
U.S. lawmaker: 'Sure looks like Zuckerberg lied to Congress' - JumpCrisscross
http://www.latimes.com/business/technology/la-fi-tn-facebook-data-20180604-story.html
======
varenc
I don’t get some of the concerns about this.

Take the Facebook app that Huawei built using their special API access to
offer Facebook on their devices. Their implementation was supposed to store
the Facebook data locally on the phone. Of course, there’s a concern here that
Huawei, a company with strong ties to the Chinese government, could still be
siphoning Facebook data off the phone despite that breaking their agreement
with Facebook.

But if you don’t trust the device manufacturer and their operating system,
what does it matter? If Facebook existed solely as a mobile web app on the
phones or as a Facebook Inc produced app, you still have to trust Huawei to
not be siphoning off that data. If you don’t trust Huawei, you’re at risk
regardless of whoever made the software you use on their phones.

(The device manufacturer FB implementations that stored data on non-FB servers
are a different situation though...)

~~~
thisisit
This is one of the strangest defenses for Facebook - everything works as
expected.

Cambridge Analytica downloaded data? The API worked as expected and people
should have been smarter to not share data.

Facebook has special APIs for phone manufacturers? The API works as expected
and people shouldn't buy phones from the manufacturers they don't trust.

But, here's the thing - FB shouldn't have allowed this at all. In one part,
security is about making things harder for people to break in. Currently,
manufacturers can use the official API to siphon off data to non-FB servers. Sure,
manufacturers could run some kind of MITM attack to achieve something similar.
But having an official API is a strict no.

~~~
zethraeus
>> people shouldn't buy phones from the manufacturers they don't trust.

You're literally hosting your life on it. You should indeed not do this.

~~~
osrec
True, but let's say you bought a DSLR camera, wouldn't it irritate you if the
manufacturer was secretly uploading your pictures elsewhere for others to use
against you? To most, such practices would seem beyond intrusive. I sort of
feel that this is what's happened here, albeit, in a subtler manner.

~~~
archgoon
Is there any evidence that has happened? That sounds like it goes directly
against the API's terms of service. If device manufacturers are doing that,
they could equally upload your passwords from the browser.

~~~
yayana
> If device manufacturers are doing that, they could equally upload your
> passwords from the browser.

And then fb should tell you about unusual accesses to your account unless the
phone vendor is also your Telco and extremely careful.

In OSes you can theoretically attack any app, but it is a pain to even debug
them with different versions, changes to their custom storage formats, etc..
Unless they build an ABI, document which parts are stable and give it to you.

~~~
cornholio
FB can tell you about it but there is no law mandating anti-hijack security
features. Never mind that the spyware can be inserted in the client itself or
in the official gateway supplied by Huawei, necessary "for technical reasons",
making it completely invisible.

Once the manufacturer goes outside the licensed API and uses your credentials
to do more than Facebook allows, it commits an actual crime against you in
most jurisdictions.

~~~
yayana
I'm sure people will be investigating and finding a few examples of on-phone
API violations then transferred.

My bet: no criminal cases. Facebook charging less than 50k for violation of an
API contract on data that isn't theirs, if numbers are disclosed. No standing
for users except in a class action that gets $5 or less on a new phone or $2 or
less as a check.

------
bo1024
I'm in the camp that this anger at Facebook is largely misdirected, even
though I'm very privacy-oriented. It's very interesting seeing nontechnical
reactions to this news.

As technical users, we all know that every layer of software down to the
hardware potentially has access to the data flowing on top of it. If you're
running X browser on Y operating system on Z device and you log in to
Facebook, you've just trusted X, Y, and Z with your FB username, password, and
data. (An API works the same.)

But nontechnical users are just now realizing this as privacy and data
security become hot. They're lashing out at Facebook, but I think the scrutiny
absolutely should be leveled at the software and hardware vendors. People
should be asking phone companies: why can I trust your phone enough to type my
facebook username/password into it?

An ideal outcome would be a huge push toward open source (and also toward free
software), but that's probably too optimistic.

~~~
dorgo
>An ideal outcome would be a huge push toward open source (and also toward
free software)

How much does open source improve security? (And does it at all?) In my
experience nobody reads the source code before executing it. Maybe the
situation is different for big projects with many users. On the other hand, for
example, smart contracts (which are open source) had security issues several
times in the past which were discovered too late.

~~~
matheusmoreira
I read the source code of programs I use often, mostly for learning purposes.
The first thing I do when I want to evaluate the security of a program I don't
trust is look at the system calls it performs, especially those related to
I/O.

Since I don't need to reverse engineer binaries, open source code allows me to
spot malicious code much faster. More importantly, it allows me to more easily
_remove_ that code from the program.

The rate of vulnerabilities caused by honest mistakes is probably the same.

~~~
jf22
Yeah, everybody is going to start reading the entire source code of the apps
they use.

~~~
Djvacto
There's still a benefit even if only a small amount of people read it, because
they can call it out. You don't go to the production areas of packaged food
you buy to make sure you know they're not making any mistakes/pumping sawdust
into the food, but you trust that because everyone else is buying it and no
one is getting sick that there's a fair chance you won't either.

~~~
dTal
You broke your analogy a bit there. You don't go to the production areas of
packaged food companies because you assume that others are doing so -
specifically, state regulators. It's not that no one is obviously getting sick
- they might be getting sick in subtle ways they can't pin on the food, like
long term heavy metal poisoning, in the same way that malicious software can
be very quiet about it.

~~~
Djvacto
That's a good point. It's not a 1-1 analogy, but I think the overall principle
applies. If it's open source, more people can regulate it, as opposed to less.

~~~
dTal
Oh no, it's a fine analogy! I just thought you muddled it a little at the end
with the 'no one getting sick' part. It's important that source code be
available for the same reason that food preparation not be done behind locked
doors with secret ingredients - not so much so that _everyone_ can see for
themselves, but so that _someone_ can, and raise the alarm for the rest of us
if anything is amiss.

The 'getting sick' part actually works too - it's important to be able to
review the process precisely _because_ it's not always immediately obvious if
something is wrong.

------
justinsaccount
This article and the nyt one are almost completely bullshit.

They do not understand the difference between "apps" on phones that integrate
with Facebook for sharing purposes, and "facebook apps" like the quiz crap
that Cambridge Analytica abused.

There IS the potential that your phone OS vendor used the FB API access and
your credentials to steal your data, but does anyone seriously think Apple or
BlackBerry did such a thing?

This whole thing is insane. You might as well accuse Google, Apple, Mozilla,
and Microsoft of stealing users' data because you use their browsers to access
facebook.

~~~
shakna
> There IS the potential that your phone OS vendor used the FB API access and
> your credentials to steal your data, but does anyone seriously think Apple
> or BlackBerry did such a thing?

Huawei, Xiaomi, and others are a risk for this.

~~~
justinsaccount
True, and if they wanted to steal all of your data they could do so with
rootkits and modified TLS libraries.

If device manufacturers are stealing users' information, at what point are they
held accountable instead of FB?

~~~
smt88
They are held accountable when FB doesn't help them do it.

------
Niten
There wasn't much substance to the New York Times's report, and as an
outsider, Facebook's official reply--corroborated by Tim Cook's statement
about Apple's actual use of the reported APIs--seems perfectly reasonable to
me.

But dogpiling on Facebook is popular right now, whether it's deserved
(Cambridge Analytica) or not (this), so the actual facts of the matter will be
secondary when politicians evaluate whether to hop on the bandwagon.

~~~
sjg007
Well it looks like a lie and smells like a lie if these device manufacturers
got these info deals from Facebook. It means that the user doesn’t have
complete control. This of course hinges on what we mean by complete control. I
imagine Zuckerberg is going to become a major campaign donor now going
forward... if he isn’t already. I’d expect Facebook lobbying efforts to
intensify as well.

~~~
Niten
I just don't see any evidence of a "lie" in the New York Times article. And if
I add my Facebook account to iOS, of course I realize that I'm trusting Apple
in that scenario.

This whole controversy feels manufactured.

~~~
sjg007
The irony is that Facebook shares data with Chinese companies despite Facebook
being blocked in China.

[https://www.reuters.com/article/us-facebook-privacy-congress...](https://www.reuters.com/article/us-facebook-privacy-congress/facebook-confirms-data-sharing-with-chinese-companies-idUSKCN1J11TY)

------
phwd
The nuances for what a "3rd party entity" vs a "3rd party app" represents in
Facebook is really what's at hand here. Anyone who spent time in the Facebook
developer platform knows this.

NYT's watered down article for the lowest denominator and maximum clicks (imo)
vs Facebook's way too technical explanation for the maximum PR defense. None
of this is going to help US/EU/World lawmakers understand the permission scope
that was set in Graph API for hardware vendors.

It will take anyone with an HTTP listener (Charles, Burp, Cycript, whatever your
choice)... 5 minutes to see where and how the access token was used.

If only we were discussing the data and HTTP requests and not the way
reporters and PR play with words to fit their agendas.

~~~
forapurpose
> None of this is going to help US/EU/World lawmakers understand the
> permission scope that was set in Graph API for hardware vendors.

> It will take anyone with an HTTP listener (Charles, Burp, Cycript, whatever
> your choice)... 5 minutes to see where and how the access token was used.

If you know these things, would you please share with us?

~~~
ainiriand
You have to set up any of those apps and use the provided proxy in your
browser. Now when you visit some site you can take a look at which site is
using the token saved by fb in your last visit. That is the gist of it.

------
Bucephalus355
Earlier today people on Hacker News were talking about whether Mark Zuckerberg
committed treason due to the data-sharing with the Chinese (as well as the
creepy fact that he offered to name his first born after the supreme leader of
China).

Looks like it won’t be a good week for him.

~~~
whatshisface
What's strange to me is that Zuck isn't the only person who works for
Facebook, and Facebook isn't the only company that works in the NSAdtech
market. Hopefully he's not just the ablative heat shield.

~~~
drb91
Why hopefully? It seems appropriate that the CEO and owner takes liability for his
company.

It’s not like he’ll face any real consequences. CEOs get easily payable fines,
not prison time.

~~~
monocasa
It would be unfortunate to have a Shkreli situation where we just randomly take
out the one with the most punchable face rather than dealing with the
structural issues that have created a whole industry doing what he was doing.

~~~
rhizome
Shkreli was by no measure a dominant player in anything other than the tiny
niche he exploited for a short time.

~~~
monocasa
Sure, he just had the most punchable face.

~~~
Declanomous
Shkreli messed up by continually taunting US law enforcement. He probably
wouldn't have had the book thrown at him if he wasn't constantly talking about
how great it was to be an evil capitalist, and instead gave the mealy-mouthed
platitudes that every other CEO of pharma companies does.

~~~
benatkin
Yep, he's the poster boy for "play stupid games, win stupid prizes."

------
zaroth
This seems like a political attack on Facebook. Willful ignorance of technical
reality on HN... no wonder lawmakers are claiming Zuckerberg lies.

Facebook functionality ran on a phone using source code not written by
Facebook. Anyone who equates that with Cambridge Analytica simply has an axe
to grind with FB.

If a device manufacturer wants to betray the trust of their users and siphon
data off the phone, they can surely do that in any case, and it’s not even
hard to do seeing as how they own the network stack.

Can you think of any other codebase which is used to provide Facebook
functionality on our devices using special APIs? Chrome. Mozilla. Safari.

If we can’t distinguish between a user agent and a 3rd party app having access
to a Facebook API then I don’t see how this is debating in good faith.

We are talking about the _device manufacturers_ embedding social functionality
into the operating system. They also write the rest of the OS, you know; if you
don’t trust them to render your friend feed then I have bad news for you about
your SMS, call history, location data, not to mention you’re carrying around a
microphone they can access at any time...

~~~
jmcqk6
You're trying to argue technicalities that most people not only don't
understand, but don't care about. The key question is: Did facebook give
information about you to other people without your control?

You're basically arguing that yes they did, but it's okay because of the way
they did it. Facebook is responsible for communicating that nuance, and they
failed to do so. They offered an absolute, and whether they were lying or not,
what Zuck said was not accurate.

~~~
zaroth
In this instance it’s quite clear to me that Facebook did not give information
about anyone to anyone except to the user who was viewing their own feed.

Would you claim that Facebook is giving information about me to my _monitor
manufacturer_ because their pixels are being used to display the information
to my eyes?

Would you claim Facebook is giving my information to the people who wrote the
code to implement the TLS stack?

Would you claim Facebook is giving my information to Apple because they
developed iOS? Or to Chrome because they wrote my browser?

The fundamental architecture of our computing devices is not a technicality. If
you equate the fact that our software works using abstraction layers to
achieve desired effects with Facebook leaking your information to every layer
of software that lives below it, it can only be because you are either grossly
misinformed about how software actually works or you are blinded by hatred of
Facebook.

You know what, here’s another good analogy. The software which powers the
_voice calls_ I make on my iPhone is written by Apple, and one layer below
that, Qualcomm. The voice call is only made possible by special APIs provided
by my service provider (AT&T) codified through 3GPP. This is like claiming
AT&T should be liable for improperly sharing my voice comms with Apple and
Qualcomm simply because they helped write the software which allows the call
to be made.

Could Apple and Qualcomm be taping my calls? Surely they could be. And if they
were, I sure as hell would be angry, but not at AT&T. And if AT&T testified
that they had _not_ given my call data to Apple and Qualcomm, they would not
have been lying.

The NYT took a Facebook user agent rendering a friend feed, intercepted the
network messages, and then gasped, “Look, see, Facebook is sending all your
friend information to _BlackBerry_,” as if this was some great conspiracy.
Good grief.

------
thinkcomp
Mark has lied consistently, and in public, since at least 2005. My first post
on Hacker News was a warning. It's a shame no one listened.

[https://www.quora.com/How-did-Zuckerberg-code-Facebook-so-fa...](https://www.quora.com/How-did-Zuckerberg-code-Facebook-so-fast-2/answer/Aaron-Greenspan)

[https://www.huffingtonpost.com/entry/open-to-attack-and-conn...](https://www.huffingtonpost.com/entry/open-to-attack-and-connected-to-the-kremlin_us_59c9ec1ce4b08d661550457d)

~~~
tomcam
Um... downvoters should read these submissions. This guy isn’t a troll, he’s
Aaron Greenspan, the creator of Facebook’s predecessor, code for which seems
magically to have appeared in FB. There was a settlement:
[https://en.m.wikipedia.org/wiki/Criticism_of_Facebook#Aaron_...](https://en.m.wikipedia.org/wiki/Criticism_of_Facebook#Aaron_Greenspan_and_houseSYSTEM)

~~~
varenc
I downvoted because the comment just doesn't seem like a good comment. Here
are some HN guidelines I feel it breaks or comes close to breaking:

    - Avoid unrelated controversies and generic tangents.
    - When disagreeing, please reply to the argument instead of calling names.
    - Be civil. Don't say things you wouldn't say face-to-face. Don't be snarky.
    - Please don't post shallow dismissals, especially of other people's work.

Though Aaron, given the history I do understand why you'd have strong feelings
about Zuck's integrity.

(of course, I'm also breaking this guideline in my own comment! _Please don't
comment about the voting on comments. It never does any good, and it makes
boring reading._)

~~~
acobster
Lying in public seems pretty relevant to an article about lying to Congress.

He didn't call anyone a name, he mentioned specific actions: namely, lying.

I obviously can't speak to whether he'd say these things face to face, but you
can't either. It sure seems like he made a good faith effort to raise his
concerns, though.

The articles he linked to are well reasoned and anything but shallow. Your
argument, on the other hand, seems like a pretty shallow dismissal.

------
CWuestefeld
I know it's a tangent, but I have trouble assigning any significance to this
after the James Clapper thing. If he can lie to Congress with impunity, about
things that are clearly within Congressional purview, then why should anyone
else worry about such things?

~~~
arbitrage
James Clapper doesn't lie on the record. He constructs his statements so
carefully that he isn't technically lying, but actually saying something
completely different than what you think he is.

The issue here is that Congress is too weak to call him out on it. Clapper
started playing this game years ago, and now others are emulating him, to
great effect.

------
sidcool
I am glad Apple is taking proactive steps in Safari to block tracking and
fingerprinting by social platforms. It's a disease and needs to be dealt with.
Thanks Apple.

------
timvdalen
I can't believe I have to say this, but here is a Google Cache mirror for
Europeans:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://www.latimes.com/business/technology/la-fi-tn-facebook-data-20180604-story.html)

~~~
happertiger
So. Much. Irony.

------
paulie_a
He absolutely lied to Congress and it was obvious from the get-go. I'm sure he
will apologize and nothing will happen.

------
sandov
The privacy discussion is misguided.

I don't care how much you make Facebook, Google et al. promise not to "abuse"
their users' data.

What I care about is educating people so that they choose software and
companies that respect them.

We should stop treating users & citizens as complete morons who need daddy
state to take care of them.

~~~
forapurpose
> We should stop treating users & citizens as complete morons who need daddy
> state to take care of them.

We're treating them as intelligent human beings who can't possibly master
knowledge of all the technology, confidentiality, and its implications in a
world of analytics and adtech. Even I can only imagine some of it.

Should we educate users to choose safe anesthesia and surgical techniques? To
choose proper exotic financial instruments? I think we should require doctors
to provide safe anesthesia, Wall Street to provide safe investments, and
anyone handling user data to provide confidentiality and end-user control.

~~~
tikkabhuna
Doesn't this all depend on how often you would be using that knowledge?
Average computer literacy is horrendous and we use them every day. These
devices are used for everything and becoming more and more integral to
society.

Surgical techniques and how to handle exotic financial instruments are
specialist topics that are useful in extremely niche situations. In those
situations you will speak to someone who is knowledgeable on them.

------
beenBoutIT
America needs to redefine literacy and replace these obsolete lawmakers with
lawmakers who are coding literate. This is not at all unlike a group of
illiterate lawmakers speculating about what a book they cannot read says after
interviewing its author.

------
yawz
"...and the data mostly remained on phones that accessed it. "

Mostly?!?

------
sjcsjc
"Unfortunately, our website is currently unavailable in most European
countries. We are engaged on the issue and committed to looking at options
that support our full range of digital offerings to the EU market. We continue
to identify technical compliance solutions that will provide all readers with
our award-winning journalism."

~~~
matheusmoreira
So, the fragmentation of the internet has begun...

~~~
zingmars
Begun? Surely you remember YouTube region locking videos. Or companies that
don't offer their services (or have different ones) outside of their region opening
international sites that have different content in different regions.

This is nothing new.

~~~
the_af
Even worse, and more surprising and alarming, a few weeks ago the Humble
Bundle was selling region-locked EBOOKS! Someone explain that one to me,
please. This means I wanted to buy a bundle of sci-fi books -- that's _buy_,
not read for free -- and all of the most interesting books (old classics, by
the way) were "not available in your region".

edit: a clarification: the ebooks themselves don't have DRM, but Humble Bundle
will refuse to sell them to you if you're in whatever region they (or the
publishers) don't want to support at the time.

~~~
chaosite
Say what now?

And did Humble Bundle support fix your issue?

Man, I remember when a major Humble Bundle selling point was being DRM free...

~~~
mrec
If it's like previous times I've seen this, the ebooks themselves will still
be DRM-free, HB just won't sell some of them to you, i.e., they won't be
included in the bundle you get.

~~~
the_af
Yes, thanks for clarifying. This is still tremendously disappointing. They
show you the books in the bundle, but refuse to sell them to you. I wonder how
this is a thing. It certainly lowered my faith in the Humble Bundle.

~~~
SketchySeaBeast
I'm sure it's a distribution rights issue - probably someone who didn't want
to deal with Humble Bundle owns the book rights in those regions. As a
non-American I see it all the time with media.

~~~
mrec
I'm sure it is too, but IMO Humble Bundle should refuse to carry books with
those restrictions.

------
bastijn
To circumvent GDPR blockage in EU:
[https://outline.com/http://www.latimes.com/business/technolo...](https://outline.com/http://www.latimes.com/business/technology/la-fi-tn-facebook-data-20180604-story.html)

~~~
megaman22
How long until HN needs a GDPR link, like the web one?

~~~
bausshf
Never

------
geraltofrivia
Latimes still hasn't sorted its shit and blocked your friends from across the
ocean. Can you guys post a plaintext of the article here?

~~~
sir_kin
[https://pastebin.com/raw/Nmr5E8JU](https://pastebin.com/raw/Nmr5E8JU)

------
mdrzn
More than a week after the GDPR (and two years after it was announced),
the LA Times still can't serve its content to EU viewers. Can we add a "GDPR"
link near the web one, or drop the kind of websites that act like this?

~~~
wjoe
I have to wonder what questionable things LA Times are doing, if the only way
they can comply with GDPR is to block an entire continent from reading news
articles on their site.

------
hyprCoin
Both left and right news organizations seem to want to blast Zuckerberg. That
makes me like him more, a nerdy comp sci guy who changed how everyone
communicates has political ambitions? SHUT IT DOWN

------
curiousgal
So?

------
dxxvi
"Sure" and "looks like" are in the same sentence. What does that mean?

~~~
lftl
"It definitely appears to be the case that..."

------
readhn
Imagine Zuckerberg in jail...?

~~~
sfifs
Imagine as president which is a lot more likely :-)

~~~
readhn
Oh I hope not. It's going to be worse than Trump.

