Old news. Facebook has been doing this since at least 2009, I recall seeing an article where Facebook censored all links (including those in private messaegs) to thepiratebay.org [0]
They also crawl links you share in private messages to grab the title, intro, and favicon to generate that clickable widget link thing.
I have the same initial reaction. However, even though we 1% of tech geeks that are paying attention and are aware of these things, how many of us have had people slightly tilt their head sideways in confusion when we try to inform them of this stuff. I'm sure we've all been labeled kooks, conspiracy nut, tin foil hat wearers, etc in the past.
This is one of those situations where the mass populace just didn't want to understand, couldn't understand or combination of both, but the mass populace is finally starting to see just how much of this tracking stuff has been going on. I still think it's not enough, though.
It's similar to the activities of most anti-virus/malware agents on computers. Of course, one could argue those cases are focused much more on the security aspects, rather than Facebook's revenue-generating motives to see what you do for advertising purposes.
Yep, very old news. They also blocked URLs to competitors claiming the links were spam. Even if you legit posted the link, Facebook didn't notify you the message didn't send. It just failed silently.
> They also blocked URLs to competitors claiming the links were spam. Even if you legit posted the link, Facebook didn't notify you the message didn't send. It just failed silently.
Here's one from back when Google+ launched and they blocked G+ invite links for about a week.[1] If I recall correctly, there was something similar that happened about a year later where Messenger messages with a G+ profile URL would silently fail to send. I can't remember the details on that though.
Interesting, thanks. Also interesting last paragraph:
> Some speculate this could be a Google plot to spur distrust for Facebook while bringing more attention to Google+. I'm not sure the search giant would go that far, but I think it's telling the company's employees chose to post about the issue on their own social network rather than contacting Facebook directly and asking for an explanation.
Thanks! I wasn't trying to question its validity, was just curious how bad/blatant it was, how often it happened, what kinds of links it happened to, etc.
Yes the mechanics of handling a message or posting or whatever is understood at some level by everyone and perfectly acceptable. What's troubling is that they associate all of it and more with a cumulative collection of information about a "persona" that is essentially permanent, and in the majority of cases they know who that persona belongs to. The individual concerned has no control over it. Further even FB et al do not have complete control how that persona is used or abused.
This is not old news and the examples you provided are not proof that they were doing it prior.
It is perfectly possible to crawl pages to get titles and FavIcons client side or using a web service that don't necessarily keep a log of these requests.
Same thing for censoring links. You can have a static list of disallowed domains and do all the filtering client side or have a web service that given a link returns true or false if it should be censored. It doesn't necessarily means it needs to be logged, kept, associated with a user or manually analyzed.
What we're seeing now is that facebook is actively looking at whole messages, that's a step up from the previous instances. It's still unclear if this is all automated or if some are manually reviewed. It's also unclear if these are associated with a user, or anonymized when analyzing them. Are these logged? How long are they kept for? Facebook should be more clear on how this all works. Otherwise we're just left guessing.
In that medium story, the Facebook devs claim accessing privately shared messenger links is a publicly documented behavior, citing the Facebook Crawler Docs. They quote: "The first time someone shares a link, the Facebook crawler will scrape the HTML at that URL to gather, cache and display info about the content on Facebook like a title, description, and thumbnail image."https://developers.facebook.com/docs/sharing/webmasters/craw...
I would update my original comment if I could, however the edit period has passed.
FTA:
“For example, on Messenger, when you send a photo, our automated systems scan it using photo matching technology to detect known child exploitation imagery
Ah yes, the "Think of the children" [1] argument. This is the favorite argument of censorship [2] lawmakers, dictators and everyone who wants to destroy personal liberties and privacy. They always invoke "think of the children" arguments because you look like a monster if you oppose it.
I think the parent's (unstated) implication is that a system that can detect and block from a list of CP hashes could also be used to block any other content.
For example, let's say I create an eye catching flyer image detailing locations for a peaceful protest against the firing of a Mueller. Such a system could be used to block it.
Right now no one opposes building it, but the capacity once created can be easily abused.
Don't fool yourself. There's nothing stopping any pedophiles from sending links to private websites where their content is hosted. Saying that they are scanning anything to "think of the children" is simply being naive.
Some (off the top of my head, Taleb) advance the argument of survival bias:
Smarter criminals are less likely to get caught and so, are less likely to be offered a seat by Chris Hansen.
There seems to be a cottage industry around making words more palatable when it comes to tech privacy.
"Scans" should be "reads and stores"
"What you send to other people" should be "private messages, images, and videos"
"What you send to other people" implies that there was no expectation of privacy in the first place, which (while true) I think does not match the 'normal' person's expectations or understanding.
News organizations need to be more candid with the public about how their information is being inspected and stored instead of using slick language to downplay the distasteful practices of many organizations.
Another example of charitable sanitisation: referring to personal data being 'monetized' rather than 'sold'. Information is sold when advertisers can target sets of users based on their personal data.
I disagree. If I can query some API and it gives me some output, the data has changed hands. I can't really imagine a system where one has 'access' to data and does not receive it, unless it's in some kind of "Data Library" and nothing is allowed to leave the premises.
Maybe it's better to accuse companies of "selling access to the person".
Such as if you were eating at a restaurant and touts came directly in and started trying to sell you various things. Where the touts had paid off the business for access to your person.
I hear this point frequently, but never really understood it. Can you explain? Here's the flow as I understand it.
1) Advertiser tells tech company "please show this ad to people you think are interested in X"
2) Tech company uses its private data to figure out who to show the ad to.
3) If you don't click the ad, end of story. No data leaves the tech companies servers to tell anyone anything about you.
4) If you click the ad, the place that ad directs to will know the ad you came from. Åt most, they can use referral source to infer some data about you.
To me, data is sold means that large amounts of personal data are shared about me without my consent. What am I misunderstanding?
Why does selling information mean 'large amounts of data must be shared'?
The explanation is in your point (4). Let's expand on it:
I click an ad targeted at African-American, Christian homosexuals, over 40 years old, living in Boston, earning >$100,0000 with a custom audience set consisting of 100 email addresses the advertiser scraped from a forum.
By the way, I never told Facebook my sexual orientation, salary or religion, it was inferred based on other sites I visit.
When I click the ad, Facebook reveals to the advertiser that I match this description: and this is exactly what the advertiser pays them for.
I'd like to see the 'Wikipedia' of social media emerge: a centrally managed, decentrally moderated, non-profit, 'nagware' funded social media.
Most users don't care about federation or decentralisation. They want low-cost and convenience but they're starting to realise they don't want it at the expense of their mental health or privacy.
Nothing can be simpler for the end user than a centrally managed service: I just go to wikipedia.org and start reading/writing. Censorship issues are avoided because moderation is decentralised: the site has a governance framework.
So I believe there's a space for a similar concept in social media. There's no question social media fulfils a genuine human need. But the profit motive inevitably forces commercial social medias to make decisions that detriment the user. For example, 'engagement': a santised term for addiction. Is it good for the user that social media should be continually engineered to increase 'engagement'? A non-profit has no such conflict of interest. It may even take steps to reduce engagement if it believes users are at risk of depression, addiction, anxiety etc.
I would love to talk to anyone who has ideas about bootstrapping something like that (email address in profile).
Is the recent attack on Facebook a coordinated effort to kill Zuck's office run?
Don't get me wrong, I think all the flak Facebook is getting is deserved but there's little in the revelations coming lately after Cambridge Analytica that is really new. However the media backlash is a lot, a lot bigger and more sustained that I thought it'd be, even here in HN. I'm not one for conspiracy theories but could it be partially orchestrated by some political powers that be to kill his political aspirations? Or even if it didn't start that way, I guess it could have been helped by this.
I think his sort of awkward introvert style already marked him as not much of a threat politically. How would he do in a debate? Thus, not buying a conspiracy to keep him out of politics. It shouldn't be this way, but charisma is a base requirement in politics.
I don't disagree but listening to the absolute nonsensical, lie riddled incoherent rambling of the current POTUS makes me believe I don't really know what charisma is.
Can you elaborate on how that change affected news outlets? I can understand they losing traffic to fb in general but I guess I'm unaware of that specific change.
There is no way Zuckerberg was ever going to hold any political office. Why on earth would he even want to? He has WAY more power and influence simply by controlling the Facebook empire and being worth $60+ billion.
All this talk started because he hired a top Obama campaign manager as a lobbyist for his foundation, and somehow people got "he obviously wants to be President" out of it.
Well no, he also went on a grand 'meet the plebs' tour, and recently claimed that religion was 'very important to [him]' after historically being an atheist, to name just two highly suggestive actions in addition to the one you mention.
This started because Zuckerberg added a "public-service clause", wherein he could go into public office for a period of 2 years and then come back to his role as CEO of Facebook. Adding this clause caused friction with members of the board, which proves it's important to him.
To me, it seems more recently that these larger negative stories tend to linger around. I think it's less related to malicious intent, and more, news websites attempting to capture more of the residual interest with a barrage of derivative articles (and succeeding).
So Facebook Messenger has the option of end-to-end encryption of chats when you use "Secret Conversations", which are encrypted using the Signal Protocol [0], [1]
Is there any indication that FB doesn't scan the contents of these messages before encrypting them with your own key and sending them across the wire?
Have tested this myself with known bad links (ie malware, spam and piracy websites). None were blocked.
Steve Weis was involved in its development (previously PrivateCore, Google Security Engineer where he developed 2FA and the keyczar library) and jumped on the defense after it was initially announced. Earlier versions were reviewed externally by some pretty well-known cryptographers.
That being said, meta-data around use of E2E encryption in Messenger is still an issue since it's not enabled by default.
Yep. Same with the Apple crash character bug from a few weeks ago. Also when linking .EXE's and .SCR's, I didn't see any hits on the server. Facebook blocks direct linking to executable files, and usually does a HEAD request against the web server - in this case I didn't see anything when sending via Secret.
I think most people, at some level, know this and accept it. I think the shock comes when you think how long this information is kept for, and what that means. i.e. each year they can advertise age appropriate birthday presents, a few years from now they might get adverts for children party suppliers. As they grow up college saving funds, colleges, trips to Disney land, first cars can all be targeted to you at just the right time.
I just hope people, including a lot of people reading this, remember this for longer than two or three news cycles. Just because Not-Trump gets into power someday doesn't mean that he or she won't be followed by Not-Not-Trump. In fact, I guarantee the eventual rise to power of Not-Not-Trump, because the only thing that would stop it is if Not-Trump successfully institutes totalitarianism, hardly a win. Our vigilance on this matter can't depend on how much we collectively do or do not like the people currently in power. That was a big mistake Silicon Valley made over the past decade and the bill is coming due in a big way.
I only listed those two events because they were so obvious that I was surprised you hadn't considered them. There are, of course, far more events that people remember.
As far what was happening in January/February:
Pretty sure the government shut down at some point, I think that was around then.
I also remember a lot of news about the stock market breaking records and some post analysis on the tax bill which I think had already passed by then. I could have that timeline wrong on that though.
I think the Alabama Senate election was around then. That might have been earlier though, but I think there were still headlines about it in January.
That's all I remember off the top of my head. I follow political news more closely than other news lately.
People won't realize how bad it is because nothing has tried to contrast the ethics and outcomes of our inter-connected society. It took Black Mirror to make us cynical about the onward march of any non-defense era technology.
>When our daughter was born, and I sent an announcement via GMail, I started seeing ads for diapers.
Your comment is making me feel really, really old. Have people forgotten Gmail's history?
Gmail is not that old. When it was new, what you are pointing out was in the news. It was all over the news. To the point of members of Congress commenting on it. It was heavily debated. Google was very open about the fact that they were doing it. Google was the first (major) email provider to offer 1 GB of mail (well over the usual paltry 50MB that was the norm). Everyone asked "How can they afford it?" And it was very much in the open that it was being paid for ads, and that Google will mine your emails and provide you with targeted ads.
I remember while reading an email on Gmail back in 2004/2005 there was a very obvious targeted ad based on the content of that email.
I honestly do not mean this as a criticism, but I am really, really surprised that a HN poster was surprised by this. That Gmail scans (or scanned) emails and uses them for ads is almost part of their identity. It's like being surprised that there are ads in a newspaper.
There are multiple vectors for them obtaining that information - location records from your phone, receipts for parking ramps at a hospital, any mention about a pregnancy or baby on social media in the past (pregnancy announcement etc), image recognition of the newborn, registering for baby related gifts, buying pregnancy/baby related items (books, classes, equipment etc), a third party selling your information (health insurance maybe?), or using your web search history.
It's safe to assume that much of the data we all leak is being mined for revenue.
That's amateur level stuff for modern marketing, have you seen this article back from 2012 on how Target can figure out that you're pregnant and send you ads for maternity stuff before you've told anyone at all, just by watching what you buy?
That's the 'for' argument, made by advertisers. Oh, we're just trying to more effectively let you know about the best deals for all the stuff you need!
The problem is, though, that any form of bargaining (and sales is bargaining) is an information game. The more they know about you, the worse a deal you will get. One recent real example was the advertisers targeting women on their periods. Taking it further, imagine a liquor company finding out that you've just lost a family member and flooding you with ads for alcohol. The more they know about you, the worse you get screwed.
Would you rather see ads for cat food? (Even though you don't have a cat.) This is not a rhetorical question: please answer it.
The reason for this question is that even though you don't have a cat lots of people do! It's absolutely not a false dichotomy. Either people who have no cats must see cat food advertisements (bad choice), or cat food advertisements must be shown to people who probably have a cat (better choice). There's really nothing in between.
This is the world we live in, and you should prefer to see baby diaper ads vs cat food ads, when you do have a baby but don't have a cat. The statistical number of cats or babies is irrelevant. As you may know, Google is pretty good (not perfect) about not allowing keyword targeting that gets down to individual people so the privacy implications really are pretty limited.
-
That said, I have a funny story to share. (About adapting to this world.) I am learning a foreign language and I decided to watch baby cartoons in that language. But before I did, I thought to myself, "Okay if I start searching YouTube for cartoons for 1 year olds, pretty soon Google is going to decide that I'm a new mother and I'll see nothing but baby cartoons in my feed for the next 5 years."
I was sure enough in my reasoning that I went ahead and created a brand new Google account for the express purpose of being able to pollute its YouTube feed. I only watch stuff related to that language learning on that account.
This had the exact effect that I wanted. That youtube became absolutely awesome for spending focused time on my language learning, using all sorts of related videos. It includes people documenting what life in that country is like for tourists and foreigners, it includes foreign-language teachers' channels, it includes related cartoons and films at a good level for me, it includes political speeches from that country subtitled in English. I couldn't be happier with the result.
You know those acknowledgments we've been clicking through for the past few years by Google saying "Hey!! We're doing this. READ THIS"? I think it makes what they do pretty above-board.
As a consumer we're able to adapt to this, but it's not something I have any problem with.
(Disclaimer: I indirectly contributed to Google in the past but not now, I would definitely list it as a disclaimer if it were happening now but I remember that it changed how I wrote about Google especially when I was the most critical of them, so I think it's worth mentioning still. I am a bit nicer when I'm really pissed off at them as a consumer - but this is not the case in this instance.)
---
EDIT: I carefully edited this as it is falling to -1. I stand by the sentiments in this comment: they are correct. Downvoters are wrong.
Yes. I do not own a cat but would prefer to see cat food ads.
I would suggest however, that cat food brands should advertise on pet channels on Youtube, or on pet related blogs perhaps. This allows targeting, but without collecting data about the users, many of whom do not know enough about online advertising to provide informed consent.
The best adverts I've seen were from Carbon[1] and Fusion (which seem to have merged now?). They were well targeted, unobtrusive, respected my privacy, and generally fit well with the content I was reading around the web.
Let me ask you this then. I clicked your HN profile for clues about what your interests might be, and you mention your public key on keybase.io. For this example (I am writing this before I did this search) I will search Google for keybase.io and copy here one of the top ads.
Unfortunately keybase.io and keybase as search terms don't show me any ads. Let me try "public key". Still no ad. (On Google's homepage.)
Let me try keybase public key. Still no ad.
Let me try public key server. No ad. I clicked around on some related queries, until I finally saw an ad. (The query I ended up under was: sks keyserver setup).
Now here is the ad that I saw:
OpenPGP Library for .NET
Adwww.didisoft.com/
Pure .NET OpenPGP Library Easy API
Online examplesPurchaseProduct page
Now let me ask you. If you are a .NET developer and you're trying to work with PGP, would you rather see what I just showed you - or would you rather see an ad for cat food (even though you don't own a cat)?
As I tried to explain in my comment, if the relevance of adverts depends on tracking me, I'd much rather have irrelevant ads. If the relevance can be done entirely through similarity or link to the content I'm consuming then I am much more ok with it.
I would rather see the cat food. Software products that need advertisement to succeed are either underperforming (because they’ve spent their money on ads instead of devs) or scams.
Depends what you consider an advertisement - advertising on something like Read The Docs or sponsoring conferences is one thing and I feel that's acceptable, but buying keywords on Google is just spam. I would not trust any software product (especially a low-level one like a library, as opposed to an out-of-the-box SaaS) that advertises on Google keywords or similar.
so you love conferences they sponsor. would you ever pay some minimal amount to go to a conference? If so isn't an adword (in your gmail or in your search results) an appropriate place to see you, in the clearly labelled advertising section? Wouldn't you be quite likely to click it, and also be happy that it was served to you?
> would you ever pay some minimal amount to go to a conference
Yes.
My issues with Adwords are the following:
1) they're abused by spam and garbage, so seeing a (potentially good) software product in there immediately turns me off and is actually a red flag.
2) it shows that the developer has no idea of the target market for their product - anyone that has the brains to use a software library would be blocking the Adwords anyway.
3) the above could mean they're instead targeting managers/CTOs as opposed to the actual people who will be using the library (developers), which is also a huge red flag.
I have no problem at all with your logic for the specific case you mentioned. (In fact it's easy for me to agree with it.)
In fact we're arguing/discussing better targeting now! As a developer you don't want to see an open source product advertised.
On the other hand, if you're a manager who can't deliver a feature that your customer is begging for because there is no out of the box solution/library for it, and you don't have the personpower - but lo, you can license one for $100/month that's worth tens of thousands to your customer, you'll be thrilled if you can learn about the existence of it. (Just a hypothetical, use a different one if you want: again, we're talking about better targeting.)
You didn't answer my question about if you want to see ads for a conference (I took two long sentences to ask you super explicitly) - is it because that's a resounding yes? I get that you don't want to answer the question because it's counter to your philosophy that targeted ads are bad. That philosophy, as we're seeing, is wrong.
The issue I have with targeting is that the ads should be targeted to the content I see, not to me - this is why ads on platforms like Read The Docs are fine by me as they target based on the content of the page they're displayed on, instead of trying to stalk me around everywhere in order to target better ads to me.
I'm happy to see computer-related ads on Read The Docs, but on standard Google I'd rather have cat food advertised (or other generic product).
Oh sorry, I totally missed that you were talking about ads for conferences as opposed to conferences themselves - but again the above still applies; more than happy to see conference ads on developer related websites. On Google, especially when I search for a generic keyword? No, give me cat food any day.
I know you say you want it but I am sure that you will love seeing ads for conferences that actually interest you, in your gmail inbox, and you will be annoyed by irrelevant ads (such as cat food when you don't have a cat.)
I've never been bothered by ads I see in gmail.
they're also super explicit about the way in which they collect and collate data and I understand that maybe I will have to make different Google accounts to be targeted to different things.
I guess your and my perspective is just very different. but enjoy your cat food or Amazing skin lightening! (for darker skinned people) ads - they're both very popular products. (the latter is a scam product category.)
I don't use Gmail as I don't want to have ads in my inbox. Ads might have a place elsewhere but not in my daily work tool. I'm happy to pay Office 365 for the privilege of not having potential garbage advertised to me.
One of my issues with advertising on the web is the tracking/stalking. I am okay with ads that are targeted based on the content of the current page as this does not require stalking me everywhere.
My other issue is that highly targeted ads (to the individual) create an echo chamber. The thing is, after a day of work, I no longer want to see development-related ads. Give me cat food (or other generic products) instead. This is what I actually like about print & billboard ads in the real world - they're generic and actually make me discover new brands & products I haven't heard of before.
Finally the problem with Adwords and similar online advertising is that there just isn't enough vetting nor review for them - there is a lot of spam, garbage products, etc. Print ads are much better as the publisher more or less takes responsibility for them, so they're doing their due diligence when choosing which ads to run. You don't have that on the web.
I do see what you mean about an echo chamber (filter bubble) and can understand some of your points. I guess Google's advertising has just never bothered me - and as mentioned upthread, one of my machines blocks their ad server so that I can't follow their ads when I try to: many times I've manually gotten around it to see what I tried to click. (This reminds me of how I do like their ads.)
Maybe we have a difference in preferences but I just never felt stalked or the like. I suppose it might change in the future. Thanks for your thoughts.
You’re ok with someone reading your mail then spamming you after learning something from it? Does that only apply to email, or physical mail too (with your permission in a vast TOS document of course).
What if someone looked in your windows then sent you advertising based on what they saw? I’m always a bit startled at what people are ok with.
>You’re ok with someone reading your mail then spamming you after learning something from it?
Does not match this (OP):
>When our daughter was born, and I sent an announcement via GMail, I started seeing ads for diapers.
I can see how the language "I started seeing ads" might sound like it applies to spam (unsolicited mail or messages) but to me it's clear that the poster just meant that the types of textual gmail ads they see changed to include baby ads. They're talking about this:
Now there's something actually interesting here. We don't have enough information to decide, but I bet this is the reason that poster paid so much attention to those text ads: they used to be highly relevant for them!
I bet they used to be filled only with stuff like industry conferences, IoT dev kids they were really interested in, security whitepapers, all sorts of stuff. (An indication of this is that they did not learn to mentally filter those parts of their inbox out as irrelevant.)
On one of my computers I have a hosts file that blocks Google's ads - so I often have to copy the ad URL and open it myself: because I clicked on it, and still want to see it after it doesn't open, and after knowing very clearly that it's an advertisement. Advertising doesn't get much better than this.
Ads where? Do you just mean display ads on the web? If so, your browser likely ended up on a list for diaper ads by some other means. Top of mind:
- Did ever add a baby-related product to a shopping cart on a retail site?
- Did you visit baby-related websites?
Less likely, but possible,if your browser cookie was linked to other personal information by 3rd party data brokers:
- Do you use a loyalty card at a physical store? Did you suddenly buy baby stuff for the first time?
- Did you return a product registration card for a carseat or something like that? The company my resell their customer lists.
Yann LeCun (the famous Deep Learning researcher) gave the reason behind this: "WhatsApp uses end-to-end encryption. Facebook Messenger doesn't, which allows it to provide enhanced services using AI-based content understanding (the information is not shared with 3rd parties). Both are owned/run by Facebook. It gives you a choice."
> "For example, on Messenger, when you send a photo, our automated systems scan it using photo matching technology to detect known child exploitation imagery or when you send a link, we scan it for malware or viruses," a Facebook Messenger spokeswoman said in a statement.
"A Facebook Messenger spokeswoman" who wouldn't put her name to the statement? Ugh. Child porn is terrible, but very few people produce it or want to look at it. On the other hand, opaque and unaccountable algorithmic censorship hurts everyone.
If they didn't scan and detect child porn, there would be articles about how they're letting people get away with sharing child porn on Messenger. It seems there's no way for Facebook to win here, given that people want both complete privacy and also no illicit activity on the platform.
Thanks for that link - I can’t edit my above comment now to note that some scanning does happen.
I wonder how well it works, as the false positive rates must be huge? The idea of someone looking at my account and playing abuse/not abuse roulette is disturbing.
Well it's an automated system, so it's highly unlikely that someone is reading all (or any) of your messages. The volume of messages Facebook and Google process every day is astronomical, so no manual oversight process would scale. It's similar to how email spam filters have worked in a completely automated fashion for years. In this case, PhotoDNA works by comparing image hashes, so it probably has fewer false positives than spam filters.
But with a powerful search tool, one could go hunting for any 'type' of person they wanted based on social association info, geolocation or keywords. Its not benign or unweildy just because its large.
Well there's a good balance. Running PhotoDNA [0] on every image sent is a pretty good practice. Raising flags on any content that might break community guidelines is a completely different story. Two users might willingly want to break the code of conduct between them for whatever reason -- and Facebook wants to be able to halt that. In contrast, there's no legal grey area if you share child pornography. Just using an automated tool for that is great -- extending it to the entire platform's guidelines is not.
> Child porn is terrible, but very few people produce it or want to look at it.
There are many jurisdictions were people who are legally underage engage in sexting etc. There's hardly any "universal standard". Never mind areas where "gay" sex illegal etc.
Yes, they have access. The point is more that they have an automated system scanning and flagging messages, specifically so that they're reviewed by humans, for content they don't want on their platform.
My landlord has access to my apartment, and I certainly don't expect them to just pop in and take things out that they don't like -- I at least expect some kind of notice. You can apply this to basically anything in the physical world, like mail. Having the capability to access does not equate to having permission to access.
>My landlord has access to my apartment, and I certainly don't expect them to just pop in and take things out that they don't like -- I at least expect some kind of notice.
That is because there are laws preventing them from doing it (both the theft and the entry without notice). And I did live in a state that allows them entry without prior notice. And they did do it. And it didn't bother me because they clearly have the right to do so.
>You can apply this to basically anything in the physical world, like mail.
Again, very clear legislation on this. I believe it is an explicit felony to open other people's (physical) mail.
>Having the capability to access does not equate to having permission to access.
Yes, but sans any legislation, doing stuff on their platform does equate to having permission to access - especially if there is no legal contract (e.g. terms of service, privacy policy, etc) stating otherwise.
I honestly don't get this. In the old days people (including me) ran message boards on this web site. There was no shock when the owner of the message board deleted posts or put filters, etc.
The point is more that they have an automated system scanning and flagging messages, specifically so that they're reviewed by humans, for content they don't want on their platform.
Expect more of that due to the recently passed sex trafficking legislation that got Craigslist personals, reddit escorts and all sorts of other places shut down.
Well, we had this thing called phone companies. In the beginning, many places, the switchboard operator would listen in. Then switchboards became mechanical and the industry regulated as a utility. And while it was technically easy for phone companies to listen, it was illegal for them to do so. (and nsa built a closet so it could listen in illegally, and got caught, and faced no consequences beyond an astronomical budget increase, anyhow...).
In The US there seems the trend is if you transport it, you get to data mine it (as long as "it" is digital, and "you" isn't a post service or phone company - not sure about isps). While in Europe the GDPR states that we live in a digital world, detecting that someone made a thousand copies of your data is really hard; but we'll make sure everyone is responsible for helping keep your data safe. Like the mailman and the telephone company.
But yeah, I think a lot of people still assume that a company facilitating private conversations won't have as primary business model to spy on those conversations.
>In The US there seems the trend is if you transport it, you get to data mine it (as long as "it" is digital, and "you" isn't a post service or phone company - not sure about isps).
I may not be 100% correct, but the history of this is related to liability. Telcos don't want to be held liable for crimes committed using their services (e.g. planning a bank robbery over the phone). They do not want the burden of monitoring calls to catch these people. So in exchange for that kind of immunity, they had to give up the right to listen in on calls.
I don't know the legal status for FB and the like, but I imagine it would be similar. As Facebook needs ads for money, they would rather not get that kind of a deal. As they decline immunity, they likely can be held liable for crimes planned on their services. Hence, they need to monitor.
So they mention the encrypted mode, but they don't confirm that facebook doesn't read those (either can't or won't). Can anyone confirm one way or another?
Messenger is such low quality garbage. People might receive a message, you might get a notification 2 months later. But you will always get a notification about some phantom message.
The dark patterns, ugly UI and unreliability, all with zero privacy.
This actually sounds reasonable; most other messaging programs do the same in order to provide previews, thumbnail images, scan for malicious links or spam, etc.
They could. Correct me if I'm wrong but users don't see which public keys have been used to encrypt the message's symmetric key. Theoretically Apple could easily and invisibly include themselves as a recipient.
You're exactly right and I'm not sure why this is being downvoted. Apple can add additional keys to iMessage messages and thus view them in transit - they say this themselves in their own security white paper[0].
> The private keys for both key pairs are saved in the device’s Keychain and the public keys are sent to Apple’s directory service (IDS), where they are associated with the user’s phone number or email address, along with the device’s APNs address.
I'm no security engineer but wouldn't that require Apple to have access to the private key, whereas the whitepaper says they only have access to the public key?
They can't mess up with the private key (at least this is what they say, and we can't verify that as their software is closed source). But they're free to manipulate the public key which is used during the encryption phase.
For Apple as a company, not having access to iMessages is the safest thing to do, and I believe them when they say they can't access them in the current setup and are not willing to change that. It's because this would change their status from hardware/software vendor to telecommunications provider, with all related problems and costs - and they don't need any of these, so the best option is just to shield themselves from any user-to-user communication.
I don't think so but I'm not a security expert either so I might have this wrong.
If you send a group message, Apple provides your messaging client with all of the recipients' public keys that are used to encrypt the symmetric key that actually protects the message. They could slip their key into that list and I don't think you would be able to easily tell if they did that.
If you send a message to a single person, then that's just a group of one.
The interesting question to me is if Apple can be compelled to write code to do this if they haven't already done so (and I don't think they have). I wouldn't think they could be forced, but like Microsoft did with Skype, they might do it anyway.
Ofcourse they do. On one hand it’s absolutely surprising that such a piece is considered “news” but on the other hand at least the general public (not just people in CS) are paying more attention to their privacy.
But in this case I think it’s 100% fine, even expected in order to stop bad content (porn, abuse etc) from going through
> But in this case I think it’s 100% fine, even expected in order to stop bad content (porn, abuse etc) from going through
I was pretty shocked when FB filtered out a pornhub link I tried to send to my then-girlfriend on Messenger. I thought it was very inappropriate of them to police our relationship like that. We were both adults...
stopping "Bad content" is a slippery slope, especially on a network, where most only talk to people they actually know and who are usually using real identities. Keep in mind it's private messaging we're talking about.
Anyone can email me and the only way to prevent spam from unknown senders is by providing a filter.
With messaging, I've already explicitly told Facebook who I want to contact me - my "friends". I've never received a message from a friend claiming to be Nigerian prince or trying to sell me "generic Viagra".
It seems like this could easily be fixed my multi factor authentication. I've clicked on phishing links on purpose just out of curiosity. They usually show a page that looks like a FB log on.
But to actually use the phished credentials, they would have to log on to FB. FB could simply send a text.
Except of course that Google and Facebook are also the places that people go to search for information. They manipulate the data you see so that it becomes much, much harder (if not impossible) for any competitor to gain traction because they are blocked or buried on page 50 of search results.
Except of course that Google and Facebook manipulate the data you see so that it becomes much, much harder (if not impossible) for any competitor to gain traction because they are blocked or buried on page 50 of search results.
If they told you what was being blocked and why and also gave the recipient the option to override the block, then I think the slippery slope problem is minimized.
At some point Facebook will disgust the majority of their users. Today, as well, it goes public that not just to Cambridge but all their user database was "leaked" to advertisers. 2 billion. There is far too great of smart people at FB to not know. Right now it's being spun publicly to offset responsibility, but their entire business model is about what happens once the lights turn off...
Hold on. Wasn't Facebook Messenger supposed to be encrypted E2E?
EDIT: Ok, from the responses I get I was confused. Maybe Allo? Skype? I'm sure someone else other than Signal and WhatsApp were using Signal's protocol. Just ignore this post.
I don't think you even had to actually send anything. Don't they grab everything you type, even if you delete it all before clicking enter (when you calm down quick enough)?
Speaking from experience, when Facebook didn’t do anything message scanning with messenger (allowed any person to send any message to anyone else) it was a tool for massive amounts of extreme personal abuse, blackmail, etc.
facebook like any other company with social products, scans anything and everything, since the beginning till the day they die. thats what social companies do. they cannot survive without it.
PS: this does not only apply to companies with social products.
"You can't watch your kids 24/7," reads one poster, which has a picture of Schumer, Zuckerberg, and a shirtless Anthony Wiener outside Facebook's New York offices. "BUT WE CAN."
...
Schumer - who in 2016 railed that "a person's cellphone should not become a James Bond-like personal tracking device for a corporation to gather information" - has stayed relatively silent since Facebook's user data scandal with Cambridge Analytica broke last month."
Are they that desperate to find their daily DeBlasio/Schumer/Cumo 2 min hate? Can they not just call random Democrats Communist to satisfy their readership? Could Sabo possibly find a more tenuous link between Schumer and Facebook?
The fact that Sabo admits to having an unnamed financial backer coupled with the fact that this non-news is reported on in the Murdoch press makes me think this is some sort of guerilla marketing by an underhanded conservative firm similar to Cambridge Analytica.
I really wish I could find a source that has a picture of this one:
> "You can't watch your kids 24/7," reads one poster, which has a picture of Schumer, Zuckerberg, and a shirtless Anthony Wiener outside Facebook's New York offices. "BUT WE CAN."
Do you trust that the source code for the Signal iOS app on Github is the source code of the application you're running on your phone? All you really have to go on is the word of each company.
> Do you trust that the source code for the Signal iOS app
On one hand, we have moxie and a team of people with no evidence against their integrity. On the other hand, a culture that responds to criticism with aggression [1] and then responds to criticism of that by deleting their communications [2].
TL; DR It's reasonable to trust Signal's iOS closed-source app while distrusting Facebook Messenger's also closed-source secret mode app.
The whole point of it being E2E encrypted is that you don't need to audit the server. As long as it's implemented correctly on the client, both users verified the shared key out-of-band, and both users have enabled the option to warn when the shared key changes, the most the server can do is traffic analysis or denial of service.
If you can be sure that the part running on your phone encrypts the message, then it doesn't matter as much what's running on the server. Anyway being open source wouldn't improve the auditability of the server.
I believe that’s only text. Try sending someone a video. Takes a while. Try forwarding that video to someone else moments later. Happens pretty quickly.
They also crawl links you share in private messages to grab the title, intro, and favicon to generate that clickable widget link thing.
[0] https://torrentfreak.com/facebook-blocks-all-pirate-bay-link...