quite so much if, all these _years_ later, restraints finally come into play
for _new_ information?

A far more damaging thing to these social networks would be mega-scale
winnowing and chaffing: where OSes and devices basically start to _lie through
their teeth_ when apps come calling. I am more than willing to “let” Facebook
_think_ that I went to 500 places I’ve never been, and I am willing to let
them think I am connected to hundreds of people that I don’t actually know.
Let us, please, ruin their entire graph: take what truth they have obtained
through questionable means, and pack it with garbage.

Of course, Facebook would also be smart enough to put a timestamp on what they
already know so you can’t just give them _new_ garbage. Let these devices give
every app and website “old” fake details, as well. For example, let them
pretend that _three years ago_ I was at a certain location, or that I was in
proximity to a certain person in the year 1999. I’m not so interested in
protecting current details, as I am with protecting my _entire history_ of
details.

~~~
pdimitar
Agreed. While I'm all for ending their undisputed free rein on collecting
personal information, I also think their well should be poisoned to the point
it becomes useless to them.

------
gigatexal
This is why I will continue to buy 1k iPhones and 3k laptops. Apple is really
making the surveillance inc companies afraid.

edit: spelling.

------
tobr
Funny, when trying to read this article, I got a privacy pop-up about creepy
data grabs from “the Oath family”.

~~~
thih9
Temporarily disabling JS helps.

I usually don't want / remember to do that though, in these cases I skip "Oath
family" articles. And I really dislike this popup, it links to 100+ privacy
policies and some of them return 404 errors already.

------
decoyworker
Why do applications have access to Bluetooth or WiFi ID's in the first place?
Seems too low-level for an app to have access to. Aren't these details better
left handled by the operating system?

~~~
lstamour
It’s helpful so Spotify can start playing music when I connect my headphones,
or so apps like Bose Connect can update my headphones. Most features with
privacy implications are also features that can add a ton of value if used
correctly. The problem is partially the lack of system messaging and partially
lack of morals...

~~~
ascagnel_
Spotify shouldn’t need BT access to play audio — there’s a “blessed” API for
apps that need BT audio output that won’t require separate authorization.

Your headphone update app more reasonably will need that permission, as it's
doing more than audio output.

~~~
lstamour
You misunderstand, it’s not for playing back audio as such, it’s for detecting
when the headphones connect as well as (maybe?) enabling easy set up of
speakers with Spotify Connect.

Similarly Dropcam had a setup mode via Bluetooth, Google Home as well.

~~~
fluffything
Spotify doesn't care whether your headphones are BT or not.

iOS should be doing audio device discovery and notifying the apps that request
it when a new device is found. Whether you plug some headphones or use
bluetooth or airplay or ... shouldn't matter here.

~~~
lstamour
Apple does do device discovery, but it then lets the app show the device
names, in fact it’s a requirement to play audio over Bluetooth and a key
usability feature of wireless headphones. If your music app doesn’t tell you
which device is connected, you’d potentially be surprised every time you hit
the Play button. So I’m 99% sure that Apple outright rejects apps that don’t
say if you’re connected to Bluetooth, just as they reject apps that don’t say
if you’re online. Bluetooth is also disabled for security purposes (if checked
in settings) when the phone is locked, including previously paired devices, so
it looks to me like they draw the line between security and privacy pretty
well, short of forcing all apps to use the same UI conventions.

~~~
ascagnel_
That’s 100% on Spotify and how they’re implementing playback. I have Sonos
speakers and Bluetooth headphones paired with my iPhone, and Overcast is able
to display the selected output without any Bluetooth permission requests.

Spotify Connect is likely why they need a permission request... but the
question for me is why they need it on app startup and not a one-time request
when starting the Connect pairing process. Good security procedures would have
the app requesting as few permissions as possible, for the shortest amount of
time.

~~~
lstamour
Again, all I can point to are the instances where I was playing music via
Spotify on my Alexa devices and thanks to Spotify connect when I connect my
headphones, Spotify starts playing automatically on my headphones. The
downside is that occasionally Overcast stops playing because Spotify wants so
much to take over and start playing. But it’s hard to say if that’s an iOS
beta thing. Similarly, the app still ships for iOS 12 right now, it’s possible
the iOS 13 version of the app will have a clearer explanation for the use of
Bluetooth.

------
codeisawesome
PSA for People here who are privacy conscious - don't forget to completely
turn off Background App Refresh in iOS. For all the talk about privacy, this
is my biggest gripe at the moment with iOS that this setting is hidden so well
in the Settings app. So many apps send needless information when you don't
even use them!

I have a pet paranoia that when apps have both Background App Refresh feature
as well as Photos access - well when the phone's connected to WiFi and
charging (both of which can be detected by the app) - what's to stop apps from
happily uploading everything? I'd be really happy to hear from someone that
this isn't actually possible tbh.

~~~
switch007
Do you know if disabling it affects messaging apps like WhatsApp?

~~~
pdimitar
Never in any messaging apps that I had. Notifications and the ability to wake
your device and do work in the background are separate services and they don't
affect each other.

You will not miss any notifications if you disable Background App Refresh.

------
kbos87
When you tell an app you explicitly don’t want to share your location with it
and they do something like this, how can you say that is anything other than a
gross breach of trust? Someone deserves jail time.

This also says so much about the culture at Facebook. They clearly don’t have
any respect for their users, principles, or limits. I’d personally think twice
about hiring someone from Facebook.

------
alanh
I was under the impression that any time an app allows you to play media and
send it to audio devices (including Bluetooth and AirPlay), iOS 13 gives a
scary prompt like this. I've been using the public beta and for this reason I
have granted the permission to YouTube (while hoping I am right and they are
not abusing the permission).

Does anyone know for a fact what Facebook is doing with Bluetooth permissions?
Am I right in my understanding of how innocent usage for media playback can
trigger this prompt?

------
ct0
How can Facebook be in the business of Dating without a bias? If their outcome
variable is time on the site, then real lifelong connections actually put that
in jeopardy.

~~~
colejohnson66
Couldn’t that argument apply to all dating sites? Tinder was doing good enough
that they got bought.

------
joewee
One thing I find suspect in iOS 13 is Apple automatically enables
collection of data of your usage of 3rd party apps. Any idea what this is for?

~~~
saagarjha
Doesn't it ask you during the setup process whether you'd like to share
analytics and usage data?

~~~
joewee
There is a per app sharing option. So perhaps they added granularity to what
usage data sharing to exclude sensitive applications.

------
tempodox
> “We’ll continue to make it easier for you to control how and when you share
> your location.”

Technically, that's true. The choice between “yes, always” and “yes, always”
is as easy as it gets, while of course also being totally misleading in
arrogating that users actually do have a choice.

~~~
sixstringtheory
If the _app_ gives you the choice

> between “yes, always” and “yes, always”

because they deliberately left out a viable option of “yes, only when in use
in the foreground” then I’d say the app developers are hostile and you should
consider uninstalling the app.

But this isn’t really on Apple. It’s the developers, managers, stakeholders
who deserve your ire.

~~~
tempodox
The quote at the start of my comment was the article quoting Facebook, not
Apple. I neglected to make that unmistakable for commenters who haven't
actually read the article.

