481 comments

[ 2.7 ms ] story [ 218 ms ] thread
(comment deleted)
So I was trying to remember the buff old guy from Avatar, Stephen Lang. Once I found him, I noticed that I am suddenly being recommended videos on YouTube that include him.

Okeydokey, machine-learning, moving on.

Anyone got a non-paywall link?

Is there a reason for me to not flag paywalled submissions?

(comment deleted)
> ”Is there a reason for me to not flag paywalled submissions?”

The FAQ is clear on the mods' stance on paywalled articles:

(https://news.ycombinator.com/newsfaq.html)

> "Are paywalls ok?"

> "It's ok to post stories from sites with paywalls that have workarounds."

> "In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic."

> It's ok to post stories from sites with paywalls that have workarounds.

I got around the wall by getting there from the Google search results.

It's usually easy to click the 'web' link on the top of the discussions page and follow the first result on google.

I believe there have been many discussion on the utility of paywalled articles and I believe the discussion has mostly settled on allowing it as long as it is easy to circumvent.

OT: actually interesting to see how the author worked backwards to understand why he is receiving adds. Still: all this, and still they keep showing adds for stuff I recently bought...

Showing ads for stuff you recently bought happens to be extremely valuable advertising.

Sometimes the first order doesn’t arrive, or you want another one for the office... You think the chances of that are low, but they are still far better than showing you a generic ad.

Rarely would the author of an article have any kind of control over the advertising shown on the page.
Display ads, get ad-blockers. Demand cash in exchange for delivering articles, get complaints.

Publishers really can't win, can they?

Quick tip: search for the article's name on Google and click on the link from the results.

They could start by not demanding a full subscription and a user login for a single article.

Also, the Google trick won't work if you bounced off the paywall already, you have to open a private tab or clear cookies.

"Is there a reason for me to not flag paywalled submissions?"

People worked hard on the article. Should they not get paid for their work? Do you feel you shouldn't be paid for your work?

The claim of the article is that it would be technically infeasible - and they go into how difficult it is to interpret context. However simple keyword matching would be more than enough.

Facebook has a lot of compute resources, but they wouldn't have to use it. Your smartphone is more than fast enough to do simple speech recognition. The accuracy rate wouldn't have to be that high - you won't get mad if you see an ad for a misheard keyword.

Wouldn't that destroy your battery life?
I don't necessarily believe that FB was literally listening to the phone mic, but it is the case that the FaceBook app was a notorious battery hog.
Radioshack sold a voice recognition chip in the 80s[1] that was a simple 8-bit microcontroller. If you are willing to slip on the accuracy and false positives you can do recognition with very little computation.

[1] http://21stdigitalhome.blogspot.ca/2013/06/vcp200-voice-reco...

"80s" - "voice recognition" - "accuracy" - which doesnt fit?
your wrong preconceptions don't fit :)

the downside was power usage. Motorola made one that was power efficient, used by nokia in the 90s and its pretty much the same chip in google's phone line today (just even more power efficient).

division is under lenovo now

Does the Assistant listening for OK Google destroy your battery life?

Your phone reads sensor data as a base state.

Not really. These have hardware dsp support. The drain is minimum.
The Google Now only listens for the trigger phrase when idle - which is done all locally, without needing to talk to the servers.

It has a battery impact but much less than sending all the voice data continuously to a server somewhere. The biggest battery killer would be the wifi or 3G transmitting non-stop in that case.

It wouldn't have to transmit non-stop -- it could do some parsing/cleanup locally, then queue it up and upload it periodically with other, expected FB traffic.
The Facebook app does destroy the battery life of certain phones at least. That is the only reason I've actually seen people uninstall it for.
It does. Uninstall FB and see how long you have to go between recharges. In my case it's every day with FB, and every 3 days without.
I was thinking the same thing. Also not claiming to have any real idea of as to what they are actually doing but certainly having access to everyone's phone gives them a ton of distributed computing power for free.
>I was thinking the same thing. Also not claiming to have any real idea of as to what they are actually doing but certainly having access to everyone's phone gives them a ton of distributed computing power for free.

Only if by "everyone" you mean people foolish and vapid enough to use Facebook and give them access to your phone.

It would be extremely easy to implement.

Ad is easy. You don't have to understand context. Just listen for a thousand or so keywords related to products that are paying you. Then if detection happens apply some rudimentary sentiment analysis on the surrounding phrase and that's all you will ever need.

if you have a couple millions for me to start a small team we can offer this as a service next month or two.

The last thing to install on ones phone is FB app - technically one gives up all privacy. If you need to use FB then stick to browser and clear browser data afterwards.
It's potentially not just the app. The Facebook SDK is embedded in probably 50%+ of _all_ the apps we use e.g. In top 10 most popular cocoapods - https://libraries.io/search?order=desc&platforms=CocoaPods&s... - the FBSDKCoreKit - https://libraries.io/cocoapods/FBSDKCoreKit
But that’s open source and can be audited.
Yes but there's a gap between "can be audited" and "is being audited". If they got caught doing anything malign they can just pull the "oooops we didn't mean to" defence as they've done before[1] - their track record here says "if we can find a way, we're at least going to experiment with it"

Also consider this in the light of recent EU rulings on Facebooks tracking of non-users via the Like button on websites being an illegal violation of privacy[2]. As usual the law lags the technology by many years - was the EU even aware of the Facebook mobile SDK being wisely installed in many 3rd party apps when they made this ruling? (edit: reading the report from the University of Leuven it seems they were at least aware of the implications of things like Facebooks Mobile Advertiser network)

[1] https://www.google.ch/amp/s/techcrunch.com/2015/10/22/facebo...

[2] https://www.google.ch/amp/s/amp.theguardian.com/technology/2...

Sometimes it even comes pre-installed, for your convenience ;)
When I was still on Facebook, I used a 3rd-party Facebook app alternative. I forget which one exactly, but I distinctly remember being impressed that it barely needed any permissions.
You also give up most of your privacy if you buy a smartphone with an OS made by Apple or Google.
Citation needed if you're going to include Apple in that group.

Here's Apple's privacy policy: https://www.apple.com/legal/privacy/en-ww/

And yes, it's followed relentlessly.

Seems like I've been a bit too quick to judge. Apple has made some changes to reduce fingerprinting of devices: https://stackoverflow.com/a/6993440/321749
Sidenote: this applies to 3rd party apps. Lets remember Apple vs. Google is very real, so playing the privacy advocate is not only good marketing for Apple, but also allows them to interfere in Google's ability to track users like this.

Ad blocking is another example; allowing it in iOS was probably a strong blow against Google.

Apple can and does collect a lot of data from your phone. Their business might not rely as much on individual targeting, but they still want to understand users as much as possible and have the means to do so.

Apple was involved in a very controversial case in 2011 [1]. IIRC, the resolution involved nothing about them claiming that tracking user location without their consent was bad, and focused only on the fact that the data was easily accessible a by 3rd parties.

In fact, they still collect tonnes of data from phones, but now they're more careful about the data not being user-accessible. A few quotes from the link you posted to their privacy policy:

> "We also collect data in a form that does not, on its own, permit direct association with any specific individual."

The "on its own" sounds a little scapegoat-y tbh.

> "We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used"

You can learn and infer a lot from those vectors. Towards the end of the paragraph they also mention that they use this data, amongst other things, to deliver "better advertising".

> "We may collect information regarding customer activities on our website, iCloud services, our iTunes Store, App Store, Mac App Store, App Store for Apple TV and iBooks Stores and from our other products and services. Aggregated data is considered non‑personal information for the purposes of this Privacy Policy."

Ofc.

> "We may collect and store details of how you use our services, including search queries. [...] Except in limited instances to ensure quality of our services over the Internet, such information will not be associated with your IP address."

Ensuring "quality of services over the Internet" is _incredibly_ broad. For a company like Apple it could apply pretty much to anything tbh.

A lot of people don't know Apple collects all this data; and part of it is probably the fact you can't disable this collection. Only App usage, the one that might also be shared with 3rd party devs, is optional.

Thinking Apple doesn't take part on Google or Facebook scale data collecting because they sell phones and not ads is not only inaccurate (they do sell ads), but also a little naive. Data is very valuable. I'm not saying Apple doesn't care about privacy; their business model relies a less on individual targeting than Google or Facebook, but they're also in on the game of understanding users as much as possible, and given they control the phone they're in very deep.

[1]: https://arstechnica.com/gadgets/2011/04/how-apple-tracks-you...

> Data brokers run personal information through an algorithm before uploading so it’s not identifiable, Facebook says, but it still can be matched with Facebook account information.

You keep using that word...

Well, if you had known what you were looking for you would have seen it written on my dorm room window.
Similar Guardian article with no paywall: https://www.theguardian.com/technology/2017/nov/09/facebook-...

That said, this is a quite silly conspiracy theory. Believing the "recording" theory requires you to believe that Apple and Google both are in cahoots with Facebook to give them a rootkit-like API for mic and location access that override all of the OS-level controls and warnings about when that hardware is in use, and hide it from the data and battery usage stats on the phone.

This API, when (not if) found, would be a watershed moment for privacy legislation directed at all three companies. Little to gain, potentially the whole farm to lose.

>this is a quite silly conspiracy theory.

Seems like you put conspiracy theories in two boxes. So what's on the other box?

Theories with evidence to support them.
Reasonable box label. I meant what's inside.
As an example, the degree to which government agencies are involved with snarfing up private communications from Americans with almost no real oversight. Mostly out of the bogus box when Carnivore came to light, completely out when Snowden did his leaks.
> requires you to believe that Apple and Google both are in cahoots with Facebook to give them a rootkit-like API for mic and location access that override all of the OS-level controls and warnings about when that hardware is in use, and hide it from the data and battery usage stats on the phone.

You mean like when they gave Uber special access to grab screenshots even when the Uber app wasn't running? Yeah, totally impossible to believe.

You mean the access that had a completely legitimate reason to be used and was trivially located by way of reading the app's manifest files?
I don't know of any access to record my screen that I didn't authorize that is legitimate, so you must be talking about something different.
Let's can the snark. That access was only ever used for screen rendering for a flagship app on a flagship device, temporarily.
You started the snarkiness and now that it's being used against you, you are upset? You said that the app would have to have special access, and that it would absurd if they were given that. But they were given that.

I can only believe that you are trolling at this point, and won't discuss this any further with you until you bring arguments in good faith.

We're talking about two different things here; in Uber's case, they were given access to an API in a completely above-board way. There was a legitimate reason, the access was used to work around a hardware limitation in a temporary way.

In this case, you're talking about something that completely bypasses the entitlement/permission control of the OS, something which both Apple and Google have no reason to ever add. Uber actually used a private one with Apple's consent, (the com.private.apple- entitlement) while there is no evidence of any such private APIs being used in the Facebook apps.

Calling people trolls when you disagree with them because of your own misunderstanding isn't allowed here.

It's worth nothing that the reason security researchers haven't just intercepted the traffic from the Facebook apps to see if its transmitting voice data is because the apps use Certificate Pinning, which prevents the SSL traffic from being decrypted using the SSL certificate generated by mitmproxy/Charles.

In light of that restriction, what might be interesting is looking at the amount of data transferred by the Facebook app with/without the microphone/location services enabled. (this is a data project I have in the pipeline)

Note that while certificate pinning does make reverse-engineering harder, it's also a legitimate security feature; without it, anyone who controlled a CA (including most major governments) would be able to forge a certificate and use it to spy on users.

Certificate pinning is a hurdle to reverse engineering, but a surmountable one, at least on Android. Since the app is running on a phone where you may potentially have root, you can pick it apart with a debugger and see the traffic before it leaves the phone. This is technically challenging, but it is something that people do sometimes.

CA?
Or you can find and replace CA file/string with your own and then do mitm. There is virtually no way app developers can defend against such hacks on any platform owned by user (so, everywhere except on Apple devices).
Would something like this work as a method to authenticate authentic clients?

http://www.cnn.com/TECH/computing/9908/20/aolbug.idg/index.h...

Paraphrasing the article, it would be for the server to use undefined behavior in the _authentic_ clients to determine that they were in fact authentic. In this case, a buffer overflow doesn't appear to crash the client, but lets the server know that it's talking to a legitimate client. That's quite clever.
On jailbroken devices such an effort would be about as trivial.
It's more annoying than you'd think if your adversary anticipates this and designs around it. Fragments of the CA can be used within the codebase, effectively making you need to pull everything apart and with security canaries and embedded interpreted scripts even if you're getting close you never know if you're still black and if you're still seeing the same thing as everyone else.
Well, it turns into a reverse engineering arms race at that point. There's no way they can guarantee anything, but they can throw resources at obfuscating things more.

If you're the reverse engineer and I'm the app author, you find/replace my CA file. Then I respond (or anticipate!) by checksumming the file to detect tampering. Then you respond by find/replace on the checksum.

Then I obfuscate the checksum string. Then you respond by faking out the platform's checksum API so that it always returns true. Then I respond by computing a checksum that I know should fail and verifying that the checksum API isn't just always returning true. Then you respond by faking out the platform checksum API with a whitelist of blobs whose checksum it should lie about.

Then I respond by statically linking my own checksum verification code into my binary instead of calling the platform's. Then you respond by patching my binary to jump around the code. Then I respond by using code obfuscation techniques.

And on and on. Given enough time and resources, any implementation I create can be subverted. But if I'm a huge tech company, I can afford a lot of time and resources too, if I want to. I can't eliminate it, but maybe I can make it something that rarely happens.

But if I'm a huge tech company, I can afford a lot of time and resources too, if I want to. I can't eliminate it, but maybe I can make it something that rarely happens

The whole cracking scene can afford far more time and resources than any one tech company. All adding protections does is make a more valuable target, because crackers love a good challenge.

"There's always a crack in everything. It's how the light gets in."

> But if I'm a huge tech company, I can afford a lot of time and resources too,

Can? Sure! Would?

Security is one of those things that most people say they care about, but they are really not willing to pay for. Big companies have resources, but they are also in the business of making money, so they will put most of those resources to work on features that produce a ROI. Security is a huge cost center, and even when taken seriously it will be pursued only to the degree that it addresses/mitigates risks enough to conduct business.

Not really. A skilled reverse engineer does not find/replace any certificates, or anything like that. They just debug the app, stepping over all the code, instruction by instruction. There's no way you can beat that. I'm a malware reverse engineer - I work with this kind of stuff every day. And I'm pretty sure there's no 'game': once the binary is in my disassembler, it's over.
It's funny how all the security measures for "your safety" always seem to reduce user's transparency and control.
It's an unfortunate feature of reality.

From the point of view of software, it's impossible in principle to tell whether or not the code being executed does what the user wants it to, and only what the user wants it to. Half of that is the halting problem, the other half is that "what user wants" is an General-AI-complete problem. Moreover, the software can't even tell the difference between "the user" and "a malicious third party".

In meatspace we solve this problem with rules and laws. Software, for better or worse, moves around too fast.

Not really.

I gave it a thought, and decided I don't need apps to be able to obtain highly elevated privileges, root or similar. This is, indeed, dangerous, esp. regarding ADB root access (a rogue "charger" + an accidental wrong tap[1] = totally compromised device that can be only fixed by full re-flashing). I needed my own firmware that does things my way, signed with the keys I control.

So I did. Now all the "secure" apps are happy, and I still have the control over my device's behavior.

( Okay, I've cheated - I had to sanitize androidboot.verifiedbootstate when kernel initializes, because I can't control the bootloader :( )

[1] Hm, maybe password-authenticated root access is okay, though... But not a typical "tap to allow" dialog.

It's the same problem posed by child-proof lids of drug bottles.
I think Android has features for detecting whether the device is rooted. Facebook could then disable spying, in effect Volkswagening the situation
Magisk (Android root utility) has the ability to hide itself very well. Google Pay and most, if not all, banking apps are not able to detect it. It is a cat and mouse game for sure, but so far the Magisk developers are keeping ahead of that curve.
Wasn't the most active development on Magisk from when Pokemon Go was really big? I remember there being an arms race with Niantic at some point.
If I’m not mistaken, it is common for windows malware to act differently if it is running inside a VM, to avoid analysis.
You could vary the complexity to encode the sounds you input (silence,pure tones, white noise, psychocoustically weighted white noise, etc.) to prove that that they're transmitting them.
Facebook recording voice data and transmitting to their servers in the US is not only highly illegal in most parts of the world it's also unacceptable to basically everyone. At some point it would have been leaked internally.

The idea that Facebook is doing this is just ridiculous.

Surely no large organaization has ever been found to be doing illegal or unwelcome things.
Quite sure that listening to the conversations of billions of people is on a different scale than what you typically see.
I suppose you don’t see things of this scale often but I would argue that big things like this are happening all the time. I was watching recently some interviews from 2005 about the justification for the US invading Iraq in 2003, and the disparity between what the public was told about WMDs and what the security community believed was maybe on a similar scale (depending on how you view privacy and war). And then the people who made decisions that led to the 2008 financial collapse were doing things that hurt people on what you may consider a similar scale, depending on how you view robbing people of their wealth versus robbing them of their privacy.

Facebook invading our privacy by recording persons of interest or the people en masse would be horrible and in many ways unprecedented, but it wouldn’t be beyond the levels of abuse we have seen from powerful people in the past. I can easily imagine that the app supports hot mic capabilities and that they do turn it on sometimes at least at the request of law enforcement. And then the question is... when else would they turn it on? And would that program ever grow? Would they ever fork the program so each team involved thinks there working on a small project? This is all speculation but I can imagine a situation where it starts small and then grows until it seems like an insane program but everyone involved is accustomed to it.

^ actually, IMHO the fact that you assume that "The idea that Facebook is doing this is just ridiculous." is what is ridiculous.

Some companies do "highly illegal" things all of the time. It all comes down to the fact that whoever is in charge:

1) doesn't hold to a moral system that restrains them from doing said illegal things (or at least doesn't hold to one consistently)

and

2) thinks they can do said illegal things without getting caught, or if they are caught, thinks they'll be able to recover reasonably well from any punishment (if there is any) that is handed down.

Personally, I do not know whether Facebook is recording/transmitting data like this, but I guess if I found out they were, I would not be surprised -- given the things the company has done in the past, and the things their leadership has said and done in the past.

What if they just analyze the audio locally for keywords, and then transmit that?
Most of the analysis done about this controversy boils down to Facebook not listening because they can buy it otherwise obtain data that is more effective.

When you read their responses to this controversy, pay more attention to what they don’t say. Whomever aggregates your viewing habits by listening to audio from your TV may be listening, for example, Facebook just Hoovers up the data.

Leaked internally... to Facebook employees...
You could also look at the variance in amount in different environments for different sensors (noisy/not noisy), (complex image/flat color).
Chrome is moving away from certificate pinning [1].

Even if it's an issue, a security researcher could recompile Chromium or Firefox with certificate pinning turned off and test with that.

[1] https://groups.google.com/a/chromium.org/d/msg/blink-dev/he9...

The browsers are moving away from certificate pinning. The apps aren't, as they control both ends. If I made a Facebook replacement today i'd do it too.
Couldn't someone just patch the binary to accept a different certificate? Or for that matter, read the decompiled bytecode and figure out if the app is listening? Or run a patched Android that logs all microphone API calls?

I suspect I'm overlooking something, as surely some security researcher would have done some of this already.

Yup, patching the binary works fine.
Unless that package/binary is signed - which Android ones are.
Then patch the signing...

...and if the signing code is also signed, then patch that.

It's patches all the way down. ;-)

Wouldn't it be possible to crack an app (decompile etc) to disable Certificate Pinning? What comes to my mind also is a debug to obtain TLS master-secret then one can decrypt encrypted stream post-factum (Wireshark accepts master-secrets).
While certificate pinning is annoying, it's just an obstacle not a roadblock. I haven't met a security research that mentioned this to be a prohibitive feature.

There are couple ways out, from revers engineering the binaries, through jailbroken/rooted phones, running apps in simulators, etc.

You can't beat certificate pinning with offline analysis?
You can, if you want to read reverse engineered code. Takes more time, but completely doable. I do that on all Android apps.
Facebook already has plenty of issues with people not trusting them. Lying about this and then being caught red handed would be devastating from a public opinion perspective. Even if you assume a completely amoral team that cares about nothing but ad revenue, do you genuinely think they’d risk something as dangerous as that? Especially given how much you can still achieve with the data that is known to be collected?
in the current climate, getting caught doing anything just means you have to slime your way out of it, rename/rebadge the activity and then carry on when the attention goes somewhere else.

is uber still the most hated company or has the magnifying glass moved onto somewhere else?

What makes you think that user trust isn’t one of the things they’re willing to break in order to move fast?
I've met a lot of people outside HN who believe FB is listening to their conversations through the mic. I haven't yet met one who has stopped using it as a result.

I think you wildly overestimate how angry users get about privacy violations. For examples, Target, Yahoo, Home Depot, and Equifax have not been screamed into rubble.

To be fair, people who believe that are not bright bulbs. They fail at very simple statistical analysis and conspiracy theory testing.
To be fair, almost everybody fails at statistical analysis, even scientists whose work depends on it.
Many of them haven't stopped using facebook, but many have uninstalled the app.
How devastating would it be, really?

It would likely be a blip in the news, and then people would move on, as usual.

Remember the Sony rootkit fiasco? People still buy Sony, and most people probably either never heard of that incident, don't remember, or don't care. Buying whatever the new Sony gizmo of the day is is more important to them.

Microsoft has had endless spyware fiascos, and people still routinely buy Windows, as long as they can play their games or run Office, that's all that matters to most of them.

Then there have been scandals like Enron, where the execs knew that they were doing something that was clearly illegal, and that their company really would be devastated if what they did was ever revealed. These "smartest people in the room" did it anyway.

Corporate history is full of just such deceptive and destructive practices. I'm not sure I'd put Facebook above that sort of thing, a priori.

Exactly. People would be outraged! and they will happily log into Facebook to post their outrage about Facebook.
I remember when some news broke about Facebook doing something or other a year ago and the common response seemed to be to make an official sounding wall post saying "I do not give Facebook the right to do X with my data", sort of like Michael Scott yelling "I declare bankruptcy!"

I can see that happening again with voice recordings.

Speaking of badware: last week I found Mac Afee installed on the laptop of a relative that I manage. I assured me that he had not installed it himself (I had not installed anything actually). Could it have come from windows updates ?
if you manage their device there's a great chance they have no fucking idea what they're doing and could easily have installed it unintentionally
No, Windows Update doesn't distribute third party software. And even if it did, MSE is technically a competitor to McAfee so there wouldn't really be a solid reason to distribute it.

Your relative probably installed something and pressed "Next" through all the dialogs including the ones asking if they want to install super helpful bundled software.

McAfee comes packaged in the installation of some other software, e.g., Java, where it can easily be installed by mistake if you aren't paying attention.
True. At the same time, there are pretty solid rules against recording the audio of someone's conversation that would be unambiguously illegal and allow for actual prosecution.

But it's an interesting question: if someone credibly proved that FB was "wiretapping" on such a massive scale, would they get prosecuted? How much could they do in their own defense? Are they so enmeshed that prosecutors wouldn't bother?

Feels like a case of "unstoppable force meets immovable object".

Any app that had microphone permission at all already has your permission to use your microphone.
Uber broke almost every moral rule and still everybody's using it.
I refuse to ever install the Uber app, specifically because of their conduct.

So not literally everyone... but still many.

I can see someone having to install the uber app... but having to install the facebook app? just use the web app... that might be possible with uber too but I'm not sure because I don't use uber
m.uber.com works fine without installing anything.
The Uber app was "helpfully" pre-installed by Microsoft on my Lumia 950.

It was the second to go, just after Facebook.

> being caught red handed would be devastating from a public opinion perspective

For what it's worth, this public opinion backlash has not appeared with other companies: "Of course we're not working on leaked project [x]". "Look at project [x] we're working on!"

Even Facebook's own under-disclosed psychological experiments have been largely forgotten; Facebook has suffered few if any long-term ill effects from it.

The psychological experiments scandal was a nothingburger from the start. Facebook is not an academic research institution. They already operate with user's consent. Every business that engages in advertising or product design is performing psychological experiments.
Their customers love it, and with customers I mean advertisers. For users to leave there must be somewhere to leave to. And there needs to be another business model that does not depend on marketing. Maybe selling actual hardware, with built in social media.
Hubris is powerful. Look at the dumb behavior exhibited by Uber as an example.
How much worse would being caught lying be compared to straight up admitting it? I'd say it's worth the risk for them.
"which prevents the SSL traffic from being decrypted using the SSL certificate generated by mitmproxy/Charles"

There are some shady companies out there [1] that use the mic to listen to what shows are being played real time. [TVs in the US are on all the time] (Check out their customer list). These companies need this pinning.

[1] https://www.audiblemagic.com/

Different (esp. older) versions might be another variable that would be of interest to a researcher.
Is there any reason that pinning should not be optional?

In other words, any reason that the user should not be able to "disable" it? (Use own root CA.)

Consider that in this case, the data being transferred to Facebook belongs to the user.

Is it unreasonable for a user to require that they be able to see what data is being transferred before they agree to transfer it?

Enterprises do this on PC --- they have to be able to MITM all their user's traffic. Not sure how mobile devices are covered.

As for transparency, look to GDPR and friends to see what rights are being declared.

Considering that certificate pinning protects hacked user devices from making insecure communications, it would completely defeat the point if the user could disable it.
I don't think so. Certificate pinning protects from rouge CAs.
Certificate pinning is relatively easy to disable on jailbroken iOS devices and rooted Android phones. I'm not highly technical and I did it myself to sniff Snapchat traffic 2 years ago. Any half competent security researcher should be able to do this trivially.
If the speech recognition is done on the device, the amount of data could be very small indeed. If I was to do this, what I would do would be to defer the heavy lifting of speech recognition (if it caused any significant load on any of the chips) and perform it in the background, later, when the device is known to be plugged in to power. That way this kind of work would not be impacting the battery. I don't think looking at the amount of data is going to tell you much unless they have done things in a spectacularly stupid way.
Speech recognition is quite compute-intensive and the load of running it on the device would be obviously detectable - not necessarily by random users, but definitely by any security researcher who'd care to do so.

Also, storing the data until it's plugged in would require an unusually large amount of storage, and that would be detectable.

I was replying to a commenter who was proposing to inspect what was being sent over the network, if you'll just read what they said.

That aside, speech recognition isn't that heavy of a process these days if all you're looking to do is extract keywords. We used to do industry-leading large vocabulary continuous speech recognition on a Pentium 133... phones these days are way beyond that without breaking a sweat. Detectable? Sure. But remember, I was talking about this person's plan to look at network data.

Furthermore you don't need to store all data. You can store only when the phone is hearing stuff, as determined by a super lightweight measure of magnitude that does no speech recognition whatsoever. Is the storage detectable? Sure. But again, what was I responding to? Network traffic monitoring.

why not inspect the traffic locally before it gets encrypted?
This is why I like Caffè Nero's loyalty cards. They are little pieces of cardstock with nine coffee cups printed on them. You get a stamp every time you order. Once all nine cups are stamped, redeem the card for a free coffee. There's no PII on the card and your name isn't going through an additional computer (on top of the standard 17 a day, per Cereal Killer).

More places should do this.

This is the kebab shop business model in Europe, is it really that rare to find simple loyalty cards with stamps where you live (assuming USA)?
This is the USA we're talking about, where if an unethical way to wring out more dollars doesn't have a law explicitly forbidding it (and there are laughably few such laws here), it WILL be used against you.

I know of a few places that have simple stamp loyalty cards. Oftentimes they are mom and pop shops, or chains still finding their footing. Most cards are electronic and want a name and phone number associated with them.

App loyalty cards, while still having some information on you, are largely about large merchants (ie starbucks) avoiding credit card interchange fees by giving rewards for people who load money to the app and purchase from there.

So, all incentives are not against consumers. The merchants avoid the credit card oligopoly fee and pass on the rewards to consumers.

Avoiding a credit card processing fee could be done the same with with a punch card.
By having a punch card and forcing customers to use cash? While cash is making a come back in many places, there are still plenty of potential customers who would not buy if cash was required.
I wasn't aware a punch card was "cash-only".
At this point I think I am unaware what a punch card is. I was assuming a card that gets punched each time you visit a place, and after N punches you get an item for free. Is that right or totally off?
Lol! Yes. I think we're both confused. Let's just leave it.
Loyalty stamp cards are pretty common, but most chains (Starbucks etc.) have loyalty apps instead of loyalty cards.
Every pizza shop seems to have one in France. I've seen hairdressers with stamp cards in Germany.
Sounds super easy to make your own stamp then. ;)
Yeah, you'll probably be able to get away with that about once per location, give or take.
I've seen a ton of custom hole punches being used in this case more than stamps.
Your fingerprints are all over that card! All I have to do is wait for one of those cards to hit their trash, and I'll have a pretty good idea of how long it takes you to fill one up, and so how much coffee you drink.
I put my Caffè Nero loyalty card in the same pocket as my phone (which runs the Facebook app).

I have no way of proving this but I'm pretty sure they used my camera to read the card because the next thing I knew I was seeing ads for Starbucks (a competing coffee chain). I have never said Starbucks out loud and suddenly I am seeing ads.

Highly unlikely. More likely they're using location tracking or a shared data source to know that you like that specific coffee place.
I don't buy it. There was nothing else in that pocket.
Your pocket is irrelevant. Location tracking and shared marketing databases have nothing to do with what was in your pocket.
So you think it was my pants?
"Location tracking and shared marketing databases"
“I haven’t checked but I don’t think I’m in too many databases.”
Neato. Well dude you got your answer, take it or leave it. I understand acting dumb and trolling is fun too though.
That's silly. That probably costs them $0.XX to make.

Loyalty apps/datasets literally print money in comparison.

Am I alone in being horrified by the reality that many people today consume most if not all of their news and entertainment holding a camera and microphone on proprietary communication systems running software controlled by the same entities producing the content?

How is this not the greatest threat to democracy in the entire history of democracy?

Yes you're probably alone amongst other conspiracy theorists.

Firstly, at least on iPhone users know when camera/microphone is being engaged. Secondly, the entities you talk about don't produce the content. Users do. Thirdly, it is completely and utterly stupid for them to cross the line when it comes to privacy. Which is why they largely don't.

> Firstly, at least on iPhone users know when camera/microphone is being engaged.

How can you know that on a closed system? There's no hardware indicator.

> Thirdly, it is completely and utterly stupid for them to cross the line when it comes to privacy.

Yeah, I'm super glad nobody else has done that because it would be sooooo stupid to do

/sarcasm

So it started with being Facebook is secretly recording you. Now it is Apple has secretly embedded a backdoor in the hardware and OS of the phones. Specifically so Facebook can use it to secretly record you.

A conspiracy of thousands of people ? No that doesn't sound crazy at all.

The point is we don’t know what goes on inside our computers, they’re proprietary, they’re closed and we’ve had some pretty shocking revelations already. It’s absolutely not outside the realm of possibility.
It's also possible that Apple has embedded a grenade inside each iPhone.

That's about as likely as them enabling the microphone specifically so Facebook can invade everyone's privacy and commit espionage on a scale never before seen in human history.

It's just another step in the long slow boiling of the pot. The mass media already are nearly uniform in their interpretation of events with the exception of how they inflame cultural grievance. The American public is the most heavily propagandized in the world.

https://medium.com/@caityjohnstone/no-there-will-not-be-any-...

Edit: removed a section of this comment because it seemed too much to me.

> Here's an example of someone that has encased himself inside of corporate propaganda so completely that it physically surrounds him at work, at home, and even his inner thoughts:

Interesting piece, but was the rent of that place $4800 per month? How does that make any sense?

I am coming around to the idea that this particular grievance-- at least the camera and microphone bit-- is the "terrorists" of privacy.

That is to say: it's an absolute bad thing and is a concern. But because it's so easily visualisable and conceivable, the actual threat is blown way out of proportion, and much less sexy threats that are much more important are ignored.

You're more likely to die slipping over in your bathtub than being killed by terrorism, etc.

I guess the "slipping in your bathtub" for privacy would be the consumerist / capitalist / deregulated culture that allows, normalises and incentivises trading away privacy for convenience with no real pushback. Which in turn actively discourages keeping your privacy, because it's like: why play some constrained rule-set that disadvantages you and no one else plays by?

If in the 1980s, during the height of the Cold War, you had predicted that in 30 years virtually everyone would voluntarily be wearing tracking devices that pinpointed their location 24 hours a day, and voluntarily carried recording devices which could at least in principle record everything they and anyone they talked to said, you'd be branded a conspiracy theorist or a believer in sheer science fiction.

Today it's no longer a paranoid fantasy but a reality, yet even those who aren't in denial about it are mostly not choosing to opt out of the surveillance.

There’s nothing democratic about corporations. They’re essentially tyrannical in their internal structure and unaccountable to the public.
yet everyone does not care... 1984 is here
I find it amazing that people even notice. I don’t have an ad blocker on all my browsers, and except for YouTube and interstitial ads that Chrome will soon block, most ads are simply not registered by my brain.
Are you sure? Everyone says that they are “immune” to advertising (or propaganda), and yet here we are where the collective result shows that it works, surprisingly well too. Another theory could be that people just get the causal order wrong:

ad display => subconscious influence, nudge => eventual product purchase, mention etc => recognized ad => spooky feeling

Yes. I know it works. Why would these companies spend so much money if it was not. And in addition they have good metrics to know which campaigns work. But this flies in the face of my personal experience... Aside from YouTube, I can’t remember when was the last time I saw and ad and what it was. Must have been weeks ago.
I find it amazing that so many people find it amazing that other people are different.
> I keyed in my phone number so I could get loyalty points.

Do this: lie. 234-567-8901 works at a lot of US stores. Sometimes you can even use it for gas discounts.

(comment deleted)
Hey Facebook, if you got nothing to hide, show us the code.

We showed you our friends, our relationships, our interests, our intimate and disarmed states, our rants, and probably half of the websites we visited. (in retrospect, that was dumb)

Oh, your tin can and strings might show? Competitors might get ideas? Please.

Until then, not a fan of you, not clicking on your ads, and generally avoiding your site. In fact I think I'll start deconstructing my profile as soon as I can muster the courage to choke back my gag reflex.

Sincerely, A growing group of mugged social network burnouts.

Which code ? Server side code is unreasonable to expect. For client code, you can just use the browser. It may not be as convenient or full featured as the app, but it'll do the job if you absolutely must use FB. The situation is much better with stuff like FB which is not that essential. It's more problematic with Google Maps, where you can't get turn by turn navigation unless you use the app.
> Server side code is unreasonable to expect.

Honest question: why would it be unreasonable for us to expect server-side code to be open-source? Facebook's value lies in its brand and its infrastructure, not in its code, so there's no risk of upstarts taking Facebook's code and standing up a clone (which, even with the code, is way easier said than done).

Because it would highlight all the things they do which users would find unsavory. Rather than e.g. just speculating about what facebook does with our mic, we'd be able to point to where they do it in the code.
Because you have no way of knowing that the server side code you're looking at is the server side code running.
First let's talk about value, because it is relative for different audiences (and my take is obviously not canonical either). For Facebook's users, the value is primarily the network. For Facebook's partners, the value is converting sales from users engaging with advertisements.

Facebook must offer enough to the users that the network is still worth coming back to while still giving advertisers a chance at having their eyes. A major breach could cause user and partner abandonment because of security concerns. Once the genie is out, there is no putting it back in. Their stock will fall faster than they can rewrite the product.

It is unreasonable for us to expect open-source for server-side code because it exposes Facebook (and potentially it's users) to a lot of risk for only a small upside. 1) While open-source software has myriad benefits, those benefits require the public at large to audit their code as it is being continuously changed and deployed. Can we keep ahead of the criminals exploiting freshly merged and deployed commits? 2) Knowing the source code is one half the battle, the other half is knowing what is actually executing at runtime. How would users verify this to get the value of open-source? 3) Open-sourcing server side code of Facebook could have serious negative consequences for users or Facebook in the event of a breach due to intimate knowledge of the system only afforded by being privy to the source code.

Not a point, but a philosophical question: *) Where does this stop being virtuous? Should Microsoft open-source SMB tomorrow? Would you feel comfortable with that?

Edit: grammatical fixes

>Facebook's value lies in its brand and its infrastructure

Isn't code infrastructure?

Agreed. I've only been using facebook through my phone's web browser and (at least for what I do) it's totally fine. Is there something the app gives you? Maybe for folks who use messages or want notifications...?
>Maybe for folks who use messages or want notifications...?

Yeah, at some point they blocked the mobile browser from working with messages. I think you can circumvent it by changing your user agent string to a desktop browser.

Sending a desktop user agent string works. Even easier is using mbasic.facebook.com, which is still available and works with messages.
They are VERY pushy about installing the app which is quite fishy. Now all photos have banners saying "Photos look better in the Facebook app" etc
How is it fishy? Native app delivers a 'better' experience and lets Facebook do the things that make you (supposedly) use it more, like push notifications and location tracking, sharing photos + videos, etc.
I just don't know why it thinks any of this is better.

I also hate the fact to even look at my messages I have to "refresh as desktop site" on iOS

You don't know why anyone would think that a native app can deliver a better feature set than a website?
How does viewing the code give you confidence that the app is running the code you saw?
You can pretty easily compare compiled binaries.
That's assuming you can replicate their build process exactly and that process produces perfectly reproducible builds.
Or you could just run the code you compiled yourself?
Can you? I was under the impression that perfectly reproducible builds were still very much a hard and open problem.

Furthermore, I believe that the Facebook app codebase is massive in scope and highly illegible due to most of it being auto-generated from other codebases. It has over 18,000 classes on iOS. The odds of anybody being able to meaningfully audit that are pretty low.

Why couldn't you decompile the apps to see what it's doing?
Reply All did an episode on this that was really good: https://www.gimletmedia.com/reply-all/109-facebook-spying#ep...

The thing I thought was interesting is just how adamant people are about FB spying via mic.

They also had an update in their year-end episode: https://www.gimletmedia.com/reply-all/113-reply-alls-year-en...

Both worth a listen.

Something to note as you listen is that people convinced they're being spied on are mostly amused by it. They don't sound outraged or frightened at all.
I believe that's the sentiment of most users, unnervingly.
Which is a little surreal. I think I get the same way though. It really freaks me out, but there's not much I can do about it, so I'll laugh it off. I don't use social media (although I'm still on Reddit), and I still feel this way.
You can do one more thing that may be extreme, depending on where you live now. You can move to a country covered by GDPR.

If you're in the US, you can also be a privacy activist, which we need more of.

> just how adamant people are about FB spying via mic

I'm of the opinion that it's easier for your average Jane/Joe to believe (and maybe even preferable to believe) that someone is listening and responding to your words than a computer piecing together a picture of you from unrelated clues via some nebulous "machine learning algorithm".

Anybody can listen to your words and advertise to you based on them. It is, on the other hand, not feasible for a human to look at a stream of unrelated posts and figure out that you're pregnant.

I might have believed that too, except I know about data profiles and ML, I’m a programmer and can think like that too, and yet I’m still convinced by the examples my wife and our friends personally encounter that there’s no better explanation than that FB is spying on us via the mic and using it to target ads to us.
Don't you think it's more likely that they just aren't noticing the ad before it is relevant? I mean, how often do you really notice an ad anyway?

That being said, perhaps the ads are doing their job and planting the idea for that particular product. You then bring it up in conversation or mention it out loud. Then, when you return to facebook later, you see the same ad again and due to it's recent mention, it jumps out at you.

Both seem more plausible.

No. We've definitely mentioned out loud things we've never searched for or even entered into a phone or computer, either before or afterwards, and they've shown up in our ads within hours. It's happening at least once a week now. I'm confident it's not any kind of cognitive bias, and that it's just FB spying on us through our mics.
jjeaff didn't say you searched for or entered it into your devices, but that it might have been the devices themselves that first made you think about those topics.
I call BS. You're just hyper sensitive to it now. There is absolutely no way FB is able to spy on people through their phone mics at this time.
Well, Target was doing just that a few years ago, using patterns they noticed among purchasers.
A lot of it is confirmation bias as well. People will remember when an ad is creepily relevant, but they don't remember the dozens of times they were completely irrelevant. It's like when my friends made me watch Stranger Things, it felt like Stranger Things references suddenly started to appear everywhere on the internet.
Confirmation bias and the Baader Meinhof Effect. I've talked with friends about topics I didn't know about before. Then I got fitting ads about it on my phone. I wouldn't have noticed these ads if they weren't fitting. It seems more creepy because it's new to me (consciously).
I think that's definitely the class of behaviour we're seeing. In general people don't think in terms of second order effects (or anything more abstract). Even if they do understand the concept, they will still prefer to believe something simpler.

Telling people that doing A and B leads to C which leads to D which makes E more likely to happen is just a bunch of gibberish that can't be right because who can you blame?

Humans tend to anthropomorphize - "my printer hates me" etc. It's simpler to think the thing listens than figure facebook included javascript tracking code along with the like button on some independent website that they visited an hour back. Even I have a job figuring what script did what.
My beef was more with google, but my isolated instance of this was pretty damning. I started watching Meet the Press after the election. It airs on Sunday mornings. One day though, it was pre-empted by a golf tournament, I forget which, maybe the British open. I never ever watch golf. I have been golfing maybe once, never search for it, never talk about it, have zero interest in it.

I think I got distracted, or maybe since my show wasn't on, I just decided to go shower, and left it on for a bit. The next week, I start getting notifications about golf on my phone.

There are two possibilities here- Verizon (my cable provider) is making data available on what I watched to google, or google is using my microphone to pick up what I am watching on TV. I don't know which is more likely, but VZ and google having a partnership like that and keeping it secret seems unlikely.

Is it possible that Google would know that you watch Meet the Press (generally)? That coupled with knowledge that it was replaced by the golf tournament (either from TV listings or an influx of people searching "Meet the Press" + "golf" to find out why it isn't on) _might_ explain it without Google/Verizon specifically tracking that individual event.
There isn't strong evidence either way that Facebook is or isn't listening in on the mic. Considering they spy on everything else, and they've exhibited plenty of sociopathic behavior, it's reasonable to assume they listen to audio surreptitiously until proven otherwise.
I'm glad you're not a judge
(comment deleted)
This is the same sort of flawed logic as people who won't take a breath without a peer reviewed study saying air is safe. Personal decisions are not the same as the legal system.
> There isn't strong evidence either way that Facebook is or isn't listening in on the mic.

Is there _any_ evidence that Facebook is spying using the mic? Surely we have to start there, right?

Once again my point is we don't know, and based on past behavior it would be prudent for you to assume they do if for whatever reason you don't want to be listened to. I was responding to the unsupported assertion that Facebook is not listening to you.

If you only use direct evidence to come to conclusions and toss out theories and deductive and inductive reasoning you won't be able to function in this world.

But there's lots of things we don't know. Just because I think Facebook is creepy and advertising-crazy, doesn't mean I can just make up claims. You have to come to the table with at least a little bit more than just not liking FB and superstition.
If someone beats you up every time you interact with them, it would fair to fear for your safety before you knew for sure that they would attack you the next time you saw them. It's not just "not liking" your attacker.
Correct. It’s fair to be weary of them in general.

But it wouldn’t be fair to say that they rape girls in the alley, or throw up your hands and say “look, we don’t have much proof either way!”. It’s a completely baseless accusation that makes it harder to talk about real problems.

Funny how they're adament that Facebook doesn't utilize microphone (while they still don't really know themselves). Why is it laughable that Facebook is using both the FB Pixel, microphone, and other technologies to spy?
I found that episode annnoying because it implies that the red line is microphone tracking.

They buried a lede — the story laid out a case that Facebook doesn’t need your audio. Isn’t that a bigger story?

They explicitly talk about that in the episode though - the reality of Facebook buying all this credit card and shopping history data might actually be creepier than them listening to your mic.
It’s a wonderful podcast. +1 to the recommendation of that episode.
Step 1: don't use Android. Step 2: don't use smartphones at all. Step 3: black-hole FB and others at your router at home.

I personally skip step 2 because I'm addicted to being able to quickly search for things, read blogs. But even so: a) don't login to any websites, b) clear website data often, c) minimize use of apps, d) recall that when you browse the web from an app you're using the same cookie jar and other state as the main browser, and that you're letting the app track you.

I think this is the exact opposite approach to take, it is a cat and mouse game to avoid being tracked, and you will always be the mouse.

If anything, go out of your way to ruin the creepy tracking, analytics and bullshit metrics. Add as much noise as possible to their databases.

Drove by a scion iM in a parking lot one time.. and I said out loud "Scion iM? What the heck is that?" -- ads on IG and FB for Scion iM when I got home 20 minutes later. No search, no associative info, no dealer info... I simply said it.

I've had quite a few of those, and usually I can trace it back to me googling something, etc. But this time, nada.

I'd blame this on confirmation bias - there must be dozens if not hundreds of times you use or mention a product every day that you don't notice ads for, but the rare time you do, it reinforces the belief that they are reacting to what you said.
Well you surely can't deny that SOMEONE is listening? Google or Facebook, do some tests and you will find it's true. Confirmation bias is a possibility but from what I have seen and experienced I just can't believe that is always the case.
I don't have a FB account, but my wife's account absolutely delivers her ads intended for me. I've not been able to isolate exactly how it is doing it, but the dragnet is absolutely wide enough to capture a household.

She's received ads for Civic Type R (she hates cars), Senior Java Developer (she works in a totally unrelated field), cooking tools (I do all the cooking), and tons of other things. It creeps me out.

I’m guessing you and your wife share a home and an IP address, and Facebook is using that to associate “your” ads with your wife’s FB account.

Edit: How Facebook would get your browsing data, even if you’ve disabled things like ads and those FB like buttons (like I assume most HN posters would), is beyond my wild speculation.

If they have positional data they could do a correlation of location speed, along time time of week. If they constantly see you going to the same places on the weekends, that might be a clue, especially if in close proximity. Especially if traveling at the exact same high speed in close proximity (Driving there). GPS, at the high range, can tell location within meters.

And none of this would have to happen while you were talking about cars, or anything else. Just enough times to make the correlation, and with data that could have been collected months to years ago. Google Now did that for my commute from work to home.

I think it is more likely Facebook is using location data to create edges on a shadow social network. We just bleed metadata.

My current suspicion is they think my phone is hers due to IP. She doesn't use FB mobile at all and I use ad-block + NoScript on my computer, but not on my phone.

I've picked two different, random topics (boats & umbrellas) to occasionally search for on my phone and computer respectively. So that should help me figure out what the source is.

It could very well be, but do you know what kind of evidence you would have to see to conclude that FB is listening? Otherwise you're just making a fully general argument against the possibility of this (or any such scheme) happening.

Side anecdote: One weekday after I vacationed in Tahoe, I saw a BART (subway) ad for Tahoe, and I was like, "oh, great , probably because I just came back from ... wait, that's not possible!"

but do you know what kind of evidence you would have to see to conclude that FB is listening?

Any one of:

* OS-level confirmation (permission entitlements, cpu usage, etc)

* Packets resembling sound data being caught in flight.

* An internal leak of the method they'd be using to do so from one of three of the largest tech employers. Not even Apple can keep their secrets secret, and they're probably the most paranoid tech company in existence.

You know, literally anything concrete, rather than evidence-free accusations based on fallible memory.

So far, not one bit of these instances can't be explained by a combination of Baader-Meinhof and confirmation bias, with a mix of plenty of non-audio data that Facebook no doubt has. People are so willing to paint FB as this boogeyman that they're disregarding basic logic.

So do I understand you correctly that you’re categorically excluding any kind of experimental evidence, no matter how well controlled or rigorous? That, so long as there is no breach of the source of the technique, you can’t be convinced?

I understand that any one person’s anecdotes are weak evidence, but your comments are going much further and claiming that such tests can never be evidence, even though much scientific knowledge is similarly obtained.

Experimental evidence is fine, given an actual experimental protocol. So far, all we have are weak anecdotes that don't come close to proving the assertion.
>* Packets resembling sound data being caught in flight.

Not even necessary. You could do keyword recognition on the device itself, pushing a list of keyword<->waveform maps, and sending an indicator when they're recognized.

Why don’t you run an experiment, say something totally random that you know you’ve never searched and is out of the range of normal interests you have and see what happens. I have done that on more than one occasion and it confirms we are being recorded. It’s not just Facebook.
I did that experiment this morning -- before work at home and on the way to work, my wife and I were discussing getting a new car, and spoke about a particular car brand that a coworker just purchased.

I just asked her to check her Facebook and she doesn't see any car ads. I checked too but didn't see any ads for cars or that brand, but I don't have the Facebook app on my phone (she does) and our Facebook profiles aren't strongly linked (i.e. she's not listed as my "wife", we just friend each other). She uses her phone for navigation while driving, so it was in a position to clearly hear us.

I haven't done any research on that car brand, but I suspect that once I do a Google search, then the ads will start flooding in.

So maybe this is confirmation bias in the other direction, but I don't see any evidence that Amazon Alexa, Facebook, or Google Assistant are spying on us. Though it could just mean that this particular carmaker doesn't purchase ads based on keyword spying

For experiments like this, use items that have high CPM. Gold, silver, niche personals and preserved food are great canaries.

Try doing different things. I don’t think name brand vendors do pervasive audio surveillance. I do think they broaden the scope of your intents. Use GBoard dictation or similar tools to write. Write stuff down in different contexts. Use apps in different ways.

Amazon and Facebook share in near real time. Anything you do in a consumer Amazon property is feeding context to FB.

Sorry, I didn't mean to imply that I wanted to do this test, I just happened to do it by accident this morning -- using a very similar term as the writer of the parent post, he said he mentioned Scion, I mentioned another major car brand that starts with S.
But you aren't being recorded or listened to. Countless security researchers have dug into this problem and can tell from the traffic that there is audio being recorded. Furthermore, if facebook is accessing the microphone without permissions, it would be through an unknown security vulnerability and would be against the terms of service with both android and ios.

You are just not noticing these ads until it is something you have called out. You would never have given a second thought to this totally random item otherwise.

I have tried the same test as you multiple times just for kicks and have never found it to be confirmed.

Did you consider the possibility that they were running ads for a car that most people hadn't heard of yet (i.e. it was newly released)?
They say in the article they track your location. I think it's more likely the ad happened from that.
Ghostery found 39 trackers on that article. The irony is strong today.
Doesn't Ghostery sell data to advertisers too?
Privacy Badger is a good alternative.
I use uBlock on safari but that's it. Can you recommend an alternative to Privacy Badger (or a trustworthy implementation[0]) that works on Safari? HTTPS everywhere and PB are not supported.

[0] Some company called softtonic has a "Privacy Badger" branded extension but I am skeptical about downloading from an unofficial source.

uMatrix is uBlock for all the things. Or, enable advanced / expert mode in uBlock and use the "traffic light" system to configure blocks to specific domains as encountered.
I think that one should consider the possibility of FB group indirectly accessing this data.

They don't have to collect information only directly from their FB/Instagram/WhatsApp apps: what they can do is buy information from other companies that publish thousands of "free" apps on appstores.

You have to wonder how so many of these free apps seem to sustain themselves since GDN advertising does not seem to be profitable enough.

FB group should be obligated to disclose whether they are buying information from these kinds of third parties.

More importantly they should disclose whether the price they pay is illogical, effectively making them silent partners in an indirect scheme to access your camera/mic information, while at the same time maintaining the allegation that "we do not access your mic through our apps".

They buy the info from massive data brokers, who buy data from other large and small data brokers, who buy the data from app makers, services, etc. User123@gmail.com expressed interest in buying kitty litter isn't exactly sensitive information so there's probably not much in the way of auditable logs maintained, probably impossible to determine the original provenance of the data in many cases.
I find it hard to take this article without a truckload of salt, given the Wall Street Journal is owned by News Corp.

Murdoch has money to make by gaining leverage over FB.

I haven’t had a Facebook account in almost 4 years and I block their traffic on my router, so I have no love for them. But I seriously doubt this story’s motives.

FWIW (admitedly not very much, anecdotally from another rando HNer) The newsroom side of the Journal is among the vanguard of quality journalism and has largely remainined that way post-Murdoch. The editorial pages on the other hand are extremely opinionated and seemingly in a completely different reality than the newsroom.
I think people really underestimate the power of ad retargeting and advertising analytics. Take in some location information and cross-reference it with friends lists and their product searches and you can explain 90% of these occurrences without voice data.
(comment deleted)