
Facebook’s Onavo Gives Social-Media Firm Inside Peek at Rivals’ Users - daenney
https://www.wsj.com/articles/facebooks-onavo-gives-social-media-firm-inside-peek-at-rivals-users-1502622003
======
irpapakons
It's ethically dubious that the advertised function of the app is a VPN to
"keep you and your data safe", while the reason it exists is so that all phone
traffic goes to Facebook.

This is not clear from the app description -- there is only a generic message
about monitored app use, to which users are so used as to not pay any
attention.

> "The app's privacy policy says it may share information with "affiliates"
> that include its owner, Facebook. "As part of this process, Onavo receives
> and analyzes information about your mobile data and app use"

> A Facebook spokesman said it is clear when people download Onavo what
> information it collects and how it is used. "Websites and apps have used
> market-research services for years," the spokesman said, noting that the
> company also uses outside services to help it understand the market and
> improve services.

Then Facebook can attack the competition by seeing in real time how usage of
competitive apps varies in response to new features and inform acquisition
decisions.

> Onavo's data paved the way for the purchase of WhatsApp for $22 billion.
> Onavo showed the messaging app was installed on 99% of all Android phones in
> Spain -- showing WhatsApp was changing how an entire country communicated,
> the people said.

~~~
teej
I once sat in on a pitch from an antivirus software company who was selling
the ability to look at the full browsing history of people who had visited
your website. You could see all of their searches, if they visited
competitors, and more. Most of the time I get annoyed by the FUD of "they're
selling my data!" but this was different. It was true and it was scary.

~~~
afandian
Why not name them?

~~~
devrandomguy
That would identify the GP to within a small group (the meeting). They
probably worked under an NDA.

It would be great if an unrelated leak were to happen, though.

~~~
teej
I'm not anonymous. You can identify me by going to my profile if you'd like.

To be completely honest, I don't remember. It was 2 years ago and I sit on
lots of these pitches. I remember pushing back on them about the methodology,
hearing how the sausage was made, and noping right out.

I want my team to be able to spend marketing dollars efficiently but I would
never compromise my ethics to do so. Luckily I work somewhere that I can give
a justified 'no' and keep my job.

~~~
javajosh
_> Luckily I work somewhere that I can give a justified 'no' and keep my job._

That is lucky! Where do you work?

~~~
softawre
> You can identify me by going to my profile if you'd like.

~~~
javajosh
Actually, I can't identify you from your HN profile. I guess I could google
your username or something, but I'm a little unclear why you wouldn't just,
you know, say where you work.

~~~
ucaetano
[https://news.ycombinator.com/user?id=teej](https://news.ycombinator.com/user?id=teej)

Currently - head of data engineering at Minted

------
samsolomon
A comment on the WSJ brings up an interesting point—if Zuckerberg were to run
for president, would he have access to this information? What else could he
have access to?

Given the amount of data Facebook has about everybody, I find that possibility
worrisome. It seems obvious that a campaign strategist could segment
individual states, regions and cities. They could target people based on likes
and interests. They could get very granular with messaging—advertisers can do
this through Facebook right now.

But what other information could be used that advertisers don't have access
to? Application usage, website visits, WhatsApp message keywords?

~~~
sethrin
Well, as I've read on this, there is good news and bad news. The good news is
that the best predictors of how you're going to vote are already public. Wait,
maybe that's the bad news. Either way, as you say one can already do very
granular advertising through FB already, but having more data is not
necessarily equivalent to having better information, and you're not
necessarily trying to market optimally to every potentially identifiable
segment. If you knew that peanut-related political ads played really well with
left-handed leftist lecturers in LA, you might still not consider that worth
taking action on. For most people things like age, income, education, party
registration, and parent's party registration are sufficiently predictive.

~~~
Method-X
This is about influencing people's _current_ bias. Preaching to the choir won't
win an election; changing the opinion of the opposition will.

------
LeoNatan25
This was a bad idea when the app was standalone—a no-name Israeli startup
snooping into all your traffic—and now it's spyware. This is one major (if not
THE) reason not to trust small startups with unclear privacy policies—they are
often bought in order to (ab)use the data they have collected and continue
abusing it from unsuspecting users. Terrible.

~~~
devrandomguy
So, as the first tech hire/partner, what can we do to protect our users?

- Expire non-critical data after 30 - 90 days, e.g. activity data, not
account data.

- When feasible, have the client encrypt the really private user data, only
store encrypted blobs on the server (Protonmail does this).

- Send out a positively worded, subtle email notice to warn the more savvy
users of a pending acquisition, as soon as that news is no longer private. Let
them disseminate the real sitrep on social media and in the news. We did build
a community, after all.

- Propose a data architecture update for great efficiency, in which redundant
and superfluous data is cleaned and aggregated, before the big handover.

Are there any other suggestions? I am particularly curious if the laws of any
one user's country could be used to complicate or thwart a bulk handover of
private user data to a new owner. Europeans, I'm looking at you for advice.

~~~
pdkl95
By far the most important protection you can provide is to bind your future
abilities with a "Ulysses pact"[1]. Cory Doctorow gave a great talk[2] last
year about how important it is to create these limitations when you _don't_
need them, because there is a good chance you won't be strong enough to resist
temptation when problems start accumulating. In some situations, it may not
even be your choice.

[1]
[https://en.wikipedia.org/wiki/Ulysses_pact](https://en.wikipedia.org/wiki/Ulysses_pact)

[2]
[https://www.youtube.com/watch?v=D8ukyKQuNmY](https://www.youtube.com/watch?v=D8ukyKQuNmY)

------
abalone
I'm glad WSJ followed up on their previous Onavo-Facebook story[1], but they
didn't go far enough. They still didn't investigate the claims in many app
store reviews of deceptive marketing that gets people to install this in the
first place, i.e. "Your phone is infected by a virus, install this now!!" And
yes, probably those ads can't be directly traced to Onavo/Facebook, but it's a
free app with no affiliate commissions so they're the only one with an incentive.

 _> A Facebook spokesman said it is clear when people download Onavo what
information it collects and how it is used. “Websites and apps have used
market-research services for years,” the spokesman said..._

This is such a bullshit, disingenuous statement. It is not at all clear how
Onavo uses your information. They have just one line in their description:
"Onavo receives and analyzes information about your mobile data and app use."
Here's why this is deceptive:

1. It is buried. It is the last line, below the "more..." fold so most users
don't see it. Something this privacy-invasive should have a prominent, clear
disclaimer at the top.

2. It is misleading. Even for the users that see it, they make no mention of
using your data for market research. They prominently advertise a feature that
reports on your overall data usage -- to _you_, the user. So this statement
is _just vague enough_ to imply that's what they're doing, without setting off
alarm that they're spying on your every move for their own purposes.

And then they have the nerve to equate it with "market-research services" that
everyone uses.. no big deal.. move along, nothing to see here.. What baloney.
Typical market-research services do not involve spyware that you trick people
into installing. Participants are supposed to know exactly what they're
participating in. That is clearly not the case with this deceptive, exploitive
app.

[1] Some previous discussion:
[https://news.ycombinator.com/item?id=14970877](https://news.ycombinator.com/item?id=14970877)

------
netsharc
Having Xposed and XPrivacy on my old phone, it's really interesting what
permissions apps request. For example FB Messenger requests the permission to
enumerate installed packages:
[https://wroot.org/posts/enumerating-android-installed-applic...](https://wroot.org/posts/enumerating-android-installed-applications-without-special-permissions/)

and IIRC also enumerates running tasks. So it's probably simple to do
analytics for the whole phone...

~~~
bogomipz
>"Having Xposed and XPrivacy on my old phone,"

I would be curious to hear your feedback on Xposed and Xprivacy. Also it
sounds like you stopped using them, maybe you could say why? Cheers.

~~~
netsharc
I now have a phone with Nougat, according to the Xposed developers, Xposed
doesn't yet work reliably with it. On Marshmallow it worked very well,
Xprivacy would show pop-ups when an app tries to do something, you can either
allow this, refuse this or allow/refuse for a period of time.

Otherwise, Xprivacy's UI is a bit of a pain, but it's usable...

~~~
krackers
Do you remember what the performance impact of xprivacy was? I'm currently
doing something similar with cyanogenmod's privacy guard + xposed app ops
which allows statically revoking permissions, but Xprivacy seems to have a
better little-snitch like ui

~~~
netsharc
I never really compared it with and without Xprivacy.

------
hedgew
This is obviously unethical. That it might not be illegal is our failing. They
provide false solutions to a fear that they themselves create.

What's next? Giving every child a free phone on their 13th birthday? They
already "gifted" the world's poorest with free internet. It's easiest to abuse
those who have the least power to fight back.

"By accepting this gift, you agree to our Terms and Conditions and Privacy
Policy."

------
wisepass
The same article from an alternative source
[https://outline.com/WnGGRk](https://outline.com/WnGGRk)

~~~
dublinben
If you prepend "facebook.com/l.php?u=" to a wsj link, it will let you read the
full article. Like so:

[https://facebook.com/l.php?u=https://www.wsj.com/articles/fa...](https://facebook.com/l.php?u=https://www.wsj.com/articles/facebooks-onavo-gives-social-media-firm-inside-peek-at-rivals-users-1502622003)

~~~
ballenf
How meta: a solution to let FB know that you're very motivated to read an
article about FB going to great lengths to snoop on user data!

Maybe that's the kind of data they need to reconsider their approach to
privacy.

------
pdog
How is Onavo a "data-security app" if it lets Facebook track everything you
do, including encrypted traffic?

~~~
lightbyte
They forgot to mention that the one being secured is Facebook, not the user.

~~~
jklein11
If you aren't paying for it, you aren't the user. You are the product.

------
yohann305
Now THIS is a glimpse of what could happen if internet service providers such
as AT&T or Comcast are allowed to snoop on traffic. This could happen in
large-scale if we don't keep an eye on internet data privacy. Let's stay
vigilant. Upvote to spread the word

------
greenwalls
App Annie purchased Mobidia in 2015 which has an app called "My Data Manager"
that is similar to Onavo. I think it is used in a similar way.
[https://techcrunch.com/2015/05/06/app-annie-acquires-mobile-...](https://techcrunch.com/2015/05/06/app-annie-acquires-mobile-measurement-service-mobidia/)

[http://www.mydatamanagerapp.com/privacy-policy/](http://www.mydatamanagerapp.com/privacy-policy/)

I wonder how many apps like this are out there?

------
RSchaeffer
"Alphabet Inc., through its Google Android operating system for smartphones,
and Apple Inc. also have the ability to monitor how rivals' apps perform on
their mobile platforms, but it isn't clear whether they use that information
to shape their product road maps."

Does anyone have any other sources that can confirm or deny whether
Google/Apple use their mobile OSes like Facebook uses Onavo?

~~~
telcodud
I'd imagine that platform companies have greater obligations towards their
developers.

------
wonder_bread
Sounds a lot like Amazon owning Alexa (the website service), Google owning
double click, etc.

~~~
mpcovcd
I don't think that's a reasonable comparison. Alexa data is public, most of it
can be accessed for free, and the rest at a reasonable price. Doubleclick is
an advertising platform, it doesn't give insight into competitors metrics
unless those competitors choose to share that information.

~~~
j_s
Does Google not monitor/monetize Google Fi, Google Fiber, Google Play
Services, Google DNS, Google Chrome, Google Safe Browsing, and on and on and
on... (Google Maps, Google Location Services)

~~~
mpcovcd
None of those are marketed as a VPN or data security apps.

~~~
j_s
Sorry, which goalpost am I aiming for? This one seems to be moving...

Although not quoting until now (my mistake), my reply was specifically in
response to your previous point:

 _I don't think that's a reasonable comparison [...] it doesn't give insight
into competitors metrics unless those competitors choose to share that
information_

The lines begin to blur especially when discussing means of accessing the
internet (especially most efficiently/safely) and/or core (semi-artificially-
required) mobile phone operating system components!

If nothing else they offer the path of least resistance. Any best-of-breed
solution (GMail, Google Docs, Chrome - all somewhat a matter of opinion) or de
facto monopoly-ish position (search, free analytics, Google Play Services?) by
Google offers the potential for them to gain info on competitors in much the
same way Amazon can take over successful verticals originally occupied by a
third party.

------
slackoverflower
Facebook is very very evil, much more so than Google. SEC/DOJ/whoever needs to
step in and stop Zuckerberg.

~~~
52-6F-62
I recently tried to log into their mobile, javascript-less site, and in order
to let me continue to log in they required a photo of my face and my phone
number.

I've had to submit photos for online financial services/compliance, but not a
social network that is tied into all kinds of other data.

And that's what they asked because I wasn't running javascript. It raised my
concerns about what they do when I do have javascript enabled on their
services. And I work in a company that collects data from its clients -- but
nowhere near their scale.

~~~
ballenf
Is this satire? Holy shit if not. Did you try fooling it?

Wonder what their TOS allows them to do with just that data.

~~~
52-6F-62
Quite real. Yeah I tried skirting the SMS/phone number feature but I didn't
test the photo bit. I was too creeped out.

If you can't replicate it through a standard browser, try through a VPN or TOR
browser.

------
rubatuga
I was considering using this app about 2 years ago, since I wanted to try out
a VPN and this was near the top of the list in the Apple App Store. However,
one glance at the fact that it was owned by Facebook made me “nope” out
immediately. I’m glad to have made the right decision.

------
grwthckrmstr
It's brilliant in a way. But makes me cringe in a way as well.

------
marinman
From a pure strategy perspective, it's also quite brilliant. Without a real
app store of its own, they don't have the directional data that the App Store
or Google Play have.

It's also incredibly shady.

------
eyeball
I really need to get my family to abandon whatsapp. I'm willing to bet
facecrook is using that to spy on everything my phone does.

------
AznHisoka
This type of "spying" has been going on for a long long time [1]. It's just
that people have conveniently ignored it, and the companies that use this data
have not been outed. See SimilarWeb, Jumpshot and other clickstream companies
that buy Google extensions and keep track of every single URL you visit.

[1] [https://www.howtogeek.com/180175/warning-your-browser-extens...](https://www.howtogeek.com/180175/warning-your-browser-extensions-are-spying-on-you/)

~~~
adjkant
I think the reason you see the objection more here is the consolidation of
information Facebook is going for.

------
striking
If you can't get by the paywall, Onavo isn't the only thing Facebook will let
you get an inside peek at...

[https://www.facebook.com/l.php?u=https://www.wsj.com/article...](https://www.facebook.com/l.php?u=https://www.wsj.com/articles/facebooks-onavo-gives-social-media-firm-inside-peek-at-rivals-users-1502622003)

~~~
cbaleanu
Interesting find, by using that link, I gave FB some metrics about me and in
return they sponsored my visit to the wsj article.

------
daenney
Here's the archive.is link if you hit the WSJ paywall:
[http://archive.is/r7GhC](http://archive.is/r7GhC)

------
pier25
Whenever I see stuff like this I wonder if Mark Zuckerberg is even aware of
such things.

I work in a small company of less than 50 people and different teams/depts.
barely know what each other is working on.

------
tehlike
there is a reason why there are so many battery cleaner & anti virus apps with
almost-god permissions.

------
bhhaskin
It's really scary the amount of power we freely give companies like Facebook and
Google.

------
jgalt212
Onavo is similar, but more comprehensive than the now "fixed" css history
leak.

[https://blog.mozilla.org/security/2010/03/31/plugging-the-cs...](https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/)

