
Zoom’s Use of Facebook’s SDK in iOS Client - patrickyevsukov
https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/
======
mikenew
So it sounds like Zoom was using the Facebook SDK, and now they're not.

I've been and iOS developer for a long time. I can tell you from experience
that _everyone_ does this. I have never worked for anyone who didn't ask for
their app to include some combination of Facebook, Google, Flurry, AppCenter,
Segment, Intercom, Parse, or whatever other random analytics framework the PM
happens to be infatuated with.

Getting mad at Zoom for using the Facebook SDK is missing the point. They and
a million others are always going to be doing this. Get mad at Apple for not
letting you wireshark your own iPhone. Or having no way to package open source
software where you can actually see what's running. As long as you're running
binary blobs that can make whatever network connections they please, people
are going to take your data and send it to places you don't know about.

Yeah maybe you can pass laws about it. But is that really a great solution?
Who audits that? How do you determine what's legal and what's not? We should
be pushing for a platform that makes it obvious what the software you're
running is up to. The random pitchfork crusade against whatever company
happens to catch a bad news cycle just isn't going to get us anywhere.

~~~
nexuist
I don't want to live in a world where my parents and grandparents are expected
to pull up Wireshark to figure out if the app they're using will record their
front camera without consent.

Blaming Zoom and FB is entirely acceptable here, it is their responsibility to
keep my data private.

Blaming Apple? Why, when Zoom is on the Play Store as well?

[https://play.google.com/store/apps/details?id=us.zoom.videom...](https://play.google.com/store/apps/details?id=us.zoom.videomeetings&hl=en)

>As long as you're running binary blobs that can make whatever network
connections they please, people are going to take your data and send it to
places you don't know about.

Surely there are open source video chat solutions already? They haven't taken
off for one simple reason: video hosting is __expensive. __It 's quite
literally one of the most intensive network activities you can partake in,
rivaling torrenting.

It doesn't make sense economically to offer a video hosting platform without
collecting income from it. Nor does it make sense to attempt a peer-to-peer
solution knowing full well that one laggy peer wrecks the experience for
everyone else.

It's a very hard problem.

~~~
judge2020
> Blaming Apple? Why, when Zoom is on the Play Store as well?

Blame Apple because they constantly tout the iPhone as being "privacy
respecting" and "what happens on your iPhone stays on your iPhone"[0], while
they

A. Apple doesn't default to "limit tracking", or at least make "limit
tracking" an option on setup/iOS upgrade

B. Apple doesn't penalize developers for using Facebook's SDK with auto data
collection (ie. punishment by having text like "sends data to: facebook,
google, hotjar" on an app's install page)

C. Apple doesn't do any software stuff to limit and track the trackers. Having
a counter for # of total days a domain name was contacted would be an eye-
opener for many, and being able to toggle a "block" on the domain would be a
big step forward.

Facebook meets the standard for being included in apps (respects the user
resetting the usage ID), but that standard isn't the standard privacy-
conscious users want. Apple can do better, but whether it be industry pressure
or monetary pressure [google paying to be the default search engine], they
don't actually put privacy first.

0: [https://www.businessinsider.com/apples-ces-ad-las-vegas-
misl...](https://www.businessinsider.com/apples-ces-ad-las-vegas-
misleading-2019-1)

~~~
diminish
> the Facebook SDK was collecting device information unnecessary for us to
> provide our services.

Sorry state of Apple App security and privacy - all your apps are swarms of
data collection and privacy abuses.

Apple built this world - and Apple is to blame. Zoom is to blame too. And
finally individual app developers should also alert everyone on what's truly
happening in their apps.

~~~
girvo
While I have zero love for any given hyper capitalistic business like Apple,
Android is not any better on the whole in this space, and in some ways
measurably worse (especially when you take into account what devices actually
hold the largest market share)

~~~
tyingq
This is true, but Apple touts how much better they are about Privacy, and
charges a premium for it. Google is more up front that they make little money
on the initial sale, and are dependent on advertising to make money.

~~~
Justice4Yall
> Privacy is built in from the beginning. Our products and features include
> innovative privacy technologies and techniques designed to minimize how much
> of your data we — or anyone else — can access

[https://www.apple.com/privacy/features/](https://www.apple.com/privacy/features/)

Apple sells privacy, brags about privacy - yet Privacy is abused in from the
beginning in the store apps.

~~~
type0
And the lesson is - _you can 't buy privacy but you can sell it_.

------
pyt
I contacted LG last month regarding their use of the Facebook SDK's automatic
event collection in their ThinQ Android app. They responded and told me that
they're disabling it in an upcoming release (incidentally, today's). If a
single email is all it took to get a company with over $50 billion in revenue
to disable Facebook's tracking in one of their apps, I really don't think that
these companies are sharing data intentionally.

What justification does Facebook have for keeping automatic event collection
turned on by default in their SDKs? Why can't they enable it only when the the
user has explicitly opted in ([https://developers.facebook.com/docs/app-
events/gdpr-complia...](https://developers.facebook.com/docs/app-events/gdpr-
compliance/#disabling-automatic-event-collection))? They even say, "you need
to ensure that your SDK implementation meets these [GDPR] consent
requirements."

~~~
nh2
> I don't think these companies are sharing data with Facebook intentionally.

That would imply they are incompetent and negligent.

Would one not expect large companies like LG to have internal security and
privacy reviews of the software they publish, and know very well what they are
doing?

> What justification

Their core business.

~~~
kelnos
> _That would imply they are incompetent and negligent._

Not really.

Product Manager: I want to be able to support Facebook login for our app.

Developer: OK... [googles for how to do that] ... We can use the FB SDK for
that.

PM: Cool, let's do that.

Dev: [implements it]

Nobody really does much more due diligence than that most of the time. I
suppose you could argue that's negligent, but if that's the case, then pretty
much every company that has an app with login functionality is probably in
that boat.

~~~
saagarjha
> I suppose you could argue that's negligent, but if that's the case, then
> pretty much every company that has an app with login functionality is
> probably in that boat.

I think every company that does this is negligent. Audit your dependencies,
people!

~~~
asutekku
As nice as it would be, auditing everything you use is almost impossible,
especially for smaller teams.

~~~
nh2
Is this really a compelling argument for the given case? A detailed audit does
not seem necessary here:

This is not some surprising behaviour hidden in some random dependency.

This is the Facebook SDK, from Facebook, and _everybody_ knows what their
business is.

~~~
type0
> This is the Facebook SDK, from Facebook, and everybody knows what their
> business is.

Ignorance is a bliss. Talk to some people that still use fb after their
scandal and you'll get "who cares, everyone is tracking users and selling data
anyway" as an answer.

------
lultimouomo
Nice way to bury an innocuous "iOS Advertiser ID" in the middle of the list.
What "iOS Advertiser ID" means is, to a very good degree of approximation,
your deanonimized identity.

Also, that just linking the SDK in your app deanonimzes the user to Facebook
is very, very clear in its documentation. It's not like Zoom didn't notice
until someone told them. They made a decision, and now they're changing it
because they were called out.

~~~
andreasley
The Advertising Identifier is app-specific, and if Limit Ad Tracking is
enabled, it is set to all zeros. So it's not accurate to say that it's "your
deanonimized identity".

~~~
monocularvision
You are correct that users can disable it but incorrect to say it is app
specific:

[https://developer.apple.com/documentation/adsupport/asidenti...](https://developer.apple.com/documentation/adsupport/asidentifiermanager/1614151-advertisingidentifier)

You are thinking of “identifierForVendor”:

[https://developer.apple.com/documentation/uikit/uidevice/162...](https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor)

------
Hokusai
To use the Facebook SDK is a rocky mistake. It includes all kind of telemetry
that is send to Facebook, whenever the user is connected to Facebook or not.

In the company I worked for, they read the code, you have access to it, and
stripped that parts. It's not much work but its a pain.

The best approach is to use just the HTTP APIs and ignore the SDK. Your team
will better understand how Facebook works, your app will be lighter and you
are free from nasty surprises that a 3rd party may add to your app without
your knowledge.

~~~
mianos
This is kind of exactly what they said it didn't do.

------
dx87
It's good that they removed it, but it's also dissapointing that they had no
idea that it was happening until someone made a blog post about it. Do their
employees not vet any of the code they use, and just slap things together off
the internet and hope it's not doing anything their users don't like?

~~~
xiphias2
It’s the official SDK of one of the biggest companies. I can’t fault them on
not catching this. What Facebook does is ugly.

~~~
remarkEon
Yeah, this.

I really can't fault Zoom here. They used an existing tool provided by a
company that is, allegedly, reputable.

Though, thinking about it more perhaps Zoom should get some more scrutiny here
because this isn't the first time Facebook has said eff it to user privacy.
Distrust of Facebook should be the default.

~~~
xiphias2
Actually Apple and Google should not allow this in their app store policy. An
3rd party SDK sending data if it’s not needed should be a BIG no-no....I
expect at least Apple to require this.

There are probably thousands of other apps that have the same problem.

~~~
mgoblu3
Would be pretty hard to scan for, but I agree that there should be something
at least outlined. Privacy policies clearly are aren’t useful enough.

~~~
yjftsjthsd-h
Hard in the general case, but I'll bet it's trivial to scan for the Facebook
SDK, or any other blacklisted libraries, unless they're intentionally
obfuscated.

------
Ericsyuan
Dear all, I am the CEO of Zoom. First, I sincerely apologize about this
Facebook SDK issue. We learned a lesson, and we will do all we can to improve.
I also wrote a blog.

[https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-
facebo...](https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-
in-ios-client/)

Please take care and be safe.

~~~
ponsin
Hey, thank you for listening to security researchers and fixing a problem when
you became aware. I know this is not so much a problem, but rather a business
decision, but the product would be much more useable if it was possible to
connect without the app without having to use some tricks. There have been
many conferences that took much longer than expected to start because not
everyone had Zoom

~~~
Ericsyuan
Dear Ponsin,

You are right on! To focus on our service stability and security are our top 2
priorities. We will work as hard as we can to keep improving. Thank you for
your great support!

------
ccktlmazeltov
And so zoom crumbled from the social pressure, while every other service and
website is thinking "oof, they didn't realize that everybody does this to do
advertising"

~~~
floatingatoll
It's also possible they didn't listen to their app over the wire and see it
doing this. What lesson could we teach about "why you should mitmproxy your
app while it's in development?", so that people can start uncovering this in
_other_ apps — including their own?

------
narendranag
Considering how many apps are using Facebook's SDK, shouldn't this be
something that FB should be addressing? After all, they are the ones making an
SDK available to app developers to help with user-login. Shouldn't the
presumption of trust rest on FB?

~~~
designcode
I can’t see the big deal. We use the Facebook SDK specifically for the free
analytics. It’s just a default part of the SDK. It’s not sending anything any
other analytics package wouldn’t

~~~
yjftsjthsd-h
> It’s not sending anything any other analytics package wouldn’t

But the _where_ matters as much at the what; sending it to FB means that they
add it to their profile of your users.

------
dannyw
It’s not fair to be attacking zoom so much over this. They took prompt action
as soon as they were aware.

~~~
harry8
As soon as they were aware of the thing they themselves did.

So they don't know what they're doing? Really? How does that defense go in
criminal trials?

------
floatingatoll
Zoom's blog post about the removal of Facebook login and SDK:

[https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-
facebo...](https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-
in-ios-client/)

------
aurbano
What if mobile platforms (iOS, Android... ) changed the security/privacy
policy so that apps had to request the “network access” permission, either
whitelisting domains they want to talk to, or askingfor wildcard access?

Most apps shouldn’t need wildcard access, and the mobile device could include
a warning when an app does this teaching users that they should be careful
with the app.

This way at least when you installed Zoom for example, it would say something
like:

“Zoom is requesting network access to:

\- zoom.us \- analytics.tracker.example.com \- facebook.com “

And then at everyone would know. It still doesn’t solve the underlaying
problem, but it would probably make companies more reluctant to add third
party analytics and sdks.

~~~
saagarjha
Most apps are extremely chatty and prompts like these may not end up being
useful.

~~~
jmiserez
It worked for location access on iOS, and that was just adding a flashing blue
icon. Many apps stopped using the location all the time, and now there's a
popup every few days telling you how often the app requested your location in
the background.

------
shbooms
Headline should technically read:

"Zoom Removes Code That Sends Data to Facebook when you first open the app"

as per the article:

"Motherboard downloaded the update and verified that it does not send data to
Facebook upon opening."

It's a bit naive to just assume that just because they don't send the data
right away, that it's not getting sent at some point later on.

~~~
noahtallen
> we decided to remove the Facebook SDK in our iOS client and have
> reconfigured the feature so that users will still be able to log in with
> Facebook via their browser.

Since they removed the Facebook SDK entirely, whatever mechanism Facebook used
to collect the info doesn’t exist any more. Instead of being able to collect
the data at all times, wouldn’t FB only have a vector to do so through web
login? At that point, I assume they could do fingerprinting in the browser to
collect some info, but at least the cannot do it on the system level any more.

It still seems like this is a big improvement. Though, I imagine most folks
will have at least one other app using the FB SDK, so it’s not like the root
cause is fixed.

~~~
diebeforei485
On recent versions of iOS, in-app browsers do not share data with the Safari
browser. How effective would browser fingerprinting be? Everyone with the same
device, same language/locale and same timezone should have the same browser
fingerprint, I thought.

~~~
saagarjha
> On recent versions of iOS, in-app browsers do not share data with the Safari
> browser.

Specifically, SFSafariViewController does not share cookies or other data with
Safari anymore. Some bad actors got caught with their hands in the cookie jar,
literally, and out that sharing went.

~~~
greggman3
The do still share something. In response to this headline I installed the
Zoom app and picked to login with Facebook. A browser popped up showing the
facebook webpage and said "Login as Gregg Tavares?". Since I just installed
app how did Facebook know it was me? The only possibility that comes to mind
is that Safari was using cookies from some other app's embedded webview.

~~~
leesalminen
I believe the cookies passed into the webview are limited to a specific
domain. So the app developer says “open a webview for Facebook.com” and the
webview includes cookies only for the stated domain.

------
proactivesvcs
If Zoom "takes its users' privacy extremely seriously" and their "customers’
privacy is incredibly important" then why would they be releasing software
without a strong knowledge of what third party code they're adding in, and
what exfiltration might be happening as a result? They hold user privacy in
such high regard and yet are releasing a program without even hooking it up to
a network monitor for five minutes?

Someone's lying here.

~~~
ricardobeat
This is absolutely common. Business will require tracking/authentication/etc,
contracts will be signed, developers will implement the provided SDK. Nobody
will inspect the data being sent.

> releasing a program without even hooking it up to a network monitor for five
> minutes

How many times have you seen _anyone_ do that? Unfortunately that is the
reality - my personal take is to simply try to avoid vendor libraries at all
costs, but it's hard to sell.

~~~
gfodor
I guess this is another under-recognized benefit of developing for the web -
when doing so, you're staring at the Network tab all day, trying to grok
what's going on over the wire and to whom. I don't remember doing this nearly
as much on native.

~~~
kelnos
Yeah, that's the thing. I do very little web development, but I inevitably
find myself in the Network tab of dev tools debugging something. I do around
as little mobile (Android) development, and I'm not even really sure _how_ I'd
watch network traffic coming from an Android app. (I'm sure it's possible, but
I imagine it requires explicit setup, possibly with some third-party software
and/or the assistance of a laptop.)

~~~
fiddlerwoaroof
If you have a router running something like openwrt (or from a vendor that
uses openwrt and lets you get a root shell on the router) you can just use
tcpdump on the router with a filter to pick the host you want to monitor.

------
awinter-py
covid will shift the overton window on privacy

centralized location tracking in an infectious crisis (either mandatory or
mass voluntary) will normalize to 'good'

sleazy third-party phone home from apps considered key to surviving under
lockdown, apparently not ok now! good

the bad news is we'll normalize some bad practices, but the good news is we'll
make pragmatic compromises using actual information -- with covid taking up
moral panic cycles, privacy is a place we can be rational

also no business feels totally secure RN and people will do anything to win &
keep business -- even zoom

------
JumpCrisscross
Wouldn’t a meaningful win require a change to their privacy policy?

------
dylan604
That's great for iOS users, but it doesn't mention anything about the Android
client. Nor do they discuss the tracking that the webapp still does even
though they explicitly state they still allow FB login via browser. Isn't this
more of a sorry for getting caught rather than an actual apology?

------
ineedasername
They were made aware of the issue on the 25th... it seems like due diligence
would have revealed the issue at the outset. It should be no secret that FB
provides their authentication services with strings attached. At least they
fixed it quickly.

------
cexilevuanh
It seems that Facebook JS SDK also sends user behavior back to Facebook even
when user doesn't click on the "Sign in with Facebook" button:
[https://simplelogin.io/blog/do-not-use-facebook-
sdk/](https://simplelogin.io/blog/do-not-use-facebook-sdk/)

On the Web, it's recommended to use a generic OAuth library instead of
integrating Facebook JS SDK. On mobile, this is almost impossible though as
Facebook doesn't implement the OAuth PKCE flow.

------
jka
For anyone interested in Facebook's SDK behaviour on Android, there's a good
video[1] from 35C3 covering this topic, and a related HN discussion thread[2].

[1] -
[https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...](https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_android/)

[2] -
[https://news.ycombinator.com/item?id=18788658](https://news.ycombinator.com/item?id=18788658)

------
Mave83
Thank you zoom.us for the best tool available right now with a fair and
acceptable price model. A special thank you also for the great Linux support,
that is absolutely unmatched from all other "solutions".

I am very sorry that so many bad publicity happens right now, but as far I
know even bad publicity is good in the end.

~~~
djsjejjdi324
well, you know, bad publicity because of bad practices.

------
intopieces
I'd like this to be independently verified. There were a lot of comments on
the other threads that "Of course Zoom was sending data to Facebook" because
they're using Facebook's SDK. It made it seem like such data leaks were
inevitable, when apparently they aren't.

~~~
mroche
From the article:

> Motherboard downloaded the update and verified that it does not send data to
> Facebook upon opening.

Edit: Fixing mental hiccup, nothing to see here.

~~~
starmftronajoll
This is the new article from Motherboard. Motherboard = Vice

~~~
mroche
Now I feel dumb. I completely forgot that connection, and skipped over the
blatant “Motherboard, Tech by Vice” in the title. It’s been a long week...

Don’t mind me, just fixing that mistake.

------
madwhitehatter
[https://www.theregister.co.uk/2020/03/27/doc_searls_zoom_pri...](https://www.theregister.co.uk/2020/03/27/doc_searls_zoom_privacy/)

------
dbg31415
Great, now if they would stop having an activity monitor that checked every
process running on your computer, or made their web interface work with
Firefox we’d be all set...

------
aledalgrande
Just curious about the IP being sent to FB, isn't that PII? How can FB do this
legally without the user agreeing to it first? Or did I miss something?

------
chmike
Is the data sent back to Facebook sent in clear text ? What if they used https
to send back the data ? Would the data content be detectable ?

------
benreesman
Evil privacy-invading shit is fucking _everywhere_. Why is it only news when
Facebook is somehow involved?

------
rbruggem
Zoom, you've handled this perfectly

~~~
ThePowerOfFuet
/s

------
tinus_hn
Is that list actually complete? It doesn’t sound like _that_ much of a deal.

------
xenonite
Let me ask how many of those who now argue in Zoom's favor have bought shares
or are invested in any other way, like having bought licenses directly or
indirectly for their company?

------
jbverschoor
Tooo little, too late. Try creating a Mac App Store version first

------
rawoke083600
Just uses jitsi

------
jbverschoor
I really don’t appreciate the downvoting mobs by certain companies.

------
jscholes
So did they just... remove Facebook login? Doesn't seem that likely. Maybe the
FB SDK has some flags you can set.

~~~
Operyl
> "We will be removing the Facebook SDK and reconfiguring the feature so that
> users will still be able to login with Facebook via their browser. ..."

It sounds like this they're just no longer flat out using the Facebook SDK
(which provides a slightly more "native" / "nicer" login flow for apps when
used). They're going to do what most (at least, from personal experience) apps
do and just show a webview with a redirect back into the app, which doesn't
call out to Facebook at all.

EDIT: That is, it doesn't call out to Facebook at all until you start the
login flow, which is just opening a browser view to the oauth2 flows..

------
mkchoi212
That is ridiculous that a company as big as Zoom wouldn't know what an API
they're using is doing with their customer's data. Is there not a
legal/privacy team at Zoom that is in charge of reading all the fine prints
and license agreements??

~~~
xiphias2
I guess you haven’t worked at a big company yet.

For me this would be much stranger at a tiny company.

------
anonu
I noticed today that the mic was "muted" on zoom. I chimed in on the video
call I was on and the window flashed a reminder that I was "muted".

So clearly the mic itself is not muted - the software is still listening.

Not sure how I felt about that given all the recent Zoom privacy revelations.

~~~
klyrs
Yeah, my light's still on when I'm not sharing video and I hate it

~~~
banana_giraffe
Interesting. The LED on my 2019 MBP's camera goes off when I stop Zoom's
video.

------
ababol
>> we were made aware on Wednesday, March 25, 2020, that the Facebook SDK was
collecting device information unnecessary

So Zoom is basically lying here

Come on, the developers who takes the responsibility to use the SDK were aware
of it, ok maybe the CEO of Zoom or the market guy was not but the tech team
is. They are not stupid.

You should have just apologise and assume your fault, that would be the
courageous position, not denying it.

Tbh I am ok with Zoom sending my data to FB (I mean, in my case I've
insta/messenger anyway) but not ok for Zoom taking everyone as naïve people
with this lying statement.

~~~
madwhitehatter
This is what scares most security analysts is the fact that the product was
developed and stores data in a place that has incredibly sketchy laws when it
comes to intellectual property.

I can't see why Zoom can't come out with a statement regarding why they are
collecting all of this sensitive data.

Big corporations might be sharing stuff unwittingly with people that they
don't want to share it with.

[https://www.sec.gov/Archives/edgar/data/1585521/000119312519...](https://www.sec.gov/Archives/edgar/data/1585521/000119312519083351/d642624ds1.htm)

Top of page 21 in their SEC filing:

"In addition, we have a high concentration of research and development
personnel in China, which could expose us to market scrutiny regarding the
integrity of our solution or data security features. Any security compromise
in our industry, whether actual or perceived, could harm our reputation, erode
confidence in the effectiveness of our security measures, negatively affect
our ability to attract new customers and hosts, cause existing customers to
elect not to renew their subscriptions or subject us to third-party lawsuits,
regulatory fines or other action or liability, which could harm our business."

------
greggman3
I'm happy the Zoom doesn't want to help Facebook spy on me. Unfortunately the
chosen solution is still a privacy nightmare. Basically they let you login to
Facebook via an in app browser. The problem is an app can spy on all activity
of an in app browser. That means you have to trust that Zoom is not recording
your facebook password as you type it in. We need a better system.

Also scary. I have never ever logged in to Facebook on my iPhone except via
the Facebook app and it was the first time I've installed Zoom. When I went
into the Zoom app and picked login via Facebook, somehow it knew who I was and
asked if I wanted to login as me. How is this possible? Is iOS sharing cookies
across apps? I feel like maybe I need to reset my phone. WTF

I also feel like the best solution for this case is to somehow login via the
facebook app. I know that used to be an option but it seems facebook
deprecated it. My argument would be (a) I don't have to worry Zoom (or any
other app) is getting my Facebook credentials (b) If actually do want to login
via Facebook it's almost guaranteed I have the app installed.

~~~
codesternews
Not in iOS. If they are using with webview or safariviewcontroller they can
not access the browser cookies or data or most of device information.

~~~
greggman3
Not true AFAICT. Given Chrome on iOS uses a webview and overrides all
networking and given Firefox can inject JavaScript it seems trivial to use
both of those features to spy on any webview activity

------
yingw787
I love $ZM, it works when nothing else does, and it's responsive to user
feedback and cares about user happiness. Most of the interactions I have today
are through $ZM and my life would be cut off almost entirely if $ZM didn't
exist. If I'm fortunate enough to run a company, I would love to have a
business relationship with $ZM, and I'll remember all this.

No, I'm not a paid shill, just a really tired and stressed out guy who gets
almost all of his social interaction through Zoom.

~~~
ThePowerOfFuet
Whereby works great for social interaction.

