Facebook’s Data Deals Are Under Criminal Investigation (nytimes.com)
811 points by tysone on Mar 13, 2019 | 225 comments

IANAL. But this:

"reports last June and December that Facebook had given business partners — including makers of smartphones, tablets and other devices — deep access to users’ personal information, letting some companies effectively override users’ privacy settings."

suggests breach-of-contract. Just by creating those privacy settings, the company is 'saying' to (promising) the customer who elects to use them that it will protect that information. That's an (implied) contract. Subsequently allowing anyone else to access that information is a breach.

It'd be interesting to see FB argue in court that breaking promises was okay as a form of restitution for the services they provide.

IANAL either, but two things stand out. First, breach of contract is not a criminal wrong, only a civil one. Second, it would be a big stretch to say that the relationship between users and Facebook (or any nominally free service) is a contract, as valid contracts must follow certain requirements like consideration or a meeting of the minds. This is partly why things like the Computer Fraud and Abuse Act that e.g. Aaron Swartz was being prosecuted under (persecuted, IMHO) can be so alarming: things like terms of service normally wouldn't even stand up as a contract, but under CFAA, they can give rise to criminal charges.

I have no idea what charges the Eastern District of NY might be seeking pursuant to these data deals, but maybe something like mail/wire fraud or honest services fraud? Again IANAL, but those are fairly broad and the government could make the case that Facebook fraudulently breached its duties to its users.

Read the article. This discusses violations of an agreement between Facebook and the FTC. Not an agreement or ToS between users and Facebook.

Did you read OP? In context, the idea is clearly that Facebook violated some sort of contract with its users.

If it's for one user then it's a breach of contract, if you do that for 10 million, that's a deliberate act of breaching all contracts and that is usually criminal.

scale matters on these issues as well.

and if you are doing it as a big utility company (e.g. banks) then you are free to go :)

I am still raging angry about Wells Fargo and Equifax.

Wells should have been shut down, and I say that as a libertarian. They should have been shut down for this alone: https://consumerist.com/5283290/affidavits-on-how-wells-farg...

The bank I've long used is constantly reminding me that it shares data with its 'affiliates'. So I give it very little data to share.

So I work for a bank and constantly have to take compliance training...

One of the courses is over disclosure of information to third parties. This info isn’t part of my personal bau, so I might have it wrong, but:

There are two kinds of data sharing a bank does with affiliates, necessary for business (credit checks, appraisal companies, etc) that you cannot opt out of.

Then there’s everything else which you can.

It’s in legalese, but you can ask someone at your bank how to opt out of as much as possible.

It doesn’t help much, but it’s something I guess(?)

This sounds like an absurdity, hiding your information from your bank?

Why not? That is, why does your bank need all that information about you? I give bank my money for safekeeping and the bank provides convenient access to it. Reliable access can be done with different methods using a different degree of anonymity.

At least in the US, banks requiring all sorts of information do it not even as their own business choice -- they do it because government regulators insist that this data is collected because security, because terrorism, because money laundering, etc.

Fake address is a good start... Like a PO box you own. Banks are the worst offenders in sharing data with... Data brokers.

Please refrain from suggesting idiotic and potentially illegal actions.

Get a better bank. And better banking regulation. I'm pretty sure Dutch (and probably European) banks aren't allowed to share their customers' data around like that, and I'm horrified that there are banks that do this.

Well, the largest Dutch payment provider did intend to sell payment data: https://nos.nl/artikel/510009-banken-verkopen-pingedrag-klan...

(They've since retracted that plan after the plan was met with widespread disapproval. I don't think they've tried again since.)

Wait, isn't that illegal? Afaik you need to use correct information in a contract.

If the mail reaches me then AFAIU it's legal. A contract does not stipulate that I must spend nights at the address I provide. How, for example, would you otherwise deal with having two residences?

While you may have multiple residences, legally you have one domicile. This is the location where you live and verification of you actually living there is required by most contracts and is enforceable in a court.

Unless of course you don’t live anywhere because you move every 4 weeks.

Turns out our society is really not designed for someone without a physical residence. It’s made for a frustrating year for me.

I hope that this does not include providing incorrect information. That would be very dumb and an easy way to lose control of your own money or worse!

Referring to Facebook users as customers is quaint.

I could call them what Zuckerberg did, but some people here might take umbrage.

Did anybody else catch this?

> Apple was able to hide from Facebook users all indicators that its devices were even asking for data.

I've seen a lot of discourse here seem to favor Apple over the big "G" but... this seems pretty shady. Anyone else know anything about this practice or what specifically they might've been referring to?

This was discussed the previous time this topic came up [0, 1, 2]. This is basically OS level integration which enabled users to share Facebook updates without opening Facebook like OS level integration. Apple removed the Facebook, Twitter, Flickr etc. integration in iOS11 [3].

[0] https://news.ycombinator.com/item?id=17223926

[1] https://news.ycombinator.com/item?id=17229301

[2] https://news.ycombinator.com/item?id=17224071

[3] https://www.cultofmac.com/485346/ios-11-ditches-facebook-twi...

Apple fights the privacy battles on its users' behalf only where it sees a PR benefit, like the high publicity FBI's iPhone encryption dispute a few years ago.

wprq: So which phone does a concerned person buy?

An old android phone that supports Lineage OS with no G-Apps. You've still got a closed baseband and random hardware blobs, but I'd say it is the best option at the moment.

iOS device with iOS 11 or newer (current devices are on iOS 12)... or don't log into Facebook on an older device.

This isn't Apple cynically hiding selling your data behind your back. Back when they had Facebook integrated it was so that you could share stuff easier with your friends. Yes it was a security risk because of how Facebook used the information. That is part of the reason Apple removed the integration.

> This isn't Apple cynically hiding selling your data behind your back.

It's just both a grave security mistake and a breach of trust to treat Facebook preferentially without letting the user know.

To me, it's indistinguishable from cynically handing over the user to Facebook.

> It's just both a grave security mistake and a breach of trust to treat Facebook preferentially without letting the user know.

The user knew. The user asked for it. People were howling for Facebook integrations. This was back before Facebook's privacy transgressions were as widely known.

It's also worth noting that the integration was designed to allow posting to Facebook from iOS. Facebook then took advantage of that opening to get additional data from the device. That's why Apple slammed the door shut.

the user who logged into Facebook...

It's not good. It stopped in 2017 when they removed Facebook integration.

As far as I know Replicant[1] is the only completely open option (besides the baseband OS). I would love to run it myself if it supported more phones, although I have not personally tried it. I keep an eye on the project though. Other projects like Copperhead OS[2] have all mysteriously imploded.

[1]: https://replicant.us/

[2]: https://news.ycombinator.com/item?id=17289536

I've run Replicant (as an exercise, not for serious privacy/security requirements), but I don't really recommend Replicant.

Replicant drawbacks include:

* Starved for developer time (e.g., low device support, slow/no updates for known exploits, question of how many eyeballs seeing changes, no current semi-secure way to browse Web).

* Only kinda barely minimally almost works.

* The supported hardware devices are not only few and old, but have fundamental security weaknesses in hardware.

* Android is a huge code base, and, going forward, to some degree you're at the mercy of whatever the developer decides to do with it.

* You're trying to adopt a platform that was, to some extent, designed around surveillance of the user. You can disable a lot of snooping, but you would design it very differently if privacy&security were goals.

Librem5 is sorta an option, if you can afford it, though they still use closed hardware black boxes. (Also, even when two black boxes are "isolated", and you think you control the communication channel, you don't necessarily.)

It's too bad that FirefoxOS didn't work out. The Gecko layer and up could've been moved to a purer Linux stack (ditching the Android build tree monstrosity), and to more trustworthy hardware.

Personally, I'm hoping we go back to the original Linux emphasis on mainline kernel, maintainable open drivers, blob-free. The closest effort I've seen is PostmarketOS [1], but it's still in an early state, and it could also be a little more strict about compromise slippery slopes (e.g., the wiki can be misleading about what works on a device, since it might be talking about a non-mainline kernel, and perhaps they should ban kludges to run closed Android drivers). I wish I had more time to work on pmOS at the moment (but am job-hunting, and my new open source work has to be much more near-term employable than this).

[1] https://www.postmarketos.org/

You don't.

Though I suppose a dumb phone would do, or maybe a LineageOS/MicroG-based smartphone.

wprq, tfdim ?

It was opt-in. And hardly used.

Ok, so those partnerships were basically allowing Samsung and others to build a Facebook app on their phones (i.e. allowing an alternative client).

Would this mean that it will be criminal to allow companies to create alternative clients? That is a really interesting development.

Samsung devices shipped with the same Facebook client app as on the Google Play store, it wasn't an alternative. The back end data access was through other means.

Not all Samsung devices had Android at that time.

Individually negotiated confidential deals are not the same as open APIs and protocols which is where alternative clients normally come into play. And the “alternative client” stuff doesn’t even apply to Amazon, Bing etc

Ironically, the whole point of having individual deals rather than an API open to everyone seems to have been ensuring the companies didn't do anything dodgy with people's data. Then the New York Times spun Facebook's approval process as them giving those companies special access to users' data, even when that data never left the end user devices, and now this has apparently led to a criminal investigation.

> even when that data never left the end user devices

Do we know that to be true?

In any case, I'm pretty sure they don't bring criminal cases like this frivolously. There's obviously something here.

You see the scary descriptions and illustrations of how much information was shared with the Blackberry Hub app in the previous New York Times article about this at https://www.nytimes.com/interactive/2018/06/03/technology/fa...? Well, their reporters got that information by sniffing the network traffic from the app. They knew exactly where the data was going, and clearly they didn't see it going to Blackberry's servers or that'd be right in paragraph one of the article.

Presumably Blackberry is using an access token to fetch that data, I can't see any reason why they couldn't also store that access token server side and query data without it ever appearing in device logs.

The same could be said for mail.app sending your Gmail password to Apple, but it would be rather unlikely.

>>Ironically, the whole point of having individual deals rather than an API open to everyone seems to have been ensuring the companies didn't do anything dodgy with people's data.

They were not charged for special API access? Still, FB might have used this as a negotiating tool as they dealt with Apple, Microsoft etc etc

My guess would be data harvesting to FB without the app installed.

No, of course not. Why would I you ask this?

It seems like Facebook somehow gave these partners rather deep access. To all users, not just those using those phones or who opted into the arrangement.

Mostly, because the article is a mashup of random data things about Facebook, and it's not clear what is being investigated. They started that phone makers' data deals are being investigated (which is basically an alternative client), then go into Cambridge Analytica, and mention Bing data access in the end (which could be about the deep access you are talking about, but it does not look like it's being investigated).

And for phone deals, criticizing friends/deep data access... If you want to build an alternative FB client, your phone has to have access not just to your data, but also to your friends' data (i.e. all data you have access to), in order to provide any useful service. So yes, technically your friends didn't agree that your alternative FB app can access their data, but you gave your access credentials (and permissions) to access that data to your phone.


Please don't be rude and please don't post unsubstantive comments here.

When another comment is wrong, please explain why so we can all learn. Alternatively, it's always an option not to post.


I was personally involved in a leadership role in one of these key strategic deals while at a major handset maker.

To be clear, we built the 'Facebook experience' for our device because only we really could. During this era, APIs were a disaster of a mess, moreover, the special API that made the device so special was not available to the public. Ironically it was our internal APIs that were making the special sauce!

For this purpose, Facebook provided users of the app we designed access to their own profiles. Obviously, this is a fairly wide API and it had to be made available specially for users of our app.

At no time did we ever have access to FB users' private information. At no time did anyone even remotely suggest anything inappropriate or nefarious. There were simply no moral or legal discussions on this front because it was moot.

The situation, net, was akin to Facebook having hired a 3rd party to design an app for them, giving that app the internal FB API necessary to function, and then distributing the app.

This isn't an issue of 'times have changed' or 'looking back we'd have done something different' rather - I can affirm that there was simply no bad acting, no breach of individuals' accounts, and no undue risk to individuals' accounts.

Obviously this situation is very specific, and that conditions will have varied.

If FB was truly giving Bing special access without people's consent - this is a big problem.

The Cambridge issue - well - this is a tricky one because Cambridge merely took advantage of the APIs the entire world had access to. There was little if any discussion of the inherent problems with those APIs, and when it looked like maybe they were being abused, Facebook did the right thing and closed them. They even went ahead and investigated Cambridge to ensure the data was gone, and Cambridge presented them with evidence that it had been deleted. I think in this case Facebook was a responsible actor.

Clearly there are more situations to consider, but we should be thoughtful in terms of how we approach newly released information and not get caught up with the mob.

Personally, I loathe the koolaid mob that built Facebook up, but I equally loathe the hate mob wanting to take them down.

As far as the responsibility goes I’ll raise you a Zynga, and especially the Obama campaign which was lauded by the media and facilitated by the platform because after they noticed the abuse “they’re on the same side”. I doubt this would be such a pernicious issue if another candidate won.

I'm so glad you wrote this. It's mind-bogglingly stupid what people are saying about the nefarious purposes this stuff was put to when that's obviously so far from the case and EVERYBODY involved in working on this stuff 10 years ago understands it.

I should add that it's possible there were some loose ends in some other scenarios. I don't think we deeply considered our situation, to the point wherein there might have been some loopholes with caches, etc.

At the time, nobody considered the issue to be hugely problematic, it was 'info on a site' and we treated it responsibly, but not like top secret data.

Also, we had no reason to want user data. Today, companies may or may not be able to use such data, but they all seem to be in the game of collecting user information as a systematic impetus. I think this will evolve.

"It is not clear when the grand jury inquiry, overseen by prosecutors with the United States attorney's office for the Eastern District of New York, began or exactly what it is focusing on."

What is NYT source for this story?

A leak about the existence of an investigation?

NYT journalist saw entries for grand jury subpoenas on PACER?

How do they know the crime has to do with data deals?

We must wait until complaint is filed before anyone can disclose the statute allegedly violated, correct?

“according to two people who were familiar with the requests and who insisted on anonymity to discuss confidential legal matters.”

Yes, there is a lot (more) we would like to know.

But this is as good a time as ever to do a little experiment regarding the practice of anonymous sources: at some point, we are likely to learn more about this investigation. Then, you can check if the information we have now was correct. Or, as the common accusation goes, it was a wholesale fabrication by the Times.

Thank you. Sadly, I missed that line.

It sounds like a leak from within Facebook or another tech company on the receiving end of one of these requests.

I always thought grand jury proceedings are supposed to be secret. Maybe this explains the anonymity. I guess it is not unusual for the fact of the existence of proceedings to leak and for media to speculate? Does this have potential to negatively affect the outcome?

Are you suggesting NYT is lying...? I mean, why they'd lie about it? Prosecutors use the media routinely to push their POV so it's not that strange...

Not revealing sources is SOP

>NYT source for this story

Most probably a US DA turning the screws on Facebook.

At this point it is just an investigation. Nobody has been charged with anything. They have to find a law Facebook has broken first, and presumably establish enough evidence that they expect to succeed at a trial.

Do you have any idea what charges these may be? AFAIU, there're no laws which make it criminal to share information.

If even a single byte leaked, I guess the charges can include being accessory to identity fraud?

Criminal charges assume intent, and it's very hard to think that Facebook as a company had intent of committing identity fraud.

Crimes do not always require intent. It depends on what the statute says specifically.

Yes, there're such crimes, but there aren't so many of them.

There are lots of crimes that require a mental state less than intent (either recklessness or criminal negligence, mostly, though there are some strict liability crimes, and the weird case of “malice aforethought” for common law murder which is narrower than recklessness but just slightly broader than only intent.)

Recklessness and negligence require some understanding of what you are doing and that it's wrong. So, it's really hard to commit them by mistake.

> Recklessness and negligence require some understanding of what you are doing and that it's wrong.

Negligence specifically does not, it only requires the existence of a duty of care (except not in specialized cases, that of reasonable care, which doesn't mean you are aware of risk, but that a reasonable person in your place would be.) Recklessness requires conscious awareness and disregard of risk, but not awareness of wrongness.

Harms from recklessness are mistakes, while recklessness itself is not, but negligence is quite normally a mistake.

You know data often leaks and leads to identity theft and yet you slurp it down anyways and freely share it around. Sounds reckless and negligent to me.

Since it appears the investigation is focused on information sharing agreements between Facebook and "device manufacturers" I would suspect criminal wiretapping.

But of course there's always the Computer Fraud and Abuse Act which is so broad that it could potentially apply to just about anything anyone has ever done via an internet connection.

Doesn't a grand jury meet after charges have been filed? Or is federal different than state in that respect?

No. After charges are filed you go to court. Grand jury votes on the charges.

I thought grand jury meets before charges are filed so they can authorize access to documentation and such things?

IANAL, but grand juries do a lot of work before the charges are filed. For example, they check whether there's a probable cause for a search warrant.

Do you know how grand juries are selected? I find it weird that I've been selected for a trial jury a bunch of times but never a grand jury.

Get a bigger hat, it's right there in the name.

AFAIK, they are selected the same way as trial jury. I think the main problem is that there's less need for grand juries since they process information much more quickly than trial juries.

Yeah, I was kind of writing that under assumption "if it would have been found criminal".

> F.T.C. officials, who spent the past year investigating whether Facebook violated the 2011 agreement, are now weighing the sharing deals as they negotiate a possible multibillion-dollar fine. That would be the largest such penalty ever imposed by the trade regulator.

A multibillion dollar fine? That's great, but even greater would be to put Facebook's execs behind bars. A CEO shouldn't walk away with a stuffed bank account after years of criminal offences, violating the privacy of millions of people all around the world and then not take any personal responsibility for it in front of our jurisdiction. The fine is attributed to Facebook, but there also needs to be a hefty penalty for the people who ran Facebook and that is the executive team. Jail terms must be given. In the long term this will set an important precedent and detract possible future offenders!

>but even greater would be to put Facebook's execs behind bars.

What is with this place wanting to throw everyone in prison? Is there some thrill you get from seeing executives in an orange jumper?

Fines can be far more beneficial to society. Make them pay in a way that actually helps other people.

People are exasperated with bad actors being allowed to set the common trust on fire with gasoline. For example, if this story were about a smaller dev they would probably be prosecuted for credit card fraud: https://news.ycombinator.com/item?id=18995823. Fines so far have not caused that to stop, so now the mob is asking for blood. Try to take it as an indicator of how desperate and frustrated people are, rather than a fetish.

Fines can be far more beneficial to society.

It's not an either/or. You can be sentenced with both a fine and jail time. Plus, I feel like the goal here should be stopping illegal activity (should this investigation find something, of course), and I think jail time would be more of a deterrent than a fine. Plus, we already have a system in place for corporations to benefit society from the earnings society lets them make: taxes.

Because fines are rarely proportional to income, and are frequently written off as the cost of doing business.

Fines simplify criminal behavior down to a "business decision." Is the extra revenue to be made minus the fine still profitable? If so, it makes sense to break the law. Often it is, because fines don't tend to scale with the size of the company they're levied against.

Start putting executives in jail, and behavior will actually change. Isn't that the desired goal?

Fines are absorbed as a cost of doing business and are not a disincentive.

Jail. Jail for a looooong time. Only in negatively and significantly affecting the life or lives of those responsible will there be adequate justice.

Better question is, what is it with HN and rallying to the defense of unethical and illegal business practices?

People convicted of insider trading get prison sentences. Was theirs a violent crime? No. Did they cause a recession, harming thousands of people? No.

They're sent to prison because it has a deterrent effect, in an industry where insider trading is easily accomplished but also hard to prove in court.

Same goes here. The public has no ability to audit FB's data collection and sharing practices. We simply have to take their word for it when they announce a new "privacy-focused Facebook".

If prosecutors can find a criminal charge that sticks, any conviction should lead to jail time.

I think it comes down to real versus symbolic consequences and anthropomorphising non persons (Here, person in common language is constrained to individual Homo sapiens NCBITaxon:9606) The non corporeal entity in question can not be put in an orange jumpsuit and the fine if large enough could have an actual impact. However a number on a ledger does nothing to satisfy a human perception of justice served.

To me the answer is; do both.

>Is there some thrill you get from seeing executives in an orange jumper?

Criminals. The word you're looking for is criminals. And yes, most people like seeing criminals in an orange jumper.

>Fines can be far more beneficial to society. Make them pay in a way that actually helps other people.

How exactly?

Moral indignation is the new chic

Better to just let people get away with whatever they want, right?

I mean, as long as the crime made a lot of money, it can't really be a crime, surely?

It's better to be rational about creating the right incentives to prevent socially damaging behavior rather than stoking moral indignation disconnected from any semblance of benefit to society. How the left became the torch-bearers for unreflective moral indignation and retributivism is beyond me.

> It's better to be rational about creating the right incentives to prevent socially damaging behavior rather than stoking moral indignation disconnected from any semblance of benefit to society.

I hope you apply the same rubric to shoplifting, drug possession, and the dozens of other non-violent crimes that get people put in jail regularly. Otherwise this is just a justification for keeping power unaccountable.

Absolutely. I think free will is a terrible concept that only serves to justify our retributive tendencies. Our entire approach to criminal justice needs an overhaul.

I think it's not only moral indignation. It's a feeling that fines are not working. Since fines are not working, maybe prison would.

If you make the fine large enough to actually matter, it would probably affect people working at the company who had nothing to do with the illegal activity. So maybe you should figure out who said 'OK' to the stuff, and who implemented it, and then put them in prison. Maybe then other companies won't do similar things.

I don't know if it would work, but the sentiment doesn't necessarily come from moral indignation or "retributivism".

There's plenty of glee in this thread at the prospect of MZ facing jail time. That's the retributivism I'm referring to.

As far as fines being incentives, if the fine is large enough it will work. Make it so shareholders feel the pain and the board will hold the executives accountable. Then you'll get the necessary feedback to curb these actions.

>the right incentives

Like, say, not going to prison? You know, the main incentive used for regular people? Just spitballing here.


What specific charges can be filed against him? What laws have Facebook broken?

I suspect FB have broken many laws but perhaps the country simply has inadequate consumer protection.

Advocating for jail terms without specific charges is not the direction to go.

What laws have Facebook broken?

The article very clearly states that there is a criminal investigation going on.

Right. So people in the thread advocating 3-5 years of prison for someone who hasn't even been charged with a crime is outrageous.

> So people in the thread advocating 3-5 years of prison for someone who hasn't even been charged with a crime is outrageous.

I don't see how it's outrageous. We're (probably) not judges and we're not likely to be on the jury either. This kind of "I hope he goes to jail for a million years" posturing is quite common when people discuss any sort of criminal behaviour.

Is it beneficial or just? Perhaps not. But it's so natural that calling it "outrageous" is quite a reach.

Which Facebook exec(s) would you put behind bars and for how long?


Charged with what specifically under what precedent? The USA is (supposedly) a nation of law. If Zuck broke an existing law with precedent for those kind of terms then that would make sense. If you are simply angry at legislators for not protecting you with adequate law, your issue is not with Zuck. You are simply angry at him. If you simply want him "made an example of", I hope you think of the repercussions to legal framework of the nation.

Not at all. The article says "criminal investigation" but after some cursory discussion of a grand jury and EDNY they pivot to talking about the FTC and civil punishment.

I am not a lawyer, let alone a federal prosecutor. However, it does appear that actual federal prosecutors are suspicious enough that a crime took place to take it to a grand jury.

Facebook is an unprecedented company with unprecedented access to users' private information that committed an unprecedented breach of contract. There's no reason why a judge should rely on precedent.

Judges use historical cases as guidance. To say there is no precedent is misguided. This would still be the case.

More importantly, judges do not pass legislation. They adjudicate law.

Can you name a similar breach that happened in the past and was adjudicated by the court? If not, there is no judicial precedent, by definition.

No indication of what the charges are? The closest thing in the article is:

> the partnerships seemed to violate a 2011 consent agreement between Facebook and the F.T.C

which doesn't seem like it would be criminal?

Does the US actually have criminal laws regarding selling data? Any educated guesses on what's actually going on?

Attorney here!

Violation of a consent decree can result in criminal contempt-of-court charges. See 18 U.S.C. section 401 (https://www.law.cornell.edu/uscode/text/18/401). See also United States v. Schine, 125 F. Supp. 734 (W.D.N.Y. 1954).

Interesting, thanks! Who at the company could reasonably be jailed for such a thing?

What do criminal charges risk for a company? I guess fines?

How might this affect an FCC or breakup conversation?

I would entertain a wire fraud argument.

Facebook isn't doing anything worse than what Acxiom and other data brokers have been doing for decades. None of it is criminal without any general purpose data protection laws. This is just pitchfork populism.

If federal prosecutors are conducting a criminal investigation, it's almost certain those investigators believe(d) a law was broken. I don't think anyone here is in a position to claim "they did nothing criminal" without inside knowledge of the investigation - in which case you certainly wouldn't be commenting here.

> Facebook isn't doing anything worse than what Acxiom and other data brokers have been doing for decades

Because other people are doing bad things, it's OK for Facebook to do bad things.

I'm not sure that's how the law works.


That's literally how the law works. What "bad things" we prohibit people from doing is determined by law.

We don't have laws regulating the gathering and trade of data on populations or individuals.

Did you read the article?

> Privacy advocates said the partnerships seemed to violate a 2011 consent agreement between Facebook and the F.T.C., stemming from allegations that the company had shared data in ways that deceived consumers.

That (among other things) is what's landing Facebook in legal trouble.

The 2011 FTC consent agreement itself does carry the force of law, which means that if Facebook breaks the terms, it's breaking the law and penalties can be assessed.

I failed to add a qualifier (as in "good" laws, "robust" laws, etc.), but the comment I was responding to was a broad generalization and not specific to this case.

I was aiming at the notion that "this isn't how the law works".

How do you know it?

Unless Facebook is mishandling HIPAA data they can do no wrong in the US.

That's not true.

With the 2011 FTC consent agreement, there is plenty that Facebook can do with customer data that will land them on the wrong side of the law.

Investigating and preventing unfair or deceptive acts/practices affecting commerce is a big part of what the FTC does: https://www.federalreserve.gov/boarddocs/supmanual/cch/ftca....

Or they sign a consent decree. Or their customer agreements and disclosures say they don’t do something that they do.

I used to think that as well. I've been monitoring the fallout of several labs that were recently hacked and basically mismanaged patient data for millions of people, most of whom have no idea their data was compromised. I have yet to see any of the labs punished. The most recent that I know of was LabCorp.

There has been a tremendous amount of grassroots lobbying, fundraising, and private investigation in New York over the past two years with respect to Facebook. It’s a serious area I feel Silicon Valley has abdicated its moral obligation to stand up to its own. Hoping we can develop the evidence that comes out of this case into criminal charges for individual engineers and senior officers.

There is a movement starting to put ownership of data back into the hands of the people who created it.


Feels like the right solution even if the task is monumental.

I was all 'pro' this link, until I read:

> Hu-manity.co has ... designed new intelligent contracts on blockchains which humans can use to negotiate new terms of consent and authorization with corporations so that inherent human data can be respected as legal property.

It's great that people are serious about this, but extreme care should be taken with the latest tech hype! Blockchains are (by design) 'out there', which means that once consent is given, that consent is 'out there' for all time. Blockchain is also rather public, so it would seem rather easy to 'harvest' who has consented to what...

... unless I missed something?

More importantly, if a project describes itself as using or being involved with blockchain, most of the time it is a scam - be it about scamming people for money or attention. I would be careful before getting tainted through association.

An audit log on blockchain with a decentralized data exchange would be a viable use case for this kind of application to build trust on the network but also provide GDPR compliance.

I'm all for it but this really needs proactive changes from legislation. EU has made a start with GDPR other jurisdictions need to follow suit and take it further.

What kind of scenario could you see an engineer getting charged? I find that pretty hard to imagine here.

For what it's worth, Volkswagen did have at least one engineer (software) convicted for the emissions issue[1].

With that said, I don't know if that is applicable here as I'm not even aware of what the potential charges might be.

[1] https://www.nytimes.com/2017/08/25/business/volkswagen-engin...

Criminal charges for what exactly? They shared their user data with other companies. Since when is that criminal?

Breach of a consent decree is not necessarily criminal, as far as I can tell. And even if it was, it definitely wouldn't represent a crime on the part of any FB engineers.

Attorney here!

Violation of a consent decree can result in criminal contempt-of-court charges. See 18 U.S.C. section 401 (https://www.law.cornell.edu/uscode/text/18/401). See also United States v. Schine, 125 F. Supp. 734 (W.D.N.Y. 1954).

Sure, it can result in a criminal charge, but it is not in and of itself a crime. So, investigating them for breach of consent decree is not a 'criminal investigation'.

Bluntly speaking, you are totally, completely wrong. You can't imprison someone in the U.S. unless that person is reasonably suspected of a crime or has committed one. The code in question allows for such imprisonment - that's why it's called "criminal contempt."

> You can't imprison someone in the U.S. unless that person is reasonably suspected of a crime or has committed one

I didn't say otherwise.

> The code in question allows for such imprisonment - that's why it's called "criminal contempt."

I don't disagree. What I said is that breach of a consent decree is not necessarily a case of criminal contempt. And whether or not it does rise to the level of criminality will be determined by the judge, not the investigators. Therefore, referring to it as a 'criminal investigation' does not make sense if the investigation is strictly investigating breach of a consent decree.

Agreed, but it seems like pointless hair-splitting to me. One could reasonably still call it a criminal investigation even if it leads only to a civil contempt finding. Many situations are investigated as possible crimes even if no activity rising to the level of a crime is found.

Ya, I take your point, but I don't think it really is hair splitting unless one of the following is true:

A) The base rate of consent-decree breaches resulting in a criminal contempt charge is high, which I very much doubt that it is.

B) There is some information about this particular case that makes a criminal contempt charge likely. This could be true, but the article makes no attempt to demonstrate it.

Failing one of these things being true, I don't think it's fair to refer to it, at this stage, as a 'criminal investigation'.

But why would that be enforced by the USAO-EDNY?

Under the Federal Wiretap Act[1] intentionally using a device to intercept an electronic communication is a crime. Since the NYT article indicates the investigation is focused on device manufacturers and the article notes the devices may have facilitated the sharing of user data without consent this is the most likely potential charge.



Please don't insinuate that someone hasn't read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."


Nothing in that sounds criminal (though I'm not a lawyer) except maybe perjury if the "contradicted statements" were under oath.

And how exactly would any of that lead to criminal charges for any engineers?

5th of May last year in many places and in every other place in the world where you manage to convince a judge that it is. It's easier when there are explicit laws on the books.

Which laws are those?

I think he’s referring to GDPR.

GDPR was 25th of May, and it's still not a criminal law.

It started after Facebook started getting blamed for landing Trump in the White House, and the pile-on has increased steadily since then.

I’m no fan of FB’s extensive use of dark patterns, but the concerted attack on FB is meant as pressure so that Zuck agrees to let FB be used as a great firewall.

Thank you, Zuck, for resisting the pressure if indeed you have. It will only increase as 2020 approaches.

Zynga and the Obama campaign weren’t nearly as vilified for harvesting user data on a massive scale. My suspicion is it’s more of an old vs new media fight.

It's probably in large part old vs new media, but Facebook's scumbaggery also has been going on the longest and it certainly showed the least restraint on outright lying to everyone.

Who in particular is trying to set up a great firewall-type situation in the US? That doesn't seem like a legitimate risk to me.

All governments want a great firewall of some sort (and a social credit system too). Facebook is being strong-armed.

So let's incriminate engineers for building a faulty airplane too.

When you hold yourself to the same legal and social standards as actual accredited engineers, of the type who build things like airplanes, you’ll be in a better position. Right now the software world wants the benefits of the unregulated Wild West, without the consequences. Such a scenario simply cannot last, and in the absence of self regulation and setting of standards, the legal system will step in. It’s slow, it’s clumsy, and it’s inevitable.

Quality software exists and is written by talented engineers. It's written in specific languages and is tested on specific hardware configurations and verifiable. These things cost a bit more. I’m sure if the mass market were willing to bear an enormous cost this would already be solved. Unfortunately I doubt you or your cohorts are willing to pony up $2,999,999 USD a seat (Minimum order 500).

In your fantasy, why does a “seat” cost orders of magnitude more than a first class round trip to Australia in an actual seat? On that note, in the same way that I prefer a more expensive seat on a plane that was designed in accordance with professional and legal standards, yes I’d do the same for software.

Maybe there would even be less cruft and bloatware when externalities were accounted for.

The seat is a reference to a software license. Airlines are economies of scale, this is a small run of software that would meet your expectations to run and be verified to do so. Are you aware how much it costs to develop an airplane? It's more than the cost of a single ticket.

Make your software to the same fine degree as one makes an airplane and maybe you’d even deserve the prices you quoted.

But engineers (real engineers, not self-styled unregulated ones) are already liable for their negligence and failures.

The vast majority of engineers at Boeing and similar companies are not personally liable for failures; the company is. They are working under an industrial exemption.


229. If a builder builds a house for someone, and does not construct it properly, and the house which he built falls and kills its owner, then that builder shall be put to death.

230. If it kills the son of the owner, the son of that builder shall be put to death.


FB Response: https://twitter.com/fbnewsroom/status/1105993038671691776?s=...

> It's already been reported that there are ongoing federal investigations, incl. by the Dept of Justice. As we’ve said, we're cooperating w/ investigators and take those probes seriously. We've provided public testimony, answered questions, and pledged that we'll continue to do so

Is Facebook still down or something? Why are they posting the responses on Twitter?

Does anyone ever say they're not cooperating with investigators?

No. When they don't cooperate they say something bullshit like "We've cooperated as much as possible" or "We're going to let the investigators do their work."

Elon Musk tends to continue posting foot-in-mouth tweets, when he's under investigation.

Roger Stone?

Okay let me amend that, does anyone except Roger Stone do that? :-) Like I obviously don't mean this 100% literally (obviously someone does this somewhere), but I'm trying to ask whether the statement really carries any weight or not.

Nah, snark aside, you're right. "We're cooperating with the investigation" is largely PR speak for "we're doing the absolute minimum that's legally required of us, and we're doing that as slowly as possible".

When are all the revelations going to end? It's been every few months for the past five years.

They’re a regular Wells Fargo.

Then they'll be perfectly fine in the long run. Maybe Warren Buffett can even get in on some shares at a discount.

Seems likely. Probably a large, meaningless fine.

Facebook is a criminal corp. And indeed when you are selling data to clients that resell or do with the data as they please (including mining them) they should be under criminal investigation. Thank God the FBI exists and counting for the day that criminal charges are brought against executives who broke the law.

Considering they are accused of broad criminal activity, your statement should be considered a valid expression of public opinion on the matter, and should not be downvoted.

First, the post is sensationalist populism that only serves to pull the conversation down and cause shouting matches.

Second, Facebook is not currently "accused of broad criminal activity". They are being investigated for breach of a consent decree, which may lead to criminal charges, which in turn may be broad.

Excuse me for being short, but common sense analysis by a technically inclined person results in the nearly undeniable conclusion that FB exceeded reasonable monopolistic boundaries long ago, and presumed itself, under Zuck’s leadership, to be so important as to be responsible, e.g. for “maintaining integrity of elections”. It’s no exaggeration that he fancies himself the leader of a sovereign nation, backed by an army of lawyers and special interest connections private and government.

In public testimony, imo Zuck came across as a smug mob boss intent on accumulating power without bound. The recent pivoting, conspiracy theory rumors that shall remain nameless accusing Zuck of rogue CIA cooperation, news releases about criminal shenanigans surrounding data sharing coinciding with the excessive global downtime yesterday, and now his consigliere departing, all look suspicious.

At the least, it’s an obvious monopoly controlling a significant cultural aspect of a global social graph. Now they are moving to undo the messaging unification. Last week they wanted gossipers to have more privacy so they can gossip and get away with it better.

I admit to being biased, but given my direct research on how data moves around the Facebook world whether a member or not, whether you have blacklisted any FB domains using Little Snitch etc, disable all remote JS, doesn’t matter, they keep tabs on you somehow. They are essentially their own intelligence community with unchecked power and reach.

The accusation from Voldemort is they had or have secret deals with telecom etc which if true is beyond insidious. IANAL but common sense wise if that’s true, they should be broken up and not simply by undoing messaging unification.

The fact that FB and all of its services were down at the same time can't really be a coincidence, can it?

Is Facebook trying to delete incriminating evidence? It wouldn't surprise me one bit if they did that. I hope the prosecutors are smart enough to look for evidence of this, even though I'm sure FB's experts will try to leave as few traces as possible.

OT: While I like how FB is recently struggling, I have to say that their open source contributions and the teams working on those are by far the best in this industry. I hope they keep up doing this great work despite all their problems.

Looking at code in Linux contributed by Googlers I don't see how what Facebook has made is better "by far". In my opinion it isn't better at all but that's just me.

by far?

Red Hat, IBM (Linux, Java, etc.) for starters...

Intel (Linux, Mesa), Microsoft (VS Code, .Net core, Python, Language Server Protocol)

See also, for the next likely criminal investigation:


That page reads like a mishmash. Fake sites is it? "Plainsite not so plain," it would be helpful to provide some kind of flashlight.

I suppose we’ll someday hear that many of the companies who got people’s data have themselves been hacked, and that privacy is ended for many people. Surely Facebook must have some responsibility in such cases. It can never be too late to benefit from proactive protection of one’s own data; isn’t that why people have been leaving Facebook?

It's going to be great seeing all the years of HN commenters complaining that no bankers went to jail, insist that it's bad policy for software engineers to be held criminally liable.

Usually when I saw those calls to hold bankers accountable (especially when referring to the recent recession), they are talking about the executives of the company. While Zuckerberg was an engineer, his day-to-day role now is the executive of the company. So, I think the comparisons to bank executives and tech executives are similar. However, pinning this on software engineers is an entirely different ballgame.

Meanwhile I hope this thread stays at the top of HN for the day to see how the thread summary reads over at n-gate


Don't violate the prime directive.

That’s quite the hate-on someone has at that site. There’s some funny to be had, but it’s mostly very tryhard. The “coverage” of the Vitamin D thing was great, but when there isn’t low hanging fruit it just sort of defaults to generic noise. Without the anger and repetition it could be worth reading, but as it is there’s a lot of predictable 4channery.

Have you considered the possibility that you might not be the target demographic?

What’s the target demographic, and what demographic do I represent?

I'm pretty sure I'm at least partially it. I like to check the site out every now and then to get a point of view from the other side. HN, although having a lot of high quality discussions, can sometimes be a deafeningly loud echo chamber, and getting a different perspective helps to, well, put things into perspective.

People in need of a chuckle?

I mean there's Poe's Law and then..

for me, it's stuck on the security check - or is this the joke?

I think it only does that when linked from this website.

ah, okay, it works now. I wondered about a broken captcha being the joke after seeing their about page: http://n-gate.com/about/

I'd like to go on record advocating both groups be imprisoned.

If in order to get equal liability we have to _really_ advocate for our interests.

Wholesale surveillance of individuals by internet companies has to stop. And that includes Google.

It has always been the advertisers that are asking for the sort of tooling that can be taken advantage of during the election cycle. If you don’t think Russia should be able to manipulate the black voting populace then maybe it’s worth thinking about whether Unilever should be able to specifically target and market axe body spray in the same fashion. The tools only exist because advertisers are paying for them. Blaming Facebook is akin to being mad at a Martin Shkreli, both are playing within the rules of a bad system.

> Blaming Facebook is akin to being mad at a Martin Shkreli, both are playing within the rules of a bad system.

That's such a poor excuse. Lead by example.

When many of the "rules" they're playing by are the way they are as a result of the massive amount of money those corporations spend lobbying to keep them that way, they no longer get to play the "we're just playing by the rules, change them if you don't like them" card.

Martin Shkreli didn't play within the rules, which is why he's in prison today.

What he is in prison for is not related to what most people are mad at him for.

Oh, poor FB and Google! They are playing by rules of a bad system!

C'mon, they are surveilling billions of people, selling, sharing, and using our data en masse. They monopolized internet, search and digital advertising. And I need to be sympathetic to their situation?

Since when is Google the owner of the Internet?

That's the "deflect" part of "Delay, Deny and Deflect"


prediction: record fines coming

Create a culture that is so fixated on wealth above all else and this is what happens. When everyone around you is judging you based on what you have and on the successes you've achieved, what motivation does one have to behave morally? God died and the dollar took its place. I know we will one day look back on this in complete confusion as to how we just watched things so clearly destructive destabilize the country. It's always hard to understand how these things happen when looking at history without being in the contemporary madness of the times.

> destructive destabilize the country

I don't think Facebook is destabilizing the country. In fact I don't think anything bad at all is happening. Like please explain to me your negative repercussions from Facebook sharing some of their data with Amazon. How did that undermine the country? People have gotten so hysterical about this topic, it's a madness, and that is what's destabilizing the country IMHO.

Like OP is calling to put some of the most brilliant minds in Silicon Valley in jail, which is ridiculous! But if anything like this should happen, I think you gonna see FAANG & Co seriously consider rebasing outside U.S. (well maybe not G)

> I don't think Facebook is destabilizing the country.

umm.. massive and hugely polarizing public influence campaigns, if extant, aren't destabilizing?

> Like OP is calling to put some of the most brilliant minds in Silicon Valley in jail, which is ridiculous!

plenty of brilliant sociopaths out there.. brilliant != good.

It is possible to act morally without God as motivation. God was a strong motivator in the Dark Ages- did people act more morally then?

It is possible to be a capitalist and act morally. Rates of crime are at some of the lowest levels of all human history now.... is that a sign of immorality?

Morality is about making responsible choices.... often tough ones. Abdicating responsibility to a deity or a monetary system is the opposite of what is needed for morally responsible decision making.

it's possible to be a "moral" capitalist but not without strong laws and punishments. There are countless # of instances where corporations have gotten away with either indirectly or directly knowingly doing harm.


My first thought after reading the headline was that they had been placed under some kind of litigation hold and had to immediately back up all of their data on US customers to comply.

Just baseless speculation; I don't work for Facebook or have an inside source.

Not directly.

But employee burnout (and the nascent mass exodus of top talent we'll inevitably be hearing about shortly) may very well be.

Perhaps related: the frequency of FB Production Engineer recruiters reaching out to me has increased in the last couple months.

I simply can't sell myself to an immoral organization where, I’m afraid, any concerns of mine would be drowned out, ignored, or silenced by the incumbent powers at Facebook that are dead set on their current path.

There might be good engineers at Facebook trying desperately to change the culture, but I encourage others to resist fighting the (in my view futile) good fight.

> I simply can't sell myself to an immoral organization where, I’m afraid, any concerns of mine would be drowned out, ignored, or silenced by the incumbent powers at Facebook that are dead set on their current path.

Facebook is doing so many shady things that you would likely be able to verify that your fear would be proven correct, but many other companies do shady stuff too and you'd be none the wiser simply because they don't do enough of it to trip your alarm. The amount of stuff going on that can't stand the light of day is usually roughly proportional to company size, or, if the management is at all enlightened, non-existent because they instruct their employees to not just follow the law but to do what is right. That's pretty rare though.

> Perhaps related: the frequency of FB Production Engineer recruiters reaching out to me has increased in the last couple months.

As a further anecdote, I just had a FB recruiter contact me about an ML position three months after they rejected me and I told them never to contact me again.

Oh wow, this is going to be huge.
