There is in fact a way to verify whether the application sends the data elsewhere. The most basic of network monitoring tools will immediately indicate what external hosts are being communicated with. If all the network activity is strictly with Instagram's servers, it's plainly clear that the app dev is not siphoning off user data.
So, this is why I ask. It's actually really easy to find out what network hosts a piece of software is interacting with. If the dev really is stealing user data, it should be trivial to prove. This is the evidence I am asking for, otherwise that person's claims are completely baseless speculation.
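The check described above, as an added example that is not part of the thread: take the destination hosts an app was observed connecting to and split them into first-party (the service's own domains) and everything else. The allowlist and the connection log are assumptions / constructed sample data, not a capture of the app under discussion; the matcher also handles the look-alike hosts (`notinstagram.com`, `instagram.com.evil.example`) that a naive substring check would accept.

```python
"""Classify observed destination hosts as first-party or third-party."""
from collections import Counter

# Assumed allowlist of first-party domains (not taken from the app or the thread).
FIRST_PARTY = ("instagram.com", "cdninstagram.com", "facebook.com")

# Constructed sample log: one connection per line, "time dst_host:dst_port".
SAMPLE_LOG = """\
12:00:01 i.instagram.com:443
12:00:01 scontent.cdninstagram.com:443
12:00:02 graph.facebook.com:443
12:00:05 api.example-analytics.net:443
12:00:07 instagram.com.evil.example:443
12:00:09 notinstagram.com:443
"""


def is_first_party(host: str, allow=FIRST_PARTY) -> bool:
    """True if host equals, or is a subdomain of, an allowlisted domain.

    Matching is done on label boundaries, so 'notinstagram.com' and
    'instagram.com.evil.example' are rejected even though both contain
    the string 'instagram.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allow)


def parse_log(text: str):
    """Yield (host, port) tuples from the constructed log format, skipping bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or ":" not in parts[1]:
            continue
        host, port = parts[1].rsplit(":", 1)
        yield host, int(port)


def classify(text: str):
    """Return (first_party, third_party) Counters of connections per host."""
    first, third = Counter(), Counter()
    for host, _port in parse_log(text):
        (first if is_first_party(host) else third)[host] += 1
    return first, third


if __name__ == "__main__":
    fp, tp = classify(SAMPLE_LOG)
    print("first-party:", dict(fp))
    print("third-party (needs explaining):", dict(tp))
```

Any non-empty third-party set is what the poster above is asking to see; an empty one is the evidence that the client talks only to the service itself.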
Again, I'm asking _the person in the thread above_ who made these claims that the app is stealing user data to provide any supporting evidence, perhaps via the methods I described in my last comment. I'm not talking about Meta.
That's not what you were asking. You asked 'What evidence do you have that this application was acting as a "proxy" where the developers can "intercept and see all data"?'
The app is by definition acting as a proxy, and therefore the developers can intercept and see the data, though they might not be doing so currently.
Is the Facebook Messenger app a proxy? Is the Instagram client a proxy? Is the mail app on my phone a proxy? I'm trying to grasp what definition of "proxy" you're using here, because every usage of the word "proxy" I've ever seen relating to internet services is: "a program which redirects network traffic to another destination". The subject is explored in detail at https://en.wikipedia.org/wiki/Proxy_server . Yet again, I'm seeking to see any shred of evidence that even _suggests_ that the application has acted as a "proxy" or sent more user data to the app developer than absolutely necessary to function.
>The app is by definition acting as a proxy, and therefore the developers can intercept and see the data, though they might not be doing so currently.
You're making an assumption here that hasn't been confirmed. That assumption being that any app accessing user data from Meta is proxying (i.e., streaming the requested data to the app publisher's servers and then passing that data along to the end user) that data through their servers.
Is that the case with the app in question? Is it the case with every such app?
Or are there apps that directly connect to Meta's servers from the user's hardware without streaming the requested data through the app publisher's servers?
The app in TFA may be proxying (see above) data through their servers (that's the definition of a proxy in this context), but I don't know if they are doing so. If they are, there certainly are serious privacy/security issues with that process.
But again, no one has provided evidence that's what the app in question is doing. If they are, you should run screaming in the other direction.
However, if the app is simply performing the same API calls as Meta's app and returning the data directly to the end user, the risk profile is pretty similar for both apps (dependent on code quality, the ethical stance of the publishers, etc.).
Charles Proxy is proxying requests to your browser.
If you use the built-in dev tools to do the same thing, then there is no proxy.
An alternative client for something is (usually) not a proxy. It connects directly.
But more importantly, "a proxy where the app developers can intercept and see all data" is not referring to a client-side proxy. Even if there was a client-side proxy involved somewhere, that would make the initial claim wrong.
That is not the point. The person you replied to wasn't saying they know for sure they were stealing user data, just that Meta has no way of knowing they aren't, and even if they aren't right now, no way of knowing if they will start in the future.
It doesn't matter what the app does at this moment, it can be changed at any point.
Should Meta also ban users who connect to their services from GrapheneOS, since it could be updated to steal all of your application data in the future?
>That is not the point. The person you replied to wasn't saying they know for sure they were stealing user data, just that Meta has no way of knowing they aren't, and even if they aren't right now, no way of knowing if they will start in the future.
But isn't such an application running on the end-user's hardware and making requests at the end-user's behest?
If so, what does Meta have to do with it at all? Should they be allowed to tell me what software I'm allowed to run on my hardware?
The risk you mention is all on the user's side and none of it on Meta's side. If the user decides they want to accept that risk, AFAICT it's no skin off Meta's nose. Or am I missing something here?
>If I grant a friend permission to view my photos, I am not also granting some random 3rd party that permission.
Assuming the "third-party" client is just that (a client app), there really shouldn't be an issue. If I use FluffyChat[0] instead of Element[1], do the FluffyChat folks have access to all my (and those with whom I communicate) Matrix communications? If I use Element, do they have such access?
If you use Firefox to access Facebook, are you granting Mozilla full access to your (and your FB friends') profiles?
There has been a lot of noise about "third-parties" and how they only exist to steal your data.
But we use "third-party" clients all the time. Web browsers, IRC clients, and a host of other "third-party" apps. Why aren't you up in arms about them stealing your data and that of your contacts?
Those other third-party apps usually have a monetization scheme that's clearly separate from a need to steal your data, or are open source, which allows you to see if there's any weirdness or build it yourself. And I shouldn't need to mention that if it was found out that Firefox was uploading data from every page you read to their servers, there would be a massive reckoning.
Tell me, for the OGApp what is the monetization scheme? How do they intend to make money? By default if you don't see anything upfront you should assume that your data is what is being monetized. And your data in this case includes everything the app can pull down from Instagram while it's acting as a proxy.
Similarly, and I keep mentioning this: just because there's no current evidence of them stealing your data does not make them trustworthy. A site asking you for Steam login details would be almost impossible to prove is phishing for login details, but it would be a bad, bad idea to put in your login info anyways.
If they want their app to be trusted then it should be made open source.
>Tell me, for the OGApp what is the monetization scheme? How do they intend to make money? By default if you don't see anything upfront you should assume that your data is what is being monetized. And your data in this case includes everything the app can pull down from Instagram while it's acting as a proxy.
I have no idea. I'd never heard of this app as I don't ever use whatever functionality it provides.
I'm not saying these folks are saints, I have no idea what sort of people they are. If it makes you feel better, I'll posit that they're scumbags who would sell their own mother for a nickel.
But that doesn't change the fact that I (or anyone else, for that matter) should be able to use the client of their choice for anything. If that's not the case, then Meta (or HN, for that matter, if they decide to be as scummy as Meta) would be within their rights to decide which browser you use to connect to their properties, and what add-ons you install in that browser.
Sorry, that's not an acceptable solution[0].
>If they want their app to be trusted then it should be made open source.
You won't get any argument about that from me. But even if these guys are all clones of the anti-christ scheming to destroy humanity (for the record, I have no idea and make no value judgement about the ethical standards of the app publisher and its employees) by creating a subset of the data Meta already collects, if I (or anyone else) decides they want to use that software on their personal property, who's to say what can or can't run on that hardware?
I don't (and wouldn't try to) speak for anyone else, but my property belongs to me and I will run the software I choose on my property. That has nothing to do with Meta or the publisher of the app discussed in TFA. Rather, it's about my control of my property. Full stop.
[0] My objection is one of principle, not about any specific software. And I stand by that objection.
Yes, you can choose whatever software you want to run, but Meta would be fully within their rights to ban you for using third-party clients. And Meta has a vested interest in ensuring that people aren't using clients that scam their users out of their credentials, because said users don't exist in a vacuum. They have friends, family, private messages and so forth that other users did not consent to have stolen or taken by a third party. This was the whole Cambridge Analytica controversy in a nutshell, and their decisions around stuff like this all stem from that.
And in fact, sites are within their rights to determine which browser you can use to connect. Sites are often designed for and optimized around certain browsers and if they detect you running Internet Explorer 3, they can tell you to go away. This is a fact of the internet. And you're just as free to simply not go to their sites. This has been a fact for decades. No site is obligated to serve your obscure internet browser. And no API is obligated to serve every client that calls it.
>And Meta has a vested interest in ensuring that people aren't using clients that scam their users out of their credentials because said users don't exist in a vacuum.
Did this specific app actually "scam users out of their credentials?"
I'd expect that they didn't "scam" anything. The end user installed the app and voluntarily provided their credentials in order to access their content.
How is that a scam? If I'm using an Android phone and sideload an app to access say, HN, whether that's an apk from a publisher's website or from F-Droid, have I been scammed out of my HN credentials by that app's publisher?
If the app claimed to be the "official" app from Meta and used phishing techniques to get folks to install the app and/or reveal their credentials, that would be scamming.
But a deliberate choice by a user to use a specific app for a specific purpose, with the app in question actually serving that specific purpose doesn't seem like a "scam" to me.
Sure, Meta doesn't like it for a bunch of reasons. And it doesn't surprise me that they took action to smack these guys down. But characterizing this app as a "scam" doesn't seem to reflect reality.