Hacker News new | past | comments | ask | show | jobs | submit login
Facebook Gave Device Makers Deep Access to Data on Users and Friends (nytimes.com)
792 points by sna1l 11 months ago | hide | past | web | favorite | 215 comments



Most notable pieces I took from the article: 1) Facebook does not see third parties (such as BlackBerry) as “third parties.” 2) Facebook told Congress that it disabled third party access to user data, but in actuality did not.

My own strong interjection: Facebook’s competitive advantage is its disregard for ethics. Somehow, Zuckerberg has been able to convince a lot of smart people to do unethical things and build unethical technology, while the competitors have a harder time doing the same. This disregard for ethics has allowed Facebook to “grow at all costs.” Meanwhile, the more conscientious programmers and entrepreneurs (or at least those held more accountable) are busy wrangling with the real challenges and intricacies of civilization. (I personally prefer it that way - I like my work being tied to the well-being of society.)


Talking about ethics, this is going to sound below the belt. If Facebook were to enter into a contract with the defense department like Google did (and terminated a renewal just a few days ago), I doubt if any Facebook employees would even think of creating a petition to management or of quitting their jobs over that. Somehow I feel the people that Facebook attracts as employees may be the ones who don't care much for others overall. That or they're so dedicated to work that they're completely oblivious about all the news in the last several years.


To give benefit-of-the-doubt, I think they believe their own propaganda. Facebook folks actually believed that (e.g. among many) pushing people to reveal all aspects of their life equally to everyone was in society's best interest.

And I once met a Facebook employee who actually was a staunch EFF supporter…

But overall, I dunno… you're probably right.


It takes a certain degree of naivety to believe that. It also lacks a certain degree of critical thinking to not ask the question "but what if some people choose not to share?" or the even easier question "can any of this be abused?"


Could have been just the best possible shot to avoid a neo-totalitarian society, and the current abuse could be actually a minor consequence (and completely manageable for nation states > take a look at EU GDPR).

"move fast and break things" > Why the hurry?


That moral opinions equals the one of Peter Thiel about the good in mass surveillance: based on his opinion that after 9/11, powerful western entities were on the side of really harsh intrusive countermeasures (and the restriction of current liberties quite probably), that could probably, fundamentally change the western societies as they existed at that moment.

The alternative to that way of doing things was to allow the existence of public and private entities like Facebook and their subrepticious intrusiveness, allowing mass surveillance, but also allowing to avoid other gruesome measures.

And that could explain why nobody can pull-out a facebook takedown.

"the cost of freedom is high..." JFK


I hope it's clear in my comment that I'm neither apologizing for Facebook nor sympathizing with Thiel and his crap etc. I think assuming-good-faith and looking for charitable explanations is a good practice, even if I actually don't believe people actually deserve the charity.


> Having known so many people involved with Facebook for so long, I have come up with a phrase to describe the cultural phenomenon I’ve witnessed among them – ladder kicking. Basically, people who get a leg up from others, and then do everything in their power to ensure nobody else manages to get there. No, it’s not “human nature” or “how it works.” Silicon Valley and the tech industry at large weren’t built by these sorts of people, and we need to be more active in preventing this mind-virus from spreading.

https://news.ycombinator.com/item?id=14780186


> Facebook’s competitive advantage is its disregard for ethics.

This appears to be a quality that occurs in some business owners.

I know more than a single entrepreneur with similar disregard for things like data retention and PII. Their reluctance to address these issues when advised, I assume, would persist until they get burned.

Taking a step back, at the root it appears simply that some people are better at focusing than others. These entrepreneurs would work on improving metrics they see relevant and their effort will be more efficient thanks to zoning everything else out.

Seeing evil intent here would be counterproductive, similar to reprimanding someone on the spectrum for not saying hello: it might just not occur to a person. The key difference here is that these decisions negatively impact countless third parties, and those third parties lack the expertise to recognize the issue.

While there’s a lot that can be said against FDA[1], there seems to be a parallel here. I want to reserve my judgement about regulation in this area, but it seems like there’s a case for it, similar to how we’d like to keep food manufacturers in check.

[1] A movie called Dallas Buyers Club comes to mind.


  similar to reprimanding someone on the spectrum for not saying hello
Why hold anyone in the upper class accountable for their actions when we can just claim they all suffer from mental disorders and make excuses for them?


I might’ve been unclear, I do think we could push for more enforced accountability in these cases.

The parallel between narrow focus and mental disorder was meant to illustrate how attributing these outcomes to malice (which I sometimes see) is ineffective. If those actors play by the rules and are immune to ethics-based arguments, then maybe the rules are due to be updated.


The comparison relies on an assumption that these corporate bad actors unwittingly "don't see the harm" that arises as a side effect of their laser focus on (non-maliciously) optimizing something else-- similar to how someone with a different behavioral orientation might unwittingly not register the effect of ignoring a common social convention.

I'd say this claim needs a lot of supporting evidence before we should take it seriously. At the moment it's just a rhetorical device, and would almost certainly be used to mitigate blame aimed at corporate bad actors. So I'd say without some type of serious evidence of this unwitting laser focus, evidence of people genuinely "not seeing the harm" despite huge op-eds in major newspapers, outrage from tech communities, harrowing stories of data privacy issues, etc. etc., we really should not put any weight on this "non-malicious focus" interpretation.

In other words, these are smart people. They knew full well what they were doing. Lobbying, PR, and attempting regulatory capture after the fact to launder their reputation and absolve blame are absolutely baked in as part of the strategy, until conclusively proven otherwise.


You're describing a huge lack of regard for the victims in this situation, and an exceptional amount of forgiveness for the assailants. Unfortunately, this is the attitude that lets ethical gray-lines exist, and the attitude that should be beaten if you want to avoid stricter regulations.


They're not third parties because these API's are protected by user login credentials as near as I can tell. That means you provide your login information, and your device can access your Facebook data, as you expect a client of Facebook to be able to do.

That means all the privacy protections from the "website" are there, you're just not looking at it through a browser, it's an interface provided by the device manufacturer.

What is there to be angry about?


> This disregard for ethics has allowed Facebook to “grow at all costs."

There's a great phrase for this: "move fast and break things". When you believe it is ok to break small rules and norms, it becomes easier to break larger norms and ethics and rules. This philosophy took SV by storm, but at its core it's always been about disregarding things like laws and ethics, and now we are seeing the world that created.


You might think that that's a great phrase for it, but many other people don't interpret "move fast and break things" to mean what you think it means.

I'm all for criticizing things that have gone wrong, but you're using an overly-broad brush.


I wish I could agree with you're more nuanced viewpoint, but seeing a whole industry making insane amounts of money based on abusive and deceptive business models suggests that there truely is a broader issue. Whether the underlying attitude is best describe by "move fast, break things" is debatable but we can't easily dismiss the idea.


That's an excellent reason to attack abusive and deceptive business models. Have at it.


I think the point is that that quip usually refers to technical breakage, i.e. "it's better to ship more often and potentially break something that you then fix equally quickly, than spending thrice as much time analysing the problem to ensure there's no breakage in the first place". In other words, an entirely different meaning that what the grandparent meant when they said it was a great phrase for it.


The point that the poster was making was that while the phrase normally refers to its technical development philosophy, it seems that it also seems to reflect Facebook's attitude to other issues, such as regulation and privacy.


and uber and theranos. and probably others. airbnb had a lot of people that broke their leases and deed restrictions and local zoning laws.


The point is that, while it applies to technical issues, it equally applies to ethical ones.

- "Should we share this data?"

- "I don't know, we'll figure that out in version 2"


I thought it was insightful. Fundamentally, “move fast and break things” means you’re not going to be afraid to do something just because you haven’t thought through all the repercussions yet. Personally I find it easy to see how to, as an engineer...ignore hunches that there might be a security hole or a privacy hole in the interest of pushing things forward. “Move fast and break things” implies that you’ll get something working out the door and you’ll come back and fix it later. When you always move to the next thing, you never really come back and fix all the things you broke.


The original quote is:

> Move fast and break things. Unless you are breaking stuff, you are not moving fast enough.

In the technical space, things may be legacy code or APIs. In the business space, things may be ethics and laws, and this incidentally is exactly the model we see in companies like Facebook and Uber and AirBnB.


The phase fundamentally captures an essense of what Umberto Eco and Rober Paxton observed of early 20th century political movements emerging in Italy and Germany.

I'd recognised this similarity some time back.

http://w3.salemstate.edu/~cmauriello/pdfEuropean/Paxton_Five...

Irrationalism also depends on the cult of action for action’s sake. Action being beautiful in itself, it must be taken before, or without, any previous reflection. Thinking is a form of emasculation. Therefore culture is suspect insofar as it is identified with critical attitudes.... No syncretistic faith can withstand analytical criticism. The critical spirit makes distinctions, and to distinguish is a sign of modernism. In modern culture the scientific community praises disagreement as a way to improve knowledge. ...disagreement is treason.

http://www.nybooks.com/articles/1995/06/22/ur-fascism/


> but you're using an overly-broad brush

No, not really.

If you notice people working - say, construction - in a particular way, and they're trading safety for speed, and if you weren't concerned with worker-safety, you might consider that tradeoff their business. If you also found that it led them to build buildings that overlapped other people's properties, you might note that the tradeoffs they choose might also lead to that problem.

Especially if you notice that other construction firms are making the same sorts of tradeoffs and also having the same problems.

I'm not saying that firms who "move fast and break things" are inevitably also unethical, shitty companies. Everyone sacrifices QA depth for release at some point. But there's nothing wrong with pointing out many high-profile companies who trumpet their pride of it are, in fact, unethical, shitty companies.


The wrong thing about combining not-very-related things is that you're wasting your ire and offending ethical people at the same time. Great for starting an argument, not so great for convincing people.

BTW, your construction example is terrible. Unsafe construction worksites are illegal, and continuous integration and deployment of software is not.


But they do appear to be related. You see the same things in the same companies, and the commonalities are consistent with treating consequences of the quest for growth at all costs as acceptable. When you have people racing a (real or perceived) time window, they don't stop pushing when humans are involved rather than software.

> your construction example is terrible

Takes all kinds. Including people who intentionally read things obtusely.


I think at first people thought it meant something less toxic, like "things" meaning "software" or "industry norms".

But then the likes of Uber came along and showed that it meant "laws".


Huh. I always interpreted "move fast and break things" to be referring to the speed of development cycle, as in, SV startups prefer to we deploy new code without really testing everything as thoroughly as an enterprise company might, because time to market is most important and people are forgiving if we break their experience for a short time. I don't think anyone would really fault anyone for that interpretation.

However, if that becomes "do whatever we want to anyone without regards for laws or ethics or customs including directly lying to regulators" as it appears Facebook did then I agree it becomes a problem.


The break-things part is related to the startup meme of disruption too. And as some critic I read once said, many startups disrupt business status quo in the same way that I disrupt the idea of pet-ownership if I steal your dog.


Move fast and break things means don't be afraid to try things that might fail, but it doesn't mean ethics don't matter. There has long been a concern about what facebook does with people's privacy, now there's no doubt they went way too far.


> Move fast and break things means don't be afraid to try things that might fail, but it doesn't mean ethics don't matter.

Sure it does. Move fast and break things means don't be afraid to try new things, but the line isn't "ethical concerns" but rather "legality". There's a whole gray area between what is ethically acceptable and what is legally acceptable, and FB profits in that gray area that other companies are afraid to try because of their corporate values or personal misgivings.


I think Uber's strategy was to go illegal in a big way, presenting a city with a fait accompli of a large number of unlicensed Uber cabs on the street. And then Uber would resist any regulatory efforts through lobbying and in court.


And they got the FTC to not really interfere with their practices, even after they were found out.

Good luck on net neutrality with the FTC...


Net neutrality isn't FTC's domain. FTC is the Federal TRADE Commission, which handles stuff like mergers of giant companies, the Do Not Call registry, and identity theft; the FCC, the Federal COMMUNICATIONS Commission, handles things like net neutrality, amateur radio licensing, and selling bands of spectrum.


I think everyone here knows the definition of communications. The parent poster is referring to the position of the current FCC chairman, who is pushing responsibility over to the FTC. It is clear to me, the the parent poster is skeptical of this.

The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) announced an agreement on Monday to coordinate their efforts to police the internet once the latter agency has repealed its net neutrality rules.

http://thehill.com/policy/technology/364336-fcc-ftc-announce...


> Facebook’s competitive advantage is its disregard for ethics. Somehow, Zuckerberg has been able to convince a lot of smart people to do unethical things and build unethical technology, while the competitors have a harder time doing the same.

While I absolutely agree that it's a serious problem, Facebook does not stand out in the business world in this regard. Many in the business world celebrate, rationalize, and embrace this point of view: Making money is all that matters. On HN, until recently I often read the argument that businesses' only responsibility is to make as much money as possible for shareholders and that they have no responsibilities to employees or community. The current U.S. administration openly embraces this view as policy; Rex Tillerson (former oil company CEO) openly stated that US policy was that human rights took a back seat to making money.

For generations, corporations have made money on the labor and the suffering of others, to the point of undermining governments and supporting oppression and murder. Off the top of my head: There was the East India Company in the 19th century, the banana companies in the early 20th century, the businesses that helped the Nazis, the ones who helped and cashed in on right-wing dictators throughout the Cold War, the financial companies who committed massive fraud causing a global recession in 2008, and all the IT companies helping oppressive states like China with their surveillance technology and means of oppression, not to mention Hollywood and other businesses who censor criticism of China.

The question is, why do we normalize and accept this behavior? What is wrong with the morality of business leaders?

(And to be clear, I'm not demonizing all business. Business provides the resources that make advanced nations prosperous, safe, healthy, and connected.)


While I agree I know a few ex Facebook employees and they all, genuinely, believe thst FB cares about user privacy. I suspect they've convinced good people to go bad with some strange coolade and all those free lunches.


Facebook's competitive advantage is that they gained critical momentum as the platform we all started using post myspace, etc.

There are plenty of companies that are willing to do 'unethical' things.


What is this describing? First-party apps with Facebook integration and/or OS features connecting to Facebook? The leakage of Facebook information onto MS/Apple/Blackberry servers would be concerning, but having Microsoft software connect to Facebook on a user's device sounds harmless (to the extent we trust MS/Apple/Blackberry software to not leak information so accessed). Right now I'm giving Apple similar access to every single communication I make through my computer, to my bank accounts and health records, to all the work I do for my employer.

This distinction wasn't made clear in the story (or I can't read) and it's an important one. Privacy is complicated enough already.


Yes, I didn't quite understand that. Apple had this to say:

> An Apple spokesman said the company relied on private access to Facebook data for features that enabled users to post photos to the social network without opening the Facebook app, among other things.

So is this like what connecting your Facebook account in Settings does? Allow you share pictures through the share sheet in Photos or whatever? What does Apple get to see, and what stays on the device?


>is this like what connecting your Facebook account in Settings does?

It depends on the platform.

On iOS you could post various types of information to Facebook, and you could sync Facebook contact and calendar data to the local device.

https://www.cnet.com/how-to/understanding-facebook-integrati...

Aside from letting you share information and sync Facebook contacts and calendars, Windows Phone 7, for instance, pulled in a lot more data to populate it's People hub.

>For all intents and purposes the People hub is the Facebook app for Windows Phone 7. If you’ve supplied your Facebook login, the default “what’s new” tab will serve as your news feed.

https://www.anandtech.com/show/3982/windows-phone-7-review/7


Apple told the Times that it wasn't involved with this since September of last year. I wonder if this is why it's no longer possible to update your Facebook status from the Notifications panel.


Apple is basically outsourcing user data mining to Facebook so that they can take the high groud.

Didn't Tim Cook just two months back bragged about how Apple doesn't do certain things? He was right. He asked Facebook to do that for him.


Apple dropped social media integration from their upcoming operating systems.


I believe it's describing "First-party apps with Facebook integration and/or OS features connecting to Facebook". It was OS-level integration to provide you with convenient access to Facebook data and features. The best example in the article was from Apple, who used it to allow users to post photos to Facebook directly from the standard Photos app. It wasn't so that the device makers could rifle through your data and influence elections or sell you things.

There's nothing to see here, but it sure makes for a provocative headline that will get lots of clicks and make the NYT lots of money from personalized ads. You have to love the irony.


> Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.

There's a dangling "their" in there which is causing trouble. What I think this means:

- Alice adds their email or phone number to their Facebook account. Alice sets this to "private".

- Bob is friends with Alice

- Bob's phone has access to Alice's phone/email, even though this wouldn't be normally visible to him.

(The Windows Phone social media integration in the contact maanger was absolutely excellent at presenting everything about your friends on every platform in one convenient place)


I don't think that's right. They clarify this somewhat further into the article. "Facebook’s view that the device makers are not outsiders lets the partners go even further, The Times found: They can obtain data about a user’s Facebook friends, even those who have denied Facebook permission to share information with any third parties." I'm pretty sure this is a reference to the setting which disabled sharing information with Facebook apps used by friends. If I'm understanding correctly, it's more like this:

- Alice adds their email or phone number to their Facebook account. Alice sets this to be visible to friends, but not to third-party apps they use.

- Bob is friends with Alice.

- Bob's phone has access to Alice's phone/email, even though this wouldn't normally be available to third-party Facebook apps like games.

Edit: Facebook's response at https://newsroom.fb.com/news/2018/06/why-we-disagree-with-th... also clarifies this. "Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends."


>What is this describing?

The "build new private APIs for device makers through 2014, spreading user data through tens of millions of mobile devices... and other systems outside Facebook’s direct control" makes it sound like they were making deals with the manufacturers where the device would auth and fetch data through the manufacturer's infrastructure when accessing Facebook? The Blackberry Hub app is used as an example in the infographic.


This might explain why I got random people's profile pictures assigned to my phone's "$MY_CITY Taxi" address book entry... people who have I have 0 shared friends with, who happened to add the local taxi service's phone number as their phone number as a joke or whatever.


The distinction wasn't made clear because we're talking about some 60 different agreements with various companies, with each company acting differently.

As stated in the article: Facebook acknowledged that some partners did store users’ data — including friends’ data — on their own servers. .. which meets your definition of concerning.

It will likely be some time before we learn the extent of all of these agreements and how the data was used.


For one, Facebook obviously had access to contacts and photos, without any way for user to disallow it.


Why would it be "harmless" if you weren't even aware it was happening, let alone give you consent?


This and the discussion here is obnoxiously bad. Facebook gave some device makers special APIs to access authorized data. This is literally no different than a web API or scraping facebook HTML, just more streamlined. What you guys seem to be objecting to is that non-facebook code was able to interact with authorized user data. But that is a necessary feature of displaying data of any kind (unless facebook owns the entire software stack). This is a non-story.

And HN's facebook derangement syndrome continues.


No, you are wrong, this is a pretty egregious mistake. They defined device makers as service providers, and then allowed them to do things that even third parties weren't allowed. Yet they claimed they shut that stuff off to third parties (so they lied by omission). "No, we don't allow third parties anymore to do that kind of stuff" (but there's this large group that can do it, but we aren't calling them third parties). This wasn't just another way to get at the data. The NYT article goes into some detail about what they allowed them to do.


This is like saying that Chrome, Edge or Firefox are “third parties”.

Embedding user agent functionality into the OS is not the same as third party access.

Talk to me when a device manufacturer is caught exfiltrating this user data off the phone and then aim your pitchforks at them.


Google, Firefox, and Edge are not Facebook so yes they are third party.


And does it upset you that when a user signs into facebook in one of these browsers, facebook allows the browser access to that user's data and even data of that user's friends? Even when those friends have explicitly disabled sharing of facebook data with third parties?


HN has reached a level of popularity where its attracted too many non-engineers that love jumping into these threads with ignorant, reactionary, hyperbolic responses. every post on uber/tesla autopilot has at least a few people calling for elon to be tried for manslaughter for car accidents. really shows the stupidity of the mob. this thread is another great example. if only it were benign and didn't have real, foolish policy implications like the GDPR


That’s not what the term means. User agents which render Facebook UI components are not “third parties” to my Facebook data anymore than my monitor manufacturer is a third party to my Facebook data while I am viewing the pixels in the screen.


> my monitor manufacturer is a third party to my Facebook data

It actually is. Your monitor, on the other hand, can be considered a part of yourself for the purposes of viewing the data.

If it somehow sends sensitive information back to its manufacturer, thought, that would be a new, different can of worms.


They are the second party -- the user.

Facebook never has any interaction with the human user, they only interact with the user agent.


So they basically relied on us not reading the small print. And we didn't. There should be laws against small print technicalities like that.


>They defined device makers as service providers, and then allowed them to do things that even third parties weren't allowed.

Because they're not third parties. Third parties are anyone off the street that meets some minimal requirements. It's like the distinction between third party and second party releases on video game consoles. Second party releases are extensions of the first party publisher because of the special access and extra scrutiny they get. The difference in this case is that this "special access" is apparently no different than what you get from the website through scraping HTML, just in a more convenient manner.


The user is the second party dude.


The user doesn’t manipulate the EM spectrum with his mind, but through user agent hardware, firmware, and software. The client stack necessarily has the same access he does.


Yes, so it might be OK for software written by a third party to access FB with the second party's authentication and privileges, when running on the second party's device.

But that doesn't make it OK for that data to be stored on the third party's servers or be otherwise available to the third party.


That's not what third parties means. Third parties means parties other than the service provider and the user.


Third party has never meant anyone who is not the first party. Special agreements between companies alter this status.


You're conflating the issue of informed consent with access ubiquity.

Simply because the data was gathered in a way not unlike most apps, doesn't make it a non-story. In fact, the lack of informed consent and the very misleading statements to Congress make it a huge story.

User data is a commodity, and is worth far more than money. Considering how easily manipulated large portions of the Facebook community can be (e.g. Facebook mood studies, election-year propaganda, etc.), giving access like this to large tech companies - third parties - absolutely needs to be well regulated and come with the informed consent of it's user base.

Not to mention that the policies around turning this data over to other parties -- namely law enforcement -- is different between most of these companies.

The objection is not non-facebook code accessing facebook data. The objection is that, once again, powerful information is being traded and used as leverage to drive profit, with the intent of the buyer or receiver largely unclear, and the impact yet to be seen.


There is no issue of informed consent here. When you upload data, you consent to your allowed friends being able to view that data in whatever manner they see fit. These device specific interfaces to facebook is just an example of this. FB themselves took reasonable steps to ensure the device manufacturers adhered to the consent that users give when adding data to the site (i.e. only use the data in service to displaying it).

>The objection is that, once again, powerful information is being traded and used as leverage to drive profit

There's no evidence of any of this.


>There's no evidence of any of this.

I disagree. I think Facebook, driven by ad dollars, is attempting to secure as many users as it can. Part of that is to make it as seamless and convenient as possible.

Data as currency is a given at this point. Facebook ensures longevity through ease-of-use. Service providers secure further assets, and are in a position to use it.


>> There's no evidence of any of this.

> I disagree. I think ...

I think you misread "no evidence" as "no one believes".


If these people are so easily swayed and manipulated, what exactly is informed consent supposed to cure?


Informed consent is simply that -- being able to consent without missing a piece of knowledge.

It may cure nothing. But the fact remains that Facebook acted (and continues to act) in bad faith to the user.

Maybe nothing changes, especially now that users are so deeply attached. Real-time targeted advertising has been around since the early 2000s, but explain to the average tech-illiterate user that their phone can hear when a Tide ad is on television and can serve a Clorox ad in their Instagram feed, and watch how uncomfortable they get.

How much of this could be stopped with informed consent.


> Facebook gave some device makers special APIs to access authorized data. This is literally no different than a web API or scraping facebook HTML, just more streamlined.

If I found out that Google was using Chrome during my authenticated Facebook web sessions to scrape my Facebook data, and my friends' Facebook data, I'd be pretty upset too.


But nothing like that happened here... in the slightest?

This was OS chrome integrating Facebook features. An API for Mobile OS UI to integrate Facebook features.

How else do you think the OS provides FB functionality... after you enter your credentials into the Settings screen?!


I think you need to read a bit more carefully. This was not just API calls, these were data sharing partnerships--i.e. the device companies had access and permission to collect, aggregate, and store customer data in one place, like Cambridge Analytica did. Example quotes (emphasis added by me):

> They said its partnerships were governed by contracts that strictly limited use of the data, including any stored on partners’ servers.

> Tests by The Times showed that the partners requested and received data in the same way other third parties did.

Facebook customer data was collected and stored on servers owned by the device manufacturers. This is not analogous to a browser interacting with the Facebook web application.


Did the OS keep the data or use it in any way beyond what the OS needed for display etc?


Hackers proclaiming "but it wasn't technically a breach" or "the API worked as intended" is 2018's edition of Great Recession bankers' "the counterparty should have known it was our business to screw them" or "it isn't our job to diligence the mortgages". There is discomfort associated with any paradigm shift. Particularly when our livelihoods are entangled in them. A good way to stick oneself on the wrong side is to brand change as derangement.


Should that data have been available via a web API or Facebook's HTML though?


>Should that data have been available via a web API or Facebook's HTML though

There is no evidence that these APIs provided more data than a user had legitimate access to.


This is simply Facebook functionality being integrated into parts of the OS chrome.

We trust our devices not to exfiltrate our data every second we are typing on them. Tightly integrating social features into a mobile OS is not third party access unless the device maker in exfiltrating the data for any purpose other than encrypted cloud backup.


If the discussion here is bad, you definitely have played a role in making it so. Claiming people who disagree with your point of view are "deranged" is not constructive.


> This is literally no different than a web API or scraping facebook HTML, just more streamlined.

I see you're using the new definition of literally, the one that means figuratively. In the same sentence you have said it is no different and then said it is vastly different. Your post makes no sense.

Even if you were right that the data is 100% hash-compatible, SHA-1 it and get the same data as the API (you're wrong), it being streamlined is a huge difference and makes this news, in fact.

You surely agree that an individual person walking up to others on the street and asking a question is different than a team of 10M people doing them same thing, right? But there's "literally no difference", just streamlined?

Streamlining something defines patents and makes billions. Streamlining a legal activity can make it illegal.

Your post is wrong, you are using logical fallacies and you are then blaming everyone else with harsh language, while it is is you who seems to have, in your own words, some kind of "facebook derangement syndrome". Wow, those are rude words. Flagged.



Did you actually write this many words based on your disagreement of my usage of "literally"?


Here you've crossed into incivility, which is not ok. Please (re-)read https://news.ycombinator.com/newsguidelines.html and post civilly and substantively, or not at all.


No, I wrote that comment because you are an abrasive member of the community who is writing direct insults to other members, calling them deranged, etc, and doing other things that are against the rules of the site. You are breaking the conversation here. You are distracting. You are lying. You are being abrasive and causing fights. You are calling people names and causing a big scene.

You ignored my entire post, and instead chose to post an off-topic question, further distracting and hurting the conversation. That is also against the rules. I'm responding to you so that others are more aware of the damage you are causing.

We are not "deranged" people for our thoughts on Facebook. Stop it.


Since this is a repeating pattern and asking you many times to stop doing it hasn't apparently worked, I've banned you until we get a commitment from you at hn@ycombinator.com that it won't happen again.


This is very different than scraping html. Facebook has obviously been lying about 3ed party data access.

This comment is incoherent, at best, and it says a lot about how far the HN community has sunk that it is the top comment. "------ derangement" syndrome is a common phrase used on lots of political blogs that also specialize in nonsensical arguments and don't seem to care that entities in power lie through their teeth.


Response from FB: "Why We Disagree with the NYT" https://newsroom.fb.com/news/2018/06/why-we-disagree-with-th...


Agree with FB on this one. The privacy issue with 3rd party developers was that friend data was sent to the 3rd party developer databases. Here, the data just stays on the device.

The way the article is titled can make it look like the device makers actually got to make their own database of Facebook users.

Edit: I read it again, the article does say "Facebook acknowledged that some partners did store users’ data — including friends’ data — on their own servers," but they don't follow up on that at all, they go back to messing with a BlackBerry. That's the big question.


Once an app has particular data, there is nothing FB can do to prevent it from uploading that data wherever. It would be difficult for Google or Apple to prevent that, and they control the platform. With enough apps, it is a certainty that this happened.


Have you heard of the power of legally enforceable contracts? Lots of things aren't technically impossible but are forbidden by the law or by a contract. It's one of the ways modern societies function, check it out!


Have you heard of the power of contracts that have never actually been to court. It turns out many of them aren't legally enforceable. It's one of the ways modern society is dysfunctional. Check it out: http://www.ycombinator.com/legal/


How many firms have FB sued for breach of this hypothetical contract? Other than "Cambridge Analytica", can you think of one they might sue?


The NYT article is definitely overblown. It’s popular to hate on Facebook about privacy, and yeah, they’ve made mistakes in the past, but that’s largely because they’re just engineers trying their best to do the right thing. IMO they need more non-engineer types to inform them what “the right thing” actually is, when it doesn’t align with the typical attitude of “Oh, there’s a technical solution to this problem!”

> the BlackBerry app had access to all of the reporter’s Facebook friends and, for most of them, returned information such as user ID, birthday, work and education history and whether they were currently online.

User ID and birthday are both public information, and people typically share work and education history as public (or at least “networks” thereof, for finding friends). AFAIK online status is the only thing that’s usually friends-only, but perfectly reasonable to share with a device messaging app.


I generally agree with you that this piece is a bit sensationalistic but...

> [...] they’re just engineers trying their best to do the right thing.

What makes you say that? Beyond potential abuses of data by third parties (or whatever), I would expect that most FB employees are trying their best to get paid. Whether or not all or any single one of them cares about “the right thing” is mostly unknown to outsiders. I have always assumed, based on FB’s overall business model, that there is a general disregard for any particular interpretation of “the right thing” at least when it comes to the privacy of the platform’s users.


I worked there in the past. Everyone I met was earnestly trying to do good work and afraid of getting fired or sued for doing something that would impact privacy and thereby FB’s bottom line. Facebook is strongly incentivised to protect user data because that is their primary market advantage—having ad targeting data that other ad networks don’t. Leaks and breaches of trust are bad for business and bad for the RSUs that employees and acquirees are given.


There is a huge distance between "Doing the right thing" and "doing one's best to avoid getting sued". There are lots of things that are legal but frowned upon in a decent society.

And no, Facebook is not "just engineers <...>". There are lots of other positions who make high-level decisions, e.g. decide how the company is going to make money.


Also from the article:

Some device partners can retrieve Facebook users’ relationship status, religion, political leaning and upcoming events, among other data.

Are those public?


Also, is it the data belonging to the user of the device and the Facebook account the device is logged into?

"Facebook integration on device OS allows viewing user's own profile after logging in to account" doesn't seem that shocking.


"We are not aware of any abuse by these companies." - seems to be carefully worded. They do not make claims that there are no abuses, nor do they elaborate what checks/audits they have in place to detect abuse.


> They do not make claims that there are no abuses

How can any honest people make such claim? It is the same as proving the non-existence of abuses.


I think point of above is more that it's in their interests to make sure they never do any checks, so no doubt they never do any.

They could probably catch 99% of abuses by just specifying it in the contract with the 3rd party, but they have't done that.


How do you know that they didn't already catch 99% of the abuses, but it's just that 99% is still zero?


Yeah - try reading between the lines since FB's response is not in line with your confirmation bias against them.


I was trying to read the article critically, but am open to alternate parsings / viewpoints on the article. Would love to hear your thoughts on the subject matter of the article.


What I apprehended from the article is that those API's still exist, and even still work in full.

Meaning that today it is still possible to generate an access_token using a client_id extracted from an old blackberry device with a valid facebook account and extract much more data (using the private device API's) than what that user should be allowed to see.

Do I understand that correctly? Because that seems like an enormous security breach.


Disagreement lies in there, fb says devices access as much as fb app access, NYT claims otherwise but probably wrong


>The company continued to build new private APIs for device makers through 2014, spreading user data through tens of millions of mobile devices, game consoles, televisions and other systems outside Facebook’s direct control.

So Facebook says "we don't sell data," but they are giving manufacturers access to data in exchange for being integrated/pre-installed on the device. How is that not "selling" data? Just because they aren't receiving cash?


They're not giving manufacturers access to data in exchange for being integrated/pre-installed on the device; they're giving those manufacturers' apps access to data because they need that access in order to be able to present that data to the users who are accessing Facebook through those apps. It's not a quid pro quo, it's something that's fundamentally necessary for the apps in question to actually allow users to interact with Facebook through them.


That might have been true in certain cases, but the article makes it clear there were other situations:

>Facebook acknowledged that some partners did store users’ data — including friends’ data — on their own servers. A Facebook official said that regardless of where the data was kept, it was governed by strict agreements between the companies.

Furthermore, why would they be putting an end to all these "partnerships" if they were "fundamentally necessary for the app"? Manufacturers can turn to the normal api that any other app dev uses.


If you read the NYT article, there's one pretty obvious reason why they can get away with ending the partnerships now: almost everyone has smartphones that can just run the official Facebook app. It probably also helps to understand that on a few of the older platforms, almost everything went through the manufacturer's servers, including email and sometimes even web browsing.

While I guess technically they could've use the normal API and only got the same information as Farmville or any random quiz could, this would have the result that - depending on what phones your friends used - you wouldn't be able to share information with all your friends without also sharing it with Farmville, Cambridge Analytica, and all the other shady Facebook platform apps that weren't held to the same privacy standards. That doesn't seem like a win to me, particularly since getting someone to click "yes" on a permissions dialog is a lot easier than creating a widely-used hardware platform and convincing them to use it.

(Of course, given just how many intrusive permissions it demands, getting everyone on the official Facebook app arguably isn't a great leap forward for privacy either.)


IT's been obvious they do exactly that since the Zuckerberg hearings. But all of the politicians asking him questions seem to have missed that subtlety and kept asking about "selling data".

Facebook hardly sells any data. It just shares it for free with a ton of partners (and without freely-given user consent).


They chose their words carefully.


Having read (been warned) "Chaos Monkeys" and "Dragnet Nation" this comes as no surprise.

https://mobile.nytimes.com/2016/06/29/business/dealbook/revi...

https://www.npr.org/books/titles/281981849/dragnet-nation-a-...

Editorial: It's startling to me how outfits as reputable as NYT can time and again parrot a narative (e.g., FB is better than sliced bread), and then after the fact report on something that was right under their nose all along.

Given the book review (link) above, it's as if they don't read their own publication. If I have to connect the dots myself then I'm going to stop reading - which I essentially did, many years ago.

That said, SV has become the ultimate cult / religion. All those followers and zero heretics (i.e., whistleblowers). The irony that so many of the faithful champion the likes of Snowden et al is as funny as it is frightening.


I've been reading studies about how facebook makes you depressed for years. Facebook may have had a golden age around the time of the Arab spring, is that the narrative you're referring to?


The two books mentioned are not new. One is specific to FB and reviewed in the NYT. The other might have been reviewed there as well. I did not dive that deep.

The narrative is more about the MSM's alleged ignorance about FB's biz model, biz practices, etc. All those "journalist" and not a single question.

The point is, this is old news. It borders on fake news. Real news boils down to two things. It's new. And it's relevant.

Again, if the NYT - as a MSM outlet - is the best we got then we deserve better.


> Editorial: It's startling to me how outfits as reputable as NYT can time and again parrot a narative (e.g., FB is better than sliced bread), and then after the fact report on something that was right under their nose all along.

That is almost completely a problem of the format of news articles, and that journalists have to write for a lowest common denominator. Take as an example from the NYT article:

> Details of Facebook’s partnerships have emerged amid a reckoning in Silicon Valley over the volume of personal information collected on the internet and monetized by the tech industry.

That, plus the next paragraph, is basically the entire context the NYT can give about a discussion about privacy that ranges from the inception of the Internet, spawned numerous NGOs like the EFF, etc. To present an sort of accurate picture, they would need a five volume work, so they have to rely on their readers already knowing something about internet privacy, and this is only meant as a reminder.

The same problem seems to be with the entire article, the NYT seems to define "third party" as any party that is not Facebook, while Facebook defines "third party" as app developer. If I understand the NYT article, and Facebook's press release [0], the entire kerfuffle seems to be about an legacy api that can only be accessed by device makers, and it is entirely unclear if device makers have to exfiltrate the data from the individual devices, or if they have access to FB's databases. [1]

The problem in the context of writing articles is, that one needs a quite technical article of the same length as this one to explain the lowest common denominator news reader what the difference between those two scenarios is. (Remember the average reader does not know what an api is, does not know what local or remote means in the context of handheld devices, does not know the difference between an OS and an app, and in general is not a programmer.)

The quality of news gets even worse, because market pressures push newspapers like the NYT to conform to a certain set of newsworthy topics and to a specific framing of these topics. They have to adhere to a certain set of newsworthy topics, because people who talk with their co-workers about news don't really appreciate it, if their newspaper did not write anything about the topic. And they are pushed to a specific telling of these topics, because some of their readers are checking different newspapers and if they have incompatible framing of the news, then those readers will at some point conclude that the majority of newspapers is right.

[0] https://newsroom.fb.com/news/2018/06/why-we-disagree-with-th...

(h/t to whoever posted it in the comments)

[1] Note, in the first case FB did constrain the ability of the device makers to access data on the phone, by getting them to sign TOS of the api. In the second case, FB is just lying about a breach of privacy for any reasonable definition of "third party."


> Note, in the first case FB did constrain the ability of the device makers to access data on the phone, by getting them to sign TOS of the api

That's not a very good constraint.


My point is, that after reading the NYT article twice, I see several different interpretations, and the difference between the interpretations runs from FB is trying to do the right thing, to FB is outright lying. (And that it is pretty hard to write an article that nails down one of the interpretations without going into more technical detail than is possible in an article for a general audience.)

I agree that such a TOS is not a strong constrain, it is not technical and it is easily cirumvented, by just not using that specific api and instead getting the same data from the OS.


> the NYT seems to define "third party" as any party that is not Facebook

This is what third party means


I'm still a bit confused as to the facts here, but it seems this is about the client software having access to data via apis authenticated with user credentials. If it's the software acting on the client's behalf, I don't view the client as third party (it's the user itself). Something along the lines of the old Farmville app would be third party.

Now if blackberry or apple had carte blanche access to data via an API that was authenticated just based on the company credentials, that would be different.


I agree, however my point is, that this is potentially just a disagreement over definitions, not a disagreement over reality.


Facebook's old policy: Move fast and break things.

Facebook's new policy: Move fast and deny everything.

I'm only half-joking as I was surprised to see a Facebook rebuttal so quickly after an article like this. It seems a new strategy is in place, to not let these article fester. The problem is their response is devoid of actual content, or even actual rebuttals to the main points of the NYT article. Mainly that FB does not consider these vendors as "third-parties", and that friends data is accessed even when sharing is explicitly disabled.


I'm only half-joking as I was surprised to see a Facebook rebuttal so quickly after an article like this.

Reputable journalists always seek comments when they write in depth about a person or company. There’s always at least some forewarning.


> I'm only half-joking as I was surprised to see a Facebook rebuttal so quickly after an article like this

>Market Cap: 561.740B https://www.bloomberg.com/quote/FB:US

Not surprised at all. Their business model depends on it on people uploading all of their personal information, thoughts, and feelings into the machine for analytical processing. If that trust/relationship dies, facebook dies with it.


I think the problem isn't so much a question of users trust in Facebook but rather users apathy with regards to their own privacy.

I think most people are aware enough that they are the product - I just think they don't really care all that much.


> I was surprised to see a Facebook rebuttal so quickly after an article like this.

Article contains Facebook's response, so they most likely read it before it was published. As far as I can tell, they probably didn't like the way reported interpreted things so they prepared at least part of the response before, so they can react when it will be published.


Here we go again... it feel like there's no way to break out of this cycle where companies routinely go unpunished for bad behavior. Facebook, Equifax, Wells Fargo...


The problem is that "bad behavior" is a concept in flux. Facebook never hid what their business model was: sell your personal data to third parties. Only a few privacy activists were concerned. Others reactions went from "meh" to "it's actually smart!" (Remember when Obama's campaign was praised for its innovative approach profiling voters?).

It took Cambridge Analytica for people to realize that they did not want this.

I have been paranoid about Facebook since day one, but there is something I won't do: blame them for coming up with a business model that is legal and did not seem to concern users ethically either.

The hearings of Zuckberg have been shameful. As much as I love seeing him on the grill, I have more contempt for the lawmakers in front of him, who actually enabled Facebook to become such a monster by either facilitating or simply not understanding what it was doing.

Facebook is a problem, but the ones responsible for this situation are not to be found within the company.


> The problem is that "bad behavior" is a concept in flux. Facebook never hid what their business model was: sell your personal data to third parties.

So not to interrupt the outrage mob here ... but facebook did not sell data to these companies. And actually I'm not aware of any case where people are outraged where facebook sold peoples data, including the Kogan case.



> Remember when Obama's campaign was praised for its innovative approach profiling voters?

Didn't Obama's campaign obtain users' consent before reading data?


Obama's campaign obtained users' consent before reading their friends' data. They did not, however, obtain the consent of those friends in any way, and at least for the 2012 campaign it was those friends who they were trying to convince to vote for Obama.


>I have more contempt for the lawmakers in front of him, who actually enabled Facebook to become such a monster by either facilitating or simply not understanding what it was doing.

Does your contempt extend to the billions of non-technical minded users who also did not understand what FB was doing?


Not really. The notion that the non-technical should understand EULAS dozens of pages long is a total fiction (that is legally binding in the US but not so much in saner countries).

On thousands of issues that can put several things I hold dear at risk, I just trust elected officials to do the right call. It is THEIR job to understand these issues and take the correct stance. I mean, this is literally what they are paid for.

I still wish that privacy had been a bigger concern to the population at large, but thanks to recent scandals, and to EU laws, this starts being the case.


>It is THEIR job to understand these issues and take the correct stance. I mean, this is literally what they are paid for.

Perhaps they are paid more by their donors to pass laws written by corporate lawyers


Hopefully some GDPR stick will help fix this


GDPR, the tool to prevent the disruption of Facebook from ever being economically viable! Yay. Let’s celebrate.


If disruption of Facebook is economically viable because the new whatever-book is doing the same things to user privacy, then that's not useful anyway. It's not that important who is the largest provider, as long as the incentives are the way they are now, the largest provider will be doing harmful things. We need to establish appropriate incentives and boundaries (of which GDPR isn't perfect but certainly in the right direction) so that no matter if it's Facebook or someone else, their behavior is one that we can live with.


The assumption there being that Facebook continues to be economically viable...


Facebook disruption will be Facebook "spontaneously" ceasing operations, without replacement.

I bet on a quick shutdown, possibly with extradition shenanigans, offshore funds and other drama, after a criminal investigation or a whistleblower shines a light on potential liabilities.


China just executes the CEO. Mindless ambition. Mindless consequences.


I hope you're not trying to say that's a better solution.


It probably is, given the type of characters proped up by the attention economy.

China hasn't produced a Trump yet. Meanwhile the US has laid the foundation with the attention economy (that props up people with the largest view/retweet/like count) to produce an entire crop of Trump type "leaders" in every sphere of life from the corporate world, to the army, to academia, to the media etc etc. The ground has been prepared and the seeds have been planted.

Look around. What is going to prevent their rise? Regulators? Zuckerberg?


So China has redefined CEO to mean: "Chief Executable Officer" :)


That is pretty good :) I can't find it right now, but some very similar phrase was used after the Deep Water Horizon explosion and oil spill, which caused the BP CEO to get fired, to describe the role of the leader in such situations.



This


It seems a lot of these tech companies' competitive edge is to ignore regulations and rules (other examples: Uber, AirBNB) to grow a massive user base 100x faster, as they hold onto the "scrappy startup" image.

Once they have achieved their scale and network effects, they can just promise changes and do an apology tour in response to any regulatory or public backlash after it happens.


> promise changes and do an apology tour in response to any regulatory or public backlash after it happens

Except they aren't apologizing for this. And they shouldn't, it's a non-issue. The next article is going to be about how facebook shares user's data with third parties (chrome/firefox/opera/nefarious browser #3/etc) without any sort of agreement about how those third parties use the data.


Nothing will change Facebook's behavior except heavy regulation or the threat of a breakup.


And no one should be surprised by this either.

Violating privacy is their business model. As long as it is legal it would be stupid for them to change it.

As a former French banker (now standup comedian) once said: "Hoping to regulate companies by asking nicely is like going to the prostitutes with a flower bouquet"


Honestly the only way might be American regulation specifically targeting Facebook. And the next player might be just as insidious. It would be extremely hard to avoid this result without a dramatic shift in public opinion and frankly culture.


This appears to be an API to integrate Facebook chrome and functionality into a mobile OS UI;

> “An Apple spokesman said the company relied on private access to Facebook data for features that enabled users to post photos to the social network without opening the Facebook app, among other things. Apple said its phones no longer had such access to Facebook as of last September.

...

> Usher Lieberman, a BlackBerry spokesman, said in a statement that the company used Facebook data only to give its own customers access to their Facebook networks and messages. Mr. Lieberman said that the company “did not collect or mine the Facebook data of our customers,” adding that “BlackBerry has always been in the business of protecting, not monetizing, customer data.”

> Microsoft entered a partnership with Facebook in 2008 that allowed Microsoft-powered devices to do things like add contacts and friends and receive notifications, according to a spokesman. He added that the data was stored locally on the phone and was not synced to Microsoft’s servers.”

The story recounts how the BlackBerry Facebook view could... not surprisingly in any way... render your Facebook friends’ information which you are supposed to be able to access.

But the NYT apparently thinks this is nefarious in some way.

> “The Hub also requested — and received — data that Facebook’s policy appears to prohibit. Since 2015, Facebook has said that apps can request only the names of friends using the same app. But the BlackBerry app had access to all of the reporter’s Facebook friends and, for most of them, returned information such as user ID, birthday, work and education history and whether they were currently online.

> The BlackBerry device was also able to retrieve identifying information for nearly 295,000 Facebook users. Most of them were second-degree Facebook friends of the reporter, or friends of friends.”

...How the hell else do you suppose the UI was rendering your Facebook Feed?! Maybe they thought BlackBerry used magic unicorns to render the Facebook UI components on their Hub view.

If only there was a term to describe when media sites write a non-story to stir up fake controversy by smearing a popular target...


Your entire post boils down to, "just trust the billionaires!"

No, we won't. They are liars and cheaters, the lot of them, and we aren't going to trust them any more. They said in court "we didn't do that" so then you post it here that everything is okay, but I don't trust it. Not one bit. None of us do, or should, trust what those companies say.

Mark Zuckerberg is a liar. The whole concept of, "We're doing the right thing with your data, just trust us" is ridiculous. He already called you and I and every single one of us a literal "dumb fuck" for trusting Facebook with the data. Mark Zuckerberg would be banned from HN for vile language if he were here. Clearly, we are not meant to trust him or any of them at their word. They lie and they know it.

NO, zaroth, I do not believe a single part of any of the quotes you wrote. I don't believe them. We also know that Zuckerberg was intentionally misleading or lying in recent EU appearances.

> How else was the UI rendering your Facebook Feed?!

This kind of incredulous, "we must have Facebook on our phones, what else were we supposed to do?!" is silly. Facebook and these partners clearly overstepped their bounds.

> But the NYT apparently thinks this is nefarious in some way.

What? You then quoted the NYT listing a series of facts. Nowhere does the NYT say anything like nefarious or anything like that. You are making things up.

> ... fake controversy ...

Did you just call this whole thing fake? Like, the controversy itself? It's not fake..... This HN thread's existence proves the controversy is real. This stuff is not fake.


I get it that you are channeling Stallman and that you think your device is spying on you. And by all means lets fight that fight and write those stories.

But that’s not the story that the NYT has published here.

I’m incredulous that programmers and hackers would feign surprise that a UI rendering a Facebook feed would necessarily use an API which returned a data structure with... your fucking Facebook feed.

If device manufactures or OS developers (Apple, Microsoft, Samsung, Amazon, Google, etc.) are exfiltrating personal data off of your device — and BTW my Facebook feed would be the least of my concerns in that case — prove it, and the point your pitchforks at them.


The article cites Facebook as the source for partners having that data on their servers. Is that evidence enough?


Which partners? In what form? For what purpose? Are we talking about cache data like Amazon Silk? Encrypted backups?

It doesn’t help the discussion to conflate user agents with third party applications.

But user agents do sometimes push our private data to their own servers — like Chrome’s Omnibar — and if and where that is happening, and how that data is used, absolutely should be disclosed by the device manufacturer.


If the bit about "on their servers" didn't refer to device partners I would have expected Facebooks response[1] to the article to call that out as misleading, but it didn't. I hope too we'll see details somewhere to get a better judgement of how bad/not bad it is.

[1] https://newsroom.fb.com/news/2018/06/why-we-disagree-with-th...


Thanks for the link!

I had not read Facebook’s response but it seems to me to perfectly describe what actually occurred with these APIs and highlights what NYT got wrong with this story.


> you think your device is spying on you

Well, of course it is. Ridiculous to think smartphones aren't spying on their users in this day and age.

> But that’s not the story that the NYT has published here.

Uh, yes it is.

> I’m incredulous that programmers and hackers would feign surprise that a UI rendering a Facebook feed would necessarily use an API which returned a data structure with... your fucking Facebook feed.

I'm incredulous at this sentence. Good lord what anger you have for people just being people. I don't see anyone here "feigning" surprise! I haven't seen that at all about this topic. No need to swear, either. We can talk like reasonable people.

> If device manufactures or OS developers (Apple, Microsoft, Samsung, Amazon, Google, etc.) are exfiltrating personal data off of your device — and BTW my Facebook feed would be the least of my concerns in that case — prove it, and the point your pitchforks at them.

I don't have a pitchfork out and I have absolutely no idea what you're ranting about. This swearing, pitchfork holding comment makes no sense to me. Didn't they take the data anyway? Sounds like you should have your pitchfork out and pointed at Apple, et. al.

This is a privacy concern and that's real. It's not fake, it's real. Nobody is "feigning" concern, this is a real concern, we are not fake people writing fake opinions.


The ad hominem doesn’t help your argument.

Look at how the NYT portrays the Blackberry Hub view as having access to the FB data required to render your feed, in order to render your FB feed... and equating it to a third party app having the same level of access.

For starters, a user agent requires that you enter your FB username and password in order to function.

If they rendered a Facebook feed through a browser the exact same data would have passed over the network, and the device would have had the same level of access to that data.

It is sloppy reporting and a disservice to the non-technical community to equate an embedded user agent with a third party app.

You seem to think the NYT wrote an article discussing the finer details of whether we can trust our personal devices to keep all the private data that flows through them. What I read seemed more like a sloppy hit-job on Facebook because it’s a popular punching bag of late.


"Facebook Gave..."

Well, that's like problem number 15. Number one is to look at what you're giving to facebook.

Number 2 is to look at how much control you have over the intimacy of your own life and those around you, using or not.

Number 3 might be to look at how many phones/devices you can root, rip and reset (I mean, c'mon, the personal data sink on a phone is enormous and most have little to no say about what can be on it and when much less port and comms control).

Number 4 is maybe that any middlin' IQ ass with a badge or a note with some letterhead can scoop your kit. (See Number 1.)

Number 5 - Who makes the rules? (Don't think too hard on it, please.)

Et cetera.

Facebook is easy. Fasebook is sleezy. Facebook is free. So? I think I'll trust my peers well before I trust any piece of must-have with a logo that gives you only tactile controls, at best. The masses do not choose wisely. (See Number 5.)

If you do the sharing then you need to do the caring. Button it up and bring it down. Believe it or not your likes are your own and if you don't like what they're doing now then shut it down. I know it's easier said than done for some but the keys to the kingdom are in corporate hands now. Good luck.


Well, if you want to have your social network app preinstalled on a lot of phones, I guess there's either paying for it or offering up your users.

iPhone doesn't have it preinstalled, no, but if memory serves, there were integrations built in. At least for a while.

Why would they need this data though, really? Once you've bought the device, they could get at the interesting data outright if so inclined?


I would love to see someone with an old BlackBerry write up whether this uses a unique endpoint (different from public api) especially to see if it would be possible to 'spoof' a BB device to get the data.


Can't wait the apology commercial.


maybe another Zuckerberg nationwide tour that he'll chronicle on Facebook if we're lucky.


I find the Wells Fargo commercials absurdly self-serving. I can only imagine what the makers of “Chairs”[0] would conjure up.

[0] https://www.youtube.com/watch?v=SSzoDPptYNA


The first 500M Facebook users were signing up for "the graph".

The NY Times piece even goes so far as to illustrate this in diagrams.

The graph was a phone book replacement... "white pages" for the Internet.

It was only when public discourse on FB pivoted to religion and politics; both very private and personal topics; that sentiment pivoted towards privacy... and removing themselves from discoverability on the graph.


"The company continued to build new private APIs for device makers through 2014"

"Michael LaForgia, a New York Times reporter, used the Hub app on a BlackBerry Z10 to log into Facebook." -- this is a phone announced in 2013.

I understand the concern with Facebook, but this article is presenting information from 4 years ago as if it's news.


It's news if people didn't know. Plus FB itself says that 60 companies used these APIs, and only 22 of those have ended as of today.


> "In interviews, Facebook officials defended the data sharing as consistent with its privacy policies..."

Facebook's EULA pretty much gives them carte blanche to do whatever they want with the data you've provided them. Of course, who actually reads EULAs or cares about privacy anymore?


Alternatively worded: Facebook let RIM build Facebook for Blackberry.


This paints Facebook’s recent marketing campaign in a new light. Here I was thinking we were dealing with a company finally that decided to get their act together and turn themselves around, when in reality it was actually just Facebook trying to whitewash their reputation ahead of all the horrible abuses they knew were about to be exposed.


Until the top execs are removed, don't believe there's a sincere desire to change at Facebook


just switch out of FB. you dont have to quit social media just find a more suitable network (I personally like ello). the crux of the issue is that they know they are a monopoly and wallstreet knows that too so these things will continue until there is a moderating force like people leaving. otherwise I doubt there'll be much happening to rectify these issues for they are the core of their business model not some happenstance things.

btw mozilla created a FB jail thats fully open-sourced a few months ago. use that on FF and it should alleviate some desktop tracking. access here:https://www.mozilla.org/en-US/firefox/facebookcontainer/


Worked at an OEM. We preloaded Facebook apps in our phones in exchange for user data. I can't provide more information on how the data was used but I would trust Facebook on this case.


I always found it suspicious that on new (Android) phones with manufacturer ROM, the Facebook app was almost always uninstallable (system app).


Shooooooooocking. This getting pathetic. Personally I am using Facebook less and less and attempting to block it as much as possible.


I think it's pathetic when people complain about something and continue to use it. That's why companies are allowed to get away with so much bs.


At which point can facebook start suing around for [slander/damages]? It's not like they did all this in secrecy , they were quite open about their platform with developers (which has helped developers warm up to a company that basically sells gossip). They never will of course, because they 'd be retroactively judged with today's standards. E.g. I find their unfair advantaging of the Obama campaigns a lot more troubling than this.


You can't sue for libel over accurately reported news? The bar for successful libel actions is extremely high in the US, as well.


I mocked up a new Facebook apology ad: https://i.imgur.com/EWDJjwx.jpg

Let me know if marketing wants to license it.


When is Facebook giving full disclosure? Why do we have to find out like this? Facebook knows exactly which entities have been harvesting data. Just tell us already...


I for one do not expect Facebook to change much unless there's a big shakeup from the top, including removing Mark Zuckerberg, Sheryl Sandberg and others. What they have shown repeatedly is contempt for their users in the guise of apologies and remediations that go nowhere. Since such a shakeup is unlikely to happen, the other thing that could happen is a breaking up of the company, which I'm guessing (this is not a prediction) will happen in a couple of years. To start with, Instagram and WhatsApp would have to get unwound from this mess by becoming individual and unrelated services.

I don't have a lot of hope on social media platforms respecting user privacy and avoid massive data collection and/or sharing. Privacy in today's world is for the privileged people, in various ways.


I don't believe there is much synergies between FB and Instead anyway, and even less so with WhatsApp which seemed to be have been bought out strictly to stop it from growing into its own social network.

But I don't see the US ever breaking up FB in the coming decade, as the agenda is clearly not to fight monopolies and trusts.


Any breakup, if it were to happen, would be likely to be triggered mainly by the EU, IMO. For all the complexities that EU regulations sometimes bring in, I see the EU as the only hope in such cases.


When has the EU ever break up a world class monopoly ?


When has the EU ever produced a world class monopoly?


Maybe this time is when? I don't know. But I personally don't have hopes on any other government or governments to take such an action.


Change means less revenue, IMO. Their business model is to keep squeezing every bit of data and seize every opportunity for the next quarter. So, that type of change will happen only if forced.

I've said it before: FB should not have been allowed to buy them in the first place.


OR, the people who made Facebook interesting will go elsewhere. I've received a few invites to email lists, and one to a private blog, to replace the authors' Facebook posts.


At least try to understand what is going on before regurgitating all your confirmation biases against Facebook. These device APIs were a necessity before iOS and Android came along. How do you think you got FB experience on Blackberry before they had an app store?

Pretty sad piece by NYTimes who are just trying to get views and probably have an agenda against FB (given how much FB is ravaging their business model).

This is FB's response: https://newsroom.fb.com/news/2018/06/why-we-disagree-with-th...


The device APIs are not just "before iOS and Android came along". And they have remained and alive for a lot longer than they were supposed to be. That much is clear both from the NYTimes report (though it did lack clarity and could've been much better) and from Facebook's own response. Where is the statement that billions of devices (including older ones) out there don't have this access any longer?


Facebook will not be the same without the masterminds (Mark Zuckerberg, Sheryl Sandberg and others). Practically, the business there is all about finding monetary value of the user data.

Whether very few of us like that or not, we keep going back to using Facebook anyway, how (long) can we avoid the platform where our family and friends (and billions of other mindless users) are?


Stop using Facebook already ... it's a liar and deceiving social network.


they haven't changed. they will not change. why should they change. this is their normal. they are rotten to the core.


Why this is shocking, or even news?

When you create and use a Facebook account (or when a shadow profile is created for you), Facebook has (and has always had) the right to share anything and everything you publish on their platform with anyone they have a legal responsibility to (e.g., law enforcement) or commercial agreement with (e.g., advertisers).

All Facebook content is essentially public and should be treated as such.


We (society) made the rules, and we can change them. We have the power to make laws dictating how Facebook can use the data, regardless of what the contract says, regardless of their current "obligations", and regardless of how "public" this data might be. We made new laws about medical data -- we can make news laws about social data.

That's what these stories are about -- things we can think about when drafting this new legislation, or interpreting old legislation.

Our system of laws is not set in stone, we can update it, and we will--for better or worse.


Why does the law need to change for this? Facebook should disclose what they do with your data, and that is about it. At that point, it is really up to you to decide if you want to play ball...


So Facebook gets to make the rules? The law changes whenever we feel like it should, that's how democracy works.

You say why should the laws change and why shouldn't we individually decide whether or not to play ball?

For one thing, Facebook creates profiles of people who don't have accounts, but for another, and more importantly:

Why should companies not be able to dump toxins in rivers? It's up to us whether we want to buy from that company and contribute to pollution -- or we could start up an EPA... which we did. Same deal with Facebook, sort of. Society can make whatever rules it wants, the only natural law is chaos, and of it we make order.


Yes you should fight to change the law if you don't like it and likewise I do not think the law need to be changed nor the more regulation is needed so I will fight it too. In this case the harm (if any) that fb make is not substantial enough for me to care.


I completely agree. I don't think there's any need for legislation. I think people should just realize the simple adage, "if a product is free, you're the product" or whatever.

Our society needs to wise up.


Dunno why this is getting downvotes--you are absolutely right. You echo my thoughts after reading this. Folks, why is this a surprise at all? Don't post stuff on Facebook you don't want public.


Now read this and do make sure you type the takeaways like you did for the NYTimes article above: https://newsroom.fb.com/news/2018/06/why-we-disagree-with-th...


Doesn't actually deny any of the accusations, except maybe for the "access to friends' data not being shared" (for which the NYT should be criticized for being too vague - it's not clear how and why they "believed" it wasn't shared).

I like the part "all these partnerships were built on a common interest" - tautologies always sound good.

As for the only actual defense (the data agreements), it was already in the NYT story.


And, Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.

Parsing: friends’ information, like photos,

I have a friend named Tammy. Tammy has photos.

was only accessible on devices

Someone/thing can access these photos

when people made a decision to share their information with those friends

I decided to share information with Tammy. I now have access to her photos. I open some silly fb app. That app now has access to my friend Tammy's photos. According to this, Tammy may not even know that those photos have been compromised. She may have a son who is gay, but not out yet, and Tammy (being the understanding parent) is sharing with people she trusts. Now, unbeknownst to her, everything is out in the wild.

This is the problem.

We are not aware of any abuse by these companies.

Were you looking? Did you care? Do you now?


So basically, your argument is that it's a dangerous attack on users' privacy for Facebook to allow users to view it through any app but their own, no matter how strict their contracts with the app developers, even if those developers are big companies like Microsoft with a lot to lose if they get caught doing something malicious? That it's an attack on gay rights for the Facebook walled garden to not be maximally strict and absolute in its grip on what software people can use to interact with their friends on it?

Because that's what we're talking about here: apps that allow users to access their Facebook accounts and interact with their friends through them. Not shady Zynga games or information-mining quizzes, but alternatives to the official Facebook app that are only allowed to "provide versions of the Facebook experience" and are created by major device manufacturers.

I'm curious how Facebook's continued willingness to allow web access to people's private information fits into all this too. After all, the user's web browser has access to all this dangerous personal information about their friends, it can certainly do all kinds of malicious things with it, and Facebook doesn't even have any kind of contractual relationship with the browser developers preventing this. Given how many shady browser extensions are out there this is certainly being abused right now. Should Facebook take down their web version too in the name of protecting gay children?


So basically your argument is that corporations should be trusted to self-police, because they know that bad things would happen if they get caught misbehaving? Like, Microsoft would be destroyed if they were found to be sending users' information to their servers and the average user didn't realize it?


Quite the opposite.

The moment facebook provides a way for a person to use a device to view information, they've simultaneously produced something the device's OS could use to exfiltrate that information. There's nothing facebook can practically* implement to allow Windows Phone users to use Facebook while preventing Microsoft from exfiltrating data.

Drop the API, and they can scrape webpages; it doesn't remove any fundamental barrier to information. If Facebook wanted/needed to limit access to this information from untrusted device manufacturers, a website is out of the question, and you couldn't just release a windows/android/linux app — you'd need to go per-manufacturer.

This leaves pretty much everyone worse off. [though it'd be pretty great for Apple.]

Users need to trust the manufacturer of the devices they use. There's room for regulation/enforcement to ensure that they can.

But holding services responsible for vetting the platforms that can access their data makes open platforms like the web untenable, and doesn't fix anything.

* Impractically, facebook could send and show encrypted data which can be decrypted by the user via pen & paper.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: