
Unethical Growth Hacking from YayView - luu
https://lord.io/blog/2016/yayview/
======
rmc
And you wonder why the European Courts have started to strongly enforce the
right to data protection.

We in the tech world need to be honest, we're bad at privacy.

~~~
Mahn
See, I don't get this. Europe is acting as if it had a duty to protect its
people from the bad companies that steal your privacy while you sleep, whereas
in reality nothing happens if you don't explicitly give consent first. Don't
want Facebook to use your personal data to sell you ads? Don't put it on
Facebook. Don't want YayView to access your location at all times? Then don't
give it access to it, it's asking you right there, even if it's being shady
about it.

It's a little bit like if people had trouble using forks without stabbing
themselves, and the proposed solution was to ban all forks in the country.
Well perhaps more work should go towards teaching people how to use a fork,
since they can be useful for meals, rather than banning them?

Don't get me wrong, it's a shame that companies like YayView exploit dark
patterns to trick people into doing things they don't fully understand, but
let's not ban all the things because of it.

~~~
mcguire
Consent shouldn't necessarily be regarded as transitive. The problem in this
case isn't Facebook sending you ads, it is Facebook and other data sources
allowing others to correlate all data about you.

~~~
davb
> Consent shouldn't necessarily be regarded as transitive

I think you're on to something with this statement.

I'd feel much better if selling/transferring customer data was disallowed with
explicit consent from the user for _each_ company the data will be transferred
to.

[ ] I consent to Facebook storing and using my personal data

[ ] I consent to Facebook transferring/selling my personal data to people and
companies I add to my "friends list"

[ ] I consent to Facebook transferring/selling my personal data to Ad Tracker
Network Inc

[ ] I consent to Facebook transferring/selling my personal data to User Data
Broker Limited

With personal data being broadly defined to include anything that could
correlate activity with an individual user (tracking ID, session cookie ID,
name, location, etc).

I think the average person's understanding of how much they're being tracked
would drastically improve if they saw this list of (opt-in) checkboxes when
signing up to services.

------
natch
Searching for YayView on the app store, nothing comes up.

To find the app, search for these keywords:

    view meet your classmates

A possible connection to an app called Highlight is further indicated by the
fact that the AWS landing page for the View app contains the string
highlig.ht.

Any App Store user can report a problem with an app by first downloading the
app (no need to actually run it, and it can't do any damage without being
run), then visiting
[https://reportaproblem.apple.com](https://reportaproblem.apple.com) and
signing in. The app will appear at the top of the list of downloaded apps, and
next to the app is a "Report a Problem" button.

~~~
Flow
> no need to actually run it, and it can't do any damage without being run

How sure about this are you?

Some common apps like Hangout and Facebook misuse iOS features to run in the
background despite Background App Refresh being turned off, AFAIK.

~~~
jayvanguard
Up to iOS 7 at least, there was no way to run in the background without the
app being launched at least once. I haven't worked with the latest two
versions though.

------
spacefight
That is not only unethical, that is also illegal in some countries.

Also, this is the reason why you should have FB platform a) turned off and b)
disallow that your friends "bring your data with them when they use apps".

~~~
nyc640
For anyone curious on how to do this:

    1) Click the down arrow (▼) in the top right, then go to 'Settings'.
    2) Click 'Apps' in the bar on the left side.
    3) Click 'Edit' under 'Apps, Websites, and Plugins' then 'Turn Off'
    4) Click 'Edit' under 'Apps Others Use' and uncheck everything, then 'Save'.

~~~
Cub3
Thanks, just did this, really useful info :)

------
hboon
> How did it get his photos? Well, he has friends who signed up with Facebook.
> View scans its user’s Facebook friends for other students, and creates fake
> View profiles

I thought the Facebook API does not allow pulling the complete friends list
anymore. i.e. it excludes those friends that do not already have the
corresponding Facebook app installed, precisely to stop this tactic?

~~~
lgas
The API docs don't mention any such restriction:

[https://developers.facebook.com/docs/graph-api/reference/friend-list/](https://developers.facebook.com/docs/graph-api/reference/friend-list/)

~~~
fittom
> Friend list now only returns friends who also use your app: The list of
> friends returned via the /me/friends endpoint is now limited to the list of
> friends that have authorized your app.

source:
[https://developers.facebook.com/docs/apps/changelog](https://developers.facebook.com/docs/apps/changelog)

~~~
japaw
Maybe web scraping then? It would not be so hard to make a focused scraper
that scrapes the friends of anyone using the app.

Edit: I did a quick test and it looks like I can see the friend list of many
users that are not in my immediate network as long as I am logged in to
Facebook. It should then be easy to use something like Perl's WWW::Mechanize to
make a scraper that logs in and scrapes the profiles you want, as long as one
does not need so many that Facebook detects and bans you.

~~~
hboon
But I presume they don't have the users' passwords to login with.

~~~
japaw
No, they probably do not have the users' Facebook password, but they do not need
it for scraping, because they can just use their own user for that.

I have looked around on Facebook and it looks like one can see other users'
friend lists, even if you are not in their immediate network.

Even if Facebook has a limitation, like you can only see the friend list of
friends of friends, the company behind this app could probably make some fake
Facebook users and befriend someone at each university to get an ok coverage.

~~~
TeMPOraL
It depends on the privacy settings. Though the several iterations of privacy
scaremongering and Facebook changing defaults resulted in people locking up
their accounts like crazy, friend lists seem to still be visible semi-publicly
for quite a lot of people. With more news like that, this will probably change
too, though.

~~~
kuschku
> Though the several iterations of privacy scaremongering

I'd argue that this is another case which shows that the privacy
scaremongering isn't scaremongering, but the privacy issues are real.

~~~
TeMPOraL
It's totally a POV issue IMO, that's why I phrased it that way :).

For me, half of Facebook's utility was the ability to check people out
without having to commit to a relation with them first. A publishing platform,
a little bit like personal pages of old, but much more streamlined and
accessible to the mainstream. But it turned out there's enough bad actors
around (stalkers, marketers) that people voted against this, and so Facebook
is now a very locked down place. _I_ think most of those fears people have are
overblown, but well, that's only my opinion and it seems that most people
disagree.

------
trymas
<rant>

It's not the first time I will rant about this, but why use the word 'hacking'
here?

YayView sort of exploited the system by automatically creating users from
freely available data on the social networks, but is it 'hacking' per se? I
think that YayView is not a hacker company, and just a startup using very
unethical business tactics.

IMHO, the term `hacking` is used everywhere to raise `click-bait-itness`, no
matter whether it fits there or not.

</rant>

~~~
digbyloftus
Hacker in this context means someone who quickly and cheaply creates new
things, as in "it's hacked together". Like how we're on Hacker News, it's not
a security website, it's a website for people interested in startup news.
Growth hacking basically means any form of growth that doesn't come from a fat
marketing budget or traditional brand growing methods. I definitely think
their method counts.

~~~
TeMPOraL
I disagree. "Growth hacking" refers to "hacking" as in "the thing programmers
do that makes them oh so important in the XXI century". It's marketers doing
collective "me too", they want to bask in the same glory, capture some of that
positive halo that was created by IT companies that diluted the meaning of
the word "hacker". The word that itself doesn't mean much anymore within the
commercial world.

~~~
digbyloftus
Plenty of what programmers are doing isn't hacking. A team of top CS men
making some process in Google 0.1% more efficient doesn't seem very hacky even
if it results in oodles of profit. What's more is this type of marketing is
very much the result of hacker programming. Scraping social media profiles and
then automatically email spamming the recipients is a system that was
programmed, they aren't manually doing it (I hope!).

~~~
TeMPOraL
Of course! Most programming, and especially most professional programming, has
nothing to do with hacking. It's a different culture. But it's also a totally
different culture to what "growth hacking" is doing to marketing. Astroturfing
the hell out of your service doesn't make you a hacker. It makes you an
unsophisticated asshole.

~~~
digbyloftus
I mean, if all you do for a living is email spam then I wouldn't call that
hacking, but seeing as this is a programming based startup and the marketing
attempt required programming skill, I'm imagining this was put together by the
same guy/guys that are on other days making new product features. If slapping
together a marketing scheme that quickly lets you reach a lot of people
without you needing to spend a lot of time optimising or upkeeping it isn't
hacking then I just straight up don't understand how the day setting up a new
feature and a day setting up the new spam bot are different conceptually.

I don't think being an unsophisticated asshole and a hacker are mutually
exclusive. Plenty of hacking is unsophisticated and most people are assholes,
hacker or otherwise.

------
coldcode
This app also violates numerous App Store rules, but getting Apple to do
something about it takes an act of Congress. Still you hope someone at Apple
reads Hacker News.

~~~
natch
Fortunately, in case Congress is out of session, they do have a URL that can
help: [https://reportaproblem.apple.com](https://reportaproblem.apple.com)

------
sidcool
This reminds me of an app that made reservations on your behalf in restaurants.
The unethical part was that it made fake reservations beforehand (with fake
names) and then auctioned the name.

------
bakhy
totally unethical, i agree. the part about the investment really surprised me.
do investors have a responsibility to study the legality of that which they
are supporting with their capital?

~~~
mathgeek
> do investors have a responsibility to study the legality of that which they
> are supporting with their capital?

Perhaps, but we all know there is plenty of money to be had for a company that
toes the line in terms of legality. "This may be illegal" is not the same as
it being so.

~~~
TeMPOraL
_Especially_ that throwing investor money at lawyers to ensure laws aren't
enforced can be sometimes a viable strategy for a company trying to disrupt an
existing market - like, say, transportation.

------
jv22222
I guess a good term to describe this is - dark hat growth hacking.

------
richerlariviere
I would be curious to capture all the network requests done by this app. Maybe
we didn't see all the iceberg.

------
the_watcher
Won't View just get their Facebook authorization yanked now that this has come
out? This is sort of a worst use possible in terms of disclosure and user-
privacy to Facebook.

------
EGreg
"View scans its user’s Facebook friends for other students, and creates fake
View profiles that anybody can edit, "

"This is never disclosed to the user"

I thought that the Facebook API no longer exposed ANY friend info to apps,
without special permission that the user grants! And that permission has to be
reviewed by Facebook.

------
chris_wot
If any Australians get caught up in this, I sure hope that YayView or their
parent company don't have an Australian side to their business. One call to
the Australia Privacy Commissioner, and they're toast.

------
quantumpotato_
Well, that's what happens when you use Facebook..

------
ericflo
Other than creating profiles for users that didn't sign up, which is over the
line, the rest of this seems like just solid product marketing and user
onboarding.

~~~
zazpowered
What about email spam?

~~~
mintplant
Indeed. I'm no lawyer, but isn't this likely a violation of the CAN-SPAM Act?

~~~
corobo
Also not a lawyer (and in the UK) - I tried to dig out a loophole for example
"Your friend technically sent the message to you not us!" sort of thing

But no, as a layman I can't see how this is getting by the CAN-SPAM Act. It
doesn't give you the option to not send it and sends it anonymously. From the
recipient point of view it's just a random unsolicited email. I guess it's one
of those it's easier to ask forgiveness than permission things.

My guess is the moment someone with potential legal clout challenges this the
invites will be changed to a "Do you want to invite your friend yes/no" system

------
pmcgrathm
It is surprising to me that this feels so negative to you. Every large social
tech company - Facebook, Linkedin, Twitter, Groupon, LivingSocial (RIP),
Tinder - have all used tactics similar to what you label 'dark patterns' to
bootstrap their businesses.

If I am building a network driven product like a dating app or social network,
you better be damn sure that it is going to be using 'growth hacking'
(read:scraping) methods to increase the viral coefficient per user.

Would it also be news to you if I told you that 719 singles in your zip code
did not, actually, want to see you tonight?

~~~
MereInterest
And no matter how big LinkedIn gets, I will not forgive them for spamming me
five years ago when they were just starting. It was unacceptable then, it is
unacceptable now, and it informed me right away that they are not the sort of
company that I want to interact with.

~~~
jacquesm
And, more importantly, it is a company that you do not want to ruin _your_
contacts' view of you.

