Hacker News new | comments | show | ask | jobs | submit login
Facebook's Not Listening Through Your Phone. It Doesn't Have To (wired.com)
59 points by ForHackernews on Nov 12, 2017 | hide | past | web | favorite | 63 comments

Today my girlfriend spoke about wanting a cinnamon roll, and later in the day her iPhone Facebook app showed an advertisement for cinnamon rolls.

We were trying to determine if maybe she had seen that same ad earlier in the day on Facebook, and it planted the craving in her head.

Regardless, it was a very freaky experience. I doubt Facebook is listening, but it's likely their ads are inadvertently influencing us. As we scroll quickly through our news feeds, we automatically ignore most ads. But they are still making an impression.

> We were trying to determine if maybe she had seen that same ad earlier in the day on Facebook, and it planted the craving in her head.

People don't seem to really understand how nefarious ads are. We think we're so smart. We won't be influenced by ads. No way we're falling for that. But if you know what "just do it", "the happiest place on Earth" or "think different" refer to, regardless of you opinions of those products, you have already been influenced by ads, and your next buying choices will reflect that.

We're frail, easily manipulated creatures, unprepared for the combined centuries of expertise that hordes of advertisers can control us with.

This reminds me of the Derren Brown video about the subliminal effects of our surroundings [1].

I agree, we like to discount them, but acknowledging them very often also leads to arguments about the effect of all TV, music, games, general media consumption on behavior and thoughts.

It's real, but so hard to quantity, which leads to benefits for those who can and will exploit, but limits those who try to point it out.

[1] https://m.youtube.com/watch?v=YQXe1CokWqQ

> But if you know what "just do it", "the happiest place on Earth" or "think different" refer to, regardless of you opinions of those products, you have already been influenced by ads, and your next buying choices will reflect that.

I beg your pardon? I know where the "happiest place on Earth" is and yet I have only ever been there once... because I was taken there by others, not because I chose to go. Not sure how my buying choices have ever even remotely taken that slogan into account.

Ads essentially control the domain of discourse. Suppose you did want to go to a theme park. You will have to consider Disneyland as a possible option, because you're keenly aware of it. Ads aren't just trying to convince you that something is great; they're also trying to make sure you just always know the product is a possibility, that it always factors in your choices, even in your choice to consciously reject it.

To use a cliché, the opposite of loving a product isn't hating it; it's being indifferent to it.

Also, the fact that you've already been there means the ads are working. Whether it was your choice or not is less important. You have already been made a consumer.

> Also, the fact that you've already been there means the ads are working. Whether it was your choice or not is less important. You have already been made a consumer.

You seem to be pretty adamant about shoving your wrong idea down my brain even though I'm explicitly telling you you're wrong. I'm telling you I had zero input into whether I go there the first time (others wanted to go while we were around the area and I couldn't care less whether we went there or anywhere else) and that I have since never been there since because I still cannot care less whether I go there or not. I've literally completely forgotten about its existence every time I've been in the area. My reaction to ever going there is exactly the same as it would be to any other theme park: "okay" if I've never been there or if I've enjoyed it before, or "shrug" otherwise... irrespective of the ads.

In other words: unlike your claims, I am neither "keenly aware of it", nor do I "always know the product is a possibility", nor does it "always factor into my choices", nor is my choice to "consciously reject it", nor are the ads "working" by "already making me a consumer". Ads or no ads, Disnelyland or Foobarland, I would have been there the first time just the same, and not there since then. The ads just got the slogan into my brain and literally did nothing else.

It's not a nice feeling to know your mind has been hijacked. But it has been. Ads are very effective.

And your discriminating taste is duly signaled to the teeming HN masses.

But you should make an effort to think more inclusively and creatively. I think you'll find GP's message quite straightforward.

For the record, I will signal that I have no idea where the happiest place on earth is. My guess was some cruise line or other, but that seems inconsistent with your consumer experience.

Disneyland AFAIK

You’re assigning false significance to a coincidence.

There are many people with the same experience. It's happened to me.

It would be pretty lucky if they were coincidences for everyone.

The "Reply All" podcast had a fantastic episode on this. https://gimletmedia.com/episode/109-facebook-spying/ (Click the "show transcript" link to see the transcript.)

One thing they realized is that it was impossible to convince anybody that Facebook doesn't listen in on microphone conversations, even given all of the facts.

One of the co-hosts, Alex, gets on the phone with five people to try to convince each of them that Facebook doesn't use the microphone. He's unable to convince even one of them.

I suppose it would be good for Facebook if Android had the capacity to show a log of which apps used which phone features when. eg.

12:36pm Google Maps used the location feature

12:48pm Instagram used the camera

1:16pm WhatsApp used the microphone for 34 seconds


iOS doesn't have a log, but it does have a really obvious visual indicator (in the form of a fat red status bar) when an app uses the microphone in the background. I became convinced that this whole story was nonsense when I realized a lot of people reporting it were talking about iPhones.

Something like what you describe would be wonderful on either platform, though.

Yeah that seems to me to be the strongest argument against FB using the microphone. For iOS, it would require circumventing the Apple guidelines. FB is clearly a big player but not big enough for Apple to bend their privacy rules for.

They created an exception to their rules for Über [1], a much smaller company than Facebook. If Facebook came with some convincing reason why they really needed something similar I don't see why they would not get their wish granted.

[1] http://fortune.com/2017/10/06/apple-uber-secret-entitlement/

It would have to be a convincing reason to Apple, though. In Uber's case, that convincing reason was providing a better Uber experience on the Apple Watch, which is something Apple would go for. I'm pretty sure Apple would not go for "let us listen to the microphone at all times so we can tailor advertising by spying on the user's conversations."

Doesn't help. People then proceed to argue that the information was never sent to Facebook. Seen it play out before.

I stopped reading the article after the first piece of nonsense:

> To make it happen, Facebook would need to record everything your phone hears while it's on. This is functionally equivalent to an always-on phone call from you to Facebook. Your average voice-over-internet call takes something like 24kbps one way, which amounts to about 3 kBs of data per second. Assume you've got your phone on half the day, that's about 130 MBs per day, per user.

No, this is complete nonsense. They could easily record the audio locally (perhaps even sporadically rather than constantly -- you don't need constant audio data), do some local speech recognition when the phone is plugged in, and send over the resulting text in short bursts along with all the other data they send over. There's no need for raw audio to be sent over the wire. It's not like they need perfect accuracy.

You should have kept reading, because that was discussed as well.

If you liked this article, I recommend his book, Chaos Monkeys, about his time at Facebook as an Ads product manager.

Yes I agree, and he’s a great contributor choice for Wired which has been going downhill lately

The author says facebook isn't listening in on your smartphone, but it can get all the information about you it wants by other means. That makes me feel so much better.

That seems to be the point of the article.

People are in an uproar about being recorded, but not realizing they are being 'recorded' in many other ways.

It doesn't really matter what a former PM focused on ad tech says, because true or not, the average user will not believe FB anyways. FB won't be trusted because of it's anti-privacy history and experiments. That FB gets so much data from other sources just increases the impression that FB is not to be trusted. The first argument made in the article is disingenious and only acts to discredit FB even more. It's not just a FB problem, it's an ad tech driven business model problem. However, Facebook keeps on a path that makes it the perfect poster of a company not to be trusted. Listening or not, FB is not trustable.

> In the bright-eyed naiveté of my first few weeks as Facebook's first leader of the ads targeting effort

Not to be too snarky, but this is facebook's (ex?) ad targeting leader telling us that everything is A-OK? He might well be right, and he presents some good arguments, but in the face of such an opaque system, that doesn't inspire much confidence.

I don't think they're listening through the microphone, but I've been wondering to what extent they use your photos to determine how to market to you. For example, most of my photos on Facebook show me with either hair or a hat on; as I've gotten older I've actually developed male pattern baldness, and so one day I thought it would look best to just buzz off the rest. I had a picture taken of me and use it as my Facebook profile pic. Since then, I seem to get more and more ads in my feed for hair transplants. Maybe they classify your photos and sell that data?

If you think about it, there's a lot more guesses they can make from your photos than listening to a bunch of disjointed conversations. They really don't need to hear what you say.

Have you checked out your FB ad preferences?


(article with context: https://motherboard.vice.com/en_us/article/3dk3y8/how-to-see...)

The Your Information > Your Categories tab might be the most revealing. It is for me as it includes categories that seem to be inferred, not explicitly stated, such as "US politics", "Frequent Travelers", "Expats (Vietnam)" (maybe because I have a Vietnamese surname), and "Technology early adopters", which I can only assume comes from accessing FB using iOS devices soon after their launch date.

That's pretty fascinating... I've been totally oblivious to this feature. Though it turns out I'm not very interesting. The classifications are pretty rudimentary, listing what devices I use, frequent travelers, computation and mathematics, and US Politics(liberal).

Mine are confusing. I saw references to a few things that could've been harvested from comments, some connected to companies that friends and family have used, and a lot of things that I think are celebrity gossip and such. Even the classifications that might make sense on their own were mixed in with enough noise that they almost seem like accidentally there.

Could that be confirmation bias as well? I have no idea how old you are, but quick knowledge graph result said "40% of men have noticeable hair loss by age 35, 65% by age 60, and 80% by age 80." FWIW, if I had a hair transplant product, knowing I could target guys aged ~35 and pique the interest of ~40% of them is a good start. If I cross that with another targeting option (perhaps you're 35 and single, and I assume that maybe getting worried that losing your hair will diminish you chances with women), and run a decent ad, perhaps you'll click. I'd obviously have the pixel code on my page and now you're on my retargeting list for ever more... I could do all that without any photo classification.

Edit: Dwelling on this a bit more, of course - it would make total sense to bucket people with receding hairline photos into lookalike audiences for people who'd engaged with transplant ads... Although I suppose that could be equally relevant for targeting like mentioned above. Right age, relationship status, income bracket... Who knows.

In a sense it's confirmation bias because it caused me to entertain the idea, but I don't believe they are actually classifying photos for advertising purposes. I don't discount the possibility, though. I'm 28 and, although I have been experiencing gradual hair loss. You're right that you could probably take my age and gender to make some guesses, but I'd imagine that using computer vision would allow ads to not be wasted on 60% of men who aren't losing their hair. Having used Amazon Rekognition, which can classify a person based on if they have a beard or not, I think Facebook could do so with reasonable accuracy. Beyond baldness, I imagine detecting the brands of clothes people wear could tell a lot about what fashion lines to advertise to someone.

It could also be a result of you looking at pages (not just on FB) related to male-pattern baldness before making the somewhat pivotal decision to just shave it all off, which would fit in the window of time that you perceive that you started to see more hair-related ads.

But yes, tagging characteristics of people based on photos seems pretty straightforward given the state of their image processing. I would guess that it'd also be used to target eyeglasses to users who wear glasses in their photos.

It wouldn't surprise me one bit. I have an extension that displays the tags that FB assigns to each photo. It detects emotions, environmental features, on and on. Not very hard to strategize with all that information and combining whatever else they know about you (what you "like", etc).

Not sure about Facebook, but Google don't yet look at my photo stream as much as I would expect. Recently I saw an ad for cat food even though I don't have a cat (and Google has all my photos going back 3 years).

They day I truly became old, was the day I stopped receiving ads for partying and travel, and started receiving spam about mortgages, loans, wrinkle-cures and pension schemes.

This part of the article where he describes crunching through some additional user data unnerves me: "It was like pressing a field of livestock into the sausage grinder, and getting out one hot dog as a result. And Facebook users are a very large herd."

Sometimes I wonder if from a high level, that's how Facebook sees users' data ("field of livestock") that goes into the data processing engine ("sausage grinder").

I've seen this multiple times so it's totally not coincidence, you see a post that has someone wearing glasses for example and the next sorted post is someone wearing glasses but the post has no mention of glasses and is completely unrelated to the previous.

A lot of people wear glasses.

i was once talking to a friend that i should get a new laptop bag for my mac, i never searched on anything. but after 2 days i’m abale to see the laptop bag ad from amazon on Facebook

True story -- I was making a peanut butter sandwich the other night. I used Smuckers Natural peanut butter. Pulled out my phone to look something up, and right there staring back at me was an add for Jif peanut butter. I don't ever remember seeing a peanut butter add on my phone before. They must have used some undocumented sensor on the phone to detect the smell of peanut butter and selected an ad based on that. (/sarcasm)

Then again, maybe I've seen hundreds of peanut butter ads on my phone, mixed with the many thousands that come across, and I just hadn't paid any attention to them until something else happened at the same time to make the connection.

Why would it wait two days? Have you never seen an ad for laptop bags before? I see them often.

You can decompile the facebook app. You can install a cert and mitm the network connection. You can do anything to the client. Yet nobody has found any evidence whatsoever of this behavior.

Ugh, I hate this nonsense. You say "you can do X" as if it's so easy. I assume this isn't something you're just pulling out of thin air and that you're at least saying this because you really know how to do it (i.e.: you've done it before). So, please do all of us a huge favor and explain how to do the MITM on Android step-by-step, which you seem to think we're all so lazy & unwilling to do. Not merely "in theory", and not merely on some random app, but in actual freaking practice, on the Facebook app. Because every single person I've caught saying this had evidently not tried it on the Facebook app himself to realize how nontrivial it is. People don't have the time or energy to switch their full-time jobs to being reverse-engineers of the Facebook app, so if you think it's so doable, please do the world a favor and show us how to put this myth to rest. (And to make it even easier, no need to assume zero prior knowledge. You can assume people already know how to do this on a desktop, and just teach them how to do it on the phone. I assure you that the knowledge does not simply transfer over.)

I think it's safe to say that "you can do" here means "it is possible to, and people do".

The risk Facebook would take by pulling a stunt like this is ginormous. See also: Amazon Echo.

The consumer and legal backlash would be swift and stunning, and the secret would be impossible to keep. Mobile app decryption is a well-established process. Reverse engineering a large app is tedious, but fully comprehensible. If you're specifically looking for recording (streaming audio out, or spooling to storage), it's much more manageable.

Of course there's a danger in assuming that someone, somewhere has already done this (or many someones). ~"With enough eyes, all bugs are shallow" ... sure, if the eyes are open. I don't know anyone who has done this work for the Facebook app, or for the Echo. But there are so many little boutique security firms out there today, and the technical prerequisites are so low...I just don't see how it's possible that it hasn't been done a hundred times.

The genuine risk, I think, is that a Corp with all the tooling in place could be compelled by some vaguely legal process in some sketchy jurisdiction, to target an individual of interest with custom code. This isn't hard either. Of course, the "tooling" is minor and any popular app could be subverted usefully in this fashion, so Facebook is not special here.

Still, most of us are laughably uninteresting to LE, but proper opsec still dictates caution.

may be the recorded audio is getting uploaded byte by byte, plus this is not the first time, i always keep my location truned off for Facebook, yet it showed me the realeaste ad near to my location where i was, and that was my client location. not even close to my home nor office.

Or Facebook saw you logged into Facebook using a laptop and whoever at Amazon set up the ad to target people who use laptops

Doesn't have to be searches. Can be derived from visiting pages (Amazon or not) that have anything to do with laptop bags. Can you open up your browser history and see if nothing you visited in those two days had anything to do with laptops or laptop bags?

nope i only spoke about it, never searched it on any shopping portals

author is relying on his own limited technical knowledge on wether it can be done or not.

There are plenty of ways to do it like sampling / increase sampling when other fb friends are around or maybe they just listen randomly and in the end they’ll have a well built profile about you.

It’s not like it needs to be listening all the time or respond anytime a keyword is said.

The author was a Berkeley PhD in physics, modeled derivatives at Goldman Sachs, and was a research scientist at Adchemy before going to FB. I don't think we should just assume he has limited technical knowledge.


Ok, but the whole "Is it possible?" section is predicated on a totally false assumption:

> To make it happen, Facebook would need to record everything your phone hears while it's on. This is functionally equivalent to an always-on phone call from you to Facebook. Your average voice-over-internet call takes something like 24kbps one way, which amounts to about 3 kBs of data per second. Assume you've got your phone on half the day, that's about 130 MBs per day, per user. There are around 150 million daily active users in the US, so that's about 20 petabytes per day, just in the US.

No, all they need to do is use the client device to perform speech-to-text and send the tiny amount of resulting data.

I don't think Facebook records people's conversations, but I also don't buy this article's other arguments that 1) conversation data is not useful to advertisers and 2) Facebook would not at least make a semi-successful attempt at analyzing natural language data with their existing NLP tools.

It is misleading to argue that FB has to store that data. But he addresses the "all they need to do is use the client device to perform speech-to-text" part:

> Because it has no specific trigger word for Facebook, your phone would need to listen for every targetable keyword. That means the speech-to-text translation code could only run on your phone itself, a taxing demand even for the beefy cloud servers that usually handle those tasks.

What app currently does speech-to-text translation with any usable accuracy on the device? Even Siri and dedicated-devices such as Alexa don't seem to attempt anything beyond trigger-word recognition locally.

This is 90's tech, we had speech-to-text working back then for full dictation which is way beyond the needs of facebook for scanning for keywords. Having high accuracy wouldn't be important in the same way it is for Siri et al.

> No, all they need to do is use the client device to perform speech-to-text

On an iPhone, Apple has the full run of all device capabilities, and can even ship custom chips, but they still stream audio back to a server to process what people say to Siri.

Speech to text is very hard even when the speaker is purposefully speaking to the device. It would be way harder to try to extract meaning out of ambient audio.

I think you'd run into complaints about constantly-hot phones and short battery lives doing that, not to mention end up with untrustworthy transcriptions.

these are great achievements for sure but they aren’t related to the domain.

random sampling and building a profile overtime that can be used to enhance the sampling is a very easy method to snoop at times that gives you good results.

But his domain his ad tech. It's not as if he threw away his technical aptitude when taking on the FB job.

The author was the former Facebook PM in charge of creating the ads targeting team.

Well, a former PM who thinks voice analysis is not possible on-device and puts out the red herring of bandwidth and storage capacity as the foundational argument of why he “knows” they’re not listening.

PS I don’t think “they” are listening and use other highly effective means to target ads. But I do think arguing such targeting is only possible in the cloud, and only after recording all the sound in your environment: the air conditioner, traffic, kids playing, etc. and let’s not forget ALL the silence in between, is intellectually dishonest. Especially when we all know that any always-listening device processes the signal locally, scanning for trigger words.

"foundational argument"? He spends half the article talking about the other issues, starting with "But what if those technical realities disappeared?"

I think he smudges the issue by conflating FB's theoretical ingestion of such audio with its current data storage capacity and ingestion. Presumably, raw audio could be transmitted and processed without being stored.

But does the state of the art language recognition allow for broad on-device translation beyond a subset of trigger words, i.e. "Alexa", "Siri", "OK Google"?

> But does the state of the art language recognition allow for broad on-device translation beyond a subset of trigger words, i.e. "Alexa", "Siri", "OK Google"?

You're talking about two different processes, recognition and comprehension.

Recognition on device is quite feasible and could be expanded from the trigger phrase to several dozen or perhaps a couple hundred keywords without burning up the device. The iPhone 4 did this on-device, pre-Siri, for voice dialing. Many cheapo car stereos do this too. And it is what the intelligent speakers and phones already do without cloud interaction, scanning for that trigger word.

Comprehension on the other hand, deciding what exactly the speaker is asking for, requires compute-intensive NLP and AI processing, and yes, that's going to the cloud.

Back to the specious argument by the article's author, to create an audio ad targeter doesn't require constant streaming to the cloud. For starters, you don't need to send silence or background noise. You don't need to send every word spoken either. You can screen for keywords in the trigger list, then send what is stored on-device locally before and after the trigger and forward just that.

Again, I don't think Facebook is listening to target you. Maybe if some CIA front corporation buys them up... I do however think the author's argument, the very first argument he made (and thus my labeling it as the foundation), is a load of malarkey.

> does the state of the art language recognition allow for broad on-device translation beyond a subset of trigger words, i.e. "Alexa", "Siri", "OK Google"?

No. You think Apple, Amazon, and Google ship all those audio packets back to servers for fun?

To believe that Facebook is processing ambient audio on a mobile phone, you have to believe that FB is doing things on a phone that even the phone's creators (who have no sandboxes and can access custom chips) cannot.

PMs aren't as technical as you might think, and the fact that he worked for facebook means he could have strong reasons to deny that they are listening.

My point was that technicality isn't what will get in the way of listening vs not listening. He's backing his claim by saying it's technically impossible but that's just weak defense.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact