Hacker News new | past | comments | ask | show | jobs | submit login
Facebook collects a wide range of private data from developers (wsj.com)
207 points by mudil 31 days ago | hide | past | web | favorite | 69 comments

> Move, the owner of real-estate app Realtor.com—which sent information to Facebook about properties that users liked, according to the Journal’s tests—said “we strictly adhere to all local, state and federal requirements,” and that its privacy policy “clearly states how user information is collected and shared.” The policy says the app collects a variety of information, including content in which users are interested, and may share it with third parties. It doesn’t mention Facebook.

Then local, state, and federal requirements are lacking. "Privacy" is taking a new meaning in today's world than what it would have been understood to mean previously. Yes, I think the scope of the concept of privacy needs to expand to match the expanding capabilities of all actors to violate it. We could have more privacy by living like Ted Kaczynski but that's not conducive to participating in today's society.

> "Privacy" is taking a new meaning in today's world than what it would have been understood to mean previously.

Try to imagine the most personal and private thing about a person, what would it be? Their medical and biological information, of course! In the future we'll be able to look at 3d renders of our body systems, see real-time health statistics, and be able to discover our ailments near instantaneously.

Now, who else should have this data? In my opinion, only the doctor. Definitely not the government, and definitely not my neighbors. Possibly some businesses for product development. Possibly medical researchers, for educational advancement.

> not the government

Point of information: "the government" should not be regarded as a monolithic entity unless it actually behaves as such. As a Brit, my medical records are held by the nationalised health service, but this doesn't mean that random cabinet ministers or police can go leafing through them on a whim.

For me, they're held with https://nhsnss.org/how-nss-works/ ; quite a lot of England actually has them held by a private company, Serco.

(edit: should probably add another distinction between "illegal" and "doesn't happen at all")

Not even the ones with friends at GHCQ et al?

I value your idea about language, and sometimes I use 'government' in general terms. In your example however, I believe given the opportunity, scumbag ministers and police would indeed look into people's medical records, and would indeed abuse this information.

As an American, I'm constantly upset with our government's abuses, especially by our police and their access to otherwise private info.

As a Brit, my medical records are held by the nationalised health service, but this doesn't mean that random cabinet ministers or police can go leafing through them on a whim.


If they decide to legislate to read them, the fact that they're stored in a private company, on a blockchain, or on the surface of the moon becomes irrelevant.

No it doesn't. A private company has an obligation by contract to protect that information, even from the government. Our 4th amendment privacy rights apply to businesses as well.

Edit: I thought we were talking about America.

The answer for America, as far as I can determine from brief googling of a foreign legal system, is "no it doesn't": https://www.scotusblog.com/case-files/cases/huse-v-texas/ and https://law.justia.com/cases/texas/court-of-criminal-appeals... ?

> obligation by contract to protect that information, even from the government

Contract never trumps statute anywhere.

> Contract never trumps statute anywhere.

The 4th Amendment to privacy trumps statues everywhere (i.e. neither the feds nor state can just legislate their ability to read private company data). The contract between the customer and the org. should prevent the org. from just handing it over willingly.

The 4th amendment having any legislative teeth is honestly a joke at this point. The NSA spying programs show the US government has very little interest in upholding the 4th amendment.

Now, does this mean no company will take the government to court to protect their user data? Maybe not, but the list of companies that I can think of which will do that is vanishingly small. And let's not forget that the AT&T NSA spying case was dismissed by the appeals court, and was not accepted by review in the supreme court. Do you think the outcome would be any different next time?

This is where I express my concern that the American government is operating outside of the Constitution and are guilty of violating our rights. Many constitutionists consider these three-letter agencies to be entirely unconstitutional.

Sure, and I'm in favour of constitutional bills of rights (in Australia we have no strong protections of that kind, it's mostly ad-hoc and common law with the only really significant protection being the "on just terms" concept of compulsory acquisition).

The problem is that if there is no way to effectively "petition a redress of grievances" (to borrow a phrase) about some constitutional violations, what is the point of that clause of the constitution? If you have legal protections of your rights, you must also have a court system that is willing to actually hold the government to account over violations of your rights -- and my impression of the US (as an outsider) is that this is not the case for 4th amendment violations.

Yeah, and I really wish I had a better solution than just excavating the cancerous parts of the government, but Americans aren't very rehearsed on the Constitution or their rights, and finding people who openly advocate for them in their entirety is rare.

I think we need need term limits in Congress, so the same stale minds can't dominate forever. Also I think states should start flexing their 10th amendment rights to show the feds that they care about their rights (state legalization of drugs, prostitution for example).

In general our court system is fairly good at upholding constitutional rights. It's not uncommon for a trial to be thrown out because some evidence was collected without a warrant, for example. However you're right that certain events question the viability of upholding our rights against a tyrannically government. That of course is why the 2nd amendment exists.

> on a blockchain

Fuck that! Seriously. Why do people keep wanting to put data on the blockchain? All that does is make the data public. Sure, it can't be decrypted __now__, but do you want to take the risk that it will always be encrypted? Even if you update the security of the entire chain the previous blocks are still decryptable (and we repeat the with same problem).

We don't need a fully audit-able system this type of data. There are advantages to centralized data systems and I would even take a decentralized approach over a BC method. Unless you can give a very compelling reason why the data needs to be audit-able through the entire history.

> Definitely not the government, ... Possibly some businesses for product development.

Presumely, usage by the business would be open-ended and very openly for the gain of the company first.

Meanwhile, a government agency were (at least in theory) bound by publicly available purposes and regulations.

Out of curiosity, why would you trust the private company more than a government agency?

I understand your point though and definitely agree with your on the sensitivity of the data.

American government is something unique. The Constitution provides a framework for operation, and the Bill of Rights restricts the government from alienating our implied/explicit rights. Originally the federal government was meant to be small, while the states were supposed to manage civil laws (see A9/A10). Since 9/11, I've seen insane power grabs at the federal level, in what I see as an attempt to get citizens accustomed to having their rights washed away (see Patriot Act, NDAA, TSA, NSA hacking tools, etc...).

Put simply, I personally don't trust the American government at the federal level, and it's hard to find reasons why anyone should. People who restrain criticisms of the feds often like to pretend that all they need to do to prevent corruption is get into office any make the changes we want. Unfortunately that's extremely naive and huge waste of effort, especially when Congress has no term limits. I believe the only way to reign in federal abuse is by taking its power away.

My point here is that the government has a long track record for abuse at the highest degree, quite literally, and giving them my most personal and private data is terrifying. The problem is that we can't change governments on a whim, thus if we have a crappy one, we have to deal with it. In a free market however, if a corporation is caught with abuses, we can bury them in court and move to a competitor.

Yes, the free market is making it very easy to move away from Facebook.

You are not compelled by law to use it. You may be addicted but it is a different problem. So the short answer is it just you that makes it difficult.

> You may be addicted but it is a different problem.

Not everyone is addicted, but rather Facebook has become arguably necessary because of its network effect.

Facebook has become the de facto standard of communication in some institutions. For example, in some universities, important notices on due dates or class cancellations is done solely through Facebook. One may be very heavily pressured to use it.

The original article points out that you don't even have to use Facebook yourself for someone else to put your data there.

That's true, and I'm not sure what rights Americans have in this case, it's hard to tell. Could claim defamation possibly, or impersonation?

The usual one that's claimed it that it's facebook's free speech. Can't defame someone with unpublished, accurate information ..

I suppose they do have a right to express what they observe.

Yeah, and kids aren't compelled by law to smoke. If you think that Facebook addiction is the result of human weakness, you need to wake up. Facebook has methodically exploited human psychology for years to cultivate addiction. Check out Roger McNamee's new book.

By the way, I don't have a Facebook account.

Is this sarcasm? Because I'm fine without Facebook and there are plenty of social media options.

Yes, it was sarcasm. They're more entrenched than you'd like to admit. They have a monopoly on social networking, they control a huge portion of digital advertising, and together with Google, they've bought a huge swath of Washington D.C. (see McNamee's new book). The results aren't surprising: regular abuse of customers, exploitation of human psychology to cultivate addiction, the peddling of a harmful product to minors. They're a consolidated version of the cigarette industry. Free markets ain't working—we antitrust action and regulation.

I'd rather have the government have it than any company. The government's (usual) mission statement, in practice, is our well-being; any company's mission statement, in practice, is money.

Do you mean you would rather have our current government to have the data, or a specially crafted government that we can control?

If you pick the former, then I'll assume that you're naive to the abuses in our government. If you pick the latter, then I'm going to leave and be productive somewhere else, because you're never going to get it.

Governments have far more capacity to harm people though.

But we have far more capacity to change governments.

Why do you say that?

Far more industry leading companies (much less companies as a whole) have rose and fall in power, changed their goals/products/management/etc in the past 5/15/50/etc years than governments. Turnover is far higher in corporation management positions than congresses and parliaments, and further, there is no law saying that I have to buy any specific good from a company, whereas I don't get a choice in which government I pay to build the the roads or police where I have established my life.

Speaking of Kaczynski his manifesto points to quite a few of these problems that are happening now. Also, I'm not endorsing him or anything he did but do find it interesting that some of his technology fears are correct.

Per the author on Twitter (https://twitter.com/samschech/status/1098981978462961670):

> A few seconds after the app finished measuring my pulse, I saw it pop up in the network traffic headed to Facebook: \"heartrate\":56,\"

What Facebook endpoint lets the app developer accept arbitrary customer data? What does Facebook do with that data? Do they tie it to the user?

It's an analytics feature like those offered by Google and a dozen other analytics SDKs:



Which, in my opinion, means that the blame should really go the app developers of these apps.

Who are those people that think it is a good idea to send your medical details (the article also mentions "Flo Period & Ovulation Tracker", which apparently sends whether you may be ovulating to Facebook) to a third-party, let alone Facebook?

(Actually, at least for Android apps there is a answer to who these people are... and there are quite a lot of them: https://reports.exodus-privacy.eu.org/en/trackers/66/)

If this list is really a list of companies sending personal data to FB, then this is rather appalling!

It's increasingly obvious that iOS and Android need to restrict network connectivity of apps because it's being seriously abused.

Unfortunately this problem is escalating because too few people give a damn about their own privacy, drowning out the voices who do care, deeply, about this issue.

A proper user configurable firewall is the obvious answer, but perhaps also adding limits that an app can only phone home to the domain that the app was signed with.

I feel that both Apple and Google are deliberately perpetuating this problem for financial gain, and should be held accountable as well.

Edit: grammar

facebook analytics?

Why don't they analyze the data themselves instead of sending such personal information to FaceBook?!

If they don't have the available resources/capabilities to build or self host an analytics platform, do they really need that data analyzed?

Have their users explicitly allowed them to send such data to Facebook? Why not use a company that has a better record in respecting peoples' privacy. No wonder why things like GDPR exist!

While I agree this is not a good thing you could say the same thing about the 100s of millions of sites and apps that use Google Analytics.

True, but this is extremely personal information. Google has information on whether or not you are searching for information on breast cancer treatments. Combine with some health/fitness analytics and they can probably deduce whether or not you have breast cancer, and not a family member.

This headline has been modified from the original, and is a mischaracterization of what's happening here. Facebook isn't collecting this data, rather the authors of many popular apps are sending these statistics to Facebook's analytics tool to better target with ads. The article explains Facebook doesn't want these companies sending users' personal data to them without their knowledge.

They are not completely absolved of blame because they should be monitoring for personal data (somehow), but the app developers should be to blame more using this data without users' knowledge.

Now if Facebook were to use this data for their own purposes, we'd have (another) real scandal on our hands.

> Facebook doesn't want these companies sending users' personal data to them without their knowledge

Facebook's claim about not wanting the data is contradicted by actions. They chose to make their SDK send[1] analytics signals on library init before the user could have even been presented with a request for consent. They chose to have their analytics SDK send[2] everything to Facebook by default, requiring developers to go out of their way to disable the spyware (including somehow discovering that this step is needed).

> Now if Facebook were to use this data for their own purposes,

What would Bayesian analysis say about that question given a history with multiple events where FB et al were using the all of data they received however they want? Facebook lost the benefit of the doubt a long time ago, and it will take a lot of work to rebuild their reputation.

[1] https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

[2] Ibid.

A Bayesian analysis would have to include all the decisions where FB was a good steward of user data. The events reported in the news are a very small fraction of the possible times that FB could have done wrong.

Not that I'm defending FB, but your attempt to lend credence to your statement with a smart sounding approach was undercut by selecting a superficial and biased prior.

> Facebook doesn't want these companies sending users' personal data to them without their knowledge.

Rubbish. If they didn't want the data, they wouldn't build & offer developers a first class analytics package for free, including analytics that don't require explicitly setting events (though not going as far as showing screen recording, which was the moral outrage of last week).

Having said that, When the screen recording thing broke, I wondered how long it would take for it to shift to analytics in general, especially those offered by Apple competitors. I'm no fan of FB, but given the consistent rhythm of the fb-scandal newscycle, and that all these scandals somehow end up with Apple wearing a white hat, I'm really starting to wonder what kind of offensive PR dark arts may be behind it.

note- strategic adversaries is a more appropriate term than competitors, and it is interesting how language used by nation states now fits the relation between companies so well.

For people reading this article and immediately passing judgements on Facebook, do remember that other networks/SDKs including Google, Applovin, Appsflyer - all capture the same information from the app which WSJ is reporting here. Of course, it makes the narrative softer if you blame all tech companies vs. their favorite whipping candidate (which is Facebook) these days.

Here is a question to consider. If Facebook doesn't do this and all other companies do and use that data for optimization and measurement purposes, won't FB unilaterally lose out? The solution is either no one does it or everyone does it. There is no in between.

You're probably right but this is indicative of our increasing distrust of Facebook. They lie all the time about what they're doing with our data. So can we as developers trust them any more than the average user given their demonstrable willingness to abuse that trust? I personally think not.

It is the same with Google who is collecting and using the exact same data from 3rd party apps as Facebook and is equally opaque on how they use that data. Why do you have different principles when it comes to privacy to judge FB and Goog?

> Why do you have different principles when it comes to privacy to judge FB and Goog?

Why do you assume anyone has? Even if some do, why should the ones that don't have to answer to your assumptions?

When a thief gets caught, and they say "why don't you care about the other thieves?", nobody honors that with an answer.

Not the same analogy

I'm not equating collecting data with theft, I might as well have used mass murder or a parking violation. That someone criticizes FB doesn't mean they don't also criticize similar things, or the whole category, that's really all I'm saying.

Hey, you could even use something positive as example, e.g. that someone says something nice about X doesn't justify the assumption that they wouldn't also appreciate similar qualities in or achievements by Y. Criticism or praise, the principle is the same.

I didn’t once mention Google so I’m not sure what about my comment makes you think I have different principles for Google when it comes to privacy.

The solution is new laws preventing any company from doing it. As you point out, anything voluntary is doomed to fail.

Totally agree. Either put in regulations or mobile OSes move away from device IDs for tracking to something more transient - which makes it very difficult for FB and Goog to ID users accurately.

I believe iOS already does this - different apps are given different unique IDs. But I'm sure it's possible to match back up again when you also have IP addresses, user agents, cookies and so on.

No - they do not. All apps pass in the same IDFA or device ID today.

> The solution is either no one does it or everyone does it. There is no in between.

This is the classic race to the bottom, and it's not a valid defence in my excuse.

We are currently racing to the bottom by being quiescent.

This is the sort of user information that I am much more interested in defending from overreach (developer misuse, knowingly or unknowingly) vs. activity which actually goes on as a user accesses any fb-owned domain (or within fb's apps)

Of course, there is the stock reply about half way through the article from app Move's owner, Realtor.com:

>“we strictly adhere to all local, state and federal requirements,” and that its privacy policy “clearly states how user information is collected and shared.” The policy says the app collects a variety of information, including content in which users are interested, and may share it with third parties. It doesn’t mention Facebook.

Fortunately, there has been recognition and action taken against the collection/usage of this sort of third-party information, albeit in Germany.[0]

>There is currently no way to stop the company from collecting the information in the first place, or using it for other purposes, such as detecting fake accounts. Germany’s top antitrust enforcer earlier this month ordered Facebook to stop using that data at all without permission, a ruling Facebook is appealing.

[0] https://www.wsj.com/articles/germany-orders-facebook-to-stop...

Apple is creating a false sense of privacy with their privacy-focused marketing. I appreciate their efforts building secure products but without a way to block or filter 3rd party app network data they leave their users vulnerable.

Also many ad-blockers that could filter app traffic were nuked from the App Store. I wish there was a way to firewall network traffic in the same way it is possible on other systems.

Shouldn't Apple simply block the Facebook app from the App Store then? And similarly for all apps that pass data to Facebook?

well that would be a lot of them.

For example, the kindle app contacts graph.facebook.com.

I really really wish apple would allow a true firewall

This is an important story (along with the NYT one a while back about location data) because it will help move the ball forward on a privacy law in the US. The ad-tech industry is putting all their lobbying muscle in making sure that nothing as strong as GDPR gets passed.

It also makes it more likely that Apple will crack down on third party SDKs, something I've been posting about a lot here.


I've often considered myself a bit of a paranoid freak with my resistance to running apps on my mobile devices. However, this really makes the point of mobile devices questionable for me if I don't really do anything with them because of the fear of not knowing what they really do. While that's all a bit hyperbolic, I'm kind of glad I just don't trust anything. I have a few apps that I use, but I can't really vouch that they are not doing things I don't know about. If it were not for maps, decent web browsing, and a small number of other slightly more useful than just convenient apps, I'd be willing to go back to a feature phone. One I can take the battery out of if I felt the need.

Facebook has always made it almost impossible to delete anything.If you don't delete your activity on facebook every day,you have a buttload of stuff,including all comments.You can go to activity log and you have hundreds of comments,you can delete them one by one.That can take months because they make it hard to do even that.Who cares what you commented on three years ago ? Much of the activity log can not be deleted at all. My activity log gets deleted every day so I don't have years of crap on there.People have been complaining about this for years,but facebook doesn't care.They just want everything they can get about you to make money off you.

The whole business model is based on mining users’ data. These stories unfortunately are not a surprise anymore.

> Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend.

The price of a publicly listed property for sale is my most intimate secret? Even if I were to buy it, the sale price would be a matter of public record that anyone could look up.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact