
Facebook Hit by Apple’s Crackdown on Messaging Feature - tareqak
https://www.theinformation.com/articles/facebook-hit-by-apples-crackdown-on-messaging-feature?pu=hackernews8g0mjb&utm_source=hackernews&utm_medium=unlock
======
codeulike
I've noticed something sneaky about Facebook on my phone. I refuse to install
their apps but I do use Facebook a bit so I use it via the phone Browser (in
my case, Chrome on Android).

I've noticed that sometimes Facebook shows a fake 'you've got a message' icon
to try and trick you into installing their messenger app.

To reproduce this behaviour: (this works best if you don't get a lot of
Facebook messages. Also you need a phone with no Facebook apps installed)

- On your desktop PC, use Facebook to send a message to someone

- Then switch to your phone, using Facebook in the browser

- After about an hour, the little speech-bubble message icon at the top will
go red, showing you've got a message

- If you click on this from a phone browser, it redirects you to install
messenger. (normally, phone-browser Facebook doesn't do messenger features)

- Instead of that, switch on 'request desktop site' (not sure what iOS calls
this option) to make your phone display the desktop version of Facebook. And
then you can (usually) read your messages in the browser

- But you will find that there is no new message, and the new message icon
will no longer be lit up.

I've had this happen five or six times now - supposedly new messages have
arrived but when you look there are none. It always happens about an hour
after sending a message. I'm pretty convinced it's deliberate behaviour on the
phone browser version of facebook to get you to install their messenger app.

~~~
rosser
I don't think it's an attempt to get you to install messenger so much as it's
a cheap tactic to drive engagement, generally. I _do_ have Messenger installed
on a device, and it _also_ shows unread notifications for conversations where
I sent the last message, a bit (I've never timed how long) after the message
was sent.

I assumed it was just some shitty dark pattern, that (enough) people are
Pavlov-ing at unread notifications to pad their usage metrics nicely, because
someone thought, "Let's poke people's brains to make the graphs look better!"
or something. I mean, it _is_ Facebook.

EDIT: Phrasing

~~~
IfOnlyYouKnew
FWIW this has never happened to me.

It also strikes me as suboptimal even as a "dark pattern": Clicking on
conversations when you have the app open already, and not seeing new messages
you expect, is frustrating without any conceivable payoff for Facebook. The
pattern mentioned above–the app icon showing activity, which gets you to open
the app–seems far more plausible.

~~~
dspillett
I've seen it happen, particularly when switching between devices (there are
times when this means I'm switching network completely, not just between
devices on the same LAN) so I've assumed it is an artifact of "eventual
consistency" between Facebook's many clusters and frontend nodes.

------
brianpgordon
> “To be clear—we are using the PushKit VoIP API to deliver a world-class,
> private messaging experience, not for the purpose of collecting data."

I think we must be at the point where it's arguably irresponsible journalism
for The Information to broadcast a claim like that from Facebook without
immediately pointing out the occasions in the past when identical claims about
data collection have turned out to be barefaced lies. Not every reader is
going to have that context when reading the article, and they need to be
equipped with the appropriate skepticism.

I'm not saying we need to dredge up the 90s any time Microsoft speaks publicly
about open source. But the Facebook thing is an ongoing issue, and it hasn't
been that long since their absolute worst abusive behavior, and there's been
no change in management since then. I think it's reasonable that any quote
from Facebook denying privacy abuses should be positively _dripping_ with
disclaimers.

(By the way, I'm loving the articles from The Information when they hit HN.
Quality content.)

~~~
SeanBoocock
> "I think we must be at the point where it's arguably irresponsible
> journalism for The Information to broadcast a claim like that from Facebook
> without immediately pointing out the occasions in the past when identical
> claims about data collection have turned out to be barefaced lies."

I am struggling to recall any unambiguous instances like you suggest,
especially anything rising to the level of "barefaced lies". What would be the
best examples?

I agree that journalists should give sufficient context about Facebook's
history around data and privacy, but I also expect anyone that is subscribing
to The Information doesn't need it rehashed for them.

~~~
shakna
The time they collected phone numbers for express reason of 2FA, and then
began using them to lookup and connect contacts?

~~~
SeanBoocock
Do you have any links with contemporaneous public messaging from Facebook
about that? I am curious because the OP made a strong claim: that Facebook
deliberately and specifically misled the public; and that there have been so
many instances of this exposed that any journalist who fails to cite them is
negligent.

~~~
shakna
Gizmodo [0] did the original reporting on what I've mentioned, based on the
work of Alan Mislove amongst others.

Facebook's official statement when 2FA numbers started being made available
for other purposes was:

> “We outline the information we receive and use for ads in our data policy,
> and give people control over their ads experience including custom
> audiences, via their ad preferences,” said a spokesperson by email. “For
> more information about how to manage your preferences and the type of data
> we use to show people ads see this post.”

They saw no reason to deny it. Any information handed to Facebook may be used
for any purpose, even if it is not apparent to the user that they will exploit
data given under one function for another unrelated function.

As a sibling has pointed out with several sources - this isn't new behaviour
for Facebook.

[0] [https://www.gizmodo.com.au/2018/09/facebook-is-giving-advertisers-access-to-your-shadow-contact-information/](https://www.gizmodo.com.au/2018/09/facebook-is-giving-advertisers-access-to-your-shadow-contact-information/)

[1] [https://mislove.org/publications/PII-PETS.pdf](https://mislove.org/publications/PII-PETS.pdf)

~~~
miracle2k
But a general collection of potentially unethical or unseemly behavior is not
the thing that we are looking for. The claim was that Facebook is known to
engage in that behavior while then also lying about it when questioned.

~~~
shakna
> The claim was that Facebook is known to engage in that behavior while then
> also lying about it when questioned.

That is not how I read the parent.

Facebook asked for a phone number for 2FA (purpose).

Facebook then supplied that information for ad-targeting (definitely not what
the user expects or agreed to).

There was nothing on the page when filling in the phone number that it might
then be used for something other than 2FA. Just a general statement in their
inhuman ToS that they can repurpose data.

That can very reasonably be construed that Facebook lied to the user - they
weren't adequately informed. It certainly wouldn't be informed consent in most
contexts.

---

But! If we are to take the view of whether Facebook has said one thing while
actively doing another... Then the Cambridge Analytica scandal had its own
moment of that.

> “Every piece of content that you share on Facebook you own,” he [Zuckerberg]
> testified. ”You have complete control over who sees it and how you share
> it.”

> Facebook’s view that the device makers are not outsiders lets the partners
> go even further, The Times found: They can obtain data about a user’s
> Facebook friends, even those who have denied Facebook permission to share
> information with any third parties.

So, Facebook's official position was that you control your data, and who has
access to it - but they didn't view device makers as a third party, and thus
any device maker could overrule a user's choice and see their data if they
wished.

As to the scale of the information a device maker can access...

> After connecting to Facebook, the BlackBerry Hub app was able to retrieve
> detailed data on 556 of Mr. LaForgia's friends, including relationship
> status, religious and political leanings and events they planned to attend.
> Facebook has said that it cut off third parties' access to this type of
> information in 2015, but that it does not consider BlackBerry a third party
> in this case.

------
bertman
The article focuses on making calls, but moxie (from Signal) had this to say:

"PushKit is the only way to do e2e encrypted messaging in iOS. If they take
that away, they're disabling the ability for messaging apps to function with
e2e encryption. I don't see how Apple can frame that as "enhancing user
privacy and security?" "

[https://twitter.com/moxie/status/1158852855291269120](https://twitter.com/moxie/status/1158852855291269120)
So it's not only about being able to answer calls quickly.

~~~
lm2s
I don't understand this commentary by Moxie. Why does removing PushKit
functionality remove the ability for apps to do E2EE?

The only thing I can think of, is notifications maybe not being encrypted? But
that seems like a bit of a stretch to say you can't do E2EE messaging.

~~~
lm2s
After some quick research*, the conclusion I arrive at is that Moxie stretched
the truth. Removing PushKit functionality does not remove the ability for
apps to do E2EE messaging.

From what I understood: with PushKit, it's possible to send a signal
notification to the app. The app then fetches and decrypts new messages and
generates appropriate notifications locally.

This is also possible to do with regular (silent) Push Notifications. The key
difference seems to be that they are low priority and might not be delivered
(thus no notification will be generated), and with PushKit it would.

So AFAIK this seems to be more of a UX issue.

* I might be understanding something incorrectly.

~~~
thepangolino
Don't take my word for it but I believe that's the approach Telegram has.

------
hart_russell
+1 to Apple's track record for user privacy.

I do not regret switching from Android to iOS (even if Siri is woefully behind
in the voice assistant game)

~~~
charlesju
What voice assistant features do you miss? I've never used Android so I'm
curious.

~~~
usefulcat
I use it all the time to set reminders. "Ok Google. At 2 PM next Tuesday
remind me to <insert pretty much anything here>".

~~~
sib
I use Siri to do the same. Is it an issue of better ASR or NLP that makes the
difference for you?

~~~
a254613e
Google assistant is so much better to look up information and understand what
you want.

I use Alexa, Siri, and google assistant. And others don't come even close to
assistant when it comes to understanding what you mean and the context. Or
even understanding what I've said.

You can ask it stuff like "What's the name of the blonde actress from that new
Tarantino movie" and you will get the result (works on google.com too), then
you can ask follow up questions about her.

This also carries over into setting reminders, controlling smart home devices.
"Set a timer", "No, you know what, cancel it". It feels like talking to a
person. And it sounds more like a person too.

The ONLY reason I use assistant the least of the 3, is the wake word.

------
buildzr
Am I reading this right? If WhatsApp and similar are no longer able to
implement End-To-End crypto because they have to use an Apple API which
supports only specific protocols, this is going to be a huge loss for users.

I've considered switching to an iOS device, but stuff like this keeps me away,
I'm very glad I can keep direct SIP, SSH, IMAP and XMPP connections open at
all hours of the day.

~~~
dep_b
Not being able to lurk in the background does not have anything to do with
security. I don’t think Signal uses it and they’re generally considered
secure. You can check out their source.

~~~
makomk
The current Apple VoIP APIs don't actually let apps run in the background all
the time anyway. What they provide is a way to instantly remotely wake up an
app, let it connect to your server in the background, do some local
processing, and then create and display a notification. This is exactly what
end-to-end encrypted messaging needs, but Apple is killing off the ability to
use the VoIP APIs in this way in iOS 13.

Signal uses the exact same PushKit VoIP API that Facebook does, by the way -
check PushRegistrationManager.swift in their source. I'm not sure if they use
it for text chat as well as voice, but I assume so since there are no references
to the newer API they could use in their code and they still support iOS 9
which doesn't have it (as do Facebook Messenger and WhatsApp). Edit: I think
it's safe to say that Signal does this, given that Moxie Marlinspike isn't
aware of any other way to do it:
[https://twitter.com/moxie/status/1158852855291269120](https://twitter.com/moxie/status/1158852855291269120)

(Well, they don't intentionally let apps run all the time in the background.
They're quite lax about how long apps can run for in the background after
being woken up in order to support voice calls, but that's not the feature
messaging apps need from them.)

~~~
dep_b
This is what is confusing about this article anyway. You used to be able to
run your VoIP application in the background all of the time. This has been
closed for longer. But WhatsApp and Facebook are really old apps, supporting
pretty ancient versions of iOS (last time I checked). They might have
inherited the capabilities back from the time it was the only way to have
VoIP?

The intended way a VoIP application should work is using PushKit and CallKit to
show a native call screen after receiving a special VoIP push notification
message. Only when the user accepts will the actual application open.

"Background App Refresh" is used for silent push notifications, which should
be used to download content when the application is not running. It could be
used to download images in messages ahead of time, though could be abused just
as well. "Background App Refresh" is not a reliable way to deliver
notifications to an application since they're dropped pretty easily.

~~~
makomk
VoIP apps built against the iOS 9 SDK and earlier can still run in the
background all the time, but we know WhatsApp and Facebook Messenger have used
iOS SDK 10 or higher since 2016 because they introduced support for CallKit
back then which requires that version. Also, the current version of their apps
only support iOS 9 and newer and PushKit has been available since 8. As far as
I can tell, the media coverage is just misleading in a way that pushes their
existing narratives about Facebook and Apple.

------
therealmarv
Essence from this site (from my understanding, read the whole article):

WhatsApp is using VoIP iOS features to display end2end encrypted notifications
in iOS. This loophole will be closed on iOS13. So either WhatsApp does not
display any notifications text on iOS13 with WhatsApp or WhatsApp will remove
end2end encryption for the sake of having notifications with text on iOS.

This is really alarming for privacy. Seems Apple does not care about privacy
and comfort unless it's software from Apple.

I just hope WhatsApp will stay strong and never give up on end2end encryption.

~~~
acdha
It has nothing to do with end-to-end encryption: they’re abusing the VoIP
feature to stay running in the background, which is trading battery life for
better surveillance of your activities. Apple is doing it to _protect_ privacy
by closing one of the ways unscrupulous app developers keep trackers running.

~~~
makomk
It has everything to do with end-to-end encryption. Prior to iOS 10, the only
way to display notifications for end-to-end encrypted chat without giving
Apple a plaintext copy of everything in the notification was to abuse the VoIP
feature. More specifically, the "PushKit VoIP API" Facebook's spokesperson
mentioned allowed services to push down an opaque blob of data and have their
apps immediately wake up in the background, do some processing (such as
decryption), maybe get more data from the network, and create a notification.
This was intended to support incoming voice calls but worked great for end-to-
end encrypted text chat. Now Apple are cracking down on the use of that VoIP
background functionality for anything but voice calls.

It might be possible for companies like Facebook to rewrite their code to use
an iOS 10+ Notification Service app extension to decrypt the notifications
instead, but that requires major code changes and has additional limitations.

Also, from what I can tell Facebook Messenger etc haven't had access to the
old APIs which just let VoIP apps run in the background all the time since
about 2016. That's not available for apps linked to the iOS 10 API and they've
been using the iOS-10-only CallKit since about that time.
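
Added example, not part of the comment above and not code from any app discussed in the thread: a Node.js model of the flow described here, where the push payload carries only an opaque blob plus a generic alert and the device-side handler (the role a Notification Service extension plays) decrypts it and rewrites the alert. `aps.alert` and `mutable-content` are real APNs payload keys; the `enc` and `cid` fields, the function names and the pre-shared 32-byte key are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

const NONCE_LEN = 12; // AES-GCM nonce size used here
const TAG_LEN = 16;   // AES-GCM authentication tag size

// Sender side: encrypt the notification text with a key only the endpoints hold.
// The conversation id is bound as associated data so a blob cannot be replayed
// into a different conversation without failing authentication.
function sealForPush(key, plaintext, conversationId) {
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(conversationId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString('base64');
}

// What the messaging server hands to the push service. Everything in this
// object is visible to the server and to the push relay.
function buildPushPayload(key, sender, text, conversationId) {
  return {
    aps: {
      // Generic fallback shown if the device cannot decrypt in time.
      alert: { title: 'New message', body: 'Open the app to read it' },
      // Asks iOS to run the app's notification extension before display.
      'mutable-content': 1,
    },
    cid: conversationId,                                            // hypothetical field
    enc: sealForPush(key, JSON.stringify({ sender, text }), conversationId), // hypothetical field
  };
}

// Device side (simulated): returns the alert that would actually be displayed.
// Any failure (missing field, wrong key, tampered blob) keeps the generic alert
// instead of showing attacker-controlled or garbage text.
function rewriteOnDevice(key, payload) {
  const fallback = { ...payload.aps.alert, decrypted: false };
  try {
    const raw = Buffer.from(payload.enc, 'base64');
    if (raw.length < NONCE_LEN + TAG_LEN) return fallback;
    const nonce = raw.subarray(0, NONCE_LEN);
    const tag = raw.subarray(raw.length - TAG_LEN);
    const ct = raw.subarray(NONCE_LEN, raw.length - TAG_LEN);
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
    decipher.setAAD(Buffer.from(payload.cid, 'utf8'));
    decipher.setAuthTag(tag);
    const inner = JSON.parse(
      Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8'));
    return { title: inner.sender, body: inner.text, decrypted: true };
  } catch (err) {
    return fallback;
  }
}

// Constructed sample data, for demonstration only.
const demoKey = Buffer.alloc(32, 0x2a);
const demoPayload = buildPushPayload(demoKey, 'alice', 'lunch at noon?', 'conv-1');
console.log('relay sees :', JSON.stringify(demoPayload));
console.log('user sees  :', rewriteOnDevice(demoKey, demoPayload));
```
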

~~~
comex
> It might be possible for companies like Facebook to rewrite their code to
> use an iOS 10+ Notification Service app extension to decrypt the
> notifications instead, but that requires major code changes and has
> additional limitations.

Perhaps, but iOS 10 is now 3 years old; Facebook has had plenty of time to
make those major code changes, as opposed to continuing to use VoIP push
notifications for things other than VoIP.

~~~
dan-robertson
Facebook aren’t obliged to make a change just because they can. Taking
something that works and changing it for its own sake is something people very
often get annoyed about.

~~~
acdha
> Taking something that works and changing it for its own sake

That's a somewhat misleading way to characterize this: VoIP apps are still
going to be just fine using the VoIP API. The question is whether legacy code
should preclude Apple taking steps to act on their users' behalf. Given the
number of people I know who uninstalled Messenger so their phone could make it
through the workday without a charge, I'm pretty sure most people will shed no
tears for someone at Facebook having to do the job they are very well paid to
do.

~~~
dan-robertson
I don’t get what you’re trying to say? The GP says the new api which Facebook
should use has been available 3 years, implying that fb ought to have made the
change long ago. I say they had no reason to make the change in the last three
years [because Apple are dropping support for the old api now and only
announced this recently]. And you say that’s wrong (so FB should have made the
change 3 years ago) because ... the app will have been fine? Or because Apple
behave nobly? I don’t see how it follows.

~~~
acdha
I’m saying that Facebook was using an API for something other than what it was
designed for, and thus I don’t feel much sympathy for them having to change
their code when the API contract is more strictly enforced. It’s just a cost
of doing business at that point.

------
_bxg1
It's a shame that in today's world we have to choose between platforms that
are open-ended and platforms whose software respects its users. But given that
choice, I support this outcome.

~~~
medecau
It's very hard to provide both as abusive software (malware) tends to take
advantage of the open-endedness of platforms to abuse the users.

~~~
simonh
It’s worse than that even. Open platforms that are popular get commoditised
easily, which squeezes margins for vendors, increasing pressure to monetize by
any means possible.

The race to the bottom does benefit customers in terms of prices, but there
are real costs in terms of the quality and trustworthiness of the products.
The cheapest products are most likely to be monetising in shady ways.

------
stelabouras
For anyone interested in the technical side of the changes getting introduced
in iOS 13 regarding messaging apps, the 707 session 'Advances in App
Background Execution' of WWDC 2019 is really helpful:
[https://developer.apple.com/videos/play/wwdc2019/707/](https://developer.apple.com/videos/play/wwdc2019/707/)

------
yipeedipee
Ars just covered it: [https://arstechnica.com/gadgets/2019/08/ios-13-privacy-feature-will-force-total-overhaul-for-facebook-apps/](https://arstechnica.com/gadgets/2019/08/ios-13-privacy-feature-will-force-total-overhaul-for-facebook-apps/)

~~~
dang
Normally we'd switch to something like that so everyone can read it, but since
The Information just unlocked this one for HN, we can stick with the original
source this time.

~~~
makomk
Probably for the best, since the Ars Technica article seems rather confused.

------
b_tterc_p
Messenger app initiated a conversation between me and a random friend so we
could talk about our 5 year friendship anniversary. Couldn’t fathom who
thought that would work.

~~~
distances
I've been getting these notifications now for a year at least. It's extremely
annoying, and I haven't found any way to toggle it off. Such a colossal
misfeature.

I nowadays only use mbasic.facebook.com to check messages every two to four
weeks, as FB is still kind of a backup contact platform for many people if
everything else fails.

------
bubble_talk
Facebook engineers know exactly what is going on, and I don't think they
actually care.

If you want to see exactly how creepy the whole thing is going to get in the
future, you just have to take a look at the transcripts from the Software
Engineering Daily podcast where a group of engineers from FB were interviewed
recently. The interviewer _never once mentioned_ the word privacy in the
entire interview across all the five interviews (with pretty senior FB folks
who have been there for quite a while). Or for that matter, there wasn't
really a single question across all the five interviews which left me thinking
"Well, at least there is someone inside Facebook who disagrees at least
minimally with company policies".

You can search for this in the transcripts yourself.

[https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SEDFB04-Facebook-GraphQL.pdf](https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SEDFB04-Facebook-GraphQL.pdf)

[https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SEDFB10-Facebook-Open-Source-Management.pdf](https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SEDFB10-Facebook-Open-Source-Management.pdf)

[https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SED874-Facebook-Data-Infrastructure.pdf](https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SED874-Facebook-Data-Infrastructure.pdf)

[https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SED873-Facebook-Engineering-Culture.pdf](https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SED873-Facebook-Engineering-Culture.pdf)

[https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SED872-Facebook-PHP.pdf](https://softwareengineeringdaily.com/wp-content/uploads/2019/07/SED872-Facebook-PHP.pdf)

~~~
tjpnz
> Facebook engineers know exactly what is going on, and I don't think they
> actually care.

I know of founders who would need to think carefully about even interviewing
someone with Facebook on their resume. And I totally get these concerns given
the attitude Facebook has towards the privacy of users.

~~~
utouq
What a witch hunt. This is akin to persecuting people for their politics.

~~~
holstvoogd
Well, engineers can have a lot of ethical responsibility. A resume that shows
you have no scruples doing unethical things is a fine way to gauge if someone
is a suitable match.

Not much different than background checks for working in schools or whatever.

------
EGreg
What are the details? What will change?

We will still have VoIP Push Notifications? We personally rely on them to
encrypt the notification payloads and increase privacy so our servers can’t
read the plaintext of the notification. Is that now going away?

------
workingpatrick
If you don't want to provide your email address I put the article here
[https://pastebin.com/kKSNFnm8](https://pastebin.com/kKSNFnm8)

------
killjoywashere
That last line though:

> more of a focus on privacy from the operating systems, and the impact that
> that can have on measurements and also on targeting.

That could have been lifted from an NSA brief. I don't think people realize
just how much "targeting" really is indistinguishable from military targeting.

~~~
fourthark
Could just be the editing, but that line read like them admitting, "yeah we're
listening all the time, it makes us money".

------
justapassenger
According to Signal devs this is required to do e2ee. I worry Apple is
starting to use “privacy” as an excuse for any changes. Especially given that
they build a competing product (iMessage) that has all the access rights in
the world.

------
segmondy
Well this sucks, I'm using this same feature for a privacy app that I'm
working on. It's a useful feature to have. Like all tools it can be used for
good or bad. Folks will find ways to circumvent restrictions. Apple should
enforce with policy, if someone violates. Remove their app. That hurts more.
It's like blackhat SEO, Google delists you, it hurts and many people just
don't anymore.

------
saagarjha
> The impact on battery life briefly made it into the headlines back in 2015
> when it was discovered that the main Facebook app was using the voice-
> calling feature to run in the background.

I thought they were just running silent audio?

------
dwighttk
Good. This sort of thing is why I don’t have Facebook on my phone.

------
dang
The submitted URL was [https://www.theinformation.com/articles/facebook-hit-by-apples-crackdown-on-messaging-feature](https://www.theinformation.com/articles/facebook-hit-by-apples-crackdown-on-messaging-feature),
which was hard-paywalled. But The Information
has been unlocking many of their articles for HN readers. I asked if they
would do that for this one and they said yes, so everyone who clicks on the
link above should be able to read it now.

~~~
rwc
Nice, thank you! And thank you to The Information for sharing quality
journalism with the HN community.

~~~
ballmers_peak
No problem!

~~~
icpmacdo
It seems like a smart win-win situation for you. I bet if the WSJ etc. did the
same it would drive non-trivial growth

------
kingo55
What's with the login wall to read the article? Does every random site need my
personal information now?

~~~
codazoda
I wish these types of sites were not allowed on Hacker News. I'm not paying
for every little news site I read on here (or the big ones). I usually click
on the link, realize it's got this crap on it, and bail back out. I don't want
to read it and would rather it didn't even show up.

For a while I had updated my CSS setup so that these sites would have a strike
through on them and I'd go straight to the comments instead of trying to read
the story.

~~~
dang
If there's a workaround, it's ok. Users usually post workarounds in the
thread. This is in the FAQ at
[https://news.ycombinator.com/newsfaq.html](https://news.ycombinator.com/newsfaq.html)
and there's more explanation here:
[https://news.ycombinator.com/item?id=10178989](https://news.ycombinator.com/item?id=10178989)
and
[https://hn.algolia.com/?query=by:dang%20paywall&sort=byDate&...](https://hn.algolia.com/?query=by:dang%20paywall&sort=byDate&dateRange=all&type=comment&storyText=false&prefix&page=0)

The Information doesn't have a workaround, but they do unlock many articles
for HN readers. I asked them to unlock this one and they did, so everyone who
clicks on it from HN can read it now.

