
Clearing Up a Few Things About Facebook’s Partners - pg_bot
https://newsroom.fb.com/news/2018/12/facebooks-partners/
======
mindgam3
“Did partners get access to messages? Yes. But people had to explicitly sign
in to Facebook first to use a partner’s messaging feature. Take Spotify for
example. After signing in to your Facebook account in Spotify’s desktop app,
you could then send and receive messages without ever leaving the app.”

Does anyone have a screenshot or remember what the opt-in UX was like for
this? I have been logged in to Spotify via Facebook since basically the very
beginning. I worked in tech as a dev, PM, and designer of flows. I never had
the understanding that my Facebook connect with Spotify gave them read/write
to all my messages. It’s certainly possible that this permission was requested
in an auth form that I quickly granted without realizing, which would make
this more of a dubious product decision than blatantly unethical. Anyone have
info?

~~~
jahlove
Looks like as of 07/2013 it was this:
[https://imgur.com/UdfzvGU](https://imgur.com/UdfzvGU)

Source:
[https://stackoverflow.com/q/17561784/9027089](https://stackoverflow.com/q/17561784/9027089)

~~~
SilasX
Nice, good find. That doesn't give permission to read (or even generate)
private messages, unless you interpret "my data" to mean something in the last
bullet point that's much broader than the three above.

~~~
bilbo0s
> _unless you interpret "my data" to mean something in the last bullet point
> that's much broader than the three above..._

Hmm. It seems this may sound weird to you and many others, but that's
_exactly_ how I interpreted it. When looking at that screen I was wondering
why anyone in their right mind would grant Spotify these rights?

The only thing Spotify does is play songs for you, right? They shouldn't
really need access to _any_ of your FB data to do that.

~~~
SilasX
Alright, I confess, your interpretation was the same as my immediate hot-take
reaction, but then I stopped and said waiiiiiit a sec, they can't literally
mean, all the data, right? They must mean, like, "my data" in the sense of
that stuff above, right?

Only now does FB reveal themselves to be the treacherous jerk they've always
been and abuse whatever leeway you give them. Use recovery phone number for
marketing? Why not!

~~~
russh
Only now!!! Where have you been?

~~~
SilasX
I agreed they’ve always been treacherous jerks, I meant about the
counterintuitive broad reading of “my data” on this page.

------
i_am_proteus
The language of this post seems _extremely_ carefully chosen and to present as
'let me explain why what Facebook did was fine' and 'Facebook is full of great
features that people use.' The language is somewhere in between reductive and
manipulative.

"this work was about helping people" and "people could have more social
experiences" and "People want to use Facebook features"

and then: "Our integration partners had to get authorization from people. You
would have had to sign in with your Facebook account to use the integration
offered by Apple, Amazon or another integration partner."

I read the last quote as "we used a dark pattern[1] to get your permission for
this"

[1] [https://darkpatterns.org/](https://darkpatterns.org/)

~~~
jahlove
this isn't clear to you?
[https://i.imgur.com/UdfzvGU.png](https://i.imgur.com/UdfzvGU.png)

~~~
i_am_proteus
There's a reason the post wasn't worded as "you would have had to explicitly
give permission for Spotify to access all of your messages."

It is my opinion that Facebook recognizes exactly how unethical their behavior
was, as evidenced by the language they choose to use to describe their
behavior.

------
Humdeee
The whole article seems odd. I have no training in public relations, but I
assumed the narrative would try to at least seem sincere about end-user's
privacy concerns.

There's none of that at all, not that it would be believable at this point
anyhow. But it reads like a bully trying to justify to a teacher why he chose
to eat another kid's lunch. It's clear fb has no moral guilt here and actually
implies that all blame is shifted off of themselves.

~~~
adrr
It's extremely poor PR. I was caught up in the 2012 FTC investigation on
social networks and data brokers. Public just wants to hear how you are going
to protect their data. Doesn't matter if you're right or wrong. Pushing that
you weren't wrong narrative just alienates your users even more.

------
kerng
What did I just read? Is this a legitimate Facebook post? Are they actively
trying to defend and justify their actions? First step in crisis management
would be to acknowledge the crisis for what it is. Without that stage Facebook
will never get out of this. It's like Microsoft's security before Bill Gates's
trustworthy computing memo. Facebook you have to change.

------
zephyrnh
I assume someone at Facebook, hopefully the person that wrote this, or someone
who has more influence over this issue, is reading.

I am an engineer. I understand technology better than most of the general
population. When I sign in to my Facebook account to use Spotify, I am
absolutely not expecting that Spotify will now have access to read every
single one of my private messages. This is a gross violation of trust, and if
this is what happened, then the fact that you not only made this mistake, but
also then published this blog post defending it, marks a low point for
Facebook. Perhaps irrecoverably so for me.

"After signing in to your Facebook account in Spotify’s desktop app, you could
then send and receive messages without ever leaving the app. Our API provided
partners with access to the person’s messages in order to power this type of
feature."

This is a write permission. So you needed to give Spotify permission to create
a message. It seems that your system combines the read and write permissions,
since you just grouped them together by saying "access to the person's
messages". It also seems from your defense that you see absolutely no issue
with this. In order to share a song through Spotify, you are giving them
access to every single private message the user has ever written.

I find it hard to believe that Facebook refuses to acknowledge any fault in
this: The initial product decision, the upholding of this decision through
previous privacy investigations, and this PR response. Am I misinterpreting
the facts or scale of this?

~~~
marrone12
Well if you want to receive a message that someone sends you then you'd also
need to grant Spotify read permissions. In essence, you'd be using Spotify as
a client app for fb messenger. How else could that work without Spotify
getting read/write access to your messages?

~~~
zephyrnh
I assume the point here is to send someone a message on FB with a Spotify link,
so they click on it in their messages and it opens up the Spotify app. If you
just want to send a message from one Spotify user directly to another in
Spotify, you don't need FB messages at all, right? Spotify has a list of all
your FB friend IDs already and knows which Spotify accounts each is connected
to.

~~~
chillacy
I think the use case is closer to Spotify acting as an alternative client to
the messenger backend, much like Adium is an alternative client for Google
Chat. Which in this case you have to trust the client. It feels grosser
because Spotify isn’t just a desktop application, they could in theory have
stored and mined your chats.

------
40acres
I was too young to really keep abreast of the Microsoft anti-trust lawsuit,
but I've never seen a technology company come under so much sustained pressure
as Facebook over the past 18 months.

The New York Times in particular has definitely made it a mission to air out
all of Facebook's dirty laundry. Overall, I don't think that this will result
in users becoming more concerned about privacy (although their governments
may) but it does seem like Facebook from a product perspective is vulnerable,
even considering the amazing backstops that are Instagram and WhatsApp.

~~~
notacoward
> The New York Times in particular has definitely made it a mission to air out
> all of Facebook's dirty laundry.

There are two thoughts here that people here assume are mutually exclusive,
but they're really not.

(1) What NYT has reported is true, and highlights some serious issues that
Facebook needs to address.

(2) NYT _also_ , without saying anything untrue, takes negative news about
Facebook out of context and gives it more prominence/repetition than is
appropriate.

Both of these are possible simultaneously. I happen to believe both are true.
The "providing a platform" argument was much more relevant at the time most of
these actions occurred, even if that doesn't fully excuse them. And even if
this is significant news, that might not justify burying other important stories
(e.g. imminent government shutdown) so that it can be top of the news multiple
times in the next week. As it surely will, even if there are no new
revelations.

As for the substance of the OP or the NYT story to which it responds: no
comment. Facebook PR is going to have to do this one without me. >:-(

~~~
jaabe
What?

Facebook has so far admitted to everything, or in other words, the gross
mishandling of privacy of a billion people for a decade and an unwillingness
to improve.

Is your point that we shouldn’t worry about Facebook being an evil company
because there are worse things out there?

Why can’t we worry about multiple things at once?

Even if we go down the road of whataboutism, don’t you think Facebook has
earned its place in the spotlight? Facebook has shown itself to be an
existential threat to liberal democracy and truth in recent years, it’s hard
to imagine a bigger threat than that. I mean, if it wasn’t for a gazillion
fake accounts gaming interest groups on Facebook, a lot less people would
think things like climate change was fake. Which means that at its very worst,
Facebook is being used to kill the planet.

Don’t get me wrong, I still think Facebook can be really good, at its best,
and that’s exactly why I think the focus on their missteps is welcome. We need
to tell them where the line is, so we can get more good and less bad.

~~~
chillacy
Mass communication is a threat to democracy? That somehow only more censorship
(fake news screening or whatever people want to call it) can fix? This is such
a profoundly anti-democratic position, with extra overtones of “these voters
didn’t know any better”.

~~~
rchaud
> Mass communication is a threat to democracy?

Why did you think that strawman would work on HN of all places? FB didn't
invent email, chatrooms, message boards, or the internet, things that actually
support mass communication.

~~~
chillacy
Curious how you can call that a strawman without knowing OP's actual position.
I mean to be fair I likely misrepresented his ideas but to do otherwise
requires a lot of back and forth questions to really understand the positions
at hand.

I hope we don't have a long internet argument about what "mass communication"
is, that would be a great waste of time.

I just suspect that if facebook didn't exist, message boards and chatrooms
would have launched Trump into the white house just the same, and we'd be
casting them as a "threat to democracy".

~~~
rchaud
> I hope we don't have a long internet argument about what "mass
> communication" is, that would be a great waste of time.

100% agree. That is why I don't bother reading the comments where the
discussion veers into the semantics of the label used ("socialism" and "market
forces" related stories being the worst offenders). Usually the story isn't
about that at all, but people seem to love rehashing their college-era debates
that ended nowhere.

> I just suspect that if facebook didn't exist, message boards and chatrooms
> would have launched Trump into the white house just the same

I partially disagree. Without FB, Twitter could still have spread mass
misinformation and divisive propaganda. Either way, the scale of either isn't
comparable to message boards of yore. Those allowed for total anonymity. You
weren't mandated to provide a real name. You weren't encouraged to share
details of your personal life (relationship status, alma mater, location).
Message boards also didn't have ad networks built into it that incentivized
data gathering on a mass scale. Finally, message boards were not built around
"sharing". That's what got fake news posts outside of your crazy uncle's FB
circle and into local news website comments page, etc, giving it visibility it
wouldn't have otherwise.

What were the biggest message boards back in the day? Something Awful? Digg?
4chan? A few million members max. FB has 2 billion + on a single network. A
single point of entry where the network gives you (as an advertiser/bad actor)
near-unprecedented targeting ability for promoted posts and ads. If you popped
into your local phpBB baseball forum and dropped off a meme showing Clinton
with the Star of David with no additional context, you'd get booted by a
moderator for being off-topic and thread would be locked. No way to spread it
to the outside world. Not so on social networks.

------
Teichopsia
It's hilarious. Facebook misbehaves like a three year old and lies to your
face about it. Fifteen years later and the same dysfunctional relationship
continues. In a few days, in a couple of weeks there will be some post from
their engineering department regarding some fantastic thing they are working
on, they released, whatever. And this hate love debate will dissipate to the
far end of your minds. When will you say enough?

------
PaybackTony
I think what they are failing to address here, and what is incredibly
misleading of them in this message, is that they fail to define what "public
information" or "public activity" means to them. They define this in their TOS
& Privacy Policy as pretty much anything you do on facebook, or a separate
property that integrates with them, that you don't EXPLICITLY set as private.
This statement tries to make it sound like they use very little data, when in
all actuality most of what you do on FB is considered "public" to them even if
they don't show this stuff publicly. That's not okay.

------
Havoc
So basically it's totally OK because someone clicked sign in with fb? I bet
the majority didn't realise that implied giving access to private messages.

Seems pretty dark pattern-y at best

>this work was about helping people do two things

One of the most disingenuous things I've read in a while. Nothing about this
was about helping users.

I hope they get slaughtered on the markets tomorrow (again).

------
armini
There are 3 parts to a genuine apology. 1 we’re sorry 2 we messed up 3 here’s
what we’re doing to fix it

This is a poor attempt at an apology. It just shows how desperately they acted
to grow users with little to no regard for user privacy. That’s a typical
footprint for a mercenary company, not one whose mission is to respect its
users.

Just look at how Apple apologized about their battery dilemma. Here’s a great
way to show you care about your users
[https://www.apple.com/au/iphone-battery-and-performance/](https://www.apple.com/au/iphone-battery-and-performance/)

~~~
jhacker123

> Just look at how Apple apologized about their battery dilemma. Here’s a great
> way to show you care about your users

In Apple's case, users are also customers, and everybody takes genuine care
of their customers.

In Fb's case, users are not their customers, they are the product for them,
and products are meant to be for sale, and this is what they do.

------
etxm
> To personalize content, tailor and measure ads and provide a safer
> experience, we use cookies. By tapping on the site you agree to our use of
> cookies on and off Facebook. Learn more, including about controls: Cookie
> Policy

> By tapping on the site

> use of cookies on and off Facebook

So an accidental interaction when trying to navigate away after seeing your
cookie policy opts me into your cookie policy.

You bastards are full on assholes, huh?

~~~
eridius
There's no way "any interaction with the page" could possibly legally
constitute agreeing to any sort of policy. I hope someone sues them over this.

------
drugme
Do we have any reason to believe anything this company says about anything
anymore?

It's like they know they're in a very deep hole - yet with every press release
they just keep digging themselves in deeper.

------
m0zg
And now you know why Google is _really_ shutting down Google+ earlier than
planned. Someone should also take a look at Android, where there are some
insane permissions available, like accessing your messages and call log. I
wonder how much those have been abused by third parties far less trusted than
e.g. Spotify. Granted, you have to consent to all of this crap, but 99% of
users perceive this as a speed bump and click OK without reading, and the
remaining 1% won't touch Android with a 10 foot pole after seeing one of those
permission dialogs.

~~~
dirkgently
Ah the inevitable, "it's all Google's fault" reply.

~~~
m0zg
I don't see how you could misconstrue my comment in this way, but what I meant
to say is "Google should also receive scrutiny" for these very similar privacy
issues. I don't think anyone can argue with this in good faith.

------
kkhire
Can someone clear this up (preferably if you've worked with the FB API):

When NYT published that Spotify and Netflix have access to private messages,
isn't that simply for them to do a POST call for sharing a tv show or song?

~~~
ubernostrum
Facebook appears to have designed their system in such a way that permissions
were not granular enough to do things like "Spotify can only post certain
types of messages". Instead it had to be "Spotify has full read/write access
to all private messages".

Given Facebook's history it's hard to believe that the lack of granularity,
and resulting incentivizing of users to grant as much access to personal data
as possible, was an accidental oversight.

~~~
bduerst
Looking at the Spotify sign-in image from 2013 that jahlove found above,
Spotify didn't even ask for that auth permission.

The full messaging access seemed to be a hidden bonus for their larger
partners.

------
echevil
I think a very common problem with OAuth (way beyond Facebook) is that people
often underestimate the permission they are giving to a 3rd party. For
example, if you use some email client to manage your Gmail, the email client
would request permission to "manage your Gmail", exactly what you want, but
that actually gives the 3rd party permission not only to read all your mails,
but to send out emails on behalf of you.
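
The scope-granularity problem raised in this comment and in ubernostrum's earlier one, as an added example that is not part of either comment: a small Python audit that compares the OAuth scopes an app requests with the capabilities its feature actually needs. The Gmail scope URIs are real; the capability sets attached to them and the function names are simplifying assumptions made for this example.

```python
from itertools import combinations

GMAIL = "https://www.googleapis.com/auth/gmail."

# Real Gmail API scope URIs. The capability sets are a simplified summary
# (an assumption for this example, not Google's full policy text).
SCOPE_CAPS = {
    "https://mail.google.com/": {"read", "send", "modify", "delete"},
    GMAIL + "modify": {"read", "send", "modify"},
    GMAIL + "readonly": {"read"},
    GMAIL + "send": {"send"},
}


def granted_caps(scopes):
    """Union of capabilities for known scopes, plus the scopes we cannot map."""
    caps, unknown = set(), []
    for scope in scopes:
        if scope in SCOPE_CAPS:
            caps |= SCOPE_CAPS[scope]
        else:
            unknown.append(scope)  # never assume an unmapped scope is harmless
    return caps, unknown


def minimal_scopes(needed):
    """Smallest-excess scope set covering `needed`; None if nothing covers it."""
    needed = set(needed)
    if not needed:
        return []
    best = None
    names = sorted(SCOPE_CAPS)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            caps = set().union(*(SCOPE_CAPS[s] for s in combo))
            if needed <= caps:
                # Prefer fewer surplus capabilities, then fewer scopes.
                key = (len(caps - needed), len(combo))
                if best is None or key < best[0]:
                    best = (key, list(combo))
    return best[1] if best else None


def audit(requested, needed):
    """Report what a grant allows beyond, or short of, what the feature needs."""
    needed = set(needed)
    caps, unknown = granted_caps(requested)
    return {
        "excess": sorted(caps - needed),
        "missing": sorted(needed - caps),
        "unknown_scopes": unknown,
        "suggested": minimal_scopes(needed),
    }


if __name__ == "__main__":
    # Constructed case: a "share by mail" feature that only needs to send,
    # but whose consent screen asks for full mailbox access.
    report = audit(["https://mail.google.com/"], {"send"})
    for field, value in report.items():
        print(f"{field}: {value}")
```

The same comparison applies to any provider whose consent screen bundles read and write under one label: the audit only needs a scope-to-capability table for that provider.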

------
bogomipz
The Title should be corrected. The title of post is actually:

"Let’s Clear Up a Few Things About Facebook’s Partners"

This distinction is notable for its patronizing tone.

Of course the assumption that we all have it wrong. "There's nothing to see
here, please move along." Everything that was done was done to make the world
a more connected place and for us to have more "social interactions."

This post is a case study in how not to do PR. There wasn't even a remote
hint of concern for what their users might be feeling in the wake of this
story. But perhaps it doesn't matter anyway since this company has zero
credibility at this point.

------
onetimemanytime
So CuteApp allows you to read FB messages and email from their app. They cut
a deal with FB but you still need to want to do it and then enter your FB
credentials while in CuteApp. Unless messages are saved in the app, unsecured,
I see no problem. FB users read _his_ messages somewhere else but using their
FB credentials. (If I understood it correctly)

~~~
ameister14
No, CuteApp allows you to read FB messages and email from their app. They cut
a deal with FB and even if you don't use the service, CuteApp can still access
your messages. You don't actually know about the service - it isn't in the
permissions and you didn't give explicit consent for it. Doesn't matter.

~~~
justinsaccount
Do you have any evidence to back up these claims?

~~~
ameister14
Yes, actually.

1. There is no record of an explicit permissions check, and there are records
of other checks.

2. Facebook has acknowledged (multiple times, now) giving read/write access
as long as you were logged in through Facebook to one of these systems - you
don't have to explicitly enable it _and_ engage the message service, which is
what OP was saying.

3. They say: "No third party was reading your private messages, or writing
messages to your friends without your permission." They aren't saying that no
third party was reading or writing messages, just that you gave it permission
to do so. Unfortunately, that permission was, again, not explicitly given. It
was a blanket (access data) permission. Facebook has a documented and admitted
history of obfuscating what permissions you are actually giving it - the
messaging app being one example.

~~~
justinsaccount
You said:

> even if you don't use the service, CuteApp can still access your messages.
> You don't actually know about the service

I don't disagree that permissions dialogs can be confusing and misleading, but
you were initially claiming that CuteApp could access your messages even if
you have never used it. Are you no longer making this claim?

~~~
ameister14
No, I am making the claim that you don't have to use the message service for
them to read your messages. I was unclear.

------
verdverm
Title seems aggressive, yes?

I spent an hour trying to remove all of the advertisement connections, have no
idea how far into it I got. Mostly realtors and car dealerships

------
jeromebaek
They are no good at all at apologizing. They somehow manage to be consistently
condescending. Facebookers, take this into account next time (or the next
dozen times) you have to write up an apology.
[https://news.ycombinator.com/item?id=6116544](https://news.ycombinator.com/item?id=6116544)

~~~
mrnobody_67
He's been apologizing since 2006... think they'd get better at it by now.

[https://www.fastcompany.com/40547045/a-brief-history-of-mark...](https://www.fastcompany.com/40547045/a-brief-history-of-mark-zuckerberg-apologizing-or-not-apologizing-for-stuff)

------
jpatokal
> Did partners get access to messages?

> Yes.

(o_O;

...and every time I think FB can't get any worse, it does.

Serious Q: is there a way to find out what services I've ever authorized into
using my Facebook account, and nuke those links/permissions? I haven't done
that in years, but who knows how many of these there are still lying around.

------
stonecraftwolf
Facebook can’t be regulated into the ground and then sued into a fine dust
fast enough.

It is really hard to overstate the ambient anger out there at a general sense
of exploitation. FB have made themselves a lightning rod for that anger.

Couldn’t happen to a more exploitive, manipulative company.

------
defterGoose
Remember when fb blog posts used to be about cool tech problems? How much more
unfun and 'last year' can this platform get?

------
objektif
It's funny how the article keeps repeating “people had to explicitly sign in”
to give access. Well, that should not be enough to let 3rd party apps read my
messages.

------
slics
It all boils down to convenience. People are so easily manipulated with just a
little incentive. Just keep one thing in mind. If at any given time there is a
product or service that has no cost or fee to use, the first thing that should
pop into your head is: “There is nothing free in this world.” If you hit
Accept / OK for a free service / product, the blame is on you/us, not them.

------
echevil
Is it just me that couldn't find the feature in Spotify desk app to actually
send a message to a friend from the app?

~~~
danabramov
These features were removed in 2015.

------
sidcool
If not the US, other nations should take stringent measures to rein in the
out of control Facebook horse. They have broken most ethical and moral
boundaries of trust. They not only treated users like a product, but exploited
them. I hope they find their day in the court of law.

------
dep_b
There's just one thing that really struck me:

"Apple, Amazon, Blackberry and Yahoo"

I think the person who wrote this piece first ordered those companies on
alphabetical order to look as neutral as possible, then somebody standing behind
the editor leaned over and said "Perhaps you could move Apple to the first
spot?"

There isn't a single comma accidental in this article.

Anyway: as somebody pointed out the dialog clearly stated that Spotify could
access your data even without using Spotify. I think people should be a bit
more conscious about what they trust to a third party to begin with. No,
you're not paranoid running your own mail server.

------
forapurpose
In case people want to read the original story and discussion:

[https://news.ycombinator.com/item?id=18712382](https://news.ycombinator.com/item?id=18712382)

------
chj
This has been the de facto practice for ages in API integration. Everyone is
doing it. When you grant Dropbox access to an app, can you say Dropbox is
colluding with app developer?

~~~
ummonk
That is what confuses me. It is a widespread issue in the industry, but
somehow Facebook is getting singled out for it. And the particular
integrations in question were disabled years ago.

------
dangerboysteve
Crisis management playbook in action.

------
sambroner
The FIRST thing I see when I visit this site (on mobile) is a popup telling me
this...

> To personalize content, tailor and measure ads and provide a safer
> experience, we use cookies. By tapping on the site you agree to our use of
> cookies on and off Facebook. Learn more, including about controls: Cookie
> Policy. Cookie Policy

I know they have to do that, and it was already there... but doesn't that feel
like a slap in the face?

------
dgzl
This is their remorse:

"Still, we recognize that we’ve needed tighter management over how partners
and developers can access information using our APIs"

------
sriku
I cannot proceed to reading the article because I refuse to accept fb's cookie
policy that doesn't seem to give a way to read the content without accepting a
cookie from them.

~~~
ummonk
Why not browse in incognito, so the cookies clear out when you close the
window?

------
bambax
> _Today, we’re facing questions about whether Facebook gave large tech
> companies access to people’s information and, if so, why we did this._

> _To put it simply, this work was about helping people..._

Putting it simply would be to answer YES to the first question instead of
sleazing your way into a thousand words false apology where you don't admit to
have ever done anything wrong besides leaving old APIs running for longer than
they should have (!)

Also, nothing Facebook does is about "helping people". That is not their
business. Their business is exploitation.

~~~
chillacy
Is all business exploitation? And capitalism is the problem?

Businesses have to have customers and users to survive, even tobacco companies
provide value to users even if their product kills them.

If Facebook provides 0 value, stop using them and all the other rational
people will too. If they provide a modicum of value, then people will use them
if the value delivered is below the cost (cost includes privacy violation and
bad trust).

------
AJRF
“Did partners get access to messages?

Yes.”

That’s all the article needed to be.

------
sys_64738
Why would I believe the fibs from an ad company?

------
Humdeee
> We’re already in the process of reviewing all our APIs and the partners who
> can access them.

Translation:

    
    
      chmod 777 *

------
AdmiralAsshat
> To be clear: none of these partnerships or features gave companies access to
> information without people’s permission, nor did they violate our 2012
> settlement with the FTC.

Always take note of the defense, "It was legal." It is the last defense of an
opponent who knows they have lost the moral battle.

------
cryoshon
there's nothing to clear up. the statement is a non-denial denial when you
read it closely.

~~~
askafriend
I don't understand your point.

It reads like a fairly clear and descriptive statement to me and in-line with
actual facts reported by the newsmedia (without the messy presentation of the
newsmedia).

------
ilovecaching
This is just more NYT slander to finish off their biggest advertising rival.
Nothing about this was out of the ordinary or hidden from the user. The next
article will be the NYT saying Zuck broke the public’s trust because Facebook
had this thing called an API which is totally evil and corrupt. It probably
stands for Anti-Privacy Interface.

