Hacker News new | past | comments | ask | show | jobs | submit login
Facebook Doesn’t Tell Users Everything It Really Knows About Them (propublica.org)
438 points by colinprince on Dec 29, 2016 | hide | past | web | favorite | 267 comments

There must be many HNers who work at Facebook. Anyone willing to make a throwaway account and tell us how it feels from the inside for Facebook to be one the wrong side of so many ethical issues? It just seems like in so many dimensions they've been caught saying wrong things or appearing to outright lie, and I'm curious how developers who work for them think about aiding a company that seems to be so compromised at the moment. Now that it's fairly clear that the service doesn't serve any unique, unambiguously positive purpose, what world-changing mission can you possibly decide that Facebook is achieving these days?

It's easy to forget on HN, but there is far from universal buy-in for the notion that having or collecting data on people is unethical. Some may even consider it noble to optimize and perfect the world and its institutions (including commerce, via efficient advertising) using large-scale personal data.

The impulse to make something better by applying a database engine that you might feel for business processes, can just as easily be felt for customer interactions or the world at large.

For an interesting (and very critical) look at this philosophy I recommend The Circle by Dave Eggers.

It's not even just unethical, it's also illegal in many places. Facebook (and Google and many others) are constantly violating European privacy laws and hide behind the Irish government who protects them against the rest of the EU. As an example, in Germany, data privacy is a basic human right and in theory things like the FB Like Button or Google Analytics just collecting data in the background without a user knowing is illegal. In theory, any site using Social Plugins/Google Analytics would need users to opt-into the data collection, but of course nobody does this and going against FB/Google for these kinds of things is near impossible right now. See http://europe-v-facebook.org/ for more information and examples.

The current EU data privacy guideline will be replaced by a regulation in 2018 and Safe Harbor has just been replaced by Privacy Shield for EU->US data transfer, but it will probably not change much.

Compared to the EU, in the US data privacy is hardly existent but people seem to accept it.

edit This is not even touching on the fact that all the data these US companies mine of European citizens is also accessible by the NSA in one form or another (no, Privacy Shield does not effectively prevent this) and the implications that arise from this.

> in Germany, data privacy is a basic human right

This! Seriously, there's moral relativism and there's squabbling whether a human right "would be nice to have". They/we don't call it a human right lightly. It's to shine a spotlight on something very important that people otherwise don't realise.

> This is not even touching on the fact that all the data these US companies mine of European citizens is also accessible by the NSA

Well in a way, it does. Total surveillance by governments that openly admit you have zero rights in their eyes (as do their citizens, by the way, many times, even on HN ...) is one of the many terrible implications of the existence of these databases.

The US doesn't have the privacy parts is WWII in memory. Where govt workers had to scramble to destroy what data they could before it was seized, where fire fighters let document storage burn as long as possible because it had census data, where others where forced to go through govt. Data to sentence neighbors to death, and similar hero/horror stories.

I feel that the IT world is irresponsible in its collection of data, and doesn't treat it as the liability it is.

(What's the proper word for old data/information before computers)?

> I feel that the IT world is irresponsible in its collection of data, and doesn't treat it as the liability it is.

A lot of that is due to a lack of training. There's two major ways new people come into programming.

1. Go to college, get a computer science or engineering degree.

2. Self taught.

Neither of those prepares you to deal with the ethics of information storage.

I happened to have an entire course on the topic but only because I took an Information Science minor with my Computer Science major. That course wasn't even an optional elective for me otherwise.

A computer science degree trains you for thinking how to do something. It doesn't teach you how to figure if you should do something.

You can be lucky if a college education in CS/SE teaches you about open source licensing, even more so if it deals with privacy in any way.

IMO every SE curriculum should contain a mandatory course looking into historical precedents how information was used in genocides and oppressive regimes (Nazi Germany and the German Democratic Republic are two of the most obvious examples but there are plenty others).

It's ridiculous how it took Trump to get elected for the liberal techies in my Twitter stream to realise that the US government has the power to do really bad things with all the data FB & friends have been collecting.

What literature did the course provide? I would like to teach myself more too. The lack of any so far in my programme is making me really pessimistic.

If the ability to enumerate targets for holocaust is our concern, then tech companies are a bizarre place to start caring. The institutions we should be attacking are the DMV, voter registration, and the Social Security Administration

Why that? The data collection you're talking about is relatively constrained and transparent - all those institutions have a well-defined range of data they are allowed to collect, using well-known procedures.

On the other hand, the data private organisations collect is not restricted - neither what data is collected, nor how or from who.

If voter registration started to ask for skin color, there would be immediate public outrage. If credit scoring services include skin color as a scoring factor, it's a trade secret...

Why does the subject knowing about it make it any less useful for genocidal purposes?

You pretty much need a state ID or drivers license, which lists your skin color. Political contributions are a matter of public record for anticurruption purposes. Vital records offices are more than sufficient for tracing ancestry. Welfare offices know who is poor and medically needy. Telecoms and the post office knew who you communicated with.

There was more than enough information to mount a holocaust on any of those axes long before the current crop of tech companies.

Different, though: Now its all in one place, stored forever, and in much more detail: your cell phone leaks your location continuously and in real-time, your photos and videos provide detail we are only just learning to harvest, your formerly secret or at least hard to track written communication is now trivial to record and analyze, and with the coming of IoT all this is just getting a bit more minuscule. Future governments seeking for unwanted persons will have an unprecedented dataset to profile whomever they might not agree with.

Again, this worst case scenario may not happen, but the fact that it can, even if only with a small chance, makes this massive data collection totally irresponsible.

Skin colour, religious and sexual preferences ... One can only hope the next dictator shares your lack of imagination.

Also it's a bit of a bizarre argument that tech companies are doing data collection on such a massively intrusive scale, we should really look at the government databases first because they're already more than enough to screw us over with? It's not even a "but they're doing it more!" ...

>(What's the proper word for old data/information before computers)?


Yep. I also remember hearing "records" in addition to "files" back in "the day". The reason, of course, these terms have come into computing is by analogy with their "old-world" counterparts.

That said, I wouldn't consider it wrong, per se, to call it data or information these days. Strictly-speaking, old files and records do constitute data, whether they happen to be digitized or not.

The problem is misleading the public about the nature of the information gathered and the shady ways that the information is sometimes used. If Facebook were only gathering information necessary to improve the experience of its users, and were not selling that information or lying about it, I don't think you'd see the same backlash.

> If Facebook were only gathering information necessary to improve the experience of its users, and were not selling that information or lying about it, I don't think you'd see the same backlash.

Facebook doesn't sell information, it sells ads. That's not the same thing.

They sell ads by offering this information in the form of targeting.

I've worked at an ad-serving company. Clients couldn't get our data out, it's behind the scenes to them. Business-wise, it would be undermining our own product to offer anyone's personal information. There are other companies that do this focusing just on the collection side, which sounds like what FB is buying - but for FB to protect their position they're going to try to keep lids on that.

The companies that try to sell those types of profiles, by IP or cookie syncing or whatever, seemed to get it wildly, wildly wrong - but the role of accuracy/auditing in the ads business is another discussion. FB seems to be buying a different sort of data than we were, since they know so much more (first/last/birthdate, etc).

Anyway, this is a problem that doesn't start or stop with FB, and the brokers are the dangerous part.

I worked for a few years at a company that provided a SaaS IVR product. Think call centre call routing, and PBX features on any dumb phone.

As people shy away from phone calls, and with the competition of VoIP, we gradually saw the erosion of the price per minute we could charge (roughly 40% drop over the course of 5 years).

The company tried to shift by looking at the data we had available. Millions of phone calls, and we knew exactly what kind of service was being called. Banks, airlines, airports, sex lines, restaurants, customer support, whatever. We could see when people called most, for how long, and we even knew which service inside the call centre they were talking to.

It wasn't long before the company wanted to exploit this, and they started working on the ability to play ads while people were waiting to get in touch with a service representative. Targeted ads.

Based on phone habits, we could tell whether the person calling was a stay-at-home parent, retiree, teen, young professional, etc. We could also tell their gender, in 60-70% of cases.

Because of the technology, we had access to actual phone number, even when people called with restricted identity. It's just how it works when you are registered as a "network operator".

This shift from "let's provide an amazing service" to "let's mine the crap out of everyone" definitely contributed in my leaving the company.

Starting a database with personal information on a large amount of personae. Without them knowing about it. Refusing to share the gathered information. All of this is legal in the US? In the EU???

The EU has restrictions on this kind of stuff - http://ec.europa.eu/justice/data-protection/data-collection/...

> I've worked at an ad-serving company. Clients couldn't get our data out

That's not really possible. Proof: Say Alice is your client, and her ad targets gay people (even though the ad or the advertised product itself is not necessarily related to being gay). Then using your data about sexual preference, you serve the ads only to gay people. Only gay people will see the ad, and thus only gay people will reach Alice's website. Hence Alice got the data out. QED.

They have to make money somehow, don't they?

The mafia defense? Really?

Why not, you are using their "free" services, and if you would care to read every word of the user agreements then it lays out exactly what they information they "collect". What they "collect" and what they "know" are two different things, using data analysis they can speculate many other aspects of a user with a pretty high degree of accuracy. They should not have to disclose this, the user has given them the data as agreed. If the media and privacy nuts didn't always put an evil spin on it people might actually realise that things in life aren't free. I know many people who enjoy using facebook for free, so why shouldn't Facebook make money from that. Just because they know alot about you doesn't mean that you absolve responsibility for giving out so much information in the first place.

Giving information directly to facebook is one thing. The article is about FB gathering info not directly given to them.

Imagine the government put a policeman on every corner and they recorded the movements of every person in the neighborhood at all times. 4:36pm Mr. Jones walked to newsstand, 4:43pm Mrs Jones opens front door, looks around, closes front door. 4:45pm Mr. Smith dog starts barking. 4:51pm Unknown man shows up at Mr. and Mrs Miller's house. Mr Miller is not home. She invites him in. 5:01pm Mrs Wayne tends to her tomato garden.

Many (most?) people would feel creeped out to know they are being constantly watched and all activities logged. And yet Microsoft, Apple, Google, Facebook and a bunch of others are trying to do exactly that through your computer, your online activity and through your phone and eventually they'll probably also do it with cameras and mics

It is rumored that some metro systems are utilizing face recognition technology. Also, I'm pretty sure our license plates are scanned and recorded as we drive throughout cities.

mafia is free as well... you could not use their "service" but suddenly you realize you can't, because you're cut out (depending on where you live in Italy this could be literally true, you're just cut into pieces) if you don't.

If you want your client/user/customer to be aware of something you put it on your front page or packaging in plain language and a large, legible font. T&Cs/TOS is where you obfuscate information that you're legally obliged to 'inform' people of, but you really wish you didn't have to and you hope they'll never see it. Nobody reads the T&Cs of every product they use. I know this, you know this, everyone knows this. To suggest otherwise is either naive or disingenuous. It may be commonplace but it's really not ok and we shouldn't accept it. To defend companies doing this is enabling and shameful IMO.

Surveillance could indeed have many beneficial uses in a benevolent, voluntarist sort of society. Unfortunately we don't live there. The world is still largely run by warlords, narcissists, and sociopaths.

The "standard" counterargument here is that warlords, narcissists, and sociopaths can only operate effectively in private, and their capabilities would be severely limited in a world where secrets are hard to keep.

I understand you don't necessarily buy into that argument, but allow me to offer a counter-counter.

That argument relies on the collected data being closer to the truth, than the absence of it. I think that may be true for (statistically) normal people. But for narcissists and sociopaths, it may also be a helpful tool for someone creating a fake alter ego of benevolence and 'harmlessness'.

Why would the warlords, narcissists and sociopaths get rid of their own privacy? Zuckerberg seems very keen on preserving his...

Most likely simply don't think about it in enough depth to form a view either way. Collecting data to make the app make connections better is the "acceptable" view. The artificial bubbling is probably widely known - as it's recently hit mainstream thanks to all the fake news.

The implications and other uses and data transfers are not talked, or often known about. Just like when you look into food production or global supply chains you find many inconvenient truths there too. As age is so often correlated with cynicism it's probable that many tech applicants (to FB or anywhere) are simply not adequately cynical yet. There's quite a few cases of high profile techies suddenly and surprisingly (well according to reportage anyway :) becoming rather anti.

btw I thought The Circle far too gentle, and simplistic, about the criticism.

Perhaps it's the "cynical Brit" perspective as I felt very much the same about Black Mirror after arrival at Netflix.

It's not because one doesn't think it's unethical that it is ethical. The very existence of the question implies that there is an ethical issue here.

Moreover, in the age of information, the one who knows more about the other becomes a potential predator (every country has secret services and spies).

Facebook (and others) knows a lot more about me than I do myself because their computers don't forget, because they analyze what I do in a way I don't.

Moreover Facebook can be tied to other companies or institutions with my consent.

So although the optimization might seem like a good idea, I think it also needs to be put in context. Is this really a good idea. Is optimizing advertisement a noble goal ? It's useful for the advertisers, true. But is it useful for their targets ?

The problem I have with it is that Facebook decides what "improve" means -- it tries to groom me like cattle rather than ask me how I want to experience it or who I want to be "optimized" in to being.

And that's okay, so far as they're open about it. But I don't think they are, especially the sophistication of their psychology research (and experimentation).

I appreciate that, but most people don't know how they want to experience it. E.g. people will say they want to see everything in their feed, but if they do get everything, they complain about how much crap there is

The assumption being that this is not how people want to experience it?

If there's so much crap, maybe I want to be able to complain about it.

People might act on the tsunami of crap in manners that may not be profitable for Facebook.

The solution to undesirable, stupid, homeless, uneducated, etc etc isn't to hide it from your vision.

If you don't like Facebook, don't use Facebook.

Not an option. They have a shadow profile about you anyway.

Aside from that this is as silly as "If you don't like organized crime don't buy stuff from the mafia and there's no problem."

I think the problem rests more on the fact that as it stands Facebook profits regardless as to whether or not you use it. The same collection happens across numerous non-Facebook sites and apps, from data other people reveal about you, from apps and companies that are bought up by Facebook, and so on. The idea of "if you don't like it just don't use Facebook" becomes very difficult to implement when modern existence feeds into Facebook it seems.

It's the involuntary participation in facebook's arrangement that people are bothered by.

> If you don't like Facebook, don't use Facebook.

And don't use any site with the Facebook "Like" thumbs-up thingy, which is tracking what sites you visit.

I blocked those pesky buttons using Ublock no social list.

Actually, if you don't like Facebook, litter it with disinformation until it becomes an unreliable and undesirable source.

About twenty years ago we probably surpassed Orwell's 1984. Until ten years ago, the secret services of the world's governments would have done just about anything to get this kind of personal data. Five years ago, Facebook & co (twenti in Spain, vkontake in Russia, etc.) started to convince people to hand that info over for free. Today people are saying that somehow improves their lives, or that they have "nothing to hide". What do you think will happen when, in a few decades in the future, your personal, detailed history ends up in the hands of a government that is rattled by debt, ever increasing poverty and unemployment, and political instability, in a world much like in the 1930s? Not that that scenario must happen, but it can, given today's outlook, and history tends to repeat itself...

The Circle was an interesting idea wrapped in a really terrible book. Every page was full of terribly-paced plot development, one dimensional characters and cliched rip-offs of 1984.

The Circle is due to be released as a movie in April.


> Some may even consider it noble to optimize and perfect the world and its institutions (including commerce, via efficient advertising) using large-scale personal data.

Data they don't own. So I suppose, "noble" in the Robin Hood kind of way.

Also, "efficient" in what way? What metric do they optimize that lets advertising benefit society?

Seconded. I would gladly hand over my personal data if it means improved FB/search experience. I think there's a large number of people who share my viewpoint. If someone is concerned about protecting their online privacy they have the option of not using those services. (I know about trackers on third-party websites. It's pretty trivial to block them.)

So how do I prevent my friends from uploading my phone number when they share their contacts? What do I do when they take pictures at a party and upload them? Should I have to jump out of view every time somebody takes a phone out of their pocket? Give only "trusted people" my phone number?

You don't, and can't. Not beyond perhaps choosing better friends.

Information about you is not necessarily owned by you.

mostly agreed. i would be okay of 1) the data never left facebook, 2) i had access to all the data, and 3) conversation content and contact data was specifically excluded.

> Some may even consider it noble to optimize and perfect the world and its institutions (including commerce, via efficient advertising) using large-scale personal data.

That's all great, but how can I opt-out? Even without a facebook account, they are collecting my data.

yes it's always unethical. even more if you don't ask me or hide the fact that you're doing it. it's only acceptable if it is for public research.

lmao the mental olympics needed to arrive at the conclusion "data collection to improve advertising efficiency" is noble.

Reminds me of one of the recorded AOL customer service calls from someone trying to end service.

AOL: Hi, this is John at AOL. How may I help you today?

Ferrari: I want to cancel my account.

AOL: OK. I mean, is there a problem with the software itself?

Ferrari: No. I don't use it. I don't need it. I don't want it.

John disputes Ferrari's claim that he never uses the account.

AOL: Last year, last month it was 545 hours of usage.

Ferrari: I don't know how to make it any clearer. So I'm just gonna say it one last time. Cancel the account.

AOL: Well, explain to me what is wrong.

Ferrari: I'm not explaining anything to you. Cancel the account.

It goes on like this for 5 minutes.

Ferrari: Cancel my account. Cancel the account. Cancel the account.

From: http://www.nbcnews.com/id/13447232/ns/business-cnbc_tv/t/how...

IIRC, from the audio the AOL rep. just goes on about how he's "just there to help you". To me, this is the same. "We just want to give you the best advertising that is relevant to you!" So possibly these people just take them at face value. Which is usually a bad idea when there's a profit motive.

In the end, it all boils down to persons and personalities, and most important uglyness and shortcomings. Part of their surface pretends to think it's noble, their real self know how they are inside, they live with themselves 24/7, and they know it's the shriek of a ghoul scrambling away from the light. They want a glove to interact with the world, not because the world is dirty, but because they are, and cannot face themselves. So we will make them for them.

It may be good, but it's not democratic.

NSA recruiters came to a class I had in college. I imagine Facebook employees would have the same sort of party line drilled into them.

Yes the NSA takes privacy very seriously. The NSA spies on everyone else but doesn't spy on Americans, period. Oh, well yeah of course we collect data from Americans but if we find out we are looking at an American's data we're supposed to throw it away immediately.

Throw in a harmless joke about "big scary NSA" to lighten the mood. Nice salary, nice benefits. Most of the students ask for applications after class, it's a career forum for area studies majors and this is by far the most lucrative job presented in the semester.

It's honestly pretty easy to make a deal with the devil, especially if you're smart enough to argue that he's not the devil.

I never got why HN are angry at NSA since they spy on Americans. Spying on me (non-American) is okay, but spying on an American is wrong?

I feel just as violated as any American by the thought of NSA spying me.

What astonishes me the most is the absolute double standards US government has on this issue. you are US government and it is perfectly fine spying and collecting data from people and organizations outside US jurisdiction. You are a person outside US jurisdiction and have an unauthorized look on US government data, and US government tries to get you extradicted to US and to face charges?!?[1] That just makes morally zero sense to me.

[1] https://en.wikipedia.org/wiki/Lauri_Love

It's the same with drone strikes. If you look at the recent controversies about the drone program in the US, it's all about how Obama authorized drone strikes on an American. Illegally assassinating non Americans without any form of trial or due process is perfectly fine.

1. An American is anyone living in America, (?citizen or not?).

2. A US entity is tasked with info collection on the rest of the world (and is good at it).

3. US entities funded by the US have rules that prevent them from spying on those who fund them.

Completely understandable and predictable.

We are discussing morality and ethics here. Almost all such scenarios can be explained and accounted for by the unsymmetrical distribution of power, including that of the spying of US agencies on American citizens. Indeed, it is completely understandable and predictable given the way the US government is structured. Governments(or any institutions for that matter) tend to act in their own self interest first and foremost, not of their citizens.

> The NSA spies on everyone else but doesn't spy on Americans, period.

Ah, so that's settled then. So, spying on normal people and prying into their private lives is ethical - as long as they aren't American?

What about American expats? How does the NSA distinguish between them and non-Americans?

What about the Five Eyes? Perhaps the NSA doesn't read about your juicy personal life but GCHQ does because the NSA handed Americans' private data over to them?

You'd have to be pretty blind to not see they in fact are the devil.

I'm thinking a lot of people misread GP

> if we find out we are looking at an American's data we're —supposed— to throw it away.

Keyword emphasized, and anyway ahat safeguards are there to ensure that they won't turn against "undesirable" Americans at any point in the future?

Like how the American citizens of Japanese origin were more-or-less extra-judicially just herded into camps back around WWII, and the perceived "risk factor" of American Muslims right now.

An observation: I recently watched a presentation from a developer who works at a random adtech company. He was a nice, albeit naive guy. In order to explain the technical topic he gave a bit of context about the business. It was so creepy, you could feel the audience thinking - Oh-kay. He didn't even notice.

Now. I watched hundreds of technical presentations from Google and Facebook engineers. Did a presenter ever got into the details on how they track the user for what metric, and so on. Not a single freaking time.

Andrew Ng recently told in a presentation, that all data must be accessible in one place. Did he came across creepy? Not at all. He is such a professional person, that he can even weave in a remark about privacy just right beside the talk about the uber-data-warehouse.

That is professionalism. I expect Facebook to have a silent policy about talking about things developers and admins see on the inside.

Apart from this complex issue. Who inducts ethics for managers? Why do people come up with bad ideas (track all users all the time, or buying such data for that matter) in the first place? Hint: The problem is not developer ethics.

It is not wrong when you benefit from it.

This is a human trait, people do not see the wrong on the things you benefit from.

For example, did you ate beef or fish lately? When was the last time you thought about the animals that were killed in order for you to eat them. Have you seen the sacrifice of an animal needed for eating it. In Mongolia or Middle East nomads will sacrifice the animal in front of you before eating so you know what you eat is the best they have.

Imagine that cows were able to think like humans, and remember what you did to their veal. As a children I worked feeding cows and they are not as stupid as people believe, and they like horses have emotions and personalities like humans have.

When humans personally benefit from something it is very easy to just rationalize it. Humans rationalize everything.

Workers on facebook are multimillionaires that are pretty happy about their life becoming the new central intelligence of the World. They will rationalize it as a good thing focusing on this service being needed and useful for the world, as it is.

The problem is that even when the best of intentions, Governments, and secret services of countries want to use this service for nefarious purposes in the same way that if you centralize money in one place, some people want to take it by force if necessary, if you place too much personal information in some place, some people will want to take it for their own use.

Ironically I'm a vegetarian for just these reasons. I don't say that because I'm perfect (I am not yet fully vegan, for example) but because I do take ethics seriously. Maybe we do rationalize too often, but shouldn't we still try to work against that impulse? The fact that something unethical benefits me generally makes me more upset, not less upset.

Thats great of you, I am vegetarian by birth, became vegan by choice , Even in vegetarian people rationalise when they come to terms with messy aspects of dairy farming.

The question of ethics is weighing hard on me, even normally rational people who talk about human rights etc turn off their ethical circuits when question of meat comes up .. I think this points to a deeper question of how rationalising can affect morality ..

Does average human consider their wants above ethics he seems to subscribe? , why is hypocricy not making many upset? Many won't consider themselves as beings who put only themselves above others, they cry out for morality, but when question of ethical boundaries they themselves cross, it becomes question of rationalisation.

One has to really ponder, did a slaver in the past (sad that its not that ancient) who cared about ethics of his fellows , rationalised away his slavery?

If people really thing about this in terms of past people rationalising stuff away, if they feel upset about that, maybe it will lead to them thinking about ethical problems they too rationalise away

>This is a human trait, people do not see the wrong on the things you benefit from.

No, people very frequently do see that things have downsides. Only idiots think in black and white of 'right' and 'wrong'. For example, you just commented on a site that requires electricity to operate. This usage induces electrical demand and you have therefore contributed to global warming and assisted in killing polar bears. Will you choose to kill more polar bears to respond to me, or do you think it's not that simplistic now?

>Workers on facebook are multimillionaires that are pretty happy about their life

There are tons of people that work at facebook that are not millionaires at all. Most hires at facebook today are making standard SV salaries that could be made working for other companies.

cows are even more stupid than you think. Your view probably comes from interacting with them as a child, being not very smart yourself. I've grown up in the italian country farming animals and I've seen cows stupidity literally kill them.

  > When was the last time you thought about the animals
  > that were killed in order for you to eat them.
I don't think of them often but I grew on the farm so I could witness (and sometimes particpate) in the whole process. I see nothing wrong with that. I could even see more wrong in the attitude where people become veg(etari)ans for "ethical reasons". That's some fucked-up ethics, if you ask me.

Why it's fucked-up? If i feel bad eating an animal and i can live without eating one, what's wrong with that? <edit> (Hello from LT.)

So you think people who avoid unnecessary killing are ethically fucked up? Hitler, is that you?

SoftGooFace: We can easily double your current salary.

Engineer: Oh

SoftGooFace: You don't have to worry about employment ever after

Engineer: Oh

Soft: We are so powerful, we can dump unwanted OS upgrades on people Goo: We are so powerful, people are terrified of linking to other sites Face: We are so powerful, even heads of state better watch out before criticizing us

Engineer: Uh..

SoftGooFace: Every time someone makes a critical comment about your employer, you can look at your bank account and tell them to f-off

Engineer: Uh..

SoftGooFace: And we open source everything

Engineer: Oh, where do I sign up?

And yet they underpay and also use their lobbying muscle/money to change laws to keep engineering pay down.

Note the sheer desperation to keep the pay secret so it doesn't turn into an auction for scarce resources for engineering talent the way it does with lawyers, bankers, MBA's. If you're in it fore the money don't work for facebrick.

payment is relative. to the rest ofnthe world, all of the SV engineers looks grossly over paid.

> to the rest ofnthe world, all of the SV engineers looks grossly over paid.

Only to people who don't understand economics. I know the salaries in NYC are high as well, but I understand the cost of living that drives that.

no, even to people who understand economics.

the only reason the cost of living is so high in SF is because of grossly over paid employees who drive up the cost of living. its a private little island of inflation.

Ive made a lower SV salary after my education in Bern Switzerland. I had to pay way less taxes, had benefits included, and cost of living was lower as well.

Lobbying to keep pay down? To what does this refer?

> open source everything

Sure. Like they open sourced their Blu-Ray cold storage system. Oh, wait, if they do that, people will realize they should be sued for using the word "delete", since you can't remove data from Blu-Ray.

The standard way to do this is to store the data encrypted, and store the key in something modifiable. Then when there's a delete you scramble the key.

So who is auditing Facebook, making sure they actually do that?

Open source is catnip for software engineers.

It's worth remembering that ethics go beyond software rights.

I have a friend at Facebook. Yes, they do understand that some data they collect is pretty ... private. But since it's good for Facebook -- it's good for them. In all personal discussions they defend the company to the point that I started feeling like there is some mind-washing going on. Of course it's just a feeling, but my point is -- they don't think it is bad.

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.” - Upton Sinclair.

Same, I have a friend who works there, often tells me about how good his stock prices are etc, never ever heard him talk about ethics, it's just not even on his radar. The other day I installed messenger (in the hope I never have to login to FB web again) and received a message about 15 seconds later saying, "Good boy, that's good for my stock prices" ha.

I know what you mean though, it's like they're trained not to discuss topics with outsiders or something?

>I know what you mean though, it's like they're trained not to discuss topics with outsiders or something?

Pretty standard amongst companies to discourage employees from talking politics about the product.

It's hard to work for any software bigco that doesn't have an ethics violation somewhere. Same as living in a country without an ethics violation attributable to it's govt. Google is probably the scariest one out there out of all of the bigcos because of how much data they have on the world, yet they cover themselves with a cutesy image.

Such an odd impulse. I've known guys who sold heroin and meth on the small to medium scale, they don't defend the drug or their actions except to perhaps say "I'm trying to take care of my little girl". It might be a socioeconomic thing coming from a poor background nobody is really proud of what they do to make ends meet so nobody has to pretend to be.

There is no personal gain or advantage to dwelling on the bad things your company could be doing. So if you work at company X and company X does some bad things but you're working on something you consider not bad, you focus on what you're working on. Sure you'd do things differently if you ran the company but you don't, so you just ignore that stuff. Mental self defense at its finest.

You also don't want to rock the boat and bite the hand that feeds you (and your wife, children, etc.).

I heard the urinals at Facebook have a sheet at eye-level where the week's "metric-to-hit" is posted.

Methods like this seem to be effective, but creepy and invasive.

That can become common at many larger tech cos. Usually its about some random technical fact, like how to write a better test or whatever else. It's community driven at about the sophistication level of a community newsletter.

The urinals at the rest stops among the highways here have sheets at eye-level telling people not to drive when they're too tired or drunk. Is that creepy and invasive?

I've been in the Facebook office and it's true that they have information posted above the urinals. Didn't really read it though.

Ideally, who speaks for your wants and desires? Realistically, who do you allow to speak for you on a regular basis? Your mom? Your boss? Perhaps an unhealthy narcissistic friend? Facebook?

Speaking for others is formulating emotional responses for someone else and then constructing a dialog that elicits those feelings in that person. Today, that can be done with software as has been shown time and time again with Facebook. In the past it's been the tool of choice for those who control others. Narcissistic parents or greedy corporations, the end result is the same: loss of choice for all.

I've talked with some FBers about this after one of them prompted me that I should apply for a job at FB. The rationale is entirely predictable (heavily paraphrased as most conversations involved alcohol):

* Zuckerberg has grown up and matured. We've all done stupid things at that age so we shouldn't measure him by his infamous line about how his early users were gullible idiots.

* There's no harm in retaining that kind of data. FB is handling the data responsibly because it's their competitive advantage. The only people who could get access are the government and we don't need to worry about the US government doing anything evil with it because that could never happen in the US.

* If you don't want to be on Facebook, don't use Facebook. Nevermind that Facebook will still track you with a shadow profile if any of your friends are on Facebook and staying off Facebook means you have no way to take down photos of yourself shared by others.

* If you don't want something about you ending up on Facebook, don't do it. If you have nothing to hide, you don't have to worry. And you can still ask for your information to be taken down if it does end up on Facebook.

* Facebook is just a company. They don't have any ulterior motive beyond creating a product users want. Market forces prevent Facebook from doing anything bad.

* Civil rights organizations like the EFF may be complaining about Facebook, but they just have a different opinion. They don't understand how Facebook works anyway.

* Who cares about politics? Facebook has a lot of interesting tech problems and it's a great opportunity. I can still go somewhere else if I decide I don't like it.

In other words: the Banality of Evil at work. Same reasoning that allows people to work for organisations like the NSA with a clean conscience.

Maybe I should add a disclaimer that all of the people I talked to were on the younger end of their 20s and most of them were likely drawn in by the opportunity to work on cool tech and the salary & benefits (like being hauled to conferences all over the world where speakers are often treated as celebrities).

I don't see how this is being on the wrong side of an ethical issue. Perhaps it is (somehow, after years of this being in the news) shocking that that data is collected about your life, but Facebook isn't doing the collection. Anyone can buy that data and many organizations do.

Facebook hasn't actually done anything here that is harmful, not with the non-shocking data collection from third parties and not with the data you willingly give them by using their service.

Even the fake news situation, which is another supposed reason why Facebook is evil, is purely a result of the hubbub over having human editors. When the human news editors were around, the news links were interesting, of decent quality and unbiased.

Facebook really hasn't been on the wrong side of any moral or ethical debate, just the wrong side of public opinion (or at least the opinions of writers who need clicks/pageviews).

> not with the data you willingly give them by using their service.

Imagine I am a producer of sugared water. Do I want you to delve into health issue associated with that? Not necessarily. As a owner of a site that lives from user interaction, do I want my users to go out without their phone and have fun without me? Well, do it, but only if you really must.

There is a conflict of interest here, but that's too disturbing to communicate. Period.

Most people don't have the time and money to check facts anyway, so let's just claim facebook is the internet (for example) - because, you know, without all this livestock, our investors get unhappy. Business as usual, I would say.

>Facebook isn't doing the collection

Who is it then that allows facebook like buttons and social widgets to be integrated into other sites?

Facebook does that data collection, but not the data that the article discusses - no social widget is responsible for figuring out your income or what you do at physical retailers.

> no social widget is responsible for figuring out your income

That is actually an intended purpose of many social widgets.

Not everyone agrees with your ethics.

I have no financial stake in Facebook (don't work there), but really don't see many moral problems with what it does. And I think their mission of connecting the world in a single easily discoverable network is absolutely world-changing and noteworthy. It's changed my world for sure.

I think a lot of fear is rightly grounded in history: it's clear that this much power in very few hands turns to shit at some point. Facebook may well be humanity's biggest concentration of power (knowledge being power). How do you keep an advantage when the other side knows >> than you could ever know? There's also the disparity in availability of AI, since large applications need powerful and thus expensive hardware.

To be clear, I don't think Facebook is flawless. All the issues you bring up are definitely true.

I just think it's unfair to assume that these issues automatically make Facebook evil and that there's no good they do.

They certainly could do good, theoretically. Problem is their business model, because manipulating people doesn't fall under "doing good". As long as they make profit by selling people, they're the opposite of good because their activity goes against peoples' interest.

i'm guessing to work for facebook the employees probably know what they're signing up for so it might not feel like "the wrong side" for them

Uber seems to be in a similar boat; HN comments from employees 100% defended the company:


Same for Google and its multiple violations of privacy. Great products, but everything revolves around selling user information to the highest bidder or general establishment Democratic/liberal cronyism.

Will we see a Democrat apply anti-trust laws?

Why is it Facebook's responsibility to discuss what your credit card will happily sell to literally anyone?

This story is utterly baffling.

Not a Facebook employee, but I don't see any particular ethical problem with the company. There's nothing in the law or Facebook's terms of use that obligates the company to release data they buy from third-party sources.

I'm not trying to agree or disagree with you here (for the record, I despise Facebook and anyone who works there), rather I want to point out that ethics often has no correlation with law. The difficulty in making ethical determinations is precisely that there is often no well-defined written criteria like a law or terms of use that dictate what are the ethical boundaries or what might be ethically or morally reprehensible.

Yes, I agree there can be unethical behaviour that is still lawful. But regarding the specific charge of deception it becomes much harder to convict Facebook if the company has done everything that they explicitly agreed to do.

In this particular case I cannot even see any shade of grey. I apply for a credit card. The application form states that the credit card company may pass the information about me to third parties. The credit card company tells Facebook my income. Facebook does not reveal to me that they know my income. Where is the deception?

And that's fine. Most of the "ethical" barbs I see being leveled about facebook are on the hypothetical/philosophical level, rather than the practical one.

As a general rule, I'm a lot more bothered by actual bad actions rather than hypothetical future ones. Facebook collecting all the data they want just doesn't even register as even sorta bad to me. (And no, I don't work there.)

I definitely disagree with you on Facebook being bad and there not being a practical component, however I'm willing to see what you are saying. There's a lot that can go wrong, but like you imply, it's mostly perspective. Sure it's hypothetical, but even those with the best intentions see the results of their work take interesting (evil) turns for the worst. Further, there's a lot that does go on that is not hypothetical and the problem tends to be that it is hard to educate yourself about if you are an outsider, i.e. not the person doing these things.

Regarding hypotheticals, if you collect data, it is always there for someone to abuse, whether they are technically "allowed" to do so or not by laws, company policy, or otherwise. It can and does happen more often than we believe as I came to find out from friends and family who work in government and legal roles. I am more of the cautious sort and would rather try to make a best effort that might not be perfect to simply mitigate and minimize the issue of the wrong thing happening. Though these cases may never happen, I am in the camp of "let's not make it easier."

As an aside, a lot of feelings towards these issues can be influenced by environmental and contextual reasons. For instance, I was raised in a family that lost a lot of people due, but not limited to things like data collection, humans selling each other short, supposedly good people making bad choices, and individuals acting highly in self-interest despite their "ethics." Further, I also grew up in a country more under constant and tangible threat than the US for part of my childhood and served in its army against very real threats during wartime. I'm certainly no action hero as my job was more of the engineering and intelligence nature, though I have seen first hand what people can, will, and tend to do with data, especially if there is money or physical security involved. Especially on the other side of things (i.e. our enemies) if they are losing. As such, I am more sensitive than most when it comes to people knowing things about me. I assume "they" know everything, but as I implied, I try not to make it easier than it needs to be and I actively throw in disinformation about myself. It helps if you know a thing or two about algorithms and the best ways to confuse them :)

Facebook has created a product that feeds an entire generation of low self esteem digital addicts their drug of choice. It perpetuates the idea of instant gratification without any substance. Facebook is digital cancer.

It probably feels pretty good from inside your very own Tesla.

You can replace "Facebook" with thousands of other companies. Everyone is doing this because the cost is low, its easy, and the return is massive. The sole service my roommate's company does is match your customer with data about them from countless other sources.

If you want a peek into a small section of this type of data, go build a facebook ad. You can see all the targeting options. You can upload a list of email and build a "look a like" audience of people who are similar to your customers.

A company called cartalytics will let a brand purchase lists of people who have bought a specific product in the past 6 months and show them ads. Ex. If you've bought a big mac (with a credit or debit card) in the last month, I can show you McDonalds ads.. but they are super expensive.

> match your customer with data about them from countless other sources

With so many data sources, it should be easy to find proxies for protected classes (race, sex, etc). Indirect discrimination was (and still is[2]) used to enforce racial segregation ("redlining"[1]). Facebook was recently caught[3] enabling direct discrimination. I wonder if your roommate cares that his company is probably doing the same thing indirectly.

[1] https://en.wikipedia.org/wiki/Redlining

[2] https://portal.hud.gov/hudportal/HUD?src=/press/press_releas...

[3] https://www.propublica.org/article/facebook-lets-advertisers...

We both discuss how our jobs will step over moral lines on occasion. It is something I don't like, but not something strong enough to make me quit. If I were in charge I wouldn't be supporting some of these types of advertising.

Apple, for example, seems quite committed to competing on the fact that they do not do this...

Apple has plenty of its own ethical issues, starting with 350,000 Chinese workers paid $1.90 an hour in dubious conditions.

Well, that particular issue is not really Apple's "own" - pretty much every single tech company on earth benefits from cheap foreign labor.

But then they'll tell you that these employees are very happy to work at such factories, because they make way more money than they would ever make on the farm in their hometown, and often work there a year or two to save as much money as they can before moving back to where they lived before.

(Apple actually does way better than most other companies on that front - see http://www.apple.com/supplier-responsibility/)

Does it open an entire rabbit hole about the ethics of globalization? Sure. Is it a strictly black and white issue? ...heh.

They do.


Source that they don't?

I'd presume that they do absent a credible source they don't.

They don't offer any services that would benefit from it.

Search advertising doesn't require massive data collection, just bidding on search terms. Anyways, I bet anything Apple makes on app store ads is a rounding error compared to their hardware business. They probably don't care that much, and certainly have no need to go into the surveillance business.

They have audience options for ads (like age/gender/location, see http://searchads.apple.com/how-it-works/#features), meaning they collect data about their users as well.

Also, they colluded with other companies to, effectively, keep employees' wages down. Amount of money they saved was probably a rounding error for them in this case too.

Tangential question: Do you know if it's possible to identify financial institutions which don't sell this kind of data? Credit unions?

Up until a few years ago, credit card networks had divisions that were trading on transaction data, but they've had to shut those down. So now they sell the anonymized data to prop trading firms and advertisers. I think cash is your best bet.

Hah, I actually did a small project on some of this data for one of those companies. Pretty amazing what you can get out of 50 char descriptions at scale.

Do you happen to know the law that caused them to stop trading PII? Is it only the networks, as opposed to the issuers who trade information?

Small credit unions would be your best bet, but I'm not aware of any specifics unfortunately.

The problem is small credit unions still use co-branded cards with Visa/MC, etc who sell your data. I believe AMEX is your best bet for privacy, because you are already paying a premium to them, or good ol' cash money.

"Everyone is doing it" sounds wrong on so many levels.

Go ahead and take the moral high ground here. No one is stopping you. But you'll be broke as hell if you do (or run out of funding).

As someone who's been bootstrapping his own startup for the past ... 6 years and refused VC money (not for moral reasons), I have to take it. I still refuse to implement Google Analytics and integrate FB/Dropbox/Google in any of the projects I'm involved with.

Moralist? No, I'm just not into feeding the monster.

Got a link to your startup?

Total rubbish. Targeted advertising is not the economy.

maybe that's not the worst thing.


My first time creating an ad on FB was startling. I didn't know all those targeting options existed.

But, they've worked extremely well for my niche SaaS. We currently focus 60% of our ad budget on FB.

With it being so rampant, why is it so difficult to discover what people know about you. And what are the barriers to changing this?

Regulation. Consider EFF membership.


I think you mean Cardalytics.

The amazing thing is that hedge funds trade on aggregate credit card purchase data.

I know this is too late to get noticed much, but here's the truth:

This is a race-to-the-bottom. Everyone in this whole area has to compete with whoever is the scummiest exploiter unless they really go out of their way to sell their service with privacy and ethics as the top feature. So, some ethical niche services can exist, but meanwhile, everyone else is screwed, and network effects make any niche thing stay pretty irrelevant.

The only way to avoid races-to-the-bottom in a competitive market is with real enforceable regulation that outlaws the worst shit and requires truly effective disclosures otherwise. That's not easy, sometimes it's impossible, and it often has major negative side-effects and problems, but whether or not we determine that regulation is worth it or not, we know that races-to-the-bottom are a real thing, so we can give some leeway that each company isn't actively trying to be malicious — they are just competing in a race-to-the-bottom situation (and we can reject the dogmatic free-market people who deny that this and all sorts of other natural market-failures exist).

I agree that it's a race to the bottom but not that regulation is a way out. There are too many services employing too many engineers, and furthermore governments benefit from this massive surveillance. They pay for the results, and the direction in government today is towards less privacy, not more.

And if you do win the regulation battle, you only win it for the current generation of tech. There will be more, and every decade the power of information collection will get stronger.

I believe that we need to embrace the loss of privacy and ask ourselves how to transition to a world where one's personal history and daily life is freely available to the general public. I give it 30 years until we get there. The tech is certainly not going away.

>I agree that it's a race to the bottom but not that regulation is a way out. There are too many services employing too many engineers, and furthermore governments benefit from this massive surveillance. They pay for the results, and the direction in government today is towards less privacy, not more.

In Norway we have an independent administrative body of the government called Datatilsynet, known in English as The Norwegian Data Protection Authority. Wikipedia has a very short article about it in English [1] and a longer article in Norwegian [2]. For a translation of the Norwegian article, see [3].

Notably, the King and the Ministry may not instruct or reverse Datatilsynet's exercise of authority in the individual case according to law.

So while some parts of a government might want to maximize data collection and surveillance, it is still possible to have other bodies of the government work to protect the privacy of its citizens.

[1]: https://en.wikipedia.org/wiki/Norwegian_Data_Protection_Auth...

[2]: https://no.wikipedia.org/wiki/Datatilsynet_(Norge)

[3]: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...

The way I see it is until someone truly hacks Facebook and the data is used for really malicious purposes. Killing actual humans/ destroying bank accounts there is not enough of an incentive.

If US didn't bomb Japan, the general public would not have the same fear of nuclear weapons that we have today.

Well, I didn't mean to imply that regulation was actually a feasible answer (it needs to be enforceable, non-captured, effective… hard to do). Maybe it's hopeless. I was just suggesting that races-to-the-bottom can only be solved with regulation or other systematic measures, not asking each player to refuse to participate. If you're right that regulation won't work, then you're probably also right that it's hopeless.

There are some mitigating factors though, like if we push for software freedom and get rid of legal support for DRM… that at least will allow some level of control by technology users.

> Facebook Doesn’t Tell Users Everything It Really Knows About Them

I've been saying this for years. It's pretty clear that if Facebook told regular users just how much they knew, those users would be seriously creeped out (though, these days, probably not creeped out enough to do anything about it). I expect that another example of this would be the ability of their facial recognition system and the breadth of the database behind it.

Users are Facebook's product, and they should expect to be treated as such. The Facebook site and associated services are just infrastructure designed to a) collect information on users and b) give advertisers optimal access to those users.

edit: also, obviously, Facebook is not the only company engaged in this sort of thing. It's all around us.

When you download the archive of personal data Facebook shares with you, it includes some facial recognition data. Specifically, it gives 3 "Threshold" decimal values. Does anyone know what these numbers mean?

I read up on "eigenfaces", and it sounds like Facebook is most likely subtracting my face from the mean and then projecting it onto N different face-like and orthogonal images to obtain numbers like this, and so these numbers would represent the weights used to reconstruct an approximation of my face from a linear combination of basis images. But N=3 is way too small for this method to be useful. It seems silly to share these values with a user but not tell them what it means.

Facebook has far more sophisticated facial recognition systems than Eigenfaces, based on deep neutral networks.

I'm starting to wonder if we the people need to begin creating a sousveilance system to track public officials and corporate heads.

I really think what we need is to be willing to pay for the things we use so that we aren't aggressively productized for the benefit of the entities who cover that cost "for us".

I stopped using Facebook not because I was worried about privacy (although that did help) but because it was just a waste of time. It wasn't doing anything positive for me. All the features that I had once enjoyed had been removed or drowned under a torrent of advertising and aggressively "curated" (calculatedly manipulative) content.

Like, how about this: I pay $1 per month and I get a product that's actually built with me in mind, for my benefit, that I enjoy using. I recently switched to Fastmail (while I don't hate Gmail, it's not been great recently) and guess what: Fastmail is better, clearly more interested in catering to me, and it's dirt cheap. A product built for me... imagine that! Crazy talk, really, in today's ad-subsidized world.

Except that the ISPs, automakers, IoT venders, etc are tracking you too if they can get away with it.

It's perfectly possible today to pay for a service and be the product.

Farmers buy new pigs all the time to raise up and slaughter.

Everyone has been saying this for years. I honestly can't believe anyone would think that Facebook shares all their data with you.

> if Facebook told regular users just how much they knew, those users would be seriously creeped out

The sad truth: they wouldn't. They'd simply ignore it, because it would shatter their current beliefs.

Facebook have to respond to Data Subject Access Requests in the UK, which oblige them to send you every piece of personally-linked information - for a maximum £10 fee.

I did this with my bank a few years back and got back a box file full of credit scores, lending decisions and other stuff they'd never normally expose. Facebook's data for a busy user is going to be enormous by comparison - has anyone done this lately (and published / summarised the results?)

Max Schrems filed a request via the irish Data Protection Commission a few years ago and explains the returned data at [1].

Since then, however, the commission seems to have simply stopped processing requests, without any legal justification to do so [2].

[1] http://www.europe-v-facebook.org/EN/Data_Pool/data_pool.html

[2] http://www.europe-v-facebook.org/EN/Get_your_Data_/get_your_...

That might explain a pretty creepy thing Facebook did the other day to me.

I just created a new Facebook account after maybe 4 years of radio silence. Two years ago, I had a job doing IT contracting; often I would go to businesses and repair laptops or run cable to a COM room. We had very very few residential clients since they weren't worth our time; the few that we did have were really just courtesy for doing business for so long. I went to one residents home a SINGLE time, hardly interacted with the man, and he definitely did not know my last name.

Guess who pops up on my "Suggested friends", with no mutual friends or place of work or any similar "liked" pages? Yeah, that one client.

Similarly, we worked in a small office in a cold storage facility, and Facebook also suggested that I add their accountant as my friend.

It's really creepy, but if Facebook was able to know that I worked at that employer then it's possible that it was able to make the connection.

The most common source of those suggestions is phone contacts. Anyone using the Facebook (or Instagram) app is sending them a copy of their entire address book to be used for network mapping purposes.

How about Whatsapp? (especially since it apparently keeps all whatsapp contacts in "unknown" state if you deny the permission on android)

I don't know if this is still true given the permissions model on Android (don't know about iOS). I just checked IG and it only has access to storage. Contacts, SMS, microphone, etc are not enabled.

WatsApp can read your contacts.

Instagram, you say? Go on...

Instagram is owned by Facebook.

No mention here if this was the mobile app, but the IOS version will try and upload your contacts when you install messenger.

If you or one of your contacts uploads their address book then your friendship/connection can be inferred from the emails now in their database.

I'd guess your client has messenger installed if you didn't install it.

I suspect they do this if that client has your email address (even a previous one using the same first / last name) and gave Facebook access to their address book.

LinkedIn did this. Registered, also after years of silence on any kind of social media website other than email: "Would you like to connect with your ex-girlfriend who only emailed you one time at a different address?"

I can confirm with 100% certainty that the Facebook android app will scan all your contacts. If you got a guy's number (and maybe that guy got yours), he'll be suggested.

Yup. Same if you visit someone's page, if you're not friends, both of you'll get suggestions. It's annoying when you repetitively missclicked on an homonym. Some people working there are too proud of these features to remove them.

The more I stalk someone, the more I'm suggested to stalk someone. That is creepy.

I never even had a LinkedIn account and I get those emails from LinkedIn.

Or some other more active Facebook user knew both of you. It doesn't take very many hops of the graph to connect people who might not be aware of that connection themselves.

They know your location and proximity to other facebook users.

This is the actual answer. Your phone tried to connect to their wifi and knows they've also connected to that same wifi. With few other quality friend suggestions, these ones popped up.

Or, if one or both parties were running the Facebook app with location services enabled, it could also have been GPS too.

I wrote about this a few days ago.[0] Basically, new Facebook accounts that you run on the app with location services enabled will provide creepy location-based friend suggestions by default.

[0] https://news.ycombinator.com/item?id=13252568

This is fairly old but if you're curious I have since gotten a new phone and have not connected to their wifi; it was likely their contacts that were uploaded to Facebook which included my number.

Did they ever send you an email or a text? One thing I've had happen is that if the other person uploads their contacts/address book, you start seeing them as suggested friends.

> "He said users can visit a page in Facebook’s help center, which provides links to the opt-outs for six data brokers that sell personal data to Facebook."

The link provided is: https://m.facebook.com/help/494750870625830?helpref=uf_perma....

LOL. The amount of personal information requested at those "opt-out" links is suspicious and/or ironic.

Examples of information requested to "opt-out" of the USA partners' reach include: Social Security Number (!), date of birth, "all variations" of full name, all recent mailing addresses, ... (!!)

I thought that at first too. But they want to make sure they're removing the correct person. I don't know how else they could do it.

They're surveillance companies, so they could probably figure that out based on device fingerprinting if they wanted to. Or they could just remove every record matching the request, since no sane person actually wants to be in their database. But of course neither of those things will ever happen, for obvious reasons.

they could make it opt-in from the beginning, but that'll never happen

I like it when a company whose sole business model depends on pervasive surveillance states "we take privacy very seriously"...

>"For instance, opting out of Oracle’s Datalogix, which provides about 350 types of data to Facebook according to our analysis, requires “sending a written request, along with a copy of government-issued identification” in postal mail to Oracle’s chief privacy officer."

This is outrageous. Why is the onus on a user who never gave permission to a data broker in the first place? They deal in digitial domain when it comes to selling your data when it comes to consumers rights and concerns they operate exclusively via snail mail?

Don't expect this to change any time soon. These brokers have the US Electorate in their pocket. Bought and paid for.

It isn't your data. It is their data about you, which is a very important distinction.

Facebook and Oracle aren't the bad actors here, if you think there is a bad actor. The baddies are the people giving Oracle (and others) that data about you.

(And now I have to hang my head in shame for saying something that sounds like it is a defense of Oracle. They're baddies for many, many other reasons, just not this one)

If you’re an EU citizen, by law, all data about you is owned by you, and only by you. That includes personal data, but also any intellectual property you create, and is irrevocable (you can sell usage rights, but never the ownership rights).

So, yes, they have a legal responsibility to not have that data about you, and you can at any point require any company to delete any and all data they have about you, or created by you, and any data derived from it (oops, does that mean training neural networks on your private data means they have to be deleted, too?)

That seems particularly absurd (which isn't to doubt you, but as much as I like the EU, they have some absurd policies). If you take a very narrow view of data as just bits on a hard drive somewhere, then this seems reasonable.

But if the ownership right to your data is centered on the information itself, and not the company part, that raises issues. I can't simply destroy the memory of reading the message you wrote - is someone to cudgel me until I do? If I write in my diary that I saw xyz person walking down the street and they had blue hair, could they demand that I destroy the entry? Would they have to know about the diary entry before they could make such demands, or could they simply say, "destroy all information regarding me"?

Further, as I understand it, municipal security cameras are in wide use, particularly in European cities. Could I demand that the city/town/council/etc delete all footage of me ever? Could I deny them permission to make those recordings?

And last but not least, how on earth would this stance on data ownership not ruin data retention? E.g. this would seem to open up a pretty big hole where I could commit fraud or launder money, and then demand that my bank destroy the evidence.

These are all awkward questions that come up when you try to protect very broad definitions of privacy. Privacy is a thoroughly unnatural concept; In the physical world, it takes a lot of work to do anything in private, and even then, you're just making it easier for people to avoid stumbling on what you're doing.

> Could I demand that the city/town/council/etc delete all footage of me ever?

In fact, that is required automatically – all recordings have to be deleted as soon as possible, the maximum retention periods unless there is specific evidence against you is usually a few weeks or months.

> And last but not least, how on earth would this stance on data ownership not ruin data retention?

That’s literally what happened. The European Court of Justice has ruled that data retention unless technically required is illegal.

It's simple: you don't get to store data unless there's a technical requirement to keep that data stored to provide whatever service a user signed up for.

If a user didn't agree to their data to be stored in the first place, you don't get to retain it at all.

Whether you can discard data about a user "against their wishes" is likely covered by your terms of service. If you're a commercial hosting provider, there's probably a higher barrier than if you're a free doodling website. This has nothing to do with privacy, though.

If a user tells you to destroy their information, you need to destroy all information about them. There's obviously some wiggle room (e.g. if you keep a flat "view count" on an article, there's likely no way to argue that you should have to deduct the user's views but if you're keeping a record of "views" linked to user IDs the user ID may still be personally identifiable if it can be correlated with other data).

But most companies fail at deleting even the most obvious data. If you "delete" someone's account and they're unable to sign up with the same username or e-mail address again, you're likely not properly deleting information.

And that's if you even offer the option of deleting an account at all. It's horrifying how many (especially American but sometimes even EU) websites don't offer any such option at all or even simply offer an option to "close" an account, marking it as disabled but still retaining all data forever.

> Could I demand that the city/town/council/etc delete all footage of me ever?

Yes. Security cameras have strict regulations and generally recordings have to be destroyed eventually unless there's a good reason to keep them (e.g. they're part of a criminal investigation). This even extends to police cameras: if a police officer makes a recording (e.g. at a demonstration) and the recording isn't relevant to any investigation, you can ask for it to be destroyed ASAP (rather than waiting for them to destroy it). This also extends to other information like your name and address.

> I could commit fraud or launder money, and then demand that my bank destroy the evidence.

There are special laws for financial transactions and criminal investigations. There is such a thing as a "permanent record" but it is clearly defined what goes on it and what doesn't (and at what point it has to be destroyed). There are also very strict laws for handling such information, similarly to the strict PCI rules for handling credit card information.

You're basically arguing that privacy is a slippery slope but in reality it isn't. Privacy may be an "unnatural" concept but the expectation of privacy is a human right (like, officially, as part of the UN Declaration of Human Rights). The EU actually has very few "absurd" policies -- most of them only appear absurd when taken out of context. I assure you that EU privacy laws are not part of them.

Except for the cookie notice. That's not only ineffective but outright ridiculous.

Well, the cookie notice also only is ridiculous if taken out of context.

You literally have the cookie notice in your post, too, as the law simply states:

If you collect any tracking data about a user that's not technically required, you have to let them opt in.

This obviously means tracking cookies have to be opt in, and that's how the cookie notice came to be.

Technical cookies, such as login cookies, are exempt, obviously, but other tracking methods, such as storing in localStorage are included.

True, but I would argue that the idea of cookie notices is good but the execution is poor.

This is one of the few situations where a technical solution would have been better, e.g. having each cookie come with a specified purpose and letting the browser prompt per issuer and displaying the purpose to the user:

* 3 cookies from ads.google.com: "Personalizing the advertisements you see on this page" [Allow] [Deny]

* 1 cookie from share.facebook.com: "Social media integration" [Allow] [Deny]

* 1 cookie from analytics.example.com: "Anonymized site analytics. For more information see http://example.com/privacy. We value your privacy." [Allow] [Deny]

* 1 cookie from www.example.com: "Keeping you logged in as kuschku on www.example.com" [Allow] [Deny]

But this would require passing an actual web standard and getting browser vendors on board (and Chrome has a conflict of interest making them unlikely to support it without sufficient pressure).

This would have satisfied the legal requirement without creating the obnoxious obligatory "Please click 'okay' or we'll keep showing this message on every page" experience we have now. It would also be less error-prone because the failure state would be "users might deny unjustified cookies" rather than "site will send cookies regardless" when not implemented correctly.

Besides, browsers already ask for permissions for things like desktop notifications or geolocation.

EDIT: I'm not saying this shouldn't have been passed into law. I'm saying the EU should have involved browser vendors and investigated a technical solution before making the notices mandatory. Compliance would have then be easier ("just add these headers") and adoption would have been faster ("it's easy to fix and it's the law").

EDIT2: Unlike the old Semantic Web problem of websites being liars I don't think deceptive purpose statements for cookies would have been a noteworthy issue because it would be literally against the law in the EU to deceive users. It would also have imposed the burden on the actual cookie issuers and created incentives for EU websites to hold their advertising providers accountable to comply with EU laws (rather than build a kludge around them to make their scripts opt-in).

Perhaps someone in the EU bears this in mind: https://en.wikipedia.org/wiki/IBM_and_the_Holocaust The 'Final Solution' was facilitated by knowing who everyone was and where they could be found. The technology at that time happened to be the Hollerith Punched Card system.

Well, the go-to example is usually the Netherlands (they had a central registry of all Jews, so the Nazis invaded, and managed to eradicate almost all in mere weeks), but yes.

And the StaSi, with constant surveillance of everyone in East Germany, also is still in collective memory, and another reason why no one wants that much surveillance (although acceptance for surveillance went up since the Berlin attacks, quite a bit, actually).

I went to the Stasi Museum recently. And I remember thinking if you traded the physical surveillance(a man in a van) for the now near ubiquitous security cameras, both the US and the UK are on par with the surveillance state that was the former East Germany. Albeit a much more technologically advanced one. It's a sad irony.

What is the evidence that acceptance of being surveilled went up since the attacks? Opinion polls? Newly proposed legislation? Germany seems to be the bastion of privacy advocation these days so I am curious to hear. I hope that Germany resists letting politicians exploit a heightened emotional state such what exists while the country is grieving a terrible tragedy.

I had never heard this before about the Netherlands and the registry. Do you know why they would have had such a registry?

Opinion polls show that after a few days of searching for the attacker unsuccessfully, which could ahve easily been solved if we knew what he looked like (surveillance), the support for more surveillance went up.

And no, I don't know much about why the Netherlands had such a registry — just that they did.

The fruits of the bad actors, namely the data itself, is what needs to be regulated, analogous to what HIPPA does.

Some of those "baddies" you refer to are forced by contract to willingly upload that data and keep quiet about it. The penalties for breach of contract are severe; an entire company can go bankrupt overnight if they break the seal.

It's not black and white, I'm afraid. Those companies writing up the unfair contracts (Oracle, Visa, etc.) deserve a decent share of the blame, too.

There is plenty of blame to go around, people running data broker services are far from blameless.

iirc it's the same for facebook: if they think you're using a fake name, you'll have to mail them your government-issued identification to get your account back.

And you can send them any blatantly fake/photoshopped ID, supposedly issued by a random country's government, and ultimately they'll accept it. If it doesn't work at first, just keep reposting it, and it will.

However that's a criminal offence in some countries (because you're forging official documents or maybe even impersonating someone else).

You just have to upload it, not mail it in.

1. Of course! 2. It's not too late to delete your account. Go for it! 3. Block it all! https://github.com/jmdugan/blocklists/blob/master/corporatio...

Unfortunately, one should not believe that deleting your account removes the underlying data. The actual operation is probably more like, "set a bit that prevents anyone from logging in to this profile."

True, but I deleted my account 2 years ago, so at least they have a lot less info during that time. Also, I don't miss it at all, not even a little bit. I think it offers no value for my time, let alone data. I am not sure why I am still on Twitter, but Snapshot has been entertaining and LinkedIn invaluable.

I "deleted" my account three years ago, and just before doing so I changed my name to something nonsensical, and I created an alias email address on Outlook.com, set that as my primary email account on Facebook instead of my real Gmail email address, and then applied for a permanent deletion. I still have the confirmation of the"permanent deletion" from Facebook in that fake outlook.com account.

Back in November I started getting Facebook spam on my Gmail account, the "people you might know" your emails, and there were people I knew. I clicked on an unsubscribe link that led me to a login. Out of interest I used my Gmail account and reset my password, and within thirty seconds I was back in my account. It was exactly the same account as I had permanently deleted.

My assumption is that someone screwed up at Facebook and ran a query that updated permanently deleted accounts. I'm not sure what else could have caused this to start so spontaneously after years of peace.

You still have an account and they are still collecting data on you. AFAIK nothing has changed by your deleting your account.

> at least they have a lot less info during that time

How do you know? If FB can't be trusted to actually delete your account (and they can't) how can they be trusted to stop collecting data on you?

Presumably if you've cleared your cookies and you use an adblocker, their ability to reliably track your activity goes way, WAY down.

In addition to the standard protections of the adblocker and privacybadger, I also generally set a full block on all content from facebook[.com/.net] and any identifiable facebook subdomains. I really have no use for facebook, so it is zero imposition on me, and if I ever want to view something on facebook, I can open up a new private window in an alternate browser as a one-off (or, if I'm feeling paranoid, spin up a VM).

All of those precautions are orthogonal to deleting your FB account. You can do all of those things without deleting your account (only log in using an incognito window). Deleting your account may or may not change anything with regards to FB's collection of information about you. There is simply no way to know because it is entirely up to FB what the semantics of deleting your account actually are.

Yeah, that reminded me to clear my cookies again. Of course Facebook is there again. Even if they are somehow still building their dossier on me, at least I am not wasting my life on a site built for, I quote "Dumb F*ucks" - Zuck.

That'd be a legal hot-mess for Facebook.

I think this forum has to recognize a lot of work being done in the valley especially Google and Facebook is ethically questionable and seeking to brush it under the carpet or 'normalize' it perpetuates a dissonance. For starters the whole mythology of liberal freedom loving nerds sits in stark contrast to the reality of actively developing and enabling authoritarian technologies.

The curious consequence of the willful ignorance on one's own actions is the continued posturing and stark dissonance in expecting ethical behavior from other segments of society. If you can't behave ethically you can't expect it from others.

That level of dissonance is untenable and ultimately every intelligent person has to realize not recognizing and confronting unethical behavior is a race to the bottom and will reflect in every aspect of life around you.

Is there anyone out there making a paid, zero advertising/data collecting social network? What if this service allowed you to buy access for 50 of your closest friends and family? I would think if it was executed properly and you provided a standard "I'm deleting Facebook and here is why, apply to join my paid for network group" post people would consider making the jump. I know there's a lot to Facebook and I wouldn't expect some new company to stack up feature for feature. Just give me chat, text/image posts and the wall and I will be happy that I can keep up with my close friends and family. I wouldn't be entirely surprised or disappointed if Apple attempted something like this on their Messages platform but I would just hope they'd make it accessible to all phone/computer/tablet users.

Facebook will censor/shadow-ban such a "good bye" post. It won't show up at most of your friends news feed. You also cannot advertise a competiting social network. The same goes fr private messages to more than a few people. Even if you try to write a seperate message to everyone, if it contains the same link or a similar text body, most of your friends will never see te message you wrote. That's all automatic. And for photos, they have a semi-automatic review process in place, with an army of contracted FTEs working in low paid countries to scan photos (there was a news story about that recently). I wouldn't be surprised if their other properties like WhatsApp and Instagram are monitored and censored/shadow-ban in a similar fashion nowadays.

Source for some of the parents claims: http://money.cnn.com/2015/11/05/technology/facebook-tsu/

The problem is that even if its completely subscription based and has no native advertisements of its own, your data remains very valuable so there is an incentive for the company to sell your data.

There's Ello[1] but it's not going anywhere.

[1] https://ello.co/

There's still email and personal web pages.

Both of which are indexed by Google, unless you're hiding website content behind a login and avoid sending emails to Gmail users. Not much better?

Sort of related, have people noticed or have they officially announced that they are tagging photos on the alt html field with a description of the actual photo? It's pretty accurate with texts like "two people smiling, with baby".

It's creepy how much companies know about you.

When I got married my husband pretty much immediately showed up as my spouse on my transunion credit report as my spouse. How did they know that? Our names are different. At the time we didn't have any loans together. We lived together but so do siblngs and roommates. We didn't register for any wedding registries or send out any announcements. Our wedding consisted of signing some paperwork at city Hall. They also marked me as "Active Duty Military or Dependant" (hubby is in the army so I became a "dependant" when we got married). So the only logical explanation is transunion can access DEERS, but I would hope the DoD doesn't allow random private companies access to DEERS... They DO have a website where you can lookup if someone is covered under the SCRA but dependants aren't covered under the SCRA and don't show up when queried (I tried).

Again this is my credit report. I didn't report a change in my martial status to any of my financial institutions. Not banks, not credit cards, and we already had a joint account for two years before we were married.

Marriage is a legal agreement, the fact that you "signed some paperwork at City Hall" is not at all a minor thing. The records are of course made available to credit reporting agencies.

I don't know why you think this would be a creepy thing, social security and credit scores are stongly connected to the legal and taxation system. Its only obvious that the information gets connected. If tomorrow you were to divorce and claim alimony/child support the wages and tax return of your spouse would be garnished, How would that be possible without linking SSN.

I don't know why you believe I am somehow confused about the legal agreement I entered into with my husband. I am not, I know what civil marriage is. I mentioned it to illustrate that we didn't have a venue or wedding planner so they couldn't have made a newspaper announcement for us.

Transunion is a private for-profit company; it has nothing to do with Social Security or the legal or taxation systems. Transunion gets its records from institutions that voluntarily report to it, as a business arrangement, (credit card companies, mostly) or they pull from publicly available sources. They don't have direct access to any private government (or non-government) databases unless the owner lets them have access. The reason they collect information about you is for their own business purposes. We aren't talking about the IRS here.

In other words my spousal information got in some company's database somewhere which was relayed to transunion, probably through a few other company's databases. It was surprising that information got to Transunion that fast because, as I said in a reply to a sibling comment, marriage records do not appear to be publicly available in my state. It's creepy to know how fast, far, and wide random information about you spreads. It's also scary to think about how false information about you can spread.

After reading this article it seems like that information almost could have indirectly come from Facebook (we did update our status!)

I think you misunderstand just how tightly integrated the credit reporting system is with government. The fact that "Transunion is a private for-profit company" is immaterial. or that it "only" gets information via "voluntarily reports to it, as a business arrangement, (credit card companies, mostly) pulled from publicly available sources" is plain wrong.

Just because some information is not "publicly available" does not means Government wont share it with third parties, especially credit bureau.

As far as information coming from Facebook posts thats just ridiculous.

I'm not going to argue anymore because it's pointless but I'd like to see any hard evidence my state reports directly to Transunion because they have no reason to.

>Our wedding consisted of signing some paperwork at city Hall.

They are constantly checking public records like this and that's how they would have found out. Still a little creepy though.

There are records, of course, but it doesn't seem like marriage records are public records in my state. The state says nothing on their website about obtaining these records other than going to city Hall in person with your ID and that's only to obtain your own marriage certificate. I think they also said something about responding to requests about genealogy requests but only for very old marriage records. There's not an online database of marriages like there is with everything else public in my state. Nothing publicly available for public consumption that I could see.

I can't see if my friends are legally married but I can easily see what they paid for their house.

Divorces are public though and very easy to find on the court's website.

It's funny that a newspaper criticizes Facebook's data mining practices ... but when I opened the article on their website, my privacy badger addon told me that 16 scripts had been blocked (facebook!, twitter, google analytics, chartbeat, outbrain, pardot, ...). Then I read through the article and half way down they throw me a huge banner in the way telling me to like their page on Facebook :/ So basically they preach something and do something else, they are really a bunch of hypocrites!

This could also be seen as a newspaper operating as it should: one group is paid to report news, another is paid to sell ads, and they don't talk to each other. Things are more complicated in real life, more so now that the news people are under pressure to "generate viral content," but having creepy trackers next to an article about creepy trackers isn't necessarily hypocrisy.

Ironically, I cannot read this article as I am immediately redirected to https://www.facebook.com/plugins/share_button.php?app_id=229...

(likely due to a script having a bad reaction with one of the browser extensions granting me a small illusion of privacy)

I cant speak for other countries, but why do American people seem to trust companies more than they do the government? I mean, it is completely known that companies are here to make money, and publicly traded companies are here to please their investors so they will do whatever it takes to do that. They study us, classify us, categorize us, manipulate us. They spend billions in research so they can make that 'perfectly tailored' ad to get us to buy their product. They are constantly buying our data and selling our data, JUST to make their investors happy, and we seem to always just shrug it off.


I am honestly more ok with the government having this data to keep tabs on me than these hundreds of other companies treating my personal info like it's a trading card.

The relationship with the government and companies is different.

I moved to Norway a few years back, and married a Norwegian man. He has trust in government that me, as an American, simply doesn't have. But to be fair, nearly every time I've contacted government - even being searched at customs and going through immigration - has been a decently pleasant experience. Things just get done. It isn't perfect or anything, but it seems to work.

Whereas in the states, it seemed like every effort was made to screw me over - from the government. Companies, on the other hand, didn't want the bad publicity, so tended to treat folks slightly better.

Another aspect to this is things like health care and infrastructure and things like that. Part of the company relationship - jobs, anyway - is healthcare and decent pay. There isn't much of a safety net, so folks rely on companies' and churches' charities to keep them afloat. Americans see companies bring them the things for life where here, a lot of that stuff is simply provided by the government.

I think the reason is that government is vastly more powerful than any single company.

Yeah that's definitely true, and it is what makes me question a lot of why they do what they do and distrust it generally. But would it be better if a company was vastly more powerful than the government?

Actually, I think some companies kind of are in some aspects. They may not have the military, but some definitely have a hand on the reigns.

Speaking of which, perhaps someone can shed some light on the suggested friends feature. Many people suspected it uses GPS/Wifi to perform location based friend suggestions, as well as contact book uploading. However, it doesn't really explain my own case:

I recently encountered a friend suggestion for someone that I only know online (IRC and later, Google Hangout). I don't really know who they are other than a name (as exposed by GHangout). I've never met them as they are in a completely different country. I don't have the facebook app and the messenger app is forbidden to read my contacts as per CyanogenMod's Privacy Guard. I fail to understand how FB can suggest this? The only possible reason I can think of is when they searched my name on Facebook. How else can they do it?

If they have your email address and they leaked it, then the same applies. You get reverse suggestions.

The sad thing is that you can be completely privacy conscious, but if just one of your friends, family or acquaintances uploads their contacts, and you're part of that upload, they've screwed your privacy via the back door.

If the other person has your email address in their address book and FB has access to it then you will be suggested.

they could have uploaded their contacts with you in it (e.g. by e-mail address) it's also conceivable to me they could be doing it using cookie tracking somehow.

When I read this article, I was expecting to see a description of what they collect from users. But the real controversial and creepy part is what's available from the data brokers.

The fact Facebook is aggregating all this to make for better advertising options is discomforting, to be sure.

The most concerning aspect of the article is that these data brokers are able to correlate my purchases. It seems inevitable that insurance companies will take all of these individual data points into account: "We're sorry Mr. Register, because you buy McDonald's every week we'll have to raise your life insurance rates."

I'm curious if it could be possible to buy this data on one's self. Maybe someone could start a company that would allow you to find out this information.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact