Hacker News new | past | comments | ask | show | jobs | submit login
As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants (nytimes.com)
499 points by jumelles on Dec 19, 2018 | hide | past | favorite | 190 comments

“Among the revelations was that Facebook obtained data from multiple partners for a controversial friend-suggestion tool called “People You May Know.”

The feature, introduced in 2008, continues even though some Facebook users have objected to it, unsettled by its knowledge of their real-world relationships. Gizmodo and other news outlets have reported cases of the tool’s recommending friend connections between patients of the same psychiatrist, estranged family members, and a harasser and his victim.

Facebook, in turn, used contact lists from the partners, including Amazon, Yahoo and the Chinese company Huawei — which has been flagged as a security threat by American intelligence officials — to gain deeper insight into people’s relationships and suggest more connections, the records show.”

Well, that explains some of the conspiracy-mongering that was so rampant around this feature. Facebook (probably) wasn’t secretly recording your phone calls etc. They didn’t need to - they were getting streams of data from other partners.

“Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread”

Uhhhh, excuse me?

> Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread

There's a settlement out there for anyone with a Facebook account who was turned down for a loan by RBC. No chance RBC wants its dirty laundry aired in a Fair Housing suit.

Why would RBC even expose themselves to this liability? What was the point?

With every single one of these companies I am...baffled, that anyone thought this was a good idea, but in this situation especially it makes zero sense. All that liability for what possible upside?

I think this was intended to be a customer support channel and they had to be able to delete the messages containing bank info after a certain amount of time. I had read something about it, I don't think carte blanche access to users' messages was sought or given, it was just support conversations. I didn't use it so this is like my memory of 2nd hand info.

I used to work in Social Media customer support using a well known platform, in a large telecommunications company.

We could only access the private message history containing the conversations we had had with the individual, nothing else.

You think people care about their personal data, you should see what type of information they provide through private messaging platforms. Including through public posts, it's shocking.

Well, sure, there are always people that act against their own best objective interest but the case here is that Facebook is making a bad decision for them, and also not informing about it other than in broad, hard-to-grok language.

One reason would be that RBC was allowing people to send money from its app via Messenger - http://www.rbc.com/newsroom/news/2013/20131211-facebook.html

> Well, that explains some of the conspiracy-mongering that was so rampant around this feature. Facebook (probably) wasn’t secretly recording your phone calls etc. They didn’t need to - they were getting streams of data from other partners.

I really wish there was a law requiring real disclosure of such customer/user-data sharing agreements with enough detail to know what's actually happening. The disclosures should include things like schemas, example records, and reasonable names for data receiptients (e.g. Amazon Inc., not Sunshine Data Brokers II Inc., an unacknowledged subsidiary of Amazon).

There's no way to make an informed choice about using a particular service or dealing with a particular company without that.

GDPR makes a pretty good attempt at that.

RE: Royal Bank of Canada, their access to the Messages API was specifically to let people send money to their friends via Messenger through the RBC app.

In Canada, the only way method for P2P money transfer is through a system called Interac, which relies on email addresses. Using Facebook Login + Messenger was a big improvement since it's harder to accidentally send money to the wrong person.

One possibility would be that Facebook users were supposed to be able to read, write, and delete their own chat messages via custom chat clients built by Spotify, Netflix, and so on.

If so, the New York Times is throwing shade on Facebook basically for not being enough of a walled garden. I hope their journalists are not that confused?

They have been exactly that confused (or possibly intentionally deceptive) in the past. One of their previous articles pretended that Facebook, by giving users the ability to log in and interact with their friends via a built-in manufacturer app on their Huawei smartphones, was actually giving those friends' data to Huawei: https://www.nytimes.com/interactive/2018/06/03/technology/fa...

Yeah, I think nytimes is intentionally being misleading here. I don't doubt FB made some shady deals with the big tech companies, but it seems like they're conflating granting app permissions so that certain functions like sharing Spotify songs over Messenger work with granting access to all user data.

That would grant the app access to those permissions, not the companies.

Oh hey, would you look at that: https://www.theverge.com/2017/8/14/16143354/facebook-messeng...

I'm a bit worried that some journalists (and some readers) no longer care to make any distinction between an app having access for legitimate reasons that respect users' intentions and the whole company having access to do whatever they like. At least, they don't explain it well.

The distinction doesn't exist in practical terms. The company controls the behavior of the app; the fact that an app has access for legitimate reasons doesn't mean that any given use of the access was for legitimate reasons.

I don't think this article made the case that the access granted was unreasonable.

Mark my words. There is going to be an article that grossly misunderstands oauth and tells people that facebook, twitter, etc, are all giving access user information to third party's willy nilly and that there is an entire system widely used across the web for encouraging this sort of behavior.

> Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread.

At this point it’s hard to dispute that at Facebook “private” is synonymous with “public” for most practical purposes.

Shared under NDA with business relationships is not “public” for the common use of the term. Although I agree with your sentiment, your statement isn’t really accurate. Otherwise I would be able to read Spotify users’ facebook DMs, and I can’t.

You’re kidding, right? If I send a “private” message, but everybody from law enforcement to my bank has access to it, it’s not private. It’s public knowledge as far as any background checks or loan applications are concerned. By contrast, if my bank worked out a deal with Bell where they get to record my all phone conversations they would still be committing a felony in almost all jurisdictions, NDA or not. That’s a reasonable example of “private” communications.

You have a very good point, and in an ideal world that's what one would expect. Unfortunately our mindset has to change and we have to be way more suspicious on what companies do with our "private" data.

It’s public knowledge as far as any background checks or loan applications are concerned.

You give permission for those and the data accessed is often not public. There are degrees of privacy - what you're trying to do make up your own definition of 'public' and then have message board fights about it. It's not really a sensible position, let alone interesting conversation.

> There are degrees of privacy - what you're trying to do make up your own definition of 'public' and then have message board fights about it.

This is actually a fair criticism. I don't know why you're being downvoted for it.

> You give permission for those and the data accessed is often not public.

I'm not sure this was always the case with Facebook though. Let's say my friend John gives RBC access to his messages and I message him asking to loan me $50 because I'm struggling with money. Down the road if I apply for a loan from RBC they now have access to my "private" message, without my permission and can ostensibly then use that information when determining my creditworthiness. All without my knowledge or consent.

It's up for sale to commercial entities who pays up, and available to law enforcement with no legal expectation of privacy. That's public for the common use of the term.

I’m always puzzled by the need people have to try to dispel the notion that Facebook listens to ambient audio or conversations.

They are the bad guys. They didn’t need to steal Android phone logs either, but they did.

I don't understand why we're not allowed to be skeptical of accusations once the masses have decided that a company is evil. Aren't you at least curious about what they actually did and how they made decisions?

It's quite possible that, even at a company that has done some bad things, other things have a more innocent explanation.

I am, but they don't seem to be exactly keen to tell us that. They seem more interested in bunkering down and writing pre-made apologies for each thing the media discovers.

I just wish there was a way to figure out _why_ I'm getting some ads, to dispel that fear.

On Instagram last weekend I and a friend were shown a number of ads for Chandon sparking wine after I bought a bottle, and someone else at the party also did and we talked about it.

Both of us insist we didn't google sparkling wine, Chandon, or anything we think relevant... it really does on the face of it appear Facebook had listened to us.

Boy, if you think the amount of data FB sells is creepy, wait until you find out how much information your insurance provider sells, or your cell phone provider, or your credit card provider, or your health provider...

If you ever get in a car accident in the United States don't be surprised to get mail the very next day from accident insurance attorneys because you bet every service you use is selling every aspect of your life without your explicit knowledge or consent. Every time you use a credit card to purchase something that information is sold to a network larger than you can imagine, who will in turn sell it to their network. Your geographical location is sold by your cellphone provider whether you realize it or not and whether you think you have GPS tracking turned off. If you have a SIM card that's tied to you as an individual, it's being sold.

Here's just one example: https://www.washingtonpost.com/news/the-switch/wp/2018/06/19...

Notice how the keyword is "suspend"? I don't doubt that they've quietly resumed the practice. In fact, I bet all of these companies and service providers are overjoyed right now that the media is so focused on FB to care about all of the shady shit they're doing on a daily basis.

I'd rather not have any of my data shared, of course, but if I had to pick and choose between my health insurance being sold and versus what TV shows I liked on FB, I'll take the TV shows any day.

Is this reply meant to be for me? It doesn't seem specifically relevant.

Facebook isn't tapping your phones microphone 24/7. It's a nice little dystopian theory that's been disproven time and again.

A far more probable and less exciting explanation is that your credit card provider (or the store you bought the wine from) is selling your information and Facebook happens to be one of the buyers.

Furthermore, people grossly overestimate how unique they are. At any given point in time you're a target market for millions of products, you just don't notice the ads for the ones you don't buy. Just because there's a correlation doesn't mean you were singled out as an individual.

I think something shady was going on with the company formally known as Axciom:

"On May 14, 2014, Acxiom announced that it had acquired LiveRamp, a data onboarding company, for $310 million. LiveRamp was founded in 2011 as a spinout of RapLeaf, a marketing data and software company founded in San Francisco, California in 2005 by Auren Hoffman and Manish Shah.

In May[2017], LiveRamp announced a consortium formed with two other ad tech companies, AppNexus and MediaMath, to compete with Facebook and Google in the area of programmatic advertising, the term used to refer to the use of automation software to buy advertising.

In 2016, LiveRamp acquired two data and identity-matching startups, Arbor and Circulate, for more than $140 million combined. The company also announced the launch of IdentityLink, a method of anonymizing consumer's identities as they are tracked across multiple platforms.

In February 2018, Acxiom announced a reorganization from three divisions into two - a Marketing Solutions group and its LiveRamp business. In May, the company announced international expansion into Brazil, Netherlands and Italy, and released Global Data Navigator (GDN), a portal for identifying available data elements by country. In June 2018, Consumer research firm GfK MRI has partnered with Acxiom."


Well that's my point - however they're doing the targeting is so good as to be creepy and so I wish there was a way for me to force them to show me why I'm seeing a particular ad.

If you purchased the wine with a credit card then Facebook has the ability through agreements with other data providers/aggregators to connect it back to your Facebook, Instagram, etc account. Source: I know someone who is in biz dev at one of said companies and sells this type of “profile” data to Facebook and countless other companies. If you purchased with cash then sure does sound like they were somehow listening.

Hmm, I did. But her bottle was a leftover from a wedding several months ago (because we're connected on IG perhaps? Seems like quite the stretch though).

Also surely advertising the same wine I just bought to me is... dodgy ROI at best?

It'll remain a mystery forever.

At least wine is a consumable. Compare the thread on how Amazon will relentlessly advertise you the same refrigerator you just purchased.

So here's how it could have happened....

You may have brought it online in which case almost certainly there was a FB tracking pixel fired back from the e-commerce website to signal that you did. On the other hand if you bought from an offline store and swiped a loyalty card while doing so, your transaction might have been uploaded to create a custom audience. If you paid by your phone or have your loyalty app on your phone this becomes even easier - convenient offline to online matching is the only reason loyalty program apps are pushed.

Finally, even if you didn't do any if these and the other person did, if you both connected to the WiFi at the party and checked FB (or better still you added the other person as a friend), the shared IP address between your devices is enough of a signal to begin connectings.

this happened with a few co-workers. They got ads about things we spoke about at work and shared it with the group on slack. After nagging them about uninstalling FB for a while, the targeted ads scared some of them to finally uninstall the always listening FB spyware from their phone(s)

I once dropped my work laptop and snapped the plastic housing on the charger plug. I only discussed it verbally with my manager and said that I, as a consultant, would replace it at my own expense. Before I'd had chance to search for and price one up adverts for laptop chargers started following me around the web.

It could have been that she then searched for a charger and being a small company we all shared an external IP address, that we also shared the ads... or it could have been that spy software on my phone had sold our conversation to advertisers. Either way, mic privileges were locked down and ad and tracker blocking efforts doubled after that.

I don't think that's a fair suspicion when you shared the same IP address

"Facebook would like access to your contacts. Do you agree? YES no"

Address book import and triangle closing drives the most PYMK features across every social network. It's a gold mine, and that's why everything wants it.

> to read, write and delete users’ private messages

I wonder if the delete permission was by accident or whether these companies were actively deleting private messages - craziness.

Facebook's permissions scopes have never been that granular - if you get approved for a permission it's generally access to create, edit, view, and delete all in one.

(Citation needed)

It's a little hard to cite now - most of the user-level permissions are gone, or are behind a "This permission is restricted to a limited set of partners and usage requires prior approval by Facebook" restriction.

They've clamped down repeatedly on how much data comes out of the API - you used to get full info on friends, then just their names and IDs, then that list wound up filtered to just other friends who'd authorized the same app.

It used to be extremely wide-open.

It's not exactly nefarious to query friends of friends in the same geographical area. The problem is people willingly constructing a social graph without care for the consequences. G+ theoretically enabled this sort of isolation but in practice it is too much work to maintain separation. The only way to win is not to play at all.

> Gizmodo and other news outlets have reported cases of the tool’s recommending friend connections between patients of the same psychiatrist, estranged family members, and a harasser and his victim.

Geez, and I thought I was annoyed with mere former bosses showing up who I didn't part on good terms with

> Spotify, which could view messages of more than 70 million users a month, still offers the option to share music through Facebook Messenger.

Not sure why the others needed it

Spotify doesn’t need to read your DMs to let you message share links, either.

That's what that article had - on Googling it looks like Spotify makes suggestions in messenger when talking about music as well.


> The social network allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

> The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

The records the New York Times reviewed were "generated in 2017" and "some were still in effect this year." That means not only did these agreements cross through Facebook's representations to various governments, they also overlap with GDPR.

>> "they also overlap with GDPR"

Both Facebook and Google were hit with GDPR-related lawsuits since the first day of GDPR enforcement.

Companies are being sued left and right by privacy advocates and by "ambulance chasers".

Which is great IMO, I hope Facebook gets at least a big fine for this.

A big fine is nice. But until some high-level executives go to jail, they will do it over and over again. A fine is just an operational cost.

I guess this sort of defeats the purpose of switching from Google search to Bing over privacy concerns.

I've been using DuckDuckGo as my default. I mostly only use google for news search now. No complaints.

duckduckgo works really well. For some topics google is better, but for 95% ddg do the job as a day to day standard search engine. And those times you need google, it is very simple just to add !g bang to get the google search results. With ddg you get better privacy and dont end up in googles filter bubble. More should try it out.

Does it still affect you if you don't connect your FB account? I wouldn't think so

Advertisers can still figure out how who you are without linking an account. It may take them slightly longer, but the information is out there.

Is THAT what the Bing goalposts were on the graphs? Tons and tons of fatal errors when they’d come calling. I don’t think they were getting much.

Looked like |______|.

Then one day, no more. So odd.

It is absolutely obscene how much of a breach of trust and decency these are.

Facebook still hasn't fully come clean because they knew they were doing unsavory activities and just wanted to not get caught and keep getting away with it.

If worse comes to worst, they can become a credit rating agency.

There should be a CFAA for personal information.

Slightly related: The Chinese government is already working on a social credit rating system using mass surveillance. I shudder to even imagine living in such a world.

They may merely be one step ahead.

I’m sure Zuck will offer a heartfelt apology.

Hopefully from Federal prison with a life sentence. Literally billions of times he and his execs, managers, and engineers have violated the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, Federal Wiretap Act, and more.

Facebook could be considered as a strategic military asset, as it is capable of quite accurately mapping people around the world. Relationships between people in Iran, same place same time, same IP, ghost profiles...

If you were the CIA, wouldn’t you work on protecting/ preventing such people from having a trial?

Of course it is. I agree with your comment. I also think FB is the work of secret services, from its inception to the present day. I've seen Zuck talk, and he doesn't strike me as a specially smart guy. But he's young and always smiling, shows enthusiasm and that's what people need. It's a nice cover.

If you don’t look at Facebook’s origin story this could almost be believable.

In [2011]


If you continue to post flamebait we will ban you again.

>How Zuck doesn't seem smart? Have you seen " the social network "

Because watching Zuckerberg played by someone else in a dramatized Hollywood film is a great way to tell if he is smart.

Watch Zuck testifying in Capital Hill and contrast it with "The Social Network", he really acts the same way everywhere.

The movie is correct potryal of his character.

You're saying that Jesse Eisenberg matching the mannerisms and manner of speaking is a good way to determine how smart Mark Zuckerberg is?


Personal attacks are not ok here, regardless of whom you're attacking. Maybe you don't owe better to reviled $billionaire but you owe much better to this community.

If you'd please read https://news.ycombinator.com/newsguidelines.html and use this site as intended from now on, we'd appreciate it.

> The infiltration of the ivy league by the CIA

What does this even mean? I can't imagine many more wasteful uses of government revenue than approaching dull undergraduates and coercing them into starting clandestine programs that prey on their peers.

That's where they recruit from.

How does that saying go?

"If you owe the bank a million dollars, the bank owns you. If you owe the bank a billion dollars, you own the bank."

> Hopefully from Federal prison with a life sentence. Literally billions of times he and his execs, managers, and engineers have violated the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, Federal Wiretap Act, and more.

Preferably multiple life sentences to ensure he can never get out or create another monstrosity like FB. Also get laws created/strengthened against such repeat abusers of people.

They'll go right in the same comfy cell as the Equifax execs. Oh wait...

10 DO heartfelt_apology GOTO 10

Zuckerberg isn't a robot - he's entitled, overconfident, and underappreciative of the depth or complexity of the world beyond his experience or the impact of his actions upon it. Further, he shows no hesitation in imposing his will on others despite those shortcomings, and is entrenched in his perspective and tactics rather than open to learning. More briefly - he's a jerk.

> The social network allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

> The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

This information contrasts with a statement Facebook provided in 2018, stating that such data sharing partnerships ended at the end of 2015. That statement itself was correcting an earlier statement stating that such access had ended even earlier.

From https://www.nbcnews.com/tech/tech-news/facebook-shared-user-...:

> Facebook shared personal information culled from its users' profiles with other companies after the date when executives have said the social network prevented third-party developers from gaining access to the data, the company confirmed Friday.

> The companies had access to the data during a stretch of time in 2015 after Facebook had locked out most developers who build apps that work on its social network. Facebook gave select "whitelisted" companies extensions before they were also blocked from getting its users' personal information.

> Those extensions expired before the end of 2015, Facebook said. The company believes the previously unreported extensions with a select group of companies is consistent with previous statements that Facebook CEO Mark Zuckerberg has made, including in testimony to Congress, about shielding its 2.2 billion users' personal information from third parties since 2015.

> "Any new 'deals', as the Journal describes them, involved people's ability to share their broader friends' lists — not their friends' private information like photos or interests," Ime Archibong, Facebook's vice president of product partnerships, said in a written statement.

A basic principle of PR is that you should trickle out good news, and get all the bad news out in one dump. Because when bad news trickles out, and the public reads a fresh bit of bad news every day, it does more damage.

One wonders at Facebook's very passive strategy here. They're not controlling the narrative at all, and we're reading a fresh bit of bad news almost every day.

Occam's Razor might suggest this interpretation:

Facebook is as bad or worse a company as its strongest critics suggest. There's not some dump of bad news, there's horrific practices everywhere you look, so every investigation uncovers more bad stuff since it's the norm for the company rather than the exception…

One possible explanation is that they are sitting on so much potential bad news it would be a disaster to release all at once.

A couple years ago Zuck was hinting at creating a privatized global government to compete with the U.N. I feel like a lot of the good stuff hasn’t even started coming out yet.

I don't think many of the employees at various levels understand the "bad news" part of this. Therefore, they can't plan appropriately.

I don't think it is intentional but rather a function of most employees being in a weird corporate "filter bubble" with extra strong cool-aid being served on the daily.

I know a couple Facebook employees. It is actually very disturbing to see at what length they go to cover and find excuses for each of those breaches. Not a lot of the them are taking a step back. Echo chamber...

Another tactic is to do this in the run-up to Christmas while everybody is preoccupied.

Whoa, my AI Motivator instagram just posted that https://www.instagram.com/p/BrjhQ5UAoTa/

I always wonder about the engineers at Facebook who implemented a feature like this. Someone like me, more or less. Did they stop to wonder why they were being told to bypass user privacy preferences? Did they raise any internal questions about ethics? Did any of them consider becoming a whistleblower? Or perhaps everyone who works for Facebook is convinced this kind of data sharing is OK?

I think it's easier to understand how this happens as an aggregate effect instead of "one engineer looked the other way".

As a hypothetical example:

- Some engineer implements the Like/Share buttons to push more users onto Facebook.

- Some engineer working on the ads product realizes that the Like button is a great Trojan horse to gather info about a user's browsing habits. Thinks of it in terms of analytics - "understanding who the users are." Harmless enough, but now we're over the ethical hurdle of collecting that data.

- Another engineer working on the ads product realizes that using this data to target ads could get advertisers to pay more for the same ads. Now you're just using data we already have, right?

- Facebook signs a bespoke advertising deal with some companies which includes access non-anonymous data. Facebook already collects and uses it and users sign it over in terms of service, so... what's the problem with using it in a way that's still advertising, just specific to some new partners?

None of the steps look that bad if you don't look too closely. No engineer had to think too hard about the specific ethical problems, but the aggregate effect is the travesty we have today. If any decision maker along this path stopped to really think about it and cared enough to stop it, this might not have happened, but market competition and general indifference meant nobody really took a long, hard look at this chain of events as it was happening.

Most likely why they aggressively hire college grads and keep the developer workforce young. I doubt they teach corporate ethics in any comp sci program.

> I doubt they teach corporate ethics in any comp sci program.

Actually, when I was in school, there actually was an extensive ethics module in one of the required courses, and I think it was required by an accreditation body or the ACM. It also felt like it was used to satisfy some kind of writing-intensive course requirement, since it consisted of banging out 10-page papers on various topics.

Neither the professors nor the students took it very seriously because everyone was more interested in technology, not philosophy. It felt like it only existed to check-off a checkbox.

Most of the young people getting hired by FAANG are grads from big name schools so they've most definitely taken one or two ethics courses.

I think we're just seeing 22 year olds' ethics are collapsing when they're given $150k/year straight out of school.

It's one thing to understand right from wrong. It's another thing entirely to expect a 22-year old, struggling to get on their feet, to look their boss or a VP in the eye and say "this is not ethical." You're asking them to risk everything: their job, their income, their reputation when they've only just begun.

That's a big ask even for someone who has taken hundreds of ethics courses.

I can only speak for Stanford when I was there, but almost every CS graduate took "Computers, Ethics and Public Policy" as it was the best way to satisfy the degree's "Technology in Society" requirement.

In talking to friends and coworkers it sounds like taking an ethics course was more common than not.

If someone in their 20s doesn't know much about ethics, then we're doing something wrong, as a society.

I'd imagine the issue is more that a recent graduate doesn't necessarily know when or how much to push back

It may also be futile to try to have a meaningful concept and practice of professional ethics without professional autonomy.

The ABA and AMA take a lot of heat here on HN and other libertarian-leaning forums, and some of it is deserved, since they clearly do engage in cartel-like behavior.

However, it is important to remember that they have established a set of laws and practices that give the members of the profession the ability to resist unethical commands from "superiors". For example, generally speaking, a non-lawyer can't own a law firm. Same for physicians. A lawyer must be licensed to practice, and that right can be revoked. A lawyer isn't allowed to say "my boss made me do it", but at the same time, a lawyer can't have a non-lawyer boss, and that boss can't legally go hire someone who isn't a lawyer (and isn't bound by a code of ethics) to do it instead.

I want to be clear that I'm aware that in reality, it doesn't come close to working out this neatly. But the conceptual framework, at least, is there.

I do think programmers are in an untenable position, when they are stripped of any professional strength but called on to resist unethical demands of clients and bosses. And yeah, I do mean stripped, not just denied. A large section of the programming workforce is employed under visa conditions where their employer controls their right to live and work in the US, as well as their position in a very long queue for a green card application. So we aren't just ordinary workers with no special protections but no special liabilities either, we are often a workforce that is particularly vulnerable and unable to push back against the orders of people who aren't ethical and aren't part of our "profession".

This! Knowing that "this is wrong" is only half the battle. Having the political pull to actually push back and have fellow engineers behind you is the other blade of the scissors necessary to actually cut any wrongdoing.

We have a word for "when everyone who pushes back against wrongdoing must go out on a limb and do it at tremendous personal expense": Gomorrah. (I mean, in the sense of wanton immorality, not the dubious sexual mores.)

Ethics, labour, and politics are intertwined. A single parent risks blacklisting and imploding a means of income, for example.

Markets regulate themselves to a profit driven “ethics” solution that reverberates.

ABET requires an ethics course to get a computer science degree.

The question to ask is rather, how much money is OK to remain silent. Unfortunately for the majority it’s not in the millions. Almost any big corporation does some activity that are not strictly in the ethical norms. To me, strict laws must be passed and people must be held accountable to really see a change.

I'd love to hear a Facebook critic rebut this thread re: the article:


What this seems to boil down to is a side channel for certain partners with looser technical controls but tighter monitoring of misuse, and no evidence that that tradeoff actually resulted in any misuse that couldn't have occurred through normal data access channels.

If you don’t trust Facebook to do the right thing, that thread is not much of a defense, since it just says they will police their partners.

It also sounds like access to certain APIs was much more limited than the NYT article implied:

> When you hear things like read/write access that access was only granted when the user gave permission. For example, if you share a Netflix link to messenger, the post is coming from Netflix.

> If you're sharing using messenger, you're able to search who you're sharing with through Netflix. If you then delete the message within Netflix, it would delete on Facebook. Very similar to using Tweetdeck for Twitter - same permissions

It's not a matter of whether I trust them. It's a matter of whether any misuse of data actually occurred, or whether this is a lot of innuendo with no evidence that any harm was, or even could be, done.

My surprise is not that Facebook did this, but that developers within Facebook built this privacy violating ecosystem without question or publicly voiced concern.

You guys sold your family and friends out for RSUs.

Question for the most of the people who read this who will still use fb/instagram/messenger all day, or even at all:

is there something so bad that fb could do that would get you to stop? If so, what is it? Where is your red line?

Or absent an alternative with fb's network effects, will you keep using their products regardless of the unseen costs you rack up?

I don't think FB has that many unseen costs.

I don't really care if FB sells my information to advertisers, so they can market products to me more effectively.

I don't care if FB co-operates with other companies in order to suggest friends to me.

FB adds a lot of value to my life (messaging & finding out about events).

What I truly dislike about FB is that it creates information bubbles, so people are never exposed to viewpoints outside of their own. Also FB doesn't regulate false information/alt-right propaganda enough.

Obviously, I would prefer if FB didn't sell my data, but at the end of the day it doesn't impact me at all.

That being said, if I ever become an important figure who is running a business that is competing with Facebook in some way, then I'll be sure not to use their service.

I can't think of any concrete red-line that Facebook could cross. I've never been a techno-utopian, and the Snowden leaks were the catalyst that drove me to learn programming.

I recall being in my early teens, when I went to create my (first) Facebook account. I mentioned it to my dad. He explicitly told me that whatever I did on Facebook would go to their servers, that whatever reached their servers was theirs, and that they would do whatever they wanted with that data regardless of whether you agreed to it or not. The whole reason I gave up and made an account was because my friends had already given the app their contact list, and the service already had my phone number.

From day one I've treated online services like amoral, dangerous animals, and so far nothing these organizations have done has especially shocked me, though I have been impressed or surprised on occasion. My mantra is generally 'if I or the NSA could imagine it, private industry will attempt it'.

I still get a lot of value out of my Facebook account. Facebook pages are a gateway to niche interest groups, social trends, and the political fringes that would otherwise be inaccessible to outsiders. Seeing the ads Facebook puts in my feed helps me to calibrate my mental model of how I'm being observed, who's sharing data with who, and how online services perceive me (I typically use ad-block, and only occasionally close it to check my ads).

If I want to contact someone I've only met in passing, keep up with family and political bubbles, or do a bit of background investigation, Facebook's there for me.

Accessing the service requires a bit of a faustian bargain. But by the time I joined, the country had already made it on my behalf, so I opted to reap the benefits of that bargain rather than just being social collateral.

Facebook could scare me off the way Google Search did - by sanitizing its content feed to the degree Google's sanitized its search. But I'd still use Messenger, and any other useful service they come up with.

But otherwise it'd have to become obsolete in the same way as MySpace.

what do you use for search, then?

For general queries, I use Searx.me. Occasionally I'll use Google if Searx is down, or I need technical information that I need search operators for.

For current events, I use Searx, Bing, Yandex, Yahoo, and Baidu (if I'm really digging). I don't trust any one provider on politically sensitive topics, and the the order/kinds of the results can occasionally carry as much signal as the the content of them.

I'm not conspiracy mongering, though. I merely think of search algorithms as extensions of the contexts in-which they're designed, and are more likely to represent the interests of their creators than my search for knowledge.

Trusting Bing, Yandex and Baidu for politically sensitive topics? Are you being sarcastic?

Hardly. I use multiple search engines specifically because I lack trust.

While I'm more than likely to take the papers of record at their words, I've known more than enough police officers, journalists, and armchair philosophers to know that consciously or not, individual biases can color the processing and presentation of information.

Details that may seem obvious or superfluous through one lens may not be to another.

Only by extracting perspectives and datapoints from each source I access, can I confidently say that I have a reasonable understanding of the progression of any given event, as well as the metanarratives surrounding it.

Depending on the topic at hand, omission from one search engine can be as damning as the inclusion of propaganda in another.

The obsession with reputability is why I abandoned Google. In narrowing the array of sources the search engine surfaced in the hopes of protecting the average user from misinformation, it narrowed access to fringe sources of knowledge, which although unreliable can be a goldmine of supplemental information.

Say what you will of Baidu and Yandex, if you know a bit about their nation's leadership and international policies, you can guess their biases and can guess how they'll adjust what you see. That's useful. American companies can be much less predictable.

Just so. Also, though the western spooks can probably see some of the encrypted traffic through to those companies, if you send it to google or bing, they can see all of it.

And yes, you should be afraid of western spooks if you live in a western country. I wouldn't have said that 10 years ago.

I am sorry, but you just seem to be trying to find truth by reading many different lies, this in my experience, almost never works. Still, good luck.

> Trusting Bing, Yandex and Baidu for politically sensitive topics? Are you being sarcastic?

“The central television’s family name is the party” - a real actual quote from an actual "media" organization:


Yep. I've never put any kind of personal information on FB aside from a profile picture and a name. My profile has otherwise been blank for the past 10 years. I've never liked any pages or products or left any meaningful comments that reveal anything of importance. Today, I block all of their ads and scripts (I haven't seen an ad on Facebook for the past 10 years). I've never shared my contact book as annoying as they make the popup in Instagram. Facebook has gained nothing from me directly. Others might argue they've gained more information than I could know from the people I choose to associate with, but I can't really control that.

Today, I use Facebook because it's useful for connecting with people I just met, long lost friends, and because Messenger is the most convenient messaging app out there. Instagram is a great app that I enjoy using and will continue to use (also anecdotal, but I've never seen an ad in Instagram either. I guess I must not follow enough people?)

Realistically, the only way I stop using FB's services is if they start charging for them. That's my personal red line, just because I'm too lazy to pay and I figure most of my friends will be, too, so they'll just move on to the next big thing.

My account is currently suspended, pending me uploading identification papers to prove I am who I say I am - this despite the fact that my account was originally verified against university records back in 2007 when it was only open to verified university graduates ...

It feels like a red line ... I'm mulling over various options including just letting it go.

It seems like a bad idea for them since I'm one of the few people I know in my circle of friends that's still active and posting ...

>will you keep using their products regardless of the unseen costs you rack up?

Honest answer: my purchasing/social network data is worth extremely little to me, so I don't care who has it. And I don't have a problem with advertising; I prefer to allocate responsibility to individuals for their own decisions, so if somebody is influenced by an advertisement, if anybody is to be faulted then it's themselves, not the advertisement/advertiser.

Start charging money.

That would be a good thing?

In all seriousness, if companies actually had to pay for your data, suddenly their business models would flip and you would find that we would go from being the products to being the customers.

“Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show.”

Wow...that’s scary

> With most of the partnerships, Mr. Satterfield said, the F.T.C. agreement did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself — service providers that allowed users to interact with their Facebook friends.

Wow, this seems like yet another contortion to get out of asking the user what they want.

Dude, we are all one, connected through the universe, don't harsh the buzz with your pesky permissions.

After reading facebooks response I am once again disappointed by the art of journalism we have to deal with these days :(

Turns out NYT either doesn’t understand the technical details or doesn’t want to


While I'm also disappointed by many news organizations / journalists these days, NYT is not one of them. In fact, they are one of the few newspapers that are keeping larger entities in check and doing their job by reporting them. I've been continually impressed by NYT, specifically, for its care in ensuring the highest level of integrity. Mistakes do happen and as far as I know, they've been pretty good about apologizing for them.

If it weren't for this linked article (much of which I learned a significant amount and was news to me), we wouldn't have had such a response from Facebook with further clarification on this topic. For example, did I know they were also passing my private messages to other entities? No. I also don't blame myself because they could've made it a lot more obvious that I was sharing such personal content with other third parties.

Journalists have a tough job, but they should be commended when bringing to light articles like this.

I was a big fan of the NYT. I’ve always considered them a trustworthy source of news.

However, their coverage of Facebook since the election has showed me how much bias there is in the media as well as how much an entity can serve their own agenda.

Unfortunately the truth behind these integrations are beyond what your average person can understand. Your average person doesn’t understand how OAuth and user consent / permissioning works. And so media can prey on the ignorance of people to spread fear, uncertainty and doubt. NYTimes comes off just as bad as Fox News.

I bet you none of the authors have ever implemented 3rd party auth. I doubt any engineers were consulted. Instead they quote so called “media experts” that are just professors at universities who again know nothing about the technical integration and how it works.

I’ve seen some people who understand how OAuth works but these are clearly engineers. NYTimes could’ve used the opportunity to explain how people gave consent but instead chooses a different narrative in order to 1) get page views; 2) attack an arguably competitor in the media space and 3) blame FB for getting Trump elected.

For me, the nytimes and the big media companies are the biggest disappointments. Smaller and local media companies tend to be far more reliable and trustworthy than large corporations. And integrity isn't a word I'd associate with the nytimes or any major corporation for that matter. They are greedy self-serving entities with their own agenda, like every business.

I do believe corporations like the NYTimes and facebook have accrued too much power and are corrupt and a destructive force in the country and the world. I think we need more competition in the traditional media and social media space.

For all the talk about monopolies in tech, we talk too little about the monopolies in news and media along with every other industry from agriculture to banking.

Also, Facebook is a symptom of a national ( or international ) economic system that applies to pretty much every major industry today. Too much consolidation and too little respect for privacy. Facebook is providing what every industry ( including the news industry ) wants. Information and data. And every industry is invading their own customers' privacy and selling data. Credit card and banks sell your data. The NYTimes sells your data ( after all they sell ads too ).

(A) The NYTimes cannot “sell your data” as Facebook does, because it just does not have that data.

(B) if you are alluding to their ads, then the local media you praise is just as guilty, and so is any other site financed by ads. They all just include whatever JS snippet the ad platforms give them.

(C) The rest of your comment is just repeated assertions that you don’t like the Times. It’s hard to take advise on newspapers seriously, when they come from someone who apparently has not read enough to pick up on the proper handling of spacing around parentheses.

(D) Are you making any claim that the story here contains (specific) inaccuracies? Are you accusing the Times of any specific facts being wholesale fabrications? Can you point to any instance of the Times publishing fabricated information? And please don’t use an example that’s old enough to drive, was discovered and disclosed by the Times itself, and resulted in career-ending firings of the reporter responsible.

Not sure what you're talking about, Facebook explicitly confirms what NYT writes???

>Did partners get access to messages? >Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.

Facebook is trying to spin it in a positive way ('you had to sign up first!!'), but nowhere did you agree that Spotify could read all of your messages.

If we carefully parse this, and suspend any usual assumption of good faith, this actually seems much worse:

> But people had to explicitly sign in to Facebook first to use a partner’s messaging feature.

This does not say you had to "explicitly sign in first for Spotify to get access". It says you had to sign in to use the feature enabled by Spotify already having access.

> After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app.

This says exactly the same, only using the Spotify example. It again dodges the question when data sharing started.

I hold the idea of assuming good faith in the highest regard. But a statement as important as this must have gone through several layers of lawyers with the finest combs available, right? To then so artfully miss answering the actual question... It would be quite a coincidence.

If indeed it is deliberate, OP of this thread falling for this artfully crafted admission of guilt should actually command some respect for the craftsmanship of their PR people, in a certain, ethically-challenged light. Although people ignorantly finding fault with everything the Times does may just be an easy mark for PR wordsmiths.

Edit: After perusing OP rock_hard’s history, I will have to once again break “assumption of good faith”, sorry. Almost literally all their posts are defending Facebook, or making accusations against Apple, Google, or the New York Times. I’ve often seen responsible disclosures of self-interest by, among others, people working at Google here. This is the first time I’ve seen a pattern this suggestive of the opposite.

The usual way these partnerships worked is that Facebook allowed partners to ask users to grant them more account access than ordinary Facebook apps were allowed - in the form of special partner-only Facebook app permissions that could only be obtained by approved apps. That is, it didn't bypass the normal need to request permission from the user, it just allowed them to request extra permissions. There's no reason to believe that the Spotify integration is any different. Even those leaked emails just talked about adding more permissions that companies could request.

I don't know on what planet that's supposed to be reassuring. They thought that sending FB messages within Spotify was such a whizbang feature that they gave Spotify unrestricted access to FB PMs? "But it's okay, they had to be signed in to FB"?

If they wanted to do this, couldn't they have done some plugin, where all interaction with FB features is within that plugin but inaccessible to to the broader app? Because otherwise, they have to effectively assume that this partner has gotten full access to the PMs. In crypto terms, a "total break" for that user.

I'm not even sure how this makes sense from a greedy megaglobocorp perspective. FB should be guarding that data tightly against other companies having it; their exclusive access is valuable.


I actually stumbled upon the following in their report:

“Internal documents obtained by The Times show that Facebook shared data with more than 150 companies — most of them tech businesses, but also automakers, media organizations (including The Times) and others.“

I think it takes an awful lot of motivated reasoning not to hold an organisation in the highest regard that freely works against its own interest, in the pursuit of its mission.

Also note that Facebook didn't even mention Yandex (Russian Search Engine).

This is spin by Facebook.

Remember in their last scandal, they denied using The Definers at first then weeks later admitted it.

I'm so glad I left that place. I always had concerns but I had no idea the greed and abuse of users was so entrenched. Working in infra you don't find out about this kind of stuff.

It's fine for sharing publicly-palatable things with friends and family members.

I wouldn't conduct anything on it that you'd care to keep secret, though.

> Facebook empowered Apple to hide from Facebook users all indicators that its devices were asking for data. Apple devices also had access to the contact numbers and calendar entries of people who had changed their account settings to disable all sharing, the records show.

> Apple officials said they were not aware that Facebook had granted its devices any special access. They added that any shared data remained on the devices and was not available to anyone other than the users.

Any more information about that? I would be curious to know if we have actual proofs about those statements.

That's referring to the Facebook integration in iOS. There were similar integrations for Flickr, Vimeo and Twitter as well. These have been removed as of iOS 11.

It would let you sync your contacts and add their Facebook profile pic to them, as well as post to Facebook using a system UI. Apparently this API gave Apple more permission than was needed for these features, but that Apple was unaware of it.


Whoa! This makes sense now.

"and gave Netflix and Spotify the ability to read Facebook users’ private messages"

When I watched 21 on Netflix, Facebook Messenger on my phone suggested to play blackjack, literally the hour after.

That's the reverse direction.

All of these were data sharing agreements, they were two way. Samsung, for example, had access to Facebook and also gave Facebook contact info

It was only a few weeks ago that people were arguing that it was anti-competitive for Facebook not to share data with other companies.

It’s about control. If it’s my data, I should be able to give permission for other apps to access it - regardless of whether Facebook views them as a competitor. Likewise, I should be able to block access for a given third party - regardless of how much money such a “partnership” would generate for Facebook.

So yes, it is anti-competitive for Facebook to block access against the explicit wishes of its users. But it’s also despicable to sell user data to whomever without asking permission first. It’s pretty obvious from Facebook’s actions that they consider it their data, not your data.

Opt in vs opt out, pretty clear distinction.

Intention is so central to judging actions in both the law and ethics generally, it’s bordering on willful ignorance to profess ignorance (recursion intended).

Why do people even speak to Zuckerberg about Facebook? Yes he is the CEO but he's also the Kellyanne Conway of Facebook pretty much.

> The New York Times interviewed more than 60 people, including former employees of Facebook and its partners, former government officials and privacy advocates.

> The Times also reviewed more than 270 pages of Facebook's internal documents and performed technical tests and analysis to monitor what information was being passed between Facebook and partner devices and websites.

Deleted my Facebook nearly 6 months back. Never missed it

Deleted my Instagram three weeks back because my feed was 1 ad for every 3 posts. Haven't missed it.

If I could only get rid of Whatsapp, I would never need to use anything from this awful company

Install Signal, tell your friends.

Although I tried getting one friend to switch today, didn't work because of network size. I'm afraid our only alternative is to organize all our really cool stuff on Signal and get 'em with FOMO.

I got my immediate family and the friends I care for (3?) to switch.

My family was easy. No pics of my daughter on any social network. "Y'all want pics? install Signal. If I catch you posting on FB, you're cut off"

Once mom installed Signal, the rest followed.

As to my friends, the ones I actually care for are privacy freaks like me - although they're not techies - and understood its importance.

It's never worked for me - the answer is always something along the lines of "oh no, I'd have to install another app, it's such a hassle".

If only there were some means for people to use whatever apps they liked and for these to communicate with each other.

I am worried about how much access was given to Palantir.

This sequence of exposes and revelations doesn't speak to Facebook's credibility. It would be one thing if it was just the incidents surrounding the 2016 elections, but the pattern in all these news reports seems to be that Facebook's design doesn't simply doesn't respect its users.

Too many features and plugins Facebook has seem to be leaky in some respect. Messanger does not use default end-to-end encryption for whatever mysterious reason. If Facebook owns the endpoints, it can just as easily obtain the data for themselves before encrypting and submitting the message if it were enabled anyway.

How could I have any faith Facebook doesn't collect messages intended to be sent in confidence if collecting them suits Facebook's purposes?

I'm not sure however if Facebook's sketchiness is intentional or not. We have few examples of companies that were early movers in the inception days of the modern internet. And the decisions made early on prefigured everything that was to come.

At this time I would look to other others for inspiration about the correct way to make use of a data jackpot. Facebook's own totally unrestricted laissez-faire mentality in the relentless pursuit and utilization of its data is undermining itself.

Based on the salaries at Facebook, I would hope it’s intentional.

If not, what the hell are they paying top-of-industry salaries for?

I guess we can change "I have nothing to hide" to "I have nothing hidden."

How much more until we all start using end to end encryption?

I don’t mean server to client. I mean clients have the keys and only the clients.

Why are we relying on third parties to pretty please enforce access control?

Now I really doubt if whatsapp is secure, even though they say it has end-to-end encryption.

its not secure. if you have facebook app and whatsapp installed. the whatsapp can share data with the facebook app and upload it to their servers. messages on your phone are not encrypted. they are only encrypted during sending.

A good workaround for Android is installing "Friendly" in place of official FB app. Not sure if there's an iOS version too.

Also, if you are on android and do a Gdrive backup, all the WA logs are in the clear on googles server. They will gladly pass these logs to authorities on with the appropriate paperwork.

Oh my goodness, I should just delete fb.

Just Android, or with iOS too?

It’s crazy that there ever is/was an endpoint to read a user’s private messages. What exactly would ever be a good use case for that where a user would knowingly agree to it.

Here’s one: I used to work for a company that made social media compliance software for financial companies. Agents/brokers/salespeople had to connect their FB accounts and agree to have their PMs monitored so the compliance department their home companies could monitor what they said. This was so the companies wouldn’t fall afoul of FINRA/SEC/etc.

IIRC, we could see the agrnt’s half of the exchange only, and they were certainly informed of exactly what was going on. The software did other things, too, such as being able to post approved content on their behalf, but this was a core function. Their alternative was to not be able to use Facebook at all.

A third-party app allowing you to chat, possibly using more than one network?

C. F. email.

Did you know that every single email you've ever sent was readable by every single mail delivery agent in between?

It is possible this random person on HN was using PGP, so I don't think it's fair to use "every single" verbiage as it is clearly hyperbole.

So now I understand how it is, that despite putting no personal data on my Instagram account, the Amazon ads I see when I browse Instagram are so very well targeted to me...

They never sold user data for cash, but the monerary value of what they would have gained in network effects would have had measurable value, or they would not have done it.

Time to pay the piper!

Where WhatsApp messages shared with Netflix and Spotify? They're owned by Facebook. I'll never use Facebook Messenger again

What really bothers me, is that of all possible partners, they gave access to Yandex, and Yandex == FSB

Would MZ ever face criminal charges?

> Would MZ ever face criminal charges?

He's lied to Congress. He's lied to half of Europe. (Or blown them off.) He's knowingly directed the violation of a federal consent decree and several EU directives. He presides over a platform profiting from mass atrocities in multiple countries.

There's plenty to go after him with. The only things protecting him are his standing and lack of unexpected criminality.

Evidence that he's lied to those entities?

There is no evidence, just innuendo, raw emotion, and pure discounting of personal responsibility. Many seem to want all the perceived benefits of FB, but none of the costs. Just to be clear, I don't use, nor like FB.

No. The laws under which he might possibly be charged are never applied to billionaires or those with sufficient connections in military or government.

The rules for you and I are not the same rules for Zuckerberg or Clapper.

Don't forget to incl. Jeff. Epstein

Does anyone know if described behavior violate GDPR?

When is the FTC getting involved?

When a new administration shows up.

Maybe that's not fair, but I just assume that very little in the form of corporate regulation is on the table right now.

Great, the Kremlin has your data.

Interesting. Let's see what the local "defend FB at all costs" group has to say about this.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact