51 comments

[ 3.2 ms ] story [ 107 ms ] thread
> Facebook told two senators why it tracks users’ locations even when their tracking services are turned off. The lawmakers now say Facebook should give users more control over their data.

> Facebook said that even when location tracking is turned off, it can deduce users’ general locations from context clues like locations they tag in photos as well as their devices’ IP addresses.

> While this data is not as precise as Facebook would collect with location tracking enabled, the company said it uses the information for several purposes, including alerting users when their accounts have been accessed in an unusual place and clamping down on the spread of false information.

> Facebook doesn’t allow users to turn off location-based ads, although it does allow users to block Facebook from collecting their precise location, the company wrote.

If I say I don't want you to track my location, I mean exactly that. Not respecting users' wishes like this is a terrible thing to do.

(comment deleted)
> If I say I don't want you to track my location, I mean exactly that. Not respecting users' wishes like this is a terrible thing to do.

Isn't this more of an OS level issue?

There are ways to track location outside of the operating system.

For example, even Facebook says (and the comment you replied to noted) it uses photo tagging and what wifi network you're connected to in order to determine location.

> There are ways to track location outside of the operating system.

> For example, even Facebook says (and the comment you replied to noted) it uses photo tagging and what wifi network you're connected to in order to determine location.

By photo tagging, do you mean GPS coordinates? Isn't that done by the app that takes the picture?

Can't I disable Wi-Fi?

If my wireless ISP is giving everyone free access to my location through some sort of IP address or rDNS scheme, isn't this an ISP issue? I mean, can't you make this exact complaint about every single thing you use that connects through an IP address?

By photo tagging, do you mean GPS coordinates? Isn't that done by the app that takes the picture?

On Facebook and many other social apps you can manually specify the location a photograph was taken. Some apps will ask you for the location if it's not available from the operating system or metadata.

Can't I disable Wi-Fi?

Sure. Go nuts. But you have to connect to the internet somehow to use the app, so if you're not on wifi, it can get your location from your cellular network.

Yeah, I notice you didn't address the last paragraph. Any reason you responded so selectively?
OS can block access to location, but they can still have a coarse location from your IP, tagged photos, checked-in locations, message content and so on. Disabling location tracking in FB should also disable this on the FB server side.
> Disabling location tracking in FB should also disable this on the FB server side.

Facebook is free to do with their servers as they please. Don't like it? Don't use it. I don't.

How do we know you aren’t lying?
You can take audio snapshots of unique sounds and compute location from that- when somebody nearby has similar audio and location active.
No, it isn't. Just like breaking into someones house to steal his data isn't an issue of homeowner not having a 2mil$ vault.
> No, it isn't. Just like breaking into someones house to steal his data isn't an issue of homeowner not having a 2mil$ vault.

To my knowledge, facebook isn't breaking into anything. This is a terrible analogy.

> clamping down on the spread of false information

It seems this user is at the corner of 47th and 3rd, so we won't tell them how oil companies lied about global warming. Did I get that right?

I'd imagine it would look more like "these twenty people are all in the same building in Russia posting a whole lot of opinionated content about America", if it was a true story.
> the company said it uses the information for several purposes, including alerting users when their accounts have been accessed in an unusual place

Recently Twitch has started screaming when I log in in an incognito window. They send me an email with a 6-digit code that I have to enter because an attempt was made to access my account from an unknown machine.

Left unmentioned is any conceivable reason I would care if someone else did log in to my Twitch account. The alert and the one-time code are pure nuisance.

For you, not much. For people who make their livelihood on it, a lot.

If you’re lazy and share passwords between accounts like some people do it’s also good to know that your password might be leaked.

But I won't get an alert if this blocks someone else from accessing my account. The email will go to the address associated with the account, and the odds of me checking that address without knowing I need to are nearly zero. And all of that is as it should be, because attempts to compromise my Twitch account do not matter in any way at all.

You'd need to be a lot more important than a non-streaming Twitch account before I'm going to provide an email address that can reach me reliably.

"But how is Twitch supposed to know whether I'm a streaming account or a non-streaming account?"

I'd personally rather it be secure by default than unsecure by default.
The contrast here isn't "secure by default" vs "unsecure by default". It's whether a legitimate login can come from any computer, or only a computer Twitch recognizes as having logged in to the same account in the past. I'm not saying they should stop asking for your password.

So we have "secure by default" or "secure, and also incredibly irritating, by default".

Security in depth. It's reasonable to require 2FA for new devices.
They're not requiring 2FA for new devices:

1. I'm logging in from the same device every time. They're just freaking out because I'm in an incognito browser window.

2. They're not asking for more than one factor. The one-time code is sent to my email address. Control of the email address is already sufficient to take over the account, regardless of whether I know the account password.

If you're not able to identify new devices, is it still reasonable to prevent logins from those unidentifiable "new devices"?

I was under the impression that because of the lack of tracking in incognito, most sites regard it as a "new device". Regardless, your second point stands, makes sense. That is dumb.
FB is poison. Do not ingest.
All they need to do to convince lawmakers is to offer them the data, I bet.
The FB mobile website works perfectly fine except for messenger.
mbasic.facebook.com

It's not a great looking site, but you can read and respond to messages on there.

(comment deleted)
there's also a Firefox extension that can unblock "messenger"...
you can view m.facebook.com in desktop mode to avoid the redirect to install messenger
messenger works fine for me with firefox 20.2 on iOS 13.2.3
> Facebook said that even when location tracking is turned off, it can deduce users’ general locations from context clues like locations they tag in photos as well as their devices’ IP addresses.

Facebook can still do all this on the mobile website.

Delete your account already. No one here can act like they didn't know what FB is like.
Why does the government need to stick their fingers in this? No one needs Facebook. If you’re not happy with the product or with the company’s ethics, stop using it.
Sir, have an upvote. Spot on. Unfortunately, there are those - wired - to be dependent on it and know nothing else.

This is a very big, overlooked problem.

This argument could be made for any ~addictive~ product. Minimal requirements can shift the burden off of every single consumer.
Because you can’t opt out. Facebook creates shadow profiles for people who have never created an account. They track people’s faces in photos they appear in that were posted by friends. They link people’s personal information to their shadow profile whenever a user allows Facebook to access their address book contacts.

Facebook is a pervasive, all-consuming data monster. If lawmakers don’t rein it in, it will grow so powerful that it will challenge the sovereignty of governments. It’s not a joke.

By what mechanism does an individual suffer harm through this shadow profile?

In what way do you imagine Facebook challenging the sovereignty of a government?

They are having data about themselves collected without their consent. That is the harm.
In what way is that harmful to them?
Are you being wilfully obtuse?
Does taking photographs of a mountain harm it? Articulate your reasoning, rather and resorting to vague insinuations.
At some point in the reasoning chain you reach the bad thing that is bad because its intrinsically bad and if you try to reason more you'll just go in circles. Or you enter a philosophical debate of such depth that it's stupid to have it with internet strangers.

Drink driving is bad.

Why is that?

You might cause a crash.

Why is that bad?

People could die.

Why is that bad?

They'll be dead.

Why is that bad.

They don't get to exist any more.

Articulate your reasoning!!!!

With enough data you can segment for almost any group.

- Who is likely to vote Bernie?

- Who is gay?

- Who is gay, but not out?

- Who is cheating on their wife?

Etc etc..

If you can't see the potential for harm at both the individual level (think extortion) or political level of that kind of power I'm not sure what would convince you.

If data is collected about you without your consent, that collection is itself harm, because your rights and intent are being actively bypassed.

That's plenty harm enough all by itself.

Two words: Cambridge Analytica.
Can you explain how any individual was harmed?
If challenging the sovereignty of governments is the problem, then there's an obvious solution - just nationalize it! Then all the tracking will be done in the public interest and we can go back to sleep.
Very good. We could also open conversation of serious privacy violations finally when AJ is whistleblowed they real agenda.