top | item 22693792

Zoom iOS app sends data to Facebook even if you don’t have a Facebook account

1433 points | softwaredoug | 6 years ago | vice.com

360 comments

[+] godelski|6 years ago|reply
> There is nothing in the privacy policy that addresses [that data is being sent to Facebook]

> The Zoom app notifies Facebook when the user opens the app, details on the user's device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user's device which companies can use to target a user with advertisements

So Zoom is sending the fingerprints of mobile users to Facebook. Which helps Facebook better track users across the internet. Not only this, but Zoom is not disclosing this information (though it isn't like people read TOS and would be aware of this anyways).

Can we just stop sending data everywhere? If you don't need it, don't gather it.

[+] st3fan|6 years ago|reply
EVERY. SINGLE. APP. THAT. INCLUDES. THE. FACEBOOK. SDK.

Even if you don't log in. The Facebook SDK sends data back.

Hook your device up to an intercepting proxy and start up a few apps. 99% of them do this.

I really wish Apple would put an end to this.

[+] AnthonyMouse|6 years ago|reply
> I really wish Apple would put an end to this.

This is what really gives lie to the whole walled garden thing. Its selling point is supposed to be in Apple preventing things like this, but here we are in reality and they don't. Meanwhile they do e.g. prevent Signal from replacing Apple's default app for SMS, which has no purpose other than to create barriers for cross-platform competitors to the default apps.

[+] mpclark|6 years ago|reply
I’m surprised Zoom is happy for Facebook to know exactly who its customers are. This is information that could be used against the company at some point, for example if FB made a video conferencing play.
[+] tdstein|6 years ago|reply
This! It isn't just Zoom. It's a known "feature" of the Facebook SDK.
[+] yellow_postit|6 years ago|reply
This is equivalent to including Google Analytics or any 3P analytics platform.
[+] wideasleep1|6 years ago|reply
Examples on Android for 'an intercepting proxy' are No Root Firewall, and even better, the paid/donate version of Netguard, which allows you to permanently kill these errant calls. Additionally, you can disable Google Services Framework with it too, if you'd like to try running your Android without Google tethered and watching, while you enjoy sweet, well-designed FOSS apps and services.
[+] megablast|6 years ago|reply
Can't apps start up the facebook SDK after someone has clicked the facebook login button? If someone has already logged in with facebook, set a flag in NSUserDefaults, and start the sdk then.
[+] ChrisMarshallNY|6 years ago|reply
If they did, it would raise a ruckus.

There's a lot of developers that rely on these dependencies, and just blocking them would cause a major backlash.

[+] ozmbie|6 years ago|reply
I would love if Apple started treating app analytics like they do my GPS location or my camera permissions. Basically, if apps want to send analytics, they must go through an iOS API.

Then as a user, I can inspect what apps are sending and how frequently. I should be able to block requests or set myself as anonymous. Or allow apps for certain amounts of time etc.

[+] qserasera|6 years ago|reply
Thank you st3fan. I will reference your comment in the future.
[+] ElectrodesD|6 years ago|reply
Apple isn't interested in that as well as most of the corporations out there. Data is one of the most valuable assets and this is easy cash flow.
[+] pergadad|6 years ago|reply
Is this automatically part of any app using react/react native?
[+] golergka|6 years ago|reply
As an app developer, I think that I've done "Facebook SDK integration" task over 10 times at the very least. I don't think I'm the only one. It's unrealistic to expect a mobile app not to offer a user the option to login through Facebook.

And yet, we don't need to integrate Facebook's binary blobs to use this SDK's main features. How about we implement the open version of Facebook SDK that uses their APIs but doesn't do anything that we don't want it to?

[+] julianozen|6 years ago|reply
To clarify, having just worked with the Facebook SDK library for my company's codebase, I don't think it is possible to set up the SDK without this happening. Disclaimer: I do not know what the FacebookSDK does after you call its launch methods but I am pretty certain that they are required for at least some versions of the SDK.

If you are a Zoom user who is not using a Facebook account, I believe the only info Facebook is getting is that the Zoom app was launched and nothing about the user itself. Unfortunately the side-effect of using the FBSDK is that Facebook can track your app's usage for all users.

I believe this is true of all apps with a "Log in with Facebook" button. FWIW, it does not appear that other OAuth's do this (including Google's)

[+] sneak|6 years ago|reply
Reminder: The NextDNS iOS app allows you to monitor and block these types of requests from all of your apps, via their DNS logging/filtering. (You can also configure the retention on the DNS logging, so as to not cause more toxic waste data.)

I can't recommend it enough. Until/unless we get something like Little Snitch for the phone (are you listening, Apple?!), this is the next best thing.

[+] om42|6 years ago|reply
NextDNS is great, set it up on all my devices a few back when there was a post on here about it. Uninstalled a few apps just from seeing the number of requests they were sending even when I didn't use those apps frequently.

Like it's mentioned in this discussion, using the FB SDK will result in apps sending requests to FB. Found a banking app I use was doing this...

[+] claudeganon|6 years ago|reply
Are there any guides for running your own setup with similar filtering functionality? Not keen to run all my traffic through some unknown VPN.
[+] totaldude87|6 years ago|reply
THIS! Thank you! Just installed and found tons of queries to Uber (never used Uber in past many months), uninstalled it finally!
[+] proactivesvcs|6 years ago|reply
Blokada has a similar feature set, with support for bundled advert/spyware/social media block lists as well as your own.
[+] wackget|6 years ago|reply
On the NextDNS website:

> "Try it now for free. No sign up required."

> I click the button

> "Sign In. Don't have an account? Sign up."

[+] zentiggr|6 years ago|reply
How does its blocking compare to Blokada?
[+] rococode|6 years ago|reply
If you have a Facebook account and are curious what other apps and websites are sending data about you to Facebook, check out this link:

https://www.facebook.com/off_facebook_activity/activity_list

(click the area with the various app & website icons to expand into a more detailed view)

I was pretty surprised the first time I came across that list, there are a lot of apps on there that I never did a Facebook login with. For example right now I see that a map app I downloaded when I was travelling last year but only opened once or twice has sent 395 "interactions", the latest of which was 3 days ago. Actually, I should probably delete that now haha. Also, I'm using Firefox with the Facebook container, Privacy Badger, and uBlock Origin, and there are still many websites listed.

[+] koyote|6 years ago|reply
So I do not have facebook installed on my phone but I do have instagram and whatsapp.

A large amount of phone apps seem to appear in that list. I guess Whatsapp/Instagram creates a fingerprint of my device and then uses that for tracking?

[+] rvz|6 years ago|reply
Well everything that imports the Facebook SDK or allows sign in with Facebook does this so as long as an app has that blue button on the screen, you shouldn't be surprised that it will phone home to Facebook once the app is opened and initialised.

Too bad it isn't practical to have a system-wide blacklist of selected hosts on iOS. Maybe you can but requires a jailbreak, but that too can break some apps.

[+] phwd|6 years ago|reply
At the risk of pointing to the documentation,

graph-facebook-com/app/activities is an endpoint used by 3rd party developers working with Facebook SDKs to send app analytic data for insights.

https://developers.facebook.com/docs/marketing-api/app-event... http://www.facebook.com/analytics https://business.facebook.com/events_manager/app/events

This is what a URL can look like.

graph-facebook-com/1106907002683888/activities?method=POST&event=MOBILE_APP_INSTALL&anon_id=1&advertiser_tracking_enabled=1&application_tracking_enabled=1&custom_events=[{%22_eventName%22:%22fb_mobile_purchase%22,}]

If you click the above you'll litter my analytics feed for my app 1106907002683888 with junk data.

Just in case, someone was looking for the specific call talked about because I couldn't find it linked in Vice's article.
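
As an added example (not part of the comment above and not Facebook's code), this Python code decodes an app-events URL of the shape quoted there, so a proxy capture can be reviewed for what each request carries. The function names `parse_activities_url` and `sdk_requests` are hypothetical, and the host set includes the dashed form used in the comment alongside `graph.facebook.com`.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Real Graph API host plus the dashed form the comment writes it in.
GRAPH_HOSTS = {"graph.facebook.com", "graph-facebook-com"}
ACTIVITIES_PATH = re.compile(r"^/(\d+)/activities/?$")
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# URL exactly as quoted in the comment (scheme-less, trailing comma in the JSON).
COMMENT_URL = (
    "graph-facebook-com/1106907002683888/activities?method=POST"
    "&event=MOBILE_APP_INSTALL&anon_id=1&advertiser_tracking_enabled=1"
    "&application_tracking_enabled=1"
    "&custom_events=[{%22_eventName%22:%22fb_mobile_purchase%22,}]"
)

def parse_activities_url(url):
    """Return the fields carried by an app-events URL, or None if it is not one."""
    if not HAS_SCHEME.match(url):
        url = "//" + url  # lets urlsplit find the host in scheme-less input
    parts = urlsplit(url)
    path = ACTIVITIES_PATH.match(parts.path)
    if (parts.hostname or "").lower() not in GRAPH_HOSTS or not path:
        return None
    query = parse_qs(parts.query)  # percent-decodes the values

    def first(key):
        return query.get(key, [None])[0]

    raw = first("custom_events") or "[]"
    try:
        names = [e["_eventName"] for e in json.loads(raw)
                 if isinstance(e, dict) and "_eventName" in e]
    except (ValueError, TypeError):
        # Not strict JSON (as in the comment's sample): pull the names out by pattern.
        names = re.findall(r'"_eventName"\s*:\s*"([^"]*)"', raw)
    return {
        "app_id": path.group(1),
        "event": first("event"),
        "anon_id": first("anon_id"),
        "advertiser_tracking_enabled": first("advertiser_tracking_enabled") == "1",
        "application_tracking_enabled": first("application_tracking_enabled") == "1",
        "custom_events": names,
    }

def sdk_requests(urls):
    """Filter a list of captured URLs down to the parsed app-events requests."""
    return [hit for hit in map(parse_activities_url, urls) if hit]
```
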

[+] floatingatoll|6 years ago|reply
It’s generally not a good idea to clearly “wink wink” indicate how to abuse an endpoint, since that abuse can be easily interpreted under various criminal laws as malicious and worthy of prosecution. You could protect yourself against such accusations with more neutral language, starting with rewording the “litter” sentence.
[+] Daniel_sk|6 years ago|reply
A lot of apps are doing it without the developers even knowing about it (ask me how I know). You just integrate their SDK for social login or something else and it will start sending data to the mothership.
[+] bosswipe|6 years ago|reply
In my experience developers that integrate the FB SDK into their apps just copy-paste whatever code snippet Facebook tells them to do, which is always maximum data capture, without thinking of any of the implications. There's usually a way to limit data leakage while using the minimum FB functionality you want, such as only using FB for login without sending every damn app event to Facebook.
[+] fmjrey|6 years ago|reply
On Android the first thing you notice when you install a firewall such as NetGuard is the amount of applications that try to access facebook servers. It's mind boggling, probably 50% are doing so. And I'm not even on facebook at all.
[+] qwtel|6 years ago|reply
More breaking news: Almost every website sends data to google, even if you don't have a google account.

Singling out Facebook as the privacy nemesis while giving a free pass to "cute" conglomerates like Google reeks of class hatred and flavor-of-the-month-style pseudo journalism.

Opening vice.com link will send data to Google.

[+] ogre_codes|6 years ago|reply
Every time I read an article with Facebook in the title I'm a little more glad that I stopped using the service a while ago. Stuck using Zoom for work, but I do use it on a semi-quarantined device so it shouldn't be able to tie it back to my old Facebook account or online activity on my desktop.
[+] untog|6 years ago|reply
People crap on the web for its privacy record - justifiably - but at least you can open dev tools and see what the page is doing. Selling apps as being better for privacy just seems like a complete misstatement.
[+] Polylactic_acid|6 years ago|reply
And you can install extensions that do that for you and actually block the requests. I'm not aware of any tool to block the facebook sdk in apps.
[+] tyingq|6 years ago|reply
This is really somewhat sad, as it seems unneeded provided they have the funds to wait out the IT approval cycle.

They are handily beating WebEx, MS Teams, etc, on basic shit like showing more than four video feeds from participants, dealing with low bandwidth connections, etc.

Feels like they are doing revenue grabs too early. A little more patience and the contracts will roll in. Especially given how many stodgy companies are newly coming to terms with the WFH need.

Maybe temporarily extend the free plan from 45 minute meetings to 1 hour and grab some market share?

[+] karljtaylor|6 years ago|reply
Vice has one of the worst privacy policies in the entirety of media, so it's kind of a curious thing to see them complaining about. They don't mention they phone Criteo and AdNexus on every page load, and I'm pretty confident I see them using Facebook events too.
[+] lifty|6 years ago|reply
I like the effort started by Objective Development (creators of Little Snitch) called IAP: Internet Access Policy [0]. An IAP is a document that defines what endpoints an application connects to. Apple should get on this bandwagon and enforce it at the OS level, so that any application must ship this IAP document and only be allowed to connect to the endpoints listed in that document. Furthermore a user should have the option to see which endpoints/domains those are, and disable some of them.

[0] https://obdev.at/iap/index.html

[+] thedance|6 years ago|reply
I'd love to throw stones here but I'm just used to it. The official way of installing Ubuntu linux (and many other distros such as Mint) from a Mac, for example, uses a giant bloated piece of crap that includes not just the Facebook SDK but also the Google Analytics stack! I think it's a lost cause. There simply aren't enough good software developers active in the world and these SDKs can make it easy or possible for developers to ship product.
[+] perfectstorm|6 years ago|reply
Somewhat tangential but with method swizzling Facebook SDK can figure out the location of your device if the host app has location permission. You don't need the Facebook app installed, as long as the host app has location permission (say you give location permission to reddit app which has FacebookSDK), Facebook can piggy back on that to get your location.

PS: Replace reddit with any app that uses Facebook login. IDK if reddit uses FacebookSDK.

[+] ChrisMarshallNY|6 years ago|reply
Are they using a Facebook dependency? FB has a couple of libraries popular for use as UI libraries.

I didn't think they phoned home, but I could be wrong.

[+] RandallBrown|6 years ago|reply
It's probably used for install tracking.

Apple doesn't provide a way to know how a user found your app, but Facebook does. This is why the app I work on uses the Facebook SDK.

Basically, we want to know how effective our Facebook ads are at getting actual installs.

[+] floatboth|6 years ago|reply
They're using the Facebook SDK. The one for, well, interacting with Facebook's actual social network.
[+] danabramov|6 years ago|reply
If you mean React, it doesn't have any telemetry, and never had. (You can audit the code on GitHub, it's open source.)

The SDK in question is Facebook SDK which is completely separate from user interface libraries.

[+] itronitron|6 years ago|reply
Are you asking about React and GraphQL? I'm not sure whether they phone home but their development was certainly subsidized by abusing people's privacy.