Hacker News new | comments | ask | show | jobs | submit login
U.S. lawmaker: 'Sure looks like Zuckerberg lied to Congress' (latimes.com)
409 points by JumpCrisscross 8 months ago | hide | past | web | favorite | 216 comments

I don’t get some of the concerns about this.

Take the Facebook app that Huawei built using their special API access to offer Facebook on their devices. Their implementation was supposed to store the Facebook data locally on the phone. Of course, there’s a concern here that Huawei, a company with strong ties to the Chinese government, could still be siphoning Facebook data off the phone despite that breaking their agreement with Facebook.

But if you don’t trust the device manufacturer and their operating system, what does it matter? If Facebook existed solely as a mobile web app on the phones or as a Facebook Inc produced app, you still have to trust Huawei to not be siphoning off that data. If you don’t trust Huawei, you’re at risk regardless of whoever made the software you use on their phones.

(The device manufacturer FB implementations that stored data on non-FB servers are a different situation though...)

This is one of the strangest defenses for Facebook - everything works as expected.

Cambridge Analytica downloaded data? The API worked as expected and people should have been smarter to not share data.

Facebook has special APIs for phone manufacturers? The API works as expected and people shouldn't buy phones from the manufacturers they don't trust.

But, here's the thing - FB shouldn't have allowed this at all. In one part, security is about making things harder for people to break-in. Currently, manufacturers can use official API to siphon off data to non-FB servers. Sure, manufacturers could run some kind of MITM attack to achieve something similar. But having an official API is a strict no.

>> people shouldn't buy phones from the manufacturers they don't trust.

You're literally hosting your life on it. You should indeed not do this.

True, but let's say you bought a DSLR camera, wouldn't it irritate you if the manufacturer was secretly uploading your pictures elsewhere for others to use against you? To most, such practises would seem beyond intrusive. I sort of feel that this is what's happened here, albeit, in a subtler manner.

> secretly uploading your pictures

What if instead of it being a secret, it was a big button with “upload photo to Facebook” on it?

If Facebook outsourced the implementation of that button for each different type of camera to the respective camera manufacturers, rather than implementing it themselves, would that change it from a non-problem to a problem?

Is there any evidence that has happened? That sounds like it goes directly against the APIs terms of service. If device manufacturers are doing that, they could equally upload your passwords from the browser.

>. If device manufacturers are doing that, they could equally upload your passwords from the browser.

And then fb should tell you about unusual accesses to your account unless the phone vendor is also your Telco and extremely careful.

In OSes you can theoretically attack any app, but it is a pain to even debug them with different versions, changes to their custom storage formats, etc.. Unless they build an ABI, document which parts are stable and give it to you.

FB can tell you about it but there is no law mandating anti-hijack security features. Nevermind that the spyware can be inserted in the client itself or in the official gateway supplied by Huawei, necessary "for technical reasons", making it completely invisible.

Once the manufacturer goes outside the licensed API and uses your credentials to do more than Facebook allows, it commits an actual crime against you in most jurisdictions.

I'm sure people will be investigating and finding a few examples of on phone API violations then transferred.

My bet: no criminal cases. Facebook charging less than 50k for violation of an API contract on data that isn't theirs, if numbers are disclosed. No standing for users except in a class action that get $5 or less on a new phone or $2 or less as a check.

> And then fb should tell you about unusual accesses to your account unless the phone vendor is also your Telco and extremely careful.

With the API, presumably there's an auth token that is only stored on your device. Facebook should also be able to detect unusual access with an auth token. Really, the auth token makes it easier to detect funny business than a username/password.

What if your friend does this and gets your data, even though you got the safe phone. Do we now have to be aware and affected by the technology choices of all of our friends? The problem here is that you are affected by not just your decision but the decisions of anyone who has access to your data on Facebook.

There aren't a whole lot of (i.e. _any_) good actors because the market does not incentivize them. You can't rely on capitalism to resolve the Prisoner's Dilemma here. This is why Right to Repair legislation has become necessary, for example.

> There aren't a whole lot of (i.e. _any_) good actors because the market does not incentivize them

Apple is a pretty good actor in this regard though, and they're clearly betting a lot on markets to realize the attractiveness of that.

> This is why Right to Repair legislation has become necessary, for example.

I'm not sure I see how a "bad" actor (maybe like Apple) in terms of the Right to Repair is relevant in the context of trusting device manufacturers. If anything I think Apple's (somewhat self-serving albeit not completely detached from reality) argument would be, and has been e.g. https://news.ycombinator.com/item?id=11047359, that their control of device repairs and servicing decreases the risk of malicious software or hardware components being installed.

Apple is not a "Pretty good actor". Better than some, yes, but good? No.

Honestly, Apple's privacy move over the years is genius. Its going to be a long time, maybe never, before I buy something besides an iPhone. I don't even like Phones(in general) that much and Apples aggressive cable policies drive me insane but this is getting really scary.

That was an unusually balanced perspective in a debate that usually tends to lack much nuance here.

FWIW I'm partially in the same boat: I like Apple the company and I'm happy for everyone that likes and uses their products but I'm kind of incompatible myself.

just because something is true doesn't make it a good defense of facebook.

>people shouldn't buy phones from the manufacturers they don't trust.

People shouldn't put their pictures , and relationship status, and whom they know, and what they think, and where they go, and what they talk in private about, to a private company's service that they don't trust.

Oh, except for, they do.

Companies shouldn't intentionally mislead users about privacy and data use. They should be either trustworthy or held accountable for deceiving consumers.

A large part of GDPR's value is killing these misleading practices by exposing them.

Facebook never mislead anybody about how their data was being used. That's a lie the media is feeding everyone for some reason.

Zuck recently said their legal contracts required data to be deleted and therefore it was. That's directly misleading.

I hear nothing about people not trusting Facebook, other than from those who don't use it. But plenty of people who either trust them or don't care either way who do put their personal data and photographs on Facebook. It's only when stories such as Cambridge Analytica make the news that they then realise how their data is being used.

Who are you talking about that in one breath say they don't trust Facebook and in the next go and put their data on their servers?

How can Facebook protect your data from a hostile phone manufacturer?

They can... not enter into agreements to share data with them as is detailed in this article?

Is this a trick question?

You're completely right. Facebook should not have created APIs that could be used to re-implement a Facebook application. They most certainly should not have made such APIs available to companies that are anything less than completely trustworthy in every possible way.

Facebook's error was in believing that anyone outside Facebook could be trusted to author an app. I expected they know better now.

So if I consent for my data to be transferred, why I should be prevented from that?

Facebook wanted to do this so everything did work as expected, they have been doing it for a long time and built it precisely to be used just as Cambridge Analytica used it. The only problem came when it was used to help Trump. When it was used to help the Obama campaign nobody batted an eye. Facebook is a political agenda and getting more people involved and helping their favored campaigns is something they were very interested in doing; that is why they allowed this - not realizing it would bite them back.


The revolution is going to happen for stupid reasons, just like Louis XVI was executed after cooperating (mostly) with the revolutionaries for years. American politics and news takes are a form of heightened collective idiocy that leaves me convinced that we will only improve ourselves semi-consciously while stepping on a rake and having it nail us and the oppressed people of at least five other countries in the face.

However, it's high time for Facebook to face intense regulatory scrutiny. Mark has been unfair to us for quite a while, so I'm going to yawn if he complains when the tables are turned. If FB gets broken up or its profits get reduced, Mark can replace his tear stained clothing with one of the identical replacements from the infinitely deep closet his billions constitute.

> Mark has been unfair to us for quite a while

What a huge statement you’ve buried here and then glossed over. This is the crux of everything, of course. I don’t agree with this statement, but hey, at the end everything comes down to this one notion.

The threat is going from rather hypothetical to more and more concrete. The phone is an appliance that runs software. It would require some substantial effort to get around that barrier - reducing the risk of it actually happening.

Now we're seeing that it didn't require any baked-in compromise in the hardware, firmware, or Android distribution. It's available via API.

The difference is between having a window that's easy for a thief to break and giving the thief a key to your house and asking them to sign something promising not to steal.

I would like, at least, for a thief to have to put some effort into it.

This is a really bad analogy, and misleading. A better analogy is like Facebook is a bank with safe deposit boxes. I give my key to my phone, and then my phone goes and gets something from the box for me.

There is no window to break. My phone can take the key and send it to the phone manufacturer who can then get into my safe deposit box whenever they want. The only way having an API makes this easier is that the manufacturer's Facebook app is more obscure than the browser, but the manufacturer's browser can just as easily steal keys, and it's no more or less illegal.

Except that providing an API to a third party, without controls, makes Facebook complicit. They don't get to provide such an API to a third party and then disavow themselves of any responsibility what it is used for.

Whereas if the manufacturer backdoors the browser of the phone to steal or siphon data from Facebook users, Facebook's only fault is creating the unnecessary data hazard itself (which is merely irresponsible instead of illegal in the US).

As I understand it the API has controls. There's no fundamental difference between the APIs we're talking about and the web interface, except the API is easier to use programmatically.

And a lot of thieves won't break the window.

Once these issues become the focus of politicians, the technical details matter less. If public opinion is opposed to a particular issue, especially if that opposition is bipartisan, politicians will leverage that for political gain -- just look at zuckerbergs congressional hearings, was all about political points

However, that doesn't mean they'll actually legislate anything with teeth, depending on other factors like lobbying etc. pharma is a great example of this -- universally hated industry at the moment, lots of lobbying power at the moment, and probably lots of people lobbying against them (this is speculation, but I imagine the American hospital association and AHIA probably are endorsing the drug pricing = cause of US high healthcare spend narrative). Strong bipartisan political opposition to an industry + strong lobbying by the defending industry = political actions that are all bark and no bite

The mechanism really matters a lot - think how it would look if a vendor kernel trojan was found siphoning FB data, vs "accidentally" sending off some official-api provided FB data to their statistics servers.

"Trusting" or "not trusting" your phone is a very binary threat model. I don't think many tech-savvy people would say they fully trust their Android phone vendor. But you can count on the vendor's self interest to some extent, and basic competence in managing the risk to their reputation.

FB's special manufacturer's API included access to some of your friends' data, in some cases even when they had refused permission for it to be shared, so the concern is not merely with data that would have been on your device in some form.

What bothers me is that they don't allow me to download this data from Facebook's half assed takeout tool for experiment my Facebook data.

Do I have access to my friends contact information they choose to share with me? No? Why does the BlackBerry app have permissions that I (in data export) don't?

It’s pretty negligent to sell or give access to a company, someone else’s personal data with a handshake and wink that they won’t turn around and do nefarious shit with it.

So while you’re right, it’s also just kinda shitty and probably illegal or at the very least unethical.

My current employer has to maintain records on what their customers do with the product after the sale; they're a chemical supply company and it's a federal law.

Yes, but your current employer doesn't turn around and sell that info to any medium-to-high bidder. They also have a well defined and legitimate reason to use such data.

I have a hard time imagining Huawei siphoning data via MITM without someone noticing odd traffic and thoroughly nuking their PR.

This is different.

This isn't about apps putting buttons on devices or people trusting device manufacturers. FB has lied about how and when data gets disclosed, has intentionally not respected the privacy controls that users' set, and lied to Congress about the subject.

If this is an accurate tl;dr, then shouldn't facebook be liable for even allowing Huawei phones to access facebook at all even over 3rd party browsers? Any information going through any Chinese manufactured device might as well be at risk. All it takes is the Chinese government saying "hey Huawei, add a keylogger if you see the phone is activated on a US carrier".

I'm trying to say facebook shouldn't be responsible.

I think the "the data was supposed to be stored on the phone" thing is a little misleading.

I've never owned a Huawei phone, butwhen I looked at my Motorola phone five years ago[1], I found that it was getting Facebook data via a proxy service that Motorola had set up. This was probably partly as an abstraction layer, but do you really think no one in their marketing (or similar) department thought "as long as that data about their FB contacts is passing through our systems, maybe we should analyze it in some way"?

Even if they weren't explicitly collecting it, it probably ended up cached on their servers somewhere, and it was typically sent over plaintext HTTP (even though FB supported HTTPS), so someone else could have easily collected it too.

I've looked at a lot of mobile apps, and I don't think what Motorola was doing was at all unusual, but again, I haven't done a comprehensive analysis of other vendors.

I do agree that the vendor could always configure the phone to explicitly upload anything to them even if something like the FB APIs were accessed directly, but IMO that seems less likely than siphoning off the data as it passes through their middleware.

[1] https://www.beneaththewaves.net/Projects/Motorola_Is_Listeni...

So the basis of your argument is that you posit that device manufacturers are wiretapping their customers phones en masse (committing a felony)... but somehow this is a story about Facebook?

Huawei does not have "strong ties to the Chinese government." There is absolutely no concrete evidence that Huawei of such a relationship. Please stop spreading propaganda.

Are you serious? At this point we have to assume that every single Chinese company has strong ties to the Chinese government. Even if it doesn't have strong ties today, if Xi wants there to be strong ties, they will be there tomorrow.

It's frightening that this is downvoted so quickly - Xi has exactly this sort of unfettered power and more.

If we follow that thought it would seem to me it is the same in the US. I'm not saying it is okay for others to do it because the US does it too, but cleaning ones own house really should come before pointing fingers.

Are you saying the two governments are equivalent, particularly in limitations on power?

Is their management in China? If so couldn’t one argue that they are under the complete control of the Chinese government ?

Ah, I see, simply being headquartered in China is enough to make them an arm of the Chinese government.

That's some powerful projection. I mean, unlike the case with Huawei, there is extensive hard evidence of American telecom companies deliberately compromising their hardware to facilitate American spying. We know that the American government routinely intercepts American telecom equipment and compromises it [1]. We know that the NSA seems to conveniently have plenty of zero-days into Cisco hardware [2]. We know that all American ISPs and all major American technology companies provide the NSA with direct feeds for all their communication [3, 4].

So, it actually would be fair to say that all American technology and communication companies are under the complete control of the US government.

But the strange thing is that despite numerous investigations by multiple intelligence agencies and NGO nobody has ever found any of the millions of devices Huawei exports each year to be compromised. But the less evidence that's found the more Americans insist Huawei's technology can't be trusted. There's never any evidence provided and, remarkably, nobody even claims to have evidence that they conveniently can't disclose. There's just a series of directives and pronouncements by the government and the media that obviously Huawei is an arm of the Chinese government until everybody -- well, at least all the Americans -- believe it.

The moral of this story is that (1) like the accusations against Facebook, the accusations against Huawei are without merit [5] (2) the greatest threat to people's privacy and the integrity of global communication networks is and always has been the US government and (3) the American media will never, ever speak the truth about this simple fact until they are forced to by leaks.

But please, continue to freak out about Facebook and Huawei. It's clear

[1] https://www.theguardian.com/books/2014/may/12/glenn-greenwal...

[2] https://arstechnica.com/information-technology/2016/08/cisco...

[3] https://www.nytimes.com/2015/08/16/us/politics/att-helped-ns..., https://www.thedailybeast.com/why-verizon-is-happy-to-help-o...

[4] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

[5] Note here that unlike the US government Facebook has never, ever been caught doing anything illegal. While one can argue they over generously share data with firms like Cambridge Analytica etc. there's nothing remotely illegal about this thanks to America's extremely weak privacy laws. The reality is there are many, many companies doing far worse than Facebook but they're not based in SV so nobody cares.

> But the strange thing is that despite numerous investigations by multiple intelligence agencies and NGO nobody has ever found any of the millions of devices Huawei exports each year to be compromised.

Do you recall the backdoor that was placed in over 700 million android handsets of Huawei and ZTE? I'm pretty sure that should be considered to be a compromise. The phones sniffed SMS message content, contact lists, call logs, location data and other personal user information and automatically sent that info every 72 hours. The software could also remotely install and update applications on the phones.

> Note here that unlike the US government Facebook has never, ever been caught doing anything illegal.

You were doing great...

Just because they haven't been punished, doesn't mean nobody is aware.

> never, ever been caught doing anything illegal. While one can argue they over generously share data with firms like Cambridge Analytica etc. there's nothing remotely illegal about this thanks to America's extremely weak privacy laws.

.. illegal in America. It's still unclear whether they've been involved in breaking pre-GDPR data protection law or even UK electoral law.

Huwei’s founder was an officer in the People’s Liberation Army and is party member. That alone isn’t exactly “strong ties” but I also agree with the other commenters’s points.

I'm in the camp that this anger at Facebook is largely misdirected, even though I'm very privacy-oriented. It's very interesting seeing nontechnical reactions to this news.

As technical users, we all know that every layer of software down to the hardware potentially has access to the data flowing on top of it. If you're running X browser on Y operating system on Z device and you log in to Facebook, you've just trusted X, Y, and Z with your FB username, password, and data. (An API works the same.)

But nontechnical users are just now realizing this as privacy and data security become hot. They're lashing out at Facebook, but I think the scrutiny absolutely should be leveled at the software and hardware vendors. People should be asking phone companies: why can I trust your phone enough to type my facebook username/password into it?

An ideal outcome would be a huge push toward open source (and also toward free software), but that's probably too optimistic.

> An ideal outcome would be a huge push toward open source (and also toward free software), but that's probably too optimistic.

Realistic outcome will be, unfortunately, companies playing all kinds of tricks to manage the perceived safety of their brand, combined with further locking down hardware and software stacks to reduce the attack surface.

>As technical users, we all know that every layer of software down to the hardware potentially has access to the data flowing on top of it.

Yeah, but that's a double sided sword. We're the only ones that have had to internalize the idea that incidental access to data will trying to monetize it as much as possible.

In the real world, there are huge expectation that incidental access to something _isn't_ license to do whatever you want with it. The standards of behavior everyone adheres to are almost always narrower than what the law allows. Regular people don't expect others to suddenly become the must ruthless motherfuckers possible just "because computers."

>An ideal outcome would be a huge push toward open source (and also toward free software)

how much does open source improve security? (And does it at all?) In my experience nobody reads the source code before executing it. Maybe the situation is different for big project with many users. On the other hand for example smart contracts (which are open source) had security issues several times in the past which were discovered too late.

I read the source code of programs I use often, mostly for learning purposes. The first thing I do when I want to evaluate the security of a program I don't trust is look at the system calls it performs, especially those related to I/O.

Since I don't need to reverse engineer binaries, open source code allows me to spot malicious code much faster. More importantly, it allows me to more easily remove that code from the program.

The rate of vulnerabilities caused by honest mistakes is probably the same.

Yeah, everybody is going to start reading the entire source code of the apps they use.

There's still a benefit even if only a small amount of people read it, because they can call it out. You don't go to the production areas of packaged food you buy to make sure you know they're not making any mistakes/pumping sawdust into the food, but you trust that because everyone else is buying it and no one is getting sick that there's a fair chance you won't either.

You broke your analogy a bit there. You don't go to the production areas of packaged food companies because you assume that others are doing so - specifically, state regulators. It's not that no one is obviously getting sick - they might be getting sick in subtle ways they can't pin on the food, like long term heavy metal poisoning, in the same way that malicious software can be very quiet about it.

That's a good point. It's not a 1-1 analogy, but I think the overall principle applies. If it's open source, more people can regulate it, as opposed to less.

Oh no, it's a fine analogy! I just thought you muddled it a little at the end with the 'no one getting sick' part. It's important that source code be available for the same reason that food preparation not be done behind locked doors with secret ingredients - not so much so that everyone can see for themselves, but so that someone can, and raise the alarm for the rest of us if anything is amiss.

The 'getting sick' part actually works too - it's important to be able to review the process precisely because it's not always immediately obvious if something is wrong.

> In my experience nobody reads the source code before executing it

It's not so much that people need to read the source code before executing it as it is about the code being auditable by any third party, with or without permission.

>In my experience nobody reads the source code before executing it

Joe Schmo isn't going to be auditing it, actual security researchers are. Heartbleed was only discovered because some research firm was auditing random open source software. Imagine how long the exploit would have gone unnoticed in a closed source application. Now imagine if said exploits were intentionally added and used by the software authors since day 1.

You definitely have some good points, but I think there are good responses. (1) It doesn't have to be perfect to be better. (2) You don't need everyone to read the source code, just a few people. (3) Open-source not only makes it technically harder to do malicious things to users. It also (hopefully) improves the incentives.

Non-technical users read the hitjob published by the NYT yesterday and just assume Facebook lies and continue on their lives with absolutely zero understanding of the OSI model.

This argument is repeated so often today that it seems like the latest FB talking point. It's whataboutism yet again - who cares if someone else is doing wrong? 'There are other rapists too' is not an accepted plea in court. The argument also is disingenuous for several other reasons:

First, [EDIT: this point has many flaws and is too complex to state succinctly, so I'm pulling it]

Much more importantly: The problem isn't who I need to trust, it's that Facebook is deliberately capturing and distributing large quantities of user data, and in addition they are giving it to some exceptionally unsavory people that are doing great harm to the world, including damaging the foundations of democracy and civil society.

Finally, it's disingenuous because few other companies have the power and data of Facebook. Why does Facebook get more attention than other violators? Is that a serious question?

EDIT: And finally finally, the argument overlooks the fact that security is defense in depth. Just because some other component isn't secure doesn't mean you shouldn't secure this one.

Hi forapurpose. I don't want to minimize the problems with Facebook and its practices around data. On the contrary I'm quite critical and skeptical of them. However, right now I'm trying to get to the bottom of this particular issue which has just come up in the news.

This issue seems to be about particular APIs that Facebook gave to certain partners. As I understand it, the partners don't get any data until a user gives them their username and password, for instance by typing it into that third party's app.

Now in my opinion, if a user is already trusting that third party with their entire Facebook account, then everything else is a secondary issue. It is primarily a trust relationship that the user themself has established with that third party.

Again, I'm just focusing on this issue at hand. I'm not saying this is a more important issue than Facebook's general data practices or anything like that.

>security is defense in depth

You misunderstand what this means. This refers to the need to have multiple layers of security, such that if one fails, the others will continue to protect you. If you have two doors to your house, there is little point in putting more locks on the front door when everyone knows you leave your back door unlocked.

> If you have two doors to your house, there is little point in putting more locks on the front door when everyone knows you leave your back door unlocked.

I'm familiar with this reasoning and formerly used it myself, but now I see it differently. You need to secure both doors; if you're the front door designer, 'the back door isn't secure either' is a poor excuse for not doing your job and it's counterproductive in securing the house.

Who do you refer to with this?

>and in addition they are giving it to some exceptionally unsavory people that are doing great harm to the world, including damaging the foundations of democracy and civil society.

The US government? NSA? Big Business? China? All of them?

> First, if my application encrypts something, such as if my browser encrypts traffic, then the layers beneath it cannot access the data (without intentionally hacking the application).

If your browser is running on an operating system when it applies the encryption, then yes, you are indeed trusting that OS.

This. Many security systems protect you laterally and from layers above you. Layers below can still be vulnerable (e.g. non-standard openSSL library in the exception case, keyloggers in kernel space, etc)

This article and the nyt one are almost completly bullshit.

They do not understand the difference between "apps" on phones that integrate with Facebook for sharing purposes, and "facebook apps" like the quiz crap that Cambridge analytica abused.

There IS the potential that your phone OS vendor used the FB API access and your credentials to steal your data, but does anyone seriously think apple or blackberry did such a thing?

This whole thing is insane. You might as well accuse Google, Apple, Mozilla, and Microsoft of stealing users data because you use their browsers to access facebook.

> There IS the potential that your phone OS vendor used the FB API access and your credentials to steal your data, but does anyone seriously think apple or blackberry did such a thing?

Huawei, Xiaomi, and others are a risk for this.

True, and if they wanted to steal all of your data they could do so with rootkits and modified TLS libraries.

If device manufacturers are stealing users information, at what point are they held accountable instead of FB?

They are held accountable when FB doesn't help them do it

To be honest Google probably does intercept Facebook data given it is their biggest competitor and has a near identical view on user privacy

Please stop spreading FUD. This isn't reddit.

If the intelligence agencies want the info you’re saying these companies could refuse? No

There wasn't much substance to the New York Times's report, and as an outsider, Facebook's official reply--corroborated by Tim Cook's statement about Apple's actual use of the reported APIs--seems perfectly reasonable to me.

But dogpiling on Facebook is popular right now, whether it's deserved (Cambridge Analytica) or not (this), so the actual facts of the matter will be secondary when politicians evaluate whether to hop on the bandwagon.

The issue of whether what Facebook did was reasonable is orthogonal to the issue of whether Facebook/Zuckerberg lied to Congress about it. In this situation it seems that they may have done something reasonable and yet still lied about it. The problem is the latter.

Well it looks like a lie and smells like a lie if these device manufacturers got these info deals from Facebook. It means that the user doesn’t have complete control. This of course hinges on what we mean by complete control. I imagine Zuckerberg is going to become a major campaign donor now going forward... if he isn’t already. I’d expect Facebook lobbying efforts to intensify as well.

I just don't see any evidence of a "lie" in the New York Times article. And if I add my Facebook account to iOS, of course I realize that I'm trusting Apple in that scenario.

This whole controversy feels manufactured.

The irony in that Facebook shares data with Chinese companies despite Facebook being blocked in China.


The nuances for what a "3rd party entity" vs a "3rd party app" represents in Facebook is really what's at hand here. Anyone who spent time in Facebook developer platform knows this.

NYT's watered down article for the lowest denominator and maximum clicks (imo) vs Facebook's way too technical explanation for the maximum PR defense. None of this is going to help US/EU/World lawmakers understand the permission scope that was set in Graph API for hardware vendors.

It will take anyone with an HTTP listener Charles, Burp, Cycript whatever your choice... 5 minutes to see where and how the access token was used.

If only we were discussing the data and HTTP requests and not the way reporters and PR play with words to fit their agendas.

> None of this is going to help US/EU/World lawmakers understand the permission scope that was set in Graph API for hardware vendors.

> It will take anyone with an HTTP listener Charles, Burp, Cycript whatever your choice... 5 minutes to see where and how the access token was used.

If you know these things, would you please share with us?

You have to set up any of those apps and use the provided proxy in your browser. Now when you visit some site you can take a look at which site is using the token saved by fb in your last visit. That is the gist of it.

Earlier today people are Hacker News were talking about if Mark Zuckerberg committed treason due to the data-sharing with the Chinese (as well as the creepy fact that he offered to name his first born after the supreme leader of China).

Looks like it won’t be a good week for him.

Not to be overly pedantic here, but Zuck didn't offer to name his child after the Xi Jinping, but asked him to help provide a chinese name for his child [1]. To give some context, in Chinese culture, asking a family member or a close friend to advise on the naming of a child is normal. While Xi Jinping is far from either, keep in mind that he was asking for a Chinese name, which for all intents and purposes can be thought of as a secondary name and thus isn't as significant of a request. On the flip side, my father's (who is Chinese American) Chinese co-workers have approached him to help give their children english names.

[1] https://www.independent.co.uk/news/people/china-s-president-...

> To give some context, in Chinese culture, asking a family member or a close friend to advise on the naming of a child is normal.

In all cultures.

To the downvoters: In all cultures happens and is considered normal, that doesn't mean everybody does it. I'm glad your family/circle of friends has a different tradition. This just means that when someone does it no one finds it weird. What is weird, is asking the president of another country for advice. That is weird in all cultures.

In my experience that's not the case for American culture.

Quite the opposite, people tend not to divulge the chosen name until after s/he has arrived as it's less likely anyone will react in a way that might cause them to rethink their choice.

In some cultures names of children are determined algorithmically. If the first born male child is expected to be named after the father's father, it would not be normal to ask for advice on a name.

Is that Zuck cuddling up to the leader of a totalitarian government, or is that standard etiquette for anyone who meets the President of China? It sure comes off as creepy, but if it's a necessary formality of dealit with a powerful tyrant, so be it. Certainly doesn't win Zuck any cred with the anti-globsist-One World-government folks who'd rather not see oligarchs and tyrants working together to oppress the masses.

You go meet the leader of China.

Your wife is Chinese and you have a baby on the way.

This invokes some topical conversation and builds rapport so you say, in jest and without any real intent to follow through, "We're still thinking about names. We have an idea for English but not Chinese. Mr. President, would you like to perhaps suggest a Chinese name?".

Attendees and translators smile, the ice breaks a little more, and they move on to something more substantial.


It's lighthearted throwaway banter. Watch, or attend, a meeting of world leaders or business execs...generic blah-blah proceeds all meetings.

Pedantic, but worth being pedantic about:

Treason is one of the only crimes defined in the Constitution, and consists solely of making war on the country or assisting an enemy of the country in doing so. The definition doesn't use the word "rival". China isn't an enemy of the US. You can't commit treason by assisting China in any way short of actually declaring war on the US.

People should use the word "treason" a lot less than they do online.

> and consists solely of making war on the country or assisting an enemy of the country in doing so


"Whoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere, is guilty of treason"

It doesn't seem like "adhere to their enemies" is quite as restrictive as "assist their enemies to make war on the them"?

A declaration of war, or state of open warfare, must exist if the charge is to be based on assisting a foreign power.

The most favored trading partner of your country is an odd place to start when you are looking to label anyone who helps them a traitor.

What's strange to me is that Zuck isn't the only person who works for Facebook, and Facebook isn't the only company that works in the NSAdtech market. Hopefully he's not just the ablative heat shield.

> What's strange to me is that Zuck isn't the only person who works for Facebook

But the only person to have majority of votes (more than 60%) in the company. If Zuckerberg doesn't like the responsibility which comes along with being the majority owner of the company, he should change the structure to 1 vote per share. But he won't.

If your boss tells you to do something illegal, he could have 100% of voting shares and you would still get in trouble. If Zuckerberg's directives haven't been illegal than nobody stands to get in any trouble at all. The only case where Zuckerberg stands alone as the only person in trouble would be if he gets in trouble for lying about doing the thing instead of getting in trouble for the actual thing. That's an "ablative heat shield" solution because it may appear to the public that something has been done, while in reality the disincentive and the thing people want to stop are totally unrelated.

Why hopefully? It seems appropriate the CEO and owner takes liabilty for his company.

It’s not like he’ll face any real consequences. CEOs get easily payable fines, not prison time.

It would be unfortunate to have a Skreli situation where we just randomly take out the one with the most punchable face rather than dealing with the structural issues that have created a whole industry doing what he was doing.

Shkreli was by no measure a dominant player in anything other than the tiny niche he exploited for a short time.

Sure, he just had the most punchable face.

Shkreli messed up by continually taunting US law enforcement. He probably wouldn't have had the book thrown at him if he wasn't constantly talking about how great it was to be an evil capitalist, and instead gave the mealy-mouthed platitudes that every other CEO of pharma companies does.

Yep, he's the poster boy for "play stupid games, win stupid prizes."

That's an odd definition of "random."

I think his point is that more than him should feel consequences, not just the slap on the wrist for the CEO.

Fine percentage of revenue, then. I don’t see how going after individuals would disincentivise the system unless they go after a significant percentage of the organization. Otherwise there’s no point to penalizing people at all—it’s just outrage theater.

> NSAdtech I can’t tell if this is an NSA pun or if it’s an Apple API.

Ablative meat shield?

This seems like a political attack on Facebook. Willful ignorance of technical reality on HN... no wonder lawmakers are claiming Zuckerberg lies.

Facebook functionality ran on a phone using source code not written by Facebook. Anyone who equates that with Cambridge Analytica simply has an axe to grind with FB.

If a device manufacturer wants to betray the trust of their users and siphon data off the phone, they can surely do that in any case, and it’s not even hard to do seeing as how they own the network stack.

Can you think of any other codebase which is used to provide Facebook functionality on our devices using special APIs? Chrome. Mozilla. Safari.

If we can’t distinguish between a user agent and a 3rd party app having access to a Facebook API then I don’t see how this is debating in good faith.

We are taking about the device manufacturers embedding social functionality into the operating system. They also write the rest of the OS you know, if you don’t trust them to render your friend feed then I have bad news for you about your SMS, call history, location data, not to mention you’re carrying around a microphone they can access at any time...

You're trying to argue technicalities that most people not only don't understand, but don't care about. The key question is: Did facebook give information about you to other people without your control?

You're basically arguing that yes they did, but it's okay because of the way they did it. Facebook is responsible for communicating that nuance, and they failed to do so. They offered an absolute, and whether they were lying or not, what Zuck said was not accurate.

In this instance it’s quite clear to me that Facebook did not give information about anyone to anyone except to the user who was viewing their own feed.

Would you claim that Facebook is giving information about me to my monitor manufacturer because their pixels are being used to display the information to my eyes?

Would you claim Facebook is giving my information the the people who wrote the code to implement the TLS stack?

Would you claim Facebook is giving my information to Apple because they developed iOS? Or to Chrome because they wrote my browser?

The fundamental archichture of our computing devices is not a technicality. If you equate the fact that our software works using abstraction layers to achieve desired effects with Facebook leaking your information to every layer of software that lives below it, it can only be because you are either grossly misinformed about how software actually works or you are blinded by hatred of Facebook.

You know what, here’s another good analogy. The software which powers the voice calls I make on my iPhone is written by Apple, and one layer below that, Qualcomm. The voice call is only made possible by special APIs provided by my service provider (AT&T) codified through 3GPP. This is like claiming AT&T should be liable for improperly sharing my voice comms with Apple and Qualcomm simply because they helped write the software which allows the call to be made.

Could Apple and Qualcomm be taping my calls? Surely they could be. And if they were, I sure as hell would be angry, but not at AT&T. And if AT&T testified that they had not given my call data to Apple and Qualcomm, they would not have been lying.

The NYT took a Facebook user agent rendering a friend feed, intercepted the network messages, and then gasped, “Look, see, Facebook is sending all your friend information to Blackberry,” as if this was some great conspiracy. Good grief.

>They also write the rest of the OS you know, if you don’t trust them to render your friend feed then I have bad news for you about your SMS, call history, location data, not to mention you’re carrying around a microphone they can access at any time

This bad news is what people need to hear, but most importantly understand.

How much death/destruction did it take for people to realize it's very important to wear restraints while driving the automobile?

How much death/destruction will it take for users to understand the risks of centrally aggregating the most detailed psychological profiles in history on 2,000,000,000+ people?

Mark has lied consistently, and in public, since at least 2005. My first post on Hacker News was a warning. It's a shame no one listened.



Um... downvoters should read these submissions. This guy isn’t a troll, he’s Aaron Greenspan, the creator of Facebook’s predecessor, code for which seems magically to have appeared in FB. There was a settlement: https://en.m.wikipedia.org/wiki/Criticism_of_Facebook#Aaron_...

I downvoted because the comment just doesn't seem like a good comment. Here are some HN guidelines I feel it breaks or comes close to breaking:

  - Avoid unrelated controversies and generic tangents.
  - When disagreeing, please reply to the argument instead of calling names.
  - Be civil. Don't say things you wouldn't say face-to-face. Don't be snarky.
  - Please don't post shallow dismissals, especially of other people's work.
Though Aaron, given the history I do understand why you'd have strong feelings about Zuck's integrity.

(of course, I'm also breaking this guideline in my own comment! Please don't comment about the voting on comments. It never does any good, and it makes boring reading.)

Lying in public seems pretty relevant to an article about lying to Congress.

He didn't call anyone a name, he mentioned specific actions: namely, lying.

I obviously can't speak to whether he'd say these things face to face, but you can't either. It sure seems like he made a good faith effort to raise his concerns, though.

The articles he linked to are well reasoned and anything but shallow. Your argument, on the other hand, seems like a pretty shallow dismissal.

Love this:

"Meanwhile, a good part of the world has re-aligned itself around the increasingly idiotic and sociopathic whims of your former friend, who has settled comfortably into the life of a billionaire capitalist tyrant."


Aaron, do you have more info in terms of Mark lying?

Your downvoted comment appears to be victim to some kind of coordinated and orchestrated artificial pro-facebook narrative I am seeing throughout this thread. Thank you for your 2005 warning.

Thanks Aaron. You make a compelling case.

I know it's a tangent, but I have trouble assigning any significance to this after the James Clapper thing. If he can lie to Congress with impunity, about things that are clearly within Congressional purview, then why should anyone else worry about such things?

James Clapper doesn't lie on the record. He constructs his statements so carefully that he isn't technically lying, but actually saying something completely different than what you think he is.

The issue here is that Congress is too weak to call him out on it. Clapper started playing this game years ago, and now others are emulating him, to great effect.

I am glad Apple is taking proactive steps in Safari to block tracking and fingerprinting by social platforms. It's a disease and needs to be dealt with. Thanks Apple.

I can't believe I have to say this, but here is a Google Cache mirror for Europeans: http://webcache.googleusercontent.com/search?q=cache:http://...

So. Much. Irony.

He absolutely lied to Congress and it was obvious from the get go. I'm sure he will apologize and nothing will happen.

The privacy discussion is misguided.

I don't care how much you make facebook, google et al promise not to "abuse" its users data.

What I care about is educating people so that they choose software and companies that respect them.

We should stop treating users & citizens as complete morons who need daddy state to take care of them.

> We should stop treating users & citizens as complete morons who need daddy state to take care of them.

We're treating them as intelligent human beings who can't possibly master knowledge of all the technology, confidentiality, and its implications in a world of analytics and adtech. Even I can only imagine some of it.

Should we educate users to choose safe anesthesia and surgical techniques? To choose proper exotic financial instruments? I think we should require doctors to provide safe anesthesia, Wall Street to provide safe investments, and anyone handling user data to provide confidentiality and end-user control.

Doesn't this all depend on how often you would be using that knowledge? Average computer literacy is horrendous and we use them every day. These devices are used for everything and becoming more and more integral to society.

Surgical techniques and how to handle exotic financial instruments are specialist topics that are useful in extremely niche situations. In those situations you will speak to someone who is knowledgeable on them.

The problem is that the companies that profit from harvesting user data (Microsoft, Facebook, Google, Amazon) also have a huge influence on what users see, and thus, public opinion. Unfortunately, they also have huge lobbyist budgets, so I don't think relying on the state is a good option either.

I'm not sure anything will change until someone with money starts caring. The world needs another Mark Shuttleworth.

America needs to redefine literacy and replace these obsolete lawmakers with lawmakers who are coding literate. This is not at all unlike a group of illiterate lawmakers speculating about what a book they cannot read says after interviewing its author.

"...and the data mostly remained on phones that accessed it. "


"Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism."

At least they aren't pretending to comply with the GPDR yet blatantly violating it, for example by making it difficult or impossible not to opt-in.

Google cache seems to be the easiest method to view it:


Weirdly I assume then accessing via google cache does comply with the GDPR (otherwise they could of course block google via robots.txt).

From memory, google cache still fetches assets from the original site (and I think also triggers Javascript?) so it's possible this is kind of moot?

Guess the issue is similar, if I access from Europe via a US proxy. I'd assume those accesses are still covered by the GDPR, but it's not clear to me. Anybody know?

You are breaking a US law - CFAA. Which could be an interested showdown CFAA vs GDPR.

How is CFAA being broken here?

I think the joke here is that some people argue that usage not permitted by the terms of services is a criminal offense under the cfaa

I don't agree with this interpretation but I think cfaa is unsalvageable nonetheless. I demand a full repeal!

Wow, not only this bypasses the GDPR wall but the experience is much cleaner. Thanks.

Is outline.com legal?

Running the Chrome extension on your own device? Yep that's OK. But republishing full articles on the web accessible to all - no chance. They have a DMCA link at the bottom to "excuse" themselves.

What if you use a Chrome extension to train a ML model to format the article, then publish that model back to the web? At least it would allow users to remove ads and other cruft from articles.

In what country?

as legal as Google Cache, probably.

Google Cache respects paywalls and robots.txt, it seems Outline does not.

So, the fragmentation of the internet has begun...

Begun? Surely you remember Youtube region locking videos. Or companies that don't offer their services (or have different) outside of their region opening international sites that have different content in different regions.

This is nothing new.

Even worse, and more surprising and alarming, a few weeks ago the Humble Bundle was selling region-locked EBOOKS! Someone explain that one for me, please. This means I wanted to buy a bundle of sci-fi books -- that's buy, not read for free -- and all of the most interesting books (old classics, by the way) were "not available in your region".

edit: a clarification: the ebooks themselves don't have DRM, but Humble Bundle will refuse to sell them to you if you're in whatever region they (or the publishers) don't want to support at the time.

Say what now?

And did Humble Bundle support fix your issue?

Man, I remember when a major Humble Bundle selling point was being DRM free...

If it's like previous times I've seen this, the ebooks themselves will still be DRM-free, HB just won't sell some of them to you i.e. they won't be included in the bundle you get.

Yes, thanks for clarifying. This is still tremendously disappointing. They show you the books in the bundle, but refuse to sell them to you. I wonder how this is a thing. It certainly lowered my faith in the Humble Bundle.

I'm sure it's a distribution rights issue - probably someone who didn't want to deal with Humble Bundle owns the book rights in those regions. As a non-American I see it all the time with media.

I'm sure it is too, but IMO Humble Bundle should refuse to carry books with those restrictions.

I explained myself badly. It's like commenter mrec said: it's not that the ebook itself has DRM, but that they won't sell it to you, with the message "unavailable in your region". Very disappointing.

So it's not negative that right after we stopped doing it with videos, we are doing it with everything? I'm European. I just want to use the Internet, all of it; please, EU, leave me alone, I can handle my data by myself more than well enough.

Then go ahead and allow the companies to use your data. No one stops you. And leave the rest of us alone.

I'm unable to access this website. I can't let them use my data, GDPR is stopping me because compliance is apparently too expensive for this site. I don't have any option to click on a "I don't want any GDPR-provided 'rights'" button or e.g. sending such header with my requests.

AFAIK, the GDPR explicitly makes it illegal for a company to operate on a “pay with your data” basis. So no, they can’t.

How so? The users just have to give their consent for it.

Because you can't have access to the service conditional on the consent.

So are we going to lose access to Google and most other services? Because they are effectively "pay with your data"

If gdpr had its way, then yes, you would probably lose access to google and pretty much the rest of the web. Right now, most companies are skirting around the law though so we will have to wait and see the real effects once the lawsuits start settling.

Previously you've had to use the likes of tor to reach the dark net, now, I guess, non EU IP is enough. Same divided internet, only the boundary is moved.

Well, we had piracy in the 90s, and if some greedy CEO wants to support a revival of that tradition..

Why would a news magazine website do this? Is it their ads that violate GDPR?

To completely block EU users to me at least implies greater degrees of data collection.

Why? Many other news websites simply force you to opt-in, which is illegal. It seems ad analytics are vitally important to their business model.

It's not though, they can still sell subscriptions and show ads without violating user's privacy.

> they can still sell subscriptions and show ads without violating user's privacy

At risk of going off topic, there are two issues at play. One, respecting users' privacy. And two, complying with GDPR. The former does not always mean the latter.

And even if one complies with GDPR, having material over which GDPR applies could result in frivolous complaints and costly regulatory interactions. It is reasonable for a newspaper with a mostly non-Europe to spend resources on other priorities.

But they still have the data of European residents. So merely blocking access to EU residents hasn't done much to lessen their GDPR liability, unless they've cleaned all their data.

From what I have read about GDPR here, the intent matters. By blocking EU ip addresses, they have shown their intent to not service the EU and therefore are exempt from GDPR.

> they still have the data of European residents

Source? Ensuring the permanent deletion of certain data, once, is easier than implementing an a new and complicated compliance regime.

There is no source needed that is a result of jurisdictions and national sovereignty

If China passed a law saying you must now delete all references to Tiananmen Square if you have nothing to expoae yourself to their legal jurisdiction you can keep it and literally tell them to get bent.

This is what I don't understand. Why did the LA Times add the IP filter in the first place? Why do they care if they get sued and/or fined by a foreign country? Let the EU block their IPs or DNS themselves if they feel like it.

To make money advertising to EU users, most advertisers probably have some EU presence, hence the ad network would too. Thus, the ad network might require their users to be GPDR-compliant.

But I certainly don’t know how much that effects their income and I doubt you do too. Maybe it’s not worth it without the tracking.

Because they don't have the technical knowledge to ensure compliance with 88 pages of mandates, maybe? If you violate GDPR you will be fined by the EU even if you do not exist in the EU.

It's funny that they have the technical knowledge to implement tracking (or outsource it to another company), but they don't have the technical knowledge to comply with GDPR (or outsource it to another company).

But why would a news website per se need to collect or process user's personal data? If you don't, you don't have to care about GDPR at all.

Um, to sell more profitable ads.

They probably feel that the non-targeted ad revenue they would make from EU customers would not be worth the server costs, costs to comply with the law, and potential fine costs (risk).

Maybe or it could be that they don't have a data compliance officer, which is mandated by the GDPR. Or it could be that they just don't know what the issues are and have no clue how to get compliant. IP addresses are protected data and make you a data controller if you have log files.

The point is that if you are exercising the law to it's maximum extent then it is next to impossible not to collect personal data, even if you have no intention to.

For example, some hosting providers in Europe now automatically disable webserver logs unless the customer explicitly activates them to make sure they don't accidentally collect user data.

Now you might say, well if you run your own virtual server where you control all the services and know for a fact that no personal information is collected you won't run into that problem. But then you might still collide with the law because some network monitoring of the hosting provider might store connection logs. And it is on you to make sure that the companies you use for your business are compliant with the GPDR. You even need to have a contract with every single one of them with which you instruct them to process your users data and that they have to comply with the GPDR when doing so.

And even if you think everything you are doing is correct there are still some law firms that try to extort money from you by claiming some violation. In Germany this game of cat and mouse has already begun (and I don't mean the well known cases against Google, Facebook et. al)

> extort money from you

This isn't the US. You can't sue for GDPR non compliance, only complain to the authorities

I'm looking forward to seing the first non-EU company (that has no EU offices) fined by the EU and the middle finger that will ensue.


Yep, me too (France).

How long until HN needs a GPDR link, like the web one?


Latimes still hasn't sorted it's shit and blocked your friends from across the ocean. Can you guys post a plaintext of the article here?

More than a week after the GDPR (and two years after it has been announced), the LA Times still can't serve its content to EU viewers. Can we add a "GDPR" link near the web one, or drop the kind of website that act like this?

I have to wonder what questionable things LA Times are doing, if the only way they can comply with GDPR is to block an entire continent from reading news articles on their site.

Both left and right news organizations seem to want to blast Zuckerberg. That makes me like him more, a nerdy comp sci guy who changed how everyone communicates has political ambitions? SHUT IT DOWN


"Sure" and "looks like" are in the same sentence. What does that mean?

"It definitely appears to be the case that..."

Imagine Zuckerberg in jail...?

In the event that it even becomes a possibility, I'm sure we'd hear the affluenza-oriented, "embarrassment is punishment enough" canard.

same day the Equifax guys go to jail

Imagine as president which is a lot more likely :-)

Oh I hope not. It's going to be worse than Trump.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact