> Are you accusing these developers of violating privacy?
Yes, the app is downloading private user messages (ostensibly to show a modified messaging interface) and private photos, according to their feature list.
This isn't a simple DNS-level ad-block, its acting as a proxy where the app developers can intercept and see all data.
An app downloading data on behalf of the user is basically what Cambridge Analytica was doing.
The problem is that data ownership is complicated. If I know your phone number, can I share it with other people? That was CA (me downloading data about all my friends). Here the issue is private messages — is it okay for me to share the messages you sent privately to me? A lot of people will get quite upset if you do that!
If I send you something, you should be able to copy and distribute it as you see fit, no matter what I wish you would and wouldn't do with it, and my recourse should be limited to not sending you more things in the future.
In this interpretation, FB should not have been fined for CA. While it’s a cogent theory, regulators disagree with you and they have guns backing them up.
Thankfully many of us here live in countries where the pen is mightier than the sword. If regulators' opinions don't match up with those of the people, then maybe we need some new regulators.
Not trying to imply there's any sort of consensus here, of course. Just that "regulators disagree" certainly isn't the end of the discussion in any country with a functioning democracy.
To be clear, I'm not saying that there should be no consequences if you distribute a message that I didn't want you to. I'm just saying that I shouldn't be able to stop you from doing so. If you signed a contract saying you wouldn't, and then you do, I should still be able to sue for that, but the existence of such a contract shouldn't let me control your technology to prevent you from breaking it in the first place.
I'm distinguishing between two different meanings of "can't": not allowed vs. not capable. You should be capable of violating NDA/ToS's, but possibly suffer legal consequences if you choose to do so.
> An app downloading data on behalf of the user is basically what Cambridge Analytica was doing.
Nowhere close. CA was asking permissions from users and then got the data from those users and all of their FB friends who did not agree to anything nor did they know their data is being collected.
This is exactly the crux of the problem. Consider Alice and bob, where bob used CA and Alice did not. Alice shares her data with bob. What can Bob do with it? Can he share it with CA?
It’s messy! Another similar problem in this vein is data about you that does not belong to you. Who owns your purchase history from Amazon, or which pages you clicked on? You? Amazon?
That is a naive view. If/when the app devs go malicious, it will be Meta on the legal hook for users' "stolen data."
The press and users will blame Meta, not the developers of this app, or the users that unwittingly handed over their data. The headlines will say "X million Facebook users' data leaked," or "X million Facebook users hacked."
Meta is acting in an entirely reasonable manner for a company under such regulatory and press scrutiny.
Are you seriously saying it should be Meta's job to continuously reverse engineer a third party client (that doesn't even have a privacy policy) to figure out if it violates users' privacy?
That's absurd. Far more sensible to just ban it and call it a day.
If Microsoft provided a public API where you could download all the credentials for both the user and all their friends, then yes, Microsoft would be blamed.
> Yes, the app is downloading private user messages (ostensibly to show a modified messaging interface) and private photos, according to their feature list.
In 100 years, I wonder how we will look back at our generation tried to wrap its head around how digital information works. The implications are mind mending and we've been figuring it out our whole lives, with new aspects appearing regularly.
People like my grandparents couldn't ever download a conversation and share it, not in the same way
What evidence do you have that this application was acting as a "proxy" where the developers can "intercept and see all data"? That's a pretty big claim to make without providing any supporting evidence.
That’s how any third party interface works. It’s a proxy that ostensibly just formats and displays the data to the user but there is no way to guarantee they don’t upload it to their own servers or something, as Cambridge Analytica did (which got Facebook in trouble)
There is in fact a way to verify whether the application sends the data elsewhere.. The most basic of network monitoring tools will immediately indicate what external hosts are being communicated with. If all the network activity is strictly with Instagram's servers, it's plainly clear that the app dev is not siphoning off user data.
So, this is why I ask. It's actually really easy to find out what network hosts a piece of software is interacting with. If the dev really is stealing user data, it should be trivial to prove. This is the evidence I am asking for, otherwise that person's claims are completely baseless speculation.
Again, I'm asking _the person in the thread above_ who made these claims that the app is stealing user data to provide any supporting evidence, perhaps via the methods I described in my last comment. I'm not talking about Meta.
THat's not the what you were asking. You asked 'What evidence do you have that this application was acting as a "proxy" where the developers can "intercept and see all data"?'
The app is by definition acting as a proxy, and therefore the developers can intercept and see the data, though they might not be doing so currently.
Is the Facebook Messenger app a proxy? Is the Instagram client a proxy? Is the mail app on my phone a proxy? I'm trying to grasp what definition of "proxy" you're using here, because every usage of the word "proxy" I've ever see relating to internet services is: "a program which redirects network traffic to another destination". The subject is explored in detail at https://en.wikipedia.org/wiki/Proxy_server . Yet again, I'm seeking to see any shred of evidence that even _suggests_ that the application has acted as a "proxy" or sent more user data to the app developer than absolutely necessary to function.
>The app is by definition acting as a proxy, and therefore the developers can intercept and see the data, though they might not be doing so currently.
You're making an assumption here that hasn't been confirmed. That assumption being that any app accessing user data from Meta is proxying (i.e., streaming the requested data to the app publisher's servers and then passing that data along to the end user) that data through their servers.
Is that the case with the app in question? Is it the case with every such app?
Or are there apps that directly connect to Meta's servers from the user's hardware without streaming the requested data through the app publisher's servers?
The app in TFA may be proxying (see above) data through their servers (that's the definition of a proxy in this context), but I don't know if they are doing so. If they are, there certainly are serious privacy/security issues with that process.
But again, no one has provided evidence that's what the app in question is doing. If they are, you should run screaming in the other direction.
However, if the app is simply performing the same API calls as Meta's app and returning the data directly to the end user, the risk profile is pretty similar for both apps (dependent on code quality, the ethical stance of the publishers, etc.).
Charles Proxy is proxying requests to your browser.
If you use the built-in dev tools to do the same thing, then there is no proxy.
An alternative client for something is (usually) not a proxy. It connects directly.
But more importantly, "a proxy where the app developers can intercept and see all data" is not referring to a client-side proxy. Even if there was a client-side proxy involved somewhere, that would make the initial claim wrong.
That is not the point. The person you replied to wasn't saying they know for sure they were stealing user data, just that Meta has no way of knowing they aren't, and even if they aren't right now, no way of knowing if they will start in the future.
It doesn't matter what the app does at this moment, it can be changed at any point.
Should Meta also ban users who connect to their services from GrapheneOS, since it could be updated to steal all of your application data in the future?
>That is not the point. The person you replied to wasn't saying they know for sure they were stealing user data, just that Meta has no way of knowing they aren't, and even if they aren't right now, no way of knowing if they will start in the future.
But isn't such an application running on the end-user's hardware and making requests at the end-user's behest?
If so, what does Meta have to do with it at all? Should they be allowed to tell me what software I'm allowed to run on my hardware?
The risk you mention is all on the user's side and none of it on Meta's side. If the user decides they want to accept that risk, AFAICT it's no skin off Meta's nose. Or am I missing something here?
>If I grant a friend permission to view my photos, I am not also granting some random 3rd party that permission.
Assuming the "third-party" client is just that (a client app), there really shouldn't be an issue. If I use FluffyChat[0] instead of Element[1], do the FluffyChat folks have access to all my (and those with whom I communicate) Matrix communications? If I use Element, do they have such access?
If you use Firefox to access Facebook, are you granting Mozilla full access to your (and your FB friends') profiles?
There has been a lot of noise about "third-parties" and how they only exist to steal your data.
But we use "third-party" clients all the time. Web browsers, IRC clients, and a host of other "third-party" apps. Why aren't you up in arms about them stealing your data and that of your contacts?
Those other third party apps usually have a monetization scheme that's clearly separate from a need to steal your data or are open source which allows you to see if there's any weirdness or build it yourself. And I shouldn't need to mention that if it was found out that Firefox was uploading data from every page you read to their servers that there would be a massive reckoning.
Tell me, for the OGApp what is the monetization scheme? How do they intend to make money? By default if you don't see anything upfront you should assume that your data is what is being monetized. And your data in this case includes everything the app can pull down from Instagram while it's acting as a proxy.
Similarly and I keep mentioning this: Just because there's no current evidence of them stealing your data does not make them trustworthy. A site asking you for Steam login details would be almost impossible to prove that it's phishing for login details, but it would be a bad, bad idea to put in your login info anyways.
If they want their app to be trusted then it should be made open source.
>Tell me, for the OGApp what is the monetization scheme? How do they intend to make money? By default if you don't see anything upfront you should assume that your data is what is being monetized. And your data in this case includes everything the app can pull down from Instagram while it's acting as a proxy.
I have no idea. I'd never heard of this app as I don't ever use whatever functionality it provides.
I'm not saying these folks are saints, I have no idea what sort of people they are. If it makes you feel better, I'll posit that they're scumbags who would sell their own mother for a nickel.
But that doesn't change the fact that I (or anyone else, for that matter) should be able to use the client of their choice for anything. If that's not the case, then Meta (or HN, for that matter, if they decide to be as scummy as Meta) would be within their rights to decide which browser you use to connect to their properties, and what add-ons you install in that browser.
Sorry, that's not an acceptable solution[0].
>If they want their app to be trusted then it should be made open source.
You won't get any argument about that from me. But even if these guys are all clones of the anti-christ scheming to destroy humanity (for the record, I have no idea and make no value judgement about the ethical standards of the app publisher and its employees) by creating a subset of the data Meta already collects, if I (or anyone else) decides they want to use that software on their personal property, who's to say what can or can't run on that hardware?
I don't (and wouldn't try to) speak for anyone else, but my property belongs to me and I will run the software I choose on my property. That has nothing to do with Meta or the publisher of the app discussed in TFA. Rather, it's about my control of my property. Full stop.
[0] My objection is one of principle, not about any specific software. And I stand by that objection.
Yes, you can choose whatever software you want to run, but Meta would be in full rights to ban you for using third party clients. And Meta has a vested interest in ensuring that people aren't using clients that scam their users out of their credentials because said users don't exist in a vacuum. They have friends, family, private messages and so forth that other users did not consent to have stolen or taken by a third party. This was the whole Cambridge Analytica controversy in a nutshell and their decisions around stuff like this all stem from that.
And in fact, sites are within their rights to determine which browser you can use to connect. Sites are often designed for and optimized around certain browsers and if they detect you running Internet Explorer 3, they can tell you to go away. This is a fact of the internet. And you're just as free to simply not go to their sites. This has been a fact for decades. No site is obligated to serve your obscure internet browser. And no API is obligated to serve every client that calls it.
>And Meta has a vested interest in ensuring that people aren't using clients that scam their users out of their credentials because said users don't exist in a vacuum.
Did this specific app actually "scam users out of their credentials?"
I'd expect that they didn't "scam" anything. The end user installed the app and voluntarily provided their credentials in order to access their content.
How is that a scam? If I'm using an Android phone and sideload an app to access say, HN, whether that's an apk from a publisher's website or from F-Droid, have I been scammed out of my HN credentials by that app's publisher?
If the app claimed to be the "official" app from Meta and used phishing techniques to get folks to install the app and/or reveal their credentials, that would be scamming.
But a deliberate choice by a user to use a specific app for a specific purpose, with the app in question actually serving that specific purpose doesn't seem like a "scam" to me.
Sure, Meta doesn't like it for a bunch of reasons. And it doesn't surprise me that they took action to smack these guys down. But characterizing this app as a "scam" doesn't seem to reflect reality.
> Their website doesn't even have a privacy policy, just a dummy link
That’s not true at all. They have a privacy policy linked at the bottom of their page. It opens in a new tab by default which is probably blocked by our adblocker.
I just checked in Firefox on desktop - and their privacy policy links to a real page. I thought maybe it was recent, so I checked on the Internet Archive as well. Nope, it's been there since at least September.
Are they doing something weird and non-standard that may not work everywhere? Quite possibly. Is it a dummy link that goes nowhere, per your claim? Absolutely not.
Proxying.. i don't think it means what you think it means. By that logic they should ban all of google's employees because chrome "proxies" information from facebook's servers (i.e. chrome shuffles private data from facebook's servers to user's eyeballs)
How is Meta supposed to verify this? And verify that they don't start behaving badly in the future?
This is what got Facebook in trouble with the FTC... they allowed developers access to all the users data without oversight. They are required by their settlement to not just trust app devs that they won't abuse the data.
That's not what I am asking. GP said that this third-party app is violating user privacy, and I am asking for evidence of that. As of now, there's nothing to suggest that the app is doing more than we're led to believe they are. CA went beyond what they claimed they were doing.
That said, while I don't disagree with the point you're making, I disagree with the approach. There's a difference between recognizing that the market is interested in the approach the third-party app is taking and working with them to figure out how to move forward together, and nuking from orbit the unconnected personal accounts of everyone tied to the app on LinkedIn.
Yes, the app is downloading private user messages (ostensibly to show a modified messaging interface) and private photos, according to their feature list.
This isn't a simple DNS-level ad-block, its acting as a proxy where the app developers can intercept and see all data.
Their website doesn't even have a privacy policy, just a dummy link: https://www.theogapp.com/