It uses energy and bandwidth I paid for to surreptitiously transmit my information for use which will solely benefit Facebook and the software developer.
I feel like I'm in the minority here -- but I don't understand the problem.
Software developers want to know whether their existing marketing methods are effective. The FB SDK helps with this. You always have the choice to not install the app (if you don't want to).
This also helps developers make sure their marketing is effective and reaching the right people, which seems like a win-win to me.
>Software developers want to know whether their existing marketing methods are effective. The FB SDK helps with this.
As you mention, this is something the software developer want, not necessarily the user.
>You always have the choice to not install the app (if you don't want to).
This argument may have some teeth if directed toward a user in our industry. Depending on the scope of the particular software in question, the majority of users is likely to be those outside the software industry; the layman. The argument falls flat when the other person doesn't have the necessary understanding to be able to perform thoughtful analysis.
>This also helps developers make sure their marketing is effective and reaching the right people, which seems like a win-win to me.
That may be one reason this practice is in-use. I don't see how it makes the difference: the software developer continues these practices with no consideration of their user, much less the user's consent or indication anything is going on at all. It's all about what the software developer wants, not the user and that's not OK.
> It's all about what the software developer wants, not the user and that's not OK.
I work in Software Development. Most of the time, the user doesn't know what he or she wants. They might feel that something is just not right, but don't know why, or cannot express why, because they don't know. Or don't care: I used to send out surveys, and the response rate was usually around 300 out of 50.000 confirmed users. That's... not much. At least for me, if I need to make major decisions.
My main takeaway with metrics is that I'm fine to give metrics to the vendor, as long as it's only me and the vendor, and as long as I know what it's used for. Also, it depends a lot on what is tracked.
Starting and closing the app, ways the user took to get to a certain point - I'm fine with that. But dare you transmitting my file names over to your server. Or any data I enter. That's none of your business.
You wanting more data does not give you license to assume consent for using a device you do not own to spy on a user. Even if a majority would have consented, assuming consent means that you are now co-opting some number of devices which do not belong to you to do things the owners of those devices do not want to happen.
Well - the user is using the device with a part that I created. If the user doesn't want to participate in enhancing the product, we need to go the old school way of enhancing products: Research. We need to conduct studies, do testing with test persons, etc.
This can be done, sure. But then your off-the-shelf app won't be available for 99 cents or for free, but cost more like 19.99 USD.
Might help streamlining the market, so I‘m open for that.
This very same argument would apply to, say, "5% of the price of my dinner goes towards healthcare for the waitstaff. That's something the company wants, not something I want."
There are much better argument for it being spyware, e.g., that it spies. It's not a very strong argument that a thing is bad simply because it helps the provider of the thing.
It is not the same argument. Money is fungible, you know exactly what you are paying and the cost to you, how the money is used is not usually your problem [1]. In this case you have no idea how much and with what you are paying. The app could be exfiltrating all kind of information and you have no way of knowing.
[1] although people might have issues with unethical or illegal uses.
>This very same argument would apply to, say, "5% of the price of my dinner goes towards healthcare for the waitstaff. That's something the company wants, not something I want."
I'm not sure I follow. If you're paying the same amount in either scenario, how are you adversely affected when a portion of your bill is allocated to a healthcare account?
>There are much better argument for it being spyware, e.g., that it spies. It's not a very strong argument that a thing is bad simply because it helps the provider of the thing.
I'm lost here, as well. Your argument is that I haven't made any arguments stronger than "that it spies"? I agree that stating only "that it spies" would be lacking critical thought and analysis, but my arguments have been more specific. The whole "it spies" assertion, generally speaking, is the basis for the more detailed responses I've submitted to this discussion.
Do you expect 100% of the cost of your meal to be the raw ingredients? Surely in (almost?) every single retail or service transaction, part of what you are paying is going towards operational costs, taxes, and yes... employee health insurance.
OK, but those taxes are paid by someone (usually business taxes). I am strongly in favor of government-funded healthcare but the number of countries where the government can be funded by, like, drilling oil is very small, so I think my argument stands - some portion of the money I spend on dinner is going not towards things that directly produce my dinner but things that someone else thinks is worthwhile. Even if I agree with it, it's not my decision.
Structuring something in the interests of what benefits them won't necessarily align with what benefits you, since the actual structure of the relationship matters, as brief regard to my flippant comment on your analogy. It isn't about what % of dinner goes to healthcare - it's (and I was assuming some hideous employer-pays healthcare system) rather about the system which is built to align incentives and benefits in certain ways. That is, I stand to lose in many situations if healthcare is provided directly by the payments of my customers, or whatever.
Likewise, with privacy, it isn't just that 'it spies', it's that what it purports to aid me in is likely coincidental. Just like a targeted advertisement actually really benefiting me is effectively irrelevant to the advertiser - it's just nice if our incentives happen to align, for one brief moment. :-)
User benefits from effective marketing. If software dev knows who their audience is better it means product will reach the correct customers more efficiently. It is win for everybody.
Marketing platform and the product being marketed benefit from effective marketing.
That the user was “sold” to is not inherently positive. Not all products are good. Not all users can afford products they’re buying. Not all users necessarily understand they’re paying in ways they’re unaware of.
Straying away from social media in this example, cigarettes and alcohol feel like good candidates here.
It has to say something about the effectiveness of your marketing if the only way you even observe it having an effect is by installing spyware on every users system.
If companies genuinely believed that they'd advertise loudly that they were using the ad platform. The fact that they do it surreptitiously speaks volumes.
What’s wrong are two things: lack of transparency and lack of choice. They could just ask where people got the app, and offer them a choice not to disclose, but they choose to not offer the user that choice and to not transparently communicate the choice has been withheld.
That’s user-hostile.
The problem with saying “just don’t install the app” is that you have to be informed first, and that even then you have no real choice. If you want to take part in digital social networks you must surrender control and privacy. If your data is a valuable commodity you should be able to decide who gets what, just like you decide with your money. But you can’t, not really.
It is not clear to users which apps use the Facebook SDK, so they can’t avoid them even if they wanted to. And so many do include it that it’s hard to find alternative apps…
> You always have the choice to not install the app
You also have the choice to consider the practice questionable, unethical, a systemic problem once it becomes widespread; to highlight it in public posts and forums, to protest how widespread it has become, to believe that it should be illegal in the context of consumer and privacy protections, to lobby for making it illegal, etc.
I think it's pretty clear that if you're not paying for the application, then you're the product not the customer. Even the most ignorant users have probably got that message by now.
If the app is paid-for, it's less forgivable to be using this kind of spyware.
The user has not explicitly allowed this information to be collected, yet the software developer wants to. That I think is the definition of spyware.
If I were to project this pattern 10 steps further, a software developer may want to know the gender and emotional state of the user installing their software using the front camera. That would also be a spyware, but it's on the higher end of the spyware spectrum.
>The FB SDK helps with this. You always have the choice to not install the app (if you don't want to).
up until now I wasn't even aware of the facebook sdk or that say, spotify is sharing my data with facebook even if I don't use their login option so it's pretty hard to make a informed decision.
To the best of my knowledge, no. Even if we assume advertising attribution falls under legitimate interest (which isn’t certain), it would still only allow them to call out to Facebook once after install to report whether the app was installed from an ad. As of right now the Facebook SDK calls out every single time the app is opened or brought back in foreground.
Spotify is actually using Facebook for login, though, so they don't necessarily use App Ads. The original commenter only said that it's the reason most (but not all) apps use the SDK.
Facebook Login can be implemented with plain oAuth without sending any data to Facebook until the user actually uses the FB Login feature.
Regardless of which SDK features they use the SDK calls out to Facebook with the device's fingerprint and a persistent UUID every time the app is launched or brought back into foreground.
Would 100% suggest going the basic OAuth route with FB, and not relying on their SDKs whenever possible. Been bit by Friday-afternoon-PST deployments that wreak havoc until work starts Monday too many times :/
It's not exactly what you want, but just yesterday I made AccountsJS work with Facebook OAuth.[1]
I was glad today when watching this newsline, to have avoided the facebook SDK.
I think OAuth is usually better because every major provider has some version of it and so you basically can implement them all the same or at least in a really similar fashion.
Ah. I'm thankful for the opportunity, err... requirement to trade my privacy for others to have one fewer password to deal with. And of course for Facebook to have more personal data to munch on.
I'm not really sure what the problem is here. You are perfectly free to not use Spotify, or any other app that chooses to utilize Facebook login or other components of the Facebook SDK. Spotify made their choice to use the SDK for whatever gains they get out of it, and as a customer you can choose to not use their service or app if you disagree with that.
There's even comments in this HN thread that point you on how to do it on Android if you're so inclined.
This is really just a variant of the "and yet you participate in society, hmmm" argument.
At some point users are allowed to complain about shady behaviour done by huge corporations with resources they use to try to thrust their way into everyones lives.
And at some point, companies are allowed to make their own decisions about how they want to instrument and monetize their products. This general complaint about not liking a component of someone else's software doesn't resonate with me at all. Not that you're wrong, but we just have different values.
I sometimes will load a website that uses React when really it's just a static content site. It just gets tiring, and doesn't add to the conversation, when every discussion about an article that could be HTML devolves into that. I get that other people feel that way, and in many ways I share their values... But it becomes its own sideshow and hijacks the otherwise interesting conversations, without adding anything new.
<< I get that other people feel that way, and in many ways I share their values... But it becomes its own sideshow and hijacks the otherwise interesting conversations, without adding anything new. >>
With sincere respect, I don't understand this argument, in general, whenever it comes up. Whenever I find a discussion unhelpful or tedious, I move on or mute it. Often, I've been in an interesting online discussion, and someone pipes up with the wish for everyone to stop talking about this topic because it's not interesting, when they have the tools available to not follow the discussion.
>> And at some point, companies are allowed to make their own decisions about how they want to instrument and monetize their products.
No, they are only allowed to monetize according to laws and regulations. There is nothing magic about software making it right to disregard laws or not having respect for customers. It feels like some think software should be where to world was at the start of the industrial revolution, where companies could do what they wanted and there was no laws stopping them from dumping acid in the river.
Obviously companies can choose how they want monetize, that doesn't mean you are obligated to defend then when what they're doing is scummy it immoral.
Why deflect criticism.by saying "well you don't have to use their app now do you?"
When a person does something immoral rarely do people defend them by saying "well you don't have to engage with them now do you?
Why not debate the morality or legitimacy of the act in question rather than deflect try to deflect the criticisms?
Spotify made their choice to use the SDK for whatever gains they get out of it, and as a customer you can choose to not use their service or app if you disagree with that.
Wrong. At least for EU citizens.
If Spotify are collecting data in this way (and not only using the SDK for Facebook Login), they are in violation of the GDPR. There must be clear unambiguous consent to collect the data in the form of an affirmative action of the user and it must be possible to use the app without giving consent, because the Facebook data collection is not essential for the app to operate.
If they do share data with Facebook, Spotify should be scared, since they are definitely large enough to be on the radar of the EU or national bodies.
Moreover, outside the EU it would be dumb for Spotify to say "just don't install the app if you don't agree". The 10 Euro per month that premium users pay is worth more than some Facebook tracking.
> If Spotify are collecting data in this way (and not only using the SDK for Facebook Login), they are in violation of the GDPR.
It's kinda worse. They "only" open the gate wide and any of your data they can see is there for Facebook to take. It can feast on any data it can grab with the same permissions the main app has. Like a fucking virus from MS-DOS times infecting binaries, but this time developers are doing it quite voluntarily.
There should be more visibility on where a user's data is going. User's should be informed, similar to malware sites, they should be informed "this website is sending your data to the following companies" etc.
For the average user out there, the fact is, most people only care about privacy when there's a breach/outage/scandal of some kind. Otherwise, the average person is not going to have "zomg fb is spyware" on their mind.
If apps start charging money, there would be a significant drop in the # of average user installs. Then the app would only make money off of privacy focused users, which is comparatively small.
>For the average user out there, the fact is, most people only care about privacy when there's a breach/outage/scandal of some kind. Otherwise, the average person is not going to have "zomg fb is spyware" on their mind.
Because they don't know.
Like every industry, there are practices involved to which the layman is oblivious. It is important to remind ourselves that the reason the majority of users aren't vocalizing their concerns with these unsavory practices isn't because they don't care but because they don't know.
The 'not knowing' part happens when the outrage is then transferred to any app which does integrate the FB SDK (like zoom). We as developers have sortof taken for granted that the FB/Google/etc SDKs can do no evil. Maybe that attitude should change, because public opinion certainly has.
>The 'not knowing' part happens when the outrage is then transferred to any app which does integrate the FB SDK (like zoom).
Sorry, I'm lost here. Can you elaborate?
>We as developers have sortof taken for granted that the FB/Google/etc SDKs can do no evil. Maybe that attitude should change, because public opinion certainly has.
Previously, you mentioned
>If apps start charging money, there would be a significant drop in the # of average user installs. Then the app would only make money off of privacy focused users, which is comparatively small.
I don't have any reason to believe sales would lessen if a formerly "free" application began charging. The difference, however, I have no idea. You mention "significant" which is, of course, relative.
It isn't difficult to see the incentive at work in this scenario:
a) I could charge a nominal fee for use of my software, foregoing the unsavory practices discussed in this thread, and make X amount of money.
b) I could sell my user out and potentially make more than X amount of money. How much more? I don't know, but more.
That makes sense if you're talking about ads in the app, but that wasn't the discussion. The discussion is about the marketing folks running ads on Facebook for the app and wanting to know how effective those ads were.
If the software developer would charge a reasonable price directly to the user, they wouldn't have to use intrusive and unreliable libraries like Facebook SDK.
Nowadays, lots of things are spyware. It's important that we acknowledge this fact. Back when the Internet had a more technical userbase, the shady nonsense software tries to pull nowadays would not have flown at all. Those people would be outraged, and they'd absolutely agree that things like Facebook, Spotify, and Windows 10 meet the definition of spyware.
But slowly, the Internet population grew to include the masses, and it turns out most people don't care whatsoever about what their software is doing or how it works so long as it gets the job done, whether that's communicating with relatives, playing music, or providing a platform for other applications.
2. They begin applying the label to as many things they don't like as they can get away with.
3. This changes the definition of the label, causing it to become some blanket umbrella term.
4. The label loses its power, because it now describes many lukewarm behaviors instead of just the worst offenses.
For example, it's popular nowadays to say "everyone is racist." Well, if everyone is racist, is being labeled a racist really that bad? Not compared to what it used to imply about you.
>That definition is rather too broad. It makes basically everything spyware which dilutes the word too much to be useful.
I don't agree. I was very specific in stating that the practice of consuming a user's resources to transmit their information, without their explicit consent, nor an indication of the activity, for the sole benefit of Facebook and the software developer, can absolutely be considered spyware.
Devil's advocate: you could always not run those apps. Although for non-technical users it would be challenging to determine if the apps were transmitting that info, it's possible for technical users to detect it (assuming the info goes to an obviously-facebook url and isn't piped through e.g. spotify)
Additionally I don't think there is anything wrong with client-side analytics in general since it's basically the only way to monitor performance/usage in production. And this type of thing is hard to discern from the more benign case
>Devil's advocate: you could always not run those apps. Although for non-technical users it would be challenging to determine if the apps were transmitting that info, it's possible for technical users to detect it (assuming the info goes to an obviously-facebook url and isn't piped through e.g. spotify)
But therein lies the rub: the overwhelming majority of users of software are not like you and me and have no idea what's going on behind the curtains.
>Additionally I don't think there is anything wrong with client-side analytics in general since it's basically the only way to monitor performance/usage in production. And this type of thing is hard to discern from the more benign case
I hear this argument a lot and I empathize with the idea that having such information can aid in the development process. However, the argument asserting that some data may be useful to the developer so the developer is thus entitled to it, doesn't wash.
Regardless of the ubiquity of this behavior in today's software development industry, the fact remains that this process consumes the user's resources without their knowing or say in the matter and it's not OK.
Some of them aren't, though. The Facebook SDK isn't a trivial resource. It also depends a lot on the specific device the software is being loaded on to. It may be trivial to a newer device or one with upgraded hardware, but perhaps not so with baseline hardware or devices several years old.
>If you don't like it you don't have to use the app that you chose to install.
This argument may work with someone working in the software industry, but falls flat the moment the implied obligation is place on the unsuspecting.
My bank has the Facebook sdk in there app. At the time they where the only bank willing to open an account for an under 18, international student. I queried them about opting out, they told me to opt out on Facebook's end. Not sure how I would avoid banking.
What is this fresh hell? If you buy a spatula on Amazon, would you accept "client-side analytics" on what you cook because "it's basically the only way to monitor it?" Or would you say that your spatula usage is nobody's business?
I love and happily pay for Spotify, but it is eye-opening that they send any data to Facebook. Well, shit.
> Additionally I don't think there is anything wrong with client-side analytics in general since it's basically the only way to monitor performance/usage in production. And this type of thing is hard to discern from the more benign case
I think in these situations it often helps if we would find this behaviour acceptable in the real world. For example we see advertisment in airport toilets or malls or whatever. As someone pointed out, the company advertising does have an interest in finding out if the ad is effective. So would people find it acceptable if someone was following the from the advertisement and writing down which stores they go to, what they buy? I acknowledge that there is significant effort to develop technology (e.g. using ultrasound) to do this, but the efforts to do this covertly are IMO a good indication that people would not accept it if it was done in the open.
That's what I acknowledged with the ultrasound tracking (I was not aware of the tracking at Schiphol). But it just reenforces my point, if they would do it openly people would strongly object. Privacy invasion using technology is so abstract that it doesn't really relate to reality for many people (even very smart people).
I can see a difference between paid and free-to-play apps.
If I pay for the service, I can expect that the service is taking nothing more from me than the payments I make. Our contract is explicit.
If it's a free-as-in-beer service, then the user must realize that the business which is offering the service expects to get something for its purposes from the user, such as user's eyeballs and user's computing resources.
If it benefits the software developer and this is what allows their business to work, then that benefits you. If it didn't then you wouldn't have the app.
I’ve got tons of apps in my App Store’s update queue, some that I haven’t updated for a couple months and they still work perfectly. Uber is one that comes to mind. They keep changing the UI while I keep using the same version from ages ago. I don’t bother updating anymore, it’s just noise.
I do update banking and critical apps (say, VPN clients, PDF reader), though.
In the consumer app cases, either I'm hitting somebody's backend with wrong data, which fails and so I update the app, or more frequently, those whiny apps with almost daily updates are just a WebView shell to some website.
Otherwise, what a hacked iOS sandboxed app can do? If there's an exploit to escape the sandbox, like in the WhatsApp case, we have a way larger issue and I wouldn't expect a random hacker to waste such an exploit that could be better targeted at Jeff Bezos or so.
Other exploits are for system apps (Mail, Safari, etc) and are handled by OS updates.
There are other ways to target / close the circle. App developers can share emails of new installs with facebook for cross match and more options. Would this feel better?
>There are other ways to target / close the circle. App developers can share emails of new installs with facebook for cross match and more options. Would this feel better?
Of course not because it describes the same behavior.
It's difficult to argue about whether it's "surreptitious." It's certainly no secret. I think this is why you need organizations (perhaps government or otherwise) to establish standards for what is and isn't acceptable, so we don't have to quibble over words like "surreptitiously."
There is no easy way to tell whether an app shares data with third-parties without setting up an MITM proxy or a packet capture. As far as the majority of users are concerned it is a secret.
>It's difficult to argue about whether it's "surreptitious." It's certainly no secret. I think this is why you need organizations (perhaps government or otherwise) to establish standards for what is and isn't acceptable, so we don't have to quibble over words like "surreptitiously."
It is a secret, though. Outside of you, me, and a few other folks like ourselves, users of this software have no idea what's going on behind the curtains. There is no overt disclosure to the user explaining the myriad communication exchange, occurring on a nearly constant basis, between their device and some remote server(s); much less giving the user a say in the matter.
Stating the use of the word "surreptitious" (to act in a clandestine manner; exactly how these communications are executed) amounts to a mere quibble is disingenuous.
I cannot easily see what information goes through an ASP form submitted with a ViewState parameter (where the page state is encoded in a blob buried in a JS var or HTML comment). Is that also surreptitious?
>I cannot easily see what information goes through an ASP form submitted with a ViewState parameter (where the page state is encoded in a blob buried in a JS var or HTML comment). Is that also surreptitious?
I can't say I completely understand the scenario, but if you're talking about a user filling out a form, then submitting that form, then no. That would be expected behavior.
Data may be encoded in any number of encodings depending on need. Encoded data isn't always human readable; especially so during secure transmission. It's not so much the inability for a human to read the encoded data as it is the data being consisting of only what is necessary to perform the action expected by the user; those expectations, of course, set via whichever means the user is interacting with the software.
That's exactly my point. "Surreptitious" is being used to mean "I think it's bad, and I think it's not expected." The "bad" part is obviously subjective, but even if we agree on that, the latter is where you really need standards bodies to agree on what is acceptable technology practices. To me, ad tracking is definitely expected (regardless of whether I think it's bad). I suspect it's also expected by nearly all HN participants, and ubiquitous ad tracking is even in the mainstream public consciousness outside of tech circles.
Then that's the fault of companies who fucked up self-regulation so badly that the government has to step in. If they had behaved, this wouldn't be necessary.
There absolutely could, if the new legislation were easy enough to circumvent for large companies but expensive to implement for everyone else, giving big players an even bigger advantage as far as data goes.
>Having a government full of technical lot illiterate politicians regulating digital advertisement - what could possibly go wrong.
I'm not sure that argument works.
If we expand a bit, It wouldn't be difficult to find that governments are mostly comprised of <industry> illiterate politicians. There is no need for a government to be comprised of digital advertisement industry specialists in order to pass meaningful industry regulation.
You're trying to convince me that the system isn't perfect. Listen, I've long since agreed with you.
I commented on your initial response because it was overly dismissive and implied the only way forward is to first wait until we have a government stocked with domain experts who only act only on policy within their domain. It dismisses the fact that it is unlikely that the politicians introducing regulation were solely responsible for its construction.
Yes, there is corruption in government and yes ignorance is painfully obvious in some legislation, but to dismiss the idea of enacting regulation because the politician(s) signing it into law may not be experts in the field the regulation addresses, isn't at all practical.
I'd further argue that it is incumbent upon those working in industry to ensure the creation of regulation is conducted transparently and includes representatives from the industry to contribute the necessary knowledge and expertise required to formulate the law(s) such that society benefits from the protection and commerce suffers no undue burden.
Given the choice between a corrupt company and a corrupt politician, the corrupt politician can do far more damage. It’s far easier for me to choose which companies I use than choose which government that I am under.
The government can do and has done far more damage than big tech.
> Is that "spyware"?
No You know its being used then you install the app. You have a choice. Either don't use Spotify and go to some shitty open source music app or give your data.
Yes, absolutely.
It uses energy and bandwidth I paid for to surreptitiously transmit my information for use which will solely benefit Facebook and the software developer.