
Facebook Still Tracks People on Yelp, Duolingo, Indeed - hadrien01
https://privacyinternational.org/blog/2758/guess-what-facebook-still-tracks-you-android-apps-even-if-you-dont-have-facebook-account
======
elagost
Hacker News is a pretty small bubble, but news about Facebook being awful is
pretty mainstream at this point. It surprises me that the majority of my
family can still tolerate Facebook (and instagram/whatsapp etc.) despite what
is known.

I'm pretty vocal among my family about data security/privacy, as I'd like to
keep information about me and my family safe from prying eyes, but it takes a
lot of effort and know-how to put up walls against the sort of electronic
creepiness that's default-on for most of us. It's been almost 3 years, and
most of my friends/family still don't have content blockers installed for
Safari on iOS. None of my family or friends have made any moves to ditch
Facebook, instagram, whatsapp, etc. even though the barrier to entry for new
services is so low.

It's frustrating to know that despite how bad they are, despite every new
discovery of terribleness, nothing's going to change, and they're just going
to get bigger.

~~~
smallgovt
The unfortunate explanation for the phenomena that you're observing is that
most people simply don't care about their privacy -- at least not nearly as
much as you do.

~~~
cloudsinthesky
> The unfortunate explanation for the phenomena that you're observing is that
> most people simply don't care about their privacy -- at least not nearly as
> much as you do.

I don't think that is a fair assessment. Even if that is true technically, it
is missing the spirit of the question at hand. I think many people are
misinformed about what is happening in data collection and processing, and if
they were well-informed, would care more about their privacy. Given that
people are intentionally being misled about the implications of giving up
their privacy - via various propaganda about how it's not-that-bad, etc - I
think it is unfair to state that people "simply don't care about their privacy
... as much as you do".

I think if people knew what was at stake, they would care more. Stating that
they "simply don't care" is basically ending the conversation preemptively,
such that the only possible future is that there is no privacy.

But I think people are misinformed, greatly. Very few people have any idea how
intense FB's data collection efforts are, or how insecure the data is when it
goes there, etc. Even NYT pieces do not reach that many Americans. And NYT or
other publications are careful and methodical about their writing, barely able
to reach into the future and question out loud the future FB is building.

Democracy is at stake. This is more than a question of individual privacy:
people need to understand that our society is crumbling due to lack of
privacy, because wealthy and powerful institutions are using that intense
violation into private American lives to brainwash targeted people with
conspiracy theories and other dangerous society-damaging things.

Privacy matters to everyone, I'd wager even to those who think they don't
value their individual privacy.

~~~
smallgovt
>> I think many people are misinformed about what is happening in data
collection and processing, and if they were well-informed, would care more
about their privacy.

Yea, people are uninformed. But, I think you're overestimating people's
capacity to care about issues that will have no real consequence on their
life. The average person just wants to spend time with their family/friends,
gossip, and enjoy their hobbies. Facebook helps them do just that.

>> But I think people are misinformed, greatly. Very few people have any idea
how intense FB's data collection efforts are, or how insecure the data is when
it goes there, etc.

This is exactly the type of information that people don't care about. "So,
you're telling me FB knows I'm browsing Groupon for wedding gift deals and
looking at cat pictures on Reddit? O, and other people could have access to
that data?" Shoulder shrug...

>> Democracy is at stake. This is more than a question of individual privacy:
people need to understand that our society is crumbling due to lack of
privacy.

I guess this is the type of argument people actually care about. The problem
is that their uninstalling Facebook isn't going to change anything, other than
making their lives less fun. If there's a real threat to democracy, the
solutions need to come via regulation.

~~~
cloudsinthesky
> But, I think you're overestimating people's capacity to care about issues
> that will have no real consequence on their life.

Why do you think that this has no real consequence on their lives? I would
state unequivocally that privacy violations have a direct consequence on
people's lives. And they see that consequence, too, it's not some hidden
thing. I would blame a lack of privacy culture on the election of a lying,
cheating government that has directly caused pain to individual Americans.
This is happening presently and I believe that if we had valued privacy
significantly more over the last two decades, there would be far less physical
pain intentionally caused on targeted people.

> This is exactly the type of information that people don't care about. "So,
> you're telling me FB knows I'm browsing Groupon for house cleaning deals and
> looking at cat pictures on Reddit? O, and other people could have access to
> that data?" Shoulder shrug...

What do you mean? I'm not talking about that _at all_. I'm talking about how
when you go to the grocery store and someone snaps a selfie with you in the
background, FB knows. They know when you take the subway and where you go,
they [will] know pretty much every single detail of your life even if you
don't have an account.

I'm not talking about browsing the web. By the way, that privacy violation is
real and serious, not something to shrug off.

> The problem is that their uninstalling Facebook isn't going to change
> anything, other than making their lives less fun

What do you mean by this? Uninstalling Facebook isn't going to change anything
because FB spies out the wazoo anyway! And anecdotally, I think that people
are generally happier when they spend less time on Facebook, not less happy.

> If there's a real threat to democracy, the solutions need to come via
> regulation.

Sure - but with the way laws are written, FB's lawyers will write those laws
and nothing meaningful will change. More than legislation has to happen, a
cultural shift into caring about privacy is needed.

~~~
smallgovt
>> What do you mean? I'm not talking about that at all. I'm talking about how
when you go to the grocery store and someone snaps a selfie with you in the
background, FB knows. They know when you take the subway and where you go.

"I don't care if FB knows I was at the grocery store, or at the mall, or on
the subway. I care about not missing the invite to my niece's birthday party."

>> They [will] know pretty much every single detail of your life even if you
don't have an account.

Imo, this is fearmongering...

------
tombert
I hate this data tracking as much as everyone else here, but is this really a
surprise to anyone? I used to put Google Analytics on my blog, and I thought
most of the people here were pretty aware of how gigantic the Facebook
advertising claws stretched.

I feel like until we have an internet that isn't dependent on ad-networks,
this is an inevitability. Targeted ads perform better, and you cannot expect
these giant megacorporations to act ethically when it will cut into their
profits and while they're technically not violating any laws.

~~~
SaulOfTheJungle
> I used to put Google Analytics on my blog

Have you found a viable alternative or removed analytics from your blog
altogether?

~~~
guitarbill
Not OP, but personally I removed it and don't miss it. But then I'm not trying
to monetise everything, so analytics seem more about the ego boost in
retrospect. A bit shameful I was willing to compromise my readers' privacy for
that.

Depending on your needs, it's pretty easy and interesting to hack something
together yourself though.

~~~
SaulOfTheJungle
I think I will resort to looking at the Apache access logs.

I just want to know the number of daily unique visitors and where they are
located (geographically).

------
HenryBemis
Oh the number of apps that EVERY TIME are ran try to talk to FB... Even my
phone banking apps. I understand that from a game or a selfie app. They are
'silly' by nature. But why the F... would my bank want to notify FB that I am
using their app?

The same applies for EVERY airline app I have used over the last 5 years.

NoRoot Firewall for Android, and put a global Deny rule for 31.13.x.x and
problem is solved.

~~~
badfrog
> But why the F... would my bank want to notify FB that I am using their app?

It's not that they want to notify Facebook. It's that they get useful
functionality from libraries that Facebook makes available. And they've either
decided that sharing your info with Facebook is a worthwhile tradeoff for the
engineering time, or they don't realize it's happening.

~~~
wodenokoto
What services are you thinking of?

~~~
badfrog
If you click through to the original PI investigation [1], it says:

> _Facebook routinely tracks users, non-users and logged-out users outside its
> platform through Facebook Business Tools. App developers share data with
> Facebook through the Facebook Software Development Kit (SDK), a set of
> software development tools that help developers build apps for a specific
> operating system._

I don't have more info than that

[1]
[https://privacyinternational.org/appdata](https://privacyinternational.org/appdata)

------
morningmoon
How many people here track their users? How many people here track where their
users come from, what they click on, who they are, etc?

The constant articles deriding Facebook ring hollow considering most of HN’s
audience is engaged in similar behavior.

~~~
confounded
There’s a very large difference between:

\- Tracking the behavior of your own users on your own app, for product
improvement purposes (which most users will expect)

\- Sending the behavior of your own users on your app to an advertising
surveillance company, with an ID that can be used to correlate that behavior
with behavior elsewhere, without their knowledge, consent, or reasonable
expectation

And before anyone says it, no, a generic line about third-party service
partners in a sadistically long TOS/Privacy-policy does not count as
meaningful consent. Even Supreme Court justices admit that they don’t read
them.

~~~
OnlyLys
I'm not too up to date on the news, but isn't FB building a shadow profile of
everyone?

So even if you're not a user, you get tracked and your data gets sold. That to
me was a step too far, and got me to really scale back what I share on the
Internet.

~~~
morningmoon
They don't have shadow profiles. That was FUD spread by the news, and articles
like the one we're commenting on now that constantly get voted up to the front
page.

Here's Facebook's post explaining what they collect for people who haven't
registered: [https://newsroom.fb.com/news/2018/04/data-off-
facebook/](https://newsroom.fb.com/news/2018/04/data-off-facebook/)

TLDR: They collect what Google and all the analytics and ad-network companies
collect, in order to target ads, along with incidental "user data" like IP
address, etc.

------
hadrien01
Changed the title from 'Guess what? Facebook still tracks you on Android apps
(even if you don't have a Facebook account)' (too long for HN and missing
details)

~~~
dwighttk
might be worth leaving Android in there though...

~~~
gsa
From the article:

> Since we published our report, mobilsicher.de could also confirm that apps
> on iOS exhibit similar behaviour.

------
h3ckr
And Google tracks people on ALL websites, without any consent. When are we
talking about that?

~~~
delecti
Whataboutism isn't helping anything. Google doing something doesn't make it
okay that Facebook does it. And Google's tracking is being discussed in this
very thread, so it's not even accurate whataboutism.

~~~
50656E6973
Hushing people who are pointing out the larger context isn't helping anything.

The root problem is not any one single company.

~~~
delecti
There's always a larger context though. Who cares about Facebook or Google
when the NSA is tracking everything we do? Who cares about anyone being
tracked when the global climate is on track to destabilize society? Who cares
about society when we're not doing anything about the inevitable heat death of
the universe?

Pointing out the larger context isn't automatically helpful. I believe the
GP's comment is an example of unhelpful whataboutism.

~~~
50656E6973
>Who cares about Facebook or Google when the NSA is tracking everything we do?
Who cares about anyone being tracked when the global climate is on track to
destabilize society? Who cares about society when we're not doing anything
about the inevitable heat death of the universe?

Your hyperbole isn't helping anything, and you still havent explained why
delecti shouldnt point out the similar practices of other companies like GOOG.

NSA tracking could be considered relevant, seeing as how they get much of
their data from FB and GOOG tracking, but you're being silly and disengenuous
by asking what about climate change and physics being relevant, that's an
obvious strawman argument that isn't even close to what delecti or anyone here
is talking about.

~~~
delecti
Calling out google's practices is valid, but doing it in a thread about
facebook's practices is whataboutism. It's just not on-topic.

~~~
50656E6973
You're wrong, that's not whataboutism.

>Whataboutism (also known as whataboutery) is a variant of the tu quoque
logical fallacy that attempts to discredit an opponent's position by charging
them with hypocrisy without directly refuting or disproving their
argument,[1][2][3] which in the United States is particularly associated with
Soviet and Russian propaganda.

OP did not "attempt to discredit an opponent's position by charging them with
hypocrisy". Please stop trying to stifle genuine intellectual discussion with
erroneous assertions.

------
diminish
When shall we have a "distro" of fair, open source, free apps produced by the
open source community guaranteed to run with minimal permissions without
privacy abuse?

~~~
r3bl
I believe you're describing F-Droid.

~~~
Datenstrom
That solves the "app store" problem, the OS is still hostile though, and even
using Replicant the Baseband OS is still a threat.

Not using F-Droid wouldn't be better, it is just that it really seams hopeless
for a complete solution without a major movement like what spawned GNU-Linux.
All these problems need way more devs involved.

~~~
jhasse
Why is the OS still hostile when using an AOSP based ROM?

~~~
Datenstrom
From what I understand it isn't possible to run AOSP on the vast majority of
hardware. You still need proprietary binary blobs for the drivers and the
baseband OS.

~~~
bittercynic
You don't need it to run on the majority of hardware. Just need one device
that runs AOSP and meets whatever other requirements you may have.

~~~
Faark
I agree, but it's a pain. I tried to run AOSP on an Xperia XA2. You are
missing so much. Sony doesn't offer much software for your hardware on AOSP.
F-Droid has like three orders of magnitude less apps than the play store. Even
the many apps that don't rely on google features, hell even competitors like
Microsoft offer e.g. their Word for Android nowhere else. In the end, you
probably will install google services non the less, but this time from less
trustworthy sources since google doesn't officially want or will help you
getting their stuff run on ASOP.

The system was generally unstable. I finally gave up when I noticed video
playback in landscape mode turns the screen green, but works fine in vertical
(Different apps, even ASOP stock apps, even after fresh re-compile)

I'm now going the other route... using a sony image and rip out everything
unnecessary. Neither seems worth the time for average consumers. Learned a
lot, though.

------
echevil
Isn't that similar to Google Analytics and Mixpanel, Segment.io and so many
other tracking tools?

~~~
criddell
Did you like the giant image at the top of the article?

~~~
echevil
Yeah, I don't think it's a problem and I'm not convinced by the article at
all. Also, if an app/website don't track user behavior and improve themselves
based on data, they are most likely going to be defeated by their competitors
soon enough.

~~~
criddell
They aren't sending the data to Facebook to improve themselves.

------
miki123211
> Apps, especially those with millions of installs, need to take the privacy
> of their users seriously.

This is wrong. So, so wrong. This leads to the "I'm a small dev so I don't
have to care, I don't have millions of installs, right?" believ.

------
confounded
Out of interest, why do developers use the SDK and send these events?

Is it just for ‘sign in with Facebook’? I’m surprised at the specificity of
the event-data; do they offer an analytics interface like for GA?

Do they give you any cash or other benefits for all the data?

I’m very surprised that companies like banks are including it, when I’d assume
they have their own analytics and identity systems.

~~~
matwood
They have analytics like GA. In particular, they track conversions, etc... So
if a company runs an ad on FB, putting the FB analytics on their site and in
their apps lets them tracking the effectiveness of the ad they ran.

There is nothing nefarious from the company other than they are trying to
figure out what their FB ad spend is worth. FB OTOH is probably using the data
for tons of other reasons. Are those reasons dissimilar from GA/Google? I do
not know.

~~~
JohnFen
> There is nothing nefarious from the company other than they are trying to
> figure out what their FB ad spend is worth.

I call exposing users to the likes of Facebook, Google, etc. "nefarious" all
on its own. At the very least, it's treating users with a degree of contempt.

------
Iknown0thing
Like with tobacco may be privacy invading permissions need to be regulated a
bit. May be a clear warning on what happens with your data will make consumers
think a little bit more about prompts to handover your data.

Also, it might be interesting to see if certain permissions can have parental
control. That is you need to be with your parent/guardian to allow certain
data access.

Might be great to make it slightly difficult to gain sensitive permissions for
everyone. Requiring to input your password/pin at the permission box. We
already has these on desktop computers where you need to be able to input your
password for admin access to apps. This may not deter companies to ask for
permissions, but my hypothesis is that it will show up in their conversion
funnels and eventually they will stop asking for blanket permissions to all
your data.

------
cmsonger
Facebook still doing something ethically questionable. Must be a day ending in
'Y'.

------
dontbenebby
This is one of the reasons I use a VPN - I can set it up to disallow contact
with Facebook and other trackers at the DNS level, rather than fiddle with
content blockers on all of my devices.

~~~
snr
But then again, unless you're setting up your own VPN infra, I don't trust
anyone with my data.

If you've set up your own infra, deets please!

~~~
dontbenebby
I self host on Digital Ocean with Algo:

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

------
arlogilbert
Wow, this is super ugly. Not to hijack the thread, but we just launched
yesterday at [https://www.privacymonitor.com](https://www.privacymonitor.com)
\- The stuff we find about what companies bury in their privacy policies is
pretty frightening.

------
GuillaumeBrdet
Is this even a surprise though? Where don't they track you would be a more
interesting headline.

------
gorkemcetin
Reminds me of this presentation:
[https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...](https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_android/)

~~~
richardhod
That'll be mostly because they gave this talk and they link to it in the
article!

------
throwaway-1283
And if you use a cellphone you're tracked 24/7 by the gov't...

------
superkuh
Part of the problem here is the entire smartphone and app culture of walled
gardens. No native desktop applications try to pull this shit excepting the
webapp as 'native' electron-based fakes.

~~~
codetrotter
That’s not how I remember it.

I remember that malware was rampant on Windows back in the 90’s and early
00’s.

And some of that malware probably did collect information on you.

Either way, the point I am trying to make is that desktop software is not as
benign as you are making it out to be.

And even some of the desktop operating systems have been doing telemetry or
advertising related things in the OS itself.

Ubuntu. [https://www.gnu.org/philosophy/ubuntu-
spyware.en.html](https://www.gnu.org/philosophy/ubuntu-spyware.en.html)

Windows 7 and 8.1 telemetry. [https://mspoweruser.com/microsoft-makes-
telemetry-updates-fo...](https://mspoweruser.com/microsoft-makes-telemetry-
updates-for-windows-7-and-8-1-critical-updates/)

Windows 10 built-in advertising. [https://www.howtogeek.com/269331/how-to-
disable-all-of-windo...](https://www.howtogeek.com/269331/how-to-disable-all-
of-windows-10s-built-in-advertising/)

I don’t get why or how people put up with this bullshit.

~~~
darkpuma
Back then it was widely recognized as malware, that wasn't a controversial
classification. These days if you categorize such software as spyware/malware,
you get a ton of pushback. It's become normalized.

When did this happen? Obviously it was a gradual change, but when about was
the inflection point? I'd estimate sometime around 2007.

~~~
lotu
Malware and spyware wasn't generally sophisticated enough to do this type of
data collection and targeting. This is a ton of work, as evidenced by the 10s
(maybe 100s?) of thousands of engineers employed doing it today.

The data Malware and spyware went after was your credit card number, and bank
account & passwords. Which they then used to steal money from you.

No one ever was worried that malware would build a profile of them and sell it
to internet advertisers who would send them more relevant ads.

------
justusthane
Is there an easy way on Android to, for example, block all traffic to
Facebook? Sort of a Little Snitch for Facebook?

I know this could be done via VPN, but I'm looking for an on-device solution.

------
pweissbrod
Is anyone aware of a respectable security rating system for android apps we
can look up before installing something from the play store?

------
balls187
Is there a tool that shows you if you are being tracked, and by whom?

EU compatriots--looking at your general direction here.

------
spinach
I block Facebook's domain on my laptop, I wish it was as easy to do on mobile.

------
ddtaylor
A reminder to use Privacy Badger from the Electronic Frontier Foundation (EFF)

------
Mc_Big_G
Maybe we need a law that simply makes it illegal to track any user on any
network for any reason. Is there any legitimate reason to track a users that
is purely in their own interests? Also, how many of these articles does it
take before people stop using Facebook?

~~~
badfrog
> Also, how many of these articles does it take before people stop using
> Facebook?

Infinite. The majority of people won't see these articles. And the majority of
people who do see them won't care enough to change their behavior.

~~~
tayo42
Yeah? Why should I care about tracking? Why is what you click on so secret and
guarded and why should I care. Sites have been tracking forever. I was 8 and
putting counters on my geocities sites

Is the problem just Facebook and Google? The retail clothes store I used to
work for tracked everything. Where's the outrage?

~~~
darkarmani
> I was 8 and putting counters on my geocities sites

How is a hit counter at all related to tracking users?

~~~
tayo42
Why would you say it's not. It's the begging of tracking to get information
about what's happening on your website

------
dilyevsky
Bigger question is - why would anyone use yelp?

~~~
CharlesColeman
> Bigger question is - why would anyone use yelp?

Because they're looking for a good place to eat, possibly in an unfamiliar
area?

------
titanix2
At least for Duolingo there is an easy fix: don’t use it. I’m currently
reading a researcher paper written by an employee and while the paper is
interested the app itself is abysmally bad. I just tried the app again today
just to be sure my opinion wasn’t a mistake but it reinforced it instead.

That app have no lesson, nothing is explained, there is just quizzes slapped
on your face until you remember the good answer. The distractors are bad (you
can find answer using capitalization in some case), sentences seems to have
been generated automatically etc. I cannot fathom how one can learn anything
with that nor why it is so popular.

~~~
SaulOfTheJungle
I've been learning Japanese with it for the past 2 years.

Although I haven't tried other apps (so I don't have a baseline for
comparison), their methodology has proven quite effective for me.

~~~
trophycase
Japanese conforms extremely poorly to the duolingo format. As someone who is
also learning Japanese, I'm very surprised you've stuck with Duolingo this
long. My experience was that it explained nothing. No explanation of
particles, the different between hiragana and katakana, no other grammar
explanations, etc.

~~~
barry-cotter
How useful is explicitly learning about the difference in use of hiragana and
katakana, really? As far as I’m aware the research on language learning is
pretty clear on teaching grammar; teaching it explicitly is no more effective
than teaching implicitly. This example is right, that one isn’t is how we
learn to speak our native tongues and we faultlessly follow rules we can’t
teach all the time, e.g. adjective order in English is opinion, size, physical
quality, shape, age, colour, origin, material, type, purpose.

[https://dictionary.cambridge.org/grammar/british-
grammar/abo...](https://dictionary.cambridge.org/grammar/british-
grammar/about-adjectives-and-adverbs/adjectives-order)

~~~
titanix2
Do you have a link to a paper or two supporting that claim?

Sure as children we learned our natives language by hearing it for years but
the point is you can't magically have ten years of everyday language input
when learning a foreign language. So then as adult it is way more efficient to
learn the underlying rules. If there really was a more efficient method
universities would have ditched their curricula for it. But from my
experiences they don't and they don't recommend Duolingo either.

------
enibundo
I'm sorry to be that guy, but if after all the shitty news about Facebook
tracking and selling your information you are still using Facebook than you
deserve to be tracked and sold.

~~~
werbel
I'm sorry to be that guy, but if you properly read even just the submission
title you'd know it's not about people that are still using Facebook but
people that are using other apps like Yelp. That might include you.

~~~
enibundo
oh my bad then. but yeah, is this news? don't we know fb already.

------
trumped
I wonder if Zuck is stupid enough to use Facebook? or does he have a special
build just for himself?

