“Did partners get access to messages?
Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app.”
Does anyone have a screenshot or remember what the opt-in UX was like for this? I have been logged in to Spotify via Facebook since basically the very beginning. I worked in tech as a dev, PM, and designer of flows. I never had the understanding that my Facebook connect with Spotify gave them read/write to all my messages. It’s certainly possible that this permission was requested in an auth form that I quickly granted without realizing, which would make this more of a dubious product decision than blatantly unethical. Anyone have info?
I worked for Spotify very close to this integration. Not going into too many details, but the access they got is generally what's being reported. That said, I'm not aware of Spotify doing anything with messages other than displaying them to users; they weren't mined for data or retained. The intent was a unified messaging experience across apps, but it's been effectively dead for over four years. The only creepy thing I'm aware of that they tried with Facebook data was trying to build a taste profile from "likes," and this is from public profile data.
There's a big difference between what the permissions could do and what they were actually used for. Facebook takes its contracts with trusted partners as seriously as they say. My concern would be less around "how was my (let's be honest--Facebook's) data used" and more around Facebook's growth at any cost engine.
Or the overall growth engine of tech.
I've always believed that this was one of the primary motivations for Facebook separating Messenger out into its own app: it feels separate and therefore more private, without actually being either.
The content of a post with privacy controls restricted to just one other person is functionally the same as sending a message to that person on Messenger — only the UI is different. But, to the average person, it feels completely different because it looks like texting.
It has screenshots of the messaging functionality but no clarification on how permissions were granted for this, as discussed elsewhere on this thread.
> “Did partners get access to messages? Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app.”
Of course this is true. The media reports complete nonsense like "everyone had access to all your messages and your microphone and everything else ever on you and Zuckerberg sucks" and the truth is always, always that the users agreed to give up permissions and the permissions were actually pretty finely controlled. (Or Facebook was hacked.)
But that doesn't sell, so instead people conflate some data sharing with NSA-level conspiracy trolls and drum up bullshit media reports that they know Facebook cannot effectively fight since everyone currently hates them. It's absolute trash journalism.
The language of this post seems extremely carefully chosen and to present as 'let me explain why what Facebook did was fine' and 'Facebook is full of great features that people use.' The language is somewhere in between reductive and manipulative.
"this work was about helping people" and "people could have more social experiences" and "People want to use Facebook features"
and then: "Our integration partners had to get authorization from people. You would have had to sign in with your Facebook account to use the integration offered by Apple, Amazon or another integration partner."
I read the last quote as "we used a dark pattern[1] to get your permission for this"
[1] https://darkpatterns.org/
The whole article seems odd. I have no training in public relations, but I assumed the narrative would try to at least seem sincere about end-user's privacy concerns.
There's none of that at all, not that it would be believable at this point anyhow. But it reads like a bully trying to justify to a teacher why he chose to eat another kid's lunch. It's clear fb has no moral guilt here and actually implies that all blame is shifted off of themselves.
It's extremely poor PR. I was caught up in the 2012 FTC investigation on social networks and data brokers. The public just wants to hear how you are going to protect their data. Doesn't matter if you're right or wrong. Pushing the "you weren't wrong" narrative just alienates your users even more.
What did I just read? Is this a legitimate Facebook post? Are they actively trying to defend and justify their actions? First step in crisis management would be to acknowledge the crisis for what it is. Without that stage Facebook will never get out of this. It's like Microsoft's security before Bill Gates's trustworthy computing memo. Facebook you have to change.
I assume someone at Facebook, hopefully the person that wrote this, or someone who has more influence over this issue, is reading.
I am an engineer. I understand technology better than most of the general population. When I sign in to my Facebook account to use Spotify, I am absolutely not expecting that Spotify will now have access to read every single one of my private messages. This is a gross violation of trust, and if this is what happened, then the fact that you not only made this mistake, but also then published this blog post defending it, marks a low point for Facebook. Perhaps irrecoverably so for me.
"After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature."
This is a write permission. So you needed to give Spotify permission to create a message. It seems that your system combines the read and write permissions, since you just grouped them together by saying "access to the person's messages". It also seems from your defense that you see absolutely no issue with this. In order to share a song through Spotify, you are giving them access to every single private message the user has ever written.
I find it hard to believe that Facebook refuses to acknowledge any fault in this: The initial product decision, the upholding of this decision through previous privacy investigations, and this PR response. Am I misinterpreting the facts or scale of this?
> I find it hard to believe that Facebook refuses to acknowledge any fault in this.
I feel that the distance between their rhetoric and their technical machinations is their liability. And to those who say, "no big deal, everyone already knew this" - well, then why does Facebook's rhetoric not match their underlying technology?
If Facebook came out and said, "our business model is to sell ads, so we do everything legally in our power to give people the power to connect to each other, while supporting ourselves by selling ads," then I would have confidence in their statements. They instead obfuscate and dissemble.
When they speak of "integration partners" and speak about using Facebook services on various devices, and not in terms of selling the data itself, opening up entire streams of data to read and write permissions, then their aims in this press release are different from the aims of their clients and shareholders. And the extent of that difference is a liability.
That they can't be honest in plain language about their technical systems means they don't yet have confidence that their technical systems would be culturally sustainable were they to be well understood. Incentives are not aligned here - and that is a very scary and generally untenable place to be.
Well if you want to receive a message that someone sends you then you'd also need to grant Spotify read permissions. In essence, you'd be using Spotify as a client app for fb messenger. How else could that work without Spotify getting read/write access to your messages?
"After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature."
> This is a write permission. So you needed to give Spotify permission to create a message. It seems that your system combines the read and write permissions, since you just grouped them together by saying "access to the person's messages".
How is it a write permission when the thing you quoted says "send and receive messages"? That's an inbox. An inbox reads messages.
I was too young to really keep abreast of the Microsoft anti-trust lawsuit, but I've never seen a technology company come under so much sustained pressure as Facebook over the past 18 months.
The New York Times in particular has definitely made it a mission to air out all of Facebook's dirty laundry. Overall, I don't think that this will result in users becoming more concerned about privacy (although their governments may) but it does seem like Facebook from a product perspective is vulnerable, even considering the amazing backstops that are Instagram and WhatsApp.
> The New York Times in particular has definitely made it a mission to air out all of Facebook's dirty laundry.
There are two thoughts here that people here assume are mutually exclusive, but they're really not.
(1) What NYT has reported is true, and highlights some serious issues that Facebook needs to address.
(2) NYT also, without saying anything untrue, takes negative news about Facebook out of context and gives it more prominence/repetition than is appropriate.
Both of these are possible simultaneously. I happen to believe both are true. The "providing a platform" argument was much more relevant at the time most of these actions occurred, even if that doesn't fully excuse them. And even if this is significant news, that might not justify burying other important stories (e.g. imminent government shutdown) so that it can be top of the news multiple times in the next week. As it surely will, even if there are no new revelations.
As for the substance of the OP or the NYT story to which it responds: no comment. Facebook PR is going to have to do this one without me. >:-(
It seems like NYT was right on this one as FB themselves acknowledged that they gave 3rd party access to their users’ private messages (and apparently they still don’t see this as a big no-no ?!?). There are also quite privacy-aware users on this very website who say that they don’t remember being explicitly asked by FB about granting Spotify access to their private messages, and there’s also a link to an old screenshot from around 2013 showing that the FB confirmation screen was indeed very vague, there was no explicit mention of the user giving a 3rd party access to his/her private messages, just to his/her “data”, a very general term which is not generally correlated to private messages.
As such I’d say that articles like the one recently published by the NYT are spot on, and I also hope that FB will pay the price for what it has done (I’m personally in favor of a forced break-up).
It's hilarious. Facebook misbehaves like a three year old and lies to your face about it. Fifteen years later and the same dysfunctional relationship continues. In a few days, in a couple of weeks there will be some post from their engineering department regarding some fantastic thing they are working on, they released, whatever. And this love-hate debate will dissipate to the far end of your minds. When will you say enough?
I think what they are failing to address here, and what is incredibly misleading of them in this message, is that they fail to define what "public information" or "public activity" means to them. They define this in their TOS & Privacy Policy as pretty much anything you do on facebook, or a separate property that integrates with them, that you don't EXPLICITLY set as private. This statement tries to make it sound like they use very little data, when in all actuality most of what you do on FB is considered "public" to them even if they don't show this stuff publicly. That's not okay.
So basically it's totally OK because someone clicked sign in with fb? I bet the majority didn't realise that implied giving access to private messages.
Seems pretty dark pattern-y at best
>this work was about helping people do two things
One of the most disingenuous things I've read in a while. Nothing about this was about helping users.
I hope they get slaughtered on the markets tomorrow (again).
There are 3 parts to a genuine apology.
1. We’re sorry
2. We messed up
3. Here’s what we’re doing to fix it
This is a poor attempt at an apology. It just shows how desperately they acted to grow users with little to no regard for user privacy. That’s a typical footprint for a mercenary company, not one whose mission is to respect its users.
Just look at how Apple apologized about their battery dilemma. Here’s a great way to show you care about your users https://www.apple.com/au/iphone-battery-and-performance/
This is all the more confusing that Facebook internally is genuinely great at that. I was hoping that with Schrage out, those half-assed statements would be gone but nope…
> To personalize content, tailor and measure ads and provide a safer experience, we use cookies. By tapping on the site you agree to our use of cookies on and off Facebook. Learn more, including about controls: Cookie Policy
> By tapping on the site
> use of cookies on and off Facebook
So an accidental interaction when trying to navigate away after seeing your cookie policy opts me into your cookie policy.
You bastards are full on assholes, huh?
And now you know why Google is _really_ shutting down Google+ earlier than planned. Someone should also take a look at Android, where there are some insane permissions available, like accessing your messages and call log. I wonder how much those have been abused by third parties far less trusted than e.g. Spotify. Granted, you have to consent to all of this crap, but 99% of users perceive this as a speed bump and click OK without reading, and the remaining 1% won't touch Android with a 10 foot pole after seeing one of those permission dialogs.
> And now you know why Google is _really_ shutting down Google+ earlier than planned.
You are implying that this was some deeply hidden motivation until now, but both of the announcements pretty directly attributed the shutdown (and accelerated shutdown) plans to security problems.
Can someone clear this up (preferably if you've worked with the FB API):
When the NYT published that Spotify and Netflix had access to private messages, isn't that simply for them to do a POST call for sharing a TV show or song?
Facebook appears to have designed their system in such a way that permissions were not granular enough to do things like "Spotify can only post certain types of messages". Instead it had to be "Spotify has full read/write access to all private messages".
Given Facebook's history it's hard to believe that the lack of granularity, and resulting incentivizing of users to grant as much access to personal data as possible, was an accidental oversight.
I think a very common problem with OAuth (way beyond Facebook) is that people often underestimate the permission they are giving to a 3rd party. For example, if you use some email client to manage your Gmail, the email client would request permission to "manage your Gmail", exactly what you want, but that actually gives the 3rd party permission not only to read all your mails, but to send out emails on behalf of you.
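An added example for the granularity point in the two comments above (not Facebook's, Spotify's or any real API; the scope names, endpoints and the "share card" flow are assumptions): it models one coarse `messages` scope beside a split design, a consent summary that spells out what each scope actually allows, and an over-grant check for an app that only ever needs to share a link.

```python
# Modelling OAuth scope granularity and consent wording (constructed example).

# Capability -> plain-language consequence shown on the consent screen.
CAPABILITIES = {
    "read_all_messages": "read every private message you have ever sent or received",
    "send_any_message": "send any message to anyone as you",
    "send_share_card": "send a link card to a conversation you pick each time",
}

# A broad capability implies the narrower ones it subsumes.
IMPLIES = {"send_any_message": {"send_share_card"}}

# Two assumed scope designs for the same messaging API.
SCOPE_DESIGNS = {
    # One coarse scope: read and send on every thread (the situation discussed above).
    "coarse": {"messages": {"read_all_messages", "send_any_message"}},
    # Split scopes so a share-only app never needs read access.
    "granular": {
        "messages:share_link": {"send_share_card"},
        "messages:read": {"read_all_messages"},
        "messages:send": {"send_any_message"},
    },
}

# Minimum capability each (assumed) endpoint actually needs.
ENDPOINT_REQUIRES = {
    "POST /me/threads/{id}/share": "send_share_card",
    "GET /me/threads/{id}/messages": "read_all_messages",
    "POST /me/threads/{id}/messages": "send_any_message",
}


def direct_capabilities(design, scopes):
    """Capabilities named directly by the requested scopes."""
    caps = set()
    for s in scopes:
        caps |= SCOPE_DESIGNS[design][s]
    return caps


def expand(caps):
    """Add the narrower capabilities implied by broad ones."""
    out = set(caps)
    for c in caps:
        out |= IMPLIES.get(c, set())
    return out


def token_capabilities(design, scopes):
    """Everything a token issued for these scopes can actually do."""
    return frozenset(expand(direct_capabilities(design, scopes)))


def consent_summary(design, scopes):
    """What the consent screen should say, in consequences rather than scope names."""
    return sorted(CAPABILITIES[c] for c in direct_capabilities(design, scopes))


def authorize(design, scopes, endpoint):
    """Resource-server check: does the token cover this endpoint's requirement?"""
    return ENDPOINT_REQUIRES[endpoint] in token_capabilities(design, scopes)


def excess_capabilities(design, scopes, endpoints_used):
    """Capabilities granted but never needed by the endpoints the app actually calls."""
    needed = {ENDPOINT_REQUIRES[e] for e in endpoints_used}
    return sorted(token_capabilities(design, scopes) - needed)


def least_privilege_scopes(design, endpoints_used):
    """For each endpoint, the unlocking scope with the fewest capabilities."""
    chosen = set()
    for e in endpoints_used:
        need = ENDPOINT_REQUIRES[e]
        candidates = [s for s, caps in SCOPE_DESIGNS[design].items() if need in expand(caps)]
        chosen.add(min(candidates, key=lambda s: len(expand(SCOPE_DESIGNS[design][s]))))
    return sorted(chosen)


if __name__ == "__main__":
    # Constructed scenario: a music app that only needs to share a song link.
    share = "POST /me/threads/{id}/share"
    for design, scopes in (("coarse", {"messages"}), ("granular", {"messages:share_link"})):
        print(design, "consent:", consent_summary(design, scopes))
        print("  excess:", excess_capabilities(design, scopes, [share]))
        print("  should request:", least_privilege_scopes(design, [share]))
```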
The title should be corrected. The title of the post is actually:
"Let’s Clear Up a Few Things About Facebook’s Partners"
This distinction is notable for its patronizing tone.
Of course the assumption that we all have it wrong. "There's nothing to see here, please move along." Everything that was done was done to make the world a more connected place and for us to have more "social interactions."
This post is a case study in how not to do PR. There wasn't even a remote hint of concern for what their users might be feeling in the wake of this story. But perhaps it doesn't matter anyway since this company has zero credibility at this point.
So CuteApp allows you to read FB messages and email from their app. They cut a deal with FB, but you still need to want to do it and then enter your FB credentials while in CuteApp. Unless messages are saved in the app, unsecured, I see no problem. FB users read their messages somewhere else, but using their FB credentials. (If I understood it correctly)
No, CuteApp allows you to read FB messages and email from their app. They cut a deal with FB and even if you don't use the service, CuteApp can still access your messages. You don't actually know about the service - it isn't in the permissions and you didn't give explicit consent for it. Doesn't matter.
The bigger issue is that the vast majority of users aren't informed about what they're granting access to.
If they truly knew half of what these applications were doing with their "private" information, I can guarantee less than half would continue using it.
They are no good at all at apologizing. They somehow manage to be consistently condescending. Facebookers, take this into account next time (or the next dozen times) you have to write up an apology. https://news.ycombinator.com/item?id=6116544
...and every time I think FB can't get any worse, it does.
Serious Q: is there a way to find out what services I've ever authorized into using my Facebook account, and nuke those links/permissions? I haven't done that in years, but who knows how many of these there are still lying around.
jahlove|7 years ago
Source: https://stackoverflow.com/q/17561784/9027089
grey-area|7 years ago
It is well past time. FB have repeatedly demonstrated who they are.
jhacker123|7 years ago
In FB's case, users are not their customers; they are the product. And products are meant to be sold, and this is what they do.
drugme|7 years ago
It's like they know they're in a very deep hole - yet with every press release they just keep digging themselves in deeper.
dirkgently|7 years ago
Care to prove your blatant lie with some evidence, or are you just going to bash Google/Android because it's the thing to do on HN?
verdverm|7 years ago
I spent an hour trying to remove all of the advertisement connections, have no idea how far into it I got. Mostly realtors and car dealerships
jpatokal|7 years ago
> Yes.
(o_O;