Facebook Warns Investors to Expect 'Additional Incidents' of User Data Abuse (siliconvalley.com)
115 points by gerbilly 9 months ago | 27 comments



I told people ten years ago that they were doing this sort of thing and got blown off. Now I've had some of the same people come to me and tell me to get off Facebook in patronizing tones that reminded me of my grade school teachers and irritated that I didn't warn them. I don't know if I've ever been so infuriated at someone face-to-face in my whole life.


Haha, went through the same. Shut it down in like 08 after having used it for like three months but people were getting weirded out. I used to tell them that the service is too expensive as I couldn't afford to waste my personal data like this. They didn’t quite get it.


Unsolicited advice: These are people you need to let go from your life.


If you just let go people who irritate you once then you're going to die alone


Sure but this doesn’t sound like a one time thing. And if it causes emotional distress why hang on?


the way da_chicken wrote it, it sounded like a one-time thing


Yes, it was a one-time thing. I've just had three different people do it one time.

I assume the response was for the same reason relationship advice from strangers is always "break up immediately." People are really bad at judging things they know only one thing about.


It's not abuse, it's what the platform was built for. Calling it "abuse" is following the spin, don't do it.


There are two aspects: technical and legal.

Technical: companies got the data in the way the system was designed. No abuse there.

Legal: companies didn't adhere to TOS and used data in a way they were not supposed to. This is why it is called abuse.


TOS aren't necessarily enforceable legally[0], setting aside jurisdictional issues. If you have an account, sure facebook may use such to disable/delete it, but there are many ways to get data from facebook without having an account.

[0] https://www.eff.org/issues/terms-of-abuse


It's still violated on agreed terms (even if not legally enforceable) so it can be called abuse.

Also, how does the provided link support claim that they are not necessarily enforceable legally? I read it but saw only criticism of TOS in general, nothing about whether they are or are not legally enforceable.


>It's still violated on agreed terms (even if not legally enforceable) so it can be called abuse.

If you grab data hosted on facebook or any other website, without having an account, where is the explicit contractual agreement? Are HTTP requests contractual agreements? MITM/DPI'ing facebook users who connect via your hardware contractual agreements?

The extent that is abuse, is that facebook (or any other site) service is engineered in such a way that makes such information it collects available to any degree in the first place. True, anyone can make dubious claims of abuse.

>Also, how does the provided link support claim that they are not necessarily enforceable legally? I read it but saw only criticism of TOS in general, nothing about whether they are or are not legally enforceable.

"These "terms" are actually purported legal contracts between the user and the online service provider (websites MMORPGs communication services etc.) despite the fact that users never get a chance to negotiate their contents and can often be entirely unaware of their existence."

purported legal contracts != legal contracts, i.e. just because someone says it's a legal contract, doesn't mean it actually is.


> purported legal contracts != legal contracts

Oh, learned the new word today. Do they have also some analysis that say why TOS should be purported legal contract and not valid legal contract?

> If you grab data hosted on facebook or any other website, without having an account, where is the explicit contractual agreement?

I assumed that we were about platform API abuse. In such case, each developer had to agree with TOS before he is allowed to use the API. So in this case, developer explicitly agreed to terms that subsequently broke. So I think it can be called "abuse". It's not random HTTP request.

For random HTTP requests, that is much less clear. My stance on this is that as long as you are respecting robots.txt, and not trying to circumvent any blocking measures by the site you are using, everything is fair game (in general, maybe there could be exceptions). I don't think it's right/moral to violate those two. And whether it is legal, it depends on jurisdiction, who you are scraping (I am assuming we talk about automated access), if you respect robots.txt, if you try to go around blocks, ...

Two interesting cases in scraping I know about are these ones: https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur.... https://arstechnica.com/tech-policy/2017/08/court-rejects-li...

> MITM/DPI'ing facebook users who connect via your hardware contractual agreements?

I am no expert in law, but MITM/DPI to extract data sounds highly illegal. I don't think that TOS have to handle this case.

> The extent that is abuse, is that facebook (or any other site) service is engineered in such a way that makes such information it collects available to any degree in the first place.

So you are arguing that Facebook should be walled garden, with minimal possibilities for users to share their data with developers (not that I disagree). I don't think this is problem with existence of these platform / capabilities, but that the users are not understanding implications of what they are allowing (but doing that is gargantuan task, they will probably invent new nobel prize for anyone who manages doing that).


>I assumed that we were about platform API abuse. In such case, each developer had to agree with TOS before he is allowed to use the API. So in this case, developer explicitly agreed to terms that subsequently broke. So I think it can be called "abuse". It's not random HTTP request.

Even assuming that, developers who check in their credentials to public repos, third parties that use such never agreed to the terms. You can do this today, without agreeing to Facebook's terms (i.e. go to github, get access tokens, connect to "open graph", no accepting terms or creating accounts needed).

>Do they have also some analysis that say why TOS should be purported legal contract and not valid legal contract?… For random HTTP requests, that is much less clear…

It's not really about random HTTP requests or not, it's that any of this will have to be argued in courts. From the examples you have listed, in the US, this is not really in Facebook's favor (unless they can scare people to stop doing such before getting to the courts).

>So you are arguing that Facebook should be walled garden, with minimal possibilities for users to share their data with developers (not that I disagree)…but that the users are not understanding implications of what they are allowing

Personally, I don't think facebook should be this at all, and although they may have sold developers on their platform, this has been less of the case over all as time goes on (bait and switch). They say they want to connect the world, but what they really mean is that they want to connect the world on their terms (and they have every right to, but they can't necessarily stop others from doing something).

I don't think it is facebook's responsibility to give its users any illusions of privacy since any "friend" they have on the platform or any third party app they connect with is just another attack surface against such: by design. I think every user of any platform needs to take protections into their own hands, if they care about such, first and foremost. Expecting governments/corporations/organizations to coddle them and provide everything that they desire without doing anything for oneself, is just naive to how humans have operated throughout history. It's been over a decade since facebook has been around, people can keep saying that people just don't understand, but I think people will keep saying such even after another decade (or more) if facebook is still around.


> You can do this today, without agreeing to Facebook's terms (i.e. go to github, get access tokens, connect to "open graph", no accepting terms or creating accounts needed)

If I go to pastebin and find login credentials dumps, I can log in to those services without accepting any TOS. Yet, I would probably go to jail if caught. This seems to be a similar case. But I doubt that a user access token (that you need to access that user's data) is somewhere on github. App user token sure (as sometimes you have to ship it with the app, or the app can be open source), but user access tokens are like passwords, so they should not be in the code.


Many Android apps can have much more information on you than Facebook, I don't really understand this whole thing, but I am still glad that it is getting more attention...


The most interesting part of this story to me is the apparent divide between the perception of how people should react to their data being mishandled and how they actually react.

Anecdotally, most of the outrage I’ve seen has come from white men in their 50’s who don’t actively use the platform. I don’t mean this as a jab, I literally have seen the most outrage from this group although I’m not sure why. Perhaps it’s just coincidence or that is the most outspoken demographic.

Meanwhile, I haven’t seen any change in usage from those people I know who actively use Facebook/Instagram/WhatsApp.

I think that people feel that this story should adversely affect the company and its earnings, but there is no evidence that it actually will.


> Meanwhile, I haven’t seen any change in usage from those people I know who actively use Facebook/Instagram/WhatsApp.

Over the last three years, the percentage of my friends who are active on these platforms has dropped dramatically, like ~80% to ~20%. I think most of the people who understood that Facebook and associated properties were toxic tailed off using those services well before the Cambridge Analytica thing.


I deleted my Facebook because I was using it mainly for messenger. I simply didn't feel comfortable having my private conversations on their servers, so I got my close friends to (begrudgingly) pivot to Signal.

Later, it would come out that Cambridge Analytica (and likely other bad actors) had been siphoning up PMs:

https://www.theverge.com/2018/4/10/17219606/cambridge-analyt...


That's not surprising. I already developed a game for Facebook a few years ago and was amazed how much information about the user and his friends it was possible to collect. There were simply no restrictions.

I try to imagine games like Farmville that were played by millions of people, how much information they collected.

Nowadays, Facebook has Graph API. You need to specify exactly what information about the user you want. And depending on the information, Facebook needs to review in advance.


I think that they are preparing for the future where everyone will realize that the whole Facebook is a user data abuse (and more because they are tracking non users without their consent).

I think they have decided to take the hit now (in the stock price) rather than in the future, assuming that the hit will be smaller now than later.


I can think of at least a couple of startups I've come into contact with that collect data from user profiles on FB and other social sites. Wouldn't surprise me if there are hundreds of them out there.


What sort of data? It's normal and expected to collect public facing stuff like profile photo, name, gender. I'd be much more irritated if they're scraping entire profiles.


Do warnings like this have any impact on future lawsuits against Facebook? Does it help Facebook in other ways?


I wouldn't dare to guess either way if I had to put money on it, but from what I have learned of US investor reports -- companies are legally obligated to list known and anticipated business risks in their filings.

Maybe not in those very words, but the concept comes up quite frequently in Money Stuff[0]. Recently I've seen a recurring theme around "everything is securities fraud". Which boils down to a very utilitarian and cynical core: if you are a company and do X but don't disclose to your investors that doing X may have an effect on the value of their investment, then the investors can sue you for securities fraud and try to claw back whatever future profits they feel they had been entitled to.

0: https://www.bloomberg.com/view/topics/money-stuff


Making such a warning should in no way reduce the consequences that Facebook should be forced to face for their responsibility in dragging all of us kicking and screaming to this place.

That is, of course, precisely why they spoke up. Their lawyers and accountants determined that would be the least costly approach.

As an aside, why do we continue to tolerate this kind of behavior from corporations? They aren't _really_ people and they don't deserve and should not be afforded the freedom to experiment with their impact on our society and our lives that real people are privileged to enjoy. Regulations and massive punitive consequences are _good_ things to ensure corporate behavior serves the public interest. And yet this has been going on for almost a century and nothing ever happens to change it?

It's nothing but an evolution of the robber barons.


this is my surprised face.



