
Facebook Really Is Spying on You, Just Not Through Your Phone's Mic - asclepi
https://www.wsj.com/articles/facebook-really-is-spying-on-you-just-not-through-your-phones-mic-1520448644
======
antiviral
I find this statement from Facebook in the article to be oddly worded, as if
it was carefully constructed by a lawyer to avoid getting caught in a lie:

"Facebook does not use your phone's microphone to inform ads or to change what
you see in News Feed."

OK... so they are saying they don't use your microphone to target ads. But how
about precisely enumerating how FB uses your microphone?

Do they use it for any purpose other than helping you communicate during a
call?

Do they try to infer any personal information about you, which can then be used
indirectly to make money from your data?

I too have had odd coincidences where eerily relevant ads show up after I have
had a conversation. If only FB was more transparent about what they do, I
might not be so paranoid about it.

~~~
linuxftw
I think you're on to something here about the indirection.

I too have witnessed the uncanny ads, but not even from my own phone (I don't
have Facebook on my phone). A friend mentioned a particular restaurant I have
never been to, been near, or searched for.

I can only assume my friend's conversation was geo-tagged either by my phone
(android, no non-system mic access), or the data was combined on the server
end to place both of us at the same place / same time, and used his recording
to market to me.

I'd also like to note, the 'amount of bandwidth needed' is almost nothing by
today's standards. Not to mention it can wait to transmit that data until on
wifi. 8khz audio (telephone quality) is just kilobytes per second. A
reasonably unsophisticated algorithm could trim the audio for any highs and
lows (IE, statistically, sound below or above some dB threshold is trimmed
because it won't be useful) and uploaded. We're talking about just a few kb
per conversation.

Of course, the Facebook app is a memory, storage, and cpu hog (IMO), so I
don't think it's unreasonable that given today's modern phone hardware some
word recognition software may be present on devices themselves.

~~~
SeanBoocock
Or consider another scenario: your friend went to said restaurant and paid for
something; read an article about the restaurant; viewed/interacted with an ad
for the restaurant; liked a social media post for the restaurant; or was geo-
tagged at or around the restaurant. Any of the above would be sufficient to
associate your friend and the restaurant, and I'd wager targeting your social
graph after you've interacted with a product/service would have a good ROI.

~~~
parthdesai
Alright here's another anecdotal experience. To preface it, I don't have Fb
app or messenger on my phone but have WhatsApp and Instagram. I opted out of
WhatsApp's data sharing policy when you were able to do it.

So I was walking with co-workers for coffee and somehow we talked about a
college. Now I can assure you that I have never ever searched for that college
and I didn't even know it existed before that conversation took place. And 30
mins later, I'm browsing Instagram at work and there is an ad of the said
college. If this isn't creepy af, I dunno what is.

~~~
dijit27
It might be creepy, but it might not be. It is possible that the conversation
influenced the ad shown. But it is also likely that ad would have been shown
no matter what the prior conversation was about. If the conversation hadn't
included talking about the college prior to seeing the ad it would have been a
non-event. But being primed in advance makes it at least feel like a freaky
coincidence or at worst nefariously creepy targeted advertising.

These kinds of events happen by chance and have been happening well before
almost everyone started carrying mobile recording devices in their pockets and
even pre-internet.

I have no doubt that advertisers would love to have that kind of insight but I
can't help but feel that the anecdote of the form, we talked about A and A
showed up X minutes later, is too easily explained by coincidence. How many
topics were discussed, how many ads were shown? When I read something like
this I imagine the anecdote should read more along the lines of how we talked
about A, B, C, D, E and F and among the dozen or so ads I saw afterwards one
of them was topic A! Can you believe it? And yes, yes I can, that is a pretty
neat coincidence.

On the other hand if out of all 6 of the topics discussed all of the ads that
were shown afterward were related to them, maybe not all, but more than one or
two. That sounds like there is something fishy going on.

I don't mean to single out this particular example, it was to be a simple
comment that had more to say. So, thank you for the inspiration!

~~~
hvidgaard
The first time it happened to me, I considered it a coincidence. And the next
few times too. It must be because the game is new, or they know I've been
searching for new floors on my computer, etc. But it keeps happening, and it's
always in the time following after it was talked about, but not searched for.
It has happened for things we talked about at friends' place, that is
completely outside what my wife and I would do.

The most blatant I've experienced was on the Wii U. The controller with the
screen powers up and shows ads for new games every now and then. We actually
had a bit of fun with it, casually talking about new games and guess what
happened. An ad for that particular game was shown. I'm 100% certain now, that
it happens with smartphones as well.

~~~
digikata
It could be the ads came up a more conventional way - the makers are priming
the publicity for the game so it shows up in magazines and ad buys etc. If you
and your friends are avid gamers - you probably get some early exposure before
more general ad channel buys show up.

But to really answer this question, we could build a better experiment. Write
out a set of topics on index cards. You have to be careful that topics aren't
new product rollouts (otherwise you really have to think about how you decided
to write that topic down in the first place). Draw a card, don't talk about or
search the topic for some amount of time, then inject the topic where it might
be observed (talk about it and/or search for it somewhere), then for some
amount of time, see if it comes up.

~~~
devrelm
Also keep track of every time that you see references to each topic both
before and after bringing them up.

And have a control group that you simply don't bring up at all. Make sure to
have more than one, so that you still have more remaining if someone around
you brings up one of your control topics.
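
The card experiment proposed in the comments above (randomly chosen spoken topics, several untouched control topics, ad sightings logged before and after), as an added example that is not part of the original thread. The function names, the rule of dropping topics that already showed ads before the test, and the sample log are assumptions made for illustration.

```python
import random
from math import comb


def assign_topics(topics, n_spoken, seed):
    """Shuffle the topic cards and split them into spoken and control groups.

    Random assignment stands in for "draw a card": the experimenter does not
    pick which topics get spoken aloud, so existing interests cannot leak in.
    """
    rng = random.Random(seed)
    cards = list(topics)
    rng.shuffle(cards)
    return cards[:n_spoken], cards[n_spoken:]


def summarize(log, spoken, control):
    """Turn a sighting log into 2x2 counts.

    log maps topic -> (ads_seen_before, ads_seen_after).
    Assumption: a topic that already produced ads before the test window is
    dropped, because its later ads say nothing about the spoken words.
    A "hit" is a remaining topic with at least one ad afterwards.
    Returns (spoken_hits, spoken_n, control_hits, control_n).
    """
    def count(group):
        kept = [t for t in group if log[t][0] == 0]
        hits = sum(1 for t in kept if log[t][1] > 0)
        return hits, len(kept)

    s_hits, s_n = count(spoken)
    c_hits, c_n = count(control)
    return s_hits, s_n, c_hits, c_n


def fisher_one_sided(s_hits, s_n, c_hits, c_n):
    """One-sided Fisher exact test on the 2x2 table.

    Returns the probability of seeing at least s_hits hits among the spoken
    topics if speaking a topic had no effect on ads (hypergeometric tail with
    the row and column totals held fixed).
    """
    total = s_n + c_n
    hits = s_hits + c_hits
    denom = comb(total, s_n)
    tail = 0
    for k in range(s_hits, min(hits, s_n) + 1):
        tail += comb(hits, k) * comb(total - hits, s_n - k)
    return tail / denom


if __name__ == "__main__":
    # Constructed topic cards and constructed sighting log, for illustration.
    topics = ["kayak", "beekeeping", "accordion", "tile saw", "kimchi",
              "unicycle", "bonsai", "fencing", "telescope", "pottery"]
    spoken, control = assign_topics(topics, n_spoken=5, seed=7)
    log = {t: (0, 0) for t in topics}
    log[spoken[0]] = (0, 1)   # one spoken topic showed an ad afterwards
    log[control[0]] = (0, 2)  # so did one topic that was never mentioned
    log[spoken[1]] = (3, 4)   # already advertised before: excluded
    table = summarize(log, spoken, control)
    print("counts:", table)
    print("p-value:", round(fisher_one_sided(*table), 4))
```

A single spoken topic showing up next to a control topic that also showed up gives a large p-value, which is the "pretty neat coincidence" case; only a spoken group that clearly out-hits the controls produces a small one.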

------
brandontreb
I did quite a bit of Jailbreak/tweak dev in the past, and I was curious if you
could just hook into AVAudioRecorder and show an alert any time it was
invoked.

So, I did this sort of thing years ago when I wrote a tweak for the InPulse
smartwatch (later became Pebble)
[https://github.com/brandontreb/inPulseNotifier](https://github.com/brandontreb/inPulseNotifier).
I was able to hook into the system messaging, forward it to a custom
bluetooth stack (sending it to the watch) and forward the message up the stack
to be displayed by the system.

It would stand to reason that the same sort of process would be effective for
catching Facebook invoking audio recording. Once you hook into the
AVAudioRecorder's interface, you could theoretically observe the following:

1\. Open the Audio Recorder app and hit Record - An alert should show to prove
your tweak is working.

2\. Open the Facebook app. If you receive a similar alert at some point, you
could at least prove that FB is invoking the audio recorder at some point
without the user's expressed permission.

Am I crazy or could this test actually work?

~~~
sine
It's possible Facebook could be using an exclusive method to access hardware
more directly, much like how Uber had access to restricted developer debugging
tools which allowed them to record the screen even when the app was closed.

[https://thehackernews.com/2017/10/uber-screen-record-
iphone....](https://thehackernews.com/2017/10/uber-screen-record-iphone.html)

~~~
willstrafach
I have checked. Facebook does not do this.

~~~
logicallee
How have you checked (what do you have access to)? If you work for Google on
Android would be a good answer for example :)

~~~
traek
From his bio:

> information security research. ceo @ sudo security group
> ([https://verify.ly](https://verify.ly)).

> previously: founder of "Chronic Dev Team" responsible for many years of iOS
> jailbreaking solutions (24kPwn, absinthe, corona, greenpois0n, etc).

~~~
logicallee
I still think "how have you checked" is a fair question.

~~~
willstrafach
My company collects/analyzes apps from the App Store to test their security,
so I have pretty easy access to the machine code for apps.

Certainly a fair question.

------
minimaxir
It's worth noting that the reason security researchers haven't just
intercepted the traffic from the Facebook apps to see if it's transmitting
voice data is because the apps use Certificate Pinning, which prevents the SSL
traffic from being decrypted using the SSL certificate generated by
mitmproxy/Charles.

In light of that restriction, what might be interesting is looking at the
_amount of data_ transferred by the Facebook app with/without the
microphone/location services enabled. (this is a data project I have in the
pipeline)

~~~
pdpi
Facebook already has plenty of issues with people not trusting them. Lying
about this and then being caught red handed would be devastating from a public
opinion perspective. Even if you assume a completely amoral team that cares
about nothing but ad revenue, do you genuinely think they’d risk something as
dangerous as that? Especially given how much you can still achieve with the
data that is known to be collected?

~~~
pmoriarty
How devastating would it be, really?

It would likely be a blip in the news, and then people would move on, as
usual.

Remember the Sony rootkit fiasco? People still buy Sony, and most people
probably either never heard of that incident, don't remember, or don't care.
Buying whatever the new Sony gizmo of the day is is more important to them.

Microsoft has had endless spyware fiascos, and people still routinely buy
Windows, as long as they can play their games or run Office, that's all that
matters to most of them.

Then there have been scandals like Enron, where the execs knew that they were
doing something that was clearly illegal, and that their company really would
be devastated if what they did was ever revealed. These "smartest people in
the room" did it anyway.

Corporate history is full of just such deceptive and destructive practices.
I'm not sure I'd put Facebook above that sort of thing, a priori.

~~~
herogreen
Speaking of badware: last week I found McAfee installed on the laptop of a
relative that I manage. He assured me that he had not installed it himself (I
had not installed anything actually). Could it have come from Windows updates?

~~~
mynameisvlad
No, Windows Update doesn't distribute third party software. And even if it
did, MSE is technically a competitor to McAfee so there wouldn't really be a
solid reason to distribute it.

Your relative probably installed something and pressed "Next" through all the
dialogs including the ones asking if they want to install super helpful
bundled software.

------
hmhrex
Reply All did an episode on this that was really good:
[https://www.gimletmedia.com/reply-all/109-facebook-spying#ep...](https://www.gimletmedia.com/reply-all/109-facebook-spying#episode-player)

The thing I thought was interesting is just how adamant people are about FB
spying via mic.

They also had an update in their year-end episode:
[https://www.gimletmedia.com/reply-all/113-reply-alls-year-en...](https://www.gimletmedia.com/reply-all/113-reply-alls-year-end-extravaganza#episode-player)

Both worth a listen.

~~~
falcolas
> just how adamant people are about FB spying via mic

I'm of the opinion that it's easier for your average Jane/Joe to believe (and
maybe even preferable to believe) that someone is listening and responding to
your words than a computer piecing together a picture of you from unrelated
clues via some nebulous "machine learning algorithm".

Anybody can listen to your words and advertise to you based on them. It is, on
the other hand, not feasible for a human to look at a stream of unrelated
posts and figure out that you're pregnant.

~~~
Aunche
A lot of it is confirmation bias as well. People will remember when an ad is
creepily relevant, but they don't remember the dozens of times they were
completely irrelevant. It's like when my friends made me watch Stranger
Things, it felt like Stranger Things references suddenly started to appear
everywhere on the internet.

~~~
carlmr
Confirmation bias and the Baader Meinhof Effect. I've talked with friends
about topics I didn't know about before. Then I got fitting ads about it on my
phone. I wouldn't have noticed these ads if they weren't fitting. It seems
more creepy because it's new to me (consciously).

------
titzer
Hey Facebook, if you got nothing to hide, _show us the code._

We showed you our friends, our relationships, our interests, our intimate and
disarmed states, our rants, and probably half of the websites we visited. (in
retrospect, that was dumb)

Oh, your tin can and strings might show? Competitors might get ideas? Please.

Until then, not a fan of you, not clicking on your ads, and generally avoiding
your site. In fact I think I'll start deconstructing my profile as soon as I
can muster the courage to choke back my gag reflex.

Sincerely, A growing group of mugged social network burnouts.

~~~
bubblethink
Which code ? Server side code is unreasonable to expect. For client code, you
can just use the browser. It may not be as convenient or full featured as the
app, but it'll do the job if you absolutely must use FB. The situation is much
better with stuff like FB which is not that essential. It's more problematic
with Google Maps, where you can't get turn by turn navigation unless you use
the app.

~~~
kibwen
_> Server side code is unreasonable to expect._

Honest question: why would it be unreasonable for us to expect server-side
code to be open-source? Facebook's value lies in its brand and its
infrastructure, not in its code, so there's no risk of upstarts taking
Facebook's code and standing up a clone (which, even with the code, is way
easier said than done).

~~~
tzakrajs
First let's talk about value, because it is relative for different audiences
(and my take is obviously not canonical either). For Facebook's users, the
value is primarily the network. For Facebook's partners, the value is
converting sales from users engaging with advertisements.

Facebook must offer enough to the users that the network is still worth coming
back to while still giving advertisers a chance at having their eyes. A major
breach could cause user and partner abandonment because of security concerns.
Once the genie is out, there is no putting it back in. Their stock will fall
faster than they can rewrite the product.

It is unreasonable for us to expect open-source for server-side code because
it exposes Facebook (and potentially its users) to a lot of risk for only a
small upside. 1) While open-source software has myriad benefits, those
benefits require the public at large to audit their code as it is being
continuously changed and deployed. Can we keep ahead of the criminals
exploiting freshly merged and deployed commits? 2) Knowing the source code is
one half the battle, the other half is knowing what is actually executing at
runtime. How would users verify this to get the value of open-source? 3) Open-
sourcing server side code of Facebook could have serious negative consequences
for users or Facebook in the event of a breach due to intimate knowledge of
the system only afforded by being privy to the source code.

Not a point, but a philosophical question: *) Where does this stop being
virtuous? Should Microsoft open-source SMB tomorrow? Would you feel
comfortable with that?

Edit: grammatical fixes

------
slededit
The claim of the article is that it would be technically infeasible - and they
go into how difficult it is to interpret context. However simple keyword
matching would be more than enough.

Facebook has a lot of compute resources, but they wouldn't have to use it.
Your smartphone is more than fast enough to do simple speech recognition. The
accuracy rate wouldn't have to be that high - you won't get mad if you see an
ad for a misheard keyword.

~~~
monocasa
Wouldn't that destroy your battery life?

~~~
jklinger410
Does the Assistant listening for OK Google destroy your battery life?

Your phone reads sensor data as a base state.

~~~
janoc
The Google Now only listens for the trigger phrase when idle - which is done
all locally, without needing to talk to the servers.

It has a battery impact but much less than sending all the voice data
continuously to a server somewhere. The biggest battery killer would be the
wifi or 3G transmitting non-stop in that case.

~~~
SilasX
It wouldn't have to transmit non-stop -- it could do some parsing/cleanup
locally, then queue it up and upload it periodically with other, expected FB
traffic.

------
alexandercrohde
If somebody wants to definitively answer this, there's no reason you couldn't
just say random advertising related words in front of your phone (1 per day)
and check how many come up in your search. There are basic statistical methods
to establish if the results can be explained by chance.

This would have the upside of not requiring any reverse-engineering.

~~~
remir
Yeah. For example, if you don't own a cat, you could just talk about cats and
brands of cat food in front of your phone for a while. If you end up with a
bunch of ads for cat products, then that would be seriously weird.

~~~
madeofpalk
In saying that, Twitter thinks I:

    
    
* Own a cat, dog and other animal
* Have between $100k-$999k liquid investible assets
* Have a net worth between $1 and $1m
* Am highly affluent
* Am a high spender
* Am a frugal spender
* Own a house
* Have multiple families
    

Yet none of these are true (well, I guess apart from the 'has income'
demographic I'm in).

I know Twitter isn't known for being an advertising powerhouse (esp. compared
to Facebook), but I wouldn't take too much stock in Facebook serving me up
irrelevant ads.

I moved to the other side of the world 2 months ago, updated my "living" location
on Facebook and have been tagged at multiple locations in my new city, yet
Facebook still serves me ads for buying an iPhone or Car back in my home town.

[https://imgur.com/a/HIkic](https://imgur.com/a/HIkic)

------
natch
I've seen stories where people could not explain why they were suddenly seeing
certain ads in their feeds, and they thought Facebook had recorded some
keywords from a conversation.

For example one guy had a buddy who had recently purchased a certain
motorcycle, and all of a sudden he started seeing ads for that motorcycle.

But... really there's a simpler explanation than the microphone. Although of
course it doesn't by itself rule out the microphone being used.

Facebook can just see when you are in the same location as some other people,
and see what things those other people are into, and then signal whatever ad
networks that you might also be a prospect for those things. Visit your buddy
and see his new bike? Start getting ads for the same bike. No audio needed,
just location services and some posts on FB from your buddy about his
motorcycle. And there are other sensors beyond that. A lot of things are
possible once the user has granted permission for use of various inputs.

Also if it _is_ the microphone as the story suggests it could be in some
cases, the evidence for it being any one particular app is thin. There are
other apps that get granted microphone access by users all the time, and some
of them should be looked at, not just Facebook. Not to defend Facebook here,
but the net should be cast wider than just one app, even if the ads are
appearing on Facebook, which itself is perfectly capable of gleaning interest
information from multiple sources including other ad networks fed by other
apps.

------
crsmith
A couple of weeks ago I searched for (on Google) and played (on YouTube, logged
into my account) the Meow Mix song to play it for my 4 year old.

Less than an hour later, Instagram showed a Meow Mix advertisement on my
wife's account, on her phone.

We have no animals. We have never had animals. She probably (though maybe not)
has never logged into Instagram or Facebook on my browser.

It was too much of a coincidence.

~~~
1812Overture
IP address, or if you have any shared accounts you could have a cookie
identifying you as the same user. Ads also target connections of people who're
interested in a product so you could get the ad from being friends/following
someone who watched the videos. The ads will find you.

~~~
crsmith
Even if FB/Instagram knows my wife and I share an IP address or there were
both FB/Instagram and Google cookies on the same browser where I searched for
Meow Mix, how would Instagram know my Google/Youtube history?

~~~
1812Overture
That's easy. The ad network that serves you ads on YouTube also serves ads on
Facebook. They have a profile of you that connects your facebook and google
accounts.

------
imhoguy
The last thing to install on one's phone is FB app - technically one gives up
all privacy. If you need to use FB then stick to browser and clear browser
data afterwards.

~~~
harryf
It's potentially not just the app. The Facebook SDK is embedded in probably
50%+ of _all_ the apps we use e.g. In top 10 most popular cocoapods -
[https://libraries.io/search?order=desc&platforms=CocoaPods&s...](https://libraries.io/search?order=desc&platforms=CocoaPods&sort=rank)
\- the FBSDKCoreKit -
[https://libraries.io/cocoapods/FBSDKCoreKit](https://libraries.io/cocoapods/FBSDKCoreKit)

~~~
tzahola
But that’s open source and can be audited.

~~~
harryf
Yes but there's a gap between "can be audited" and "is being audited". If they
got caught doing anything malign they can just pull the "oooops we didn't mean
to" defence as they've done before[1] - their track record here says "if we
can find a way, we're at least going to experiment with it"

Also consider this in the light of recent EU rulings on Facebook's tracking of
non-users via the Like button on websites being an illegal violation of
privacy[2]. As usual the law lags the technology by many years - was the EU
even aware of the Facebook mobile SDK being widely installed in many 3rd party
apps when they made this ruling? (edit: reading the report from the University
of Leuven it seems they were at least aware of the implications of things like
Facebook's Mobile Advertiser network)

[1]
[https://www.google.ch/amp/s/techcrunch.com/2015/10/22/facebo...](https://www.google.ch/amp/s/techcrunch.com/2015/10/22/facebook-says-it-fixed-a-bug-that-caused-silent-audio-to-vampire-your-iphone-battery/amp/)

[2]
[https://www.google.ch/amp/s/amp.theguardian.com/technology/2...](https://www.google.ch/amp/s/amp.theguardian.com/technology/2015/mar/31/facebook-tracks-all-visitors-breaching-eu-law-report)

------
product50
I know we are all really concerned about privacy but we need to take a step
back here for a second. Facebook will continue to show you ads - that will
never stop. By following what the author mentions in his article, all that
will happen is that you will see less relevant and useless ads. Would you
rather less ads which are useful or those which are completely disconnected
from what you want? I have discovered some really nice SMB stores via FB ads -
that would have never happened otherwise.

Good luck to the author as now he will see generic AT&T and Galaxy S9 ads.
Privacy has its costs and one should make an informed decision either way.

~~~
jeena
It might be just me, but I'd rather see irrelevant ads like on TV which don't
have that much power influencing my decisions on what to buy and what not to
buy than a really targeted ad which makes it almost impossible to resist to
spend my money on something I really don't need but just want.

~~~
product50
In that case, you should follow the author's steps. I personally love the ads
which FB and Google show - they are well targeted and look nice and some of
them are very influential which I think is a good thing. Otherwise, I will
still see ads but they aren't that helpful and just take up space.

~~~
confounded
This might sound snarky, but I don’t mean it to.

Why do you need help from targeted advertising?

What are the things where targeted advertising is a good way to get help?

Is targeted advertising on Instagram and Facebook the zenith of this help for
you? Can you imagine another way of getting this help?

~~~
product50
Let me give you an example. While I was furniture shopping for my house, FB
showed an ad of a nice boutique furniture store which opened less than a mile
from where I lived. Since this was a new store, it had no Yelp reviews and had
no word of mouth references. I visited the store and absolutely loved and
bought a number of large items from there. I believe this is a positive
development and these ads, at least to me, are a lot better than some of the
non targeted things I see.

------
MentallyRetired
Drove by a Scion iM in a parking lot one time.. and I said out loud "Scion iM?
What the heck is that?" \-- ads on IG and FB for Scion iM when I got home 20
minutes later. No search, no associative info, no dealer info... I simply said
it.

I've had quite a few of those, and usually I can trace it back to me googling
something, etc. But this time, nada.

~~~
Johnny555
I'd blame this on confirmation bias - there must be dozens if not hundreds of
times you use or mention a product every day that you don't notice ads for,
but the rare time you do, it reinforces the belief that they are reacting to
what you said.

~~~
digitaltrees
Why don’t you run an experiment, say something totally random that you know
you’ve never searched and is out of the range of normal interests you have and
see what happens. I have done that on more than one occasion and it confirms
we are being recorded. It’s not just Facebook.

~~~
Johnny555
I did that experiment this morning -- before work at home and on the way to
work, my wife and I were discussing getting a new car, and spoke about a
particular car brand that a coworker just purchased.

I just asked her to check her Facebook and she doesn't see any car ads. I
checked too but didn't see any ads for cars or that brand, but I don't have
the Facebook app on my phone (she does) and our Facebook profiles aren't
strongly linked (i.e. she's not listed as my "wife", we just friend each
other). She uses her phone for navigation while driving, so it was in a
position to clearly hear us.

I haven't done any research on that car brand, but I suspect that once I do a
Google search, then the ads will start flooding in.

So maybe this is confirmation bias in the other direction, but I don't see any
evidence that Amazon Alexa, Facebook, or Google Assistant are spying on us.
Though it could just mean that this particular carmaker doesn't purchase ads
based on keyword spying.

~~~
Spooky23
For experiments like this, use items that have high CPM. Gold, silver, niche
personals and preserved food are great canaries.

Try doing different things. I don’t think name brand vendors do pervasive
audio surveillance. I do think they broaden the scope of your intents. Use
GBoard dictation or similar tools to write. Write stuff down in different
contexts. Use apps in different ways.

Amazon and Facebook share in near real time. Anything you do in a consumer
Amazon property is feeding context to FB.

~~~
Johnny555
Sorry, I didn't mean to imply that I wanted to do this test, I just happened
to do it by accident this morning -- using a very similar term as the writer
of the parent post, he said he mentioned Scion, I mentioned another major car
brand that starts with S.

------
akouris
I think that one should consider the possibility of FB group indirectly
accessing this data.

They don't have to collect information only directly from their
FB/Instagram/WhatsApp apps: what they can do is buy information from other
companies that publish thousands of "free" apps on appstores.

You have to wonder how so many of these free apps seem to sustain themselves
since GDN advertising does not seem to be profitable enough.

FB group should be obligated to disclose whether they are buying information
from these kinds of third parties.

More importantly they should disclose whether the price they pay is illogical,
effectively making them silent partners in an indirect scheme to access your
camera/mic information, while at the same time maintaining the allegation that
"we do not access your mic through our apps".

~~~
1812Overture
They buy the info from massive data brokers, who buy data from other large and
small data brokers, who buy the data from app makers, services, etc.
User123@gmail.com expressed interest in buying kitty litter isn't exactly
sensitive information so there's probably not much in the way of auditable
logs maintained, probably impossible to determine the original provenance of
the data in many cases.

------
ggg9990
The notion that Facebook is secretly recording your microphone is beyond
idiotic and shows how ignorant the general population is (and consequently how
vulnerable). It is the fantasy of an aspiring but untalented screenwriter.

Facebook isn’t spying on your microphone because they don’t have to. They know
enough about you to monetize the shit out of you from things that are out in
the open. When the populace trusts Facebook and Google with nearly their
entire digital lives, and the DOJ lets these giants acquire the rest without a
fight, why would they need to resort to clumsy subterfuge?

------
XMorbius
I think people really underestimate the power of ad retargeting and
advertising analytics. Take in some location information and cross-reference
it with friends lists and their product searches and you can explain 90% of
these occurrences without voice data.

------
excalibur
> Data brokers run personal information through an algorithm before uploading
> so it’s not identifiable, Facebook says, but it still can be matched with
> Facebook account information.

You keep using that word...

~~~
MentallyRetired
Well, if you had known what you were looking for you would have seen it
written on my dorm room window.

------
chimmy_chonga
Ghostery found 39 trackers on that article. The irony is strong today.

~~~
cheeze
Doesn't Ghostery sell data to advertisers too?

~~~
herogreen
Privacy Badger is a good alternative.

~~~
wand3r
I use uBlock on safari but that's it. Can you recommend an alternative to
Privacy Badger (or a trustworthy implementation[0]) that works on Safari?
HTTPS everywhere and PB are not supported.

[0] Some company called softtonic has a "Privacy Badger" branded extension but
I am skeptical about downloading from an unofficial source.

~~~
rbritton
DuckDuckGo’s extension maybe?
[https://spreadprivacy.com/privacy-simplified/](https://spreadprivacy.com/privacy-simplified/)

------
Torai
Full article here:

[http://archive.is/dghhy](http://archive.is/dghhy)

~~~
tontonius
The real MVP is always in the comments

~~~
Torai
Thank you!

------
MR4D
Obligatory link:
[https://www.wsj.com/articles/SB121962391804567765](https://www.wsj.com/articles/SB121962391804567765)

Key quote (from 1999 - Scott McNealy): "You have zero privacy anyway. Get over
it."

Darn - I hate when they're right.

------
ainiriand
In my humble opinion, we are missing something here. I have not been a Facebook
user for a long time. But something really interesting happens whenever me or my
girlfriend are talking about a particular product.

She gets related ads in the web wherever she goes. She has Facebook installed
in the phone while I don't.

But the interesting thing is that this is not happening to me. Never. I do not
get ads for scuba diving suits if we speak about it. She does. How can we
explain this?

~~~
sexy_seedbox
Does she scuba dive as well? Or she may have possibly mentioned that you scuba
dive in a message to a friend? Or somebody posted a photo of you related to
scuba diving without you knowing?

~~~
ainiriand
We don't scuba dive. But some people in her family do... Now it kind of
makes sense. _Removes tinfoil hat_

------
wpasc
Am I alone in not really caring about my privacy that much? I understand many
people care about theirs, and I fully respect their right to their privacy.
With that said, I could care less how much data Google/Facebook acquire on me.
For now, all it is for is more targeted advertisements.

My tune would obviously change if that data were used in more malicious ways.
But as long as it is advertising targets, I personally don't care.

~~~
sverige
My question is whether I am alone in actually caring very much about my
privacy.

I don't consider myself to be paranoid, but I have never been willing to share
details of my life with strangers. I recognize that any online activity is
subject to surveillance, but I do what I can to minimize sharing that. There's
a lot you can do along those lines, with really fairly minimal effort --
though I consider "minimal" to include not having a facebook account and not
having any photos of myself on the internet, for example, which I know from
having these conversations in the past is for many people some insurmountable
hurdle.

Anyway, why would I want strangers to know the details of my personal
preferences and tastes? There's no benefit to sharing it as far as I can tell.
That is what has always stumped me when people say they don't care about their
privacy.

~~~
1812Overture
Not just online activity. Bank/credit card transactions. Utility/tax
information. Postal information. Subscriptions to anything. DMV records. A
detailed profile of you is for sale to anyone who cares to pay. Probably less
detailed than most people, since you're careful, but enough to be spooky.

------
mirimir
As my meatspace identity, I don't worry about this stuff very much. Indeed, it
would be an identifier for me to do so. In meatspace, I'm just a regular guy.
Mirimir, he's the privacy freak.

Anything that I want to keep private, I do as a compartmentalized persona.
Separate hardware. Separate LAN. Separate Internet connection path. No
overlapping Internet activity or interests.

~~~
exolymph
Hell yeah, OPSEC!

------
epx
I uninstalled FB from my phone because it cut the battery life in one third,
even if not used at all. One can imagine how busy it was behind the curtain to
need all these joules...

------
scottlegrand2
So I was trying to remember the buff old guy from Avatar, Stephen Lang. Once I
found him, I noticed that I am suddenly being recommended videos on YouTube
that include him.

Okeydokey, machine-learning, moving on.

------
nathanken
I've disabled auto update for all apps on my Android. However, Facebook and
Messenger still update automatically. This itself raises suspicion of
Facebook's control over my phone.

~~~
aylmao
1. Some big features in Facebook/Messenger already exist in the app, and are
just enabled/disabled remotely. This is pretty common in most big apps, it's
how they can control rollouts. For example, the Snapchat design update: not
everyone got it at the same time because the code was living in the app and
they gradually enabled it for each user.

2. Wouldn't surprise me if part of the app were heavily reliant on things
that can be updated remotely. Chunks of big apps will sometimes be just views
fetching some web components. Facebook created React Native, and iirc it can
be updated dynamically, like a web site.

When you have lots of people working on an app you have a high probability of
introducing bugs. I worked at a company that shipped a faulty update; it
looked OK to users, but it was essentially DDoS-ing the servers. Having to
wait for the App Store to approve your app to fix things like that is annoying
and costly, so people tend to look for alternatives.

------
ntxy
"How to limit the amount of data Facebook and advertisers are collecting about
you"

on wsj.com privacy badger and ublock origin go apeshit..

------
matthberg
[http://archive.is/iCnWG](http://archive.is/iCnWG) non paywalled link.

~~~
skjerns
thanks!

------
halayli
I have a suspicion that at least Instagram is listening. I started saying
words that I've never looked up in the past, nor have I ever seen an ad related
to them like 'dog walker', 'babies'.. and over the course of minutes I started
seeing ads for both. Not sure how to explain this.

------
vadimberman
> Facebook works directly with six data brokers, all of which allow you to opt
> out from their sharing of your personal data, everything from your email to
> your purchase history.

And that sort of explains everything.

I kept wondering how the info that I keep to the Google-verse (search, Gmail)
makes it to Facebook. Now I know.

Does it mean that Google collaborates with these data brokers? While it
doesn't harm them directly, it seems like a myopic thing to do, arming a
company that may undercut your sole major source of income. Yes, I imagine
they take it directly from the device, but doesn't Google have control over
the Android internals?

Also, I am in a somewhat unique position. Being a Microsoft zealot, I still
carry a Windows phone (v8.1) with slowly dying services. I almost don't use
Facebook yet I still get these too relevant ads, mostly according to what I
google on my desktop.

~~~
gvurrdon
How much use do you make of Bing, if you don't mind me asking? Is it a case of
mainly using it (as you are a Microsoft fan) but occasionally needing to refer
to a Google search?

~~~
vadimberman
I am more used to Google which I use on the desktop, but when on the phone, I
use both interchangeably.

When it comes to the US and global content, there is virtually no difference
in the results. Google is much better in the local content and the knowledge
graph results though, as well as the maps. Video search is better in Bing.

------
foobaw
It's simply impossible for FB to record audio.

When I worked in the OEM industry, there were rigorous standards and
compliances that had to be met to ship our phones. If an app was invoking
audio recording without the proper permissions, this would be a huge red flag.
Google would never approve the phone to be shipped as it would be breaking
their CDD.

Also, if audio data was being transmitted using some obscure APN that does not
use mobile data or Wi-Fi, OEMs could still easily detect these from the modem
side, no matter how encrypted the data is. After all, the app is still JUST an
app, in the system folder with all the other apps like Candy Crush. Unless
this specific audio recording feature was built into the Android framework, I
will say it is 100% impossible.

Note: this is just for Android. I have no idea how iOS works.

~~~
mkonecny
> It's simply impossible for FB to record audio.

You should check your sources again - that statement is false.... You only
have to look at the release notes from the dev preview on Android P today to
see that it was possible for any background app to access the camera and
microphone at _any_ time:

[https://developer.android.com/preview/behavior-changes.html#...](https://developer.android.com/preview/behavior-changes.html#all-apps)

> Android P strengthens privacy by limiting the ability of background apps to
> access user input and sensor data. If your app is running in the background
> on a device running Android P, the system applies the following restrictions
> to your app: Your app cannot access the microphone or camera.

~~~
foobaw
It says that apps in the "background" cannot access user input and sensor
data. This means that even if the app gains permission in the foreground, it
won't have access when the app is running in the background.

Note that this use case was extremely rare anyway, but I know Google did this
simply to ease people's minds (I know several people on the Android framework
team).

~~~
mkonecny
Ooops, I misread your message. You are stating they can't access your
microphone without the permission - I'm not refuting that

------
ShorsHammer
For all the perhaps unfounded paranoia here and elsewhere, still yet to see a
major manufacturer offer hardware camera/mic switches.

Call me cynical but surely there's some top-down pressure about adding a
simple $0.07 component to $1000+ devices.

------
cryptonector
Step 1: don't use Android. Step 2: don't use smartphones at all. Step 3:
black-hole FB and others at your router at home.

I personally skip step 2 because I'm addicted to being able to quickly search
for things, read blogs. But even so: a) don't login to any websites, b) clear
website data often, c) minimize use of apps, d) recall that when you browse
the web from an app you're using the same cookie jar and other state as the
main browser, and that you're letting the app track you.

~~~
paulie_a
I think this is the exact opposite approach to take, it is a cat and mouse
game to avoid being tracked, and you will always be the mouse.

If anything, go out of your way to ruin the creepy tracking, analytics and
bullshit metrics. Add as much noise as possible to their databases.

------
dav43
Signed up for Facebook Workplace trial and let it expire. They’ve now shared
our details with third party implantation consultants who are approaching us.
Not great.

~~~
jaaames
I know that's a typo, but let this comment age a few years and it may not be.

------
habosa
I work at Google and I'm a long time hobbyist Android developer. I have a lot
of non-technical friends ask me about this.

What I always say is that this would not be possible. To constantly listen for
audio, process it, and upload the results would use so much data and battery
that you'd notice. Only a plugged in laptop/desktop could get away with this.

Am I wrong? Would it even be technically feasible for Facebook to listen all
the time?

~~~
sattoshi
"OK Google" seems to handle it.

~~~
habosa
I'm pretty sure it's optimized to listen for a single hotword and then
initiate the network connection to process what comes next.

What people accuse Facebook of doing would require constant processing of the
audio stream for random interesting tokens. Either process on device and then
send metadata (more battery, less network) or send the raw stream and process
on the server (less battery, more network).

------
jokoon
I have an Android 6, from Archos, which is relatively clean in terms of vendor
layer.

I regularly go in the storage part of apps, and despite the fact that I don't
use many apps, they still manage to generate megabytes of data, which are not
cleaned by the "clean cache" functionality.

I'm not using it for texts and calls, I only use it with wifi, but still, I
have low trust in the Android ecosystem.

------
zamber
NetGuard
[https://play.google.com/store/apps/details?id=eu.faircode.ne...](https://play.google.com/store/apps/details?id=eu.faircode.netguard)
allows for blocking traffic for apps per-domain and per-app.

AFWall
[https://play.google.com/store/apps/details?id=dev.ukanth.ufi...](https://play.google.com/store/apps/details?id=dev.ukanth.ufirewall)
patches iptables to block domains used by apps that are not allowed network
access.

I did Android QA for a VPN/Proxy app. Had to benchmark battery usage and
verify that we upgraded to SPDY properly. A lot of rooting, and tcpdumping.
Eventually we got a WiFi network set up by sysadmins that mirrored traffic to
one Ethernet socket. Plugged it in on a local SSH-accessible machine and I
could tcpdump the whole WiFi traffic without fiddling with devices.

Facebook and Instagram are awful network hogs. Both send a lot of packets
every 5-10s when the screen is on to Facebook's tracking domains.

I removed both and haven't looked back since I saw that.

Google and other tracking companies of course are not better, hence the apps
mentioned at the top.

This is not a viable solution long-term though. They will find ways to
eventually circumvent these restrictions.

Now I'm thinking about setting up the same thing I had at work at home, just
to see what kind of crap goes through my network daily.

You're on Windows 10? Guess what Microsoft does. Install Wireshark and check
for yourself how many MS domain hits you get. Not to mention HTTP traffic from
random apps and/or websites that circumvent privacy protection domain lists.

The implication here is that you're the product but not for that company or
another. You're for all of them, ISP included. The more crap leaks on your
network the more they know and sell.

As a side note, I have no idea why DNS traffic still goes in pretty much
plaintext...

Have you heard about tracking data exchanges?

The overall problem is that everyone is spying on you on multiple levels
because there's money to be made on profiling. Facebook just grabs the
headlines. Apps listening to you are scary but the fact is you don't have to
speak to be heard by them.
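
The "lot of packets every 5-10s" pattern zamber describes spotting on mirrored traffic can also be checked mechanically. This is an added example, not part of the original comment: it parses constructed `tcpdump -tt -n` text lines and flags destinations that one device contacts in regularly spaced bursts; the device IP, the documentation-range addresses and the thresholds are all assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample in `tcpdump -tt -n` text form (TCP detail abbreviated).
# Addresses are from documentation ranges, not real tracking hosts.
SAMPLE_CAPTURE = """\
1520448600.000000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 500
1520448600.050000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 1200
1520448600.080000 IP 203.0.113.10.443 > 192.168.1.23.51000: Flags [.], length 1400
1520448601.000000 IP 192.168.1.23.40000 > 192.168.1.1.53: 4660+ A? tracker.example. (33)
1520448602.000000 IP 192.168.1.23.52000 > 198.51.100.7.443: Flags [P.], length 100
1520448604.500000 IP 192.168.1.23.52000 > 198.51.100.7.443: Flags [P.], length 100
1520448606.000000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 500
1520448606.050000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 1200
1520448613.000000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 500
1520448613.050000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 1200
1520448619.000000 IP 192.168.1.23.52000 > 198.51.100.7.443: Flags [P.], length 100
1520448620.000000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 500
1520448620.050000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 1200
1520448622.000000 IP 192.168.1.23.52000 > 198.51.100.7.443: Flags [P.], length 100
1520448628.000000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 500
1520448628.050000 IP 192.168.1.23.51000 > 203.0.113.10.443: Flags [P.], length 1200
1520448641.000000 IP 192.168.1.23.52000 > 198.51.100.7.443: Flags [P.], length 100
"""

# Matches TCP lines only; the DNS line above has no "length N" and is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*length (?P<len>\d+)"
)


def parse(capture, device_ip):
    """Return {"ip:port": [(timestamp, length), ...]} for packets sent by device_ip."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m["src"] == device_ip:
            flows[f'{m["dst"]}:{m["dport"]}'].append((float(m["ts"]), int(m["len"])))
    return flows


def burst_starts(packets, quiet_gap=1.0):
    """Collapse packets less than quiet_gap seconds apart into one burst."""
    starts, last = [], None
    for ts, _ in sorted(packets):
        if last is None or ts - last > quiet_gap:
            starts.append(ts)
        last = ts
    return starts


def find_periodic(capture, device_ip, min_bursts=4, max_jitter=0.35):
    """Flag destinations contacted in regularly spaced bursts (low interval jitter)."""
    findings = {}
    for dst, packets in parse(capture, device_ip).items():
        starts = burst_starts(packets)
        if len(starts) < min_bursts:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean  # coefficient of variation
        if jitter <= max_jitter:
            findings[dst] = {
                "bursts": len(starts),
                "mean_interval_s": round(mean, 1),
                "bytes": sum(length for _, length in packets),
            }
    return findings


if __name__ == "__main__":
    for dst, info in find_periodic(SAMPLE_CAPTURE, "192.168.1.23").items():
        print(dst, info)
```

Regular spacing alone does not identify a tracker (push notifications and keep-alives look similar), so the flagged destinations are a shortlist to resolve and inspect, not a verdict.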

------
newnewpdro
Am I alone in being horrified by the reality that many people today consume
most if not all of their news and entertainment holding a camera and
microphone on proprietary communication systems running software controlled by
the same entities producing the content?

How is this not the greatest threat to democracy in the entire history of
democracy?

~~~
jadedhacker
It's just another step in the long slow boiling of the pot. The mass media
already are nearly uniform in their interpretation of events with the
exception of how they inflame cultural grievance. The American public is the
most heavily propagandized in the world.

[https://medium.com/@caityjohnstone/no-there-will-not-be-any-...](https://medium.com/@caityjohnstone/no-there-will-not-be-any-civil-war-in-america-e7b76b9d8e09)

Edit: removed a section of this comment because it seemed too much to me.

~~~
distances
> Here's an example of someone that has encased himself inside of corporate
> propaganda so completely that it physically surrounds him at work, at home,
> and even his inner thoughts:

Interesting piece, but was the rent of that place $4800 per month? How does
that make any sense?

------
bitwize
This is why I like Caffè Nero's loyalty cards. They are little pieces of
cardstock with nine coffee cups printed on them. You get a stamp every time
you order. Once all nine cups are stamped, redeem the card for a free coffee.
There's no PII on the card and your name isn't going through an additional
computer (on top of the standard 17 a day, per Cereal Killer).

More places should do this.

~~~
tomcooks
This is the kebab shop business model in Europe, is it really that rare to
find simple loyalty cards with stamps where you live (assuming USA)?

~~~
bitwize
This is the USA we're talking about, where if an unethical way to wring out
more dollars doesn't have a law explicitly forbidding it (and there are
laughably few such laws here), it WILL be used against you.

I know of a few places that have simple stamp loyalty cards. Oftentimes they
are mom and pop shops, or chains still finding their footing. Most cards are
electronic and want a name and phone number associated with them.

~~~
marnett
App loyalty cards, while still having some information on you, are largely
about large merchants (i.e. Starbucks) avoiding credit card interchange fees by
giving rewards for people who load money to the app and purchase from there.

So, all incentives are not against consumers. The merchants avoid the credit
card oligopoly fee and pass on the rewards to consumers.

~~~
EADGBE
Avoiding a credit card processing fee could be done the same with a punch
card.

~~~
marnett
By having a punch card and forcing customers to use cash? While cash is making
a comeback in many places, there are still plenty of potential customers who
would not buy if cash was required.

~~~
EADGBE
I wasn't aware a punch card was "cash-only".

~~~
marnett
At this point I think I am unaware what a punch card is. I was assuming a card
that gets punched each time you visit a place, and after N punches you get an
item for free. Is that right or totally off?

~~~
EADGBE
Lol! Yes. I think we're both confused. Let's just leave it.

------
k3a
GNU founder Stallman has a big page with many other reasons against using
Facebook. You should read it too..
[https://stallman.org/facebook.html](https://stallman.org/facebook.html)

------
debt
It seems to be pretty basic. They access the photos within the photo library
and the location of the device (both of which you've most likely granted
Facebook to access).

FB then cross reference with any other devices nearby and any identified
objects within the photos are cross referenced with their ad inventory.

------
thiagocsf
I find it hard to take this article without a truckload of salt, given the
Wall Street Journal is owned by News Corp.

Murdoch has money to make by gaining leverage over FB.

I haven’t had a Facebook account in almost 4 years and I block their traffic
on my router, so I have no love for them. But I seriously doubt this story’s
motives.

~~~
spinchange
FWIW (admittedly not very much, anecdotally from another rando HNer) The
newsroom side of the Journal is among the vanguard of quality journalism and
has largely remained that way post-Murdoch. The editorial pages on the other
hand are extremely opinionated and seemingly in a completely different reality
than the newsroom.

------
sinemetu11
On desktop I use a custom hosts file redirecting all Facebook and Instagram
traffic to localhost. Can the same be done on my iPhone?

A "like" or "instagram this" widget is all they need to track basically
everything you do even if you don't have fb.

------
akkartik
Already said a few months ago:
[https://www.wired.com/story/facebooks-listening-smartphone-m...](https://www.wired.com/story/facebooks-listening-smartphone-microphone)

------
jackjeff
I find it amazing that people even notice. I don’t have an ad blocker on all
my browsers, and except for YouTube and interstitial ads that Chrome will soon
block, most ads are simply not registered by my brain.

~~~
zxcb1
Are you sure? Everyone says that they are “immune” to advertising (or
propaganda), and yet here we are where the collective result shows that it
works, surprisingly well too. Another theory could be that people just get the
causal order wrong:

ad display => subconscious influence, nudge => eventual product purchase,
mention etc => recognized ad => spooky feeling

~~~
jackjeff
Yes. I know it works. Why would these companies spend so much money if it was
not? And in addition they have good metrics to know which campaigns work. But
this flies in the face of my personal experience... Aside from YouTube, I
can’t remember when was the last time I saw an ad and what it was. Must have
been weeks ago.

------
username223
> I keyed in my phone number so I could get loyalty points.

Do this: lie. 234-567-8901 works at a lot of US stores. Sometimes you can even
use it for gas discounts.

~~~
EADGBE
I prefer 867-5309.

------
kylelibra
What is Facebook going to do about GDPR?

------
madmax96
Honest question:

If this behavior disturbs us so much, why does anyone continue using Facebook?

~~~
lucozade
I'd suggest it's because 'us' is a very small, and not exactly unbiased,
sample of 'anyone'.

------
aussieguy123
I just revoked the location permission on Android, Facebook's app still works
fine

------
megamindbrian2
I wish they would disable distractions while driving.

~~~
mmariani
It’s really too easy to tap the “I’m not driving” button. We have a global
cell-phone-use-while-driving epidemic going on that’s taking way too many
innocent lives. I wish tech companies would start sharing phone use data while
driving. That’s when people will start to care about the lives of others and
the rule of law, the moment they see their premiums going up things will get
better rather quickly.

------
intrasight
The only "app" I use to access Facebook and other social media is a well
locked down browser. IMHO if you use apps, then you're a schmuck and a sitting
duck ;-) :-)

------
Karunamon
Similar Guardian article with no paywall:
[https://www.theguardian.com/technology/2017/nov/09/facebook-...](https://www.theguardian.com/technology/2017/nov/09/facebook-spying-on-you-microphone-creepy-data-conspiracy-theories)

That said, this is a quite silly conspiracy theory. Believing the "recording"
theory requires you to believe that Apple and Google both are in cahoots with
Facebook to give them a rootkit-like API for mic and location access that
override all of the OS-level controls and warnings about when that hardware is
in use, and hide it from the data and battery usage stats on the phone.

This API, when (not if) found, would be a watershed moment for privacy
legislation directed at all three companies. Little to gain, potentially the
whole farm to lose.

~~~
CaptSpify
> requires you to believe that Apple and Google both are in cahoots with
> Facebook to give them a rootkit-like API for mic and location access that
> override all of the OS-level controls and warnings about when that hardware
> is in use, and hide it from the data and battery usage stats on the phone.

You mean like when they gave Uber special access to grab screenshots even when
the Uber app wasn't running? Yeah, totally impossible to believe.

~~~
Karunamon
You mean the access that had a completely legitimate reason to be used and was
trivially located by way of reading the app's manifest files?

~~~
CaptSpify
I don't know of any access to record my screen that I didn't authorize that is
legitimate, so you must be talking about something different.

~~~
Karunamon
Let's can the snark. That access was only ever used for screen rendering for a
flagship app on a flagship device, temporarily.

------
ppbutt
Any other source or way to get around the WSJ paywall?

~~~
jf
The best way to get around the WSJ paywall is to subscribe to the WSJ

------
odammit
Paywall?!

I assume they are doing it through toilet cams.

Is this a rehash of the Reply All episode?

[https://www.gimletmedia.com/reply-all/109-facebook-spying](https://www.gimletmedia.com/reply-all/109-facebook-spying)

------
davidedicillo
1) FB doesn't listen to you. 2) Why are people getting so upset for seeing
relevant ads? Ads are what pay for many of the services we use for free, would
you rather see obnoxious irrelevant ads?

~~~
AlexandrB
In my experience most targeted ads are both creepy and irrelevant. It's quite
an achievement. After shopping for custom USB keys online I saw custom USB key
ads for _months_. Long after I had already found a supplier for them. The
experience is not unlike being followed around a mall by a really pushy
salesman after you glance at a toaster; because now he thinks all you want to
buy is more toasters.

If you bring this up with someone who works in adtech, the stock response is
that we need even _more_ tracking to fix it. It's like the adtech version of
"no true Scotsman".

Edit: That's not to mention what a huge waste of money this must be for the
client buying this ad space. After ordering something from an Adafruit-like
electronics shop, I saw ads for them around the web for quite a while. Often
trying to sell me the very thing I had just ordered.

How did I find them in the first place? Second or third page on Google search.

~~~
dllthomas
It's like there's an assumption of increasing marginal utility...

