HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.

Hacker News Comments on
How Facebook Tracks You on Android (2018)

media.ccc.de · 141 HN points · 12 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention media.ccc.de's video "How Facebook Tracks You on Android (2018)".
media.ccc.de Summary

In this talk, we’re looking at third party tracking on Android. We’ve captured and decrypted data in transit between our own devices a...

Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
You are likely mistaken. FB/Meta is still the leading data-broker because

(a) they track you even though you are not on their app [1] (b) they own 55% of app downloads in the US [2]

[1] https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

[2] https://app.finclout.io/t/b9BbQa4

Dec 21, 2021 · jsemrau on Stop Facebook
Maybe this is of interest for you: https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

Seems to me, this is pretty much exactly how this works.

Do people still believe that Facebook doesn't collect data from the apps owned by them? Hell, even the apps that use the Facebook SDK send user data to Facebook even when you don't use Facebook-owned apps:

https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

croes
They don't care
blackcats
They know the Facebook Mafia does, but none of their network is moving to alternatives
For anyone interested in Facebook's SDK behaviour on Android, there's a good video[1] from 35C3 covering this topic, and a related HN discussion thread[2].

[1] - https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

[2] - https://news.ycombinator.com/item?id=18788658

It stands to reason that for every WhatsApp conversation they'd have access to:

- who is communicating with whom,

- dates, times, and durations,

- method (text / voice / video),

- amount of data transferred,

- type of attachment if applicable, and

- location of each device,

along with unique device identifier, and perhaps other information.

See the Privacy International report[0] or video[1] on how much data FB glean from other apps that merely use the Facebook SDK, each time an app that uses it is opened, for a clue... how much more will they want from a service they paid billions for?

[0]: https://privacyinternational.org/report/2647/how-apps-androi...

[1]: https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

Aug 26, 2019 · 141 points, 31 comments · submitted by k0t0n0
blackbear_
Completely anecdotal: I have no facebook apps or social media on my android except for whatsapp, and I never use anything else from them. I see between 400 and 500 calls to graph.facebook.com _every day_
gvurrdon
I see a few on iOS from time to time, but they are blocked by Adblock Pro with a hosts file listing Facebook servers.
freeone3000
WhatsApp is a facebook app.
mandelbrotwurst
Ha, the person you're replying to even wrote "except for Whatsapp"! That's curious...
NikolaeVarius
Websites and apps use Facebook apis. Nothing conspiratorial about that.
tobr
On the contrary, it fits the definition of conspiracy pretty well.
NikolaeVarius
Explain.
kevin_thibedeau
Facebook has bought their way into tracking people who are not users of their service with no notification and no opportunity to opt in or out.
tobr
I’ll give you a definition of “conspiracy”: a group of actors that coordinate in secret to achieve something harmful or unethical.

I’m not sure what to explain.

NikolaeVarius
It's not really a secret if it outright tells you what is happening. It's like claiming that all 3rd party JS is a conspiracy.
stiray
Install NetGuard https://github.com/M66B/NetGuard (no root needed) and block them.

I am also using XPrivacy Lua (you need rooted phone) https://github.com/M66B/XPrivacyLua to give applications fake details like android id, gps coordinates, contacts etc.

For a nice addition, uninstall all google software and use microg instead.

prophesi
NetGuard looks nice. I do think their reason for not having an F-Droid release is unsatisfactory, though.

https://github.com/M66B/NetGuard/blob/master/FAQ.md#user-con...

That same logic applies to the Play Store, as it's up to the whims of Google if they roll out your update.

stiray
He probably pulled out the classic "it's for security reasons" PR stunt. :D

Anyway, the guy is a legend since his XPrivacy hit Android...

eden_h
It would be helpful to be more upfront in the video about why Facebook is tracking this, because it looks like it's Facebook Analytics for Apps - (https://analytics.facebook.com/get-started/Apps#fq), which puts this on par with Google Analytics for Apps - (https://developers.google.com/analytics/solutions/mobile) in terms of problematic behaviour.

So it is unclear if this is data that is provided to Facebook servers but not accessible to Facebook, similar to options for Google's Analytics platforms, or if it is harvested by Facebook by permission of the app creator. Both options being shady, as it's not told to the user, but this video feels more like it's saying Facebook is actively tracking people, not App Designers are giving Facebook permission to track you in exchange for marketing analytics.

The data that is being provided is significantly too high, and the user should be made aware, but this video seems to only discuss it being API calls to the Analytics interface when using the app. I'd definitely expect there to be API calls when using an app, but how User ID tracking is done is probably the most potentially dangerous part here.

mfer
Does Facebook Analytics for Apps segment the data from that of Facebook or combine it? Is there any policy even stated that says it's not used for other things. I would suspect, but have not looked, that all the data is combined together and used for selling ads and in other ways.

If that is the case, an app that is using it to get analytics for themselves is also sending lots of data to Facebook to be used for their other purposes.

Is this information transparent to anyone? This can lead to the tracking failing GDPR or other laws.

Now, if it was only analytics for apps for the benefit of the app owner and not shared... things might be different legally speaking.

Of course IANAL and they may have much more to say.

solounavez
At the 7:00 minute mark, they show that the company has false or misleading advertising, can that company be sued for this?
mcintyre1994
It's pretty amazing that Facebook got such a foothold here that all these high profile apps use their SDK. Are they just using it for log-in? Are their mobile ads better than Google's for developers? I assume that Google provide all the same tools for their own ads, analytics etc. and presumably similar tracking by Google is already baked in and unavoidable.
harryf
> Are their mobile ads better than Google's for developers?

The situation may have changed but last time I worked (as a PM) with people doing mobile marketing back in 2015, Facebook App install campaigns were _massively_ better than anyone else. You could get installs for under $3 per user and the performance was fantastic eg 1000 times more installs in the same time as the next best network.

Facebook may have upped their prices since and Google's App install products have got a lot better, especially on YouTube.

dep_b
Login is a big thing but if I can get away with it, I'll simply use a web view Facebook authentication instead. Adding all that framework weight for something the average user only uses once and will be a jarring experience from the rest of the app no matter what you do is not worth it to me.
ttctciyf
As mentioned in the video, but not afaics in the description, the page from the presenters at https://privacyinternational.org/appdata has the testing environment if you want to extend or replicate these results, as well as the report itself and its documentation, along with a March 2019 update.[1]

1: https://privacyinternational.org/blog/2758/guess-what-facebo...

BenGosub
How hypocritical it is to both boast that you are privacy focused, while blatantly invading users' privacy at the same time!? I think their days are numbered, but hopefully we get rid of them sooner than later.
blindseer
This is tangential, but I really dislike how this YouTube channel always downloads the original video, strips it of all information regarding the speaker and the conference and uploads it to their channel. Even though the original is published under Creative Commons Attribution, it still bothers me that they 1) download and reupload (wouldn't this be better accomplished by a playlist?) 2) strip information that makes it appear they produce the content. I'm curious what other people think about this.

Anyway, here is the source [1] from their video description.

[1] https://www.youtube.com/watch?v=y0vlD7r-kTc

input_sh
Not to mention that they're breaking the license by not indicating that they've made changes to the original work. As far as 2) is concerned, that's allowed by Creative Commons Attribution, but it must be indicated that the changes were made. Just the fact that they've cropped the video makes their video a modification.

From[0]:

> How do I properly attribute material offered under a Creative Commons license?

> You must also indicate if you have modified the work—for example, if you have taken an excerpt, or cropped a photo.

[0] https://creativecommons.org/faq/#how-do-i-properly-attribute...

perlpimp
stripping is not good but corralling and filtering videos maybe not so bad. maybe in the future content id can let people know of people from which a given video originates? that would be a useful exploration feature.
indalo
I'd like curated content to have a larger presence as well. I wonder if enhancing playlists could accomplish this. You can add metadata and arrange while the video remains on its channel.

On the other hand I doubt a lot of reuploading is done in earnest.

dang
OK, we've changed to that from https://www.youtube.com/watch?v=OTt1AVRQyx0.
saagarjha
Can we link to the CCC page instead? It has the video along with additional resources: https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...
dang
Sure. Changed from https://www.youtube.com/watch?v=y0vlD7r-kTc.
kekebo
Original full length video from 35C3: https://www.youtube.com/watch?v=y0vlD7r-kTc [How Facebook Tracks You On Android]
saagarjha
Previous discussion: https://news.ycombinator.com/item?id=18788658
dang
Missed that one. Thanks!
So it actually turns out that on Android if you opt out of ads personalisation, the app still sends the advertising ID, but also sends in the JSON "advertising_tracking_enabled: false", which is not so reassuring. See Privacy International's talk here: https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...
Why would anybody bother trying to hide traffic? Lots of apps already waste bandwidth and CPU to exfiltrate a wide variety of data, often sending it straight to Facebook[1]. They simply relabeled it "analytics".

[1] https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

Reminds me of this presentation: https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...
richardhod
That'll be mostly because they gave this talk and they link to it in the article!
> Facebook doesn't want these companies sending users' personal data to them without their knowledge

Facebook's claim about not wanting the data is contradicted by actions. They chose to make their SDK send[1] analytics signals on library init before the user could have even been presented with a request for consent. They chose to have their analytics SDK send[2] everything to Facebook by default, requiring developers to go out of their way to disable the spyware (including somehow discovering that this step is needed).

> Now if Facebook were to use this data for their own purposes,

What would Bayesian analysis say about that question given a history with multiple events where FB et al were using all of the data they received however they want? Facebook lost the benefit of the doubt a long time ago, and it will take a lot of work to rebuild their reputation.

[1] https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

[2] Ibid.

edmundsauto
A Bayesian analysis would have to include all the decisions where FB was a good steward of user data. The events reported in the news are a very small fraction of the possible times that FB could have done wrong.

Not that I'm defending FB, but your attempt to lend credence to your statement with a smart sounding approach was undercut by selecting a superficial and biased prior.

>There are plenty of alternatives to social media - email, SMS, phone calls, and even decentralized options.

Someone didn't see the video[0] where the Facebook SDK, packaged into other apps, was sending all of the information plausible/possible back to Facebook - before the Terms and Conditions of the application could even be accepted.

The problem is far greater than you've perceived it to be.

[0] - https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

sjroot
Any developer that uses the Facebook SDK has to agree to its terms and conditions. If you have an issue with this then you should avoid using applications that use the Facebook SDK.

How is it a problem with Facebook when they have released this software free of charge for any developer to use? Again, just like the Facebook website, it is a product that they offer.

renholder
Developer does not equal consumer. Just because the developer agrees to the terms and conditions of Facebook's SDK, it doesn't give Facebook carte blanche on the end-user's device - before the end-user has even agreed to the app's Terms & Conditions.

Also, how in the feck do you propose avoiding using apps with the Facebook SDK included? It's not as if such use is advertised by the apps, yeah?

From your argument, it's free, so why the feck should anyone complain? That's pretty banal: Trading subversive data practices for the cost of it being "free" should never have been an acceptable position for anyone to take, in the first place - no matter who it is.

The problem with Facebook is that they track everyone, FB users or not. Most likely breaking GDPR for basically every European who uses the internet.

Good talk from a few weeks ago: https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

(that's just android, but they do just as much web tracking through their pixel for example).

HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.