
Facebook Warns Investors to Expect 'Additional Incidents' of User Data Abuse - gerbilly
https://www.siliconvalley.com/2018/04/27/facebook-got-an-earnings-boost-but-heres-the-fine-print/
======
da_chicken
I told people ten years ago that they were doing this sort of thing and got
blown off. Now I've had some of the same people come to me and tell me to get
off Facebook in patronizing tones that reminded me of my grade school teachers
and irritated that I didn't warn them. I don't know if I've ever been so
infuriated at someone face-to-face in my whole life.

~~~
hownottowrite
Unsolicited advice: These are people you need to let go from your life.

~~~
nvr219
If you just let go people who irritate you once then you're going to die alone

~~~
hownottowrite
Sure but this doesn’t sound like a one time thing. And if it causes emotional
distress why hang on?

~~~
nvr219
the way da_chicken wrote it, it sounded like a one-time thing

~~~
da_chicken
Yes, it was a one-time thing. I've just had three different people do it one
time.

I assume the response was for the same reason relationship advice from
strangers is always "break up immediately." People are really bad at judging
things they know only one thing about.

------
yesforwhat
It's not abuse, it's what the platform was built for. Calling it "abuse" is
following the spin, don't do it.

~~~
mic47
There are two aspects: technical and legal.

Technical: companies got the data in the way the system was designed. No abuse
there.

Legal: companies didn't adhere to TOS and used data in a way that they were not
supposed to. This is why it is called abuse.

~~~
cinquemb
TOS aren't necessarily enforceable legally[0], setting aside jurisdictional
issues. If you have an account, sure facebook may use such to disable/delete
it, but there are many ways to get data from facebook without having an
account.

[0] [https://www.eff.org/issues/terms-of-abuse](https://www.eff.org/issues/terms-of-abuse)

~~~
mic47
It's still violated on agreed terms (even if not legally enforceable) so it
can be called abuse.

Also, how does the provided link support claim that they are not necessarily
enforceable legally? I read it but saw only criticism of TOS in general,
nothing about whether they are or are not legally enforceable.

~~~
cinquemb
> _It's still violated on agreed terms (even if not legally enforceable) so
> it can be called abuse._

If you grab data hosted on facebook or any other website, without having an
account, where is the explicit contractual agreement? Are HTTP requests
contractual agreements? MITM/DPI'ing facebook users who connect via your
hardware contractual agreements?

The extent that is abuse, is that facebook (or any other site) service is
engineered in such a way that makes such information it collects available to
any degree in the first place. True, anyone can make dubious claims of abuse.

> _Also, how does the provided link support claim that they are not
> necessarily enforceable legally? I read it but saw only criticism of TOS in
> general, nothing about whether they are or are not legally enforceable._

"These "terms" are actually purported legal contracts between the user and the
online service provider (websites MMORPGs communication services etc.) despite
the fact that users never get a chance to negotiate their contents and can
often be entirely unaware of their existence."

purported legal contracts != legal contracts, i.e. just because someone says
it's a legal contract, doesn't mean it actually is.

~~~
mic47
> purported legal contracts != legal contracts

Oh, learned the new word today. Do they have also some analysis that say why
TOS should be purported legal contract and not valid legal contract?

> If you grab data hosted on facebook or any other website, without having an
> account, where is the explicit contractual agreement?

I assumed that we were about platform API abuse. In such case, each developer
had to agree with TOS before he is allowed to use the API. So in this case,
developer explicitly agreed to terms that subsequently broke. So I think it
can be called "abuse". It's not random HTTP request.

For random HTTP requests, that is much less clear. My stance on this is that
as long as you are respecting robots.txt, and not trying to circumvent any
blocking measures by the site you are using, everything is fair game (in
general, maybe there could be exceptions). I don't think it's right/moral to
violate those two. And whether it is legal, it depends on jurisdiction, who
you are scraping (I am assuming we talk about automated access), if you
respect robots.txt, if you try to go around blocks, ...

Two interesting cases in scraping I know about are these ones:
[https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur...](https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventures,_Inc).
[https://arstechnica.com/tech-policy/2017/08/court-rejects-li...](https://arstechnica.com/tech-policy/2017/08/court-rejects-linkedin-claim-that-unauthorized-scraping-is-hacking/)

> MITM/DPI'ing facebook users who connect via your hardware contractual
> agreements?

I am no expert in law, but MITM/DPI to extract data sounds highly illegal. I
don't think that TOS have to handle this case.

> The extent that is abuse, is that facebook (or any other site) service is
> engineered in such a way that makes such information it collects available
> to any degree in the first place.

So you are arguing that Facebook should be walled garden, with minimal
possibilities for users to share their data with developers (not that I
disagree). I don't think this is problem with existence of these platform /
capabilities, but that the users are not understanding implications of what
they are allowing (but doing that is gargantuan task, they will probably
invent new Nobel prize for anyone who manages doing that).

~~~
cinquemb
> _I assumed that we were about platform API abuse. In such case, each
> developer had to agree with TOS before he is allowed to use the API. So in
> this case, developer explicitly agreed to terms that subsequently broke. So
> I think it can be called "abuse". It's not random HTTP request._

Even assuming that, developers who check in their credentials to public repos,
third parties that use such never agreed to the terms. You can do this
today, without agreeing to facebook's terms (i.e. go to github, get access
tokens, connect to "open graph", no accepting terms or creating accounts
needed).

> _Do they have also some analysis that say why TOS should be purported legal
> contract and not valid legal contract?… For random HTTP requests, that is
> much less clear…_

It's not really about random HTTP requests or not, it's that any of this will
have to be argued in courts. From the examples you have listed, in the US,
this is not really in Facebook's favor (unless they can scare people to stop
doing such before getting to the courts).

> _So you are arguing that Facebook should be walled garden, with minimal
> possibilities for users to share their data with developers (not that I
> disagree)…but that the users are not understanding implications of what they
> are allowing_

Personally, I don't think facebook should be this at all, and although they
may have sold developers on their platform, this has been less of the case
over all as time goes on (bait and switch). They say they want to connect the
world, but what they really mean is that they want to connect the world on
their terms (and they have every right to, but they can't necessarily stop
others from doing something).

I don't think it is facebook's responsibility to give its users any illusions
of privacy since any "friend" they have on the platform or any third party app
they connect with is just another attack surface against such: by design. I
think every user of any platform needs to take protections into their own
hands, if they care about such, first and foremost. Expecting
governments/corporations/organizations to coddle them and provide everything
that they desire without doing anything for oneself, is just naive to how
humans have operated throughout history. It's been over a decade since
facebook has been around, people can keep saying that people just don't
understand, but I will think people will keep saying such even after another
decade (or more) if facebook is still around.

~~~
mic47
> You can do this today, without agreeing to facebook's terms (i.e. go to
> github, get access tokens, connect to "open graph", no accepting terms or
> creating accounts needed

If I go to pastebin and find login credentials dumps, I can log in to those
services without accepting any TOS. Yet, I would probably go to jail if
caught. This seems to be a similar case. But I doubt that a user access token
(that you need to access that user's data) is somewhere on github. App user
token sure (as sometimes you have to ship it with the app, or app can be
opensource), but user access tokens are like passwords, so they should not be
in the code.

------
dkrich
The most interesting part of this story to me is the apparent divide between the
perception of how people should react to their data being mishandled and how
they actually react.

Anecdotally, most of the outrage I’ve seen has come from white men in their
50’s who don’t actively use the platform. I don’t mean this as a jab, I
literally have seen the most outrage from this group although I’m not sure
why. Perhaps it’s just coincidence or that is the most outspoken demographic.

Meanwhile, I haven’t seen any change in usage from those people I know who
actively use Facebook/Instagram/WhatsApp.

I think that people feel that this story should adversely affect the company
and its earnings, but there is no evidence that it actually will.

~~~
cirgue
> Meanwhile, I haven’t seen any change in usage from those people I know who
> actively use Facebook/Instagram/WhatsApp.

Over the last three years, the percentage of my friends who are active on
these platforms has dropped dramatically, like ~80% to ~20%. I think most of
the people who understood that Facebook and associated properties were toxic
tailed off using those services well before the Cambridge Analytica thing.

------
greggarious
I deleted my Facebook because I was using it mainly for messenger. I simply
didn't feel comfortable having my private conversations on their servers, so I
got my close friends to (begrudgingly) pivot to Signal.

Later, it would come out that Cambridge Analytica (and likely other bad
actors) had been siphoning up PMs:

[https://www.theverge.com/2018/4/10/17219606/cambridge-analyt...](https://www.theverge.com/2018/4/10/17219606/cambridge-analytica-private-facebook-messenger-messages)

------
curiousguy
That's not surprising. I already developed a game for Facebook a few years ago
and was amazed how much information about the user and his friends was
possible to collect. There was simply no restriction.

I try to imagine games like Farmville that were played by millions of people,
how much information they collected.

Nowadays, Facebook has Graph API. You need to specify exactly what information
about the user you want. And depending on the information, Facebook needs to
review in advance.

------
eveningcoffee
I think that they are preparing for the future where everyone will realize
that the whole Facebook is a user data abuse (and more because they are
tracking non users without their consent).

I think they have decided to take the hit rather now (in the stock price) than
in the future assuming that the hit now will be smaller now than later.

------
alex_young
I can think of at least a couple of startups I've come into contact with that
collect data from user profiles on FB and other social sites. Wouldn't
surprise me if there are hundreds of them out there.

~~~
greggarious
What sort of data? It's normal and expected to collect public facing stuff
like profile photo, name, gender. I'd be much more irritated if they're
scraping entire profiles.

------
rudimental
Do warnings like this have any impact on future lawsuits against Facebook?
Does it help Facebook in other ways?

~~~
bostik
I wouldn't dare to guess either way if I had to put money on it, but from what
I have learned of US investor reports -- companies are legally obligated to
list known and anticipated business risks in their filings.

Maybe not in those very words, but the concept comes up quite frequently in
Money Stuff[0]. Recently I've seen a recurring theme around "everything is
securities fraud". Which boils down to a very utilitarian and cynical core: if
you are a company and do X but don't disclose to your investors that doing X
may have an effect on the value of their investment, then the investors can
sue you for securities fraud and try to claw back whatever future profits they
feel they had been entitled to.

0: [https://www.bloomberg.com/view/topics/money-stuff](https://www.bloomberg.com/view/topics/money-stuff)

------
originalsimba
Making such a warning should in no way reduce the consequences that Facebook
should be forced to face for their responsibility in dragging all of us
kicking and screaming to this place.

That is, of course, precisely why they spoke up. Their lawyers and accountants
determined that would be the least costly approach.

As an aside, why do we continue to tolerate this kind of behavior from
corporations? They aren't _really_ people and they don't deserve and should
not be afforded the freedom to experiment with their impact on our society and
our lives that real people are privileged to enjoy. Regulations and massive
punitive consequences are _good_ things to ensure corporate behavior serves
the public interest. And yet this has been going on for almost a century and
nothing ever happens to change it?

It's nothing but an evolution of the robber barons.

------
splitrocket
this is my surprised face.

