I find this statement from Facebook in the article to be oddly worded, as if it was carefully constructed by a lawyer to avoid getting caught in a lie:
"Facebook does not use your phone's microphone to inform ads or to change what you see in News Feed."
OK... so they are saying they don't use your microphone to target ads. But how about precisely enumerating how FB uses your microphone?
Do they use it for any purpose other than helping you communicate during a call?
Do they try to infer any persona information about you, which can then be used indirectly to make money from your data?
I too have had odd coincidences where eerily relevant ads show up after I have had a conversation. If only FB was more transparent about what they do, I might not be so paranoid about it.
I think you're on to something here about the indirection.
I too have witnessed the uncanny ads, but not even from my own phone (I don't have Facebook on my phone). A friend mentioned a particular restaurant I have never been to, been near, or searched for.
I can only assume my friend's conversation was geo-tagged either by my phone (Android, no non-system mic access), or the data was combined on the server end to place both of us at the same place / same time, and used his recording to market to me.
I'd also like to note, the 'amount of bandwidth needed' is almost nothing by today's standards. Not to mention it can wait to transmit that data until on wifi. 8 kHz audio (telephone quality) is just kilobytes per second. A reasonably unsophisticated algorithm could trim the audio for any highs and lows (i.e., statistically, sound below or above some dB threshold is trimmed because it won't be useful) and upload it. We're talking about just a few kb per conversation.
Of course, the Facebook app is a memory, storage, and CPU hog (IMO), so I don't think it's unreasonable that given today's modern phone hardware some word recognition software may be present on devices themselves.
Or consider another scenario: your friend went to said restaurant and paid for something; read an article about the restaurant; viewed/interacted with an ad for the restaurant; liked a social media post for the restaurant; or was geo-tagged at or around the restaurant. Any of the above would be sufficient to associate your friend and the restaurant, and I'd wager targeting your social graph after you've interacted with a product/service would have a good ROI.
Alright, here's another anecdotal experience. To preface it, I don't have the Fb app or Messenger on my phone but have WhatsApp and Instagram. I opted out of WhatsApp's data sharing policy when you were able to do it.
So I was walking with co-workers for coffee and somehow we talked about a college. Now I can assure you that I have never ever searched for that college and I didn't even know it existed before that conversation took place. And 30 mins later, I'm browsing Instagram at work and there is an ad of the said college. If this isn't creepy af, I dunno what is.
It might be creepy, but it might not be. It is possible that the conversation influenced the ad shown. But it is also likely that ad would have been shown no matter what the prior conversation was about. If the conversation hadn't included talking about the college prior to seeing the ad it would have been a non-event. But being primed in advance makes it at least feel like a freaky coincidence or at worst nefariously creepy targeted advertising.
These kinds of events happen by chance and have been happening well before almost everyone started carrying mobile recording devices in their pockets and even pre-internet.
I have no doubt that advertisers would love to have that kind of insight but I can't help but feel that the anecdote of the form, we talked about A and A showed up X minutes later, is too easily explained by coincidence. How many topics were discussed, how many ads were shown? When I read something like this I imagine the anecdote should read more along the lines of how we talked about A, B, C, D, E and F and among the dozen or so ads I saw afterwards one of them was topic A! Can you believe it? And yes, yes I can, that is a pretty neat coincidence.
On the other hand if out of all 6 of the topics discussed all of the ads that were shown afterward were related to them, maybe not all, but more than one or two. That sounds like there is something fishy going on.
I don't mean to single out this particular example, it was to be a simple comment that had more to say. So, thank you for the inspiration!
The first time it happened to me, I considered it a coincidence. And the next few times too. It must be because the game is new, or they know I've been searching for new floors on my computer, etc. But it keeps happening, and it's always in the time following after it was talked about, but not searched for. It has happened for things we talked about at friends place, that is completely outside what my wife and I would do.
The most blatant I've experienced was on the Wii U. The controller with the screen powers up and shows ads for new games every now and then. We actually had a bit of fun with it, casually talking about new games and guess what happened. An ad for that particular game was shown. I'm 100% certain now, that it happens with smartphones as well.
It could be the ads came up a more conventional way - the makers are priming the publicity for the game so it shows up in magazines and ad buys etc. If you and your friends are avid gamers - you probably get some early exposure before more general ad channels buys show up.
But to really answer this question, we could build a better experiment. Write out a set of topics on index cards. You have to be careful that topics aren't new product rollouts (otherwise you really have to think about how you decided to write that topic down in the first place). Draw a card, don't talk about or search the topic for some amount of time, then inject the topic where it might be observed (talk about it and/or search for it somewhere), then for some amount of time, see if it comes up.
Also keep track of every time that you see references to each topic both before and after bringing them up.
And have a control group that you simply don't bring up at all. Make sure to have more than one, so that you still have more remaining if someone around you brings up one of your control topics.
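An added example, not part of the original comment: one way to score the index-card experiment described above, using an exact permutation test on the change in sightings per topic. The topic names, counts and the `contaminated` flag are constructed for illustration.

```python
from itertools import combinations

# Constructed sample log, one row per index card:
# (topic, group, sightings_before, sightings_after, contaminated)
# "contaminated" marks a control topic that somebody else brought up,
# which is why the comment asks for more than one control card.
CARDS = [
    ("kayak rental",    "spoken",  0, 3, False),
    ("pottery class",   "spoken",  1, 3, False),
    ("beekeeping kit",  "spoken",  0, 4, False),
    ("sailing lessons", "spoken",  0, 3, False),
    ("fencing club",    "control", 1, 1, False),
    ("telescope",       "control", 0, 1, False),
    ("bonsai tree",     "control", 2, 2, False),
    ("unicycle",        "control", 1, 0, False),
    ("accordion",       "control", 0, 5, True),
]


def deltas(cards, group):
    """Change in sightings (after - before) for usable cards in a group."""
    return [after - before
            for _, g, before, after, contaminated in cards
            if g == group and not contaminated]


def exact_p_value(treated, control):
    """One-sided exact permutation test.

    If speaking a topic aloud has no effect, the 'spoken' label is arbitrary,
    so every way of picking len(treated) cards from the pool is equally
    likely. With the group sizes fixed, the difference in means grows with
    the treated sum, so comparing sums is equivalent and avoids rounding.
    """
    pooled = treated + control
    observed = sum(treated)
    sums = [sum(pick) for pick in combinations(pooled, len(treated))]
    return sum(s >= observed for s in sums) / len(sums)


def analyse(cards):
    spoken = deltas(cards, "spoken")
    control = deltas(cards, "control")
    if len(spoken) < 2 or len(control) < 2:
        raise ValueError("need at least two usable cards in each group")
    return {
        "mean_change_spoken": sum(spoken) / len(spoken),
        "mean_change_control": sum(control) / len(control),
        "p_value": exact_p_value(spoken, control),
    }


if __name__ == "__main__":
    print(analyse(CARDS))
```

A small p-value only says the spoken topics gained more sightings than the controls did; it does not say which channel (microphone, searches, friends' activity) carried the signal.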
Here's a fun experiment idea. When you are around friends and the Wii U, only talk about games that came out at Wii U launch, ideally one you don't have. Like, FIFA Soccer 13 or something. Don't ever search for that game or talk about it away from the Wii U. After a week or so of that, see if you get an ad for it.
"We were talking about new games and I got an ad for a new game!" sounds like pretty standard, non-targeted advertising. Easily chalked up to coincidence. Steam advertises new games to me, some I'm interested in and some I'm not, but I don't think Steam is reading my brainwaves.
I cannot remember that it has ever shown one while I was sitting and reading an entire evening. But as soon as we start talking it will show advertising. That could be explained by it simply detecting noise in the room, but it correlates with what we're talking about more often than not.
There's an option to disable it waking up and displaying things, so I've never seen adverts on mine (but maybe there's other things shown you do want to see?)
College is running an ad campaign, one of your co-workers saw it (consciously or unconsciously) earlier in the day, and that is what led to the college coming up in conversation?
Your friend could have searched for the college before or after your discussion, or maybe even your friend had just been looking up old college friends on Facebook lately and that was enough to match up that ad and you. Not that I wouldn't put it past Facebook to do something like this, but it will be hard to prove from anecdotes because, ironically, Facebook captures so much other data that plausibly could reveal the same connections.
What about the hundreds or thousands of other ads you see each day which have little relevance? It's easy to remember the ad that is creepily accurate, but I don't think it's at all surprising that these ads are occasionally hitting the jackpot.
* the "somehow we talked about a college" is because someone else at coffee was looking at something college related and it was recently on their mind so they brought it up. You're associated with those people, so the ad agency decides to show you an ad. It may do this a lot, but the times it actually works really stick out to you.
* After the coffee, one or more people search or perform actions associated with that college. Ad agency knows you were recently meeting with them so decides to show you some associated ad.
Keep in mind that the ad agencies, whether Facebook or Google or some lesser known but still large one, have their own profiles of you and who you associate with.
I think Occam's razor holds that since we know there are multiple agencies tracking what you do and who you do it with online and that can conceivably be used to explain most of this, it's a much more likely explanation than a large company outright lying in a way that would have a horrendous backlash if proven (and it's not really that hard to prove if people got serious).
I get ads all the time that appear to be directly related to what my boyfriend, a non-facebook user, has been searching for. I figured it must be some IP based analytics.
Was your friend talking about the college because he saw an ad on Instagram or Facebook for it? Often times my roommate and I are in the same ad cohorts on Instagram and will see the same advert within a few days of each other.
And more importantly, that would be much more accurate AND lower risk than the conspiracy theory trying to transcribe everything the microphone hears when it's buried away in your pocket or bag and target ads based on that.
You don't need to transmit the audio. Just transcribe to text, remove any common or stop-words (a, an, the) and transmit what's left over in encrypted form to cover their tracks.
I wonder whether there is another mechanism at play. Often when I have conversations with friends, it's likely that either I or they search a term, or have done so recently. Couple that with the social graph and location tracking, and it's very easy for Facebook/Google to target an ad knowing when I interacted with another person and assume that I may have interest in the term that was recently searched by them.
A creepier one is before I proposed to my fiance I would now and then look up rings. One time I literally said "I need to look up some rings again" and went on Instagram not short after and BAM! There it was an advertisement for rings. It's too damn creepy of a coincidence, and I rarely ever believe in coincidences (sure enough more times than not they're not - at least in my experiences). There's been other moments of things I hadn't looked up or bought that I mentioned verbally and damn it, sure enough an ad on Instagram. It's downright witchcraft. Maybe I'll start documenting the phenomena every time it happens, maybe they'll auto take me out of the A/B testing for this by scraping HN. Ok I needa take off my tinfoil hat... Then again, could Google (Android is on my Phone) sell more detailed data to Facebook? I am going to heavily consider finally rooting my phone and installing a ROM on it.
I can't tell if you are being sarcastic or not.....
Wedding rings have an EXTREMELY high margin, and almost infinite budget for advertising. If you google rings once, you will continue seeing ads for YEARS, regardless of any conversations you have.
Honestly if Facebook knows you are in a relationship for 3+ years and you are under 35, you are going to start seeing ads for engagement rings even without searching for anything.
If you really think they are getting you through the microphone, start talking to your phone without anyone around, while browsing Facebook about Baby Diapers, Baby Formula, and Baby Toys. Don't search for anything baby related, and obviously use something else if you are a Father already.
I'm mostly being a bit over dramatic about it, but I did suspect my mic being snooped on when it did happen, could you blame me / anyone? Hence this article was written. It's very reasonably a coincidence considering how often I would search for rings, but creepy nonetheless. Hadn't seen those ads prior to starting on my search though.
My favorite is when you finally buy something and they still show you ads. Like a coworker mentioned, if I buy a refrigerator I don't need another one... I have one house! Come on! Maybe they do it in case you change your mind? Who knows how these ad companies think.
They keep showing you ads for the fridge because they don't know you have purchased the fridge.
The only way for them to know you have purchased a product is if you buy it online and get hit with the confirmation tracking pixel on the checkout page.
Most people see ads for a fridge, but then go into a physical store to make and finance the large purchase.
Oh no, that doesn't matter. I can search for something and buy it online, and be pestered with ads for the same product for days.
The ad-placement folks have technology and patents and millions tied up in all that. And what do they come up with? "Show ads for what they just bought"
It's more complicated than that. You are probably included in separate funnels that can't communicate.
The "fridge store" is doing a pixel based retargeting list, which is easy to take you off when the purchase is made.
But they also might have a list of 'customers likely to purchase a fridge' from Google searches that you are being served ads to as well. You might be on a 'look-a-like' list from Facebook, because people in your demographic tend to buy new fridges. You could be removed from that list if Google shared the IP addresses of everyone on their list, but at a serious cost to your privacy. These walled gardens are ultimately good, but result in a ton of advertising inefficacy.
I know it's annoying but the advertisers are smart enough... we don't actually want them getting any better than they are now.
I agree with this. I don't think these companies need to tap your phone to figure out how to choose an Ad for you. They can do an excellent job just knowing that someone is at your house looking up something specific. I suppose one could argue that your privacy is really only worth as much as the person standing next to you values theirs. People just need to understand that their personal privacy decisions really aren't so personal after all.
I've had discussions with people about things I've never searched for or purchased -- discussions around specific companies, and then the same day I start receiving advertisements for those companies, only on Facebook (don't even get Google ones). I have a hard time believing they are re-assembling this from purchase history or any other metadata they have that is not real time. I'm still looking for a simple explanation for this!
Facebook is not a trustworthy company, so I have a hard time believing them about this. But it's why I don't install ANY Facebook applications on my phone anymore and that includes Messenger and Instagram, or any other company they purchase.
The simple explanation and (maybe scary) truth is that we're a lot more predictable than we think.
Remember when Target got into hot water for outing a pregnant teenager based on an assortment of items she bought [1]? That was based on items like scent-free soap, cotton balls, and vitamin supplements.
That was 6 years ago and (no offense to Target) done by a company that isn't nearly as adept at doing that kind of targeted advertising or inference.
For example, Facebook might know (hypothetically) that you're a young adult in the tech field who lives in Brooklyn and spends a lot of time looking at photography or you're friends with a lot of amateur photographers. So they show you ads for high-end cameras from the most popular vendors, knowing that you're likely to develop an interest in photography if you haven't already.
That's just an extremely simple example, you can imagine that there are far more subtle indicators about someone's interests or likely interests (like the cotton balls for pregnancy).
The timing is almost certainly a coincidence. It's far more likely they show you those ads all the time and you're just noticing them when the coincidence occurs because you're on high alert now for things like this.
I actually don't think the timing is a coincidence... OP says:
> I've had discussions with people about things I've never searched for or purchased
That doesn't mean his network hasn't been searching for or purchasing those things or leaving behind other breadcrumbs... which is probably enough for Facebook to guess you're a decent candidate for the ads.
It was weird because we were having a discussion about problems in the office, construction related noise, and if we could find a different place to work temporarily. In that group discussion, specific companies that provide co-working services were proposed. I never searched for anything related to this around this time (but it's possible someone in that group did!), I remember that very clearly and why the experience was so creepy. And then that same day I start seeing advertisements for many of the co-working spaces in the area that came up in that discussion. Sure, it could be a coincidence, but it's not the first time I've had that happen with a similar context.
I think the example another person gave is almost just as creepy -- your friends influencing your own advertisements. That means that what your friends are searching for, private (embarrassing) things, could potentially leak over to you.
I'm pretty aware of the fact that if I go looking for socks, I'm going to start getting sock advertisements on almost every page I go with advertisements, on both Google and Facebook. I don't find that creepy, just dumb and ineffective because it usually starts well past the time I already bought the socks.
Off the top of my head, it could easily be the case that Facebook is:
1) Aware of construction happening close to your place of employment (in any number of ways that doesn't require any super advanced knowledge)
2) Knows that people usually start to get fed up with construction noises after X days
3) Started showing you popular co-working spaces as a result
Or, as you noted, your co-workers started searching for co-working spaces and Facebook picks up on that and assumes something is happening in your office such that other people might also be interested in co-working spaces. Creepy, sure. But doesn't require clandestine recording and parsing conversations.
Or, even simpler than that: I see WeWork advertisements all the time despite never discussing them. It's not really that insane to think that places like WeWork might just be targeting your demographic and that's why you saw the advertisement.
Anyway point being, none of these explanations require Facebook to record you.
The point of the article is you should be even more paranoid about what Facebook has without your microphone.
With the amount of data that's floating out there about you and your friends, these coincidences are way, way more likely, and are very reasonable if you think about it.
Your friend told you about some restaurant, and then an ad shows up on Facebook.
Why is your friend telling you about it? Maybe he went there recently enough? Maybe he gave the restaurant a review? Maybe the restaurant has a list of people who've been to the restaurant before and is using Facebook ad manager to target those people and their friends? It's on his mind, so maybe that's causing him to leave enough breadcrumbs behind to make Facebook have an inkling of his interest, and you're his friend so Facebook knows to perhaps nudge you as well. And maybe Facebook actually has some idea that you and that person are meeting (yay geotracking!)
Now add a prediction system driven by deep learning models that are terrifyingly good at finding signal with a decent dose of probability (think of all the conversations you've had that didn't result in eerie advertising), and you've got yourself a frightening reality where a company doesn't need your thoughts to make a decent guess about what you're thinking.
Frankly it might not even be this complicated. Maybe your network searching for or purchasing things is enough for Facebook to guess you're a decent candidate for the ad too, and you guys just happen to meet up on the same day.
I’ve wondered that, too. Their denial is suspiciously specific.
In a personal experience that made me wonder if FB was listening through my phone, the item was a friend suggestion.
Yes in America while you are writing a status they use your microphone in a Shazam-like way to suggest things to put in your status. Apparently anyway. Not in America so can't test it.
I did quite a bit of Jailbreak/tweak dev in the past, and I was curious if you could just hook into AVAudioRecorder and show an alert any time it was invoked.
So, I did this sort of thing years ago when I wrote a tweak for the InPulse smartwatch (later became Pebble): https://github.com/brandontreb/inPulseNotifier. I was able to hook into the system messaging, forward it to a custom bluetooth stack (sending it to the watch) and forward the message up the stack to be displayed by the system.
It would stand to reason that the same sort of process would be effective for catching Facebook invoking audio recording. Once you hook into the AVAudioRecorder's interface, you could theoretically observe the following:
1. Open the Audio Recorder app and hit Record - An alert should show to prove your tweak is working.
2. Open the Facebook app. If you receive a similar alert at some point, you could at least prove that FB is invoking the audio recorder at some point without the user's expressed permission.
It's possible Facebook could be using an exclusive method to access hardware more directly, much like how Uber had access to restricted developer debugging tools which allowed them to record the screen even when the app was closed.
If you want to get paranoid... Maybe it can detect jailbreak and do nothing. Or even better, detect jailbreak, use it to detect if there are hooks into the audioRecord interface, if no hooks, record even more with its newfound powers :)
Do you have the hashes to prove that what you tested matches what is actually installed elsewhere?
No, I'm not actually claiming there actually are different versions in the wild. I just find it strange that anybody can make broad claims about what widespread software may or may not be doing. Widespread use of "A/B testing" and forced remote updates should make everyone question the nature of every binary, even when they have the same name (including version number).
Fb's well known for large scale A/B testing though. Isn't it more than possible that the binaries/versions/etc that you tested simply weren't part of the test?
On the Android side, it's not terribly difficult to send a copy of the app to a computer and decompile it. Then you can simply search for any code that invokes the Android function for mic access.
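An added example, not part of the original comment: a small audit script for the search described above. It assumes the decompiler produced smali text plus a decoded `AndroidManifest.xml` (the layout apktool emits); the sample tree, package name `com.example.app` and file names are constructed so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

PERMISSION = "android.permission.RECORD_AUDIO"
METHOD_RE = re.compile(r"^\.method\s+(.*)$")
PATTERNS = [
    # Direct use of the raw capture API (constructor, startRecording, read, ...).
    ("AudioRecord", re.compile(r"Landroid/media/AudioRecord;->([\w<>]+)")),
    # MediaRecorder only touches the mic once an audio source is selected.
    ("MediaRecorder", re.compile(r"Landroid/media/MediaRecorder;->(setAudioSource)")),
    # Class name held as a string constant: a hint of reflective access.
    ("reflection-string", re.compile(
        r'const-string(?:/jumbo)? [vp]\d+, "(android\.media\.(?:AudioRecord|MediaRecorder))"')),
]


def scan_smali(text):
    """Return (kind, detail, enclosing_method, line_number) for each match."""
    hits, method = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        m = METHOD_RE.match(stripped)
        if m:
            method = m.group(1).split()[-1]  # method name plus signature
        elif stripped == ".end method":
            method = None
        for kind, rx in PATTERNS:
            found = rx.search(stripped)
            if found:
                hits.append((kind, found.group(1), method, lineno))
    return hits


def scan_tree(root):
    """Scan a decompiled app directory for microphone-related references."""
    root = Path(root)
    manifest = root / "AndroidManifest.xml"
    declared = manifest.is_file() and PERMISSION in manifest.read_text(
        encoding="utf-8", errors="replace")
    hits = []
    for path in sorted(root.rglob("*.smali")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for kind, detail, method, lineno in scan_smali(text):
            hits.append({"file": path.relative_to(root).as_posix(), "line": lineno,
                         "kind": kind, "detail": detail, "method": method})
    return {"declares_record_audio": bool(declared), "hits": hits}


def build_sample_tree(root):
    """Write a tiny constructed 'decompiled app' used only for the demo."""
    pkg = root / "smali" / "com" / "example" / "app"
    pkg.mkdir(parents=True)
    (root / "AndroidManifest.xml").write_text(
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android">\n'
        '  <uses-permission android:name="android.permission.RECORD_AUDIO"/>\n'
        '</manifest>\n', encoding="utf-8")
    (pkg / "Feed.smali").write_text(
        ".class public Lcom/example/app/Feed;\n"
        ".method public refresh()V\n    return-void\n.end method\n", encoding="utf-8")
    (pkg / "Loader.smali").write_text(
        ".class public Lcom/example/app/Loader;\n"
        ".method static load()Ljava/lang/Class;\n"
        '    const-string v0, "android.media.AudioRecord"\n'
        "    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;\n"
        "    move-result-object v0\n    return-object v0\n.end method\n", encoding="utf-8")
    (pkg / "VoiceNote.smali").write_text(
        ".class public Lcom/example/app/VoiceNote;\n"
        ".method public start()V\n"
        "    new-instance v0, Landroid/media/AudioRecord;\n"
        "    invoke-direct {v0, v1, v2, v3, v4, v5}, Landroid/media/AudioRecord;-><init>(IIIII)V\n"
        "    invoke-virtual {v0}, Landroid/media/AudioRecord;->startRecording()V\n"
        "    return-void\n.end method\n", encoding="utf-8")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_tree(tmp)


if __name__ == "__main__":
    report = demo()
    print("RECORD_AUDIO declared:", report["declares_record_audio"])
    for hit in report["hits"]:
        print(f'{hit["file"]}:{hit["line"]} {hit["kind"]} {hit["detail"]} in {hit["method"]}')
```

A clean result from a scan like this covers only the Java/Kotlin bytecode shipped in the package; capture done from native libraries or from code fetched after install would not appear in the smali.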
Delete Uber for a good reason, such as the fact that ride sharing makes driving unreliable as a source of income. Professional drivers have seen their incomes decrease and hours increase drastically.
The article in question starts out breathlessly accusing Uber of spying on users, only to completely walk back the claim by the end. Just by reading the article alone we see that the permission was granted to overcome a capability lapse in the Apple Watch.
Seems like an insufficient reason to me. Many software developers automate processes which in turn eliminates jobs entirely. It's a little different, but still a case of one person/group benefitting at the cost of another's livelihood.
It is, however when building a mobile substrate tweak, you have visibility / access to the headers of every single system class. One could theoretically hook into any number of audio recording mechanisms (assuming they knew where to look ;) )
The Microphone access switch in Privacy settings is not just to make users feel better – it enforces that the app has zero access to the microphone. If someone has reason to believe that's not the case, they should report it to Apple Security.
The tricky bit is when users give microphone access to the app (i.e. for video recording functionality), but want to verify it's only being used then.
That is the marketing statement, yes. But the technical implementation is somewhat more complex and possible to bypass than your boilerplate comment suggests.
The technical implementation is called the sandbox, and it's a fundamental part of iOS security. Yes, it is possible to bypass the sandbox, but it would involve exploiting security vulnerabilities on the user's device, which Apple offers up to a $25k bounty for. You generally have bigger problems if something escapes the sandbox on your device, though :)
My theory is that a different 3rd party app is listening and that FB/Goog are buying the data without even knowing the 3rd party app is listening. Some of the coincidences could be frequency illusion, but I really don't think so. Some of the coincidences are just too strange.
> On the other hand, Facebook can check (at least on iOS) easily if the device is jailbroken and behave differently.
I'm not 100% sure what's involved in jailbreaking iOS, but I'm pretty sure on a rooted Android you could put measures in place to "fake" results for any root checks the Facebook app would run. You could patch any APIs Facebook could use to make such checks.
Indeed, that's the whole point of having "root" --- to have complete control over the device and what the applications on it see.
It is a bit of a cat and mouse game, but as the long history of software cracking shows, as long as they still own the machine, the crackers always have the upper hand.
But if they decide to do it, I think the best way of action will be some defensive programming around it, with plausible deniability.
I am guessing they are already checking binary integrity etc., also they can probably push code updates from server. So when you put these pieces together, they have everything they need technically.
So, code updates from the server don't matter as we can hook all of the audio recording APIs at a system level. Their _only_ defense IMHO is to NOT do it on Jailbroken devices. You are right, it's super easy to detect jailbroken devices.
If I were Facebook and I were trying to surreptitiously record users via the microphone, I think I would do it by using lower-level hardware APIs rather than high-level Cocoa APIs.
Disclaimer: I don't really know a) if there is some other way to interface with the mic or b) what I'm talking about in general.
I am not an expert in this at all, but I would think they would need special permission from apple; many of these undocumented APIs get your app auto rejected.
My impression was that involved a great deal of trust, and if they breached that trust Apple wouldn’t hesitate to smite them. Recording people’s mic seems like it’s pretty harmful to the iPhone brand... But you are right, this could be happening today, and Apple is giving them too much trust, and the smite-ing is yet to come.
Not disagreeing but this is the hook... facecrook on one hand, you would think would want to save face from a pr perspective. However, on the other they have huge economic incentives to not give af. Given their track record we as individuals assume the best at our own peril.
You mean introduce a traceable side effect in the underlying dll/system-api? Sure that could work (many debuggers do that), but perhaps they are just not using the same API, or just find another way to stream the data without going through the same interfaces (idk, perhaps through browser APIs or they keep recording all the time and just send portions of data which is locally inspected)... it is a good challenge and certainly observing the interruptions hardware could be the right way to go.
On the other hand that is a considerable effort for someone who does not usually work with this part of the stack... would you be able to introduce these changes in an Android OS?
See my response to the other comment about them using private APIs. Basically, we would have to try and guess which APIs they were accessing under the hood.
But you are right, this would def be a considerable effort for someone not in the jailbreaking space. I would love to hack it up, but unfortunately haven't dabbled in JB dev since 2011.
That's why I posted the comment to HN. In hopes it might inspire someone in that space to build it. Might also be worth jumping in the theos IRC channel. For someone with the toolchain already set up and a jailbroken iOS device, the code is actually pretty trivial.
This method would be a waste of time and energy. Just reverse the app and find it out. No need to play it like a binary is a magic black box that's impossible to inspect.
As a thought experiment, such content would likely be encrypted. The request size can give away the content type, but speech-to-text could be done on device, making it harder to guess the contents based on request size (assuming the identified speech would be significantly smaller compressed relative to audio).
Then correlate speaking with CPU usage. Processing audio is always going to have /some/ cost /somewhere/, and likely one we can detect for the time being.
If both of those are true then your concern is of the form "ANY party records audio data and sells it".
Which is why we don't want random apps having permanent mic access. Or permanent anything access. This is why data mining is bad, not just because the party doing the mining can get the data, but because they can sell it to third parties who combine it in unexpected ways to leak data that you really don't want to be public.
Totally agree. Although now might be a good time to raise the issue that "an obfuscated single-line mention buried in a 60-page clickwrap license presented in an 80x4 character window resulting in over 9000 pages of bullshit that you can't possibly realistically read does not 'consent' make".
It's worth noting that the reason security researchers haven't just intercepted the traffic from the Facebook apps to see if it's transmitting voice data is because the apps use Certificate Pinning, which prevents the SSL traffic from being decrypted using the SSL certificate generated by mitmproxy/Charles.
In light of that restriction, what might be interesting is looking at the amount of data transferred by the Facebook app with/without the microphone/location services enabled. (this is a data project I have in the pipeline)
Note that while certificate pinning does make reverse-engineering harder, it's also a legitimate security feature; without it, anyone who controlled a CA (including most major governments) would be able to forge a certificate and use it to spy on users.
Certificate pinning is a hurdle to reverse engineering, but a surmountable one, at least on Android. Since the app is running on a phone where you may potentially have root, you can pick it apart with a debugger and see the traffic before it leaves the phone. This is technically challenging, but it is something that people do sometimes.
Or you can find and replace CA file/string with your own and then do mitm. There is virtually no way app developers can defend against such hacks on any platform owned by user (so, everywhere except on Apple devices).
Well, it turns into a reverse engineering arms race at that point. There's no way they can guarantee anything, but they can throw resources at obfuscating things more.
If you're the reverse engineer and I'm the app author, you find/replace my CA file. Then I respond (or anticipate!) by checksumming the file to detect tampering. Then you respond by find/replace on the checksum.
Then I obfuscate the checksum string. Then you respond by faking out the platform's checksum API so that it always returns true. Then I respond by computing a checksum that I know should fail and verifying that the checksum API isn't just always returning true. Then you respond by faking out the platform checksum API with a whitelist of blobs whose checksum it should lie about.
Then I respond by statically linking my own checksum verification code into my binary instead of calling the platform's. Then you respond by patching my binary to jump around the code. Then I respond by using code obfuscation techniques.
And on and on. Given enough time and resources, any implementation I create can be subverted. But if I'm a huge tech company, I can afford a lot of time and resources too, if I want to. I can't eliminate it, but maybe I can make it something that rarely happens.
> But if I'm a huge tech company, I can afford a lot of time and resources too, if I want to. I can't eliminate it, but maybe I can make it something that rarely happens
The whole cracking scene can afford far more time and resources than any one tech company. All adding protections does is make a more valuable target, because crackers love a good challenge.
"There's always a crack in everything. It's how the light gets in."
Not really. A skilled reverse engineer does not find/replace any certificates, or anything like that. They just debug the app, stepping over all the code, instruction by instruction. There's no way you can beat that. I'm a malware reverse engineer - I work with this kind of stuff every day. And I'm pretty sure there's no 'game': once the binary is in my disassembler, it's over.
> But if I'm a huge tech company, I can afford a lot of time and resources too,
Can? Sure! Would?
Security is one of those things that most people say they care about, but they are really not willing to pay for. Big companies have resources, but they are also in the business of making money, so they will put most of those resources to work on features that produce a ROI. Security is a huge cost center, and even when taken seriously it will be pursued only to the degree that it addresses/mitigates risks enough to conduct business.
It's more annoying than you'd think if your adversary anticipates this and designs around it. Fragments of the CA can be used within the codebase, effectively making you need to pull everything apart and with security canaries and embedded interpreted scripts even if you're getting close you never know if you're still black and if you're still seeing the same thing as everyone else.
Paraphrasing the article, it would be for the server to use undefined behavior in the _authentic_ clients to determine that they were in fact authentic. In this case, a buffer overflow doesn't appear to crash the client, but lets the server know that it's talking to a legitimate client. That's quite clever.
Magisk (Android root utility) has the ability to hide itself very well. Google Pay and most, if not all, banking apps are not able to detect it. It is a cat and mouse game for sure, but so far the Magisk developers are keeping ahead of that curve.
From the point of view of software, it's impossible in principle to tell whether or not the code being executed does what the user wants it to, and only what the user wants it to. Half of that is the halting problem, the other half is that "what user wants" is a General-AI-complete problem. Moreover, the software can't even tell the difference between "the user" and "a malicious third party".
In meatspace we solve this problem with rules and laws. Software, for better or worse, moves around too fast.
I gave it a thought, and decided I don't need apps to be able to obtain highly elevated privileges, root or similar. This is, indeed, dangerous, esp. regarding ADB root access (a rogue "charger" + an accidental wrong tap[1] = totally compromised device that can be only fixed by full re-flashing). I needed my own firmware that does things my way, signed with the keys I control.
So I did. Now all the "secure" apps are happy, and I still have the control over my device's behavior.
( Okay, I've cheated - I had to sanitize androidboot.verifiedbootstate when kernel initializes, because I can't control the bootloader :( )
[1] Hm, maybe password-authenticated root access is okay, though... But not a typical "tap to allow" dialog.
Facebook already has plenty of issues with people not trusting them. Lying about this and then being caught red handed would be devastating from a public opinion perspective. Even if you assume a completely amoral team that cares about nothing but ad revenue, do you genuinely think they’d risk something as dangerous as that? Especially given how much you can still achieve with the data that is known to be collected?
It would likely be a blip in the news, and then people would move on, as usual.
Remember the Sony rootkit fiasco? People still buy Sony, and most people probably either never heard of that incident, don't remember, or don't care. Buying whatever the new Sony gizmo of the day is is more important to them.
Microsoft has had endless spyware fiascos, and people still routinely buy Windows, as long as they can play their games or run Office, that's all that matters to most of them.
Then there have been scandals like Enron, where the execs knew that they were doing something that was clearly illegal, and that their company really would be devastated if what they did was ever revealed. These "smartest people in the room" did it anyway.
Corporate history is full of just such deceptive and destructive practices. I'm not sure I'd put Facebook above that sort of thing, a priori.
I remember when some news broke about Facebook doing something or other a year ago and the common response seemed to be to make an official sounding wall post saying "I do not give Facebook the right to do X with my data", sort of like Michael Scott yelling "I declare bankruptcy!"
I can see that happening again with voice recordings.
True. At the same time, there are pretty solid rules against recording the audio of someone's conversation that would be unambiguously illegal and allow for actual prosecution.
But it's an interesting question: if someone credibly proved that FB was "wiretapping" on such a massive scale, would they get prosecuted? How much could they do in their own defense? Are they so enmeshed that prosecutors wouldn't bother?
Feels like a case of "unstoppable force meets immovable object".
Speaking of badware: last week I found McAfee installed on the laptop of a relative that I manage. He assured me that he had not installed it himself (I had not installed anything actually). Could it have come from Windows updates?
No, Windows Update doesn't distribute third party software. And even if it did, MSE is technically a competitor to McAfee so there wouldn't really be a solid reason to distribute it.
Your relative probably installed something and pressed "Next" through all the dialogs including the ones asking if they want to install super helpful bundled software.
McAfee comes packaged in the installation of some other software, e.g., Java, where it can easily be installed by mistake if you aren't paying attention.
I've met a lot of people outside HN who believe FB is listening to their conversations through the mic. I haven't yet met one who has stopped using it as a result.
I think you wildly overestimate how angry users get about privacy violations. For examples, Target, Yahoo, Home Depot, and Equifax have not been screamed into rubble.
I can see someone having to install the uber app... but having to install the facebook app? just use the web app... that might be possible with uber too but I'm not sure because I don't use uber
> being caught red handed would be devastating from a public opinion perspective
For what it's worth, this public opinion backlash has not appeared with other companies: "Of course we're not working on leaked project [x]". "Look at project [x] we're working on!"
Even Facebook's own under-disclosed psychological experiments have been largely forgotten; Facebook has suffered few if any long-term ill effects from it.
The psychological experiments scandal was a nothingburger from the start. Facebook is not an academic research institution. They already operate with user's consent. Every business that engages in advertising or product design is performing psychological experiments.
Their customers love it, and with customers I mean advertisers. For users to leave there must be somewhere to leave to. And there needs to be another business model that does not depend on marketing. Maybe selling actual hardware, with built in social media.
in the current climate, getting caught doing anything just means you have to slime your way out of it, rename/rebadge the activity and then carry on when the attention goes somewhere else.
is uber still the most hated company or has the magnifying glass moved onto somewhere else?
"which prevents the SSL traffic from being decrypted using the SSL certificate generated by mitmproxy/Charles"
There are some shady companies out there [1] that use the mic to listen to what shows are being played real time. [TVs in the US are on all the time] (Check out their customer list). These companies need this pinning.
Couldn't someone just patch the binary to accept a different certificate? Or for that matter, read the decompiled bytecode and figure out if the app is listening? Or run a patched Android that logs all microphone API calls?
I suspect I'm overlooking something, as surely some security researcher would have done some of this already.
Certificate pinning is relatively easy to disable on jailbroken iOS devices and rooted Android phones. I'm not highly technical and I did it myself to sniff Snapchat traffic 2 years ago. Any half competent security researcher should be able to do this trivially.
While certificate pinning is annoying, it's just an obstacle, not a roadblock. I haven't met a security researcher that mentioned this to be a prohibitive feature.
There are a couple of ways out, from reverse engineering the binaries, through jailbroken/rooted phones, running apps in simulators, etc.
Facebook recording voice data and transmitting to their servers in the US is not only highly illegal in most parts of the world it's also unacceptable to basically everyone. At some point it would have been leaked internally.
The idea that Facebook is doing this is just ridiculous.
^ actually, IMHO the fact that you assume that "The idea that Facebook is doing this is just ridiculous." is what is ridiculous.
Some companies do "highly illegal" things all of the time. It all comes down to the fact that whoever is in charge:
1) doesn't hold to a moral system that restrains them from doing said illegal things (or at least doesn't hold to one consistently)
and
2) thinks they can do said illegal things without getting caught, or if they are caught, thinks they'll be able to recover reasonably well from any punishment (if there is any) that is handed down.
Personally, I do not know whether Facebook is recording/transmitting data like this, but I guess if I found out they were, I would not be surprised -- given the things the company has done in the past, and the things their leadership has said and done in the past.
I suppose you don’t see things of this scale often but I would argue that big things like this are happening all the time. I was watching recently some interviews from 2005 about the justification for the US invading Iraq in 2003, and the disparity between what the public was told about WMDs and what the security community believed was maybe on a similar scale (depending on how you view privacy and war). And then the people who made decisions that led to the 2008 financial collapse were doing things that hurt people on what you may consider a similar scale, depending on how you view robbing people of their wealth versus robbing them of their privacy.
Facebook invading our privacy by recording persons of interest or the people en masse would be horrible and in many ways unprecedented, but it wouldn’t be beyond the levels of abuse we have seen from powerful people in the past. I can easily imagine that the app supports hot mic capabilities and that they do turn it on sometimes at least at the request of law enforcement. And then the question is... when else would they turn it on? And would that program ever grow? Would they ever fork the program so each team involved thinks they're working on a small project? This is all speculation but I can imagine a situation where it starts small and then grows until it seems like an insane program but everyone involved is accustomed to it.
Most of the analysis done about this controversy boils down to Facebook not listening because they can buy or otherwise obtain data that is more effective.
When you read their responses to this controversy, pay more attention to what they don’t say. Whomever aggregates your viewing habits by listening to audio from your TV may be listening, for example, Facebook just Hoovers up the data.
If the speech recognition is done on the device, the amount of data could be very small indeed. If I was to do this, what I would do would be to defer the heavy lifting of speech recognition (if it caused any significant load on any of the chips) and perform it in the background, later, when the device is known to be plugged in to power. That way this kind of work would not be impacting the battery. I don't think looking at the amount of data is going to tell you much unless they have done things in a spectacularly stupid way.
Speech recognition is quite compute-intensive and the load of running it on the device would be obviously detectable - not necessarily by random users, but definitely by any security researcher who'd care to do so.
Also, storing the data until it's plugged in would require an unusually large amount of storage, and that would be detectable.
I was replying to a commenter who was proposing to inspect what was being sent over the network, if you'll just read what they said.
That aside, speech recognition isn't that heavy of a process these days if all you're looking to do is extract keywords. We used to do industry-leading large vocabulary continuous speech recognition on a Pentium 133... phones these days are way beyond that without breaking a sweat. Detectable? Sure. But remember, I was talking about this person's plan to look at network data.
Furthermore you don't need to store all data. You can store only when the phone is hearing stuff, as determined by a super lightweight measure of magnitude that does no speech recognition whatsoever. Is the storage detectable? Sure. But again, what was I responding to? Network traffic monitoring.
Considering that certificate pinning protects hacked user devices from making insecure communications, it would completely defeat the point if the user could disable it.
Wouldn't it be possible to crack an app (decompile etc) to disable Certificate Pinning? What comes to my mind also is a debug to obtain TLS master-secret then one can decrypt encrypted stream post-factum (Wireshark accepts master-secrets).
You could vary the complexity to encode the sounds you input (silence, pure tones, white noise, psychoacoustically weighted white noise, etc.) to prove that they're transmitting them.
The browsers are moving away from certificate pinning. The apps aren't, as they control both ends. If I made a Facebook replacement today I'd do it too.
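One way to analyse the two traffic measurements proposed in the comments above (upload volume with the microphone off versus on, and with inputs of differing compressibility), as an added example that is not from any commenter. The byte counts, condition names and function names are constructed for illustration; the test is an exact one-sided permutation test on per-session upload totals.

```python
from itertools import combinations

# Constructed per-session upload totals in bytes, one list per condition.
# In a real run each number would come from a capture on your own router or
# VPN interface for a fixed-length session; pinned TLS hides content, not size.
SESSIONS = {
    "mic_off":     [40210, 41900, 39550, 40870, 41320],
    "silence":     [41200, 39800, 40550, 42010, 40100],
    "white_noise": [58800, 61020, 59500, 60210, 57990],
}


def permutation_p_value(baseline, treatment):
    """Exact one-sided permutation test.

    Returns the fraction of ways to relabel the pooled sessions in which the
    'treatment' group uploads at least as many bytes in total as it did in
    the real labelling. With fixed group sizes, comparing sums is equivalent
    to comparing the difference in means, and keeps the arithmetic exact.
    """
    pooled = list(baseline) + list(treatment)
    n_treat = len(treatment)
    observed = sum(treatment)
    hits = total = 0
    for idx in combinations(range(len(pooled)), n_treat):
        relabelled_sum = sum(pooled[i] for i in idx)
        hits += relabelled_sum >= observed
        total += 1
    return hits / total


def compare_to_baseline(sessions, baseline_name):
    """p-value of every other condition against the named baseline."""
    base = sessions[baseline_name]
    return {name: permutation_p_value(base, values)
            for name, values in sessions.items() if name != baseline_name}


if __name__ == "__main__":
    for name, p in compare_to_baseline(SESSIONS, "mic_off").items():
        print(f"{name:12s} vs mic_off: one-sided p = {p:.4f}")
    # Incompressible input (white noise) versus silence, mic enabled in both:
    p = permutation_p_value(SESSIONS["silence"], SESSIONS["white_noise"])
    print(f"white_noise  vs silence: one-sided p = {p:.4f}")
```

A small p-value for white noise against silence would indicate that upload size tracks the audio input. A large one does not rule out on-device recognition or deferred, batched uploads, both of which are raised elsewhere in this thread.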
> just how adamant people are about FB spying via mic
I'm of the opinion that it's easier for your average Jane/Joe to believe (and maybe even preferable to believe) that someone is listening and responding to your words than a computer piecing together a picture of you from unrelated clues via some nebulous "machine learning algorithm".
Anybody can listen to your words and advertise to you based on them. It is, on the other hand, not feasible for a human to look at a stream of unrelated posts and figure out that you're pregnant.
A lot of it is confirmation bias as well. People will remember when an ad is creepily relevant, but they don't remember the dozens of times they were completely irrelevant. It's like when my friends made me watch Stranger Things, it felt like Stranger Things references suddenly started to appear everywhere on the internet.
Confirmation bias and the Baader Meinhof Effect. I've talked with friends about topics I didn't know about before. Then I got fitting ads about it on my phone. I wouldn't have noticed these ads if they weren't fitting. It seems more creepy because it's new to me (consciously).
Humans tend to anthropomorphize - "my printer hates me" etc. It's simpler to think the thing listens than figure facebook included javascript tracking code along with the like button on some independent website that they visited an hour back. Even I have a job figuring what script did what.
My beef was more with google, but my isolated instance of this was pretty damning. I started watching Meet the Press after the election. It airs on Sunday mornings. One day though, it was pre-empted by a golf tournament, I forget which, maybe the British open. I never ever watch golf. I have been golfing maybe once, never search for it, never talk about it, have zero interest in it.
I think I got distracted, or maybe since my show wasn't on, I just decided to go shower, and left it on for a bit. The next week, I start getting notifications about golf on my phone.
There are two possibilities here- Verizon (my cable provider) is making data available on what I watched to google, or google is using my microphone to pick up what I am watching on TV. I don't know which is more likely, but VZ and google having a partnership like that and keeping it secret seems unlikely.
Is it possible that Google would know that you watch Meet the Press (generally)? That coupled with knowledge that it was replaced by the golf tournament (either from TV listings or an influx of people searching "Meet the Press" + "golf" to find out why it isn't on) _might_ explain it without Google/Verizon specifically tracking that individual event.
I think that's definitely the class of behaviour we're seeing. In general people don't think in terms of second order effects (or anything more abstract). Even if they do understand the concept, they will still prefer to believe something simpler.
Telling people that doing A and B leads to C which leads to D which makes E more likely to happen is just a bunch of gibberish that can't be right because who can you blame?
I might have believed that too, except I know about data profiles and ML, I’m a programmer and can think like that too, and yet I’m still convinced by the examples my wife and our friends personally encounter that there’s no better explanation than that FB is spying on us via the mic and using it to target ads to us.
Don't you think it's more likely that they just aren't noticing the ad before it is relevant? I mean, how often do you really notice an ad anyway?
That being said, perhaps the ads are doing their job and planting the idea for that particular product. You then bring it up in conversation or mention it out loud. Then, when you return to facebook later, you see the same ad again and due to its recent mention, it jumps out at you.
No. We've definitely mentioned out loud things we've never searched for or even entered into a phone or computer, either before or afterwards, and they've shown up in our ads within hours. It's happening at least once a week now. I'm confident it's not any kind of cognitive bias, and that it's just FB spying on us through our mics.
jjeaff didn't say you searched for or entered it into your devices, but that it might have been the devices themselves that first made you think about those topics.
There isn't strong evidence either way that Facebook is or isn't listening in on the mic. Considering they spy on everything else, and they've exhibited plenty of sociopathic behavior, it's reasonable to assume they listen to audio surreptitiously until proven otherwise.
Once again my point is we don't know, and based on past behavior it would be prudent for you to assume they do if for whatever reason you don't want to be listened to. I was responding to the unsupported assertion that Facebook is not listening to you.
If you only use direct evidence to come to conclusions and toss out theories and deductive and inductive reasoning you won't be able to function in this world.
But there's lots of things we don't know. Just because I think Facebook is creepy and advertising-crazy, doesn't mean I can just make up claims. You have to come to the table with at least a little bit more than just not liking FB and superstition.
If someone beats you up every time you interact with them, it would be fair to fear for your safety before you knew for sure that they would attack you the next time you saw them. It's not just "not liking" your attacker.
Correct. It’s fair to be wary of them in general.
But it wouldn’t be fair to say that they rape girls in the alley, or throw up your hands and say “look, we don’t have much proof either way!”. It’s a completely baseless accusation that makes it harder to talk about real problems.
This is the same sort of flawed logic as people who won't take a breath without a peer reviewed study saying air is safe. Personal decisions are not the same as the legal system.
They explicitly talk about that in the episode though - the reality of Facebook buying all this credit card and shopping history data might actually be creepier than them listening to your mic.
Something to note as you listen is that people convinced they're being spied on are mostly amused by it. They don't sound outraged or frightened at all.
Which is a little surreal. I think I get the same way though. It really freaks me out, but there's not much I can do about it, so I'll laugh it off. I don't use social media (although I'm still on Reddit), and I still feel this way.
Funny how they're adamant that Facebook doesn't utilize microphone (while they still don't really know themselves). Why is it laughable that Facebook is using both the FB Pixel, microphone, and other technologies to spy?
Hey Facebook, if you got nothing to hide, show us the code.
We showed you our friends, our relationships, our interests, our intimate and disarmed states, our rants, and probably half of the websites we visited. (in retrospect, that was dumb)
Oh, your tin can and strings might show? Competitors might get ideas? Please.
Until then, not a fan of you, not clicking on your ads, and generally avoiding your site. In fact I think I'll start deconstructing my profile as soon as I can muster the courage to choke back my gag reflex.
Sincerely,
A growing group of mugged social network burnouts.
Can you? I was under the impression that perfectly reproducible builds were still very much a hard and open problem.
Furthermore, I believe that the Facebook app codebase is massive in scope and highly illegible due to most of it being auto-generated from other codebases. It has over 18,000 classes on iOS. The odds of anybody being able to meaningfully audit that are pretty low.
Which code ? Server side code is unreasonable to expect. For client code, you can just use the browser. It may not be as convenient or full featured as the app, but it'll do the job if you absolutely must use FB. The situation is much better with stuff like FB which is not that essential. It's more problematic with Google Maps, where you can't get turn by turn navigation unless you use the app.
Honest question: why would it be unreasonable for us to expect server-side code to be open-source? Facebook's value lies in its brand and its infrastructure, not in its code, so there's no risk of upstarts taking Facebook's code and standing up a clone (which, even with the code, is way easier said than done).
First let's talk about value, because it is relative for different audiences (and my take is obviously not canonical either). For Facebook's users, the value is primarily the network. For Facebook's partners, the value is converting sales from users engaging with advertisements.
Facebook must offer enough to the users that the network is still worth coming back to while still giving advertisers a chance at having their eyes. A major breach could cause user and partner abandonment because of security concerns. Once the genie is out, there is no putting it back in. Their stock will fall faster than they can rewrite the product.
It is unreasonable for us to expect open-source for server-side code because it exposes Facebook (and potentially its users) to a lot of risk for only a small upside.
1) While open-source software has myriad benefits, those benefits require the public at large to audit their code as it is being continuously changed and deployed. Can we keep ahead of the criminals exploiting freshly merged and deployed commits?
2) Knowing the source code is one half the battle, the other half is knowing what is actually executing at runtime. How would users verify this to get the value of open-source?
3) Open-sourcing server side code of Facebook could have serious negative consequences for users or Facebook in the event of a breach due to intimate knowledge of the system only afforded by being privy to the source code.
Not a point, but a philosophical question:
*) Where does this stop being virtuous? Should Microsoft open-source SMB tomorrow? Would you feel comfortable with that?
Because it would highlight all the things they do which users would find unsavory. Rather than e.g. just speculating about what facebook does with our mic, we'd be able to point to where they do it in the code.
Agreed. I've only been using facebook through my phone's web browser and (at least for what I do) it's totally fine. Is there something the app gives you? Maybe for folks who use messages or want notifications...?
>Maybe for folks who use messages or want notifications...?
Yeah, at some point they blocked the mobile browser from working with messages. I think you can circumvent it by changing your user agent string to a desktop browser.
How is it fishy? Native app delivers a 'better' experience and lets Facebook do the things that make you (supposedly) use it more, like push notifications and location tracking, sharing photos + videos, etc.
The claim of the article is that it would be technically infeasible - and they go into how difficult it is to interpret context. However simple keyword matching would be more than enough.
Facebook has a lot of compute resources, but they wouldn't have to use it. Your smartphone is more than fast enough to do simple speech recognition. The accuracy rate wouldn't have to be that high - you won't get mad if you see an ad for a misheard keyword.
I was thinking the same thing. Also not claiming to have any real idea of as to what they are actually doing but certainly having access to everyone's phone gives them a ton of distributed computing power for free.
>I was thinking the same thing. Also not claiming to have any real idea of as to what they are actually doing but certainly having access to everyone's phone gives them a ton of distributed computing power for free.
Only if by "everyone" you mean people foolish and vapid enough to use Facebook and give them access to your phone.
Radioshack sold a voice recognition chip in the 80s[1] that was a simple 8-bit microcontroller. If you are willing to slip on the accuracy and false positives you can do recognition with very little computation.
The downside was power usage. Motorola made one that was power efficient, used by Nokia in the 90s, and it's pretty much the same chip in Google's phone line today (just even more power efficient).
The Google Now only listens for the trigger phrase when idle - which is done all locally, without needing to talk to the servers.
It has a battery impact but much less than sending all the voice data continuously to a server somewhere. The biggest battery killer would be the wifi or 3G transmitting non-stop in that case.
It wouldn't have to transmit non-stop -- it could do some parsing/cleanup locally, then queue it up and upload it periodically with other, expected FB traffic.
Ad is easy. You don't have to understand context. Just listen for a thousand or so keywords related to products that are paying you. Then if detection happens apply some rudimentary sentiment analysis on the surrounding phrase and that's all you will ever need.
If you have a couple millions for me to start a small team we can offer this as a service next month or two.
If somebody wants to definitively answer this, there's no reason you couldn't just say random advertising related words in front of your phone (1 per day) and check how many come up in your search. There are basic statistical methods to establish if the results can be explained by chance.
This would have the upside of not requiring any reverse-engineering.
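The experiment proposed in the comment above, sketched as an added example (not the commenter's code): keywords are randomly split into a spoken set and a never-spoken control set, ads are logged, and a one-sided Fisher's exact test asks whether spoken keywords show up in ads more often than chance allows. The keyword list, ad log format and function names are assumptions constructed for illustration.

```python
import random
from math import comb

# Constructed candidate keywords: products the tester has no prior interest in
# and has never searched for. No keyword is a substring of another.
KEYWORDS = ["cat food", "kayak", "espresso machine", "ski boots", "drone",
            "hammock", "treadmill", "telescope", "pressure washer", "ukulele",
            "beekeeping kit", "pizza oven", "sewing machine", "snorkel",
            "metal detector", "pottery wheel", "air fryer", "trampoline",
            "chess clock", "bonsai"]


def assign_keywords(keywords, seed):
    """Randomly split keywords into a spoken half and a control half.

    Letting a seeded RNG choose (rather than the tester) keeps the tester's
    own interests from leaking into which words get spoken.
    """
    rng = random.Random(seed)
    shuffled = list(keywords)
    rng.shuffle(shuffled)
    half = len(shuffled) // 2
    return set(shuffled[:half]), set(shuffled[half:])


def tally(ad_log, spoken, control):
    """Build the 2x2 table from logged ad texts.

    Returns (spoken_seen, spoken_unseen, control_seen, control_unseen).
    A keyword counts as 'seen' if it appears in at least one logged ad.
    """
    seen = {kw for kw in spoken | control
            if any(kw in ad.lower() for ad in ad_log)}
    a = len(spoken & seen)
    c = len(control & seen)
    return a, len(spoken) - a, c, len(control) - c


def fisher_one_sided(a, b, c, d):
    """One-sided Fisher's exact test on the table [[a, b], [c, d]].

    Probability, if speaking a keyword had no effect on ads, of at least
    'a' spoken keywords landing among the (a + c) keywords that were seen.
    """
    n_spoken, n_control, n_seen = a + b, c + d, a + c
    denom = comb(n_spoken + n_control, n_seen)
    upper = min(n_spoken, n_seen)
    tail = sum(comb(n_spoken, x) * comb(n_control, n_seen - x)
               for x in range(a, upper + 1))
    return tail / denom


if __name__ == "__main__":
    spoken, control = assign_keywords(KEYWORDS, seed=2017)
    print("Say one of these per day near the phone:", sorted(spoken))
    # Constructed ad log: pretend ads matched 8 spoken and 1 control keyword.
    ad_log = [f"Sale: {kw} deals near you"
              for kw in sorted(spoken)[:8] + sorted(control)[:1]]
    table = tally(ad_log, spoken, control)
    print("table:", table, "p =", round(fisher_one_sided(*table), 5))
```

Logging every ad and matching it against both sets afterwards, rather than watching for the spoken words, is what keeps the count from depending on what the tester happens to notice.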
Yeah. For example, if you don't own a cat, you could just talk about cats and brands of cat food in front of your phone for a while. If you end up with a bunch of ads for cat products, then that would be seriously weird.
* Own a cat, dog and other animal
* Have between $100k- $999k liquid investible assets
* Have a net worth between $1 and $1m
* Am highly affluent
* Am a high spender
* Am a frugal spender
* Own a house
* Have multiple families
Yet none of these are true (well, I guess apart from the 'has income' demographic I'm in).
I know Twitter isn't known for being an advertising powerhouse (esp. compared to Facebook), but I wouldn't take too much stock in Facebook serving me up irrelevant ads.
I moved to the other side of the world 2 months, updated my "living" location on Facebook and have been tagged at multiple locations in my new city, yet Facebook still serves me ads for buying an iPhone or Car back in my home town.
Wouldn't this still be subject to confirmation bias? As in: you'd be more likely to notice advertisement that is related to a word you pronounced recently, since you would be training your brain to look carefully for these words.
I don't have a link right now (youtube though) but I saw a couple do this with 'cat food' and it ultimately resulted in a brigade of ads despite not owning a cat.
I've seen stories where people could not explain why they were suddenly seeing certain ads in their feeds, and they thought Facebook had recorded some keywords from a conversation.
For example one guy had a buddy who had recently purchased a certain motorcycle, and all of a sudden he started seeing ads for that motorcycle.
But... really there's a simpler explanation than the microphone. Although of course it doesn't by itself rule out the microphone being used.
Facebook can just see when you are in the same location as some other people, and see what things those other people are into, and then signal whatever ad networks that you might also be a prospect for those things. Visit your buddy and see his new bike? Start getting ads for the same bike. No audio needed, just location services and some posts on FB from your buddy about his motorcycle. And there are other sensors beyond that. A lot of things are possible once the user has granted permission for use of various inputs.
Also if it is the microphone as the story suggests it could be in some cases, the evidence for it being any one particular app is thin. There are other apps that get granted microphone access by users all the time, and some of them should be looked at, not just Facebook. Not to defend Facebook here, but the net should be cast wider than just one app, even if the ads are appearing on Facebook, which itself is perfectly capable of gleaning interest information from multiple sources including other ad networks fed by other apps.
I'm not surprised. Facebook tracks browsing habits and uses it to share advertisements with your friends.
I've shared this story on HN before; this was what I experienced from 2016ish:
I saw an ad buried in my facebook feed to "buy Gallium and Bismuth metal in Australia". I thought it was an oddly specific ad so I made a joking post about it - turned out several of my friends were seeing the same ad.
A common friend we all shared who is a high school science teacher spoke up. He explained his class was studying the periodic table and he had purchased samples of Bismuth and Gallium online to show to the class.
I'm absolutely convinced the only reason my friends and I saw that ad was because we all shared a friend who was searching for this stuff online.
That level of surveillance is really creepy to me...
Definitely by IP address. I proxy all traffic for a family member in Central Europe and hilariously enough I get ads for “local” nightclubs that are thousands of miles away from me (east coast US).
What’s funnier is when google decides that it needs to localize my search results for that country. So there is a lot of tracking that assumes all traffic from a single residential IPv4 address is somehow correlated.
IP address, or if you have any shared accounts you could have a cookie identifying you as the same user. Ads also target connections of people who're interested in a product so you could get the ad from being friends/following someone who watched the videos. The ads will find you.
Even if FB/Instagram knows my wife and I share an IP address or there were both FB/Instagram and Google cookies on the same browser where I searched for Meow Mix, how would Instagram know my Google/Youtube history?
That's easy. The ad network that serves you ads on YouTube also serves ads on Facebook. They have a profile of you that connects your facebook and google accounts.
I hate Facebook, but I don't think the example you gave is accurate. Both your searches would only be recorded by Google. And why would Google share any of it with Facebook?
The only way the data could have gone over is through a malicious browser extension.
The last thing to install on one's phone is the FB app - technically one gives up all privacy. If you need to use FB then stick to the browser and clear browser data afterwards.
Yes but there's a gap between "can be audited" and "is being audited". If they got caught doing anything malign they can just pull the "oooops we didn't mean to" defence as they've done before[1] - their track record here says "if we can find a way, we're at least going to experiment with it"
Also consider this in the light of recent EU rulings on Facebook's tracking of non-users via the Like button on websites being an illegal violation of privacy[2]. As usual the law lags the technology by many years - was the EU even aware of the Facebook mobile SDK being widely installed in many 3rd party apps when they made this ruling? (edit: reading the report from the University of Leuven it seems they were at least aware of the implications of things like Facebook's Mobile Advertiser network)
When I was still on Facebook, I used a 3rd-party Facebook app alternative. I forget which one exactly, but I distinctly remember being impressed that it barely needed any permissions.
Sidenote: this applies to 3rd party apps. Let's remember Apple vs. Google is very real, so playing the privacy advocate is not only good marketing for Apple, but also allows them to interfere in Google's ability to track users like this.
Ad blocking is another example; allowing it in iOS was probably a strong blow against Google.
Apple can and does collect a lot of data from your phone. Their business might not rely as much on individual targeting, but they still want to understand users as much as possible and have the means to do so.
Apple was involved in a very controversial case in 2011 [1]. IIRC, the resolution involved nothing about them claiming that tracking user location without their consent was bad, and focused only on the fact that the data was easily accessible by 3rd parties.
In fact, they still collect tonnes of data from phones, but now they're more careful about the data not being user-accessible. A few quotes from the link you posted to their privacy policy:
> "We also collect data in a form that does not, on its own, permit direct association with any specific individual."
The "on its own" sounds a little scapegoat-y tbh.
> "We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used"
You can learn and infer a lot from those vectors. Towards the end of the paragraph they also mention that they use this data, amongst other things, to deliver "better advertising".
> "We may collect information regarding customer activities on our website, iCloud services, our iTunes Store, App Store, Mac App Store, App Store for Apple TV and iBooks Stores and from our other products and services. Aggregated data is considered non‑personal information for the purposes of this Privacy Policy."
Ofc.
> "We may collect and store details of how you use our services, including search queries. [...] Except in limited instances to ensure quality of our services over the Internet, such information will not be associated with your IP address."
Ensuring "quality of services over the Internet" is _incredibly_ broad. For a company like Apple it could apply pretty much to anything tbh.
A lot of people don't know Apple collects all this data; and part of it is probably the fact you can't disable this collection. Only App usage, the one that might also be shared with 3rd party devs, is optional.
Thinking Apple doesn't take part in Google or Facebook scale data collecting because they sell phones and not ads is not only inaccurate (they do sell ads), but also a little naive. Data is very valuable. I'm not saying Apple doesn't care about privacy; their business model relies less on individual targeting than Google or Facebook, but they're also in on the game of understanding users as much as possible, and given they control the phone they're in very deep.
I know we are all really concerned about privacy but we need to take a step back here for a second. Facebook will continue to show you ads - that will never stop. By following what the author mentions in his article, all that will happen is that you will see less relevant and useless ads. Would you rather less ads which are useful or those which are completely disconnected from what you want? I have discovered some really nice SMB stores via FB ads - that would have never happened otherwise.
Good luck to the author as now he will see generic AT&T and Galaxy S9 ads. Privacy has its costs and one should make an informed decision either way.
It might be just me, but I'd rather see irrelevant ads like on TV which don't have that much power influencing my decisions on what to buy and what not to buy than a really targeted ad which makes it almost impossible to resist spending my money on something I really don't need but just want.
In that case, you should follow the author's steps. I personally love the ads which FB and Google show - they are well targeted and look nice and some of them are very influential which I think is a good thing. Otherwise, I will still see ads but they aren't that helpful and just take up space.
Let me give you an example. While I was furniture shopping for my house, FB showed an ad of a nice boutique furniture store which opened less than a mile from where I lived. Since this was a new store, it had no Yelp reviews and had no word of mouth references. I visited the store and absolutely loved and bought a number of large items from there. I believe this is a positive development and these ads, at least to me, are a lot better than some of the non targeted things I see.
> Would you rather less ads which are useful or those which are completely disconnected from what you want?
You're making the common mistake of assuming "targeted advertising" means targeted to what you want. The point is to allow marketing to target specific groups. Any overlap with your interests is just a coincidence.
Yes, that's included in what I said. Facebook already decides which posts it will actually show you from the feeds you have explicitly subscribed to. Do you really believe they don't do the same for ads?
You are not their customer; your interests matter only to the extent they provide more data points advertisers can target.
You're being shown the content (ads) that people pay FB to show you. If that's what you consider "best", I suggest that you might want to do more research into how modern advertising works. Hint: ads represent marketing budget, not which product is "best".
So the alternative is stop FB from targeting you so that you get less relevant content?
I spend >30min of my time on FB. As long as I find relevant content (which includes ads) I am good. I am not saying FB is the best source for all to find content but I do like to see updates from my friends and pages I follow and if relevant ads are sprinkled in between, I am a happy user.
Either you don't understand that FB isn't trying to target your relevant interests (they target you based on the categories[1] advertisers choose to target), or...
> I spend >30min of my time on FB [...] which includes ads
you are so entrenched in consumer culture and used to having your opinions manipulated by marketing departments that you no longer recognize the difference between "relevant content" and attempts to "nudge" your behavior in specific directions. I suggest taking a break from the internet/media/ads for a couple weeks.
Drove by a scion iM in a parking lot one time.. and I said out loud "Scion iM? What the heck is that?" -- ads on IG and FB for Scion iM when I got home 20 minutes later. No search, no associative info, no dealer info... I simply said it.
I've had quite a few of those, and usually I can trace it back to me googling something, etc. But this time, nada.
I'd blame this on confirmation bias - there must be dozens if not hundreds of times you use or mention a product every day that you don't notice ads for, but the rare time you do, it reinforces the belief that they are reacting to what you said.
It could very well be, but do you know what kind of evidence you would have to see to conclude that FB is listening? Otherwise you're just making a fully general argument against the possibility of this (or any such scheme) happening.
Side anecdote: One weekday after I vacationed in Tahoe, I saw a BART (subway) ad for Tahoe, and I was like, "oh, great, probably because I just came back from ... wait, that's not possible!"
> but do you know what kind of evidence you would have to see to conclude that FB is listening?
Any one of:
* OS-level confirmation (permission entitlements, cpu usage, etc)
* Packets resembling sound data being caught in flight.
* An internal leak of the method they'd be using to do so from one of three of the largest tech employers. Not even Apple can keep their secrets secret, and they're probably the most paranoid tech company in existence.
You know, literally anything concrete, rather than evidence-free accusations based on fallible memory.
So far, not one bit of these instances can't be explained by a combination of Baader-Meinhof and confirmation bias, with a mix of plenty of non-audio data that Facebook no doubt has. People are so willing to paint FB as this boogeyman that they're disregarding basic logic.
>* Packets resembling sound data being caught in flight.
Not even necessary. You could do keyword recognition on the device itself, pushing a list of keyword<->waveform maps, and sending an indicator when they're recognized.
So do I understand you correctly that you’re categorically excluding any kind of experimental evidence, no matter how well controlled or rigorous? That, so long as there is no breach of the source of the technique, you can’t be convinced?
I understand that any one person’s anecdotes are weak evidence, but your comments are going much further and claiming that such tests can never be evidence, even though much scientific knowledge is similarly obtained.
Experimental evidence is fine, given an actual experimental protocol. So far, all we have are weak anecdotes that don't come close to proving the assertion.
I don't have a FB account, but my wife's account absolutely delivers her ads intended for me. I've not been able to isolate exactly how it is doing it, but the dragnet is absolutely wide enough to capture a household.
She's received ads for Civic Type R (she hates cars), Senior Java Developer (she works in a totally unrelated field), cooking tools (I do all the cooking), and tons of other things. It creeps me out.
I’m guessing you and your wife share a home and an IP address, and Facebook is using that to associate “your” ads with your wife’s FB account.
Edit: How Facebook would get your browsing data, even if you’ve disabled things like ads and those FB like buttons (like I assume most HN posters would), is beyond my wild speculation.
If they have positional data they could do a correlation of location speed, along with time of week. If they constantly see you going to the same places on the weekends, that might be a clue, especially if in close proximity. Especially if traveling at the exact same high speed in close proximity (Driving there). GPS, at the high range, can tell location within meters.
And none of this would have to happen while you were talking about cars, or anything else. Just enough times to make the correlation, and with data that could have been collected months to years ago. Google Now did that for my commute from work to home.
I think it is more likely Facebook is using location data to create edges on a shadow social network. We just bleed metadata.
My current suspicion is they think my phone is hers due to IP. She doesn't use FB mobile at all and I use ad-block + NoScript on my computer, but not on my phone.
I've picked two different, random topics (boats & umbrellas) to occasionally search for on my phone and computer respectively. So that should help me figure out what the source is.
Why don’t you run an experiment, say something totally random that you know you’ve never searched and is out of the range of normal interests you have and see what happens. I have done that on more than one occasion and it confirms we are being recorded. It’s not just Facebook.
I did that experiment this morning -- before work at home and on the way to work, my wife and I were discussing getting a new car, and spoke about a particular car brand that a coworker just purchased.
I just asked her to check her Facebook and she doesn't see any car ads. I checked too but didn't see any ads for cars or that brand, but I don't have the Facebook app on my phone (she does) and our Facebook profiles aren't strongly linked (i.e. she's not listed as my "wife", we just friend each other). She uses her phone for navigation while driving, so it was in a position to clearly hear us.
I haven't done any research on that car brand, but I suspect that once I do a Google search, then the ads will start flooding in.
So maybe this is confirmation bias in the other direction, but I don't see any evidence that Amazon Alexa, Facebook, or Google Assistant are spying on us. Though it could just mean that this particular carmaker doesn't purchase ads based on keyword spying.
For experiments like this, use items that have high CPM. Gold, silver, niche personals and preserved food are great canaries.
Try doing different things. I don’t think name brand vendors do pervasive audio surveillance. I do think they broaden the scope of your intents. Use GBoard dictation or similar tools to write. Write stuff down in different contexts. Use apps in different ways.
Amazon and Facebook share in near real time. Anything you do in a consumer Amazon property is feeding context to FB.
Sorry, I didn't mean to imply that I wanted to do this test, I just happened to do it by accident this morning -- using a very similar term as the writer of the parent post, he said he mentioned Scion, I mentioned another major car brand that starts with S.
But you aren't being recorded or listened to. Countless security researchers have dug into this problem and can tell from the traffic that there is audio being recorded. Furthermore, if facebook is accessing the microphone without permissions, it would be through an unknown security vulnerability and would be against the terms of service with both android and ios.
You are just not noticing these ads until it is something you have called out. You would never have given a second thought to this totally random item otherwise.
I have tried the same test as you multiple times just for kicks and have never found it to be confirmed.
Well you surely can't deny that SOMEONE is listening? Google or Facebook, do some tests and you will find it's true. Confirmation bias is a possibility but from what I have seen and experienced I just can't believe that is always the case.
I think that one should consider the possibility of FB group indirectly accessing this data.
They don't have to collect information only directly from their FB/Instagram/WhatsApp apps: what they can do is buy information from other companies that publish thousands of "free" apps on appstores.
You have to wonder how so many of these free apps seem to sustain themselves since GDN advertising does not seem to be profitable enough.
FB group should be obligated to disclose whether they are buying information from these kinds of third parties.
More importantly they should disclose whether the price they pay is illogical, effectively making them silent partners in an indirect scheme to access your camera/mic information, while at the same time maintaining the allegation that "we do not access your mic through our apps".
They buy the info from massive data brokers, who buy data from other large and small data brokers, who buy the data from app makers, services, etc. User123@gmail.com expressed interest in buying kitty litter isn't exactly sensitive information so there's probably not much in the way of auditable logs maintained, probably impossible to determine the original provenance of the data in many cases.
The notion that Facebook is secretly recording your microphone is beyond idiotic and shows how ignorant the general population is (and consequently how vulnerable). It is the fantasy of an aspiring but untalented screenwriter.
Facebook isn’t spying on your microphone because they don’t have to. They know enough about you to monetize the shit out of you from things that are out in the open. When the populace trusts Facebook and Google with nearly their entire digital lives, and the DOJ lets these giants acquire the rest without a fight, why would they need to resort to clumsy subterfuge?
I think people really underestimate the power of ad retargeting and advertising analytics. Take in some location information and cross-reference it with friends lists and their product searches and you can explain 90% of these occurrences without voice data.
> Data brokers run personal information through an algorithm before uploading so it’s not identifiable, Facebook says, but it still can be matched with Facebook account information.
I use uBlock on safari but that's it. Can you recommend an alternative to Privacy Badger (or a trustworthy implementation[0]) that works on Safari? HTTPS everywhere and PB are not supported.
[0] Some company called softtonic has a "Privacy Badger" branded extension but I am skeptical about downloading from an unofficial source.
uMatrix is uBlock for all the things. Or, enable advanced / expert mode in uBlock and use the "traffic light" system to configure blocks to specific domains as encountered.
In my humble opinion, we are missing something here. I am not a Facebook user since a long time. But something really interesting happens whenever me or my girlfriend are talking about a particular product.
She gets related ads in the web wherever she goes. She has Facebook installed in the phone while I don't.
But the interesting thing is that this is not happening to me. Never. I do not get ads for scuba diving suits if we speak about it. She does. How can we explain this?
Does she scuba dive as well? Or she may have possibly mentioned that you scuba dive in a message to a friend? Or somebody posted a photo of you related to scuba diving without you knowing?
Sounds like she is just more context aware. I skim past ads and never notice them. Some people might take note if the ad is something they had recently discussed.
Am I alone in not really caring about my privacy that much? I understand many people care about theirs, and I fully respect their right to their privacy. With that said, I could care less how much data Google/Facebook acquire on me. For now, all it is for more targeted advertisements.
My tune would obviously change if that data were used in more malicious ways. But as long as it is advertising targets, I personally don't care.
Well, besides the fact that privacy violations are (should be?) against the law and unethical, there are a few considerations you could have.
The one that springs to my mind right now is: Knowledge is power; which is also true in that case: the more an entity knows about you, the more power it has over you. And not only blackmail, but recent hints (AI-powered election meddlings, addictive user interfaces, etc.) have proven that your instinct can be, and will be used against you, whether you are conscious of it or not.
And of course, there are problems linked to physical security (if the wrong person can see you're spending a week abroad, your house might be broken into, or worse).
Let's not dwell on the ethics of financing a company that sells your personal data.
Private data is by definition not supposed to be made public, it is sensitive.
Treat it like an attack surface: the more there is out there, the more likely it is that something can be used against you.
My question is whether I am alone in actually caring very much about my privacy.
I don't consider myself to be paranoid, but I have never been willing to share details of my life with strangers. I recognize that any online activity is subject to surveillance, but I do what I can to minimize sharing that. There's a lot you can do along those lines, with really fairly minimal effort -- though I consider "minimal" to include not having a facebook account and not having any photos of myself on the internet, for example, which I know from having these conversations in the past is for many people some insurmountable hurdle.
Anyway, why would I want strangers to know the details of my personal preferences and tastes? There's no benefit to sharing it as far as I can tell. That is what has always stumped me when people say they don't care about their privacy.
Not just online activity. Bank/credit card transactions. Utility/tax information. Postal information. Subscriptions to anything. DMV records. A detailed profile of you is for sale to anyone who cares to pay. Probably less detailed than most people, since you're careful, but enough to be spooky.
The fear comes from exactly that. People aren't worried about targeted advertising. People are worried that swathes of their data isn't "theirs" anymore and can suddenly be used maliciously. Sure maybe not by Facebook. But Facebook's customers? The customers to those customers?
> My tune would obviously change if that data were used in more malicious ways. But as long as it is advertising targets, I personally don't care.
Diamonds are not actually forever, but data is. There's little you can do to prevent Facebook from using the data you've already given them in malicious ways tomorrow. Throw in an economic crisis or major war and it's almost a certainty that they will do so due to desperation or legislation.
But how can you be sure that Facebook will keep your data safe? Experian showed us that you cannot trust these data companies to keep your data out of the hands of nefarious people.
If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.
Once your data is collected, you have no control over it any more. Are you sure there's a valid retention policy, it is actually working and enforced, there are no secret agreements with e.g. the national security apparatus, and it is absolutely secure from malicious employees?
That is the big issue around data collection. Even if you're fine with it being collected now, you might not want a recording of this at a later point. For many different reasons. But a big one being that it's really easy to twist your words against you.
You're not alone. If we're talking unintended consequences of privacy invasions, I'm more inclined to not like something like letting people add you to groups without your permission (e.g. when people were outed by being added to a gay choir group on FB many years ago).
I might be biased because I run ad campaigns on FB and the data is helpful (more efficient than Snapchat or Twitter where they have less data on you).
Of course not. Nobody I know IRL cares about their privacy, save one or two people who also happen to be generally paranoid (I don't mean it's paranoid to worry about Facebook, though). From the looks of the web, people I don't know are far, far less concerned about their privacy.
Would you be upset if Facebook used information about you to choose what to display on your feed? Probably not. What about if they were simply experimenting to see if they could make you happier or more depressed by carefully choosing that information?
Are you aware that 'your data' can involve your reactions and small actions like mouse movements and that all that data can be used to steer your emotions and behaviour without you noticing it?
Then there is the combined effect of everyone's data that is threatening.
As my meatspace identity, I don't worry about this stuff very much. Indeed, it would be an identifier for me to do so. In meatspace, I'm just a regular guy. Mirimir, he's the privacy freak.
Anything that I want to keep private, I do as a compartmentalized persona. Separate hardware. Separate LAN. Separate Internet connection path. No overlapping Internet activity or interests.
I uninstalled FB from my phone because it cut the battery life in one third, even if not used at all. One can imagine how busy it was behind the curtain to need all these joules...
So I was trying to remember the buff old guy from Avatar, Stephen Lang. Once I found him, I noticed that I am suddenly being recommended videos on YouTube that include him.
I've disabled auto update for all apps on my android. However, Facebook and Messenger still update automatically. This itself raises suspicion of Facebook's control over my phone.
1. Some big features in Facebook/Messenger already exist in the app, and are just enabled/disabled remotely. This is pretty common in most big apps, it's how they can control rollouts. For example, the Snapchat design update: not everyone got it at the same time because the code was living in the app and they gradually enabled it for each user.
2. Wouldn't surprise me if part of the app were heavily reliant on things that can be updated remotely. Chunks of big apps will sometimes be just views fetching some web components. Facebook created React Native, and iirc it can be updated dynamically, like a web site.
When you have lots of people working on an app you have a high probability of introducing bugs. I worked at a company that shipped a faulty update; it looked OK to users, but it was essentially DDoS-ing the servers. Having to wait for the App Store to approve your app to fix things like that is annoying and costly, so people tend to look for alternatives.
I have a suspicion that at least instagram is listening. I started saying words that I've never looked up in the past, nor have I ever seen an ad related to them, like 'dog walker', 'babies'... and over the course of minutes I started seeing ads for both. Not sure how to explain this.
> Facebook works directly with six data brokers, all of which allow you to opt out from their sharing of your personal data, everything from your email to your purchase history.
And that sort of explains everything.
I kept wondering how the info that keep to the Google-verse (search, Gmail) makes it to Facebook. Now I know.
Does it mean that Google collaborates with these data brokers? While it doesn't harm them directly, it seems like a myopic thing to do, arming a company that may undercut your sole major source of income. Yes, I imagine they take it directly from the device, but doesn't Google have control over the Android internals?
Also, I am in somewhat unique position. Being a Microsoft zealot, I still carry a Windows phone (v8.1) with slowly dying services. I almost don't use Facebook yet I still get these too relevant ads, mostly according to what I google on my desktop.
How much use do you make of Bing, if you don't mind me asking? Is it a case of mainly using it (as you are a Microsoft fan) but occasionally needing to refer to a Google search?
I am more used to Google which I use on the desktop, but when on the phone, I use both interchangeably.
When it comes to the US and global content, there is virtually no difference in the results. Google is much better in the local content and the knowledge graph results though, as well as the maps. Video search is better in Bing.
When I worked in the OEM industry, there were rigorous standards and compliances that had to be met to ship our phones. If an app was invoking audio recording without the proper permissions, this would be a huge red flag. Google would never approve the phone to be shipped as it would be breaking their CDD.
Also, if audio data was being transmitted using some obscure APN that does not use mobile data or Wi-Fi, OEMs could still easily detect these from the modem side, no matter how encrypted the data is. After all, the app is still JUST an app, in the system folder with all the other apps like Candy Crush. Unless this specific audio recording feature was built into the Android framework, I will say it is 100% impossible.
Note: this is just for Android. I have no idea how iOS works.
You should check your sources again - that statement is false... You only have to look at the release notes from the dev preview on Android P today to see that it was possible for any background app to access the camera and microphone at any time:
> Android P strengthens privacy by limiting the ability of background apps to access user input and sensor data. If your app is running in the background on a device running Android P, the system applies the following restrictions to your app: Your app cannot access the microphone or camera.
It says that apps in the "background" cannot access user input and sensor data. This means that even if the app gains permission in the foreground, it won't have access when the app is running in the background.
Note that this use case was extremely rare anyway, but I know Google did this simply to ease people's minds (I know several people on the Android framework team).
Step 1: don't use Android.
Step 2: don't use smartphones at all.
Step 3: black-hole FB and others at your router at home.
I personally skip step 2 because I'm addicted to being able to quickly search for things, read blogs. But even so: a) don't login to any websites, b) clear website data often, c) minimize use of apps, d) recall that when you browse the web from an app you're using the same cookie jar and other state as the main browser, and that you're letting the app track you.
Signed up for Facebook Workplace trial and let it expire. They’ve now shared our details with third party implementation consultants who are approaching us. Not great.
I work at Google and I'm a long time hobbyist Android developer. I have a lot of non-technical friends ask me about this.
What I always say is that this would not be possible. To constantly listen for audio, process it, and upload the results would use so much data and battery that you'd notice. Only a plugged in laptop/desktop could get away with this.
Am I wrong? Would it even be technically feasible for Facebook to listen all the time?
This "I work at Google" thing... doesn't give instant knowledge on all areas.
There are many ways this could be covered, as many have said here (Above & Below). Noise gates... other Apps listening for key phrases etc.
E.g.
A Fitness App could be installed with a noise gate + setup to listen for specific fitness related terms... that triggers a simple pulse to say person A is interested in that topic....
Another App does the same for topic B... and the list goes on...
That's just off the top of my head. (I don't work at Google)
You shouldn't assume that and actually do the math. GSM-HR (an early 90s codec that is fast to encode and designed to be low-power) combined with a trivial noise gate will only require[1] uploading <100 kB/hr.
> Only a plugged in laptop/desktop
Audio compression existed before MP3/AAC. GSM-HR only uses 5.6 kbit/s, and was designed to be encoded on early (GSM) cellphone embedded CPUs/DSPs. Modern devices have several orders of magnitude more CPU/power/bandwidth available.
> all the time
It's only necessary to record when voice is actually present. A trivial noise-gate[2] will cut the recording time down to only a few percent of the time at most. Obviously a better filter should be possible.
> To constantly listen for audio, process it, and upload the results would use so much data and battery that you'd notice.
A few years ago I uninstalled the official facebook app because it was using all of my battery and a fair bit of data, even when I wasn't actively using it. The battery usage record in the settings indicated the facebook app was the cause. After removal it felt like I'd bought a new phone, everything was running so much faster. I recommended the change to friends who saw similar results.
I don't know if it was maliciousness or incompetence behind the battery usage, but it would seem that you can get away with it largely unnoticed.
There's no reason the application must always be listening. Facebook could do their voodoo to determine when during the day you are most likely to be in a social atmosphere, and begin listening to the microphone only during that range of time.
Processing and uploading doesn't have to happen all at once. They could analyze/process the audio while you're asleep. The power drain would be negligible - or completely unnoticeable if your phone is charging while you sleep. Data obtained from these processes could be uploaded in chunks, hidden inside the photos and videos you upload from the Facebook app.
So, in my opinion, not only is this all possible, it'd be not too difficult for Facebook to hide it from the general public.
I've tested it on my own phone (Lumia 920), and a background audio recording uses about a half to a quarter as much power as the Gmail (IMAP) app - it's pretty negligible. Compressing it to send over the wire might use more (I was recording to WAV), but with the right choice of codec (e.g. GSM-HR as mentioned below) I can't see it adding all that much. A common complaint is that the Facebook app uses a lot of battery anyway, so the costs of audio recording probably _could_ (I doubt they _are_) be buried in that.
I'm pretty sure it's optimized to listen for a single hotword and then initiate the network connection to process what comes next.
What people accuse Facebook of doing would require constant processing of the audio stream for random interesting tokens. Either process on device and then send metadata (more battery, less network) or send the raw stream and process on the server (less battery, more network).
I have an Android 6, from Archos, which is relatively clean in terms of vendor layer.
I regularly go in the storage part of apps, and despite the fact that I don't use many apps, they still manage to generate megabytes of data, which are not cleaned by the "clean cache" functionality.
I'm not using it for texts and calls, I only use it with wifi, but still, I have low trust in the android ecosystem.
I did Android QA for a VPN/Proxy app. Had to benchmark battery usage and verify that we upgraded to SPDY properly. A lot of rooting, and tcpdumping. Eventually we got a WiFi network set up by sysadmins that mirrored traffic to one Ethernet socket. Plugged it in on a local SSH-accessible machine and I could tcpdump the whole WiFi traffic without fiddling with devices.
Facebook and Instagram are awful network hogs. Both send a lot of packets every 5-10s when the screen is on to Facebook's tracking domains.
I removed both and haven't looked back since I saw that.
Google and other tracking companies of course are not better, hence the apps mentioned at the top.
This is not a viable solution long-term though. They will find ways to eventually circumvent these restrictions.
Now I'm thinking about setting up the same thing I had at work at home, just to see what kind of crap goes through my network daily.
You're on Windows 10? Guess what Microsoft does. Install Wireshark and check for yourself how much MS domain hits you get. Not to mention HTTP traffic from random apps and/or websites that circumvent privacy protection domain lists.
The implication here is that you're the product but not for that company or another. You're for all of them, ISP included. The more crap leaks on your network the more they know and sell.
As a side note, I have no idea why DNS traffic still goes in pretty much plaintext...
Have you heard about tracking data exchanges?
The overall problem is that everyone is spying on you on multiple levels because there's money to be made on profiling. Facebook just grabs the headlines. Apps listening to you are scary but the fact is you don't have to speak to be heard by them.
Am I alone in being horrified by the reality that many people today consume most if not all of their news and entertainment holding a camera and microphone on proprietary communication systems running software controlled by the same entities producing the content?
How is this not the greatest threat to democracy in the entire history of democracy?
It's just another step in the long slow boiling of the pot. The mass media already are nearly uniform in their interpretation of events with the exception of how they inflame cultural grievance. The American public is the most heavily propagandized in the world.
> Here's an example of someone that has encased himself inside of corporate propaganda so completely that it physically surrounds him at work, at home, and even his inner thoughts:
Interesting piece, but was the rent of that place $4800 per month? How does that make any sense?
If in the 1980s, during the height of the Cold War, you had predicted that in 30 years virtually everyone would voluntarily be wearing tracking devices that pinpointed their location 24 hours a day, and voluntarily carried recording devices which could at least in principle record everything they and anyone they talked to said, you'd be branded a conspiracy theorist or a believer in sheer science fiction.
Today it's no longer a paranoid fantasy but a reality, yet even those who aren't in denial about it are mostly not choosing to opt out of the surveillance.
I am coming around to the idea that this particular grievance-- at least the camera and microphone bit-- is the "terrorists" of privacy.
That is to say: it's an absolute bad thing and is a concern. But because it's so easily visualisable and conceivable, the actual threat is blown way out of proportion, and much less sexy threats that are much more important are ignored.
You're more likely to die slipping over in your bathtub than being killed by terrorism, etc.
I guess the "slipping in your bathtub" for privacy would be the consumerist / capitalist / deregulated culture that allows, normalises and incentivises trading away privacy for convenience with no real pushback. Which in turn actively discourages keeping your privacy, because it's like: why play some constrained rule-set that disadvantages you and no one else plays by?
So it started with being Facebook is secretly recording you. Now it is Apple has secretly embedded a backdoor in the hardware and OS of the phones. Specifically so Facebook can use it to secretly record you.
A conspiracy of thousands of people? No that doesn't sound crazy at all.
The point is we don’t know what goes on inside our computers, they’re proprietary, they’re closed and we’ve had some pretty shocking revelations already. It’s absolutely not outside the realm of possibility.
It's also possible that Apple has embedded a grenade inside each iPhone.
That's about as likely as them enabling the microphone specifically so Facebook can invade everyone's privacy and commit espionage on a scale never before seen in human history.
This is why I like Caffè Nero's loyalty cards. They are little pieces of cardstock with nine coffee cups printed on them. You get a stamp every time you order. Once all nine cups are stamped, redeem the card for a free coffee. There's no PII on the card and your name isn't going through an additional computer (on top of the standard 17 a day, per Cereal Killer).
Your fingerprints are all over that card! All I have to do is wait for one of those cards to hit their trash, and I'll have a pretty good idea of how long it takes you to fill one up, and so how much coffee you drink.
This is the USA we're talking about, where if an unethical way to wring out more dollars doesn't have a law explicitly forbidding it (and there are laughably few such laws here), it WILL be used against you.
I know of a few places that have simple stamp loyalty cards. Oftentimes they are mom and pop shops, or chains still finding their footing. Most cards are electronic and want a name and phone number associated with them.
App loyalty cards, while still having some information on you, are largely about large merchants (ie starbucks) avoiding credit card interchange fees by giving rewards for people who load money to the app and purchase from there.
So, all incentives are not against consumers. The merchants avoid the credit card oligopoly fee and pass on the rewards to consumers.
By having a punch card and forcing customers to use cash? While cash is making a comeback in many places, there are still plenty of potential customers who would not buy if cash was required.
At this point I think I am unaware what a punch card is. I was assuming a card that gets punched each time you visit a place, and after N punches you get an item for free. Is that right or totally off?
I put my Caffè Nero loyalty card in the same pocket as my phone (which runs the Facebook app).
I have no way of proving this but I'm pretty sure they used my camera to read the card because the next thing I knew I was seeing ads for Starbucks (a competing coffee chain). I have never said Starbucks out loud and suddenly I am seeing ads.
It seems to be pretty basic. They access the photos within the photo library and the location of the device (both of which you've most likely granted Facebook to access).
FB then cross-references with any other devices nearby, and any identified objects within the photos are cross-referenced with their ad inventory.
I find it hard to take this article without a truckload of salt, given the Wall Street Journal is owned by News Corp.
Murdoch has money to make by gaining leverage over FB.
I haven’t had a Facebook account in almost 4 years and I block their traffic on my router, so I have no love for them. But I seriously doubt this story’s motives.
FWIW (admittedly not very much, anecdotally from another rando HNer) The newsroom side of the Journal is among the vanguard of quality journalism and has largely remained that way post-Murdoch. The editorial pages on the other hand are extremely opinionated and seemingly in a completely different reality than the newsroom.
I find it amazing that people even notice. I don’t have an ad blocker on all my browsers, and except for YouTube and interstitial ads that Chrome will soon block, most ads are simply not registered by my brain.
Are you sure? Everyone says that they are “immune” to advertising (or propaganda), and yet here we are where the collective result shows that it works, surprisingly well too. Another theory could be that people just get the causal order wrong:
ad display => subconscious influence, nudge => eventual product purchase, mention etc => recognized ad => spooky feeling
Yes. I know it works. Why would these companies spend so much money if it was not? And in addition they have good metrics to know which campaigns work. But this flies in the face of my personal experience... Aside from YouTube, I can’t remember when was the last time I saw an ad and what it was. Must have been weeks ago.
It’s really too easy to tap the “I’m not driving” button. We have a global cell-phone-use-while-driving epidemic going on that’s taking way too many innocent lives. I wish tech companies would start sharing phone use data while driving. That’s when people will start to care about the lives of others and the rule of law, the moment they see their premiums going up things will get better rather quickly.
The only "app" I use to access Facebook and other social media is a well locked down browser. IMHO if you use apps, then you're a schmuck and a sitting duck ;-) :-)
That said, this is a quite silly conspiracy theory. Believing the "recording" theory requires you to believe that Apple and Google both are in cahoots with Facebook to give them a rootkit-like API for mic and location access that override all of the OS-level controls and warnings about when that hardware is in use, and hide it from the data and battery usage stats on the phone.
This API, when (not if) found, would be a watershed moment for privacy legislation directed at all three companies. Little to gain, potentially the whole farm to lose.
> requires you to believe that Apple and Google both are in cahoots with Facebook to give them a rootkit-like API for mic and location access that override all of the OS-level controls and warnings about when that hardware is in use, and hide it from the data and battery usage stats on the phone.
You mean like when they gave Uber special access to grab screenshots even when the Uber app wasn't running? Yeah, totally impossible to believe.
We're talking about two different things here; in Uber's case, they were given access to an API in a completely above-board way. There was a legitimate reason, the access was used to work around a hardware limitation in a temporary way.
In this case, you're talking about something that completely bypasses the entitlement/permission control of the OS, something which both Apple and Google have no reason to ever add. Uber actually used a private one with Apple's consent, (the com.private.apple- entitlement) while there is no evidence of any such private APIs being used in the Facebook apps.
Calling people trolls when you disagree with them because of your own misunderstanding isn't allowed here.
As an example, the degree to which government agencies are involved with snarfing up private communications from Americans with almost no real oversight. Mostly out of the bogus box when Carnivore came to light, completely out when Snowden did his leaks.
> "It's ok to post stories from sites with paywalls that have workarounds."
> "In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic."
It's usually easy to click the 'web' link on the top of the discussions page and follow the first result on google.
I believe there have been many discussions on the utility of paywalled articles and I believe the discussion has mostly settled on allowing it as long as it is easy to circumvent.
OT: actually interesting to see how the author worked backwards to understand why he is receiving ads. Still: all this, and still they keep showing ads for stuff I recently bought...
Showing ads for stuff you recently bought happens to be extremely valuable advertising.
Sometimes the first order doesn’t arrive, or you want another one for the office... You think the chances of that are low, but they are still far better than showing you a generic ad.
1) FB doesn't listen to you.
2) Why are people getting so upset for seeing relevant ads? Ads are what pay for many of the services we use for free, would you rather see obnoxious irrelevant ads?
In my experience most targeted ads are both creepy and irrelevant. It's quite an achievement. After shopping for custom USB keys online I saw custom USB key ads for months. Long after I had already found a supplier for them. The experience is not unlike being followed around a mall by a really pushy salesman after you glance at a toaster; because now he thinks all you want to buy is more toasters.
If you bring this up with someone who works in adtech, the stock response is that we need even more tracking to fix it. It's like the adtech version of "no true Scotsman".
Edit: That's not to mention what a huge waste of money this must be for the client buying this ad space. After ordering something from an Adafruit-like electronics shop, I saw ads for them around the web for quite a while. Often trying to sell me the very thing I had just ordered.
How did I find them in the first place? Second or third page on Google search.