
Facebook gave Spotify and Netflix access to users’ private messages - staz
https://www.theverge.com/2018/12/18/18147616/facebook-user-data-giveaway-nyt-apple-amazon-spotify-netflix
======
dang
[https://news.ycombinator.com/item?id=18712382](https://news.ycombinator.com/item?id=18712382)

------
Puer
1) This is just a duplicate of the NYT article already on the front page

2) NYT seems to be intentionally not elaborating on the "access to users' private
messages" part and conflating app permissions to actually scanning, parsing,
storing, deleting, modifying individual messages. Until disproven, it sounds
like these are just standard app permissions needed to implement functions
like song sharing in Messenger chat (in the case of Spotify), or sending
payments over chat (in the case of RBC).

This is disappointing journalism, to be honest. FB has done a lot of bad
things and they deserve the negative press, but it does seem like NYT has some
kind of personal agenda against the company and they aren't afraid of
exploiting the tech ignorance of their readers to accomplish that goal.

This is like publishing "Popular privacy extension uBlock Origin 'Accesses
your tabs and browsing history'". Yeah. Because it needs those things to
function:

[https://github.com/gorhill/uBlock/wiki/Permissions](https://github.com/gorhill/uBlock/wiki/Permissions)

Anyone who's ever written an Android app or a Chrome extension should see
right through this sensationalism.

~~~
catacombs
> FB has done a lot of bad things and they deserve the negative press, but it
> does seem like NYT has some kind of personal agenda against the company and
> they aren't afraid of exploiting the tech ignorance of their readers to
> accomplish that goal.

To say The New York Times and the multiple reporters covering the Facebook
scandals all have a personal agenda to make Facebook look bad is delusional.

The scandals started with Facebook, and the NYT, as well as other news
organizations covering this story, are there to write about it.

Moreover, the Times spoke to nearly 60 current and former employees. You'd
think if they had an agenda they wouldn't talk to that many people to
corroborate the facts.

If the paper wanted to do a "hit piece," they'd just grab one of their
columnists to write it and slap OPINION at the top of the story. A reminder
for some people: Opinion is not the same as News. They are different
departments that, in most newsrooms, do not dip in each other's work.

The Times' investigations team is one of the best in American journalism. I
highly doubt the editors would publish a story as a middle finger to Facebook.
If you think otherwise, I welcome specific examples of agenda-pushing
stories, with exactly the thing they're pushing out that benefits them and not
the public.

Again, the scandals started with Facebook, and they're out now for everyone
to see.

The old saying goes, "Don't do anything that you wouldn't want published on
the front page of The New York Times."

~~~
stickfigure
"Facebook gave your personal information to Netflix/Spotify/etc without your
consent" is a scandal.

"Facebook gave your personal information to Netflix/Spotify/etc when you
installed their app and approved the permission request" is NOT a scandal.

The NYT article makes it sound like the former, not the latter. This is either
incompetence or malicious intent.

~~~
paganel
> "Facebook gave your personal information to Netflix/Spotify/etc when you
> installed their app and approved the permission request" is NOT a scandal.

It is definitely a scandal, 99% of the users generally approving
TOSes/permission request screens (including myself) have no idea what's in
there, we generally rely on the goodwill of the companies that wrote out those
TOSes/permission request screens.

~~~
catacombs
Agreed.

This tweet about the issue with TOS sums things up nicely:

"If you were to describe a contract that

- no one has read

- it doesn’t matter if you read because you can’t bargain over the terms

- can be unilaterally changed at any time

- does not explicitly describe the consideration you provide (data!)

You’d fail your 1L contracts class"

~~~
stickfigure
Nonsense - these are not 10-page EULAs we're talking about. The permission
dialogs are clear and explicit about what they will share and who they will
share it with. And you always have the option of _not installing the app_.

~~~
paganel
Did that message explicitly say "we are going to give access to your private
messages to external companies like X, Y, Z" or was it a more convoluted
message like "Facebook has direct access to your private messages (of course
it has, I'm on FB, ain't I?) and as such it might process your private data
with another external entity"?

Either way, many, many of the users would have clicked OK on the confirmation
screen even if it had said something like "Facebook is going to sacrifice your
first-born child", that's why hiding behind confirmation screens/TOSes when
doing nasty stuff like what's described in the article is not enough.

~~~
stickfigure
When you installed the Spotify app, the message said "This will share your
messages with Spotify".

You get similar messages when you install most mobile apps. What exactly are
you looking for? If you want to install apps, and the apps are going to do
anything useful with data, you need permissions.

_nasty stuff like what's described in the article_

This thread is about how the article is false and misleading. You can't use
the article to justify the article.

~~~
paganel
> You can't use the article to justify the article.

What I'm saying is that giving access to FB private messages to entities
outside of FB even with apparent user consent is not ok. Yes, I received that
information from the article, but even if I had heard it from a neighbor down
the hallway I would have thought the same thing.

> You get similar messages when you install most mobile apps. What exactly are
> you looking for?

I'm saying those user consent messages don't absolve FB or any such entity of
anything when it comes to them sharing private user data with third-parties.
I'm looking at them to not share private messages with 3rd party entities,
even if that stands against some of the "usefulness" you mention.

------
petermcneeley
"Giving Spotify, Netflix, and the Royal Bank of Canada the ability to read
users’ private Facebook messages."

It's RBC that is the interesting one here. Did anyone think we would live in a
world where your bank has the ability to read your private messages between
your friends?

EDIT: Puer mentions below that this might just be a permissions issue and it
doesn't mean that they actually read your private messages.

~~~
agglomerative
And what, pray tell, were they checking up on?

My gut is telling me it wasn't just about prospective credit worthiness
analysis or placing advertising for retail products and services.

Maybe debt collection and finding new ways to hunt down delinquent loan
recipients? What else?

~~~
Puer
They needed those permissions to allow for sending/receiving of payments over
Messenger. NYT is being intentionally misleading with what "permissions" mean
here.

~~~
IfOnlyYouKnew
They had access to those messages. That is what they wrote, and it is entirely
correct.

Nowhere does the article say they used that access in improper ways. The
accusation isn’t that your neighbor stole money from your bank account. It’s
that your roommate gave them your card and pin, without your consent or even
knowledge. If you draw conclusions the journalists consciously did not make,
that’s your error in reasoning, not theirs.

To then claim insights into the thought process of an action that did not
happen, i.e. your accusation of intent, just heightens the absurdity.

~~~
Puer
News organizations as established as NYT understand the weight of their words
because every single one is scrutinized by a board of editors.

"Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read,
write and delete users’ private messages, and to see all participants on a
thread — privileges that appeared to go beyond what the companies needed to
integrate Facebook into their systems, the records show."

I find it highly unlikely that these companies actually had the power to
delete individual users' private messages. There's a distinct difference
between needing general read/write permissions so that Spotify can insert a
song into your message and Spotify actually having the power to delete your
individual messages, read them, or write them on your behalf to their fullest
wishes.

I claim "intent" because how an article will be interpreted, especially for a
story of this scale, is no accident. Hacker News has a much more tech literate
population than the NYT's general readership, and yet even here there are
people misunderstanding what permissions Spotify, Netflix, RBC actually had
because NYT framed the information to be interpreted that way.

~~~
ryanmonroe
So it sounds like your complaint is not that they are being misleading, but
that they made factually incorrect statements. Do you have any reason to
believe that statement is incorrect other than "I find it highly unlikely"?

~~~
Puer
I apologize if my argument wasn't clear enough. My issue isn't that they
aren't being factually incorrect, it's that they're seemingly using "facts" to
be misleading.

Example: Saying Spotify has full editorial control over your messages is a
very different narrative from "If you connect your FB account to Spotify, you
can then send FB messages to your friends from Spotify's desktop app."[1] In
one, the implication is that Spotify as a company somehow has the power to
directly modify a user's private message. In the other, the user has the power
--through Spotify's app--to modify their own private FB messages.

NYT is being factually correct with their reporting, but they're also being
misleading, and my argument is that at a news organization of their size and
stature this is no accident. Just read the comments from their readers and
you'll quickly see how many of them are misinterpreting the above information.

[1] [https://newsroom.fb.com/news/2018/12/facebooks-partners/](https://newsroom.fb.com/news/2018/12/facebooks-partners/)

~~~
detaro
The latter includes the former, unless there's specific safeguards in place?

I think that's the crux of it: what communication/disclosure has to happen
around granting a company access level X, even when they only hold it to
implement feature Y which doesn't do all the bad things you could do with that
access level, and who gets trusted with that and who doesn't? (I haven't seen
the details of the precise example, so I don't have a detailed opinion on it,
but would like to note that a design process aiming to reduce this exposure
would maybe have removed or restricted the ability to _read_ messages,
allowing only to send recommendations or only read responses to sent
recommendations)

~~~
Puer
Well in the latter the user specifically gives permission to Spotify when they
_choose_ to connect their FB account to Spotify's desktop app. NYT's wording
makes it sound like they have unilateral control regardless of user consent.
You can revoke Spotify's access whenever you want from your FB account
settings.

~~~
detaro
I haven't seen the specific prompts - if anyone has good info on them I'd like
to see it.

Facebook in their response to this says:

> _Did partners get access to messages?_
>
> _Yes. But people had to explicitly sign in to Facebook first to use a partner’s
> messaging feature. Take Spotify for example. After signing in to your Facebook
> account in Spotify’s desktop app, you could then send and receive messages
> without ever leaving the app. Our API provided partners with access to the
> person’s messages in order to power this type of feature._

What does _explicitly sign in_ mean here? For a while, signing in with
Facebook was the only way to create a Spotify account, and _sign in with X_ is
a common pattern in apps for authentication purposes only. Did it explicitly
ask for permission? (what permissions?) Could you use your Facebook-bound
Spotify account without granting this permission? I wish both sides in this
would publish _screenshots_...

------
lourenchord
So basically all of silicon valley is colluding together. Maybe it is time to
regulate them and break them up.

~~~
justaman
I think the major tech companies should be broken up. However it's not 1982
anymore. The global market (mainly China) threw a monkey wrench into the system.
If you break up Google, that's mostly to the benefit of the CPC which will
result in a market that's potentially worse than the one we have now.

~~~
ardy42
> If you break up Google, that's mostly to the benefit of the CPC which will
> result in a market that's potentially worse than the one we have now.

[https://www.nytimes.com/2018/12/10/opinion/facebook-china-tech-competition.html](https://www.nytimes.com/2018/12/10/opinion/facebook-china-tech-competition.html):

> Don’t Fall for Facebook’s ‘China Argument’

> America’s global dominance in technology requires fierce competition at
> home, not the coddling of monopolies.

Also, the Great Firewall is a massive trade barrier, which I think would
justify trade-retaliation against the companies protected by it if they
somehow gained ground in the US due to domestic tech-company regulation.

~~~
nindalf
How would trade retaliation even work? Software isn't that straightforward to
tax. For example, say you have 2 video games, one of which is Chinese owned (say
League of Legends), the other is American owned (say Dota 2). Tell me what
justified trade retaliation you would use to promote one over the other? Would
you add a $0.01 tax to cosmetics?

You can't do it. Of course it doesn't matter to the CPC what Tencent does with
this game, because games are inconsequential. But if this wasn't Tencent's
LoL, but rather WeChat we were talking about? At that point CPC policies,
including censorship will be applied by Tencent. And what "trade-retaliation"
will you use then?

------
kbos87
I have a problem with the way NYT is reporting on this whole thing. The most
egregious-sounding parts of this (e.g. giving Spotify and Netflix the ability to
read your messages) sound like they were entirely tangential to what those
agreements were all about. It’s definitely something Facebook should be
getting heat for, but there wasn’t some colluding agreement to let RBC mine
their customers’ messages, as NYT makes it sound.

~~~
IfOnlyYouKnew
Where does it say that RBC was mining customers’ messages?

And how do you know they did not, when apparently they don’t care enough about
users’ privacy to even inform them, and continued said practice even after
getting lots of uncomfortable questions?

~~~
kbos87
They don’t need to say it. The way the headline reads and the story is
architected is designed to hook readers by implying the worst.

~~~
IfOnlyYouKnew
So you’re now just making stuff up, then accusing the New York Times of lying
to you?

------
gdfasfklshg4
Ironic that the site hosting this article does not give a real opt out to
intrusive tracking (their privacy policy refers you to your browser's help menu
to learn how to block their cookies!).

Is this GDPR compliant?

------
jonathanehrlich
(disclosure: I used to work for FB). This article left out words like
"publicly available information" and "user consent". Why?

~~~
IfOnlyYouKnew
Yes: why? Or better: what. As in: what are you trying to tell us? That private
messages are publicly available information, anyway? Or friends list, when set
to private?

But to fulfill your yearning, the original NYT report mentions “consent” 12
times: [https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html](https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html)

(Although two of those mentions are in the context of “consent decree”, which
arguably doesn’t make it look any better)

A taste:

 _“This is just giving third parties permission to harvest data without you
being informed of it or giving consent to it,” said David Vladeck, who
formerly ran the F.T.C.’s consumer protection bureau. “I don’t understand how
this unconsented-to data harvesting can at all be justified under the consent
decree.”_

~~~
jonathanehrlich
Nowhere in this article do they say users gave consent to have their
information shared, which they were required to do before such services could
be implemented. At best, that's bad reporting and misleading; at worst it's an
agenda.

~~~
IfOnlyYouKnew
I really don’t think you are doing your employer any favors by your
transparently obtuse attempts to misrepresent the actual content of the
accusations.

~~~
jonathanehrlich
I don't work for FB anymore. The content of the accusation leaves out two
critical pieces. 1. Users gave consent to share private information. 2. Only
publicly available information was shared with these partners. Those are pretty
important omissions in my opinion.

~~~
IfOnlyYouKnew
The article clearly says users did not consent. And even if they did, that
would presumably clash with your other assertion, namely that “only publicly
available information was shared”.

So I stand by my accusation that you are pretending to be stupid, because no
person working at Facebook would really be unable to find the accusation of
private data being shared in an article titled “Facebook gave Spotify and
Netflix access to users’ _private messages_”

------
cantthinkofone
My assumption, my hope really, is that FB gave away private messages in some
sanitized and anonymized manner, because Spotify and Netflix were happy to pay
for any insider marketing data they could receive about what relevant chat
histories have to say about music or movies.

NYT seems to be on the attack against FB out of some ideological motivation
but the details they are presenting leave out contextual information about
how the data was processed before it was handed off.

There's no question FB has been nothing but elusive and ink-spraying about
this whole set of ordeals. It's one level of uncomfortable if FB is simply
handing away sanitized data, it's another thing if you can just pay them and
they will give you all the private posts of any given user without any sort of
identity protection.

The fact of the matter is FB's terms basically allow them absolute possession
of whatever data you give them. So there is so much grey area and legal
ambiguity that it has been allowed to work with, especially in the US which
matters most for a US company.

Europe has come around to the concept of citizens' rights to their own data.
In some countries you can't even use websites unless they inform you they
store cookies. At the end of the day, it's your responsibility who you give
your data to.

~~~
bogomipz
> "NYT seems to be on the attack against FB out of some ideological motivation"

What ideology is that? The ideology of truth? The ideology of facts? The
ideology of accountability and transparency? The ideology that one of the most
powerful corporations in the world willfully failed to comply with a federal
consent decree? Or that they lied to Congress? You mean those ideologies? Did
you miss the entire news story about how FB was used to influence the 2016
election?

And as such it is very much a public interest story. And you want to suggest
that reporting on such a public interest story by a newspaper of record is "an
attack"?

------
kjar
FB selling users' private information again: I feign surprise. This is getting
old - It is their business model, what did you expect?

------
the_unknown
...and RBC still won't let me use Google Pay - I have to download their apps
and do tap-to-pay using it. Best part is that all my other cards are in Google
Pay so I'm constantly needing to switch the 'default' tap app because of this.

RBC - get out of the way!

------
korax
Here is a point that I think hasn't been raised yet:

You need consent from all parties messaging back and forth.

One party consenting to Netflix/Spotify/etc accessing your chat messages, is
not enough.

I would hypothesize, that they didn't only grant access when all sides had
consented, as the API was (supposedly) primarily used to share media with your
friends, something that's pretty innocuous and shouldn't require "chat message
read" access at all.

------
cryptonector
I wonder if Spotify and Netflix look at prospective hires' personal messages.
That would be something else.

That FB would give lots of user data to third parties is hardly surprising,
nor is it shocking. That they'd give private messages to third parties
(barring warrants) is shocking, though still not surprising.

------
0xmohit
Although Zuckerberg might refrain from calling users "dumb fucks" any longer,
it is evident that he continues to consider them so.

It shouldn't be surprising that such networks will continue to _monetize_
whatever they can.

> "They trust me — dumb fucks," says Zuckerberg in one of the instant
> messages, first published by former Valleywag Nicholas Carlson at Silicon
> Alley Insider, and now confirmed by Zuckerberg himself in Jose Antonio
> Vargas's New Yorker piece. Zuckerberg now tells Vargas, "I think I've grown
> and learned a lot" since those instant messages.

Source: [https://gawker.com/5636765/facebook-ceo-admits-to-calling-users-dumb-fucks](https://gawker.com/5636765/facebook-ceo-admits-to-calling-users-dumb-fucks)

