Take the Facebook app that Huawei built using their special API access to offer Facebook on their devices. Their implementation was supposed to store the Facebook data locally on the phone. Of course, there’s a concern here that Huawei, a company with strong ties to the Chinese government, could still be siphoning Facebook data off the phone despite that breaking their agreement with Facebook.
But if you don’t trust the device manufacturer and their operating system, what does it matter? If Facebook existed solely as a mobile web app on the phones or as a Facebook Inc produced app, you still have to trust Huawei to not be siphoning off that data. If you don’t trust Huawei, you’re at risk regardless of whoever made the software you use on their phones.
(The device manufacturer FB implementations that stored data on non-FB servers are a different situation though...)
Cambridge Analytica downloaded data? The API worked as expected and people should have been smarter to not share data.
Facebook has special APIs for phone manufacturers? The API works as expected and people shouldn't buy phones from the manufacturers they don't trust.
But, here's the thing - FB shouldn't have allowed this at all. In one part, security is about making things harder for people to break in. Currently, manufacturers can use the official API to siphon off data to non-FB servers. Sure, manufacturers could run some kind of MITM attack to achieve something similar. But having an official API is a strict no.
You're literally hosting your life on it. You should indeed not do this.
What if instead of it being a secret, it was a big button with “upload photo to Facebook” on it?
If Facebook outsourced the implementation of that button for each different type of camera to the respective camera manufacturers, rather than implementing it themselves, would that change it from a non-problem to a problem?
And then fb should tell you about unusual accesses to your account unless the phone vendor is also your Telco and extremely careful.
In OSes you can theoretically attack any app, but it is a pain to even debug them with different versions, changes to their custom storage formats, etc. Unless they build an ABI, document which parts are stable and give it to you.
Once the manufacturer goes outside the licensed API and uses your credentials to do more than Facebook allows, it commits an actual crime against you in most jurisdictions.
My bet: no criminal cases. Facebook charging less than 50k for violation of an API contract on data that isn't theirs, if numbers are disclosed. No standing for users except in a class action that gets $5 or less on a new phone or $2 or less as a check.
With the API, presumably there's an auth token that is only stored on your device. Facebook should also be able to detect unusual access with an auth token. Really, the auth token makes it easier to detect funny business than a username/password.
Apple is a pretty good actor in this regard though, and they're clearly betting a lot on markets to realize the attractiveness of that.
> This is why Right to Repair legislation has become necessary, for example.
I'm not sure I see how a "bad" actor (maybe like Apple) in terms of the Right to Repair is relevant in the context of trusting device manufacturers. If anything I think Apple's (somewhat self-serving albeit not completely detached from reality) argument would be, and has been e.g. https://news.ycombinator.com/item?id=11047359, that their control of device repairs and servicing decreases the risk of malicious software or hardware components being installed.
FWIW I'm partially in the same boat: I like Apple the company and I'm happy for everyone that likes and uses their products but I'm kind of incompatible myself.
People shouldn't put their pictures, and relationship status, and whom they know, and what they think, and where they go, and what they talk in private about, to a private company's service that they don't trust.
Oh, except for, they do.
A large part of GDPR's value is killing these misleading practices by exposing them.
Who are you talking about that in one breath say they don't trust Facebook and in the next go and put their data on their servers?
Is this a trick question?
Facebook's error was in believing that anyone outside Facebook could be trusted to author an app. I expected they know better now.
However, it's high time for Facebook to face intense regulatory scrutiny. Mark has been unfair to us for quite a while, so I'm going to yawn if he complains when the tables are turned. If FB gets broken up or its profits get reduced, Mark can replace his tear stained clothing with one of the identical replacements from the infinitely deep closet his billions constitute.
What a huge statement you’ve buried here and then glossed over. This is the crux of everything, of course. I don’t agree with this statement, but hey, at the end everything comes down to this one notion.
Now we're seeing that it didn't require any baked-in compromise in the hardware, firmware, or Android distribution. It's available via API.
I would like, at least, for a thief to have to put some effort into it.
There is no window to break. My phone can take the key and send it to the phone manufacturer who can then get into my safe deposit box whenever they want. The only way having an API makes this easier is that the manufacturer's Facebook app is more obscure than the browser, but the manufacturer's browser can just as easily steal keys, and it's no more or less illegal.
Whereas if the manufacturer backdoors the browser of the phone to steal or siphon data from Facebook users, Facebook's only fault is creating the unnecessary data hazard itself (which is merely irresponsible instead of illegal in the US).
However, that doesn't mean they'll actually legislate anything with teeth, depending on other factors like lobbying etc. Pharma is a great example of this -- universally hated industry at the moment, lots of lobbying power at the moment, and probably lots of people lobbying against them (this is speculation, but I imagine the American hospital association and AHIA probably are endorsing the drug pricing = cause of US high healthcare spend narrative). Strong bipartisan political opposition to an industry + strong lobbying by the defending industry = political actions that are all bark and no bite.
"Trusting" or "not trusting" your phone is a very binary threat model. I don't think many tech-savvy people would say they fully trust their Android phone vendor. But you can count on the vendor's self interest to some extent, and basic competence in managing the risk to their reputation.
Do I have access to my friends' contact information they choose to share with me? No? Why does the BlackBerry app have permissions that I (in data export) don't?
So while you’re right, it’s also just kinda shitty and probably illegal or at the very least unethical.
This is different.
I'm trying to say facebook shouldn't be responsible.
I've never owned a Huawei phone, but when I looked at my Motorola phone five years ago, I found that it was getting Facebook data via a proxy service that Motorola had set up. This was probably partly as an abstraction layer, but do you really think no one in their marketing (or similar) department thought "as long as that data about their FB contacts is passing through our systems, maybe we should analyze it in some way"?
Even if they weren't explicitly collecting it, it probably ended up cached on their servers somewhere, and it was typically sent over plaintext HTTP (even though FB supported HTTPS), so someone else could have easily collected it too.
I've looked at a lot of mobile apps, and I don't think what Motorola was doing was at all unusual, but again, I haven't done a comprehensive analysis of other vendors.
I do agree that the vendor could always configure the phone to explicitly upload anything to them even if something like the FB APIs were accessed directly, but IMO that seems less likely than siphoning off the data as it passes through their middleware.
That's some powerful projection. I mean, unlike the case with Huawei, there is extensive hard evidence of American telecom companies deliberately compromising their hardware to facilitate American spying. We know that the American government routinely intercepts American telecom equipment and compromises it. We know that the NSA seems to conveniently have plenty of zero-days into Cisco hardware. We know that all American ISPs and all major American technology companies provide the NSA with direct feeds for all their communication [3, 4].
So, it actually would be fair to say that all American technology and communication companies are under the complete control of the US government.
But the strange thing is that despite numerous investigations by multiple intelligence agencies and NGO nobody has ever found any of the millions of devices Huawei exports each year to be compromised. But the less evidence that's found the more Americans insist Huawei's technology can't be trusted. There's never any evidence provided and, remarkably, nobody even claims to have evidence that they conveniently can't disclose. There's just a series of directives and pronouncements by the government and the media that obviously Huawei is an arm of the Chinese government until everybody -- well, at least all the Americans -- believe it.
The moral of this story is that (1) like the accusations against Facebook, the accusations against Huawei are without merit (2) the greatest threat to people's privacy and the integrity of global communication networks is and always has been the US government and (3) the American media will never, ever speak the truth about this simple fact until they are forced to by leaks.
But please, continue to freak out about Facebook and Huawei. It's clear
 https://www.nytimes.com/2015/08/16/us/politics/att-helped-ns..., https://www.thedailybeast.com/why-verizon-is-happy-to-help-o...
 Note here that unlike the US government Facebook has never, ever been caught doing anything illegal. While one can argue they over generously share data with firms like Cambridge Analytica etc. there's nothing remotely illegal about this thanks to America's extremely weak privacy laws. The reality is there are many, many companies doing far worse than Facebook but they're not based in SV so nobody cares.
Do you recall the backdoor that was placed in over 700 million android handsets of Huawei and ZTE? I'm pretty sure that should be considered to be a compromise. The phones sniffed SMS message content, contact lists, call logs, location data and other personal user information and automatically sent that info every 72 hours. The software could also remotely install and update applications on the phones.
You were doing great...
Just because they haven't been punished, doesn't mean nobody is aware.
.. illegal in America. It's still unclear whether they've been involved in breaking pre-GDPR data protection law or even UK electoral law.
As technical users, we all know that every layer of software down to the hardware potentially has access to the data flowing on top of it. If you're running X browser on Y operating system on Z device and you log in to Facebook, you've just trusted X, Y, and Z with your FB username, password, and data. (An API works the same.)
But nontechnical users are just now realizing this as privacy and data security become hot. They're lashing out at Facebook, but I think the scrutiny absolutely should be leveled at the software and hardware vendors. People should be asking phone companies: why can I trust your phone enough to type my facebook username/password into it?
An ideal outcome would be a huge push toward open source (and also toward free software), but that's probably too optimistic.
Realistic outcome will be, unfortunately, companies playing all kinds of tricks to manage the perceived safety of their brand, combined with further locking down hardware and software stacks to reduce the attack surface.
Yeah, but that's a double sided sword. We're the only ones that have had to internalize the idea that incidental access to data will trying to monetize it as much as possible.
In the real world, there is a huge expectation that incidental access to something _isn't_ license to do whatever you want with it. The standards of behavior everyone adheres to are almost always narrower than what the law allows. Regular people don't expect others to suddenly become the most ruthless motherfuckers possible just "because computers."
How much does open source improve security? (And does it at all?) In my experience nobody reads the source code before executing it. Maybe the situation is different for big projects with many users. On the other hand, for example, smart contracts (which are open source) had security issues several times in the past which were discovered too late.
Since I don't need to reverse engineer binaries, open source code allows me to spot malicious code much faster. More importantly, it allows me to more easily remove that code from the program.
The rate of vulnerabilities caused by honest mistakes is probably the same.
The 'getting sick' part actually works too - it's important to be able to review the process precisely because it's not always immediately obvious if something is wrong.
It's not so much that people need to read the source code before executing it as it is about the code being auditable by any third party, with or without permission.
Joe Schmo isn't going to be auditing it, actual security researchers are. Heartbleed was only discovered because some research firm was auditing random open source software. Imagine how long the exploit would have gone unnoticed in a closed source application. Now imagine if said exploits were intentionally added and used by the software authors since day 1.
First, [EDIT: this point has many flaws and is too complex to state succinctly, so I'm pulling it]
Much more importantly: The problem isn't who I need to trust, it's that Facebook is deliberately capturing and distributing large quantities of user data, and in addition they are giving it to some exceptionally unsavory people that are doing great harm to the world, including damaging the foundations of democracy and civil society.
Finally, it's disingenuous because few other companies have the power and data of Facebook. Why does Facebook get more attention than other violators? Is that a serious question?
EDIT: And finally finally, the argument overlooks the fact that security is defense in depth. Just because some other component isn't secure doesn't mean you shouldn't secure this one.
This issue seems to be about particular APIs that Facebook gave to certain partners. As I understand it, the partners don't get any data until a user gives them their username and password, for instance by typing it into that third party's app.
Now in my opinion, if a user is already trusting that third party with their entire Facebook account, then everything else is a secondary issue. It is primarily a trust relationship that the user themself has established with that third party.
Again, I'm just focusing on this issue at hand. I'm not saying this is a more important issue than Facebook's general data practices or anything like that.
You misunderstand what this means. This refers to the need to have multiple layers of security, such that if one fails, the others will continue to protect you. If you have two doors to your house, there is little point in putting more locks on the front door when everyone knows you leave your back door unlocked.
I'm familiar with this reasoning and formerly used it myself, but now I see it differently. You need to secure both doors; if you're the front door designer, 'the back door isn't secure either' is a poor excuse for not doing your job and it's counterproductive in securing the house.
> and in addition they are giving it to some exceptionally unsavory people that are doing great harm to the world, including damaging the foundations of democracy and civil society.
The US government? NSA? Big Business? China? All of them?
If your browser is running on an operating system when it applies the encryption, then yes, you are indeed trusting that OS.
They do not understand the difference between "apps" on phones that integrate with Facebook for sharing purposes, and "facebook apps" like the quiz crap that Cambridge analytica abused.
There IS the potential that your phone OS vendor used the FB API access and your credentials to steal your data, but does anyone seriously think apple or blackberry did such a thing?
This whole thing is insane. You might as well accuse Google, Apple, Mozilla, and Microsoft of stealing users data because you use their browsers to access facebook.
Huawei, Xiaomi, and others are a risk for this.
If device manufacturers are stealing users information, at what point are they held accountable instead of FB?
But dogpiling on Facebook is popular right now, whether it's deserved (Cambridge Analytica) or not (this), so the actual facts of the matter will be secondary when politicians evaluate whether to hop on the bandwagon.
This whole controversy feels manufactured.
NYT's watered down article for the lowest denominator and maximum clicks (imo) vs Facebook's way too technical explanation for the maximum PR defense. None of this is going to help US/EU/World lawmakers understand the permission scope that was set in Graph API for hardware vendors.
It will take anyone with an HTTP listener Charles, Burp, Cycript whatever your choice... 5 minutes to see where and how the access token was used.
If only we were discussing the data and HTTP requests and not the way reporters and PR play with words to fit their agendas.
> It will take anyone with an HTTP listener Charles, Burp, Cycript whatever your choice... 5 minutes to see where and how the access token was used.
If you know these things, would you please share with us?
Looks like it won’t be a good week for him.
In all cultures.
To the downvoters: In all cultures it happens and is considered normal; that doesn't mean everybody does it. I'm glad your family/circle of friends has a different tradition. This just means that when someone does it no one finds it weird. What is weird is asking the president of another country for advice. That is weird in all cultures.
Quite the opposite, people tend not to divulge the chosen name until after s/he has arrived as it's less likely anyone will react in a way that might cause them to rethink their choice.
Your wife is Chinese and you have a baby on the way.
This invokes some topical conversation and builds rapport so you say, in jest and without any real intent to follow through, "We're still thinking about names. We have an idea for English but not Chinese. Mr. President, would you like to perhaps suggest a Chinese name?".
Attendees and translators smile, the ice breaks a little more, and they move on to something more substantial.
It's lighthearted throwaway banter. Watch, or attend, a meeting of world leaders or business execs... generic blah-blah precedes all meetings.
Treason is one of the only crimes defined in the Constitution, and consists solely of making war on the country or assisting an enemy of the country in doing so. The definition doesn't use the word "rival". China isn't an enemy of the US. You can't commit treason by assisting China in any way short of actually declaring war on the US.
People should use the word "treason" a lot less than they do online.
"Whoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere, is guilty of treason"
It doesn't seem like "adhere to their enemies" is quite as restrictive as "assist their enemies to make war on them"?
But the only person to have majority of votes (more than 60%) in the company. If Zuckerberg doesn't like the responsibility which comes along with being the majority owner of the company, he should change the structure to 1 vote per share. But he won't.
It’s not like he’ll face any real consequences. CEOs get easily payable fines, not prison time.
Facebook functionality ran on a phone using source code not written by Facebook. Anyone who equates that with Cambridge Analytica simply has an axe to grind with FB.
If a device manufacturer wants to betray the trust of their users and siphon data off the phone, they can surely do that in any case, and it’s not even hard to do seeing as how they own the network stack.
Can you think of any other codebase which is used to provide Facebook functionality on our devices using special APIs? Chrome. Mozilla. Safari.
If we can’t distinguish between a user agent and a 3rd party app having access to a Facebook API then I don’t see how this is debating in good faith.
We are talking about the device manufacturers embedding social functionality into the operating system. They also write the rest of the OS you know, if you don’t trust them to render your friend feed then I have bad news for you about your SMS, call history, location data, not to mention you’re carrying around a microphone they can access at any time...
You're basically arguing that yes they did, but it's okay because of the way they did it. Facebook is responsible for communicating that nuance, and they failed to do so. They offered an absolute, and whether they were lying or not, what Zuck said was not accurate.
Would you claim that Facebook is giving information about me to my monitor manufacturer because their pixels are being used to display the information to my eyes?
Would you claim Facebook is giving my information to the people who wrote the code to implement the TLS stack?
Would you claim Facebook is giving my information to Apple because they developed iOS? Or to Chrome because they wrote my browser?
The fundamental architecture of our computing devices is not a technicality. If you equate the fact that our software works using abstraction layers to achieve desired effects with Facebook leaking your information to every layer of software that lives below it, it can only be because you are either grossly misinformed about how software actually works or you are blinded by hatred of Facebook.
You know what, here’s another good analogy. The software which powers the voice calls I make on my iPhone is written by Apple, and one layer below that, Qualcomm. The voice call is only made possible by special APIs provided by my service provider (AT&T) codified through 3GPP. This is like claiming AT&T should be liable for improperly sharing my voice comms with Apple and Qualcomm simply because they helped write the software which allows the call to be made.
Could Apple and Qualcomm be taping my calls? Surely they could be. And if they were, I sure as hell would be angry, but not at AT&T. And if AT&T testified that they had not given my call data to Apple and Qualcomm, they would not have been lying.
The NYT took a Facebook user agent rendering a friend feed, intercepted the network messages, and then gasped, “Look, see, Facebook is sending all your friend information to Blackberry,” as if this was some great conspiracy. Good grief.
This bad news is what people need to hear, but most importantly understand.
How much death/destruction did it take for people to realize it's very important to wear restraints while driving the automobile?
How much death/destruction will it take for users to understand the risks of centrally aggregating the most detailed psychological profiles in history on 2,000,000,000+ people?
- Avoid unrelated controversies and generic tangents.
- When disagreeing, please reply to the argument instead of calling names.
- Be civil. Don't say things you wouldn't say face-to-face. Don't be snarky.
- Please don't post shallow dismissals, especially of other people's work.
(of course, I'm also breaking this guideline in my own comment! Please don't comment about the voting on comments. It never does any good, and it makes boring reading.)
He didn't call anyone a name, he mentioned specific actions: namely, lying.
I obviously can't speak to whether he'd say these things face to face, but you can't either. It sure seems like he made a good faith effort to raise his concerns, though.
The articles he linked to are well reasoned and anything but shallow. Your argument, on the other hand, seems like a pretty shallow dismissal.
"Meanwhile, a good part of the world has re-aligned itself around the increasingly idiotic and sociopathic whims of your former friend, who has settled comfortably into the life of a billionaire capitalist tyrant."
The issue here is that Congress is too weak to call him out on it. Clapper started playing this game years ago, and now others are emulating him, to great effect.
I don't care how much you make facebook, google et al promise not to "abuse" its users data.
What I care about is educating people so that they choose software and companies that respect them.
We should stop treating users & citizens as complete morons who need daddy state to take care of them.
We're treating them as intelligent human beings who can't possibly master knowledge of all the technology, confidentiality, and its implications in a world of analytics and adtech. Even I can only imagine some of it.
Should we educate users to choose safe anesthesia and surgical techniques? To choose proper exotic financial instruments? I think we should require doctors to provide safe anesthesia, Wall Street to provide safe investments, and anyone handling user data to provide confidentiality and end-user control.
Surgical techniques and how to handle exotic financial instruments are specialist topics that are useful in extremely niche situations. In those situations you will speak to someone who is knowledgeable on them.
I'm not sure anything will change until someone with money starts caring. The world needs another Mark Shuttleworth.
Google cache seems to be the easiest method to view it:
Guess the issue is similar, if I access from Europe via a US proxy. I'd assume those accesses are still covered by the GDPR, but it's not clear to me. Anybody know?
I don't agree with this interpretation but I think CFAA is unsalvageable nonetheless. I demand a full repeal!
This is nothing new.
edit: a clarification: the ebooks themselves don't have DRM, but Humble Bundle will refuse to sell them to you if you're in whatever region they (or the publishers) don't want to support at the time.
And did Humble Bundle support fix your issue?
Man, I remember when a major Humble Bundle selling point was being DRM free...
At risk of going off topic, there are two issues at play. One, respecting users' privacy. And two, complying with GDPR. The former does not always mean the latter.
And even if one complies with GDPR, having material over which GDPR applies could result in frivolous complaints and costly regulatory interactions. It is reasonable for a newspaper with a mostly non-Europe to spend resources on other priorities.
Source? Ensuring the permanent deletion of certain data, once, is easier than implementing a new and complicated compliance regime.
If China passed a law saying you must now delete all references to Tiananmen Square if you have nothing to expose yourself to their legal jurisdiction you can keep it and literally tell them to get bent.
They probably feel that the non-targeted ad revenue they would make from EU customers would not be worth the server costs, costs to comply with the law, and potential fine costs (risk).
For example, some hosting providers in Europe now automatically disable webserver logs unless the customer explicitly activates them to make sure they don't accidentally collect user data.
Now you might say, well if you run your own virtual server where you control all the services and know for a fact that no personal information is collected you won't run into that problem. But then you might still collide with the law because some network monitoring of the hosting provider might store connection logs. And it is on you to make sure that the companies you use for your business are compliant with the GDPR. You even need to have a contract with every single one of them with which you instruct them to process your users' data and that they have to comply with the GDPR when doing so.
And even if you think everything you are doing is correct there are still some law firms that try to extort money from you by claiming some violation. In Germany this game of cat and mouse has already begun (and I don't mean the well known cases against Google, Facebook et al.)
This isn't the US. You can't sue for GDPR non compliance, only complain to the authorities