Take the Facebook app that Huawei built using their special API access to offer Facebook on their devices. Their implementation was supposed to store the Facebook data locally on the phone. Of course, there’s a concern here that Huawei, a company with strong ties to the Chinese government, could still be siphoning Facebook data off the phone despite that breaking their agreement with Facebook.
But if you don’t trust the device manufacturer and their operating system, what does it matter? If Facebook existed solely as a mobile web app on the phones or as a Facebook Inc produced app, you still have to trust Huawei to not be siphoning off that data. If you don’t trust Huawei, you’re at risk regardless of whoever made the software you use on their phones.
(The device manufacturer FB implementations that stored data on non-FB servers are a different situation though...)
This is one of the strangest defenses for Facebook - everything works as expected.
Cambridge Analytica downloaded data? The API worked as expected and people should have been smarter to not share data.
Facebook has special APIs for phone manufacturers? The API works as expected and people shouldn't buy phones from the manufacturers they don't trust.
But, here's the thing - FB shouldn't have allowed this at all. In one part, security is about making things harder for people to break in. Currently, manufacturers can use an official API to siphon off data to non-FB servers. Sure, manufacturers could run some kind of MITM attack to achieve something similar. But having an official API is a strict no.
The revolution is going to happen for stupid reasons, just like Louis XVI was executed after cooperating (mostly) with the revolutionaries for years. American politics and news takes are a form of heightened collective idiocy that leaves me convinced that we will only improve ourselves semi-consciously while stepping on a rake and having it nail us and the oppressed people of at least five other countries in the face.
However, it's high time for Facebook to face intense regulatory scrutiny. Mark has been unfair to us for quite a while, so I'm going to yawn if he complains when the tables are turned. If FB gets broken up or its profits get reduced, Mark can replace his tear stained clothing with one of the identical replacements from the infinitely deep closet his billions constitute.
The threat is going from rather hypothetical to more and more concrete. The phone is an appliance that runs software. It would require some substantial effort to get around that barrier - reducing the risk of it actually happening.
Now we're seeing that it didn't require any baked-in compromise in the hardware, firmware, or Android distribution. It's available via API.
Once these issues become the focus of politicians, the technical details matter less. If public opinion is opposed to a particular issue, especially if that opposition is bipartisan, politicians will leverage that for political gain -- just look at Zuckerberg's congressional hearings, which were all about political points.
However, that doesn't mean they'll actually legislate anything with teeth, depending on other factors like lobbying etc. Pharma is a great example of this -- universally hated industry at the moment, lots of lobbying power at the moment, and probably lots of people lobbying against them (this is speculation, but I imagine the American Hospital Association and AHIA probably are endorsing the drug pricing = cause of US high healthcare spend narrative). Strong bipartisan political opposition to an industry + strong lobbying by the defending industry = political actions that are all bark and no bite.
The mechanism really matters a lot - think how it would look if a vendor kernel trojan was found siphoning FB data, vs "accidentally" sending off some official-api provided FB data to their statistics servers.
"Trusting" or "not trusting" your phone is a very binary threat model. I don't think many tech-savvy people would say they fully trust their Android phone vendor. But you can count on the vendor's self interest to some extent, and basic competence in managing the risk to their reputation.
FB's special manufacturer's API included access to some of your friends' data, in some cases even when they had refused permission for it to be shared, so the concern is not merely with data that would have been on your device in some form.
It’s pretty negligent to sell or give a company access to someone else’s personal data with a handshake and wink that they won’t turn around and do nefarious shit with it.
So while you’re right, it’s also just kinda shitty and probably illegal or at the very least unethical.
This isn't about apps putting buttons on devices or people trusting device manufacturers. FB has lied about how and when data gets disclosed, has intentionally not respected the privacy controls that users set, and lied to Congress about the subject.
If this is an accurate tl;dr, then shouldn't Facebook be liable for even allowing Huawei phones to access Facebook at all even over 3rd party browsers? Any information going through any Chinese manufactured device might as well be at risk. All it takes is the Chinese government saying "hey Huawei, add a keylogger if you see the phone is activated on a US carrier".
I'm trying to say Facebook shouldn't be responsible.
I think the "the data was supposed to be stored on the phone" thing is a little misleading.
I've never owned a Huawei phone, but when I looked at my Motorola phone five years ago[1], I found that it was getting Facebook data via a proxy service that Motorola had set up. This was probably partly as an abstraction layer, but do you really think no one in their marketing (or similar) department thought "as long as that data about their FB contacts is passing through our systems, maybe we should analyze it in some way"?
Even if they weren't explicitly collecting it, it probably ended up cached on their servers somewhere, and it was typically sent over plaintext HTTP (even though FB supported HTTPS), so someone else could have easily collected it too.
I've looked at a lot of mobile apps, and I don't think what Motorola was doing was at all unusual, but again, I haven't done a comprehensive analysis of other vendors.
I do agree that the vendor could always configure the phone to explicitly upload anything to them even if something like the FB APIs were accessed directly, but IMO that seems less likely than siphoning off the data as it passes through their middleware.
Huawei does not have "strong ties to the Chinese government." There is absolutely no concrete evidence that Huawei has such a relationship. Please stop spreading propaganda.
I'm in the camp that this anger at Facebook is largely misdirected, even though I'm very privacy-oriented. It's very interesting seeing nontechnical reactions to this news.
As technical users, we all know that every layer of software down to the hardware potentially has access to the data flowing on top of it. If you're running X browser on Y operating system on Z device and you log in to Facebook, you've just trusted X, Y, and Z with your FB username, password, and data. (An API works the same.)
But nontechnical users are just now realizing this as privacy and data security become hot. They're lashing out at Facebook, but I think the scrutiny absolutely should be leveled at the software and hardware vendors. People should be asking phone companies: why can I trust your phone enough to type my Facebook username/password into it?
An ideal outcome would be a huge push toward open source (and also toward free software), but that's probably too optimistic.
> An ideal outcome would be a huge push toward open source (and also toward free software), but that's probably too optimistic.
Realistic outcome will be, unfortunately, companies playing all kinds of tricks to manage the perceived safety of their brand, combined with further locking down hardware and software stacks to reduce the attack surface.
>As technical users, we all know that every layer of software down to the hardware potentially has access to the data flowing on top of it.
Yeah, but that's a double sided sword. We're the only ones that have had to internalize the idea that incidental access to data means trying to monetize it as much as possible.
In the real world, there is a huge expectation that incidental access to something _isn't_ license to do whatever you want with it. The standards of behavior everyone adheres to are almost always narrower than what the law allows. Regular people don't expect others to suddenly become the most ruthless motherfuckers possible just "because computers."
>An ideal outcome would be a huge push toward open source (and also toward free software)
How much does open source improve security? (And does it at all?) In my experience nobody reads the source code before executing it. Maybe the situation is different for big projects with many users. On the other hand, for example, smart contracts (which are open source) had security issues several times in the past which were discovered too late.
Non-technical users read the hitjob published by the NYT yesterday and just assume Facebook lies and continue on their lives with absolutely zero understanding of the OSI model.
This argument is repeated so often today that it seems like the latest FB talking point. It's whataboutism yet again - who cares if someone else is doing wrong? 'There are other rapists too' is not an accepted plea in court. The argument also is disingenuous for several other reasons:
First, [EDIT: this point has many flaws and is too complex to state succinctly, so I'm pulling it]
Much more importantly: The problem isn't who I need to trust, it's that Facebook is deliberately capturing and distributing large quantities of user data, and in addition they are giving it to some exceptionally unsavory people that are doing great harm to the world, including damaging the foundations of democracy and civil society.
Finally, it's disingenuous because few other companies have the power and data of Facebook. Why does Facebook get more attention than other violators? Is that a serious question?
EDIT: And finally finally, the argument overlooks the fact that security is defense in depth. Just because some other component isn't secure doesn't mean you shouldn't secure this one.
This article and the NYT one are almost completely bullshit.
They do not understand the difference between "apps" on phones that integrate with Facebook for sharing purposes, and "facebook apps" like the quiz crap that Cambridge Analytica abused.
There IS the potential that your phone OS vendor used the FB API access and your credentials to steal your data, but does anyone seriously think Apple or BlackBerry did such a thing?
This whole thing is insane. You might as well accuse Google, Apple, Mozilla, and Microsoft of stealing users' data because you use their browsers to access Facebook.
> There IS the potential that your phone OS vendor used the FB API access and your credentials to steal your data, but does anyone seriously think Apple or BlackBerry did such a thing?
There wasn't much substance to the New York Times's report, and as an outsider, Facebook's official reply--corroborated by Tim Cook's statement about Apple's actual use of the reported APIs--seems perfectly reasonable to me.
But dogpiling on Facebook is popular right now, whether it's deserved (Cambridge Analytica) or not (this), so the actual facts of the matter will be secondary when politicians evaluate whether to hop on the bandwagon.
The issue of whether what Facebook did was reasonable is orthogonal to the issue of whether Facebook/Zuckerberg lied to Congress about it. In this situation it seems that they may have done something reasonable and yet still lied about it. The problem is the latter.
Well it looks like a lie and smells like a lie if these device manufacturers got these info deals from Facebook. It means that the user doesn’t have complete control. This of course hinges on what we mean by complete control. I imagine Zuckerberg is going to become a major campaign donor now going forward... if he isn’t already. I’d expect Facebook lobbying efforts to intensify as well.
The nuances for what a "3rd party entity" vs a "3rd party app" represents in Facebook is really what's at hand here. Anyone who spent time in Facebook developer platform knows this.
NYT's watered down article for the lowest denominator and maximum clicks (imo) vs Facebook's way too technical explanation for the maximum PR defense. None of this is going to help US/EU/World lawmakers understand the permission scope that was set in Graph API for hardware vendors.
It will take anyone with an HTTP listener (Charles, Burp, Cycript, whatever your choice) 5 minutes to see where and how the access token was used.
If only we were discussing the data and HTTP requests and not the way reporters and PR play with words to fit their agendas.
Earlier today people on Hacker News were talking about if Mark Zuckerberg committed treason due to the data-sharing with the Chinese (as well as the creepy fact that he offered to name his first born after the supreme leader of China).
This seems like a political attack on Facebook. Willful ignorance of technical reality on HN... no wonder lawmakers are claiming Zuckerberg lies.
Facebook functionality ran on a phone using source code not written by Facebook. Anyone who equates that with Cambridge Analytica simply has an axe to grind with FB.
If a device manufacturer wants to betray the trust of their users and siphon data off the phone, they can surely do that in any case, and it’s not even hard to do seeing as how they own the network stack.
Can you think of any other codebase which is used to provide Facebook functionality on our devices using special APIs? Chrome. Mozilla. Safari.
If we can’t distinguish between a user agent and a 3rd party app having access to a Facebook API then I don’t see how this is debating in good faith.
We are talking about the device manufacturers embedding social functionality into the operating system. They also write the rest of the OS you know, if you don’t trust them to render your friend feed then I have bad news for you about your SMS, call history, location data, not to mention you’re carrying around a microphone they can access at any time...
Um... downvoters should read these submissions. This guy isn’t a troll, he’s Aaron Greenspan, the creator of Facebook’s predecessor, code for which seems magically to have appeared in FB. There was a settlement: https://en.m.wikipedia.org/wiki/Criticism_of_Facebook#Aaron_...
"Meanwhile, a good part of the world has re-aligned itself around the increasingly idiotic and sociopathic whims of your former friend, who has settled comfortably into the life of a billionaire capitalist tyrant."
Your downvoted comment appears to be victim to some kind of coordinated and orchestrated artificial pro-facebook narrative I am seeing throughout this thread. Thank you for your 2005 warning.
I know it's a tangent, but I have trouble assigning any significance to this after the James Clapper thing. If he can lie to Congress with impunity, about things that are clearly within Congressional purview, then why should anyone else worry about such things?
I am glad Apple is taking proactive steps in Safari to block tracking and fingerprinting by social platforms. It's a disease and needs to be dealt with. Thanks Apple.
> We should stop treating users & citizens as complete morons who need daddy state to take care of them.
We're treating them as intelligent human beings who can't possibly master knowledge of all the technology, confidentiality, and its implications in a world of analytics and adtech. Even I can only imagine some of it.
Should we educate users to choose safe anesthesia and surgical techniques? To choose proper exotic financial instruments? I think we should require doctors to provide safe anesthesia, Wall Street to provide safe investments, and anyone handling user data to provide confidentiality and end-user control.
The problem is that the companies that profit from harvesting user data (Microsoft, Facebook, Google, Amazon) also have a huge influence on what users see, and thus, public opinion. Unfortunately, they also have huge lobbyist budgets, so I don't think relying on the state is a good option either.
I'm not sure anything will change until someone with money starts caring. The world needs another Mark Shuttleworth.
America needs to redefine literacy and replace these obsolete lawmakers with lawmakers who are coding literate. This is not at all unlike a group of illiterate lawmakers speculating about what a book they cannot read says after interviewing its author.
"Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism."
More than a week after the GDPR (and two years after it has been announced), the LA Times still can't serve its content to EU viewers.
Can we add a "GDPR" link near the web one, or drop the kind of websites that act like this?
[+] [-] varenc|7 years ago|reply
[+] [-] thisisit|7 years ago|reply
[+] [-] jadedhacker|7 years ago|reply
[+] [-] lallysingh|7 years ago|reply
[+] [-] aaavl2821|7 years ago|reply
[+] [-] fulafel|7 years ago|reply
[+] [-] aptwebapps|7 years ago|reply
[+] [-] debt|7 years ago|reply
[+] [-] aqme28|7 years ago|reply
This is different.
[+] [-] IncRnd|7 years ago|reply
[+] [-] wufufufu|7 years ago|reply
[+] [-] blincoln|7 years ago|reply
[1] https://www.beneaththewaves.net/Projects/Motorola_Is_Listeni...
[+] [-] dnomad|7 years ago|reply
[+] [-] bo1024|7 years ago|reply
[+] [-] TeMPOraL|7 years ago|reply
[+] [-] forgottenpass|7 years ago|reply
[+] [-] dorgo|7 years ago|reply
[+] [-] zaroth|7 years ago|reply
[+] [-] forapurpose|7 years ago|reply
[+] [-] justinsaccount|7 years ago|reply
[+] [-] shakna|7 years ago|reply
Huawei, Xiaomi, and others are a risk for this.
[+] [-] tomatotomato37|7 years ago|reply
[+] [-] pacifika|7 years ago|reply
[+] [-] Niten|7 years ago|reply
[+] [-] mehrdadn|7 years ago|reply
[+] [-] sjg007|7 years ago|reply
[+] [-] phwd|7 years ago|reply
[+] [-] Bucephalus355|7 years ago|reply
Looks like it won’t be a good week for him.
[+] [-] zaroth|7 years ago|reply
[+] [-] thinkcomp|7 years ago|reply
https://www.quora.com/How-did-Zuckerberg-code-Facebook-so-fa...
https://www.huffingtonpost.com/entry/open-to-attack-and-conn...
[+] [-] tomcam|7 years ago|reply
[+] [-] specialist|7 years ago|reply
https://www.quora.com/What-was-it-like-to-be-Mark-Zuckerberg...
[+] [-] heavenlyblue|7 years ago|reply
[+] [-] delbel|7 years ago|reply
[+] [-] acobster|7 years ago|reply
[+] [-] CWuestefeld|7 years ago|reply
[+] [-] sidcool|7 years ago|reply
[+] [-] timvdalen|7 years ago|reply
[+] [-] paulie_a|7 years ago|reply
[+] [-] sandov|7 years ago|reply
I don't care how much you make Facebook, Google et al. promise not to "abuse" their users' data.
What I care about is educating people so that they choose software and companies that respect them.
We should stop treating users & citizens as complete morons who need daddy state to take care of them.
[+] [-] forapurpose|7 years ago|reply
[+] [-] swebs|7 years ago|reply
[+] [-] beenBoutIT|7 years ago|reply
[+] [-] yawz|7 years ago|reply
Mostly?!?
[+] [-] sjcsjc|7 years ago|reply
[+] [-] bastijn|7 years ago|reply
[+] [-] geraltofrivia|7 years ago|reply
[+] [-] sir_kin|7 years ago|reply
[+] [-] mdrzn|7 years ago|reply
[+] [-] calimac|7 years ago|reply
[deleted]