And this is an important distinction, especially for investors. Selling data is a one-time occurrence, and requires a lot of effort to maintain revenue. Selling access however uses a subscription model, and guarantees future revenue with a lot less effort. It's the same with software sales vs software subscription models (whether through cloud platforms or support contracts).
That distinction should not matter to lawmakers though.
Nonsense. Changing the means of transfer or payment model doesn't mean changing the product. This is like arguing that Dominos doesn't have to obey health rules because they're not a restaurant, they're a food delivery.
You don't get to decide which parts of your product the law applies to, and which don't. You can't bypass all firearms laws by selling holsters that just so happen to have guns in them as a free bonus. If Facebook tries this in court, the conversation will go something like this:
Court: Do you sell data?
Zuck: No, we sell access to data
Court: so if you took out the data, and gave only access to your systems, completely blank and with nothing on them, people would still want to pay just as much?
Zuck: No, our customers want the data
Court: Then you are selling data. Case closed. Go directly to jail, do not pass go, do not collect 200 email addresses.
This is not necessarily true. Depending on the deal you make with address brokers you more often than not hire specific addresses for one time use. You are not allowed to reuse them for multiple mailings without paying additional fees.
In order to enforce this address brokers seed the data with control addresses.
Carefully curated address lists (say, something like C level managers with an income > 500K $, for example) are expensive, even for one time use.
If an address broker outright sells addresses those are usually of very low quality.
They weren’t selling data. It was a series of API integrations for popular sites that ended years ago. Users had to sign in to those services. I have way less trust for our tech illiterate congress than I do for Facebook.
It was unclear to users what they consented to when they signed in. Because Facebook doesn't give a damn about proper consent. The fact that Facebook botched it up is not less problematic than Facebook selling data because the outcome for users is more or less the same.
Turns out "move fast and break things" is a shitty policy when it comes to privacy concerns.
Yes, but that doesn't mean that they consent to Facebook using that data. Whatsapp for example asks "read SMS" permission to verify your phone number. It also requires access to your contact list or else everyone's name will be shown as a phone number.
The average user seems to assume that the information is used to provide the service and nothing more. The last person I asked if they were worried about how much information FB has about them replied something among the lines of "Yes, but it's only things that I deliberately chose to share." (paraphrased)
I think this might be part of the problem. The idea of handing over your private messages to some random company is so absurd that the average person probably assumes that it couldn’t possibly be what they’re asking for. You’ll have to make the permission prompt really explicit to overcome that.
>The fact that Facebook botched it up is not less problematic than Facebook selling data because the outcome for users is more or less the same.
Users signed in to services they already had accounts with, and therefore trusted, knowing they were enabling features they wanted to use with their data. These services were hand selected big name companies. This is a far cry from selling data to the highest bidder for profit.
When I use a Google or Facebook account to sign into other services I do not expect private messages to be exposed. My likes, pages I follow and other relevant stuff would be expected. I do not expect a company to share my information to a 3rd party just because one of my friend consented.[1]
Congress needs to lay the hammer down and come up with privacy rights akin to GDRP.
It wasn't about signing up to the accounts using FB though (as far as I understand it). These were services that acted as clients for the private messaging so they could send media directly to your friends via FB messages. I could see the granularity being too low (maybe they should have only had access to messages created in that 3rd party service), but I don't think it was necessarily nefarious that they had blanket access to all private messages, that was just the most straight forward way to implement it during a time period when people were way more excited about open APIs then they were about strict privacy.
I was just using the sign in via FB or Google as an example of times where user might not know what they are consenting to. I wouldn’t assume this gives the 3rd party access to my emails.
This is exactly where we need congress to step in and regulate personal data.
I’ve built rest APIs at work and I almost always restrict this type of behavior. Why weren’t they only given access to create PMs and update PMs they create? No requests to pull all the PMs of a certain user.
You may well have been asked for explicit consent to message access. The New York Times is specifically vague about this. They could tell us what kind of access was asked for, but they do not even mention that any kind of access was asked for. Why?
According to the Verge Apple had acces to data even if the user explicitly disabled data sharing.
>Giving Apple access to users’ Facebook contacts and calendar entries, even if they had disabled data sharing, as part of a partnership that still exists.
> According to the Verge Apple had acces to data even if the user explicitly disabled data sharing.
First, the Verge article (https://www.theverge.com/2018/12/18/18147616/facebook-user-d...) did not do any original reporting, they are referencing the New York Times. This is another thing - people think stories have more weight and truth than they do because you've got a 100 publications writing about some other publications article.
The New York Times article makes this claim, but does not explain what "explicitly disabling data sharing" means.
Are they saying that I sign in to Spotify, I am asked to give access, I say no, but Spotify still gets the data? That would indeed be bad. It is unlikely this has happened. If this did happen, it would be worth a couple of words of explanation more, no?
Best guess, they are saying, although my friend disabled all the options in this dialog, I was still able to grant third parties access to my contact list and my messages, which included my friends data - that makes sense to me: I can't use a chat app if half the messages you sent me are missing.
In any case, we have to guess what really happened, because the New York Times can't be bothered to tell us.
Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.
Spotify pushed "log in with Facebook" and as far as I know, for a while it was the only way to use Spotify, and I would have expected Facebook to word the above stronger if they had additional steps to give access to messages. Do you know additional details? (really wish both sides here would present detailed flows)
Good for asking for more details, it seems like most people have already made up their minds without asking for any details, just fill in the blanks to fit the narrative.
>These were services that acted as clients for the private messaging so they could send media directly to your friends via FB messages.
So why wasn't the access write-only? If the only purpose for 3rd party access to messages was to send messages, there is no reason they should have been able to read any messages. Seems like a pretty trivial, obvious function - I certainly have keys for send-only access to email accounts to let web apps send things on my behalf with minimal possible privacy exposure.
More importantly, a message you send to me belongs to me as well. If I want to use a third party messaging client which runs on the server of company X, then I am free to do so.
"I have way less trust for our tech illiterate congress than I do for Facebook."
That is a perfectly fine position for you to take. But if you consider that a majority of the citizenry also does not understand the ramifications of "API integrations", doesn't it seem like the Congress is reasonably representative of the population? And that in that case, recent revelations might lead them to being fed up?
They can't possibly have that clause though. RBC, for example, had read & write access to users' private messages supposedly for the purpose of facilitating customer support messaging and electronic cash transfers among friends. RBC would require permission to save data from Facebook's system to their own in order to keep accurate banking records. RBC's attorneys never would have agreed to the contract without the ability to save data from Facebook's system.
The degree of grand standing over this issue leads me to wonder who among the donor base is pushing for such action. Obviously many would welcome something similar to "GDPR", and the question is always how such regulation can be levied in favor of incumbents.
Our new digital footprints are much more detailed, but I've yet to understand how they're fundamentally different from what media companies have been selling for most of the last century.
I don't preclude the possibility that they might be, I've just not understood it yet.
> Our new digital footprints are much more detailed, but I've yet to understand how they're fundamentally different from what media companies have been selling for most of the last century.
Thirty years ago a media company could say you subscribe to these two magazines, this newspaper, and you're a 35 year old male. That means you probably watch these five TV shows and you're likely to be interested in X, Y, and Z. They could also say to advertisers, if you're looking for a 35 year old male who's interested in X, Y, and Z the most effective way to market to them is probably advertising on this radio station or during this T.V. show. They tranched and profiled viewers as groups and sub-groups. Today, they don't have to profile or make generalizations about trends among groups of people. They have all of the information, for each and every one of us as individuals, at their fingertips.
Thirty years ago they sold access to "35 year old males who like football." Today they sell access to you.
Except that you could upload a list of e-mail addresses or phone numbers, or even an e-mail address or phone number list of one, and target that one person.
Facebook, and almost all the other platforms which allow this type of targeting, make it impossible to do this now by setting a minimum matched audience size. This means that even if you upload a list of 9,999 fake email addresses and 1 real email address it will not allow you to run ads against that audience explicitly in order to make it impossible to do this.
You certainly were able to at one point.
http://ghostinfluence.com/the-ultimate-retaliation-pranking-...
I feel like I read about FB making some symbolic gesture to close this particular method (it seemed easily worked around) but my searching is coming up blank.
I'm the first person to hate on Facebook, but for once I think this is hugely overblown. They didn't sell peoples data, that made it possible to voluntarily connect accounts.
It's the equivalent of complaining that hotmail sold your private email data to Thunderbird when you used Thunderbird as your desktop email client. No. They didn't, you gave them access to it because that is what connecting the accounts does.
If should be fairly clear to anyone that if you connect accounts you are exposing data between the accounts. The debate about the granularity of permissions is neither here nor there, everyone should have a clear expectation that connecting accounts = sharing lots of data. Unless it is explicitly stated what is excluded the assumption should be that everything is shared.
> everyone should have a clear expectation that connecting accounts = sharing lots of data.
That's amoral bullshit and we must demand better. It should be expected that that connecting accounts means sharing little more than the subset of data required for the integration. Companies that violation this expectation must face consequences.
GDPR takes a step in this direction, prohibiting retention of PII for longer than necessary for business purposes.
im going to take this a step further and say connecting accounts means sharing _no more_ data than is required for the integration.
I don't understand why netflix gets to see all your DM's when all you want the connection to do is send a message to a person you choose. The connection doesn't need to give netflix literally any data besides maybe the fact that a message was sent. why do they need to know who it was too, and any other messages surrounding it?
Because the recipient could see the message and respond to the message inside the Netflix UI.
I am about to change my mind on the GDPR. If Spotify and Netflix are legally obligated to not store any data they do not need, then Facebook can actually make an additional argument that it is ok to give them wider access; after all, the law will ensure they have to handle it properly.
> If Spotify and Netflix are legally obligated to not store any data they do not need, then Facebook can actually make an additional argument that it is ok to give them wider access; after all, the law will ensure they have to handle it properly.
That seems like a huge perverse incentive. Companies will start constructing systems so that more data is "required" so they can legally collect and share more of it. Then convincing them to collect less would require not just convincing them not to collect the data but convincing them to undergo the expense of redesigning all their systems to not "require" it anymore.
You make a lot of claims without providing reasoning.
> That's amoral bullshit and we must demand better.
Why is this amoral bullshit? It seems like a lot of the outrage around this topic is born out of a 'feeling' that you have an instrinsic right to online privacy. But, I don't see this right clearly defined in the constitution, so where does it come from? Are you sure it exists?
> It should be expected that that connecting accounts means sharing little more than the subset of data required for the integration.
I think it's unrealistic to expect FB to expend resources to determine what subset of data is 'required' for every app in its ecosystem. When inspecting the utility/privacy frontier, the current model of requiring users to grant permission to an app makes the most sense to me. The problem in this case is that the permissions modal may not have been clear enough.
With a name like "smallgovt" I would expect you to be pro-privacy in the real world as well as online. Most people on this forum would likely agree that privacy is a right (just because it's not defined in the constitution doesn't mean we don't have that right. Did people not have the right to life, liberty, and the pursuit of happiness before the constitution?). Also, it is entirely realistic to expect Facebook to at least do a cursory look-over of the types of data app developers are requesting while running on their platform. No reason every app needs access to every piece of data on its users.
I agree that we have a right to privacy, but to what extent?
When it's not defined by law, it's up for debate. And, my main point is that in such a scenario, I don't think calls for moral condemnation are in order.
Laws generally follow the calls for moral condemnation or the relaxation of those calls. And those calls are part of the debate on what should or shouldn't be law. Asking for moral judgment to be removed from discussions because those things are legal, is putting the cart before the horse.
I see your point. I'm not calling for the removal of moral judgement from the conversation. I'm calling for the removal of moral condemnation. That is, we can have a discussion about what is right and wrong based on your value system, but condemning someone is a destructive act which is harmful and unnecessary.
There's a popular idea that it is bad to judge others. I disagree. I think we will judge others whether we like to admit it or not and also that many of the people I have met who claim not to judge anyone have also happened to have been some of the most hypocritical people I have ever met. I think the important thing is to judge yourself and your own judgements on other people, at least as harshly as you find yourself judging others. Put your own opinions of other people up to the coldest possible light. Judge more, not less.
I disagree with that popular notion also. We're entitled to our opinions and it's natural to judge others, but I think it crosses the line when that judgement turns into action, and that action is net harmful.
In outrage scandals like this, we're so quick to condemn the actor and demand punishment. I think the more constructive action is to condemn the action (not the actor) and demand regulation (not punishment). Condemning the actor may quench our thirst for justice, but I think it's often net harmful.
I get that calling for punishment is a good disincentive for future immoral, unregulated activity, but the punishment has to fit the bill. FB lost, what, $30B of value over this 'scandal'. Is that not a big enough fine?
FB lost, what, $30B of value over this 'scandal'. Is that not a big enough fine?
Isn't that like when a rich/famous person evades punishment for a crime that the average person would get a long jail sentence for, because from loss of income etc they'd already got 'a big enough fine'? i.e. effectively only the non-rich are punished for crimes.
Well, I think you have bias on this 'scandal', or should I say scandal. It is a scandal and also to claim loss of market value from the scandal is equivalent to some sort of fine or other legal punishment is beyond ridiculous (and kind of shows your hand a little).
> Did people not have the right to life, liberty, and the pursuit of happiness
These rights have routinely been taken from people with or without their consent throughout history.
EDIT: What I mean to say is having it spelled out can only help, and if we cannot make an argument based on existing legal constructs we might need to spell it out.
> When inspecting the utility/privacy frontier, the current model of requiring users to grant permission to an app makes the most sense to me. The problem in this case is that the permissions modal may not have been clear enough.
Requiring permissions is a good step, but an auditable history would be a huge gain for users world-wide.
In other words, I would like to make an api call or visit a facebook page and see what data was requested by and sent to every third party with which I have shared data. I could then use that data to see if I'm comfortable sharing that information. Automation could also be undertaken by facebook to weed out obviously malicious actors.
So everything has to be on constitution or American companies who don't have any ethics by the way, will abuse as much as possible for profit. Actually that's the message we are getting from silicon valley for some years.
> But, I don't see this right clearly defined in the constitution, so where does it come from? Are you sure it exists?
It comes from morality. Some people think it's immoral to defraud people, whether that is money or their private information.
Some people don't want to live in immoral societies and want the government to enforce some level of moral behaviour amongst it's subjects.
> I think it's unrealistic to expect FB to expend resources to determine what subset of data is 'required' for every app in its ecosystem.
How? They have billions in profits and are in the process of hiring thousands of people to help get their news curation/reporting systems upto scratch. Why can't they setup a process where people have to justify to facebook what they would use the data for?
I could easily argue it would have been in their financial interest as it's quite possible we wouldn't be here talking about facebook if they had taken this approach.
But no, im supposed to believe it's unrealistic to have such simple process.
If I connect my Facebook account to a music service like Spotify I would NOT expect them the make my private messages available to that service.
It's absolutely nothing like your Thunderbird analogy because Thunderbird exists to present you email but Spotify has absolutely nothing to do with messaging.
Facebook should have given Spotify the bare minimum they needed to make me an account and play me music. Anything else is gross incompetence at best.
> Facebook should have given Spotify the bare minimum they needed to make me an account and play me music. Anything else is gross incompetence at best.
And how did you think they were monetizing in the first place? When I read all the outrage here, it’s almost like I’m reading comments from an alternate universe where nobody knew Facebook’s business model. On top of that, I find it even more amusing that lawmakers are up in arms over this, when they were the ones who passed the Patriot Act in the first place, destroying the Bill of Rights and desecrating the Constitution.
I would expect them to monetise through advertising and increasing engagement on the site by using linked services to make the whole site experience richer, thus leading to more ad views.
I might also expect Facebook to ask the services for some money to get their faces seen on the platform.
Spotify wanted to provide a Facebook messaging function within the app. That's all the access was for. It isn't as if Spotify employees were rifling through, or even data mining, your messages
> If should be fairly clear to anyone that if you connect accounts you are exposing data between the accounts.
This is an argument you have to make, but you're just asserting it. If I get pulled over for speeding, I have to show my driver's license, which I also used to open my bank account, which I use to pay my phone bill, which I use to call my mother on her phone, which she pays for out of her bank account, which she used her driver's license to open, which she had to show to get past the security desk at a building downtown to go to a job interview with a business that rents a space there.
Are you saying that I should expect that interviewer to have access to my driving record? If not, to what degree should it be "fairly clear" to me that there is information shared, and why?
OK, now pretend that I used facebook login to periodically read articles about selling fishing gear, at the website for a membership trade organization for fishing gear merchants that I belong to. I set it up (with two clicks) because I was sick of typing my membership number in on the rare occasion I visit the site. It's like 12 digits, and it's like not I keep my membership card in my wallet; I only need it for conventions...
In some states driving records are public info. Also you are conflating government records with corporate info. We have different laws regulating both. By in large corporate data privacy outside of fair credit reporting law is non existent. And where the law has teeth nothing has happened (e.g Experian)... really the issue for Facebook is the political foreign influence on elections. Politicians really don’t like it when they have no control over their electorate.
It's not even remotely the same. Thunderbird is a client application that
1) Runs on my own machine, not on somebody else's servers.
2) Is FLOSS so it's actually possible to verify what it's doing.
I think there's a fair debate to be had about what data should be shared when users volunteer to "connect" accounts, but this Thunderbird analogy is horrendously off base.
>"It's the equivalent of complaining that hotmail sold your private email data to Thunderbird when you used Thunderbird as your desktop email client."
No that's not at all equivalent. If Hotmail were my only email provider, me and hotmail are the only ones who have access to my inbox regardless of what email client or clients I choose to use. That's not "connecting accounts." Thunderbird is not a company. What an absurd statement to make.
>"If should be fairly clear to anyone that if you connect accounts you are exposing data between the accounts."
Except that we don't actually know if FB only gave access to people who had accounts with both FB and the specific third party. Nor do we know who the third parties exposed that data to. FB has very problematic relationship with truth and transparency in general. Nothing should be "fairly clear to anyone" about FB.
>"The debate about the granularity of permissions is neither here nor there ..."
Saying something is "neither here nor there" is a meaningless platitude.
You're not wrong, however the question is, what ethical role does Facebook have to inform their users about how their data is used/transferred, or to educate users on what they are agreeing to?
I don't think there is a "right" answer here that solves all of the problems.
For example, should FB be required to explain to my technically illiterate Aunt how images and text are used to train feature classifiers, which inform the social graph?
When I deleted my unused Facebook account a while back I found that there were a dozen apps linked to my account (incl. Netflix and Spotify), even though I had never giving permission for a single one.
FB is sneaky and does not have the culture of valuing users' privacy. It is going to catch up with them eventually.
> everyone should have a clear expectation that connecting accounts = sharing lots of data
I think this is a common belief in Silicon Valley. It is not elsewhere. This, in a crux, is why decision-making power is being—and needs to be—removed from the former.
I agree that few are behaving in a downright evil manner. (At least according to their own compasses.) But there has been moral drift around when permission needs to be asked, how it needs to be asked, and the degree to which business leaders have a duty to safeguarding their customers’ interests. The same thing happened in the trust-busting era; it’s interesting to see it happen again.
Google isn't getting a freepass, but they are sending their CEO up to testify, and he is apparently doing so truthfully.
In contrast, FB is often sending proxies instead of the CEO, and when the CEO did appear, he was apparently not candid.
Not sure if this rises to the standard of felony lying to congress, but if so, I'd not be sad to see Zuckerberg do time for that, considering the scale of damage he's foisted on our society.
Say I am running a social network. I want to allow my users to give access to their own damn data to third parties. I want them to be able to use third party chat UIs.
Now, how do I do it in a non-evil way? I am presuming here that everyone agrees that should be possible to make that work.
Apparently Facebook did it the wrong way. Why?
If the argument is "Users who agreed to this integration did not know what they were doing because the permission dialog was not clear enough", then I have a couple questions:
- What was the permission dialog like, really? Does anyone have a source for this?
- Why does the New York Times not go into this? I mean, if that is the issue, it seems kind of important?
- Reading the latest Times piece, does anyone feel comfortable arguing that the reader will understand what is apparently the issue - the permission dialog was not clear enough? Or is it more likely that the reader is left with the vague notion that Facebook just dumped all user's private messages over to a bunch of other companies?
To clear it up, we could just refer to the Facebook blog post where they tell the truth, the whole truth, and nothing but the truth on this matter. Is there such a thing?
The Facebook newsroom posts on this matter go into much more detail than the Times reporting. That said, I don't expect Facebook to tell me the inconvenient truth. But I am paying the New York Times so that they improve my understanding of the situation, not make me feel like I can learn more from Facebook PR.
But being a subscription service doesn’t incentive the NYT to improve your understanding of the situation...the only thing it incentivizes them to do is to keep you from unsubscribing which is easier to do by creating outrage than by staying with the truth.
I see what you did: You used a 10 year old meme. Great insight dude.
Next you're going to tell me that just because FB sells access to your data at $10 per account/yr, that this somehow doesn't mean that "you are the product".
These are the right questions. It is disappointing that our top journalists sometimes prefer to fit a story into an existing narrative but narratives capture the public's attention so the incentives get a little weird.
Anyway I do sometimes think that it might be good to have an actual screen recording of everything I do online, just so that I could look back and see what a permission dialog looked like for instance.
Perhaps not "recording",but I can see a real case for an extension that:
1) automatically grabbed a screen text (so it snags the text hidden inside a scrollable container, for example) capture (with notification) when you had a page with a button or link with the text "Agree" or "Understand" or "Accept" in it. Capture would be "tagged" with referrer url, current url, and timestamp. Possibly a screenshot of the rendered page as well.
2) Allowed you to manually trigger such a capture.
I'd think that would involve reasonable space, and even if I wasn't trying to gather legal evidence, it'd be interesting to see the results after, say, only a month.
It is disappointing that our top journalists sometimes prefer to fit a story into an existing narrative but narratives capture the public's attention so the incentives get a little weird.
1) It's not "sometimes." It happens many, many times a day. It's basically become the way they do things.
2) "narratives capture the public's attention so the incentives get a little weird" -- So the news is no longer about finding and transmitting the truth. It's about selling narratives? And the more the legacy news industry progresses on its inevitable collapse, the worse it's going to get? Nice.
1) We can debate the frequency of this all we want (though I don't think it's useful). In my opinion the top (note this is an important qualifier) journalists are not lazy on purpose and in general are trying to deliver accurate information. You may disagree and that's fine. Also technology reporting is particularly difficult when you yourself are not a technologist, but that's a separate issue.
2) I'm not sure what point you are trying to make here. I didn't say that news isn't about finding the truth. But when describing complex systems and situations there is always going to be judgement applied in the distillation process. So for instance, you could say "Facebook provided private message data to some application partners" or you could say "Facebook's users inadvertently agreed to share private message data with application partners." Both are true.
The only permission dialogue I have seen was the spotify one from a few years back on Stack Overflow.
I have also seen Facebook exec emails about obfuscating permission dialogues in order to get more permissions, though. It seems to have been pretty accepted practice.
> Now, how do I do it in a non-evil way? I am presuming here that everyone agrees that should be possible to make that work [...] Apparently Facebook did it the wrong way. Why?
>does anyone feel comfortable arguing that the reader will understand what is apparently the issue - the permission dialog was not clear enough?
There were leaked emails in which FB was discussing how to ACTIVELY ensure the updates for their app specifically obfuscated the fact that they were preventing the users from understanding what they were agreeing to, as it was bad PR, and Zuck authorizing with "yup do it"
You know, I didn't read the memo but if it's by an expert at how to finagle consent from people without them realizing what you're doing, I'm having a real hard time holding zuck accountable for what "yup do it" authorizes (if this makes any sense.) -- I mean that the person could have finagled the "yup do it" without Zuck realizing the extent of what he just authorized.
Note I'm just basing this on what you just wrote - if it was a really clear memo titled "How to trick users into 'consenting' to 'let' us sell their contact lists, messages, and all other data without actually making them realize they've done this" then I take it back.
I'm not on Zuck's side, and I'm not explicitly saying you're wrong, but this feels like a mix up of the response from Zuckerberg to blocking the Twitter API.
If you have a source for him saying "Yup do it" to an attempt at confusing their users on an agreement... that would be a big news story.
I'm looking for the actual emails - basically the discussion was about how to get a feature passively opted into by the user without letting the user know they were allowing that specific permission - and they discussed how to achieve this and then zuck approved the action.
I think you're perhaps mixing two bad decisions into one. One is the decision relating to Android "read call log" permissions – this involves Michael LeBeau and Yul Kwon. The other is Justin Osofsky asking Mark Zuckerberg about shutting off Vine's Friends API access – for this, Zuckerberg personally gave the go-ahead. "Yup, go for it."
Do you honestly think that Facebook was trying to allow users to make the decision in an informed way? I suspect most people instead think Facebook was trying to get some way of SAYING that the users agreed while maximizing the odds that the users would be surprised to discover the implications.
That'd be my answer as to "why". I could be wrong, but I can't think of an occurrence where FB seemed to be acting in their (non-advertising, non-paying) users' interests. Yet FB will claim otherwise.
And that disconnect is what people are finding "wrong".
Just Devil's Advocate here, but you're essentially saying that people affirmatively agreed to something that they didn't understand in a contract of adhesion.
I mean, that's kind of a tough thing to hang our hats on if the idea is to take Facebook down. From congress the best you could hope for there is for companies to be required to use "more clear" language when writing up consumer agreements in the future. Which would be a nightmare requirement in and of itself, so it would likely never happen.
> that's kind of a tough thing to hang our hats on if the idea is to take Facebook down
I'm not taking a position on "taking Facebook down" - I'm arguing that legal isn't the same as moral/ethical, and it's entirely correct to label an activity as "wrong" and to be upset by it without that activity being illegal (In fact, I'd argue there's great value in having such legal-but-not-moral areas as long as they aren't too vast). I'm not well-versed enough in the legalities to SAY if the behavior is legal, but I feel well qualified to say when something feels deceptive and wrong.
Outside of the general issue of legal vs moral: While I agree with you about the legal requirements of agreements, I'm also okay with saying there is such thing as bad faith in entering an agreement, and a reasonableness standard about what people are actually agreeing to seems legit - the alternative grants all the power to people who can afford the time and lawyers for every agreement. Whether such standards would have any impact on this situation is way beyond my knowledge level to be certain (i.e. I'm not saying that's the solution to this particular problem, it's just a related thought)
If someone is always late to everything, and then one day they really do have a flat tire and are late for good reason, and you doubt them when they say they have a flat, and that person asks "What am I supposed to do to make you believe me when I have a good reason?" The answer, though it may seem unfair in this particular instance, is to not always be late to everything else.
If you have a pattern of abuse even legitimate behavior may appear as abuse. The solution is to not engage in a pattern of abuse.
It's good that you say that and that so many people are upvoting you. It means that any kind of debate around this is not possible because most people here are just out there to badmouth Facebook as much as they can. I like it when people are honest.
While this happens, is it a good thing? Or should try to avoid logical fallacies?
If you want an accurate understanding of what's going on in the world, then you should probably believe that people who are habitually late do sometimes also get flat tires. If they say they had a flat, the logical conclusion isn't blind trust or being sure they're lying, but mild skepticism.
GP's scenario poses that the late person asks in exasperation what they need to do to be believed -- there's no logical fallacy in telling them why perceptions are stacked against them. Or in your framing, why it's skepticism instead of presumptive trust.
Yes, the goal should be for both parties to reach a correct understanding: not at fault this time, but often is.
Facebook, to some, appears to be only loudly arguing about the specific injustices they feel, without giving up much ground on their habitual mistakes.
I can empathize with FB leadership, not condone of course. 5 years in SF consumer ad tech turned me into a shell of a person who was coming to accept that reality is created by certain peoples’ wills, so the only lie was deviating from the company message. “Air tight” stories and containment seemed like the M.O. and with 5 figure severance packages and more, I have a hard time seeing many people being the first to be vocal. Everyone wants that money, and most will lie hard for it. Not saying I went full shill, but memories of that time are interesting to reflect on. Surreal, disidentified. I think my soul is growing back, thankfully.
People aren't rational. If you want to deal with human behavior, you don't start by faulting them for their irrationality, you start by acknowledging that it's part of the package.
But it's perfectly rational to distrust someone who isn't trustworthy.
The only irrational part is when there's a disproportionate response, and that comes with part of the social contract - outside of existential threat, repetition and duration require an escalation of response until a behavioral correction is observed. It's a feedback system and feedback is also rational (only the form of the feedback might be questionable).
If they’re late 10% of the time and the odds of a flat tire are 1 in 1000 (based on my driving experience I’d say that’s a high estimate, too) then you should start by assigning a probability of around 1% to the flat tire hypothesis. Then modify that based on how honest they typically are.
Trust is earned and spent. If you regularly make commitments to be somewhere at some specific time and fail to meet that commitment you loose people's trust.
You can't do much over the behavior of people's whose trust you've lost, so if they don't believe your flat tire story, too bad for you.
How is systematically not meeting your time commitment not straigth up lying?
My question here is to the precise nature of Facebook's wrong doing in this instance, and why we don't expect the New York Times to provide specifics.
I am don't think any alleged previous wrongdoing answers those questions, unless you are saying there is no specific evidence of any wrong doing in the latest revelations, but we should assume there to be anyway.
i think we can use a dose of common sense to understand that what FB did was ... let's say not in the interest of users. so really, the problem is not that fb is being unfairly taken to task. the problem here is the NYT reporting isn't a deep investigative enough piece for your taste. it's more of a drive-by "oh boy, what did FB do now" click attractor.
> Facebook also regarded these partners as extensions of itself because they committed to abide by its privacy guidelines, according to the Times report, and therefore the company felt it did not need users' permission before sharing their data.
So what is being claimed here, then? That user did not see a permission dialog? That the permission dialog did not mention the full details? Is it too much to ask from our journalists that they go into this level of detail?
Say I am running a social network. I want to allow my users to give access to their own damn data to third parties. I want them to be able to use third party chat UIs.
This is precisely why I keep pounding on the idea that "Trusted Execution" technologies need to be turned around 180 degrees. It's intimately tied tot he idea of privacy. It's horrible when governments and big companies have "privacy" but use their power to strip individuals of it. Likewise, it's a public good for individuals to have privacy, and for governments and big companies to be transparent. Likewise, it's horrible when big companies turn "Trusted Execution" against individuals -- this is DRM. However, it would be a tremendous good if the voting public got some laws passed requiring big companies to subject themselves to Trusted Execution technologies when handling customer data.
Doing this would give individuals the keys to control their own personal information.
This is also an area that is of great interest to me. I've been saying for the last couple years that the only way out of this mess is for "Can't be evil" to replace "Don't be evil".
> I am presuming here that everyone agrees that should be possible to make that work
But not on precisely how. I think what we’ve identified, nationally, is a need to legislate standards around digital privacy and information monopolies. Your confusion is reasonable. We, as a nation, never had these conversations. Democracy is, at the end of the day, a reactive system.
By stating the result of data sharing directly. e.g. if they are sharing the data with a bank, then state clearly that the bank can deny you loan based on what you're doing on that social media. They know this, but will not say. Silicon valley tends to hide or obfuscate as much as possible without being illegal.
An easy way to solve this is to have a permanent data explorer that shows you your own FB data, but through the lens of each entity you've shared it with, and a one click opt out.
Maybe a list of entities, and when you click on one, you see what they would see.
If you care, you opt out. If you don't, you do not opt out. Either way, it makes it hard to plead ignorance or vagueness of permission dialog text.
> What was the permission dialog like, really? Does anyone have a source for this?
There have been studies on Facebook's permission dialog and its lack of usability, and it's hard to escape the conclusion that it was deliberately designed to make it hard for users to understand. It has been improved several times over the years.
For example http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.183.... (from 2010) which discusses how permissions dialogs are not designed in a way that allows users to easily understand permissions (using Facebook as one example) https://dl.acm.org/citation.cfm?id=2078843 (from 2011) which found that Facebook users were unaware of the extent of 3rd party apps' data access even after viewing the permissions screen.
> Say I am running a social network. I want to allow my users to give access to their own damn data to third parties.
You don't. There is no safe way to do this, but more to the point, this is not something that your users want to actually do. If people want to give their data to a "third party" they can just go directly to that party and give it their data. Your permission or participation is not required.
If you'd like to try it, start a social network and then start serving big dialogue boxes that say "Would you like to give all your personal data to a third party? Click here to get started." Note that Facebook worked very hard to do the exact opposite of serving that kind of clear dialogue.
> I want them to be able to use third party chat UIs.
Why? If you are running a chat system, why not just build the UI you want your chat system to have? This doesn't even make sense to me.
I think maybe what you mean is that you want your users to be able to interact with 3rd party services through your chat UI? In which case the answer is to build an API for that which properly handles data and privacy. "Let this 3rd party do everything with a user account that a user can do" is a shitty, lazy and/or deliberately permissive way to deliver that feature. Note that Apple and Whatsapp, among others, provide 3rd party chat integrations without letting the 3rd parties read every message in the user's archive.
Sure there is. Of course people want to use third party email or chat clients. In fact, this is in many ways the bete noir of Hacker News whenever a related subject comes up, just today Slack blocking Iranian user. People point out that Slack, and Google Talk, used to have to speak Jabber. So I type my password into a Jabber WebClient, and I have just shared all the messages you sent me with a third party. It is literally this thing.
People who used the Nylas N1 client, or now, any app that uses the Nylas APIs are sharing all their email messages, contacts and calendars with a third party - this includes your messages and your telephone number.
we the people want to be secure in our papers... increasingly those papers are virtual now and scattered all over the internet.
lawmakers need to catch up, setup hearings/panels with real digital privacy advocates (not spectacles of the type we've been getting with zuck/pichai/et al.).
I don't like Facebook however I think people are blaming the wrong things.
Facebook should just come out and say it already. They sell and process data like everyone else (what do people think credit card companies and Amazon do? ) . It isn't against the law and if people want it changed, change the laws.
This is mostly on lawmakers for not dealing with the issues for so many years.
This is an amazing statement, I don't even know what to say about it (emphasis added):
"Facebook also regarded these partners as extensions of itself because they committed to abide by its privacy guidelines, according to the Times report, and therefore the company felt it did not need users' permission before sharing their data."
Still holding out for someone to care about Equifax that arguably did far worse by not only collecting large amounts of data, but failing to give consumers any control over it. Their whole business model is collecting and selling personal data and opting likely has financial penalties.
Thank you! For all the data collection of Facebook, it doesn’t even come close to the non-agreed upon infringement into my personal life of the credit bureaus, who, in turn, seem to have limitless ability to resell whatever they might know about me to their hearts content...or, you know, just lose it to even more nefarious agents
The only reason Facebook is under so much fire is because Facebook is a scapegoat for entire groups of people.
You have tech people who hate Facebook because Facebook is a social network and many tech people aren't social, so Facebook represents this experience that they either shun or think they're too "above it". Lots of tech people also hate how much data collection they do, even though users give it up voluntarily.
There's also journalists, who hate how much their business model relies on Facebook.
You have politically left-leaning individuals all over the world, who hate that people on the right use Facebook to organize political movements against the establishment. You see this in Trump, Brexit, and anti-immigrant movements all over Europe.
Almost all the people screaming about Facebook before these allegations came out are the exact same people screaming now. It's just hard to take these people seriously.
Facebook needs reform; Facebook will probably get regulated; but Facebook isn't going to get regulated into oblivion and Facebook is going to be here for the foreseeable future.
> Still holding out for someone to care about Equifax
No tangible harm can be traced to the Equidate breach. (At least not yet.) That makes it politically useless. If you want the Congress to build the legal tools with which to prosecute Equifax the next time around, Facebook is the lens through which to do it.
Remember, the United States doesn’t really have a statorury codification of digital privacy rights. We’re still in the process of distilling popular senses into law.
The big companies are collecting and selling our personal data but since we care more about sharing photographs of our lunch, dog and/or holiday we click away all Terms of Services.
Not until congress is void of financial incentives can the US expect a somewhat decent political solution like Europe tries to do.
In the meantime try not to act like part of the herd and don't post anything that makes you their product.
Am I the only one feeling deja vu, relative to Comey's statements to Congress claiming that the NSA wasn't monitoring our communications?
And given that nothing was ever done to Comey, or anybody else involved in that spying, is there any reason to expect any repercussions for Zuckerberg/FB?
I am not trying to imagine a conspiracy here, but are there any forces on the investor side or outside of the company trying to unseat Zuck? The deluge of bad press seems like a concerted effort.
How come nearly everybody saying pretty much this exact thing on every FB thread recently also emphasizes that they are not trying to imagine a conspiracy here? Now, I am not trying to imagine a conspiracy here...
I haven't seen a breakdown of opposition from perspective of financial interest. Privacy noise is just a tool to get to more money and control. Unless this hole is explored, FB has plausible case to play victim.
Yeah, but everyone has a plausible case to play victim if the evidence threshold is 'scary things that could exist that we currently have no evidence either way for'.
Keep in mind that Facebook entered the spotlight only after it was alleged/found that it didn't do enough (in hindsight) to prevent Russian meddling in the 2016 election.
What is often overlooked from the analysis is that the current president successfully exploited the intended behavior of the news feed algorithm to obtain billions worth of free marketing/PR during the campaign.
The algorithm is essentially a virality detection sensor that finds "high quality" content (measured by how much users will engage with it) and distributes it to users in a way that maximizes the amount of ad revenue generated by their consumption of the content.
There is also a mechanism that creates an exceptionally rich psychographic and demographic profile of each user, so that ads can be targeted with great precision (resulting in higher yield and thus higher ad spend by marketers).
However just as Twitter ran into scalability issues once celebrities started using the platform, Facebook has run into a different kind of scalability issue. The news feed algorithm had very unexpected behavior when large numbers of users started sharing stories about Trump, commenting, liking/frowning, aggressively, etc.
The unexpected behavior was that Trump content (specifically the content he controlled because it was triggered by his deliberate crass remarks) suddenly took over the news feeds of millions and millions of users, and the person controlling the flow of such content was none other than the candidate himself.
The Trump campaign used this mechanism successfully to reach undecided voters -- just because someone posts a story criticizing something crass Trump did doesn't mean the content doesn't reach a small percentage of their FB friends who view the content in a positive light.
Another side effect was that all the newspapers and media outlets had been increasingly measuring social media engagement as a signal of the effectiveness of their content/editorial strategy. So by successfully creating massively controversial stories which got shared on social media, Trump effectively rewarded journalists for helping him control the focus of press coverage of his campaign. One can imagine the praise reporters received for stories that were shared millions of times which outlined some crass comment or another.
The FB news feed algorithm is the way it is because it maximizes revenue for Facebook. At present it is completely possible that Trump or another candidate could use the same exact approach again in 2020 and beyond. As much as Trump is beneficial to many establishment interests, he also endangers many, and this is not a risk that those in power want to allow to happen.
So what US officials want is the ability to suppress content that would otherwise have been promoted by Facebook's algorithm. The excuse we are getting officially is that they want to suppress things like the Russian-funded content (which was a very small factor in Trump's overall viral success). But in actuality what they want is the ability to turn down the volume on some political topics/discussion and turn up the volume on other topics/discussion.
This is, in essence, the same goal as the Great Firewall of China, only it's far more sophisticated because nobody will get any "451 content censored" errors. Over time the public will just end up with slightly different opinions, focal points, etc., than it would otherwise have had.
Keep in mind that Facebook has been gradually doing everything the officials have requested, but Zuck cannot simply wave his wand and make all this available to officials. If he did he might face employees protesting the decision, etc. But officials view the timeline as extremely urgent and are escalating by attempting to harm Facebook's market value so that Zuck gets pressured by other sources to do as requested.
It's funny that we are seeing this peculiar turn of events as the build up to the US having its own Great Firewall. ...
> There is a risk that she will run for president without having had the time to adapt her views to match one of the dominant political parties.
She's a rising star in what has long been a major faction (and which may be taking over as the dominant faction) of the largest, by self-identified affiliation (and by vote total at some levels in recent election cycles, though often strucurally disadvantaged in terms of the outcome that produces) political party.
I'm not sure how much of a pass we should give news media. Even before facebook they were still optimizing for click through rates and ad hits, which was enough to give rise to "clickbait" titles and images. During the election I remember people were _glued_ to CNN, and at work people would say "can you believe what trump just said" and then argue endlessly. Even now, media articles still choose publish about mass shootings, the rise of Chinese hegemony, and other threatening lizard brain topics. "If it bleeds it leads" is still as true as it was back then.
Murdoch hates Facebook and Google because advertisers are spending their money with those guys instead of in his newspapers. So he's launched a consistent campaign to discredit them. Check the sources of these stories. I bet 9/10 come from Murdoch owned companies. Trust me on this inside info.
Lawmakers should be fed up with Facebook. That said, Google is an even bigger issue that deserves more scrutiny. The only difference is that Google is spending more money to buy off politicians on both sides of the isle.
171 comments
[ 0.22 ms ] story [ 175 ms ] threadBasically how I imagine the rationality in Zuckerberg's statement.
That distinction should not matter to lawmakers though.
You don't get to decide which parts of your product the law applies to, and which don't. You can't bypass all firearms laws by selling holsters that just so happen to have guns in them as a free bonus. If Facebook tries this in court, the conversation will go something like this:
Court: Do you sell data?
Zuck: No, we sell access to data
Court: so if you took out the data, and gave only access to your systems, completely blank and with nothing on them, people would still want to pay just as much?
Zuck: No, our customers want the data
Court: Then you are selling data. Case closed. Go directly to jail, do not pass go, do not collect 200 email addresses.
This is not necessarily true. Depending on the deal you make with address brokers you more often than not hire specific addresses for one time use. You are not allowed to reuse them for multiple mailings without paying additional fees.
In order to enforce this address brokers seed the data with control addresses.
Carefully curated address lists (say, something like C level managers with an income > 500K $, for example) are expensive, even for one time use.
If an address broker outright sells addresses those are usually of very low quality.
But that's like Totally Different™ than selling data.
Turns out "move fast and break things" is a shitty policy when it comes to privacy concerns.
Users are aghast. "Mark, that is utterly disrespectful. Say you are sorry!"
Zuckerberg to users: "I am sorry that you are all too stupid"
https://m.youtube.com/watch?v=WTsDqIcpHUc
I highly doubt anyone would consent to allowing third party companies to read their private messages if that was actually made clear to them.
The average user seems to assume that the information is used to provide the service and nothing more. The last person I asked if they were worried about how much information FB has about them replied something among the lines of "Yes, but it's only things that I deliberately chose to share." (paraphrased)
Users signed in to services they already had accounts with, and therefore trusted, knowing they were enabling features they wanted to use with their data. These services were hand selected big name companies. This is a far cry from selling data to the highest bidder for profit.
Congress needs to lay the hammer down and come up with privacy rights akin to GDRP.
[1]https://www.theverge.com/2018/12/18/18147616/facebook-user-d...
This is exactly where we need congress to step in and regulate personal data.
I’ve built rest APIs at work and I almost always restrict this type of behavior. Why weren’t they only given access to create PMs and update PMs they create? No requests to pull all the PMs of a certain user.
>Giving Apple access to users’ Facebook contacts and calendar entries, even if they had disabled data sharing, as part of a partnership that still exists.
First, the Verge article (https://www.theverge.com/2018/12/18/18147616/facebook-user-d...) did not do any original reporting, they are referencing the New York Times. This is another thing - people think stories have more weight and truth than they do because you've got a 100 publications writing about some other publications article.
The New York Times article makes this claim, but does not explain what "explicitly disabling data sharing" means.
Are they saying that I sign in to Spotify, I am asked to give access, I say no, but Spotify still gets the data? That would indeed be bad. It is unlikely this has happened. If this did happen, it would be worth a couple of words of explanation more, no?
They are instead likely referring to this dialog: https://c-7npsfqifvt0x24dofu4x2edctjtubujdx2edpn.g00.cnet.co...
Best guess, they are saying, although my friend disabled all the options in this dialog, I was still able to grant third parties access to my contact list and my messages, which included my friends data - that makes sense to me: I can't use a chat app if half the messages you sent me are missing.
In any case, we have to guess what really happened, because the New York Times can't be bothered to tell us.
Facebook said:
> Did partners get access to messages?
Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.
Spotify pushed "log in with Facebook" and as far as I know, for a while it was the only way to use Spotify, and I would have expected Facebook to word the above stronger if they had additional steps to give access to messages. Do you know additional details? (really wish both sides here would present detailed flows)
So why wasn't the access write-only? If the only purpose for 3rd party access to messages was to send messages, there is no reason they should have been able to read any messages. Seems like a pretty trivial, obvious function - I certainly have keys for send-only access to email accounts to let web apps send things on my behalf with minimal possible privacy exposure.
So he lied to Congress and now he's busted. I was wondering whether there exists an audience that wouldn't buy his bullshit wholesale.
Just thinking out loud in weasel here.
Our new digital footprints are much more detailed, but I've yet to understand how they're fundamentally different from what media companies have been selling for most of the last century.
I don't preclude the possibility that they might be, I've just not understood it yet.
Thirty years ago a media company could say you subscribe to these two magazines, this newspaper, and you're a 35 year old male. That means you probably watch these five TV shows and you're likely to be interested in X, Y, and Z. They could also say to advertisers, if you're looking for a 35 year old male who's interested in X, Y, and Z the most effective way to market to them is probably advertising on this radio station or during this T.V. show. They tranched and profiled viewers as groups and sub-groups. Today, they don't have to profile or make generalizations about trends among groups of people. They have all of the information, for each and every one of us as individuals, at their fingertips.
Thirty years ago they sold access to "35 year old males who like football." Today they sell access to you.
Neither platform sales access to a specific person! Instead what they sell is access to “35 year old males who like football”!
E.g. targetted ad in english sent to 10k thai people and one english speaker? Maybe even reduce costs depending on how the system works.
It's the equivalent of complaining that hotmail sold your private email data to Thunderbird when you used Thunderbird as your desktop email client. No. They didn't, you gave them access to it because that is what connecting the accounts does.
If should be fairly clear to anyone that if you connect accounts you are exposing data between the accounts. The debate about the granularity of permissions is neither here nor there, everyone should have a clear expectation that connecting accounts = sharing lots of data. Unless it is explicitly stated what is excluded the assumption should be that everything is shared.
That's amoral bullshit and we must demand better. It should be expected that that connecting accounts means sharing little more than the subset of data required for the integration. Companies that violation this expectation must face consequences.
GDPR takes a step in this direction, prohibiting retention of PII for longer than necessary for business purposes.
I don't understand why netflix gets to see all your DM's when all you want the connection to do is send a message to a person you choose. The connection doesn't need to give netflix literally any data besides maybe the fact that a message was sent. why do they need to know who it was too, and any other messages surrounding it?
I am about to change my mind on the GDPR. If Spotify and Netflix are legally obligated to not store any data they do not need, then Facebook can actually make an additional argument that it is ok to give them wider access; after all, the law will ensure they have to handle it properly.
That seems like a huge perverse incentive. Companies will start constructing systems so that more data is "required" so they can legally collect and share more of it. Then convincing them to collect less would require not just convincing them not to collect the data but convincing them to undergo the expense of redesigning all their systems to not "require" it anymore.
This is exactly what companies do. They decide what data they want, and then set out to find a way that each of those data elements is necessary.
> That's amoral bullshit and we must demand better.
Why is this amoral bullshit? It seems like a lot of the outrage around this topic is born out of a 'feeling' that you have an instrinsic right to online privacy. But, I don't see this right clearly defined in the constitution, so where does it come from? Are you sure it exists?
> It should be expected that that connecting accounts means sharing little more than the subset of data required for the integration.
I think it's unrealistic to expect FB to expend resources to determine what subset of data is 'required' for every app in its ecosystem. When inspecting the utility/privacy frontier, the current model of requiring users to grant permission to an app makes the most sense to me. The problem in this case is that the permissions modal may not have been clear enough.
When it's not defined by law, it's up for debate. And, my main point is that in such a scenario, I don't think calls for moral condemnation are in order.
In outrage scandals like this, we're so quick to condemn the actor and demand punishment. I think the more constructive action is to condemn the action (not the actor) and demand regulation (not punishment). Condemning the actor may quench our thirst for justice, but I think it's often net harmful.
I get that calling for punishment is a good disincentive for future immoral, unregulated activity, but the punishment has to fit the bill. FB lost, what, $30B of value over this 'scandal'. Is that not a big enough fine?
Isn't that like when a rich/famous person evades punishment for a crime that the average person would get a long jail sentence for, because from loss of income etc they'd already got 'a big enough fine'? i.e. effectively only the non-rich are punished for crimes.
These rights have routinely been taken from people with or without their consent throughout history.
EDIT: What I mean to say is having it spelled out can only help, and if we cannot make an argument based on existing legal constructs we might need to spell it out.
Requiring permissions is a good step, but an auditable history would be a huge gain for users world-wide.
In other words, I would like to make an api call or visit a facebook page and see what data was requested by and sent to every third party with which I have shared data. I could then use that data to see if I'm comfortable sharing that information. Automation could also be undertaken by facebook to weed out obviously malicious actors.
Because
> But, I don't see this right clearly defined in the constitution, so where does it come from? Are you sure it exists?
It comes from morality. Some people think it's immoral to defraud people, whether that is money or their private information.
Some people don't want to live in immoral societies and want the government to enforce some level of moral behaviour amongst it's subjects.
> I think it's unrealistic to expect FB to expend resources to determine what subset of data is 'required' for every app in its ecosystem.
How? They have billions in profits and are in the process of hiring thousands of people to help get their news curation/reporting systems upto scratch. Why can't they setup a process where people have to justify to facebook what they would use the data for?
I could easily argue it would have been in their financial interest as it's quite possible we wouldn't be here talking about facebook if they had taken this approach.
But no, im supposed to believe it's unrealistic to have such simple process.
But everyone doesn't, and lawmakers are, on a good day, when doing their jobs, more concerned with reality than idealism.
Or at least, they "should" be :)
its actually just gotten incrementally worse..
It's absolutely nothing like your Thunderbird analogy because Thunderbird exists to present you email but Spotify has absolutely nothing to do with messaging.
Facebook should have given Spotify the bare minimum they needed to make me an account and play me music. Anything else is gross incompetence at best.
And how did you think they were monetizing in the first place? When I read all the outrage here, it’s almost like I’m reading comments from an alternate universe where nobody knew Facebook’s business model. On top of that, I find it even more amusing that lawmakers are up in arms over this, when they were the ones who passed the Patriot Act in the first place, destroying the Bill of Rights and desecrating the Constitution.
I might also expect Facebook to ask the services for some money to get their faces seen on the platform.
Is that hopelessly naive?
This is an argument you have to make, but you're just asserting it. If I get pulled over for speeding, I have to show my driver's license, which I also used to open my bank account, which I use to pay my phone bill, which I use to call my mother on her phone, which she pays for out of her bank account, which she used her driver's license to open, which she had to show to get past the security desk at a building downtown to go to a job interview with a business that rents a space there.
Are you saying that I should expect that interviewer to have access to my driving record? If not, to what degree should it be "fairly clear" to me that there is information shared, and why?
OK, now pretend that I used facebook login to periodically read articles about selling fishing gear, at the website for a membership trade organization for fishing gear merchants that I belong to. I set it up (with two clicks) because I was sick of typing my membership number in on the rare occasion I visit the site. It's like 12 digits, and it's like not I keep my membership card in my wallet; I only need it for conventions...
1) Runs on my own machine, not on somebody else's servers.
2) Is FLOSS so it's actually possible to verify what it's doing.
I think there's a fair debate to be had about what data should be shared when users volunteer to "connect" accounts, but this Thunderbird analogy is horrendously off base.
No that's not at all equivalent. If Hotmail were my only email provider, me and hotmail are the only ones who have access to my inbox regardless of what email client or clients I choose to use. That's not "connecting accounts." Thunderbird is not a company. What an absurd statement to make.
>"If should be fairly clear to anyone that if you connect accounts you are exposing data between the accounts."
Except that we don't actually know if FB only gave access to people who had accounts with both FB and the specific third party. Nor do we know who the third parties exposed that data to. FB has very problematic relationship with truth and transparency in general. Nothing should be "fairly clear to anyone" about FB.
>"The debate about the granularity of permissions is neither here nor there ..."
Saying something is "neither here nor there" is a meaningless platitude.
I don't think there is a "right" answer here that solves all of the problems.
For example, should FB be required to explain to my technically illiterate Aunt how images and text are used to train feature classifiers, which inform the social graph?
FB is sneaky and does not have the culture of valuing users' privacy. It is going to catch up with them eventually.
I think this is a common belief in Silicon Valley. It is not elsewhere. This, in a crux, is why decision-making power is being—and needs to be—removed from the former.
I agree that few are behaving in a downright evil manner. (At least according to their own compasses.) But there has been moral drift around when permission needs to be asked, how it needs to be asked, and the degree to which business leaders have a duty to safeguarding their customers’ interests. The same thing happened in the trust-busting era; it’s interesting to see it happen again.
In contrast, FB is often sending proxies instead of the CEO, and when the CEO did appear, he was apparently not candid.
Not sure if this rises to the standard of felony lying to congress, but if so, I'd not be sad to see Zuckerberg do time for that, considering the scale of damage he's foisted on our society.
We are discussing data privacy though, not algorithmic bias.
Now, how do I do it in a non-evil way? I am presuming here that everyone agrees that should be possible to make that work.
Apparently Facebook did it the wrong way. Why?
If the argument is "Users who agreed to this integration did not know what they were doing because the permission dialog was not clear enough", then I have a couple questions:
- What was the permission dialog like, really? Does anyone have a source for this?
- Why does the New York Times not go into this? I mean, if that is the issue, it seems kind of important?
- Reading the latest Times piece, does anyone feel comfortable arguing that the reader will understand what is apparently the issue - the permission dialog was not clear enough? Or is it more likely that the reader is left with the vague notion that Facebook just dumped all user's private messages over to a bunch of other companies?
See what I did there?
I see what you did: You used a 10 year old meme. Great insight dude.
Next you're going to tell me that just because FB sells access to your data at $10 per account/yr, that this somehow doesn't mean that "you are the product".
Anyway I do sometimes think that it might be good to have an actual screen recording of everything I do online, just so that I could look back and see what a permission dialog looked like for instance.
Maybe I will build a Chrome extension for myself.
1) automatically grabbed a screen text (so it snags the text hidden inside a scrollable container, for example) capture (with notification) when you had a page with a button or link with the text "Agree" or "Understand" or "Accept" in it. Capture would be "tagged" with referrer url, current url, and timestamp. Possibly a screenshot of the rendered page as well.
2) Allowed you to manually trigger such a capture.
I'd think that would involve reasonable space, and even if I wasn't trying to gather legal evidence, it'd be interesting to see the results after, say, only a month.
1) It's not "sometimes." It happens many, many times a day. It's basically become the way they do things.
2) "narratives capture the public's attention so the incentives get a little weird" -- So the news is no longer about finding and transmitting the truth. It's about selling narratives? And the more the legacy news industry progresses on its inevitable collapse, the worse it's going to get? Nice.
2) I'm not sure what point you are trying to make here. I didn't say that news isn't about finding the truth. But when describing complex systems and situations there is always going to be judgement applied in the distillation process. So for instance, you could say "Facebook provided private message data to some application partners" or you could say "Facebook's users inadvertently agreed to share private message data with application partners." Both are true.
I have also seen Facebook exec emails about obfuscating permission dialogues in order to get more permissions, though. It seems to have been pretty accepted practice.
I really like Steve Jobs' comments on how to operate, with regards to questions of user privacy: https://www.youtube.com/watch?v=39iKLwlUqBo (3 minutes)
While I'm not convinced about the need for devices to be locked down, the rest of his response should be the gold standard in my opinion.
There were leaked emails in which FB was discussing how to ACTIVELY ensure the updates for their app specifically obfuscated the fact that they were preventing the users from understanding what they were agreeing to, as it was bad PR, and Zuck authorizing with "yup do it"
Note I'm just basing this on what you just wrote - if it was a really clear memo titled "How to trick users into 'consenting' to 'let' us sell their contact lists, messages, and all other data without actually making them realize they've done this" then I take it back.
If you have a source for him saying "Yup do it" to an attempt at confusing their users on an agreement... that would be a big news story.
https://www.cjr.org/the_media_today/british-parliament-faceb...
https://www.mercurynews.com/2018/12/06/facebook-knew-collect...
https://twitter.com/EFF/status/1071446556946001925
All from here: https://www.eff.org/deeplinks/2018/12/new-documents-show-fac...
Do you honestly think that Facebook was trying to allow users to make the decision in an informed way? I suspect most people instead think Facebook was trying to get some way of SAYING that the users agreed while maximizing the odds that the users would be surprised to discover the implications.
That'd be my answer as to "why". I could be wrong, but I can't think of an occurrence where FB seemed to be acting in their (non-advertising, non-paying) users' interests. Yet FB will claim otherwise.
And that disconnect is what people are finding "wrong".
I mean, that's kind of a tough thing to hang our hats on if the idea is to take Facebook down. From congress the best you could hope for there is for companies to be required to use "more clear" language when writing up consumer agreements in the future. Which would be a nightmare requirement in and of itself, so it would likely never happen.
I'm not taking a position on "taking Facebook down" - I'm arguing that legal isn't the same as moral/ethical, and it's entirely correct to label an activity as "wrong" and to be upset by it without that activity being illegal (In fact, I'd argue there's great value in having such legal-but-not-moral areas as long as they aren't too vast). I'm not well-versed enough in the legalities to SAY if the behavior is legal, but I feel well qualified to say when something feels deceptive and wrong.
Outside of the general issue of legal vs moral: While I agree with you about the legal requirements of agreements, I'm also okay with saying there is such thing as bad faith in entering an agreement, and a reasonableness standard about what people are actually agreeing to seems legit - the alternative grants all the power to people who can afford the time and lawyers for every agreement. Whether such standards would have any impact on this situation is way beyond my knowledge level to be certain (i.e. I'm not saying that's the solution to this particular problem, it's just a related thought)
If you have a pattern of abuse even legitimate behavior may appear as abuse. The solution is to not engage in a pattern of abuse.
If you want an accurate understanding of what's going on in the world, then you should probably believe that people who are habitually late do sometimes also get flat tires. If they say they had a flat, the logical conclusion isn't blind trust or being sure they're lying, but mild skepticism.
Yes, the goal should be for both parties to reach a correct understanding: not at fault this time, but often is.
Facebook, to some, appears to be only loudly arguing about the specific injustices they feel, without giving up much ground on their habitual mistakes.
The only irrational part is when there's a disproportionate response, and that comes with part of the social contract - outside of existential threat, repetition and duration require an escalation of response until a behavioral correction is observed. It's a feedback system and feedback is also rational (only the form of the feedback might be questionable).
If they’re late 10% of the time and the odds of a flat tire are 1 in 1000 (based on my driving experience I’d say that’s a high estimate, too) then you should start by assigning a probability of around 1% to the flat tire hypothesis. Then modify that based on how honest they typically are.
If they consistently "lost track of time" or "got caught up doing X" but they one day get a flat, why wouldn't I believe them?
I don't know if or how this affects the analogy.
You can't do much over the behavior of people's whose trust you've lost, so if they don't believe your flat tire story, too bad for you.
How is systematically not meeting your time commitment not straigth up lying?
I am don't think any alleged previous wrongdoing answers those questions, unless you are saying there is no specific evidence of any wrong doing in the latest revelations, but we should assume there to be anyway.
i think we can use a dose of common sense to understand that what FB did was ... let's say not in the interest of users. so really, the problem is not that fb is being unfairly taken to task. the problem here is the NYT reporting isn't a deep investigative enough piece for your taste. it's more of a drive-by "oh boy, what did FB do now" click attractor.
> Facebook also regarded these partners as extensions of itself because they committed to abide by its privacy guidelines, according to the Times report, and therefore the company felt it did not need users' permission before sharing their data.
This is precisely why I keep pounding on the idea that "Trusted Execution" technologies need to be turned around 180 degrees. It's intimately tied tot he idea of privacy. It's horrible when governments and big companies have "privacy" but use their power to strip individuals of it. Likewise, it's a public good for individuals to have privacy, and for governments and big companies to be transparent. Likewise, it's horrible when big companies turn "Trusted Execution" against individuals -- this is DRM. However, it would be a tremendous good if the voting public got some laws passed requiring big companies to subject themselves to Trusted Execution technologies when handling customer data.
Doing this would give individuals the keys to control their own personal information.
But not on precisely how. I think what we’ve identified, nationally, is a need to legislate standards around digital privacy and information monopolies. Your confusion is reasonable. We, as a nation, never had these conversations. Democracy is, at the end of the day, a reactive system.
Maybe a list of entities, and when you click on one, you see what they would see.
If you care, you opt out. If you don't, you do not opt out. Either way, it makes it hard to plead ignorance or vagueness of permission dialog text.
There have been studies on Facebook's permission dialog and its lack of usability, and it's hard to escape the conclusion that it was deliberately designed to make it hard for users to understand. It has been improved several times over the years.
For example http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.183.... (from 2010) which discusses how permissions dialogs are not designed in a way that allows users to easily understand permissions (using Facebook as one example) https://dl.acm.org/citation.cfm?id=2078843 (from 2011) which found that Facebook users were unaware of the extent of 3rd party apps' data access even after viewing the permissions screen.
https://www.ftc.gov/news-events/blogs/techftc/2015/05/usabil... discusses usability concerns around permissions dialog boxes in general so it's been on peoples' radar for a while as an issue.
You don't. There is no safe way to do this, but more to the point, this is not something that your users want to actually do. If people want to give their data to a "third party" they can just go directly to that party and give it their data. Your permission or participation is not required.
If you'd like to try it, start a social network and then start serving big dialogue boxes that say "Would you like to give all your personal data to a third party? Click here to get started." Note that Facebook worked very hard to do the exact opposite of serving that kind of clear dialogue.
> I want them to be able to use third party chat UIs.
Why? If you are running a chat system, why not just build the UI you want your chat system to have? This doesn't even make sense to me.
I think maybe what you mean is that you want your users to be able to interact with 3rd party services through your chat UI? In which case the answer is to build an API for that which properly handles data and privacy. "Let this 3rd party do everything with a user account that a user can do" is a shitty, lazy and/or deliberately permissive way to deliver that feature. Note that Apple and Whatsapp, among others, provide 3rd party chat integrations without letting the 3rd parties read every message in the user's archive.
People who used the Nylas N1 client, or now, any app that uses the Nylas APIs are sharing all their email messages, contacts and calendars with a third party - this includes your messages and your telephone number.
lawmakers need to catch up, setup hearings/panels with real digital privacy advocates (not spectacles of the type we've been getting with zuck/pichai/et al.).
Facebook should just come out and say it already. They sell and process data like everyone else (what do people think credit card companies and Amazon do? ) . It isn't against the law and if people want it changed, change the laws.
This is mostly on lawmakers for not dealing with the issues for so many years.
"Facebook also regarded these partners as extensions of itself because they committed to abide by its privacy guidelines, according to the Times report, and therefore the company felt it did not need users' permission before sharing their data."
You have tech people who hate Facebook because Facebook is a social network and many tech people aren't social, so Facebook represents this experience that they either shun or think they're too "above it". Lots of tech people also hate how much data collection they do, even though users give it up voluntarily.
There's also journalists, who hate how much their business model relies on Facebook.
You have politically left-leaning individuals all over the world, who hate that people on the right use Facebook to organize political movements against the establishment. You see this in Trump, Brexit, and anti-immigrant movements all over Europe.
Almost all the people screaming about Facebook before these allegations came out are the exact same people screaming now. It's just hard to take these people seriously.
Facebook needs reform; Facebook will probably get regulated; but Facebook isn't going to get regulated into oblivion and Facebook is going to be here for the foreseeable future.
No tangible harm can be traced to the Equidate breach. (At least not yet.) That makes it politically useless. If you want the Congress to build the legal tools with which to prosecute Equifax the next time around, Facebook is the lens through which to do it.
Remember, the United States doesn’t really have a statorury codification of digital privacy rights. We’re still in the process of distilling popular senses into law.
zuck's laughing all the way to the bank.
most of Congress doesn't even know how the Inet actually works commerce-wise, technically, etc. this is yet more kabuki theatre..
Not until congress is void of financial incentives can the US expect a somewhat decent political solution like Europe tries to do. In the meantime try not to act like part of the herd and don't post anything that makes you their product.
And given that nothing was ever done to Comey, or anybody else involved in that spying, is there any reason to expect any repercussions for Zuckerberg/FB?
https://news.ycombinator.com/item?id=18716646
What is often overlooked from the analysis is that the current president successfully exploited the intended behavior of the news feed algorithm to obtain billions worth of free marketing/PR during the campaign.
The algorithm is essentially a virality detection sensor that finds "high quality" content (measured by how much users will engage with it) and distributes it to users in a way that maximizes the amount of ad revenue generated by their consumption of the content.
There is also a mechanism that creates an exceptionally rich psychographic and demographic profile of each user, so that ads can be targeted with great precision (resulting in higher yield and thus higher ad spend by marketers).
However just as Twitter ran into scalability issues once celebrities started using the platform, Facebook has run into a different kind of scalability issue. The news feed algorithm had very unexpected behavior when large numbers of users started sharing stories about Trump, commenting, liking/frowning, aggressively, etc.
The unexpected behavior was that Trump content (specifically the content he controlled because it was triggered by his deliberate crass remarks) suddenly took over the news feeds of millions and millions of users, and the person controlling the flow of such content was none other than the candidate himself.
The Trump campaign used this mechanism successfully to reach undecided voters -- just because someone posts a story criticizing something crass Trump did doesn't mean the content doesn't reach a small percentage of their FB friends who view the content in a positive light.
Another side effect was that all the newspapers and media outlets had been increasingly measuring social media engagement as a signal of the effectiveness of their content/editorial strategy. So by successfully creating massively controversial stories which got shared on social media, Trump effectively rewarded journalists for helping him control the focus of press coverage of his campaign. One can imagine the praise reporters received for stories that were shared millions of times which outlined some crass comment or another.
The FB news feed algorithm is the way it is because it maximizes revenue for Facebook. At present it is completely possible that Trump or another candidate could use the same exact approach again in 2020 and beyond. As much as Trump is beneficial to many establishment interests, he also endangers many, and this is not a risk that those in power want to allow to happen.
So what US officials want is the ability to suppress content that would otherwise have been promoted by Facebook's algorithm. The excuse we are getting officially is that they want to suppress things like the Russian-funded content (which was a very small factor in Trump's overall viral success). But in actuality what they want is the ability to turn down the volume on some political topics/discussion and turn up the volume on other topics/discussion.
This is, in essence, the same goal as the Great Firewall of China, only it's far more sophisticated because nobody will get any "451 content censored" errors. Over time the public will just end up with slightly different opinions, focal points, etc., than it would otherwise have had.
Keep in mind that Facebook has been gradually doing everything the officials have requested, but Zuck cannot simply wave his wand and make all this available to officials. If he did he might face employees protesting the decision, etc. But officials view the timeline as extremely urgent and are escalating by attempting to harm Facebook's market value so that Zuck gets pressured by other sources to do as requested.
It's funny that we are seeing this peculiar turn of events as the build up to the US having its own Great Firewall. ...
Alexandria Ocasio-Cortez is (or at least will be in a couple weeks) a US official.
She's a rising star in what has long been a major faction (and which may be taking over as the dominant faction) of the largest, by self-identified affiliation (and by vote total at some levels in recent election cycles, though often strucurally disadvantaged in terms of the outcome that produces) political party.