Trundle | 7 years ago

Non-developer here. Can someone check my understanding of this situation for me please.

Facebook or any other website has information that ideally only I should have access to. I don't visit Facebook HQ with my ID in hand to get it, I use a computing device to talk to their computing device. They don't really know if it's me using that device, just that it knows information only I should have (password). The device is also my choice, they just provide general instructions for talking to theirs, or rather just comply with standards. Meaning HTML or whatever the total information sent from browsers and back again is called. Some browsers being difficult, they even have some code in there for them specifically. Mostly CSS for IE and mobile Safari.

Because me visiting the Facebook building every time I want to see something or like something is ridiculous and something no one thinks happens, when these browsers request information as me they're then referred to as me, or my agent. So if data goes from Facebook to a MacBook with Chrome on it that knows my password, it's for all intents and purposes a two-party relationship. No one sees that Chrome, OS X, my ISP, my router, my whatever; and goes "Facebook is giving data access to third parties!"

Enter mobile devices, or more accurately old mobile devices. Complying with those standards I mentioned above /HTML /building a quality full functionality browser is hard given their tech. They still want you to be able to use Facebook, Facebook still wants you using it, and you want to use it. So the device manufacturer and Facebook come up with a communication method they can use. Basically the same information sent and received as if you were using a browser and Facebook's standard HTML, Facebook's still just assuming you're on the other end because the device knows your password, but the syntax of their messages is different. Basically a more extreme version of having some funky CSS in there to make old IE work.

Terminology aside, am I on the right track? If so, what exactly is newsworthy about this? Is there a practical difference from a data security viewpoint between Facebook -> my Huawei phone -> me, and Facebook -> my Huawei phone -> Chrome -> me?

If my user agent - the hardware/software I choose to use to talk to Facebook - is hostile to me, I'm fucked either way, aren't I?

makomk|7 years ago

You're exactly right, and there is no practical difference from a data security viewpoint. Except web access is probably worse in practice: many of the older mobile devices funnelled all web browsing through manufacturer-provided or third-party servers; this is still an option in Chrome on Android, and desktop browsers are plagued by malicious extensions.

The New York Times is arguing that allowing users to access Facebook with third-party apps running on hardware the users own is the same as giving those third parties access to the data, that the setting which blocked third parties like Zynga and Cambridge Analytica from accessing this data should block those apps too, and that not doing so is a betrayal of user privacy. There's a Twitter thread by one of the journalists behind this that's even more clear about this: https://twitter.com/laforgia_/status/1003619629355413504

Like, I'm not exaggerating here, the journalist who's writing this series of articles really does think that if Facebook respected user privacy they should've made the setting which blocks every random quiz and game your friends use from scraping your data also force your friends to install the Facebook app to interact with you. (I don't think he's grasped that web browsers are third-party software though.)

Trundle|7 years ago

Thanks! Pretty concerning that a lot of HN commenters seem to be with the NYTimes on this.

I'm the filthy SaaS salesman that should be tainting this place with their ignorance. Everyone else is meant to be more informed on these things so I can get a more educated perspective!