Facebook tracks your private calls (twitter.com/mat_johnson)
169 points by daenz on March 24, 2018 | hide | past | favorite | 45 comments

It should be clear to everyone now that Facebook is engaged in building a surveillance system which tracks every one of its users throughout their daily lives. Though others will disagree, this kind of behavior, especially done so without informing the user in full candor, is morally wrong.

As I've advocated in other commentary on this site: Engineers at Facebook have a moral obligation either to reform from the inside or to quit. This kind of surveillance apparatus should not be built, by either government or private entities.

>> which tracks every one of its users throughout their daily lives

Actually you don't even have to be one of its users! Facebook has what they call "shadow profiles" for tracking people who haven't yet created Facebook accounts. That's how they instantly show you everyone you know when you finally create a FB account. You have Facebook cookies on your computer even if you have never visited facebook.com. Try deleting them. Within 30 minutes of browsing random web sites I guarantee you'll once again have facebook cookies. They track everything you're doing online even if you're not one of their users. Then they buy offline data about you from other companies, to complete their profile of you.

Sadly the only way to put an end to all this is by hoping the European Union will introduce new laws -- the only government that actually represents its citizens, as opposed to big businesses.

I have my browser set to only accept first party cookies, does this help?

Contrary to the other comment, of course it helps to disable third-party cookies.

There are some other ways to identify users, e.g. the E-Tag header or canvas-based methods. But cookies are the main and most reliable tool.

You can go one step further and just always use Incognito/Private mode for sites that don't require a login. If you need to be logged in a lot, Firefox Account Containers are a new feature to separate site data.

For others (Firefox, not sure about Chrome): https://security.stackexchange.com/questions/176046/how-does...

It doesn't.
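To make the "first-party cookies only" question above concrete, here is an added example (not code from the thread, nor from any browser) that applies the policy the way browsers do: a cookie is first-party when its setter has the same registrable domain (eTLD+1) as the page in the address bar. The page URL, the responses and the `PUBLIC_SUFFIXES` subset are all constructed for the example; real code should use the full Public Suffix List via a library such as publicsuffix2.

```python
"""First- vs third-party cookie classification for a 'block third-party cookies' policy.

Added example for this thread, not code from any browser. "First party" is read
the way browsers read it: the cookie's setter has the same registrable domain
(eTLD+1) as the page being viewed. PUBLIC_SUFFIXES is a constructed subset of
the Public Suffix List (an assumption); real code should use the full list via
a library such as publicsuffix2.
"""
from urllib.parse import urlparse

# Constructed subset of the Public Suffix List, enough for the sample below.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. www.facebook.com -> facebook.com."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest, so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The registrable domain is the suffix plus one more label to its left.
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()


def is_third_party(page_url: str, resource_url: str) -> bool:
    """True when the resource's site differs from the page's site."""
    return registrable_domain(urlparse(page_url).hostname) != registrable_domain(
        urlparse(resource_url).hostname)


def cookie_policy(page_url: str, responses):
    """Apply a first-party-only policy.

    responses: iterable of (resource_url, set_cookie_header) pairs as they would
    arrive while rendering page_url. Returns (cookie_name, setter_host, decision).
    """
    decisions = []
    for resource_url, set_cookie in responses:
        name = set_cookie.split("=", 1)[0].strip()
        verdict = "blocked" if is_third_party(page_url, resource_url) else "allowed"
        decisions.append((name, urlparse(resource_url).hostname, verdict))
    return decisions


# Constructed sample: a news page embedding a Like button and the FB JS SDK.
PAGE_URL = "https://news.example.com/article/1"
SAMPLE_RESPONSES = [
    ("https://news.example.com/api/session", "session=a1b2; Path=/; Secure; HttpOnly"),
    # Different host, same site: the Domain attribute makes it a site-wide cookie.
    ("https://static.example.com/app.js", "prefs=dark; Domain=.example.com; Path=/"),
    ("https://www.facebook.com/plugins/like.php", "fr=constructed; Domain=.facebook.com; Secure"),
    ("https://connect.facebook.net/en_US/sdk.js", "_js_datr=constructed; Domain=.facebook.net"),
]

if __name__ == "__main__":
    for name, host, verdict in cookie_policy(PAGE_URL, SAMPLE_RESPONSES):
        print(f"{verdict:8} {name:10} from {host}")
```

The comparison is by site, not by host: a cookie set from static.example.com is still first party on news.example.com, while facebook.com and facebook.net are two different sites and both get blocked. The same rule also shows the policy's limit: a tracker served from a hostname under the page's own domain counts as first party, and, as the reply above notes, ETag- or canvas-based identification never involves a cookie at all.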

This is something I've been thinking about. While I don't think that e.g. React poses a threat itself (it's open source and very unlikely to contain malicious code) I do wonder if we should stop using it, out of principle of what else Facebook has been up to.

Oracle has done a lot of evil stuff. Should you stop using Java?

I mean, you should stop using Java, but not for that reason :)

I agree. Now what about engineers at Google, especially with their drone program partnership with the DOD? How about engineers at Uber making cars that are unfit for the road? Engineers in general need to either grow a spine and a conscience fast, or they need enforced ethical standards. It’s not just Facebook, although Facebook is particularly nasty, and there is no sign of people giving up their cushy jobs to do the right thing.

Mostly they seem happy to go public while babbling about how they’re “changing the world” as in that pitiful letter from DropBox.

If people working at Google can look at the drone partnership and still try and argue that they're "doing good," we've really entered a whole new era of cognitive dissonance.

(FWIW, I think there are good and moral people who work at Google. But if they're not going to organize their labor or quit to stop this stuff, it doesn't really matter either way)

I refused to even interview for Palantir when their recruiter called and have quit jobs in the past when I was asked to do something unethical. It’s not as if google or fb engineers can’t find jobs elsewhere.

We need more legal protections for corporate whistleblowers.

What part of a DoD contract requires whistleblowers? Are we going to arrest all of Lockheed Martin or Northrop Grumman?

As long as they don’t kill people incorrectly…

Some replies say that the user should take a second look at what permissions they give, but in the case of Android apps the permission to use the Account Manager (used to register a service account like Facebook, Google, Twitter or any other things that need to synchronize in the background) is displayed as a "Contacts" permission to the user.

So some apps like Facebook might synchronize or make other uses of contacts with their service accounts, but many other services don't do anything with contacts and don't EVEN request the actual contacts permission, but their permission request is still displayed as "Contacts".

How can the user make responsible choices in giving apps permissions when the permissions layer of the OS makes no sense?

I may be misremembering/totally off base, but didn't Android go through some rounds of "simplifying" or "renaming" permissions over the years to basically obfuscate and confuse? (Or have they always been terrible?)

I've often seen this permission rationalised as "Well, apps need to suspend when a call is incoming", but why is the ability to know if there is a call the same permission as knowing every call made and for how long?
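The two complaints above (an Account Manager permission that the prompt labels "Contacts", and call-state knowledge bundled with the full call log) are both about the gap between the permission group a user is shown and what the requested permissions actually grant. The following added example (not code from Android or from any app) audits a manifest for exactly that gap. The `PERMISSION_GROUPS` table is constructed from the Android 6.0 to 8.x runtime permission groups as I recall them (Android 9 later moved the call-log permissions into their own group), so treat it as an assumption and check it against the platform version you target; the two manifests and their package names are constructed too.

```python
"""Audit an Android manifest for the gap between the permission group a user is
shown and what the requested permissions actually allow.

Added example for this thread, not code from Android or from any app. The
PERMISSION_GROUPS table is constructed from the Android 6.0-8.x runtime
permission groups as I recall them (Android 9 later moved the call-log
permissions into their own group); treat it as an assumption and check it
against the platform version you target.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# permission -> (group name shown in the runtime prompt, what it really grants)
PERMISSION_GROUPS = {
    "android.permission.READ_CONTACTS": ("Contacts", "read the contact list"),
    "android.permission.WRITE_CONTACTS": ("Contacts", "modify the contact list"),
    "android.permission.GET_ACCOUNTS": ("Contacts", "list AccountManager accounts; no contact data"),
    "android.permission.READ_PHONE_STATE": ("Phone", "phone number, network, whether a call is active"),
    "android.permission.CALL_PHONE": ("Phone", "place calls"),
    "android.permission.READ_CALL_LOG": ("Phone", "read the full call history"),
    "android.permission.WRITE_CALL_LOG": ("Phone", "modify the call history"),
}


def requested_permissions(manifest_xml: str):
    """Names from every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")]


def audit(manifest_xml: str):
    """Group the manifest's dangerous permissions by the prompt the user will see."""
    by_group = {}
    for perm in requested_permissions(manifest_xml):
        if perm in PERMISSION_GROUPS:
            group, grants = PERMISSION_GROUPS[perm]
            by_group.setdefault(group, []).append((perm, grants))
    return by_group


def prompt_findings(manifest_xml: str):
    """Findings where the prompt wording and the real capability diverge."""
    findings = []
    groups = audit(manifest_xml)
    contacts = {p for p, _ in groups.get("Contacts", [])}
    if contacts == {"android.permission.GET_ACCOUNTS"}:
        findings.append("Contacts prompt covers only GET_ACCOUNTS: no contact data is requested")
    phone = {p for p, _ in groups.get("Phone", [])}
    if "android.permission.READ_CALL_LOG" in phone:
        findings.append("Phone prompt includes READ_CALL_LOG: full call history, not just call state")
    return findings


# Constructed manifests. A background-sync app that only needs AccountManager...
SYNC_ONLY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.sync">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""

# ...and a social app that asks for contacts, call state and the call log.
SOCIAL_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.social">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("sync-only", SYNC_ONLY_MANIFEST), ("social", SOCIAL_APP_MANIFEST)):
        print(label)
        for group, perms in audit(manifest).items():
            for perm, grants in perms:
                print(f"  [{group}] {perm.rsplit('.', 1)[1]}: {grants}")
        for finding in prompt_findings(manifest):
            print("  !", finding)
```

Run against the sync-only manifest, the audit puts `GET_ACCOUNTS` under "Contacts" even though no contact data is requested, which is the mislabeling described above; run against the social manifest, one "Phone" prompt covers both `READ_PHONE_STATE` (is a call active) and `READ_CALL_LOG` (every call, to whom, for how long). The same script works on a manifest pulled from an APK with apktool or aapt, which is the quickest way to see what a prompt actually covers before tapping Allow.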

Facebook may have been "given permission" but as people are discovering, it wasn't really actually given permission. This is why there is such a notion as informed consent, because giving permission isn't always as simple as agreeing to something.

Can we start putting some blame on the developers the product managers and in general the IT team behind the facebook Android App?

Not only did they execute it, they thought of it, where to store it, how to download it, etc.

It is not just Zuckerberg who is at fault.

How about Google? They didn’t do this on iOS because they can’t.

Why the hell was this an option? Why wasn’t there a really big ‘holy hell are you sure you want to do this’ dialog box? How do normal apps even get to ask for this in the first place?

Doesn't Zuckerberg control FB? Didn't he also control it in all of its past?

All of the teams of people you mentioned work for him. They take direction from him, and ultimately the buck stops there.

The point wasn't that the buck shouldn't stop, it was that the fact that the buck passes someone isn't a defense. Lots of folks were involved in building this disaster, and they all share blame too.

To Godwinize for clarity: Hitler wasn't the only war criminal in Nazi Germany.

If you think Zuck has knowledge of even 1% of what his 25,000+ employees do and the code they're writing, you're dreaming. He is still ultimately accountable, but it is unreasonable to assume that he is personally directing the efforts of the teams here.

> it is not _just_ Zuckerberg who is at fault

What iOS iPhone permission do you grant the app that allows this? Is it "Allow Access to Contacts"? I mean, there's a difference between allowing, say, an app to be able to look up and dial a phone entry, and an app getting call logs.

They need to split that permission if it is combined with other stuff.

Apps written by "mere mortals" probably can't get that information. But there's a whole API called "CoreTelephony" that's mostly gated behind an entitlement, http://iphonedevwiki.net/index.php/CoreTelephony.framework

I used to think Apple would never grant this entitlement to any other apps other than those that are builtin to iOS, but then there was that whole Uber framebuffer capture entitlement scandal...

Did the scandal actually happen? The articles I found only talked of the possibility for abuse by Uber.

The big deal isn't what uber did or did not do with their magic provisioning profile. It's the fact that Apple apparently sometimes hands out god-mode provisioning profiles to 3rd party developers at all.

None. It’s impossible for an app to get this info on iOS, at least, not without jailbreaking the device first. This story must be about Android.

Pretty sure there's no API to access call logs. I know India's government wanted to create an app on iOS that could access that, purportedly for blocking spam, but Apple said no.

Remember one thing, though: the phone OS (Android or, less likely, iOS) developers are as much at fault as FB on this one.

From that and other comments it seems like this story may not apply to iOS?

I've had the FB app on my iPhone for years and I just checked the FB zip file download of user data, and my contact info html file is empty.

My download archive has all my contacts' names & phone numbers stored. Wtf? Why do you need this information in your data servers Zuck?

I guess I now know how you recommend me those obscure "friends" like a recruiter from a company I didn't join, or my gardener etc. Totally uncalled for.

I would recommend everyone download their archive. I just did. 1.8mb for me. All of it benign and boring. I honestly feel a little left out. But I did get to read a lot of conversations I forgot I had. It was fun to remember "the good old days".

After this media blitz dies down, they'll likely soon just start directly sending this to the FB servers from the application, without leaving behind any localized files...

That, and the 10 other facebook-related posts currently on the front page. I understand it's a huge revelation that facebook tracks people and shares the data in ways and for purposes which we weren't aware of, but the news has been nothing but facebook for a week now. For something that was mostly known already (we knew they had it, just not that it was applied in this way), it's getting a little tedious.

Yes, it's like everybody is gaming the stock market options. Or finally the reality of social media is catching up with the populace all at once.

I suspect the peak won't be reached until we read a court transcript with the quote "show us upon this DB schema where Facebook touched you".

edit: misread

If FB (or any other app) could record your phone's mic without you knowing, that would be a GIANT security issue on Apple/Samsung/etc.'s part. As any app developer knows, you need to explicitly request permission to record, and the user sees a big red bar for the duration of the recording. Unless you're the NSA or something, you're not getting around that.

Not sure how that relates to them tracking calls.

Apparently they serve your archive up on some dialup link or something. I just noticed my archive is available (no email received though), and it's going to take an hour to download 255 MB. On a 1G fiber link.

I guess this kind of complies with the GDPR. Seems like FB probably has fast internet links somewhere.

It took me about 15 minutes to download my 2GB archive on a 30Mbps connection which seems normal to me.

As a counter-example, I requested mine about 20 minutes ago, received an e-mail confirming the request, received another e-mail 6 minutes later to say it was available for download, and the ~90MB download completed in under 10 seconds on my 150Mbps connection.

My archive was ready faster than I could log into my webmail and the massive 12kb archive downloaded in less than a second on the hotel internet.

