The article skips a lot of context to make it sound significantly worse than reality. Facebook didn't just randomly give Netflix access to everyone's messages. A specific user would need to purposefully log in to the Netflix app with their Facebook account in order to grant Netflix access to the chat functionality (intended to send movie recommendations to Facebook friends inside the Netflix app).
And if a user consented to Netflix-based chat, Facebook overshared all chat data, instead of only the Netflix chat data, because they couldn't be bothered to build a properly isolated API?
That's like asking permission to read and write your entire phone, just to provide the ability to write and read back a file.
Note that everyone had access to the Inbox API at the time. We made an art project highlighting the invasiveness of such broad access:
"E-dentity is a project that asks a participant to login to its Facebook account, then takes his/ her private data from their profile and automatically prints them in an understandable booklet that is handed to the user. This booklet seeks to raise awareness of the hidden data we are sharing which we are often not aware of."
Thanks for the context, it's important. But from the link you posted:
> In order for you to write a message to a Facebook friend from within Spotify, for instance, we needed to give Spotify “write access.” For you to be able to read messages back, we needed Spotify to have “read access.” “Delete access” meant that if you deleted a message from within Spotify, it would also delete from Facebook. No third party was reading your private messages, or writing messages to your friends without your permission.
So here Facebook acknowledges that an app that sends messages needs write permission, not read. I would assume that sending a recommendation is a write-only thing, especially with something as private as direct messages. And it is a pretty well understood pattern. When you share something through iMessage, Signal or WhatsApp from a different app, the app does not get access to your chat history.
The allegations from Arstechnica are pretty severe:
> By 2013, Netflix had begun entering into a series of “Facebook Extended API” agreements, including a so-called “Inbox API” agreement that allowed Netflix programmatic access to Facebook’s users' private message inboxes
Strange naming "Inbox" for sharing API.
> in exchange for which Netflix would “provide to FB a written report every two weeks that shows daily counts of recommendation sends and recipient clicks by interface, initiation surface, and/or implementation variant (e.g., Facebook vs. non-Facebook recommendation recipients).
This is something that Netflix could do even without special access to the messages, since links originate from them. But so could Facebook, since they see the traffic in messages and can identify referral links. Looks like Titan API, whatever it is, gave even more access?
NYTimes article from 2018 [1] has more details, but it is still unclear if user consent was explicitly obtained for Netflix to read messages. But an interesting quote from Steve Satterfield, Facebook’s director of privacy and public policy:
> With most of the partnerships, Mr. Satterfield said, the F.T.C. agreement did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself — service providers that allowed users to interact with their Facebook friends.
A rather conspicuous statement by someone who has properly collected consent from users.
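The point made above, that a recommendation feature needs write access only and that read access on top of it is over-scoping, can be shown with a small scope-enforcing API plus the app-review check that flags such requests. This is an added example written for this page, not Facebook's Inbox API and not code from anyone in the thread; the scope names, the use-case labels and the in-memory inbox are assumptions constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Scope names are assumed for this example; they are not real Facebook scope identifiers.
const (
	ScopeMessagesWrite = "messages:write"
	ScopeMessagesRead  = "messages:read"
)

var ErrScope = errors.New("insufficient scope")

// Grant is what one user consented to for one third-party app.
type Grant struct {
	App    string
	Scopes map[string]bool
}

// Inbox is a constructed in-memory stand-in for a user's message store.
type Inbox struct {
	Messages []string
}

func (g Grant) has(scope string) bool { return g.Scopes[scope] }

// SendRecommendation needs only write access: the app never sees existing messages.
func SendRecommendation(g Grant, inbox *Inbox, text string) error {
	if !g.has(ScopeMessagesWrite) {
		return fmt.Errorf("%w: %s needs %s", ErrScope, g.App, ScopeMessagesWrite)
	}
	inbox.Messages = append(inbox.Messages, g.App+": "+text)
	return nil
}

// ReadInbox is the capability a recommendation feature never needed.
func ReadInbox(g Grant, inbox *Inbox) ([]string, error) {
	if !g.has(ScopeMessagesRead) {
		return nil, fmt.Errorf("%w: %s needs %s", ErrScope, g.App, ScopeMessagesRead)
	}
	return append([]string(nil), inbox.Messages...), nil
}

// minimalScopes maps a declared use case (assumed labels) to the scopes it actually requires.
var minimalScopes = map[string][]string{
	"send-recommendations": {ScopeMessagesWrite},
	"sync-conversations":   {ScopeMessagesWrite, ScopeMessagesRead},
}

// OverScoped is the app-review check: it returns the requested scopes that go
// beyond what the declared use case needs, sorted for stable output.
func OverScoped(useCase string, requested []string) []string {
	needed := map[string]bool{}
	for _, s := range minimalScopes[useCase] {
		needed[s] = true
	}
	var extra []string
	for _, s := range requested {
		if !needed[s] {
			extra = append(extra, s)
		}
	}
	sort.Strings(extra)
	return extra
}

func main() {
	// A write-only grant: sending works, reading back is refused.
	g := Grant{App: "recommender", Scopes: map[string]bool{ScopeMessagesWrite: true}}
	inbox := &Inbox{Messages: []string{"constructed existing message"}}
	fmt.Println("send:", SendRecommendation(g, inbox, "watch this"))
	_, err := ReadInbox(g, inbox)
	fmt.Println("read:", err)
	// The review check flags the extra read scope on a send-only use case.
	fmt.Println("over-scoped:", OverScoped("send-recommendations",
		[]string{ScopeMessagesWrite, ScopeMessagesRead}))
}
```

The review check is the part that matters operationally: a platform that lets an app request `messages:read` for a declared send-only use case, and approves it, has made the consent screen the only safeguard.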
> Disclaimer: I work at Facebook but not on messaging or anything related to this article
Same as "Hey, Googler here. Let me tell you how I'm right and why you should think this way."
> Facebook didn't just randomly give Netflix access to everyone's messages.
That's not at all what the title alleges, nor what the article says. The article (1) provides evidence that Facebook monetized user private messages in a data-sharing project with Netflix and (2) cites court documents that litigate Facebook having Jedi-Blue-like monopoly-preserving interaction with Netflix.
It doesn't matter what the Facebook TOS says or how the tech works. Human users never provided informed consent that their private comms would be monetized as well as used for anti-competitive un-American purposes (un-American as in the Sherman Act, altho creating a monopoly is perhaps very American indeed). And Facebook has done that time and time again.
So... this sounds like OAuth, with a nice consent screen that says I'm giving Netflix this access to my FB DMs. That's what you mean, right? Otherwise, what the fuck is the difference?
And really, as if this makes anything better, wow. Imagine having the feeling of obligation that you have to stick your neck out over this. Just take your over-sized salary and be happy knowing you work for one of the worst companies of our time. (despite my tone, at this point, I honestly say that without judgement, just ... own it.)
"Meta said it rolled out end-to-end encryption "for all personal chats and calls on Messenger and Facebook" in December. And in 2018, Facebook told Vox that it doesn't use private messages for ad targeting.1 But a few months later, The New York Times, citing "hundreds of pages of Facebook documents," reported that Facebook "gave Netflix and Spotify the ability to read Facebook users' private messages.""
1. "Does Facebook use info from your private messages to target you with ads?
No. Facebook says it might look at your private messages to determine if they violate the company's policies, but it doesn't use that information for ad targeting. Facebook won't use the contents of your private messages to target you with ads on Facebook Messenger, WhatsApp or Instagram either, according to a spokesperson."
If the messages are encrypted "end-to-end" or whatever the chosen marketing buzzwords are, so that Facebook cannot read them, then how is FB able to "use" messages for anything? One accustomed to normal communications services might think FB is storing and delivering messages and that's all. But in truth, it's "using" them. (For purposes other than complying with any request from a court of competent jurisdiction.)
Exactly what they might be doing is of course highly confidential. You are free to take guesses. FB may answer yes or no. Answers cannot be verified, so their value outside of marketing is dubious.
NB. Meta _is_ a third party. It feels as if some people believe they can redefine terms like "end-to-end", "third party", etc. As if they know many readers will happily go along for the ride.
They describe several cases where the E2E means user<->facebook<->otheruser. Some examples: group chat. Shared images. Shared URLs with snippets. Absolutely everything involving interactions with a WhatsApp "business account".
So they are not exactly lying. Just being extremely dishonest.
I'm not clear whether I understood what the article is claiming. It's clear they claim that Meta shared customer's direct messages with a business partner without notifying the individuals who sent and received the messages. It also SOUNDED to me like the article was claiming they did so AFTER Meta introduced "end-to-end encryption" (which would ALSO mean that they were lying about offering end-to-end encryption). Am I reading that correctly?
The cluster of allegations is that the Onavo acquisition put FB-designed and built rootkits underneath TLS on a significant fraction of all smartphones in the United States and that FB/IG (now Meta) used clear text access to ostensibly secure HTTPS sessions to extract arbitrary data from both competitors and partner companies to play poker with X-Ray glasses on as concerned all competition in an ostensibly free and fair and competitive marketplace while simultaneously creating scope for arbitrary other advanced actors to exploit the same intentionally crippled OS-level security at the cost of weakening the entire world’s digital security infrastructure for pure financial profit without so much as a FISA court order to justify such actions.
If substantiated, such accusations would be among the most damning in the history of technology.
I find the article quite confusing and unclear to be honest. Are there any other sources?
This is the original NYT article from 2018 https://www.nytimes.com/2018/12/18/technology/facebook-priva...
"Internal documents show that the social network gave Microsoft, Amazon, Spotify and others far greater access to people’s data than it has disclosed."
FB has supported e2e messaging since 2016, but it wasn't the default until 4 months ago (Dec 2023). So likely very few users had it enabled (much less on both ends needed to protect a message from FB).
The netflix deal starts in 2013. Even after 2016, e2e would just mean netflix would get slightly fewer messages.
So I don't see anything that would necessarily indicate FB is lying about e2e.
Agreed. I would like to read more details about the "access to the Titan API" that Facebook gave to Netflix. Has anyone read the lawsuit PDFs? Maybe more details are in there somewhere.
For me it sounds like they read the messages to measure sentiment (what people are watching / what they like and dislike / what they recommend / generic information about competition from other TV shows, movies and video games), but probably the system was "bugged" (plausible deniability) so those with access could read everything they wanted - be it messages made by employees from some competitor startup, or perhaps partners and sweethearts. Creepy stuff.
I don't recall this potential bombshell (maybe because it was shortly before a Christmas, and the NYT headline looked like just more of the same ol'):
> And in 2018, Facebook told Vox that it doesn't use private messages for ad targeting. But a few months later, The New York Times, citing "hundreds of pages of Facebook documents," reported that Facebook "gave Netflix and Spotify the ability to read Facebook users’ private messages."
This is one of the litany of bad things that happens when antitrust precedent is ignored and we allow a small number of companies to become large enough to dominate the economy.
But commenters here want that, right? They're railing against an API that allows data export and user ownership and demand that it be removed and all interoperability killed because "users are too stupid". This cements and entrenches monopolies because no one is allowed to compete or interoperate.
In a sense, things like Apple Mail are a problem for them because they use full access to the GMail account to extract private data over an API.
I find it interesting that the discussion on HN is narrowly focused on the technical/messaging access angle, rather than on the anticompetitive collusion. The collusion is the "big picture" root cause of so many downstream evils.
Buried in the article, but not just Netflix, Spotify as well.
The New York Times, citing "hundreds of pages of Facebook documents," reported that Facebook "gave Netflix and Spotify the ability to read Facebook users’ private messages."
There is a lot of confidential information in Facebook private messages, probably people cheating, plans to leave one's job, political organizing, bribes, illegal activities, etc. If Netflix gets access to this information, it is likely that other companies and 3rd parties got access either directly or indirectly.
Very scary what can be done with that information.
The encryption concerns here are a bit confusing IMO. Facebook owns the UI that shows you the text of the messages.
There doesn't have to be a backdoor into E2E encryption at all per se; a simple UI property check would give full access to message contents directly in the frontend code. Throw that into a private API and Bob's your uncle: decrypted messages that were transmitted with 100% secure E2E encryption.
How much effort did Meta put into building a legit competitor to Netflix/YouTube? It's hard to imagine they couldn't put up a decent competition with max user reach and $.
Just how great of a moat do YT/Netflix have? Is Disney the only one mounting a decent fight?
Tiktok is probably the biggest competitor to YT. But it had to come in from short form video angle, because the moat of YT in long form video is probably insurmountable. Its fate remains to be seen.
Hacker News is literally constantly claiming that there are too many competitors to Netflix and there needs to be some kind of compulsory licensing to reduce competition. Like there are hundreds of posts on the front page every week to that effect.
Meta never took Watch very seriously, just because it requires literally billions of dollars of investment and they clearly never wanted to spend that much.
They licensed Buffy the Vampire Slayer for the US, clearly saw it didn't move the needle much and they'd need to spend $5 billion+ to get there, and scrapped the whole idea.
This story seems very overblown. Are we arguing that Facebook should not ever allow any third party app to ask permission to read the user's Facebook DMs? There are valid use cases for this permission, and every case where an app asks for it is not a "privacy violation". Sure, did Netflix or Spotify actually need the ability to read back DMs instead of just write them so that they could send recommendations? No, they shouldn't have needed that. If Facebook's API required that they have read access just to send a message, then that's crap design. But is it nefarious? No.
As long as the user is appropriately briefed on what they are granting (and it appears that they were), and as long as Facebook addresses over-scoped permissions requested by third party apps in a timely manner, then this should not be an issue.
I for one believe that we need to mandate that FAANG companies have these sorts of permission-driven systems to avoid the vendor lock in we're all too commonly stuck with today.
Because these things are needed for competition to thrive and to keep the big companies from creating moats that prevent us, the startups out there, from trying to dethrone them, it's all the more important that these companies invest in better UIs that help a user understand the implications of what they are doing, and better review processes to stop bad actors from exploiting users' ignorance on an ongoing basis.
I despise Meta, but come on. Don't throw the baby (interoperability) out with the bathwater (interoperability can enable exploitation).
Remember that this site is full of people outright supporting monopolies and walled gardens when it comes to companies they like. So yes, they're absolutely defending removal of APIs that allow data sharing with explicit user consent.
From Zuck:
Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . . Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.
From Danny Ferrante (FB Data Scientist):
- We developed "kits" that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage (i.e., specific actions that people are performing in the app, rather than just overall app visitation). This is a "man-in-the-middle" approach.
- Our plan is to work with a third party—like GFK, SSI, YouGov, uTest, etc.—who will recruit panelists and distribute the kits under their own branding. We already have proposals from several of these providers.
- The panelist won't see Onavo in the NUX or in the phone settings. They could see Onavo using specialized tools (like Wireshark).
Two things are truly horrifying if this is true. 1. Just how normalized this behavior has become in Silicon Valley upper management circles. 2. That this has not gotten out earlier. Hundreds or thousands of employees at both companies could have reported this to the FTC or elsewhere.
tsunamihippo|1 year ago
https://about.fb.com/news/2018/12/facebooks-messaging-partne...
Disclaimer: I work at Facebook but not on messaging or anything related to this article.
lupire|1 year ago
That's like asking permission to read and write your entire phone, just to provide the ability to write and read back a file.
some1else|1 year ago
https://github.com/some1else/Edentity
YeBanKo|1 year ago
[1] https://archive.is/DH17k
ionwake|1 year ago
I dunno I’m surprised I’m still surprised these days
lesuorac|1 year ago
So, it could work exactly as it sounds and you'd have no idea?
---
Although I'm not sure the complaint [1] (linked from the article) actually says that messages were given.
[1]: https://cdn.arstechnica.net/wp-content/uploads/2024/03/compl...
1vuio0pswjnm7|1 year ago
https://www.vox.com/2018/4/11/17177842/facebook-advertising-...
leidenfrost|1 year ago
The point of e2e is to block any third party from seeing your conversations by sniffing packets. Not to stop Meta themselves.
tobias2014|1 year ago
Facebook promised E2E at the end of 2023.
kylecazar|1 year ago
'granted programmatic access to FB user's inboxes' could mean a lot of things. What privileges? I read the article and still can't tell.
I don't believe that Meta allowed Netflix to read messages that a user sent or received, but that seems to be what they're implying.
neilv|1 year ago
2018-12-18 https://arstechnica.com/tech-policy/2018/12/report-facebook-...
2018-12-18 https://www.nytimes.com/2018/12/18/technology/facebook-priva...
_heimdall|1 year ago
Who cares if it was for ads, giving third party companies access should be a huge problem with or without ads.
scarface_74|1 year ago
This is a case of possible “collusion” not anti trust
dbg31415|1 year ago
They don't do creepy things on occasion by accident, they do them intentionally by default.
Same old story for the last 20 years. Zuck is creepy AF, everything he touches is creepy AF.
https://www.businessinsider.com/well-these-new-zuckerberg-im...
itioo|1 year ago
I have a Gmail account because everyone needs email these days, and an iPhone with Gmail and banking and little else “online”
Sorry not sorry tech people but I never really asked to be born or have your existence specifically but on me specifically.
You’re society’s problem, not mine. It can deal with it without knowing I exist.