
Facebook Gave Data Access to Huawei - pera
https://www.nytimes.com/2018/06/05/technology/facebook-device-partnerships-china.html
======
seibelj
Considering that real, verified information about people and their social
network is so valuable, it seems so weird that FB gave it all away so easily.
If you have 50,000 users in America and can get the entire list of friends and
friends of friends, and the personal / political information about them, you
basically have the entire country.

Now wait until someone gets this information and dumps it in a torrent. Will
be abused for decades.

~~~
adamnemecek
I wonder if this is because FB is trying really hard to get into China. IIRC
Zuckerberg offered Xi to name his first born child.

[https://mashable.com/2017/09/18/zuckerberg-chinese-president...](https://mashable.com/2017/09/18/zuckerberg-chinese-president-baby-names/)

My cringe muscles are getting such a workout these days.

~~~
JackCh
Yeah, Xi turned down the offer too. Probably the most bizarre Zuckerberg story
I've read yet, which is saying quite a bit.

[https://www.telegraph.co.uk/news/worldnews/asia/china/119106...](https://www.telegraph.co.uk/news/worldnews/asia/china/11910668/Chinese-president-snubs-Mark-Zuckerbergs-request-for-baby-name.html)

~~~
joering2
Can you imagine asking Adolf Hitler or Stalin for the name for your child?

"It was an honour to meet President Xi [...]"

I threw up a little...

~~~
adamnemecek
They need them clicks.

------
saagarjha
> Facebook officials said that the data shared with Huawei stayed on its
> phone, not the company’s servers.

Can they prove this, though?

~~~
lazaroclapp
No. But could they prove it with the standard FB app either? I mean, you are
typing your user name and password on that phone, if you assume the
manufacturer is outright malicious, then official API access doesn't really
matter one way or the other. An API used to create a third party client is
generally a good thing and doesn't actually change this (unless I am missing
something here).

You could, however, with some trouble, check which data is going where on your
own device, as long as that API isn't meant for direct connection between FB
servers and those of a third party.

~~~
makomk
Not only could you check which data is going where on your own device, the
journalists behind this reporting did in fact do this with a Blackberry for
their previous story:
[https://twitter.com/laforgia_/status/1003619319736143872](https://twitter.com/laforgia_/status/1003619319736143872)

They sniffed the network access of the Blackberry as they logged into Facebook
via the built-in support, saw it pulling down a bunch of information direct
from Facebook to the local device and nothing else, and wrote it up as though
it were somehow scandalous and a breach of privacy that Facebook didn't see
this as giving a third party access to that information. They didn't let the
fact that they knew the third party wasn't receiving that data get in the way
of fearmongering then, and I doubt they would here either.

------
Trundle
Non-developer here. Can someone check my understanding of this situation for
me please.

Facebook or any other website has information that ideally only I should have
access to. I don't visit Facebook hq with my id in hand to get it, I use a
computing device to talk to their computing device. They don't _really_ know
if it's me using that device, just that it knows information only I should
have (password). The device is also my choice, they just provide general
instructions for talking to theirs, or rather just comply with standards.
Meaning html or whatever the total information sent from browsers and back
again is called. Some browsers being difficult, they even have some code in
there for them specifically. Mostly css for ie and mobile safari.

Because me visiting the Facebook building every time I want to see something
or like something is ridiculous and something no one thinks happens, when
these browsers request information as me they're then referred to as me, or my
agent. So if data goes from Facebook to a macbook with chrome on it that knows
my password, it's for all intents and purposes a two party relationship. No
one sees that chrome, osx, my ISP, my router, my whatever; and goes "Facebook
is giving data access to third parties!"

Enter mobile devices, or more accurately old mobile devices. Complying with
those standards I mentioned above /html /building a quality full functionality
browser is hard given their tech. They still want you to be able to use
facebook, facebook still wants you using it, and you want to use it. So the
device manufacturer and Facebook come up with a communication method they
_can_ use. Basically the same information sent and received as if you were
using a browser and Facebook's standard html, Facebook's still just assuming
you're on the other end because the device knows your password, but the syntax
of their messages is different. Basically a more extreme version of having
some funky css in there to make old IE work.

Terminology aside, am I on the right track? If so, what exactly is newsworthy
about this? Is there a practical difference from a data security viewpoint
between Facebook -> my Huawei phone -> me, and Facebook -> my Huawei phone ->
chrome -> me?

If my user agent - the hardware /software I choose to use to talk to facebook
- is hostile to me, I'm fucked either way aren't I?

~~~
makomk
You're exactly right, and there is no practical difference from a data
security viewpoint. Except web access is probably worse in practice: many of
the older mobile devices funnelled all web browsing through manufacturer-
provided or third party servers, this is still an option in Chrome on Android,
and desktop browsers are plagued by malicious extensions.

The New York Times is arguing that allowing users to access Facebook with
third-party apps running on hardware the users own is the same as giving those
third parties access to the data, that the setting which blocked third parties
like Zynga and Cambridge Analytica from accessing this data should block those
apps too, and that not doing so is a betrayal of user privacy. There's a
Twitter thread by one of the journalists behind this that's even more clear
about this:
[https://twitter.com/laforgia_/status/1003619629355413504](https://twitter.com/laforgia_/status/1003619629355413504)

Like, I'm not exaggerating here, the journalist who's writing this series of
articles really does think that if Facebook respected user privacy they
should've made the setting which blocks every random quiz and game your
friends use from scraping your data also force your friends to install the
Facebook app to interact with you. (I don't think he's grasped that web
browsers are third-party software though.)

~~~
Trundle
Thanks! Pretty concerning that a lot of hn commenters seem to be with the
nytimes on this.

_I'm_ the filthy saas salesman that should be tainting this place with their
ignorance. Everyone else is meant to be more informed on these things so I can
get a more educated perspective!

~~~
heurist
As a software developer who is familiar with Facebook's APIs I have not been
happy at all with the recent NYT coverage. It's mostly been the kind of
coverage I'd expect from the National Enquirer.

------
adamnemecek
Haha, is this treason yet?

~~~
briandear
In my opinion, it’s very close. Providing data to a foreign intelligence
service certainly meets the definition. Arguing that Huawei is not part of
Chinese intelligence is like saying Air America was an airline for package
tourists.

~~~
daveguy
To meet the definition of treason they would have to share it with an entity
we are in open conflict with. It would be tough/impossible to prove that China
meets the criteria. With all of the colluding with foreign governments going
on lately there should probably be some law against providing information to a
foreign intelligence agency. Maybe that falls in the category of "undeclared
foreign agent".

~~~
briandear
I stand corrected. Thus, under that same standard, the claim that Donald Trump
committed treason is also bogus since we aren’t in open conflict with Russia.

~~~
daveguy
True, but I don't think anyone is making a legal case against Trump and his
campaign for treason. The case being made is for obstruction of justice and
conspiracy to "obstruct the lawful functions of the United States government
through fraud and deceit".

Fortunately no one is above the law and Trump can't pardon himself for
shooting Comey or committing fraud and obstruction.

We'll see what evidence Mueller has at the end of his investigation. The whole
thing -- all the Russians and campaign members indicted may have nothing to do
with Trump. But considering how much the Trump campaign has already lied about
Russian contacts and how loudly Trump is squealing like a cowardly pig, I
expect the result of the investigation will not be favorable for him.

------
sqdbps
Give it a rest already NYT.

1\. they are mischaracterizing the nature of that "access".

2\. they could've reported this tidbit in yesterday's story, clearly they are
trying to squeeze every last drop from that pebble.

~~~
jimjimjim
Give it a rest already Facebook.

------
spunker540
This is so overblown. It's not a far leap by NYT standards here to say that
Facebook also "gave data access" to every screen manufacturer that ever
displayed a Facebook page.

The bottom line is when people have data on FB and they have hundreds (in some
cases thousands) of friends who all have the privilege to view their data,
then the data is really not all that private to begin with.

------
briandear
There are Huawei facilities outside of Suzhou that are inside military
restricted areas. Basically if you use Huawei, assume the MSS has access to
anything touching their hardware. That may not be 100% true all the time, but
it’s definitely true at least much of the time.

We can cue up the obligatory whataboutism with the NSA as well, however, NSA
isn’t stealing data from American companies and providing it to competitors,
while China absolutely engages in industrial espionage against US and European
companies.

[https://www.thecipherbrief.com/chinese-industrial-spies-cast...](https://www.thecipherbrief.com/chinese-industrial-spies-cast-a-wider-net)

~~~
JackCh
> NSA isn’t stealing data from _American_ companies and providing it to
> competitors

That's quite the qualification, since the NSA _has_ been accused of industrial
espionage against foreign companies, including German companies.

[https://en.wikipedia.org/wiki/Industrial_espionage#Germany](https://en.wikipedia.org/wiki/Industrial_espionage#Germany)

------
debt
Man, there's a massive war about to go down between the press and tech and
other tech companies.

Apple is starting to rein in the attention-grabbing machine that is Facebook
and its properties. Now the press, particularly the NYT, is pushing story
after story of FB's nearly total lack of policy around consumer data
protections. I'm sure they'll have their sights set on Apple/Google very soon.

Facebook fires back by shutting down the trending widget which I'm sure is a
huge source of traffic for the NYT.

Elon nearly shuts down an earnings call because the questions are too pointed;
he acquires the Onion. Thiel shuts down Gawker.

Bezos takes WaPo to protect Amazon.

Samsung and Apple have been at it forever.

It's only going to get uglier.

~~~
JumpCrisscross
> _Bezos takes WaPo to protect Amazon_

What?

~~~
debt
[http://www.businessinsider.com/amazon-ceo-jeff-bezos-bought-...](http://www.businessinsider.com/amazon-ceo-jeff-bezos-bought-washington-post-with-no-due-diligence-2016-3)

~~~
JumpCrisscross
Non sequitur. You claimed "Bezos [acquired the] WaPo to protect Amazon." The
article you link to [1] comments on his light pre-transaction diligence.
Warren Buffett, too, is known for high light DD and simple acquisition
paperwork. For a well-known brand purchased to have "a political watchdog for
the public's good," the diligence makes sense without resorting to harebrained
conspiracy.

[1] [http://www.businessinsider.com/amazon-ceo-jeff-bezos-bought-...](http://www.businessinsider.com/amazon-ceo-jeff-bezos-bought-washington-post-with-no-due-diligence-2016-3)

