2) NYT seems to be intentionally not elaborating on the "access to users' private messages" part and conflating app permissions with actually scanning, parsing, storing, deleting, modifying individual messages. Until disproven, it sounds like these are just standard app permissions needed to implement functions like song sharing in Messenger chat (in the case of Spotify), or sending payments over chat (in the case of RBC).
This is disappointing journalism, to be honest. FB has done a lot of bad things and they deserve the negative press, but it does seem like NYT has some kind of personal agenda against the company and they aren't afraid of exploiting the tech ignorance of their readers to accomplish that goal.
This is like publishing "Popular privacy extension uBlock Origin 'Accesses your tabs and browsing history'". Yeah. Because it needs those things to function:
Anyone who's ever written an Android app or a Chrome extension should see right through this sensationalism.
- Facebook had some messages API for developers (which apps can act as messenger client), some kind of allowing 3rd party messenger applications, those had all access to messages, conversations, contacts (friends) etc
- Then Facebook deprecated this API
- Probably after that, someone came up with this idea about sharing stuff on Messenger (song on Spotify case, movie on Netflix etc etc)
- Then someone at Facebook figured out they can use this old API (in the end they trust those names, they want to do minimal development for this stuff etc)
- So they whitelisted those apps for this deprecated API
So basically they messed up, by giving unlimited access to messages of users to some whitelisted apps, instead of giving let's say selective permission just to 'send some message' over messages
To say The New York Times and the multiple reporters covering the Facebook scandals all have a personal agenda to make Facebook look bad is delusional.
The scandals started with Facebook, and the NYT, as well as other news organizations covering this story, are there to write about it.
Moreover, the Times spoke to nearly 60 current and former employees. You'd think if they had an agenda they wouldn't talk to that many people to corroborate the facts.
If the paper wanted to do a "hit piece," they'd just grab one of their columnists to write it and slap OPINION at the top of the story. A reminder for some people: Opinion is not the same as News. They are different departments that, in most newsrooms, do not dip in each other's work.
The Times' investigations team is one of the best in American journalism. I highly doubt the editors would publish a story as a middle finger to Facebook. If you think otherwise, I welcome specific examples of agenda-pushing stories, with exactly the thing they're pushing out that benefits them and not the public.
Again, the scandals started with Facebook, and they're out now for everyone to see.
The old saying goes, "Don't do anything that you wouldn't want published on the front page of The New York Times."
"Facebook gave your personal information to Netflix/Spotify/etc when you installed their app and approved the permission request" is NOT a scandal.
The NYT article makes it sound like the former, not the latter. This is either incompetence or malicious intent.
It is definitely a scandal, 99% of the users generally approving TOSes/permission request screens (including myself) have no idea what's in there, we generally rely on the goodwill of the companies that wrote out those TOSes/permission request screens.
This tweet about the issue with TOS sums things up nicely:
"If you were to describe a contract that
- no one has read
- it doesn’t matter if you read because you can’t bargain over the terms
- can be unilaterally changed at any time
- does not explicitly describe the consideration you provide (data!)
You’d fail your 1L contracts class"
Either way, many, many of the users would have clicked OK on the confirmation screen even if it had said something like "Facebook is going to sacrifice your first-born child", that's why hiding behind confirmation screens/TOSes when doing nasty stuff like what's described in the article is not enough.
You get similar messages when you install most mobile apps. What exactly are you looking for? If you want to install apps, and the apps are going to do anything useful with data, you need permissions.
> nasty stuff like what's described in the article
This thread is about how the article is false and misleading. You can't use the article to justify the article.
What I'm saying is that giving access to FB private messages to entities outside of FB even with apparent user consent is not ok. Yes, I received that information from the article, but even if I had heard it from a neighbor down the hallway I would have thought the same thing.
> You get similar messages when you install most mobile apps. What exactly are you looking for?
I'm saying those user consent messages don't absolve FB or any such entity of anything when it comes to them sharing private user data with third-parties. I'm looking at them to not share private messages with 3rd party entities, even if that stands against some of the "usefulness" you mention.
LOL. The only goodwill they have is towards their bottom line and covering their ass.
“This is just giving third parties permission to harvest data without you being informed of it or giving consent to it,” said David Vladeck, who formerly ran the F.T.C.’s consumer protection bureau. “I don’t understand how this unconsented-to data harvesting can at all be justified under the consent decree.”
Facebook, if you carefully parse their statement, does not deny this: https://news.ycombinator.com/item?id=18714352
Maybe they're just technologically illiterate then, because many of the NYT articles conveniently eliminate nearly all of the context or specifics around data use in a way that seems deliberately designed to make Facebook look bad. e.g. the story on partner deals last year conveniently did not mention that it would be impossible for FB to make an app that worked on feature phones without the existence of an API like the one the NYT got so worked up about.
> If the paper wanted to do a "hit piece," they'd just grab one of their columnists to write it and slap OPINION at the top of the story.
That's not how hit pieces work.
> The Times' investigations team is one of the best in American journalism. I highly doubt the editors would publish a story as a middle finger to Facebook. If you think otherwise, I welcome specific examples of agenda-pushing stories, with exactly the thing they're pushing out that benefits them and not the public.
Try reading all of the NYT pieces on FB for the last 12 months (including Cambridge Analytica) then look at the state of the tech world and the size of Facebook during the time they were making those decisions, then look into the technical details behind many of them (actual hacks excluded). The "FB is evil" narrative is not nearly as clear cut as you think.
I'm sure the reporters and editors involved are trying their best to be fair. But succeeding in those circumstances is really, really hard.
I find your argument to be highly misleading. Facebook asked users for permission to grant the apps the permission to send messages, and then when the users approved that request, implemented that access by white-listing the applications to give them carte-blanche access to a deprecated API that included not just message-sending abilities, but full read-write access to their entire Messenger history, along with the rest of the deprecated Instant Personalization API.
Cambridge Analytica has already demonstrated how bad actors will misuse any access they have for profit -- granting broader than described permissions simply opens the door to further such abuses. It's utterly naive to believe that these companies would all voluntarily restrain their access to the subset users had been told about, rather than the full suite of data they were handed access to.
Is that in the article though? I don't think OP is guilty of being misleading, maybe just not fully informed. I didn't know this bit, either. Can you source it?
Facebook was the bad actor. Facebook divulged user data to the thisisyourdigitallife app in ways that were counter to what it told users. When the scandal broke, Facebook claimed that its terms of service were violated because the app was collecting the data for commercial purposes, not research, but in either case FB would have been divulging private data improperly.
If you think “sharing data with X without consent” implies that data being misused by X, then that’s a process happening entirely within your head. I agree that it is an obvious thought to have, which is probably why so many people have problems distinguishing what they read from what the words made them think of.
This obvious thought process is also why I’m somewhat certain the reporters pondered the possibility, just like you and me. But they decided against putting it in their article, sticking only to the specific facts they had the internal documents and 60 sources to verify.
It's RBC that is the interesting one here. Did anyone think we would live in a world where your bank has the ability to read your private messages between your friends?
Puer mentions below that this might just be a permissions issue and it doesn't mean that they actually read your private messages.
My gut is telling me it wasn't just about prospective credit worthiness analysis or placing advertising for retail products and services.
Maybe debt collection and finding new ways to hunt down delinquent loan recipients? What else?
Nowhere does the article say they used that access in improper ways. The accusation isn’t that your neighbor stole money from your bank account. It’s that your roommate gave them your card and pin, without your consent or even knowledge. If you draw conclusions the journalists consciously did not make, that’s your error in reasoning, not theirs.
To then claim insights into the thought process of an action that did not happen, i.e. your accusation of intent, just heightens the absurdity.
"Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show."
I find it highly unlikely that these companies actually had the power to delete individual users' private messages. There's a distinct difference between needing general read/write permissions so that Spotify can insert a song into your message and Spotify actually having the power to delete your individual messages, read them, or write them on your behalf to their fullest wishes.
I claim "intent" because how an article will be interpreted, especially for a story of this scale, is no accident. Hacker News has a much more tech literate population than the NYT's general readership, and yet even here there are people misunderstanding what permissions Spotify, Netflix, RBC actually had because NYT framed the information to be interpreted that way.
Example: Saying Spotify has full editorial control over your messages is a very different narrative from "If you connect your FB account to Spotify, you can then send FB messages to your friends from Spotify's desktop app." In one, the implication is that Spotify as a company somehow has the power to directly modify a user's private message. In the other, the user has the power--through Spotify's app--to modify their own private FB messages.
NYT is being factually correct with their reporting, but they're also being misleading, and my argument is that at a news organization of their size and stature this is no accident. Just read the comments from their readers and you'll quickly see how many of them are misinterpreting the above information.
I think that's the crux of it: what communication/disclosure has to happen around granting a company access level X, even when they only hold it to implement feature Y which doesn't do all the bad things you could do with that access level, and who gets trusted with that and who doesn't? (I haven't seen the details of the precise example, so I don't have a detailed opinion on it, but would like to note that a design process aiming to reduce this exposure would maybe have removed or restricted the ability to read messages, allowing only to send recommendations or only read responses to sent recommendations)
Facebook in their response to this says:
> Did partners get access to messages?
> Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.
What does explicitly sign in mean here? For a while, signing in with Facebook was the only way to create a Spotify account, and sign in with X is a common pattern in apps for authentication purposes only. Did it explicitly ask for permission? (what permissions?) Could you use your Facebook-bound Spotify account without granting this permission? I wish both sides in this would publish screenshots...
"Did partners get access to messages?
Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature."
So, why wouldn't Facebook add here: "to be clear, the third party apps only had access to messages which were sent and received from the app. Private conversations with friends could not have been leaked to the third party companies" or something like that?
If they got any more than that, it wasn't because of need, it was because someone at Facebook was being lazy and insufficiently respectful of user privacy.
But then something is inherently flawed, isn't it? As if there was no way to solve this without giving them access to all private communication.
This could possibly be a "build fast and break things" security oversight rather than a full-on Big Brother grant to external parties. We'd need more closure and proof from Facebook if this was the case.
> Don’t Fall for Facebook’s ‘China Argument’
> America’s global dominance in technology requires fierce competition at home, not the coddling of monopolies.
Also, the Great Firewall is a massive trade barrier, which I think would justify trade-retaliation against the companies protected by it if they somehow gained ground in the US due to domestic tech-company regulation.
You can't do it. Of course it doesn't matter to the CPC what Tencent does with this game, because games are inconsequential. But if this wasn't Tencent's LoL, but rather WeChat we were talking about? At that point CPC policies, including censorship will be applied by Tencent. And what "trade-retaliation" will you use then?
No, this false equivalency is something that Big Tech have created now that they are looking at the very real possibility of regulation. Please don't propagate this disingenuous and self-serving bit of economic nationalism for these companies.
It's also ironic that you mention Google in this context considering the existence of Project Dragonfly.
And how do you know they did not, when apparently they don’t care enough about users’ privacy to even inform them, and continued said practice even after getting lots of uncomfortable questions?
What "way" is that? By reporting facts? What "whole thing"? Facebook sharing users' data with third parties without users' consent and then lying to Congress about the continued existence of it? And doing so while they were under a consent decree by the FTC? You mean that "whole thing"? They talked to 60 people for this piece including former FB employees and partners, they reviewed 270 pages of internal FB documents regarding the program. There were 5 contributors to the article. To suggest that this is just some flimsy piece of yellow journalism is a joke.
>"The most egregious sounding parts of this (eg giving Spotify and Netflix the ability to read your messages) sounds like it was entirely tangential to what those agreements were all about."
Unless you work for FB and were involved in negotiating these agreements how do you know "what those agreements were all about"?
What we do know was that FB allowed third parties to access users' data without those users' knowledge or consent. Access to user data was exactly the point, the carelessness with which FB did that can hardly be seen as a "tangent."
Is this GDPR compliant?
But to fulfill your yearning, the original NYT report mentions “consent” 12 times: https://www.nytimes.com/2018/12/18/technology/facebook-priva...
(Although two of those mentions are in the context of “consent decree”, which arguably doesn’t make it look any better)
So I stand by my accusation that you are pretending to be stupid, because no person working at Facebook would really be unable to find the accusation of private data being shared in an article titled “Facebook gave Spotify and Netflix access to users’ private messages”
maybe i am wrong but user blaming seems so very basic to me, and completely ignores how you are responsible for the things you create and the damage they do - and the false confidence or foolish acts they lead people into.
I would like to believe that on average we are ready to just not accept user blaming for privacy and security issues. if they are not qualified to wield the tools then we should not have given them out. as in: "blaming the user is an immature response" seems like a statement it should be okay to say.
NYT seems to be on the attack against FB out of some ideological motivation but the details they are presenting leave out contextual information about how the data was processed before it was handed off.
There's no question FB has been nothing but elusive and ink-spraying about this whole set of ordeals. It's one level of uncomfortable if FB is simply handing away sanitized data, it's another thing if you can just pay them and they will give you all the private posts of any given user without any sort of identity protection.
The fact of the matter is FB's terms basically allow them absolute possession of whatever data you give them. So there is so much grey area and legal ambiguity that it has been allowed to work with, especially in the US which matters most for a US company.
Europe has come around to the concept of citizens' rights to their own data. In some countries you can't even use websites unless they inform you they store cookies. At the end of the day, it's your responsibility who you give your data to.
What ideology is that? The ideology of truth? The ideology of facts? The ideology of accountability and transparency? The ideology that one of the most powerful corporations in the world willfully failed to comply with a federal consent decree? Or that they lied to Congress? You mean those ideologies? Did you miss the entire news story about how FB was used to influence the 2016 election?
And as such it is very much a public interest story. And you want to suggest that reporting on such a public interest story by a newspaper of record is "an attack"?
RBC - get out of the way!
You need consent from all parties messaging back and forth.
One party consenting to Netflix/Spotify/etc accessing your chat messages is not enough.
I would hypothesize that they didn't only grant access when all sides had consented, as the API was (supposedly) primarily used to share media with your friends, something that's pretty innocuous and shouldn't require "chat message read" access at all.
That FB would give lots of user data to third parties is hardly surprising, nor is it shocking. That they'd give private messages to third parties (barring warrants) is shocking, though still not surprising.
It shouldn't be surprising that such networks will continue to monetize whatever they can.
> "They trust me — dumb fucks," says Zuckerberg in one of the instant messages, first published by former Valleywag Nicholas Carlson at Silicon Alley Insider, and now confirmed by Zuckerberg himself in Jose Antonio Vargas's New Yorker piece. Zuckerberg now tells Vargas, "I think I've grown and learned a lot" since those instant messages.