The creators of those various libraries should have a valid legal case against Facebook here, if they want to exercise it. I doubt any users are being harmed by this but it’s a violation of the software creator’s rights.
> copying and uploading the libraries is actually illegal (copyright violation)
That isn't what is happening here - the headline is misleading.
Further into the tweet (FFS, it is a tweet and people aren't reading it all before reacting!) it clearly says "It periodically uploads metadata of system libraries to the server".
Basically that means they are sending and storing what versions of what things you have, not the code or other data in the libraries themselves. I'm pretty sure there is no reasonable copyright on the name and version number of a library in this context.
If it is being done for fingerprinting purposes then there might be an unreasonable tracking claim by the users, but not the library copyright holders.
The less worrying explanation is that it is being used for problem analysis: if a new version crashes a lot but only on devices with a specific version of a specific library, that makes tracking down the bug and implementing a workaround or fix much quicker. Of course this is Facebook so if it is for the issue analysis (which it almost certainly is) but can also be used for fingerprinting as well, you can bet your bottom dollar that it will be used for fingerprinting as well.
"Facebook can upload the entire files of all system libraries to their server through their Android apps"
"I found they have already collected metadata of 2233 system libraries from my phone, in which 1162 system libraries are pending to be uploaded"
So they've already uploaded the metadata and are in the process of uploading the whole files.
At first glance, the amount of damage being done is close to nil — even if they reverse engineer received files to steal trade secrets therein (lol), it is hard to pinpoint a specific amount of harm dealt to the copyright owners.
But actually... why are Facebook people doing that? If I were to wager a guess, Facebook needs those files to create exact copies of user systems to debug. In other words, they are trying to save up on buying real devices for their test lab! Using "pirated" copies of libraries to spin up testing VMs is most likely cheaper than owning lots of real smartphones with all available firmware versions. And also illegal.
I wonder if they gauged possibility of being sued for this along with possible legal expenses and found that it is still cheaper than buying those devices themselves.
Is it though?
If I'm uploading a library to virustotal to check if it's a known piece of malware, am I breaking the law if it was clean?
There are additional exemptions, including copying which is required in the normal use of software, and possibly other information, on electronic systems. Whether copying to a malware-scanning service may or may not be included in that, though it would seem a fair argument that it should be (transformative, doesn't impact market, does affect the whole work, purpose is constructive and not otherwise served, context is specific to the nature of the work).
Absent a rather dubious user agreement allowing Facebook to copy all the data off your phone, Facebook does not have that fair use right. Nor is it likely even remotely ethical to be doing this without explicitly notifying the user. So, illegal and unethical, but I guess unless some PR firm is paying the news media to be outraged about it, they're not likely to care.
Note that there is an exception for such a copy when it’s necessary to run the program, I believe this exemption was added because otherwise running an executable on a personal computer would have been a copyright violation.
> a) Making of Additional Copy or Adaptation by Owner of Copy.— Notwithstanding the provisions of section 106, it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:
> (1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or
> (2) that such new copy or adaptation is for archival purposes only and that all archival copies are destroyed in the event that continued possession of the computer program should cease to be rightful.
Perhaps, but sadly, I don't actually foresee vendors wanting to exercise that right. From a business perspective, why bother?
Maybe in jurisdictions like the US, where the copyright lobby has been very effective in getting aggressive anti-piracy legislation with huge penalties enacted, the statutory damages alone could be astronomical? Since Facebook could still afford to pay them, it might also offer to settle for a very worthwhile sum without even the risk of going to court.
I'm generally not a fan of hugely disproportionate penalties for copyright infringement, but this isn't some normal person falling victim to opportunist lawyers engaging in a form of barratry, this is a huge company with its own legal team who should know better than to wilfully infringe copyright.
They could potentially have ... friends ... who would have an interest in seeing a case brought, though.
(And since Bollea, barratry seems acceptable.)
But Facebook? Not so much.
There are definitely some non-shady useful reasons to do this, but Facebook has sorta lost my default assumption of not-evil, yea.
Next step to reduce creepiness is to only upload info on system libraries that actually affect the app (so if some users experience crashes and others don't, they can trace it to differences in system libraries).
Edit: see for instance https://www.usenix.org/conference/usenixsecurity17/technical...
I don't know, you could be right—maybe Facebook really wants their analysis to only run on their own servers. It just seems like a stretch to me.
What are the risks?
"How do you sleep at night?"
"On a bed made of money."
(I'm talking extreme end here, btw). Someone doesn't turn to high crimes overnight nor are they (usually) born that way. You start off making smaller immoral decisions which then become normal. You essentially move the bar a little more and more. People sleep at night frankly because they no longer think that these things are immoral. That's why there's plenty of sayings along the lines of "the path to heaven is long and narrow and the path to hell is short and wide".
Obviously morals are flexible and need to be to survive in this world. But the thing is when people are put into environments that encourage this bar to be pushed too far (by what society determines is too far).
Btw, if you like podcasts Hidden Brain did an episode on this concept that went through how an athlete went from taking no sports enhancing drugs to being a major dealer. And they decompose each step and how reasonable they seem in the context.
Tldr: it's no longer immoral for them, so the real question is "what keeps them up at night?"
Basically the story I remember is that there was a sports athlete that was in the lower ranks and then got a prescription, that they actually needed, that also improved their performance. Then I think it got banned? So they start buying it from another country like China or something. They then started buying in bulk because it was cheaper. Their friends started asking for some because he was getting it for cheap and he didn't think anything of it because he was just helping them save money too. They're his friends after all and he was already buying the stuff. So what difference did it make if he just ordered a little more? Then it started being friends of friends. Before he knew it he was selling tons of this stuff and to people he had no real previous knowledge of.
I now really want to listen to it again so if someone can help find it let me know. I think they might have also talked about Lance (I'm not sure if they interviewed him or that's another podcast I'm thinking of).
Nobody in their forties who has the life experience of being married with kids is going to work lots of overtime and put up with their boss acting like a child and treating them like they are nobody. I guess that's why they like hiring college grads (that and they don't know their value so can be paid much less).
Especially on Qualcomm devices (such as the Jolla phone) Qualcomm explicitly forbids you from distributing their OpenGL drivers. So if Facebook copies libGLESv2.so off from the device they are potentially performing straight piracy at that point.
If I recall the damages demanded by RIAA it was several hundred k per infringement.
I don't think they care for it. They already paid a $5B fine
It’s extremely difficult to diagnose Android native code crashes. Unlike iOS where it is both straightforward to unwind on the phone, and where Apple makes the iOS system symbols available for symbolizing system frames in a stack trace, neither of these things are true on Android.
My first approach for my company’s Android crash manager SDK was to use Google Breakpad. This works by capturing a snapshot of stack memory at the time of the crash. Unwinding then occurs on a backend server. But to unwind successfully, absent a frame pointer register, you need unwind info to provide to the unwinder. This simply isn’t available except for Nexus devices for which you can download the system images from Google. And even on devices where the code was compiled with a frame pointer, you still need symbols so you know what each frame’s function was.
Another approach is to unwind on the device. In my experience, using libunwind, this is successful about 50% of the time. It also risks hanging the app, which looks even worse to the user than just crashing.
Years ago, I briefly considered having our crash SDK, optionally and with user consent, extract the symbols and unwind data from the libraries on the device and upload them to our backend. I dismissed it as too expensive to do on a user’s phone.
Instead, we crowd source as much as we can from our employee phones.
Android native code crashes remain a bear to diagnose. Especially annoying since Android itself collects a ton of diagnostic data about your app when it crashes - it just doesn’t make it easily, or in some cases at all, accessible to the app itself.
This wouldn't be possible in Linux, right?
Basically, this is malware.
Edit: Thanks, all. So OK, I get that it's possible, because apps have read and execute permissions for all libraries that they use.
But it's not common for apps to upload system files, right?
If you have read access, then yes. Conventional desktop and server Linux distributions would allow this behavior. As does Android. Good luck using dylibs without it, anyways.
Since the Android market is so fragmented and customized, this probably saves them from having to buy lots of phones when diagnosing crashes.
The knee-jerk reaction is to feel uncomfortable but these are system files, shipped with the phone, that are accessible to anyone who purchases the phone. This saves FB the trouble of spending $200 every time a new OS update comes out. Personally, with that knowledge, I don't have a problem with this - however, I have a ton of problems with other stuff FB does so I'm happy to keep not using their service.
The difference is in people's expectations of mobile vs. desktop apps. You'd never install untrusted software on your desktop, but mobile OSes provide the sense that software is isolated. In Android, that's mostly an illusion.
It's not like Facebook is some small, unknown malware peddler so that its software should be considered "untrusted". If anything, it's untrusted because it's coming from a scummy company and opaque (due to being closed source).
I knew many Linux desktop users who had installed the Slack client back in the days we used Slack at work. Myself I have installed Skype. Not that I find Skype particularly good, but sometimes I need to communicate with people who have no clue about software freedom.
So, yes the number of "untrusted apps" is significantly lower on a (Linux) desktop, but "you'd never install" is an incorrect characterization.
- build lists of every phone, including carrier variant and internal revisions (pretty common!), to make sure they could be sure they had a complete library
- rely on the manufacturer to publicly post the ROM (cheaper mfg won't do this) (or somehow retrieve the URL from the update mechanism, said URL not easily accessible from userspace)
- handle the multiple different packaging mechanisms that Android phones, especially older versions use (Google has gone a long way in remediating this but FB has to support billions of devices that don't adhere to best practices).
- For ROM packages that are encrypted, they'd need to acquire the keys from real devices.
- and they still would not have visibility into non-posted firmware, such as factory versions with day 1 upgrades (aka many many devices)
- grab the files and send 'em
2. I have doubts that you need copies of all kinds of system libraries to debug that crash. They won't help you debug a crash dump (assuming they don't have debug symbols left in for some reason). They generally won't help you reproduce the crash unless you actually know reproduction steps - it wouldn't surprise me if they tracked every user action, but I doubt they do - so it takes many of those crashes to even start debugging. At that point you probably know precisely which library you need and can obtain it legally.
That said, I agree that uploading the files themselves is not necessary to fingerprint users (the hashes would totally suffice). Unless they do the uploading as a cover-up story, which doesn't make much sense either.
I can see this as an opt-in but not as a silent, default behavior.
So it is piracy.
I mean, an application has to be able to read standard libraries to function, right? Same with any traditional Linux distro and /lib, /usr/lib. Really tight Apparmor or SELinux profiles can lock this down a bit.
Therefore, I can only conclude that the identifying information is which precise system libraries are installed on any given machine. Any solution to this problem other than "have fewer system libraries and don't change them as often" is adding far more complexity to computing than it will ever be worth, and computing already has enough of such "for the security gods!" solutions.
Yes, we're talking about the same thing.
> Therefore, I can only conclude that the identifying information is which precise system libraries are installed on any given machine.
Specifically, it provides very detailed information about your hardware revision, OS version, security patch level, which is generally something that forms part of most fingerprinting suites. Now, I'm not saying that we can solve this problem easily–but I do think it's important to recognize the privacy implications that uploading them can entail.
All to prevent... what? If you log into Facebook, which is presumably why you have the application, then it already knows who you are. Not to mention the hundreds of other ways to fingerprint you.
So Facebook, if it's relying on hardware/software fingerprinting, might compromise multiple users to each other.
Whereas the execute flag on a page allows one to only load data from there but not jump there is nothing that allows one to execute code while preventing mov.
FB has the means (resources) to route around this and find the ways to properly debug apps.
I hope this would find its way to Google Play blocking the app and a class action lawsuit. It's the only fair outcome.
You seriously think that's a good use of bandwidth?
Let's face it. This is the freakin' Facebook app. It's not doing anything so incredibly revolutionary in the field of computing that requires it to be intimately involved in system libraries. It needs to display cat pictures and take in and emit text and make HTTP and HTTPS calls over the network, oh and monitor the user's every move, even while they sleep.
It is wholesale going after every library on the system, AFAICT.
I hope they at least wait for the user to connect to WiFi before pushing all that data.
I would expect them to potentially grab the list of apps separately from that though (Some Ad SDKs do that, not sure if Facebook also does it - https://www.androidauthority.com/sdk-invasion-a-privacy-thre...)
That being said, even if I used Facebook, there's no way I'd install their app because I don't trust them.
It's just that it's not Facebook's place to do this. I wouldn't expect an app Linux binary to upload the contents of /usr/lib, or a Windows app to start sending system32 DLLs off system.
FB can try to sell this as a 'lite-AntiVirus' type service, but that is not its place. There is no indication the app is doing this. It's FB being creepy as usual.
If Google did it, it would be less creepy, just like how Microsoft can grab malicious files detected by Defender -- but they write, support and protect the OS! FB is just an app. It shouldn't be harvesting its users' operating system files!
Google's SafetyNet scans the system files, but it looks for _specific_ files that should not be there and ensures that certain files that must remain unaltered actually remained unaltered to ensure that the security model is still intact, so it doesn't need to violate copyright laws by stealing copies of files off the user's phone without permission or user awareness.
...and funny that you mention Windows Defender because it repeatedly advises the user that it might upload files to Microsoft and asks for their approval for doing so at multiple points. Microsoft is being perfectly transparent about what they're doing and giving users the ability to opt-out. They're also the people who make the entire operating system so they've got an obligation to try real hard to prevent another Blaster incident. Facebook just makes a social media app.
This is the biggest one for me. Anyone who has that data is capable of playing back the 0-days that affect Android. How many Android phones are kept out of date?
As another user mentioned, the Android ecosystem is like the Wild West. Given there's a report for 2.5B active devices, how many can be affected by such an attack?
1% would affect 25M devices, around the population of Australia.
10% - 250 million devices.
40% - 1 billion devices...
And this too:
Not that it is going to matter, any more than you can dissuade members of a cult by telling them they should forego their membership. It just seems to bring the cult closer together.
How good is the sandboxing on iOS?
THIS is a good thing.